diff --git a/browsers/edge/about-microsoft-edge.md b/browsers/edge/about-microsoft-edge.md index b38cf78717..c9801bd936 100644 --- a/browsers/edge/about-microsoft-edge.md +++ b/browsers/edge/about-microsoft-edge.md @@ -1,166 +1,166 @@ ---- -title: Microsoft Edge system and language requirements -description: Overview information about Microsoft Edge, the default browser for Windows 10. This topic includes links to other Microsoft Edge topics. -ms.assetid: 70377735-b2f9-4b0b-9658-4cf7c1d745bb -ms.reviewer: -manager: dansimp -ms.author: eravena -author: eavena -ms.prod: edge -ms.mktglfcycl: general -ms.topic: reference -ms.sitesec: library -title: Microsoft Edge for IT Pros -ms.localizationpriority: medium -ms.date: 10/02/2018 ---- - -# Microsoft Edge system and language requirements ->Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile - -Microsoft Edge is the new, default web browser for Windows 10, helping you to experience modern web standards, better performance, improved security, and increased reliability. Microsoft Edge lets you stay up-to-date through the Microsoft Store and to manage your enterprise through Group Policy or your mobile device management (MDM) tools. - - ->[!IMPORTANT] ->The Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don’t include Microsoft Edge or many other Universal Windows Platform (UWP) apps. Systems running the LTSB operating systems do not support these apps because their services get frequently updated with new functionality. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11. - - -## Minimum system requirements -Some of the components might also need additional system resources. Check the component's documentation for more information. - - -| Item | Minimum requirements | -|--------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Computer/processor | 1 gigahertz (GHz) or faster (32-bit (x86) or 64-bit (x64)) | -| Operating system |

Note
For specific Windows 10 Mobile requirements, see the [Minimum hardware requirements for Windows 10 Mobile](https://go.microsoft.com/fwlink/p/?LinkID=699266) topic. | -| Memory |

| -| Hard drive space | | -| DVD drive | DVD-ROM drive (if installing from a DVD-ROM) | -| Display | Super VGA (800 x 600) or higher-resolution monitor with 256 colors | -| Graphics card | Microsoft DirectX 9 or later with Windows Display Driver Model (WDDM) 1.0 driver | -| Peripherals | Internet connection and a compatible pointing device | - ---- - - -## Supported languages - -Microsoft Edge supports all of the same languages as Windows 10 and you can use the [Microsoft Translator extension](https://www.microsoft.com/en-us/p/translator-for-microsoft-edge/9nblggh4n4n3) to translate foreign language web pages and text selections for 60+ languages. - -If the extension does not work after install, restart Microsoft Edge. If the extension still does not work, provide feedback through the Feedback Hub. - - -| Language | Country/Region | Code | -|----------------------------------------------------|-----------------------------------------|----------------| -| Afrikaans (South Africa) | South Africa | af-ZA | -| Albanian (Albania) | Albania | sq-AL | -| Amharic | Ethiopia | am-ET | -| Arabic (Saudi Arabia) | Saudi Arabia | ar-SA | -| Armenian | Armenia | hy-AM | -| Assamese | India | as-IN | -| Azerbaijani (Latin, Azerbaijan) | Azerbaijan | az-Latn-AZ | -| Bangla (Bangladesh) | Bangladesh | bn-BD | -| Bangla (India) | India | bn-IN | -| Basque (Basque) | Spain | eu-ES | -| Belarusian (Belarus) | Belarus | be-BY | -| Bosnian (Latin) | Bosnia and Herzegovina | bs-Latn-BA | -| Bulgarian (Bulgaria) | Bulgaria | bg-BG | -| Catalan (Catalan) | Spain | ca-ES | -| Central Kurdish (Arabic) | Iraq | ku-Arab-IQ | -| Cherokee (Cherokee) | United States | chr-Cher-US | -| Chinese (Hong Kong SAR) | Hong Kong Special Administrative Region | zh-HK | -| Chinese (Simplified, China) | People's Republic of China | zh-CN | -| Chinese (Traditional, Taiwan) | Taiwan | zh-TW | -| Croatian (Croatia) | Croatia | hr-HR | -| Czech (Czech Republic) | Czech Republic | cs-CZ | -| Danish (Denmark) | Denmark | da-DK | -| Dari | Afghanistan | prs-AF | -| Dutch (Netherlands) | Netherlands | nl-NL | -| English (United Kingdom) | United Kingdom | en-GB | -| English (United States) | United States | en-US | -| Estonian (Estonia) | Estonia | et-EE | -| Filipino (Philippines) | Philippines | fil-PH | -| Finnish (Finland) | Finland | fi_FI | -| French (Canada) | Canada | fr-CA | -| French (France) | France | fr-FR | -| Galician (Galician) | Spain | gl-ES | -| Georgian | Georgia | ka-GE | -| German (Germany) | Germany | de-DE | -| Greek (Greece) | Greece | el-GR | -| Gujarati | India | gu-IN | -| Hausa (Latin, Nigeria) | Nigeria | ha-Latn-NG | -| Hebrew (Israel) | Israel | he-IL | -| Hindi (India) | India | hi-IN | -| Hungarian (Hungary) | Hungary | hu-HU | -| Icelandic | Iceland | is-IS | -| Igbo | Nigeria | ig-NG | -| Indonesian (Indonesia) | Indonesia | id-ID | -| Irish | Ireland | ga-IE | -| isiXhosa | South Africa | xh-ZA | -| isiZulu | South Africa | zu-ZA | -| Italian (Italy) | Italy | it-IT | -| Japanese (Japan) | Japan | ja-JP | -| Kannada | India | kn-IN | -| Kazakh (Kazakhstan) | Kazakhstan | kk-KZ | -| Khmer (Cambodia) | Cambodia | km-KH | -| K'iche' | Guatemala | quc-Latn-GT | -| Kinyarwanda | Rwanda | rw-RW | -| KiSwahili | Kenya, Tanzania | sw-KE | -| Konkani | India | kok-IN | -| Korean (Korea) | Korea | ko-KR | -| Kyrgyz | Kyrgyzstan | ky-KG | -| Lao (Laos) | Lao P.D.R. | lo-LA | -| Latvian (Latvia) | Latvia | lv-LV | -| Lithuanian (Lithuania) | Lithuania | lt-LT | -| Luxembourgish (Luxembourg) | Luxembourg | lb-LU | -| Macedonian (Former Yugoslav Republic of Macedonia) | Macedonia (FYROM) | mk-MK | -| Malay (Malaysia) | Malaysia, Brunei, and Singapore | ms-MY | -| Malayalam | India | ml-IN | -| Maltese | Malta | mt-MT | -| Maori | New Zealand | mi-NZ | -| Marathi | India | mr-IN | -| Mongolian (Cyrillic) | Mongolia | mn-MN | -| Nepali | Federal Democratic Republic of Nepal | ne-NP | -| Norwegian (Nynorsk) | Norway | nn-NO | -| Norwegian, Bokmål (Norway) | Norway | nb-NO | -| Odia | India | or-IN | -| Polish (Poland) | Poland | pl-PL | -| Portuguese (Brazil) | Brazil | pt-BR | -| Portuguese (Portugal) | Portugal | pt-PT | -| Punjabi | India | pa-IN | -| Punjabi (Arabic) | Pakistan | pa-Arab-PK | -| Quechua | Peru | quz-PE | -| Romanian (Romania) | Romania | ro-RO | -| Russian (Russia) | Russia | ru-RU | -| Scottish Gaelic | United Kingdom | gd-GB | -| Serbian (Cyrillic, Bosnia, and Herzegovina) | Bosnia and Herzegovina | sr-Cyrl-BA | -| Serbian (Cyrillic, Serbia) | Serbia | sr-Cyrl-RS | -| Serbian (Latin, Serbia) | Serbia | sr-Latn-RS | -| Sesotho sa Leboa | South Africa | nso-ZA | -| Setswana (South Africa) | South Africa and Botswana | tn-ZA | -| Sindhi (Arabic) | Pakistan | sd-Arab-PK | -| Sinhala | Sri Lanka | si-LK | -| Slovak (Slovakia) | Slovakia | sk-SK | -| Slovenian (Slovenia) | Slovenia | sl-SL | -| Spanish (Mexico) | Mexico | es-MX | -| Spanish (Spain, International Sort) | Spain | en-ES | -| Swedish (Sweden) | Sweden | sv-SE | -| Tajik (Cyrillic) | Tajikistan | tg-Cyrl-TJ | -| Tamil (India) | India and Sri Lanka | ta-IN | -| Tatar | Russia | tt-RU | -| Telugu | India | te-IN | -| Thai (Thailand) | Thailand | th-TH | -| Tigrinya (Ethiopia) | Ethiopia | ti-ET | -| Turkish (Turkey) | Turkey | tr-TR | -| Turkmen | Turkmenistan | tk-TM | -| Ukrainian (Ukraine) | Ukraine | uk-UA | -| Urdu | Pakistan | ur-PK | -| Uyghur | People's Republic of China | ug-CN | -| Uzbek (Latin, Uzbekistan) | Uzbekistan | uz-Latn-UZ | -| Valencian | Spain | ca-ES-valencia | -| Vietnamese | Vietnam | vi-VN | -| Welsh | United Kingdom | cy-GB | -| Wolof | Senegal | wo-SN | -| Yoruba | Nigeria | yo-NG | - ---- +--- +title: Microsoft Edge system and language requirements +description: Overview information about Microsoft Edge, the default browser for Windows 10. This topic includes links to other Microsoft Edge topics. +ms.assetid: 70377735-b2f9-4b0b-9658-4cf7c1d745bb +ms.reviewer: +audience: itpro manager: dansimp +ms.author: eravena +author: eavena +ms.prod: edge +ms.mktglfcycl: general +ms.topic: reference +ms.sitesec: library +title: Microsoft Edge for IT Pros +ms.localizationpriority: medium +ms.date: 10/02/2018 +--- + +# Microsoft Edge system and language requirements +>Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile + +Microsoft Edge is the new, default web browser for Windows 10, helping you to experience modern web standards, better performance, improved security, and increased reliability. Microsoft Edge lets you stay up-to-date through the Microsoft Store and to manage your enterprise through Group Policy or your mobile device management (MDM) tools. + + +>[!IMPORTANT] +>The Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don’t include Microsoft Edge or many other Universal Windows Platform (UWP) apps. Systems running the LTSB operating systems do not support these apps because their services get frequently updated with new functionality. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11. + + +## Minimum system requirements +Some of the components might also need additional system resources. Check the component's documentation for more information. + + +| Item | Minimum requirements | +|--------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Computer/processor | 1 gigahertz (GHz) or faster (32-bit (x86) or 64-bit (x64)) | +| Operating system |

Note
For specific Windows 10 Mobile requirements, see the [Minimum hardware requirements for Windows 10 Mobile](https://go.microsoft.com/fwlink/p/?LinkID=699266) topic. | +| Memory |

| +| Hard drive space | | +| DVD drive | DVD-ROM drive (if installing from a DVD-ROM) | +| Display | Super VGA (800 x 600) or higher-resolution monitor with 256 colors | +| Graphics card | Microsoft DirectX 9 or later with Windows Display Driver Model (WDDM) 1.0 driver | +| Peripherals | Internet connection and a compatible pointing device | + +--- + + +## Supported languages + +Microsoft Edge supports all of the same languages as Windows 10 and you can use the [Microsoft Translator extension](https://www.microsoft.com/en-us/p/translator-for-microsoft-edge/9nblggh4n4n3) to translate foreign language web pages and text selections for 60+ languages. + +If the extension does not work after install, restart Microsoft Edge. If the extension still does not work, provide feedback through the Feedback Hub. + + +| Language | Country/Region | Code | +|----------------------------------------------------|-----------------------------------------|----------------| +| Afrikaans (South Africa) | South Africa | af-ZA | +| Albanian (Albania) | Albania | sq-AL | +| Amharic | Ethiopia | am-ET | +| Arabic (Saudi Arabia) | Saudi Arabia | ar-SA | +| Armenian | Armenia | hy-AM | +| Assamese | India | as-IN | +| Azerbaijani (Latin, Azerbaijan) | Azerbaijan | az-Latn-AZ | +| Bangla (Bangladesh) | Bangladesh | bn-BD | +| Bangla (India) | India | bn-IN | +| Basque (Basque) | Spain | eu-ES | +| Belarusian (Belarus) | Belarus | be-BY | +| Bosnian (Latin) | Bosnia and Herzegovina | bs-Latn-BA | +| Bulgarian (Bulgaria) | Bulgaria | bg-BG | +| Catalan (Catalan) | Spain | ca-ES | +| Central Kurdish (Arabic) | Iraq | ku-Arab-IQ | +| Cherokee (Cherokee) | United States | chr-Cher-US | +| Chinese (Hong Kong SAR) | Hong Kong Special Administrative Region | zh-HK | +| Chinese (Simplified, China) | People's Republic of China | zh-CN | +| Chinese (Traditional, Taiwan) | Taiwan | zh-TW | +| Croatian (Croatia) | Croatia | hr-HR | +| Czech (Czech Republic) | Czech Republic | cs-CZ | +| Danish (Denmark) | Denmark | da-DK | +| Dari | Afghanistan | prs-AF | +| Dutch (Netherlands) | Netherlands | nl-NL | +| English (United Kingdom) | United Kingdom | en-GB | +| English (United States) | United States | en-US | +| Estonian (Estonia) | Estonia | et-EE | +| Filipino (Philippines) | Philippines | fil-PH | +| Finnish (Finland) | Finland | fi_FI | +| French (Canada) | Canada | fr-CA | +| French (France) | France | fr-FR | +| Galician (Galician) | Spain | gl-ES | +| Georgian | Georgia | ka-GE | +| German (Germany) | Germany | de-DE | +| Greek (Greece) | Greece | el-GR | +| Gujarati | India | gu-IN | +| Hausa (Latin, Nigeria) | Nigeria | ha-Latn-NG | +| Hebrew (Israel) | Israel | he-IL | +| Hindi (India) | India | hi-IN | +| Hungarian (Hungary) | Hungary | hu-HU | +| Icelandic | Iceland | is-IS | +| Igbo | Nigeria | ig-NG | +| Indonesian (Indonesia) | Indonesia | id-ID | +| Irish | Ireland | ga-IE | +| isiXhosa | South Africa | xh-ZA | +| isiZulu | South Africa | zu-ZA | +| Italian (Italy) | Italy | it-IT | +| Japanese (Japan) | Japan | ja-JP | +| Kannada | India | kn-IN | +| Kazakh (Kazakhstan) | Kazakhstan | kk-KZ | +| Khmer (Cambodia) | Cambodia | km-KH | +| K'iche' | Guatemala | quc-Latn-GT | +| Kinyarwanda | Rwanda | rw-RW | +| KiSwahili | Kenya, Tanzania | sw-KE | +| Konkani | India | kok-IN | +| Korean (Korea) | Korea | ko-KR | +| Kyrgyz | Kyrgyzstan | ky-KG | +| Lao (Laos) | Lao P.D.R. | lo-LA | +| Latvian (Latvia) | Latvia | lv-LV | +| Lithuanian (Lithuania) | Lithuania | lt-LT | +| Luxembourgish (Luxembourg) | Luxembourg | lb-LU | +| Macedonian (Former Yugoslav Republic of Macedonia) | Macedonia (FYROM) | mk-MK | +| Malay (Malaysia) | Malaysia, Brunei, and Singapore | ms-MY | +| Malayalam | India | ml-IN | +| Maltese | Malta | mt-MT | +| Maori | New Zealand | mi-NZ | +| Marathi | India | mr-IN | +| Mongolian (Cyrillic) | Mongolia | mn-MN | +| Nepali | Federal Democratic Republic of Nepal | ne-NP | +| Norwegian (Nynorsk) | Norway | nn-NO | +| Norwegian, Bokmål (Norway) | Norway | nb-NO | +| Odia | India | or-IN | +| Polish (Poland) | Poland | pl-PL | +| Portuguese (Brazil) | Brazil | pt-BR | +| Portuguese (Portugal) | Portugal | pt-PT | +| Punjabi | India | pa-IN | +| Punjabi (Arabic) | Pakistan | pa-Arab-PK | +| Quechua | Peru | quz-PE | +| Romanian (Romania) | Romania | ro-RO | +| Russian (Russia) | Russia | ru-RU | +| Scottish Gaelic | United Kingdom | gd-GB | +| Serbian (Cyrillic, Bosnia, and Herzegovina) | Bosnia and Herzegovina | sr-Cyrl-BA | +| Serbian (Cyrillic, Serbia) | Serbia | sr-Cyrl-RS | +| Serbian (Latin, Serbia) | Serbia | sr-Latn-RS | +| Sesotho sa Leboa | South Africa | nso-ZA | +| Setswana (South Africa) | South Africa and Botswana | tn-ZA | +| Sindhi (Arabic) | Pakistan | sd-Arab-PK | +| Sinhala | Sri Lanka | si-LK | +| Slovak (Slovakia) | Slovakia | sk-SK | +| Slovenian (Slovenia) | Slovenia | sl-SL | +| Spanish (Mexico) | Mexico | es-MX | +| Spanish (Spain, International Sort) | Spain | en-ES | +| Swedish (Sweden) | Sweden | sv-SE | +| Tajik (Cyrillic) | Tajikistan | tg-Cyrl-TJ | +| Tamil (India) | India and Sri Lanka | ta-IN | +| Tatar | Russia | tt-RU | +| Telugu | India | te-IN | +| Thai (Thailand) | Thailand | th-TH | +| Tigrinya (Ethiopia) | Ethiopia | ti-ET | +| Turkish (Turkey) | Turkey | tr-TR | +| Turkmen | Turkmenistan | tk-TM | +| Ukrainian (Ukraine) | Ukraine | uk-UA | +| Urdu | Pakistan | ur-PK | +| Uyghur | People's Republic of China | ug-CN | +| Uzbek (Latin, Uzbekistan) | Uzbekistan | uz-Latn-UZ | +| Valencian | Spain | ca-ES-valencia | +| Vietnamese | Vietnam | vi-VN | +| Welsh | United Kingdom | cy-GB | +| Wolof | Senegal | wo-SN | +| Yoruba | Nigeria | yo-NG | + +--- diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index 1c5ce07a92..18890c69ed 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md @@ -1,222 +1,221 @@ ---- -description: You can customize your organization’s browser settings in Microsoft Edge with Group Policy or Microsoft Intune, or other MDM service. When you do this, you set the policy once and then copy it onto many computers—that is, touch once, configure many. -ms.assetid: 2e849894-255d-4f68-ae88-c2e4e31fa165 -ms.reviewer: -author: eavena -ms.author: eravena -manager: dansimp -ms.prod: edge -ms.mktglfcycl: explore -ms.topic: reference -ms.sitesec: library -title: Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros) -ms.localizationpriority: medium -ms.date: 10/29/2018 ---- - -# Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge - -> Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile - -You can customize your organization’s browser settings in Microsoft Edge with Group Policy or Microsoft Intune, or other MDM service. When you do this, you set the policy once and then copy it onto many computers—that is, touch once, configure many. For example, you can set up multiple security settings in a Group Policy Object (GPO) linked to a domain, and then apply those settings to every computer in the domain. - -Other policy settings in Microsoft Edge include allowing Adobe Flash content to play automatically, provision a favorites list, set default search engine, and more. You configure a Group Policy setting in the Administrative Templates folders, which are registry-based policy settings that Group Policy enforces. Group Policy stores these settings in a specific registry location, which users cannot change. Also, Group Policy-aware Windows features and applications look for these settings in the registry, and if found the policy setting gets used instead of the regular settings. - -**_You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor:_** - -      *Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\* - -When you edit a Group Policy setting, you have the following configuration options: - -- **Enabled** - writes the policy setting to the registry with a value that enables it. -- **Disabled** - writes the policy setting to the registry with a value that disables it. -- **Not configured** - leaves the policy setting undefined. Group Policy does not write the policy setting to the registry and has no impact on computers or users. - -Some policy settings have additional options you can configure. For example, if you want to set the default search engine, set the Start page, or configure the Enterprise Mode Site List, you would type the URL. - - -## Allow a shared books folder -[!INCLUDE [allow-shared-folder-books-include.md](includes/allow-shared-folder-books-include.md)] - -## Allow Address bar drop-down list suggestions -[!INCLUDE [allow-address-bar-suggestions-include.md](includes/allow-address-bar-suggestions-include.md)] - -## Allow Adobe Flash -[!INCLUDE [allow-adobe-flash-include.md](includes/allow-adobe-flash-include.md)] - -## Allow clearing browsing data on exit -[!INCLUDE [allow-clearing-browsing-data-include.md](includes/allow-clearing-browsing-data-include.md)] - -## Allow configuration updates for the Books Library -[!INCLUDE [allow-config-updates-books-include.md](includes/allow-config-updates-books-include.md)] - -## Allow Cortana -[!INCLUDE [allow-cortana-include.md](includes/allow-cortana-include.md)] - -## Allow Developer Tools -[!INCLUDE [allow-dev-tools-include.md](includes/allow-dev-tools-include.md)] - -## Allow extended telemetry for the Books tab -[!INCLUDE [allow-ext-telemetry-books-tab-include.md](includes/allow-ext-telemetry-books-tab-include.md)] - -## Allow Extensions -[!INCLUDE [allow-extensions-include.md](includes/allow-extensions-include.md)] - -## Allow fullscreen mode -[!INCLUDE [allow-full-screen-include](includes/allow-full-screen-include.md)] - -## Allow InPrivate browsing -[!INCLUDE [allow-inprivate-browsing-include.md](includes/allow-inprivate-browsing-include.md)] - -## Allow Microsoft Compatibility List -[!INCLUDE [allow-microsoft-compatibility-list-include.md](includes/allow-microsoft-compatibility-list-include.md)] - -## Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed -[!INCLUDE [allow-prelaunch-include](includes/allow-prelaunch-include.md)] - -## Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed -[!INCLUDE [allow-tab-preloading-include](includes/allow-tab-preloading-include.md)] - -## Allow printing -[!INCLUDE [allow-printing-include.md](includes/allow-printing-include.md)] - -## Allow Saving History -[!INCLUDE [allow-saving-history-include.md](includes/allow-saving-history-include.md)] - -## Allow search engine customization -[!INCLUDE [allow-search-engine-customization-include.md](includes/allow-search-engine-customization-include.md)] - -## Allow sideloading of Extensions -[!INCLUDE [allow-sideloading-extensions-include.md](includes/allow-sideloading-extensions-include.md)] - -## Allow web content on New Tab page -[!INCLUDE [allow-web-content-new-tab-page-include.md](includes/allow-web-content-new-tab-page-include.md)] - -## Always show the Books Library in Microsoft Edge -[!INCLUDE [always-enable-book-library-include.md](includes/always-enable-book-library-include.md)] - -## Configure additional search engines -[!INCLUDE [configure-additional-search-engines-include.md](includes/configure-additional-search-engines-include.md)] - -## Configure Autofill -[!INCLUDE [configure-autofill-include.md](includes/configure-autofill-include.md)] - -## Configure collection of browsing data for Microsoft 365 Analytics -[!INCLUDE [configure-browser-telemetry-for-m365-analytics-include](includes/configure-browser-telemetry-for-m365-analytics-include.md)] - -## Configure cookies -[!INCLUDE [configure-cookies-include.md](includes/configure-cookies-include.md)] - -## Configure Do Not Track -[!INCLUDE [configure-do-not-track-include.md](includes/configure-do-not-track-include.md)] - -## Configure Favorites -[!INCLUDE [configure-favorites-include.md](includes/configure-favorites-include.md)] - -## Configure Favorites Bar -[!INCLUDE [configure-favorites-bar-include.md](includes/configure-favorites-bar-include.md)] - -## Configure Home Button -[!INCLUDE [configure-home-button-include.md](includes/configure-home-button-include.md)] - -## Configure kiosk mode -[!INCLUDE [configure-microsoft-edge-kiosk-mode-include.md](includes/configure-microsoft-edge-kiosk-mode-include.md)] - -## Configure kiosk reset after idle timeout -[!INCLUDE [configure-edge-kiosk-reset-idle-timeout-include.md](includes/configure-edge-kiosk-reset-idle-timeout-include.md)] - -## Configure Open Microsoft Edge With -[!INCLUDE [configure-open-edge-with-include.md](includes/configure-open-edge-with-include.md)] - -## Configure Password Manager -[!INCLUDE [configure-password-manager-include.md](includes/configure-password-manager-include.md)] - -## Configure Pop-up Blocker -[!INCLUDE [configure-pop-up-blocker-include.md](includes/configure-pop-up-blocker-include.md)] - -## Configure search suggestions in Address bar -[!INCLUDE [configure-search-suggestions-address-bar-include.md](includes/configure-search-suggestions-address-bar-include.md)] - -## Configure Start pages -[!INCLUDE [configure-start-pages-include.md](includes/configure-start-pages-include.md)] - -## Configure the Adobe Flash Click-to-Run setting -[!INCLUDE [configure-adobe-flash-click-to-run-include.md](includes/configure-adobe-flash-click-to-run-include.md)] - -## Configure the Enterprise Mode Site List -[!INCLUDE [configure-enterprise-mode-site-list-include.md](includes/configure-enterprise-mode-site-list-include.md)] - -## Configure Windows Defender SmartScreen -[!INCLUDE [configure-windows-defender-smartscreen-include.md](includes/configure-windows-defender-smartscreen-include.md)] - -## Disable lockdown of Start pages -[!INCLUDE [disable-lockdown-of-start-pages-include.md](includes/disable-lockdown-of-start-pages-include.md)] - -## Do not sync -[!INCLUDE [do-not-sync-include.md](includes/do-not-sync-include.md)] - -## Do not sync browser settings -[!INCLUDE [do-not-sync-browser-settings-include.md](includes/do-not-sync-browser-settings-include.md)] - -## Keep favorites in sync between Internet Explorer and Microsoft Edge -[!INCLUDE [keep-fav-sync-ie-edge-include.md](includes/keep-fav-sync-ie-edge-include.md)] - -## Prevent access to the about:flags page -[!INCLUDE [prevent-access-about-flag-include.md](includes/prevent-access-about-flag-include.md)] - -## Prevent bypassing Windows Defender SmartScreen prompts for files -[!INCLUDE [prevent-bypassing-win-defender-files-include.md](includes/prevent-bypassing-win-defender-files-include.md)] - -## Prevent bypassing Windows Defender SmartScreen prompts for sites -[!INCLUDE [prevent-bypassing-win-defender-sites-include.md](includes/prevent-bypassing-win-defender-sites-include.md)] - -## Prevent certificate error overrides -[!INCLUDE [prevent-certificate-error-overrides-include.md](includes/prevent-certificate-error-overrides-include.md)] - -## Prevent changes to Favorites on Microsoft Edge -[!INCLUDE [prevent-changes-to-favorites-include.md](includes/prevent-changes-to-favorites-include.md)] - -## Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start -[!INCLUDE [prevent-live-tile-pinning-start-include](includes/prevent-live-tile-pinning-start-include.md)] - -## Prevent the First Run webpage from opening on Microsoft Edge -[!INCLUDE [prevent-first-run-webpage-open-include.md](includes/prevent-first-run-webpage-open-include.md)] - -## Prevent turning off required extensions -[!INCLUDE [prevent-turning-off-required-extensions-include.md](includes/prevent-turning-off-required-extensions-include.md)] - -## Prevent users from turning on browser syncing -[!INCLUDE [prevent-users-to-turn-on-browser-syncing-include](includes/prevent-users-to-turn-on-browser-syncing-include.md)] - -## Prevent using Localhost IP address for WebRTC -[!INCLUDE [prevent-localhost-address-for-webrtc-include.md](includes/prevent-localhost-address-for-webrtc-include.md)] - -## Provision Favorites -[!INCLUDE [provision-favorites-include](includes/provision-favorites-include.md)] - -## Send all intranet sites to Internet Explorer 11 -[!INCLUDE [send-all-intranet-sites-ie-include.md](includes/send-all-intranet-sites-ie-include.md)] - -## Set default search engine -[!INCLUDE [set-default-search-engine-include.md](includes/set-default-search-engine-include.md)] - -## Set Home Button URL -[!INCLUDE [set-home-button-url-include](includes/set-home-button-url-include.md)] - -## Set New Tab page URL -[!INCLUDE [set-new-tab-url-include.md](includes/set-new-tab-url-include.md)] - -## Show message when opening sites in Internet Explorer -[!INCLUDE [show-message-opening-sites-ie-include](includes/show-message-opening-sites-ie-include.md)] - -## Unlock Home Button -[!INCLUDE [unlock-home-button-include.md](includes/unlock-home-button-include.md)] - - - -## Related topics -- [Mobile Device Management (MDM) settings](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) -- [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921) -- [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922) -- [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923) -- [Group Policy and Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=617924). +--- +description: You can customize your organization’s browser settings in Microsoft Edge with Group Policy or Microsoft Intune, or other MDM service. When you do this, you set the policy once and then copy it onto many computers—that is, touch once, configure many. +ms.assetid: 2e849894-255d-4f68-ae88-c2e4e31fa165 +ms.reviewer: +author: eavena +ms.author: eravena +audience: itpro manager: dansimp +ms.prod: edge +ms.mktglfcycl: explore +ms.topic: reference +ms.sitesec: library +title: Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros) +ms.localizationpriority: medium +--- + +# Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge + +> Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile + +You can customize your organization’s browser settings in Microsoft Edge with Group Policy or Microsoft Intune, or other MDM service. When you do this, you set the policy once and then copy it onto many computers—that is, touch once, configure many. For example, you can set up multiple security settings in a Group Policy Object (GPO) linked to a domain, and then apply those settings to every computer in the domain. + +Other policy settings in Microsoft Edge include allowing Adobe Flash content to play automatically, provision a favorites list, set default search engine, and more. You configure a Group Policy setting in the Administrative Templates folders, which are registry-based policy settings that Group Policy enforces. Group Policy stores these settings in a specific registry location, which users cannot change. Also, Group Policy-aware Windows features and applications look for these settings in the registry, and if found the policy setting gets used instead of the regular settings. + +**_You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor:_** + +      *Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\* + +When you edit a Group Policy setting, you have the following configuration options: + +- **Enabled** - writes the policy setting to the registry with a value that enables it. +- **Disabled** - writes the policy setting to the registry with a value that disables it. +- **Not configured** - leaves the policy setting undefined. Group Policy does not write the policy setting to the registry and has no impact on computers or users. + +Some policy settings have additional options you can configure. For example, if you want to set the default search engine, set the Start page, or configure the Enterprise Mode Site List, you would type the URL. + + +## Allow a shared books folder +[!INCLUDE [allow-shared-folder-books-include.md](includes/allow-shared-folder-books-include.md)] + +## Allow Address bar drop-down list suggestions +[!INCLUDE [allow-address-bar-suggestions-include.md](includes/allow-address-bar-suggestions-include.md)] + +## Allow Adobe Flash +[!INCLUDE [allow-adobe-flash-include.md](includes/allow-adobe-flash-include.md)] + +## Allow clearing browsing data on exit +[!INCLUDE [allow-clearing-browsing-data-include.md](includes/allow-clearing-browsing-data-include.md)] + +## Allow configuration updates for the Books Library +[!INCLUDE [allow-config-updates-books-include.md](includes/allow-config-updates-books-include.md)] + +## Allow Cortana +[!INCLUDE [allow-cortana-include.md](includes/allow-cortana-include.md)] + +## Allow Developer Tools +[!INCLUDE [allow-dev-tools-include.md](includes/allow-dev-tools-include.md)] + +## Allow extended telemetry for the Books tab +[!INCLUDE [allow-ext-telemetry-books-tab-include.md](includes/allow-ext-telemetry-books-tab-include.md)] + +## Allow Extensions +[!INCLUDE [allow-extensions-include.md](includes/allow-extensions-include.md)] + +## Allow fullscreen mode +[!INCLUDE [allow-full-screen-include](includes/allow-full-screen-include.md)] + +## Allow InPrivate browsing +[!INCLUDE [allow-inprivate-browsing-include.md](includes/allow-inprivate-browsing-include.md)] + +## Allow Microsoft Compatibility List +[!INCLUDE [allow-microsoft-compatibility-list-include.md](includes/allow-microsoft-compatibility-list-include.md)] + +## Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed +[!INCLUDE [allow-prelaunch-include](includes/allow-prelaunch-include.md)] + +## Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed +[!INCLUDE [allow-tab-preloading-include](includes/allow-tab-preloading-include.md)] + +## Allow printing +[!INCLUDE [allow-printing-include.md](includes/allow-printing-include.md)] + +## Allow Saving History +[!INCLUDE [allow-saving-history-include.md](includes/allow-saving-history-include.md)] + +## Allow search engine customization +[!INCLUDE [allow-search-engine-customization-include.md](includes/allow-search-engine-customization-include.md)] + +## Allow sideloading of Extensions +[!INCLUDE [allow-sideloading-extensions-include.md](includes/allow-sideloading-extensions-include.md)] + +## Allow web content on New Tab page +[!INCLUDE [allow-web-content-new-tab-page-include.md](includes/allow-web-content-new-tab-page-include.md)] + +## Always show the Books Library in Microsoft Edge +[!INCLUDE [always-enable-book-library-include.md](includes/always-enable-book-library-include.md)] + +## Configure additional search engines +[!INCLUDE [configure-additional-search-engines-include.md](includes/configure-additional-search-engines-include.md)] + +## Configure Autofill +[!INCLUDE [configure-autofill-include.md](includes/configure-autofill-include.md)] + +## Configure collection of browsing data for Microsoft 365 Analytics +[!INCLUDE [configure-browser-telemetry-for-m365-analytics-include](includes/configure-browser-telemetry-for-m365-analytics-include.md)] + +## Configure cookies +[!INCLUDE [configure-cookies-include.md](includes/configure-cookies-include.md)] + +## Configure Do Not Track +[!INCLUDE [configure-do-not-track-include.md](includes/configure-do-not-track-include.md)] + +## Configure Favorites +[!INCLUDE [configure-favorites-include.md](includes/configure-favorites-include.md)] + +## Configure Favorites Bar +[!INCLUDE [configure-favorites-bar-include.md](includes/configure-favorites-bar-include.md)] + +## Configure Home Button +[!INCLUDE [configure-home-button-include.md](includes/configure-home-button-include.md)] + +## Configure kiosk mode +[!INCLUDE [configure-microsoft-edge-kiosk-mode-include.md](includes/configure-microsoft-edge-kiosk-mode-include.md)] + +## Configure kiosk reset after idle timeout +[!INCLUDE [configure-edge-kiosk-reset-idle-timeout-include.md](includes/configure-edge-kiosk-reset-idle-timeout-include.md)] + +## Configure Open Microsoft Edge With +[!INCLUDE [configure-open-edge-with-include.md](includes/configure-open-edge-with-include.md)] + +## Configure Password Manager +[!INCLUDE [configure-password-manager-include.md](includes/configure-password-manager-include.md)] + +## Configure Pop-up Blocker +[!INCLUDE [configure-pop-up-blocker-include.md](includes/configure-pop-up-blocker-include.md)] + +## Configure search suggestions in Address bar +[!INCLUDE [configure-search-suggestions-address-bar-include.md](includes/configure-search-suggestions-address-bar-include.md)] + +## Configure Start pages +[!INCLUDE [configure-start-pages-include.md](includes/configure-start-pages-include.md)] + +## Configure the Adobe Flash Click-to-Run setting +[!INCLUDE [configure-adobe-flash-click-to-run-include.md](includes/configure-adobe-flash-click-to-run-include.md)] + +## Configure the Enterprise Mode Site List +[!INCLUDE [configure-enterprise-mode-site-list-include.md](includes/configure-enterprise-mode-site-list-include.md)] + +## Configure Windows Defender SmartScreen +[!INCLUDE [configure-windows-defender-smartscreen-include.md](includes/configure-windows-defender-smartscreen-include.md)] + +## Disable lockdown of Start pages +[!INCLUDE [disable-lockdown-of-start-pages-include.md](includes/disable-lockdown-of-start-pages-include.md)] + +## Do not sync +[!INCLUDE [do-not-sync-include.md](includes/do-not-sync-include.md)] + +## Do not sync browser settings +[!INCLUDE [do-not-sync-browser-settings-include.md](includes/do-not-sync-browser-settings-include.md)] + +## Keep favorites in sync between Internet Explorer and Microsoft Edge +[!INCLUDE [keep-fav-sync-ie-edge-include.md](includes/keep-fav-sync-ie-edge-include.md)] + +## Prevent access to the about:flags page +[!INCLUDE [prevent-access-about-flag-include.md](includes/prevent-access-about-flag-include.md)] + +## Prevent bypassing Windows Defender SmartScreen prompts for files +[!INCLUDE [prevent-bypassing-win-defender-files-include.md](includes/prevent-bypassing-win-defender-files-include.md)] + +## Prevent bypassing Windows Defender SmartScreen prompts for sites +[!INCLUDE [prevent-bypassing-win-defender-sites-include.md](includes/prevent-bypassing-win-defender-sites-include.md)] + +## Prevent certificate error overrides +[!INCLUDE [prevent-certificate-error-overrides-include.md](includes/prevent-certificate-error-overrides-include.md)] + +## Prevent changes to Favorites on Microsoft Edge +[!INCLUDE [prevent-changes-to-favorites-include.md](includes/prevent-changes-to-favorites-include.md)] + +## Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start +[!INCLUDE [prevent-live-tile-pinning-start-include](includes/prevent-live-tile-pinning-start-include.md)] + +## Prevent the First Run webpage from opening on Microsoft Edge +[!INCLUDE [prevent-first-run-webpage-open-include.md](includes/prevent-first-run-webpage-open-include.md)] + +## Prevent turning off required extensions +[!INCLUDE [prevent-turning-off-required-extensions-include.md](includes/prevent-turning-off-required-extensions-include.md)] + +## Prevent users from turning on browser syncing +[!INCLUDE [prevent-users-to-turn-on-browser-syncing-include](includes/prevent-users-to-turn-on-browser-syncing-include.md)] + +## Prevent using Localhost IP address for WebRTC +[!INCLUDE [prevent-localhost-address-for-webrtc-include.md](includes/prevent-localhost-address-for-webrtc-include.md)] + +## Provision Favorites +[!INCLUDE [provision-favorites-include](includes/provision-favorites-include.md)] + +## Send all intranet sites to Internet Explorer 11 +[!INCLUDE [send-all-intranet-sites-ie-include.md](includes/send-all-intranet-sites-ie-include.md)] + +## Set default search engine +[!INCLUDE [set-default-search-engine-include.md](includes/set-default-search-engine-include.md)] + +## Set Home Button URL +[!INCLUDE [set-home-button-url-include](includes/set-home-button-url-include.md)] + +## Set New Tab page URL +[!INCLUDE [set-new-tab-url-include.md](includes/set-new-tab-url-include.md)] + +## Show message when opening sites in Internet Explorer +[!INCLUDE [show-message-opening-sites-ie-include](includes/show-message-opening-sites-ie-include.md)] + +## Unlock Home Button +[!INCLUDE [unlock-home-button-include.md](includes/unlock-home-button-include.md)] + + + +## Related topics +- [Mobile Device Management (MDM) settings](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) +- [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921) +- [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922) +- [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923) +- [Group Policy and Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=617924). diff --git a/browsers/edge/change-history-for-microsoft-edge.md b/browsers/edge/change-history-for-microsoft-edge.md index 888b51a3bc..19530f7f71 100644 --- a/browsers/edge/change-history-for-microsoft-edge.md +++ b/browsers/edge/change-history-for-microsoft-edge.md @@ -1,102 +1,102 @@ ---- -title: Change history for Microsoft Edge (Microsoft Edge for IT Pros) -description: Discover what's new and updated in the Microsoft Edge for both Windows 10 and Windows 10 Mobile. -ms.prod: edge -ms.topic: reference -ms.mktglfcycl: explore -ms.sitesec: library -ms.localizationpriority: medium -manager: dansimp -ms.author: eravena -author: eavena -ms.date: 10/02/2018 -ms.reviewer: ---- - -# Change history for Microsoft Edge -Discover what's new and updated in the Microsoft Edge for both Windows 10 and Windows 10 Mobile. - - -#### [2018](#tab/2018/) -## October 2018 - -The Microsoft Edge team introduces new group policies and MDM settings for Microsoft Edge on Windows 10. The new policies let you enable/disable -full-screen mode, printing, favorites bar, saving history. You can also prevent certificate error overrides, and configure the New Tab page, Home button, and startup options, as well as manage extensions. - -We have discontinued the **Configure Favorites** group policy, so use the [Provision Favorites](available-policies.md#provision-favorites) policy instead. - ->>You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: ->> ->>      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - - - -| **New or updated** | **Group Policy** | **Description** | -|--------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------| -| New | [Allow fullscreen mode](group-policies/browser-settings-management-gp.md#allow-fullscreen-mode) | [!INCLUDE [allow-fullscreen-mode-shortdesc](shortdesc/allow-fullscreen-mode-shortdesc.md)] | -| New | [Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed](group-policies/prelaunch-preload-gp.md#allow-microsoft-edge-to-pre-launch-at-windows-startup-when-the-system-is-idle-and-each-time-microsoft-edge-is-closed) | [!INCLUDE [allow-prelaunch-shortdesc](shortdesc/allow-prelaunch-shortdesc.md)] | -| New | [Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed](group-policies/prelaunch-preload-gp.md#allow-microsoft-edge-to-load-the-start-and-new-tab-page-at-windows-startup-and-each-time-microsoft-edge-is-closed) | [!INCLUDE [allow-tab-preloading-shortdesc](shortdesc/allow-tab-preloading-shortdesc.md)] | -| New | [Allow printing](group-policies/browser-settings-management-gp.md#allow-printing) | [!INCLUDE [allow-printing-shortdesc](shortdesc/allow-printing-shortdesc.md)] | -| New | [Allow Saving History](group-policies/browser-settings-management-gp.md#allow-saving-history) | [!INCLUDE [allow-saving-history-shortdesc](shortdesc/allow-saving-history-shortdesc.md)] | -| New | [Allow sideloading of Extensions](group-policies/extensions-management-gp.md#allow-sideloading-of-extensions) | [!INCLUDE [allow-sideloading-of-extensions-shortdesc](shortdesc/allow-sideloading-of-extensions-shortdesc.md)] | -| New | [Configure collection of browsing data for Microsoft 365 Analytics](group-policies/telemetry-management-gp.md#configure-collection-of-browsing-data-for-microsoft-365-analytics) | [!INCLUDE [configure-browser-telemetry-for-m365-analytics-shortdesc](shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md)] | -| New | [Configure Favorites Bar](group-policies/favorites-management-gp.md#configure-favorites-bar) | [!INCLUDE [configure-favorites-bar-shortdesc](shortdesc/configure-favorites-bar-shortdesc.md)] | -| New | [Configure Home Button](group-policies/home-button-gp.md#configure-home-button) | [!INCLUDE [configure-home-button-shortdesc](shortdesc/configure-home-button-shortdesc.md)] | -| New | [Configure kiosk mode](available-policies.md#configure-kiosk-mode) | [!INCLUDE [configure-kiosk-mode-shortdesc](shortdesc/configure-kiosk-mode-shortdesc.md)] | -| New | [Configure kiosk reset after idle timeout](available-policies.md#configure-kiosk-reset-after-idle-timeout) | [!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] | -| New | [Configure Open Microsoft Edge With](group-policies/start-pages-gp.md#configure-open-microsoft-edge-with) | [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] | -| New | [Prevent certificate error overrides](group-policies/security-privacy-management-gp.md#prevent-certificate-error-overrides) | [!INCLUDE [prevent-certificate-error-overrides-shortdesc](shortdesc/prevent-certificate-error-overrides-shortdesc.md)] | -| New | [Prevent users from turning on browser syncing](group-policies/sync-browser-settings-gp.md#prevent-users-from-turning-on-browser-syncing) | [!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] | -| New | [Prevent turning off required extensions](group-policies/extensions-management-gp.md#prevent-turning-off-required-extensions) | [!INCLUDE [prevent-turning-off-required-extensions-shortdesc](shortdesc/prevent-turning-off-required-extensions-shortdesc.md)] | -| New | [Set Home Button URL](group-policies/home-button-gp.md#set-home-button-url) | [!INCLUDE [set-home-button-url-shortdesc](shortdesc/set-home-button-url-shortdesc.md)] | -| New | [Set New Tab page URL](group-policies/new-tab-page-settings-gp.md#set-new-tab-page-url) | [!INCLUDE [set-new-tab-url-shortdesc](shortdesc/set-new-tab-url-shortdesc.md)] | -| Updated | [Show message when opening sites in Internet Explorer](group-policies/interoperability-enterprise-guidance-gp.md#show-message-when-opening-sites-in-internet-explorer) | [!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)] | -| New | [Unlock Home Button](group-policies/home-button-gp.md#unlock-home-button) | [!INCLUDE [unlock-home-button-shortdesc](shortdesc/unlock-home-button-shortdesc.md)] | - -#### [2017](#tab/2017/) -## September 2017 - -|New or changed topic | Description | -|---------------------|-------------| -|[Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros](microsoft-edge-faq.md) | New | - -## February 2017 - -|New or changed topic | Description | -|----------------------|-------------| -|[Available Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](available-policies.md) |Added new Group Policy and MDM settings for the Windows Insider Program. Reformatted for easier readability outside of scrolling table. | - - -#### [2016](#tab/2016/) -## November 2016 - -|New or changed topic | Description | -|----------------------|-------------| -|[Browser: Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) |Added the infographic image and a download link.| -|[Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) |Added a note about the 65 second wait before checking for a newer version of the site list .XML file. | -|[Available policies for Microsoft Edge](available-policies.md) |Added notes to the Configure the Enterprise Mode Site List Group Policy and the EnterpriseModeSiteList MDM policy about the 65 second wait before checking for a newer version of the site list .XML file. | -|Microsoft Edge - Deployment Guide for IT Pros |Added a link to the Microsoft Edge infographic, helping you to evaluate the potential impact of using Microsoft Edge in your organization. | -|[Browser: Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) |Added a link to the Microsoft Edge infographic, helping you to evaluate the potential impact of using Microsoft Edge in your organization. | - -## July 2016 - -|New or changed topic | Description | -|----------------------|-------------| -|[Microsoft Edge requirements and language support](hardware-and-software-requirements.md)| Updated to include a note about the Long Term Servicing Branch (LTSB). | -|[Enterprise guidance about using Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) | Content moved from What's New section. | -|[Available policies for Microsoft Edge](available-policies.md) |Updated | - - -## June 2016 - -|New or changed topic | Description | -|----------------------|-------------| -|[Security enhancements for Microsoft Edge](security-enhancements-microsoft-edge.md) |New | - -## May 2016 - -|New or changed topic | Description | -|----------------------|-------------| -|[Available Policies for Microsoft Edge](available-policies.md) | Added new policies and the Supported versions column for Windows 10 Insider Preview. | - -* * * +--- +title: Change history for Microsoft Edge (Microsoft Edge for IT Pros) +description: Discover what's new and updated in the Microsoft Edge for both Windows 10 and Windows 10 Mobile. +ms.prod: edge +ms.topic: reference +ms.mktglfcycl: explore +ms.sitesec: library +ms.localizationpriority: medium +audience: itpro manager: dansimp +ms.author: eravena +author: eavena +ms.date: 10/02/2018 +ms.reviewer: +--- + +# Change history for Microsoft Edge +Discover what's new and updated in the Microsoft Edge for both Windows 10 and Windows 10 Mobile. + + +#### [2018](#tab/2018/) +## October 2018 + +The Microsoft Edge team introduces new group policies and MDM settings for Microsoft Edge on Windows 10. The new policies let you enable/disable +full-screen mode, printing, favorites bar, saving history. You can also prevent certificate error overrides, and configure the New Tab page, Home button, and startup options, as well as manage extensions. + +We have discontinued the **Configure Favorites** group policy, so use the [Provision Favorites](available-policies.md#provision-favorites) policy instead. + +>>You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: +>> +>>      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + + + +| **New or updated** | **Group Policy** | **Description** | +|--------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------| +| New | [Allow fullscreen mode](group-policies/browser-settings-management-gp.md#allow-fullscreen-mode) | [!INCLUDE [allow-fullscreen-mode-shortdesc](shortdesc/allow-fullscreen-mode-shortdesc.md)] | +| New | [Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed](group-policies/prelaunch-preload-gp.md#allow-microsoft-edge-to-pre-launch-at-windows-startup-when-the-system-is-idle-and-each-time-microsoft-edge-is-closed) | [!INCLUDE [allow-prelaunch-shortdesc](shortdesc/allow-prelaunch-shortdesc.md)] | +| New | [Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed](group-policies/prelaunch-preload-gp.md#allow-microsoft-edge-to-load-the-start-and-new-tab-page-at-windows-startup-and-each-time-microsoft-edge-is-closed) | [!INCLUDE [allow-tab-preloading-shortdesc](shortdesc/allow-tab-preloading-shortdesc.md)] | +| New | [Allow printing](group-policies/browser-settings-management-gp.md#allow-printing) | [!INCLUDE [allow-printing-shortdesc](shortdesc/allow-printing-shortdesc.md)] | +| New | [Allow Saving History](group-policies/browser-settings-management-gp.md#allow-saving-history) | [!INCLUDE [allow-saving-history-shortdesc](shortdesc/allow-saving-history-shortdesc.md)] | +| New | [Allow sideloading of Extensions](group-policies/extensions-management-gp.md#allow-sideloading-of-extensions) | [!INCLUDE [allow-sideloading-of-extensions-shortdesc](shortdesc/allow-sideloading-of-extensions-shortdesc.md)] | +| New | [Configure collection of browsing data for Microsoft 365 Analytics](group-policies/telemetry-management-gp.md#configure-collection-of-browsing-data-for-microsoft-365-analytics) | [!INCLUDE [configure-browser-telemetry-for-m365-analytics-shortdesc](shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md)] | +| New | [Configure Favorites Bar](group-policies/favorites-management-gp.md#configure-favorites-bar) | [!INCLUDE [configure-favorites-bar-shortdesc](shortdesc/configure-favorites-bar-shortdesc.md)] | +| New | [Configure Home Button](group-policies/home-button-gp.md#configure-home-button) | [!INCLUDE [configure-home-button-shortdesc](shortdesc/configure-home-button-shortdesc.md)] | +| New | [Configure kiosk mode](available-policies.md#configure-kiosk-mode) | [!INCLUDE [configure-kiosk-mode-shortdesc](shortdesc/configure-kiosk-mode-shortdesc.md)] | +| New | [Configure kiosk reset after idle timeout](available-policies.md#configure-kiosk-reset-after-idle-timeout) | [!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] | +| New | [Configure Open Microsoft Edge With](group-policies/start-pages-gp.md#configure-open-microsoft-edge-with) | [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] | +| New | [Prevent certificate error overrides](group-policies/security-privacy-management-gp.md#prevent-certificate-error-overrides) | [!INCLUDE [prevent-certificate-error-overrides-shortdesc](shortdesc/prevent-certificate-error-overrides-shortdesc.md)] | +| New | [Prevent users from turning on browser syncing](group-policies/sync-browser-settings-gp.md#prevent-users-from-turning-on-browser-syncing) | [!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] | +| New | [Prevent turning off required extensions](group-policies/extensions-management-gp.md#prevent-turning-off-required-extensions) | [!INCLUDE [prevent-turning-off-required-extensions-shortdesc](shortdesc/prevent-turning-off-required-extensions-shortdesc.md)] | +| New | [Set Home Button URL](group-policies/home-button-gp.md#set-home-button-url) | [!INCLUDE [set-home-button-url-shortdesc](shortdesc/set-home-button-url-shortdesc.md)] | +| New | [Set New Tab page URL](group-policies/new-tab-page-settings-gp.md#set-new-tab-page-url) | [!INCLUDE [set-new-tab-url-shortdesc](shortdesc/set-new-tab-url-shortdesc.md)] | +| Updated | [Show message when opening sites in Internet Explorer](group-policies/interoperability-enterprise-guidance-gp.md#show-message-when-opening-sites-in-internet-explorer) | [!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)] | +| New | [Unlock Home Button](group-policies/home-button-gp.md#unlock-home-button) | [!INCLUDE [unlock-home-button-shortdesc](shortdesc/unlock-home-button-shortdesc.md)] | + +#### [2017](#tab/2017/) +## September 2017 + +|New or changed topic | Description | +|---------------------|-------------| +|[Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros](microsoft-edge-faq.md) | New | + +## February 2017 + +|New or changed topic | Description | +|----------------------|-------------| +|[Available Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](available-policies.md) |Added new Group Policy and MDM settings for the Windows Insider Program. Reformatted for easier readability outside of scrolling table. | + + +#### [2016](#tab/2016/) +## November 2016 + +|New or changed topic | Description | +|----------------------|-------------| +|[Browser: Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) |Added the infographic image and a download link.| +|[Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) |Added a note about the 65 second wait before checking for a newer version of the site list .XML file. | +|[Available policies for Microsoft Edge](available-policies.md) |Added notes to the Configure the Enterprise Mode Site List Group Policy and the EnterpriseModeSiteList MDM policy about the 65 second wait before checking for a newer version of the site list .XML file. | +|Microsoft Edge - Deployment Guide for IT Pros |Added a link to the Microsoft Edge infographic, helping you to evaluate the potential impact of using Microsoft Edge in your organization. | +|[Browser: Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) |Added a link to the Microsoft Edge infographic, helping you to evaluate the potential impact of using Microsoft Edge in your organization. | + +## July 2016 + +|New or changed topic | Description | +|----------------------|-------------| +|[Microsoft Edge requirements and language support](hardware-and-software-requirements.md)| Updated to include a note about the Long Term Servicing Branch (LTSB). | +|[Enterprise guidance about using Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) | Content moved from What's New section. | +|[Available policies for Microsoft Edge](available-policies.md) |Updated | + + +## June 2016 + +|New or changed topic | Description | +|----------------------|-------------| +|[Security enhancements for Microsoft Edge](security-enhancements-microsoft-edge.md) |New | + +## May 2016 + +|New or changed topic | Description | +|----------------------|-------------| +|[Available Policies for Microsoft Edge](available-policies.md) | Added new policies and the Supported versions column for Windows 10 Insider Preview. | + +* * * diff --git a/browsers/edge/edge-technical-demos.md b/browsers/edge/edge-technical-demos.md index 5e6a3bbd9f..8326776612 100644 --- a/browsers/edge/edge-technical-demos.md +++ b/browsers/edge/edge-technical-demos.md @@ -1,38 +1,38 @@ ---- -title: Microsoft Edge training and demonstrations -ms.reviewer: -manager: dansimp -description: Get access to training and demonstrations for Microsoft Edge. -ms.prod: edge -ms.topic: article -ms.manager: elizapo -author: msdmaguire -ms.author: dmaguire -ms.localizationpriority: high ---- - -# Microsoft Edge training and demonstrations - -Explore security and compatibility features of Microsoft Edge, and get tips to increase manageability, productivity, and support for legacy apps. - -## Virtual labs - -Microsoft Hands-On Labs let you experience a software product or technology using a cloud-based private virtual machine environment. Get free access to one or more virtual machines, with no additional software or setup required. - -Check out the **Use Internet Explorer Enterprise Mode to fix compatibility issues (WS00137)" on the [self-paced labs site](https://www.microsoft.com/handsonlabs/SelfPacedLabs/?storyGuid=e4155067-2c7e-4b46-8496-eca38bedca02). - -## Features and functionality - -Find out more about new and improved features of Microsoft Edge, and how you can leverage them to bring increased productivity, security, manageability, and support for legacy apps to your secure, modern desktop. - -### Building a faster browser: Behind the scenes improvements in Microsoft Edge - -Get a behind the scenes look at Microsoft Edge and the improvements we've made to make it faster and more efficient. - -> [!VIDEO https://channel9.msdn.com/events/webplatformsummit/microsoft-edge-web-summit-2017/es14/player] - -### Building a safer browser: Four guards to keep users safe - -Learn about our security strategy and how we use the Four Guards to keep your users safe while they browse the Internet. - -> [!VIDEO https://channel9.msdn.com/events/webplatformsummit/microsoft-edge-web-summit-2017/es03/player] +--- +title: Microsoft Edge training and demonstrations +ms.reviewer: +audience: itpro manager: dansimp +description: Get access to training and demonstrations for Microsoft Edge. +ms.prod: edge +ms.topic: article +ms.manager: elizapo +author: msdmaguire +ms.author: dmaguire +ms.localizationpriority: high +--- + +# Microsoft Edge training and demonstrations + +Explore security and compatibility features of Microsoft Edge, and get tips to increase manageability, productivity, and support for legacy apps. + +## Virtual labs + +Microsoft Hands-On Labs let you experience a software product or technology using a cloud-based private virtual machine environment. Get free access to one or more virtual machines, with no additional software or setup required. + +Check out the **Use Internet Explorer Enterprise Mode to fix compatibility issues (WS00137)" on the [self-paced labs site](https://www.microsoft.com/handsonlabs/SelfPacedLabs/?storyGuid=e4155067-2c7e-4b46-8496-eca38bedca02). + +## Features and functionality + +Find out more about new and improved features of Microsoft Edge, and how you can leverage them to bring increased productivity, security, manageability, and support for legacy apps to your secure, modern desktop. + +### Building a faster browser: Behind the scenes improvements in Microsoft Edge + +Get a behind the scenes look at Microsoft Edge and the improvements we've made to make it faster and more efficient. + +> [!VIDEO https://channel9.msdn.com/events/webplatformsummit/microsoft-edge-web-summit-2017/es14/player] + +### Building a safer browser: Four guards to keep users safe + +Learn about our security strategy and how we use the Four Guards to keep your users safe while they browse the Internet. + +> [!VIDEO https://channel9.msdn.com/events/webplatformsummit/microsoft-edge-web-summit-2017/es03/player] diff --git a/browsers/edge/emie-to-improve-compatibility.md b/browsers/edge/emie-to-improve-compatibility.md index afd92b1690..bddff62c1d 100644 --- a/browsers/edge/emie-to-improve-compatibility.md +++ b/browsers/edge/emie-to-improve-compatibility.md @@ -2,18 +2,18 @@ description: If you're having problems with Microsoft Edge, this topic tells how to use the Enterprise Mode site list to automatically open sites using IE11. ms.assetid: 89c75f7e-35ca-4ca8-96fa-b3b498b53bE4 ms.reviewer: +audience: itpro manager: dansimp author: eavena ms.author: eravena -ms.manager: dougkim -ms.prod: browser-edge +ms.manager: dansimp +ms.prod: edge ms.topic: reference ms.mktglfcycl: support ms.sitesec: library ms.pagetype: appcompat title: Use Enterprise Mode to improve compatibility (Microsoft Edge for IT Pros) ms.localizationpriority: medium -ms.date: 10/24/2018 --- # Use Enterprise Mode to improve compatibility diff --git a/browsers/edge/group-policies/address-bar-settings-gp.md b/browsers/edge/group-policies/address-bar-settings-gp.md index 9997f747b5..d29ed1ca88 100644 --- a/browsers/edge/group-policies/address-bar-settings-gp.md +++ b/browsers/edge/group-policies/address-bar-settings-gp.md @@ -1,33 +1,33 @@ ---- -title: Microsoft Edge - Address bar group policies -description: Microsoft Edge, by default, shows a list of search suggestions in the address bar. You can minimize network connections from Microsoft Edge to Microsoft services, hiding the functionality of the Address bar drop-down list. -services: -keywords: -ms.localizationpriority: medium -manager: dansimp -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -ms.topic: reference -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library ---- - -# Address bar - -Microsoft Edge, by default, shows a list of search suggestions in the address bar. You can minimize network connections from Microsoft Edge to Microsoft services by hiding the functionality of the Address bar drop-down list. - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - - - -## Allow Address bar drop-down list suggestions -[!INCLUDE [allow-address-bar-suggestions-include.md](../includes/allow-address-bar-suggestions-include.md)] - -## Configure search suggestions in Address bar -[!INCLUDE [configure-search-suggestions-address-bar-include.md](../includes/configure-search-suggestions-address-bar-include.md)] - +--- +title: Microsoft Edge - Address bar group policies +description: Microsoft Edge, by default, shows a list of search suggestions in the address bar. You can minimize network connections from Microsoft Edge to Microsoft services, hiding the functionality of the Address bar drop-down list. +services: +keywords: +ms.localizationpriority: medium +audience: itpro manager: dansimp +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +ms.topic: reference +ms.prod: edge +ms.mktglfcycl: explore +ms.sitesec: library +--- + +# Address bar + +Microsoft Edge, by default, shows a list of search suggestions in the address bar. You can minimize network connections from Microsoft Edge to Microsoft services by hiding the functionality of the Address bar drop-down list. + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + + + +## Allow Address bar drop-down list suggestions +[!INCLUDE [allow-address-bar-suggestions-include.md](../includes/allow-address-bar-suggestions-include.md)] + +## Configure search suggestions in Address bar +[!INCLUDE [configure-search-suggestions-address-bar-include.md](../includes/configure-search-suggestions-address-bar-include.md)] + diff --git a/browsers/edge/group-policies/adobe-settings-gp.md b/browsers/edge/group-policies/adobe-settings-gp.md index cb27d41986..6efc8ee3f8 100644 --- a/browsers/edge/group-policies/adobe-settings-gp.md +++ b/browsers/edge/group-policies/adobe-settings-gp.md @@ -1,35 +1,35 @@ ---- -title: Microsoft Edge - Adobe Flash group policies -description: Adobe Flash Player still has a significant presence on the internet, such as digital ads. However, open standards, such as HTML5, provide many of the capabilities and functionalities becoming an alternative for content on the web. With Adobe no longer supporting Flash after 2020, Microsoft has started to phase out Flash from Microsoft Edge by adding the Configure the Adobe Flash Click-to-Run setting group policy giving you a way to control the list of websites that have permission to run Adobe Flash content. -services: -keywords: -ms.localizationpriority: medium -manager: dansimp -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -ms.topic: reference -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library ---- - -# Adobe Flash - -Adobe Flash Player still has a significant presence on the internet, such as digital ads. However, open standards, such as HTML5, provide many of the capabilities and functionalities becoming an alternative for content on the web. With Adobe no longer supporting Flash after 2020, Microsoft has started to phase out Flash from Microsoft Edge by adding the [Configure the Adobe Flash Click-to-Run setting](#configure-the-adobe-flash-click-to-run-setting) group policy giving you a way to control the list of websites that have permission to run Adobe Flash content. - -To learn more about Microsoft’s plan for phasing out Flash from Microsoft Edge and Internet Explorer, see [The End of an Era — Next Steps for Adobe Flash]( https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#3Bcc3QjRw0l7XsZ4.97) (blog article). - - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Allow Adobe Flash -[!INCLUDE [allow-adobe-flash-include.md](../includes/allow-adobe-flash-include.md)] - - -## Configure the Adobe Flash Click-to-Run setting -[!INCLUDE [configure-adobe-flash-click-to-run-include.md](../includes/configure-adobe-flash-click-to-run-include.md)] - +--- +title: Microsoft Edge - Adobe Flash group policies +description: Adobe Flash Player still has a significant presence on the internet, such as digital ads. However, open standards, such as HTML5, provide many of the capabilities and functionalities becoming an alternative for content on the web. With Adobe no longer supporting Flash after 2020, Microsoft has started to phase out Flash from Microsoft Edge by adding the Configure the Adobe Flash Click-to-Run setting group policy giving you a way to control the list of websites that have permission to run Adobe Flash content. +services: +keywords: +ms.localizationpriority: medium +audience: itpro manager: dansimp +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +ms.topic: reference +ms.prod: edge +ms.mktglfcycl: explore +ms.sitesec: library +--- + +# Adobe Flash + +Adobe Flash Player still has a significant presence on the internet, such as digital ads. However, open standards, such as HTML5, provide many of the capabilities and functionalities becoming an alternative for content on the web. With Adobe no longer supporting Flash after 2020, Microsoft has started to phase out Flash from Microsoft Edge by adding the [Configure the Adobe Flash Click-to-Run setting](#configure-the-adobe-flash-click-to-run-setting) group policy giving you a way to control the list of websites that have permission to run Adobe Flash content. + +To learn more about Microsoft’s plan for phasing out Flash from Microsoft Edge and Internet Explorer, see [The End of an Era — Next Steps for Adobe Flash]( https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#3Bcc3QjRw0l7XsZ4.97) (blog article). + + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Allow Adobe Flash +[!INCLUDE [allow-adobe-flash-include.md](../includes/allow-adobe-flash-include.md)] + + +## Configure the Adobe Flash Click-to-Run setting +[!INCLUDE [configure-adobe-flash-click-to-run-include.md](../includes/configure-adobe-flash-click-to-run-include.md)] + diff --git a/browsers/edge/group-policies/books-library-management-gp.md b/browsers/edge/group-policies/books-library-management-gp.md index b6649b869c..633b5b8b51 100644 --- a/browsers/edge/group-policies/books-library-management-gp.md +++ b/browsers/edge/group-policies/books-library-management-gp.md @@ -1,37 +1,37 @@ ---- -title: Microsoft Edge - Books Library group policies -description: Microsoft Edge decreases the amount of storage used by book files by downloading them to a shared folder. You can also allow Microsoft Edge to update the configuration data for the library automatically. -services: -keywords: -ms.localizationpriority: medium -manager: dansimp -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -ms.topic: reference -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library ---- - -# Books Library - -Microsoft Edge decreases the amount of storage used by book files by downloading them to a shared folder in Windows. You can configure Microsoft Edge to update the configuration data for the library automatically or gather diagnostic data, such as usage data. - - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Allow a shared books folder -[!INCLUDE [allow-shared-folder-books-include.md](../includes/allow-shared-folder-books-include.md)] - -## Allow configuration updates for the Books Library -[!INCLUDE [allow-config-updates-books-include.md](../includes/allow-config-updates-books-include.md)] - -## Allow extended telemetry for the Books tab -[!INCLUDE [allow-ext-telemetry-books-tab-include.md](../includes/allow-ext-telemetry-books-tab-include.md)] - -## Always show the Books Library in Microsoft Edge -[!INCLUDE [always-enable-book-library-include.md](../includes/always-enable-book-library-include.md)] +--- +title: Microsoft Edge - Books Library group policies +description: Microsoft Edge decreases the amount of storage used by book files by downloading them to a shared folder. You can also allow Microsoft Edge to update the configuration data for the library automatically. +services: +keywords: +ms.localizationpriority: medium +audience: itpro manager: dansimp +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +ms.topic: reference +ms.prod: edge +ms.mktglfcycl: explore +ms.sitesec: library +--- + +# Books Library + +Microsoft Edge decreases the amount of storage used by book files by downloading them to a shared folder in Windows. You can configure Microsoft Edge to update the configuration data for the library automatically or gather diagnostic data, such as usage data. + + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Allow a shared books folder +[!INCLUDE [allow-shared-folder-books-include.md](../includes/allow-shared-folder-books-include.md)] + +## Allow configuration updates for the Books Library +[!INCLUDE [allow-config-updates-books-include.md](../includes/allow-config-updates-books-include.md)] + +## Allow extended telemetry for the Books tab +[!INCLUDE [allow-ext-telemetry-books-tab-include.md](../includes/allow-ext-telemetry-books-tab-include.md)] + +## Always show the Books Library in Microsoft Edge +[!INCLUDE [always-enable-book-library-include.md](../includes/always-enable-book-library-include.md)] diff --git a/browsers/edge/group-policies/browser-settings-management-gp.md b/browsers/edge/group-policies/browser-settings-management-gp.md index 8de1ada8f5..296b99b037 100644 --- a/browsers/edge/group-policies/browser-settings-management-gp.md +++ b/browsers/edge/group-policies/browser-settings-management-gp.md @@ -1,52 +1,52 @@ ---- -title: Microsoft Edge - Browser experience group policies -description: Not only do the other Microsoft Edge group policies enhance the browsing experience, but we must also talk about some of the most common or somewhat common browsing experiences. For example, printing web content is a common browsing experience. However, if you want to prevent users from printing web content, Microsoft Edge has a group policy that allows you to prevent printing. -services: -keywords: -ms.localizationpriority: medium -manager: dansimp -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -ms.topic: reference -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library ---- - -# Browser experience - -Not only do the other Microsoft Edge group policies enhance the browsing experience, but we also want to mention some of the other and common browsing experiences. For example, printing web content is a common browsing experience. However, if you want to prevent users from printing web content, Microsoft Edge has a group policy that allows you to prevent printing. The same goes for Pop-up Blocker; Microsoft Edge has a group policy that lets you prevent pop-up windows or let users choose to use Pop-up Blocker. You can use any one of the following group policies to continue enhancing the browsing experience for your users. - - - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Allow clearing browsing data on exit -[!INCLUDE [allow-clearing-browsing-data-include](../includes/allow-clearing-browsing-data-include.md)] - -## Allow fullscreen mode -[!INCLUDE [allow-full-screen-include](../includes/allow-full-screen-include.md)] - -## Allow printing -[!INCLUDE [allow-printing-include](../includes/allow-printing-include.md)] - -## Allow Saving History -[!INCLUDE [allow-saving-history-include](../includes/allow-saving-history-include.md)] - -## Configure Autofill -[!INCLUDE [configure-autofill-include](../includes/configure-autofill-include.md)] - -## Configure Pop-up Blocker -[!INCLUDE [configure-pop-up-blocker-include](../includes/configure-pop-up-blocker-include.md)] - -## Do not sync -[!INCLUDE [do-not-sync-include](../includes/do-not-sync-include.md)] - -To learn about the policies to sync the browser settings, see [Sync browser settings](sync-browser-settings-gp.md). - - - +--- +title: Microsoft Edge - Browser experience group policies +description: Not only do the other Microsoft Edge group policies enhance the browsing experience, but we must also talk about some of the most common or somewhat common browsing experiences. For example, printing web content is a common browsing experience. However, if you want to prevent users from printing web content, Microsoft Edge has a group policy that allows you to prevent printing. +services: +keywords: +ms.localizationpriority: medium +audience: itpro manager: dansimp +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +ms.topic: reference +ms.prod: edge +ms.mktglfcycl: explore +ms.sitesec: library +--- + +# Browser experience + +Not only do the other Microsoft Edge group policies enhance the browsing experience, but we also want to mention some of the other and common browsing experiences. For example, printing web content is a common browsing experience. However, if you want to prevent users from printing web content, Microsoft Edge has a group policy that allows you to prevent printing. The same goes for Pop-up Blocker; Microsoft Edge has a group policy that lets you prevent pop-up windows or let users choose to use Pop-up Blocker. You can use any one of the following group policies to continue enhancing the browsing experience for your users. + + + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Allow clearing browsing data on exit +[!INCLUDE [allow-clearing-browsing-data-include](../includes/allow-clearing-browsing-data-include.md)] + +## Allow fullscreen mode +[!INCLUDE [allow-full-screen-include](../includes/allow-full-screen-include.md)] + +## Allow printing +[!INCLUDE [allow-printing-include](../includes/allow-printing-include.md)] + +## Allow Saving History +[!INCLUDE [allow-saving-history-include](../includes/allow-saving-history-include.md)] + +## Configure Autofill +[!INCLUDE [configure-autofill-include](../includes/configure-autofill-include.md)] + +## Configure Pop-up Blocker +[!INCLUDE [configure-pop-up-blocker-include](../includes/configure-pop-up-blocker-include.md)] + +## Do not sync +[!INCLUDE [do-not-sync-include](../includes/do-not-sync-include.md)] + +To learn about the policies to sync the browser settings, see [Sync browser settings](sync-browser-settings-gp.md). + + + diff --git a/browsers/edge/group-policies/developer-settings-gp.md b/browsers/edge/group-policies/developer-settings-gp.md index c13c677abc..a5d7e4f42b 100644 --- a/browsers/edge/group-policies/developer-settings-gp.md +++ b/browsers/edge/group-policies/developer-settings-gp.md @@ -1,31 +1,31 @@ ---- -title: Microsoft Edge - Developer tools -description: Microsoft Edge, by default, allows users to use the F12 developer tools as well as access the about:flags page. You can prevent users from using the F12 developer tools or from accessing the about:flags page. -services: -keywords: -ms.localizationpriority: medium -manager: dougkim -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.topic: reference -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library ---- - -# Developer tools - -Microsoft Edge, by default, allows users to use the F12 developer tools as well as access the about:flags page. You can prevent users from using the F12 developer tools or from accessing the about:flags page. - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Allow Developer Tools -[!INCLUDE [allow-dev-tools-include](../includes/allow-dev-tools-include.md)] - -## Prevent access to the about:flags page -[!INCLUDE [prevent-access-about-flag-include](../includes/prevent-access-about-flag-include.md)] +--- +title: Microsoft Edge - Developer tools +description: Microsoft Edge, by default, allows users to use the F12 developer tools as well as access the about:flags page. You can prevent users from using the F12 developer tools or from accessing the about:flags page. +services: +keywords: +ms.localizationpriority: medium +manager: dougkim +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.topic: reference +ms.prod: edge +ms.mktglfcycl: explore +ms.sitesec: library +--- + +# Developer tools + +Microsoft Edge, by default, allows users to use the F12 developer tools as well as access the about:flags page. You can prevent users from using the F12 developer tools or from accessing the about:flags page. + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Allow Developer Tools +[!INCLUDE [allow-dev-tools-include](../includes/allow-dev-tools-include.md)] + +## Prevent access to the about:flags page +[!INCLUDE [prevent-access-about-flag-include](../includes/prevent-access-about-flag-include.md)] diff --git a/browsers/edge/group-policies/extensions-management-gp.md b/browsers/edge/group-policies/extensions-management-gp.md index 64ceac0368..5230bc5f52 100644 --- a/browsers/edge/group-policies/extensions-management-gp.md +++ b/browsers/edge/group-policies/extensions-management-gp.md @@ -1,33 +1,33 @@ ---- -title: Microsoft Edge - Extensions group policies -description: Currently, Microsoft Edge allows users to add or personalize, and uninstall extensions. You can prevent users from uninstalling extensions or sideloading of extensions, which does not prevent sideloading using Add-AppxPackage via PowerShell. Allowing sideloading of extensions installs and runs unverified extensions. -services: -keywords: -ms.localizationpriority: medium -manager: dansimp -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -ms.topic: reference -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library ---- - -# Extensions - -Currently, Microsoft Edge allows users to add or personalize, and uninstall extensions. You can prevent users from uninstalling extensions or sideloading of extensions, which does not prevent sideloading using Add-AppxPackage via PowerShell. Allowing sideloading of extensions installs and runs unverified extensions. - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Allow Extensions -[!INCLUDE [allow-extensions-include](../includes/allow-extensions-include.md)] - -## Allow sideloading of extensions -[!INCLUDE [allow-sideloading-extensions-include](../includes/allow-sideloading-extensions-include.md)] - -## Prevent turning off required extensions -[!INCLUDE [prevent-turning-off-required-extensions-include](../includes/prevent-turning-off-required-extensions-include.md)] +--- +title: Microsoft Edge - Extensions group policies +description: Currently, Microsoft Edge allows users to add or personalize, and uninstall extensions. You can prevent users from uninstalling extensions or sideloading of extensions, which does not prevent sideloading using Add-AppxPackage via PowerShell. Allowing sideloading of extensions installs and runs unverified extensions. +services: +keywords: +ms.localizationpriority: medium +audience: itpro manager: dansimp +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +ms.topic: reference +ms.prod: edge +ms.mktglfcycl: explore +ms.sitesec: library +--- + +# Extensions + +Currently, Microsoft Edge allows users to add or personalize, and uninstall extensions. You can prevent users from uninstalling extensions or sideloading of extensions, which does not prevent sideloading using Add-AppxPackage via PowerShell. Allowing sideloading of extensions installs and runs unverified extensions. + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Allow Extensions +[!INCLUDE [allow-extensions-include](../includes/allow-extensions-include.md)] + +## Allow sideloading of extensions +[!INCLUDE [allow-sideloading-extensions-include](../includes/allow-sideloading-extensions-include.md)] + +## Prevent turning off required extensions +[!INCLUDE [prevent-turning-off-required-extensions-include](../includes/prevent-turning-off-required-extensions-include.md)] diff --git a/browsers/edge/group-policies/favorites-management-gp.md b/browsers/edge/group-policies/favorites-management-gp.md index 9e33839605..6ba684a843 100644 --- a/browsers/edge/group-policies/favorites-management-gp.md +++ b/browsers/edge/group-policies/favorites-management-gp.md @@ -1,39 +1,39 @@ ---- -title: Microsoft Edge - Favorites group policies -description: Configure Microsoft Edge to either show or hide the favorites bar on all pages. Microsoft Edge hides the favorites bar by default but shows the favorites bar on the Start and New tab pages. Also, by default, the favorites bar toggle, in Settings, is set to Off but enabled allowing users to make changes. -services: -keywords: -ms.localizationpriority: medium -manager: dansimp -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -ms.topic: reference -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library ---- - -# Favorites - -You can customize the favorites bar, for example, you can turn off features such as Save a Favorite and Import settings, and hide or show the favorites bar on all pages. Another customization you can make is provisioning a standard list of favorites, including folders, to appear in addition to the user’s favorites. If it’s important to keep the favorites in both IE11 and Microsoft Edge synced, you can turn on syncing where changes to the list of favorites in one browser reflect in the other. - ->[!TIP] ->You can find the Favorites under C:\\Users\\<_username_>\\Favorites. - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Configure Favorites Bar -[!INCLUDE [configure-favorites-bar-include](../includes/configure-favorites-bar-include.md)] - -## Keep favorites in sync between Internet Explorer and Microsoft Edge -[!INCLUDE [keep-fav-sync-ie-edge-include](../includes/keep-fav-sync-ie-edge-include.md)] - -## Prevent changes to Favorites on Microsoft Edge -[!INCLUDE [prevent-changes-to-favorites-include](../includes/prevent-changes-to-favorites-include.md)] - -## Provision Favorites -[!INCLUDE [provision-favorites-include](../includes/provision-favorites-include.md)] +--- +title: Microsoft Edge - Favorites group policies +description: Configure Microsoft Edge to either show or hide the favorites bar on all pages. Microsoft Edge hides the favorites bar by default but shows the favorites bar on the Start and New tab pages. Also, by default, the favorites bar toggle, in Settings, is set to Off but enabled allowing users to make changes. +services: +keywords: +ms.localizationpriority: medium +audience: itpro manager: dansimp +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +ms.topic: reference +ms.prod: edge +ms.mktglfcycl: explore +ms.sitesec: library +--- + +# Favorites + +You can customize the favorites bar, for example, you can turn off features such as Save a Favorite and Import settings, and hide or show the favorites bar on all pages. Another customization you can make is provisioning a standard list of favorites, including folders, to appear in addition to the user’s favorites. If it’s important to keep the favorites in both IE11 and Microsoft Edge synced, you can turn on syncing where changes to the list of favorites in one browser reflect in the other. + +>[!TIP] +>You can find the Favorites under C:\\Users\\<_username_>\\Favorites. + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Configure Favorites Bar +[!INCLUDE [configure-favorites-bar-include](../includes/configure-favorites-bar-include.md)] + +## Keep favorites in sync between Internet Explorer and Microsoft Edge +[!INCLUDE [keep-fav-sync-ie-edge-include](../includes/keep-fav-sync-ie-edge-include.md)] + +## Prevent changes to Favorites on Microsoft Edge +[!INCLUDE [prevent-changes-to-favorites-include](../includes/prevent-changes-to-favorites-include.md)] + +## Provision Favorites +[!INCLUDE [provision-favorites-include](../includes/provision-favorites-include.md)] diff --git a/browsers/edge/group-policies/home-button-gp.md b/browsers/edge/group-policies/home-button-gp.md index 653b98b0c5..f9db9cbcb3 100644 --- a/browsers/edge/group-policies/home-button-gp.md +++ b/browsers/edge/group-policies/home-button-gp.md @@ -1,47 +1,47 @@ ---- -title: Microsoft Edge - Home button group policies -description: Microsoft Edge shows the home button, by default, and by clicking it the Start page loads. With the relevant Home button policies, you can configure the Home button to load the New tab page or a specific page. You can also configure Microsoft Edge to hide the home button. -manager: dansimp -ms.author: eravena -author: eavena -ms.date: 10/02/2018 -ms.reviewer: -ms.localizationpriority: medium -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library -ms.topic: reference ---- - -# Home button - -Microsoft Edge shows the home button, by default, and by clicking it the Start page loads. With the relevant Home button policies, you can configure the Home button to load the New tab page or a specific page. You can also configure Microsoft Edge to hide the home button. - -## Relevant group policies - -- [Configure Home Button](#configure-home-button) -- [Set Home Button URL](#set-home-button-url) -- [Unlock Home Button](#unlock-home-button) - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Configuration options - -![Show home button and load Start page or New Tab page](../images/home-button-start-new-tab-page-v4-sm.png) - -![Show home button and load custom URL](../images/home-buttom-custom-url-v4-sm.png) - -![Hide home button](../images/home-button-hide-v4-sm.png) - - -## Configure Home Button -[!INCLUDE [configure-home-button-include.md](../includes/configure-home-button-include.md)] - -## Set Home Button URL -[!INCLUDE [set-home-button-url-include](../includes/set-home-button-url-include.md)] - -## Unlock Home Button -[!INCLUDE [unlock-home-button-include.md](../includes/unlock-home-button-include.md)] - +--- +title: Microsoft Edge - Home button group policies +description: Microsoft Edge shows the home button, by default, and by clicking it the Start page loads. With the relevant Home button policies, you can configure the Home button to load the New tab page or a specific page. You can also configure Microsoft Edge to hide the home button. +audience: itpro manager: dansimp +ms.author: eravena +author: eavena +ms.date: 10/02/2018 +ms.reviewer: +ms.localizationpriority: medium +ms.prod: edge +ms.mktglfcycl: explore +ms.sitesec: library +ms.topic: reference +--- + +# Home button + +Microsoft Edge shows the home button, by default, and by clicking it the Start page loads. With the relevant Home button policies, you can configure the Home button to load the New tab page or a specific page. You can also configure Microsoft Edge to hide the home button. + +## Relevant group policies + +- [Configure Home Button](#configure-home-button) +- [Set Home Button URL](#set-home-button-url) +- [Unlock Home Button](#unlock-home-button) + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Configuration options + +![Show home button and load Start page or New Tab page](../images/home-button-start-new-tab-page-v4-sm.png) + +![Show home button and load custom URL](../images/home-buttom-custom-url-v4-sm.png) + +![Hide home button](../images/home-button-hide-v4-sm.png) + + +## Configure Home Button +[!INCLUDE [configure-home-button-include.md](../includes/configure-home-button-include.md)] + +## Set Home Button URL +[!INCLUDE [set-home-button-url-include](../includes/set-home-button-url-include.md)] + +## Unlock Home Button +[!INCLUDE [unlock-home-button-include.md](../includes/unlock-home-button-include.md)] + diff --git a/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md b/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md index c6779219cb..24dc169b1a 100644 --- a/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md +++ b/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md @@ -1,79 +1,79 @@ ---- -title: Microsoft Edge - Interoperability and enterprise mode guidance -description: Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List. If you are running web apps that continue to use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and modern standards support. -ms.localizationpriority: medium -manager: dansimp -ms.author: eravena -author: eavena -ms.date: 10/02/2018 -ms.reviewer: -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library -ms.topic: reference ---- - -# Interoperability and enterprise mode guidance - -Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List. If you are running web apps that continue to use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and modern standards support. - ->[!TIP] ->If you are running an earlier version of Internet Explorer, we recommend upgrading to IE11, so that any legacy apps continue to work correctly. - -**Technology not supported by Microsoft Edge** - - -- ActiveX controls - -- Browser Helper Objects - -- VBScript - -- x-ua-compatible headers - -- \ tags - -- Legacy document modes - -If you have specific websites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the websites automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work correctly with Microsoft Edge, you can set all intranet sites to open using IE11 automatically. - -Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. - -## Relevant group policies - - -1. [Configure the Enterprise Mode Site List](#configure-the-enterprise-mode-site-list) - -2. [Send all intranet sites to Internet Explorer 11](#send-all-intranet-sites-to-internet-explorer-11) - -3. [Show message when opening sites in Internet Explorer](#show-message-when-opening-sites-in-internet-explorer) - -4. [(IE11 policy) Send all sites not included in the Enterprise Mode Site List to Microsoft Edge](#ie11-policy-send-all-sites-not-included-in-the-enterprise-mode-site-list-to-microsoft-edge) - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Configuration options - -![Use Enterprise Mode with Microsoft Edge to improve compatibility](../images/use-enterprise-mode-with-microsoft-edge-sm.png) - - -## Configure the Enterprise Mode Site List - -[!INCLUDE [configure-enterprise-mode-site-list-include](../includes/configure-enterprise-mode-site-list-include.md)] - - -## Send all intranet sites to Internet Explorer 11 - -[!INCLUDE [send-all-intranet-sites-ie-include](../includes/send-all-intranet-sites-ie-include.md)] - - -## Show message when opening sites in Internet Explorer - -[!INCLUDE [show-message-opening-sites-ie-include](../includes/show-message-opening-sites-ie-include.md)] - - -## (IE11 policy) Send all sites not included in the Enterprise Mode Site List to Microsoft Edge - -[!INCLUDE [ie11-send-all-sites-not-in-site-list-include](../includes/ie11-send-all-sites-not-in-site-list-include.md)] +--- +title: Microsoft Edge - Interoperability and enterprise mode guidance +description: Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List. If you are running web apps that continue to use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and modern standards support. +ms.localizationpriority: medium +audience: itpro manager: dansimp +ms.author: eravena +author: eavena +ms.date: 10/02/2018 +ms.reviewer: +ms.prod: edge +ms.mktglfcycl: explore +ms.sitesec: library +ms.topic: reference +--- + +# Interoperability and enterprise mode guidance + +Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List. If you are running web apps that continue to use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and modern standards support. + +>[!TIP] +>If you are running an earlier version of Internet Explorer, we recommend upgrading to IE11, so that any legacy apps continue to work correctly. + +**Technology not supported by Microsoft Edge** + + +- ActiveX controls + +- Browser Helper Objects + +- VBScript + +- x-ua-compatible headers + +- \ tags + +- Legacy document modes + +If you have specific websites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the websites automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work correctly with Microsoft Edge, you can set all intranet sites to open using IE11 automatically. + +Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. + +## Relevant group policies + + +1. [Configure the Enterprise Mode Site List](#configure-the-enterprise-mode-site-list) + +2. [Send all intranet sites to Internet Explorer 11](#send-all-intranet-sites-to-internet-explorer-11) + +3. [Show message when opening sites in Internet Explorer](#show-message-when-opening-sites-in-internet-explorer) + +4. [(IE11 policy) Send all sites not included in the Enterprise Mode Site List to Microsoft Edge](#ie11-policy-send-all-sites-not-included-in-the-enterprise-mode-site-list-to-microsoft-edge) + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Configuration options + +![Use Enterprise Mode with Microsoft Edge to improve compatibility](../images/use-enterprise-mode-with-microsoft-edge-sm.png) + + +## Configure the Enterprise Mode Site List + +[!INCLUDE [configure-enterprise-mode-site-list-include](../includes/configure-enterprise-mode-site-list-include.md)] + + +## Send all intranet sites to Internet Explorer 11 + +[!INCLUDE [send-all-intranet-sites-ie-include](../includes/send-all-intranet-sites-ie-include.md)] + + +## Show message when opening sites in Internet Explorer + +[!INCLUDE [show-message-opening-sites-ie-include](../includes/show-message-opening-sites-ie-include.md)] + + +## (IE11 policy) Send all sites not included in the Enterprise Mode Site List to Microsoft Edge + +[!INCLUDE [ie11-send-all-sites-not-in-site-list-include](../includes/ie11-send-all-sites-not-in-site-list-include.md)] diff --git a/browsers/edge/group-policies/new-tab-page-settings-gp.md b/browsers/edge/group-policies/new-tab-page-settings-gp.md index 89d7050a86..7e0cf5f89e 100644 --- a/browsers/edge/group-policies/new-tab-page-settings-gp.md +++ b/browsers/edge/group-policies/new-tab-page-settings-gp.md @@ -1,46 +1,46 @@ ---- -title: Microsoft Edge - New Tab page group policies -description: Microsoft Edge loads the default New tab page by default. With the relevant New Tab policies, you can set a URL to load in the New Tab page and prevent users from making changes. You can also load a blank page instead or let the users choose what loads. -manager: dansimp -ms.author: eravena -author: eavena -ms.date: 10/02/2018 -ms.reviewer: -ms.localizationpriority: medium -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library -ms.topic: reference ---- - - -# New Tab page - -Microsoft Edge loads the default New tab page by default. With the relevant New Tab policies, you can set a URL to load in the New Tab page and prevent users from making changes. You can also load a blank page instead or let the users choose what loads. - ->[!NOTE] ->New tab pages do not load while running InPrivate mode. - -## Relevant group policies - -- [Set New Tab page URL](#set-new-tab-page-url) -- [Allow web content on New Tab page](#allow-web-content-on-new-tab-page) - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Configuration options - -![Load the default New Tab page](../images/load-default-new-tab-page-sm.png) - -![Load a blank page instead of the default New Tab page](../images/load-blank-page-not-new-tab-page-sm.png) - -![Let users choose what loads](../images/users-choose-new-tab-page-sm.png) - - -## Set New Tab page URL -[!INCLUDE [set-new-tab-url-include](../includes/set-new-tab-url-include.md)] - -## Allow web content on New Tab page -[!INCLUDE [allow-web-content-new-tab-page-include](../includes/allow-web-content-new-tab-page-include.md)] +--- +title: Microsoft Edge - New Tab page group policies +description: Microsoft Edge loads the default New tab page by default. With the relevant New Tab policies, you can set a URL to load in the New Tab page and prevent users from making changes. You can also load a blank page instead or let the users choose what loads. +audience: itpro manager: dansimp +ms.author: eravena +author: eavena +ms.date: 10/02/2018 +ms.reviewer: +ms.localizationpriority: medium +ms.prod: edge +ms.mktglfcycl: explore +ms.sitesec: library +ms.topic: reference +--- + + +# New Tab page + +Microsoft Edge loads the default New tab page by default. With the relevant New Tab policies, you can set a URL to load in the New Tab page and prevent users from making changes. You can also load a blank page instead or let the users choose what loads. + +>[!NOTE] +>New tab pages do not load while running InPrivate mode. + +## Relevant group policies + +- [Set New Tab page URL](#set-new-tab-page-url) +- [Allow web content on New Tab page](#allow-web-content-on-new-tab-page) + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Configuration options + +![Load the default New Tab page](../images/load-default-new-tab-page-sm.png) + +![Load a blank page instead of the default New Tab page](../images/load-blank-page-not-new-tab-page-sm.png) + +![Let users choose what loads](../images/users-choose-new-tab-page-sm.png) + + +## Set New Tab page URL +[!INCLUDE [set-new-tab-url-include](../includes/set-new-tab-url-include.md)] + +## Allow web content on New Tab page +[!INCLUDE [allow-web-content-new-tab-page-include](../includes/allow-web-content-new-tab-page-include.md)] diff --git a/browsers/edge/group-policies/prelaunch-preload-gp.md b/browsers/edge/group-policies/prelaunch-preload-gp.md index 51f6c1d949..7ff02e7924 100644 --- a/browsers/edge/group-policies/prelaunch-preload-gp.md +++ b/browsers/edge/group-policies/prelaunch-preload-gp.md @@ -1,10 +1,11 @@ --- title: Microsoft Edge - Prelaunch and tab preload group policies description: Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user. Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start up Microsoft Edge. +audience: itpro manager: dansimp ms.author: eravena author: eavena -ms.date: 10/02/2018 +ms.prod: edge ms.reviewer: ms.localizationpriority: medium ms.topic: reference diff --git a/browsers/edge/group-policies/search-engine-customization-gp.md b/browsers/edge/group-policies/search-engine-customization-gp.md index 1dfa9b9928..6d4876ef46 100644 --- a/browsers/edge/group-policies/search-engine-customization-gp.md +++ b/browsers/edge/group-policies/search-engine-customization-gp.md @@ -1,10 +1,11 @@ --- title: Microsoft Edge - Search engine customization group policies description: Microsoft Edge, by default, uses the search engine specified in App settings, which lets users make changes. You can prevent users from making changes and still use the search engine specified in App settings by disabling the Allow search engine customization policy. You can also use the policy-set search engine specified in the OpenSearch XML file in which you can configure up to five additional search engines and setting any one of them as the default. +audience: itpro manager: dansimp ms.author: eravena author: eavena -ms.date: 10/02/2018 +ms.prod: edge ms.reviewer: ms.localizationpriority: medium ms.topic: reference diff --git a/browsers/edge/group-policies/security-privacy-management-gp.md b/browsers/edge/group-policies/security-privacy-management-gp.md index d2322bf7dc..67e656daa8 100644 --- a/browsers/edge/group-policies/security-privacy-management-gp.md +++ b/browsers/edge/group-policies/security-privacy-management-gp.md @@ -1,74 +1,74 @@ ---- -title: Microsoft Edge - Security and privacy group policies -description: Microsoft Edge helps to defend from increasingly sophisticated and prevalent web-based attacks against Windows. While most websites are safe, some sites have been designed to steal personal information or gain access to your system’s resources. -manager: dansimp -ms.author: eravena -author: eavena -ms.date: 10/02/2018 -ms.reviewer: -ms.localizationpriority: medium -ms.topic: reference ---- - -# Security and privacy - -Microsoft Edge is designed with improved security in mind, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows. Because Microsoft Edge is designed like a Universal Windows app, changing the browser to an app, it fundamentally changes the process model so that both the outer manager process and the different content processes all live within app container sandboxes. - -Microsoft Edge runs in 64-bit not just by default, but anytime it’s running on a 64-bit operating system. Because Microsoft Edge doesn’t support legacy ActiveX controls or 3rd-party binary extensions, there’s no longer a reason to run 32-bit processes on a 64-bit system. - -The value of running 64-bit all the time is that it strengthens Windows Address Space Layout Randomization (ASLR), randomizing the memory layout of the browser processes, making it much harder for attackers to hit precise memory locations. In turn, 64-bit processes make ASLR much more effective by making the address space exponentially larger and, therefore, more difficult for attackers to find sensitive memory components. - -For more details on the security features in Microsoft Edge, see [Help protect against web-based security threats](#help-protect-against-web-based-security-threats) below. - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Configure cookies -[!INCLUDE [configure-cookies-include](../includes/configure-cookies-include.md)] - -## Configure Password Manager -[!INCLUDE [configure-password-manager-include](../includes/configure-password-manager-include.md)] - -## Configure Windows Defender SmartScreen -[!INCLUDE [configure-windows-defender-smartscreen-include](../includes/configure-windows-defender-smartscreen-include.md)] - -## Prevent bypassing Windows Defender SmartScreen prompts for files -[!INCLUDE [prevent-bypassing-win-defender-files-include](../includes/prevent-bypassing-win-defender-files-include.md)] - -## Prevent bypassing Windows Defender SmartScreen prompts for sites -[!INCLUDE [prevent-bypassing-win-defender-sites-include](../includes/prevent-bypassing-win-defender-sites-include.md)] - -## Prevent certificate error overrides -[!INCLUDE [prevent-certificate-error-overrides-include](../includes/prevent-certificate-error-overrides-include.md)] - -## Prevent using Localhost IP address for WebRTC -[!INCLUDE [prevent-localhost-address-for-webrtc-include](../includes/prevent-localhost-address-for-webrtc-include.md)] - - -## Help protect against web-based security threats - -While most websites are safe, some sites have been intentionally designed to steal sensitive and private information or gain access to your system’s resources. You can help protect against threats by using strong security protocols to ensure against such threats. - -Thieves use things like _phishing_ attacks to convince someone to enter personal information, such as a banking password, into a website that looks like a legitimate bank but isn't. Attempts to identify legitimate websites through the HTTPS lock symbol and the EV Cert green bar have met with only limited success since attackers are too good at faking legitimate experiences for many people to notice the difference. - -Another method thieves often use _hacking_ to attack a system through malformed content that exploits subtle flaws in the browser or various browser extensions. This exploit lets an attacker run code on a device, taking over a browsing session, and perhaps the entire device. - -Microsoft Edge addresses these threats to help make browsing the web a safer experience. - - -| Feature | Description | -|-----------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **[Windows Hello](https://blogs.windows.com/bloggingwindows/2015/03/17/making-windows-10-more-personal-and-more-secure-with-windows-hello/)** | Microsoft Edge is the first browser to natively support Windows Hello to authenticate the user and the website with asymmetric cryptography technology, powered by early implementation of the [Web Authentication (formerly FIDO 2.0 Web API) specification](https://w3c.github.io/webauthn/). | -| **Microsoft SmartScreen** | Defends against phishing by performing reputation checks on sites visited and blocking any sites that are thought to be a phishing site. SmartScreen also helps to defend against installing malicious software, drive-by attacks, or file downloads, even from trusted sites. Drive-by attacks are malicious web-based attacks that compromise your system by targeting security vulnerabilities in commonly used software and may be hosted on trusted sites. | -| **Certificate Reputation system** | Collects data about certificates in use, detecting new certificates and flagging fraudulent certificates automatically, and sends the data to Microsoft. The systems and tools in place include | -| **Microsoft EdgeHTML and modern web standards** | Microsoft Edge uses Microsoft EdgeHTML as the rendering engine. This engine focuses on modern standards letting web developers build and maintain a consistent site across all modern browsers. It also helps to defend against hacking through these security standards features:

**NOTE:** Both Microsoft Edge and Internet Explorer 11 support HSTS. | -| **Code integrity and image loading restrictions** | Microsoft Edge content processes support code integrity and image load restrictions, helping to prevent malicious DLLs from loading or injecting into the content processes. Only [properly signed images](https://blogs.windows.com/msedgedev/2015/11/17/microsoft-edge-module-code-integrity/) are allowed to load into Microsoft Edge. Binaries on remote devices (such as UNC or WebDAV) can’t load. | -| **Memory corruption mitigations** | Memory corruption attacks frequently happen to apps written in C or C++ don’t provide safety or buffer overflow protection. When an attacker provides malformed input to a program, the program’s memory becomes corrupt allowing the attacker to take control of the program. Although attackers have adapted and invented new ways to attack, we’ve responded with memory safety defenses, mitigating the most common forms of attack, including and especially [use-after-free (UAF)](https://cwe.mitre.org/data/definitions/416.html) vulnerabilities. | -| **Memory Garbage Collector (MemGC) mitigation** | MemGC replaces Memory Protector and helps to protect the browser from UAF vulnerabilities. MemGC frees up memory from the programmer and automating it. Only freeing memory when the automation detects no references left pointing to a given block of memory. | -| **Control Flow Guard** | Attackers use memory corruption attacks to gain control of the CPU program counter to jump to any code location they want. Control Flow Guard, a Microsoft Visual Studio technology, compiles checks around code that performs indirect jumps based on a pointer. Those jumps get restricted to function entry points with known addresses only making attacker take-overs must more difficult constraining where an attack jumps. | -| **All web content runs in an app container sandbox** | Microsoft Edge takes the sandbox even farther, running its content processes in containers not just by default, but all of the time. Microsoft Edge doesn’t support 3rd party binary extensions, so there is no reason for it to run outside of the container, making Microsoft Edge more secure. | -| **Extension model and HTML5 support** | Microsoft Edge does not support binary extensions because they can bring code and data into the browser’s processes without any protection. So if anything goes wrong, the entire browser itself can be compromised or go down. We encourage everyone to use our scripted HTML5-based extension model. For more info about the new extensions, see the [Microsoft Edge Developer Center](https://developer.microsoft.com/microsoft-edge/extensions/). | -| **Reduced attack surfaces** | Microsoft Edge does not support VBScript, JScript, VML, Browser Helper Objects, Toolbars, ActiveX controls, and [document modes](https://msdn.microsoft.com/library/jj676915.aspx). Many IE browser vulnerabilities only appear in legacy document modes, so removing support reduced attack surface making the browser more secure.

It also means that it’s not as backward compatible. With this reduced backward compatibility, Microsoft Edge automatically falls back to Internet Explorer 11 for any apps that need backward compatibility. This fall back happens when you use the Enterprise Mode Site List. | - ---- +--- +title: Microsoft Edge - Security and privacy group policies +description: Microsoft Edge helps to defend from increasingly sophisticated and prevalent web-based attacks against Windows. While most websites are safe, some sites have been designed to steal personal information or gain access to your system’s resources. +audience: itpro manager: dansimp +ms.author: eravena +author: eavena +ms.date: 10/02/2018 +ms.reviewer: +ms.localizationpriority: medium +ms.topic: reference +--- + +# Security and privacy + +Microsoft Edge is designed with improved security in mind, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows. Because Microsoft Edge is designed like a Universal Windows app, changing the browser to an app, it fundamentally changes the process model so that both the outer manager process and the different content processes all live within app container sandboxes. + +Microsoft Edge runs in 64-bit not just by default, but anytime it’s running on a 64-bit operating system. Because Microsoft Edge doesn’t support legacy ActiveX controls or 3rd-party binary extensions, there’s no longer a reason to run 32-bit processes on a 64-bit system. + +The value of running 64-bit all the time is that it strengthens Windows Address Space Layout Randomization (ASLR), randomizing the memory layout of the browser processes, making it much harder for attackers to hit precise memory locations. In turn, 64-bit processes make ASLR much more effective by making the address space exponentially larger and, therefore, more difficult for attackers to find sensitive memory components. + +For more details on the security features in Microsoft Edge, see [Help protect against web-based security threats](#help-protect-against-web-based-security-threats) below. + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Configure cookies +[!INCLUDE [configure-cookies-include](../includes/configure-cookies-include.md)] + +## Configure Password Manager +[!INCLUDE [configure-password-manager-include](../includes/configure-password-manager-include.md)] + +## Configure Windows Defender SmartScreen +[!INCLUDE [configure-windows-defender-smartscreen-include](../includes/configure-windows-defender-smartscreen-include.md)] + +## Prevent bypassing Windows Defender SmartScreen prompts for files +[!INCLUDE [prevent-bypassing-win-defender-files-include](../includes/prevent-bypassing-win-defender-files-include.md)] + +## Prevent bypassing Windows Defender SmartScreen prompts for sites +[!INCLUDE [prevent-bypassing-win-defender-sites-include](../includes/prevent-bypassing-win-defender-sites-include.md)] + +## Prevent certificate error overrides +[!INCLUDE [prevent-certificate-error-overrides-include](../includes/prevent-certificate-error-overrides-include.md)] + +## Prevent using Localhost IP address for WebRTC +[!INCLUDE [prevent-localhost-address-for-webrtc-include](../includes/prevent-localhost-address-for-webrtc-include.md)] + + +## Help protect against web-based security threats + +While most websites are safe, some sites have been intentionally designed to steal sensitive and private information or gain access to your system’s resources. You can help protect against threats by using strong security protocols to ensure against such threats. + +Thieves use things like _phishing_ attacks to convince someone to enter personal information, such as a banking password, into a website that looks like a legitimate bank but isn't. Attempts to identify legitimate websites through the HTTPS lock symbol and the EV Cert green bar have met with only limited success since attackers are too good at faking legitimate experiences for many people to notice the difference. + +Another method thieves often use _hacking_ to attack a system through malformed content that exploits subtle flaws in the browser or various browser extensions. This exploit lets an attacker run code on a device, taking over a browsing session, and perhaps the entire device. + +Microsoft Edge addresses these threats to help make browsing the web a safer experience. + + +| Feature | Description | +|-----------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **[Windows Hello](https://blogs.windows.com/bloggingwindows/2015/03/17/making-windows-10-more-personal-and-more-secure-with-windows-hello/)** | Microsoft Edge is the first browser to natively support Windows Hello to authenticate the user and the website with asymmetric cryptography technology, powered by early implementation of the [Web Authentication (formerly FIDO 2.0 Web API) specification](https://w3c.github.io/webauthn/). | +| **Microsoft SmartScreen** | Defends against phishing by performing reputation checks on sites visited and blocking any sites that are thought to be a phishing site. SmartScreen also helps to defend against installing malicious software, drive-by attacks, or file downloads, even from trusted sites. Drive-by attacks are malicious web-based attacks that compromise your system by targeting security vulnerabilities in commonly used software and may be hosted on trusted sites. | +| **Certificate Reputation system** | Collects data about certificates in use, detecting new certificates and flagging fraudulent certificates automatically, and sends the data to Microsoft. The systems and tools in place include

| +| **Microsoft EdgeHTML and modern web standards** | Microsoft Edge uses Microsoft EdgeHTML as the rendering engine. This engine focuses on modern standards letting web developers build and maintain a consistent site across all modern browsers. It also helps to defend against hacking through these security standards features:

**NOTE:** Both Microsoft Edge and Internet Explorer 11 support HSTS. | +| **Code integrity and image loading restrictions** | Microsoft Edge content processes support code integrity and image load restrictions, helping to prevent malicious DLLs from loading or injecting into the content processes. Only [properly signed images](https://blogs.windows.com/msedgedev/2015/11/17/microsoft-edge-module-code-integrity/) are allowed to load into Microsoft Edge. Binaries on remote devices (such as UNC or WebDAV) can’t load. | +| **Memory corruption mitigations** | Memory corruption attacks frequently happen to apps written in C or C++ don’t provide safety or buffer overflow protection. When an attacker provides malformed input to a program, the program’s memory becomes corrupt allowing the attacker to take control of the program. Although attackers have adapted and invented new ways to attack, we’ve responded with memory safety defenses, mitigating the most common forms of attack, including and especially [use-after-free (UAF)](https://cwe.mitre.org/data/definitions/416.html) vulnerabilities. | +| **Memory Garbage Collector (MemGC) mitigation** | MemGC replaces Memory Protector and helps to protect the browser from UAF vulnerabilities. MemGC frees up memory from the programmer and automating it. Only freeing memory when the automation detects no references left pointing to a given block of memory. | +| **Control Flow Guard** | Attackers use memory corruption attacks to gain control of the CPU program counter to jump to any code location they want. Control Flow Guard, a Microsoft Visual Studio technology, compiles checks around code that performs indirect jumps based on a pointer. Those jumps get restricted to function entry points with known addresses only making attacker take-overs must more difficult constraining where an attack jumps. | +| **All web content runs in an app container sandbox** | Microsoft Edge takes the sandbox even farther, running its content processes in containers not just by default, but all of the time. Microsoft Edge doesn’t support 3rd party binary extensions, so there is no reason for it to run outside of the container, making Microsoft Edge more secure. | +| **Extension model and HTML5 support** | Microsoft Edge does not support binary extensions because they can bring code and data into the browser’s processes without any protection. So if anything goes wrong, the entire browser itself can be compromised or go down. We encourage everyone to use our scripted HTML5-based extension model. For more info about the new extensions, see the [Microsoft Edge Developer Center](https://developer.microsoft.com/microsoft-edge/extensions/). | +| **Reduced attack surfaces** | Microsoft Edge does not support VBScript, JScript, VML, Browser Helper Objects, Toolbars, ActiveX controls, and [document modes](https://msdn.microsoft.com/library/jj676915.aspx). Many IE browser vulnerabilities only appear in legacy document modes, so removing support reduced attack surface making the browser more secure.

It also means that it’s not as backward compatible. With this reduced backward compatibility, Microsoft Edge automatically falls back to Internet Explorer 11 for any apps that need backward compatibility. This fall back happens when you use the Enterprise Mode Site List. | + +--- diff --git a/browsers/edge/group-policies/start-pages-gp.md b/browsers/edge/group-policies/start-pages-gp.md index a94f166a21..ce15044aad 100644 --- a/browsers/edge/group-policies/start-pages-gp.md +++ b/browsers/edge/group-policies/start-pages-gp.md @@ -1,43 +1,43 @@ ---- -title: Microsoft Edge - Start pages group policies -description: Microsoft Edge loads the pages specified in App settings as the default Start pages. With the relevant Start pages policies, you can configure Microsoft Edge to load either the Start page, New tab page, previously opened pages, or a specific page or pages. You can also configure Microsoft Edge to prevent users from making changes. -manager: dansimp -ms.author: eravena -author: eavena -ms.localizationpriority: medium -ms.date: 10/02/2018 -ms.reviewer: -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library -ms.topic: reference ---- - -# Start pages - -Microsoft Edge loads the pages specified in App settings as the default Start pages. With the relevant Start pages policies, you can configure Microsoft Edge to load either the Start page, New tab page, previously opened pages, or a specific page or pages. You can also configure Microsoft Edge to prevent users from making changes. - -## Relevant group policies - -- [Configure Open Microsoft Edge With](#configure-open-microsoft-edge-with) -- [Configure Start Pages](#configure-start-pages) -- [Disable Lockdown of Start pages](#disable-lockdown-of-start-pages) - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Configuration options - -![Load URLs defined in Configure Start pages](../images/load-urls-defined-in-configure-open-edge-with-sm.png) - - -## Configure Open Microsoft Edge With -[!INCLUDE [configure-open-edge-with-include](../includes/configure-open-edge-with-include.md)] - -## Configure Start Pages -[!INCLUDE [configure-start-pages-include](../includes/configure-start-pages-include.md)] - -## Disable Lockdown of Start pages -[!INCLUDE [disable-lockdown-of-start-pages-include](../includes/disable-lockdown-of-start-pages-include.md)] - +--- +title: Microsoft Edge - Start pages group policies +description: Microsoft Edge loads the pages specified in App settings as the default Start pages. With the relevant Start pages policies, you can configure Microsoft Edge to load either the Start page, New tab page, previously opened pages, or a specific page or pages. You can also configure Microsoft Edge to prevent users from making changes. +audience: itpro manager: dansimp +ms.author: eravena +author: eavena +ms.localizationpriority: medium +ms.date: 10/02/2018 +ms.reviewer: +ms.prod: edge +ms.mktglfcycl: explore +ms.sitesec: library +ms.topic: reference +--- + +# Start pages + +Microsoft Edge loads the pages specified in App settings as the default Start pages. With the relevant Start pages policies, you can configure Microsoft Edge to load either the Start page, New tab page, previously opened pages, or a specific page or pages. You can also configure Microsoft Edge to prevent users from making changes. + +## Relevant group policies + +- [Configure Open Microsoft Edge With](#configure-open-microsoft-edge-with) +- [Configure Start Pages](#configure-start-pages) +- [Disable Lockdown of Start pages](#disable-lockdown-of-start-pages) + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Configuration options + +![Load URLs defined in Configure Start pages](../images/load-urls-defined-in-configure-open-edge-with-sm.png) + + +## Configure Open Microsoft Edge With +[!INCLUDE [configure-open-edge-with-include](../includes/configure-open-edge-with-include.md)] + +## Configure Start Pages +[!INCLUDE [configure-start-pages-include](../includes/configure-start-pages-include.md)] + +## Disable Lockdown of Start pages +[!INCLUDE [disable-lockdown-of-start-pages-include](../includes/disable-lockdown-of-start-pages-include.md)] + diff --git a/browsers/edge/group-policies/sync-browser-settings-gp.md b/browsers/edge/group-policies/sync-browser-settings-gp.md index f14bbe0caf..86ed0db6fc 100644 --- a/browsers/edge/group-policies/sync-browser-settings-gp.md +++ b/browsers/edge/group-policies/sync-browser-settings-gp.md @@ -1,45 +1,45 @@ ---- -title: Microsoft Edge - Sync browser settings -description: By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. The “browser” group uses the Sync your Settings option in Settings to sync information like history and favorites. -manager: dansimp -ms.author: eravena -author: eavena -ms.date: 10/02/2018 -ms.reviewer: -ms.localizationpriority: medium -ms.topic: reference ---- - -# Sync browser settings - - -By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. The “browser” group uses the Sync your Settings option in Settings to sync information like history and favorites. You can configure Microsoft Edge to prevent the “browser” group from syncing and prevent users from turning on the _Sync your Settings_ toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy. - - -## Relevant policies -- [Do not sync browser settings](#do-not-sync-browser-settings) -- [Prevent users from turning on browser syncing](#prevent-users-from-turning-on-browser-syncing) - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Configuration options - -![Sync browser settings automatically](../images/sync-browser-settings-automatically-sm.png) - -![Prevent syncing of browser settings](../images/prevent-syncing-browser-settings-sm.png) - - -### Verify the configuration -To verify the settings: -1. In the upper-right corner of Microsoft Edge, click **More** \(**...**\). -2. Click **Settings**. -3. Under Account, see if the setting is toggled on or off.

![Verify configuration](../images/sync-settings.PNG) - - -## Do not sync browser settings -[!INCLUDE [do-not-sync-browser-settings-include](../includes/do-not-sync-browser-settings-include.md)] - -## Prevent users from turning on browser syncing -[!INCLUDE [prevent-users-to-turn-on-browser-syncing-include](../includes/prevent-users-to-turn-on-browser-syncing-include.md)] +--- +title: Microsoft Edge - Sync browser settings +description: By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. The “browser” group uses the Sync your Settings option in Settings to sync information like history and favorites. +audience: itpro manager: dansimp +ms.author: eravena +author: eavena +ms.date: 10/02/2018 +ms.reviewer: +ms.localizationpriority: medium +ms.topic: reference +--- + +# Sync browser settings + + +By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. The “browser” group uses the Sync your Settings option in Settings to sync information like history and favorites. You can configure Microsoft Edge to prevent the “browser” group from syncing and prevent users from turning on the _Sync your Settings_ toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy. + + +## Relevant policies +- [Do not sync browser settings](#do-not-sync-browser-settings) +- [Prevent users from turning on browser syncing](#prevent-users-from-turning-on-browser-syncing) + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Configuration options + +![Sync browser settings automatically](../images/sync-browser-settings-automatically-sm.png) + +![Prevent syncing of browser settings](../images/prevent-syncing-browser-settings-sm.png) + + +### Verify the configuration +To verify the settings: +1. In the upper-right corner of Microsoft Edge, click **More** \(**...**\). +2. Click **Settings**. +3. Under Account, see if the setting is toggled on or off.

![Verify configuration](../images/sync-settings.PNG) + + +## Do not sync browser settings +[!INCLUDE [do-not-sync-browser-settings-include](../includes/do-not-sync-browser-settings-include.md)] + +## Prevent users from turning on browser syncing +[!INCLUDE [prevent-users-to-turn-on-browser-syncing-include](../includes/prevent-users-to-turn-on-browser-syncing-include.md)] diff --git a/browsers/edge/group-policies/telemetry-management-gp.md b/browsers/edge/group-policies/telemetry-management-gp.md index 7ef162127b..3de0998564 100644 --- a/browsers/edge/group-policies/telemetry-management-gp.md +++ b/browsers/edge/group-policies/telemetry-management-gp.md @@ -1,31 +1,31 @@ ---- -title: Microsoft Edge - Telemetry and data collection group policies -description: Microsoft Edge gathers diagnostic data, intranet history, internet history, tracking information of sites visited, and Live Tile metadata. You can configure Microsoft Edge to collect all or none of this information. -manager: dansimp -ms.author: eravena -author: eavena -ms.date: 10/02/2018 -ms.reviewer: -ms.localizationpriority: medium -ms.topic: reference ---- - -# Telemetry and data collection - -Microsoft Edge gathers diagnostic data, intranet history, internet history, tracking information of sites visited, and Live Tile metadata. You can configure Microsoft Edge to collect all or none of this information. - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Allow extended telemetry for the Books tab -[!INCLUDE [allow-ext-telemetry-books-tab-include.md](../includes/allow-ext-telemetry-books-tab-include.md)] - -## Configure collection of browsing data for Microsoft 365 Analytics -[!INCLUDE [configure-browser-telemetry-for-m365-analytics-include](../includes/configure-browser-telemetry-for-m365-analytics-include.md)] - -## Configure Do Not Track -[!INCLUDE [configure-do-not-track-include.md](../includes/configure-do-not-track-include.md)] - -## Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start -[!INCLUDE [prevent-live-tile-pinning-start-include](../includes/prevent-live-tile-pinning-start-include.md)] +--- +title: Microsoft Edge - Telemetry and data collection group policies +description: Microsoft Edge gathers diagnostic data, intranet history, internet history, tracking information of sites visited, and Live Tile metadata. You can configure Microsoft Edge to collect all or none of this information. +audience: itpro manager: dansimp +ms.author: eravena +author: eavena +ms.date: 10/02/2018 +ms.reviewer: +ms.localizationpriority: medium +ms.topic: reference +--- + +# Telemetry and data collection + +Microsoft Edge gathers diagnostic data, intranet history, internet history, tracking information of sites visited, and Live Tile metadata. You can configure Microsoft Edge to collect all or none of this information. + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Allow extended telemetry for the Books tab +[!INCLUDE [allow-ext-telemetry-books-tab-include.md](../includes/allow-ext-telemetry-books-tab-include.md)] + +## Configure collection of browsing data for Microsoft 365 Analytics +[!INCLUDE [configure-browser-telemetry-for-m365-analytics-include](../includes/configure-browser-telemetry-for-m365-analytics-include.md)] + +## Configure Do Not Track +[!INCLUDE [configure-do-not-track-include.md](../includes/configure-do-not-track-include.md)] + +## Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start +[!INCLUDE [prevent-live-tile-pinning-start-include](../includes/prevent-live-tile-pinning-start-include.md)] diff --git a/browsers/edge/img-microsoft-edge-infographic-lg.md b/browsers/edge/img-microsoft-edge-infographic-lg.md index 3ac0066282..2a2ca7e399 100644 --- a/browsers/edge/img-microsoft-edge-infographic-lg.md +++ b/browsers/edge/img-microsoft-edge-infographic-lg.md @@ -1,15 +1,15 @@ ---- -description: A full-sized view of the Microsoft Edge infographic. -title: Full-sized view of the Microsoft Edge infographic -ms.date: 11/10/2016 -ms.reviewer: -manager: dansimp -ms.author: eravena -author: eavena ---- - -Return to: [Browser: Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md)
-Download image: [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/en-us/download/details.aspx?id=53892) - -![Full-sized Microsoft Edge infographic](images/img-microsoft-edge-infographic-lg.png) - +--- +description: A full-sized view of the Microsoft Edge infographic. +title: Full-sized view of the Microsoft Edge infographic +ms.date: 11/10/2016 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: eravena +author: eavena +--- + +Return to: [Browser: Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md)
+Download image: [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/en-us/download/details.aspx?id=53892) + +![Full-sized Microsoft Edge infographic](images/img-microsoft-edge-infographic-lg.png) + diff --git a/browsers/edge/includes/allow-address-bar-suggestions-include.md b/browsers/edge/includes/allow-address-bar-suggestions-include.md index 4c5c1fe4dd..fdcebd090e 100644 --- a/browsers/edge/includes/allow-address-bar-suggestions-include.md +++ b/browsers/edge/includes/allow-address-bar-suggestions-include.md @@ -1,52 +1,52 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Enabled or not configured (Allowed)* - -[!INCLUDE [allow-address-bar-drop-down-shortdesc](../shortdesc/allow-address-bar-drop-down-shortdesc.md)] - - -### Supported values - - -| Group Policy | MDM | Registry | Description | Most restricted | -|-----------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled | 0 | 0 | Prevented. Hide the Address bar drop-down list and disable the *Show search and site suggestions as I type* toggle in Settings. | ![Most restricted value](../images/check-gn.png) | -| Enabled or not configured **(default)** | 1 | 1 | Allowed. Show the Address bar drop-down list and make it available. | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow Address bar drop-down list suggestions -- **GP name:** AllowAddressBarDropdown -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowAddressBarDropdown](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser\#browser-allowaddressbardropdown) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowAddressBarDropdown -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\ServiceUI -- **Value name:** ShowOneBox -- **Value type:** REG_DWORD - - -### Related policies - -[Configure search suggestions in Address bar](../available-policies.md#configure-search-suggestions-in-address-bar): [!INCLUDE [configure-additional-search-engines-shortdesc](../shortdesc/configure-additional-search-engines-shortdesc.md)] - -

+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Enabled or not configured (Allowed)* + +[!INCLUDE [allow-address-bar-drop-down-shortdesc](../shortdesc/allow-address-bar-drop-down-shortdesc.md)] + + +### Supported values + + +| Group Policy | MDM | Registry | Description | Most restricted | +|-----------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled | 0 | 0 | Prevented. Hide the Address bar drop-down list and disable the *Show search and site suggestions as I type* toggle in Settings. | ![Most restricted value](../images/check-gn.png) | +| Enabled or not configured **(default)** | 1 | 1 | Allowed. Show the Address bar drop-down list and make it available. | | + +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow Address bar drop-down list suggestions +- **GP name:** AllowAddressBarDropdown +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowAddressBarDropdown](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser\#browser-allowaddressbardropdown) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowAddressBarDropdown +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\ServiceUI +- **Value name:** ShowOneBox +- **Value type:** REG_DWORD + + +### Related policies + +[Configure search suggestions in Address bar](../available-policies.md#configure-search-suggestions-in-address-bar): [!INCLUDE [configure-additional-search-engines-shortdesc](../shortdesc/configure-additional-search-engines-shortdesc.md)] + +
diff --git a/browsers/edge/includes/allow-adobe-flash-include.md b/browsers/edge/includes/allow-adobe-flash-include.md index 8f774871e7..3a7671c32a 100644 --- a/browsers/edge/includes/allow-adobe-flash-include.md +++ b/browsers/edge/includes/allow-adobe-flash-include.md @@ -3,6 +3,7 @@ author: eavena ms.author: eravena ms.date: 10/02/2018 ms.reviewer: +audience: itpro manager: dansimp ms.prod: edge ms.topic: include @@ -34,7 +35,7 @@ ms.topic: include #### MDM settings - **MDM name:** Browser/[AllowFlash](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser\#browser-allowflash) - **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowFlash +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowFlash - **Data type:** Integer #### Registry settings diff --git a/browsers/edge/includes/allow-clearing-browsing-data-include.md b/browsers/edge/includes/allow-clearing-browsing-data-include.md index 64bd285ba5..bd8b84f244 100644 --- a/browsers/edge/includes/allow-clearing-browsing-data-include.md +++ b/browsers/edge/includes/allow-clearing-browsing-data-include.md @@ -1,47 +1,47 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Disabled or not configured (Prevented)* - -[!INCLUDE [allow-clearing-browsing-data-on-exit-shortdesc](../shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md)] - -### Supported values - - -| Group Policy | MDM | Registry | Description | Most restricted | -|------------------------------------------|:---:|:--------:|------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured **(default)** | 0 | 0 | Prevented. Users can configure the *Clear browsing data* option in Settings. | | -| Enabled | 1 | 1 | Allowed. Clear the browsing data upon exit automatically. | ![Most restricted value](../images/check-gn.png) | - ---- - - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow clearing browsing data on exit -- **GP name:** AllowClearingBrowsingDataOnExit -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[ClearBrowsingDataOnExit](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser\#browser-clearbrowsingdataonexit) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ClearBrowsingDataOnExit -- **Data type:** Integer - -#### Registry -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Privacy -- **Value name:** ClearBrowsingHistoryOnExit -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Disabled or not configured (Prevented)* + +[!INCLUDE [allow-clearing-browsing-data-on-exit-shortdesc](../shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md)] + +### Supported values + + +| Group Policy | MDM | Registry | Description | Most restricted | +|------------------------------------------|:---:|:--------:|------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured **(default)** | 0 | 0 | Prevented. Users can configure the *Clear browsing data* option in Settings. | | +| Enabled | 1 | 1 | Allowed. Clear the browsing data upon exit automatically. | ![Most restricted value](../images/check-gn.png) | + +--- + + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow clearing browsing data on exit +- **GP name:** AllowClearingBrowsingDataOnExit +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[ClearBrowsingDataOnExit](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser\#browser-clearbrowsingdataonexit) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ClearBrowsingDataOnExit +- **Data type:** Integer + +#### Registry +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Privacy +- **Value name:** ClearBrowsingHistoryOnExit +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/allow-config-updates-books-include.md b/browsers/edge/includes/allow-config-updates-books-include.md index 49a95f52da..02b449e5e2 100644 --- a/browsers/edge/includes/allow-config-updates-books-include.md +++ b/browsers/edge/includes/allow-config-updates-books-include.md @@ -1,49 +1,49 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1803 or later*
->*Default setting: Enabled or not configured (Allowed)* - -[!INCLUDE [allow-configuration-updates-for-books-library-shortdesc](../shortdesc/allow-configuration-updates-for-books-library-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled | 0 | 0 | Prevented. | ![Most restricted value](../images/check-gn.png) | -| Enabled or not configured
**(default)** | 1 | 1 | Allowed. Microsoft Edge updates the configuration data for the Books Library automatically. | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow configuration updates for the Books Library -- **GP name:** AllowConfigurationUpdateForBooksLibrary -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowConfigurationUpdateForBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowConfigurationUpdateForBooksLibrary -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\BooksLibrary -- **Value name:** AllowConfigurationUpdateForBooksLibrary -- **Value type:** REG_DWORD - -### Related topics - -[!INCLUDE [man-connections-win-comp-services-shortdesc-include](man-connections-win-comp-services-shortdesc-include.md)] - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1803 or later*
+>*Default setting: Enabled or not configured (Allowed)* + +[!INCLUDE [allow-configuration-updates-for-books-library-shortdesc](../shortdesc/allow-configuration-updates-for-books-library-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled | 0 | 0 | Prevented. | ![Most restricted value](../images/check-gn.png) | +| Enabled or not configured
**(default)** | 1 | 1 | Allowed. Microsoft Edge updates the configuration data for the Books Library automatically. | | + +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow configuration updates for the Books Library +- **GP name:** AllowConfigurationUpdateForBooksLibrary +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowConfigurationUpdateForBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowConfigurationUpdateForBooksLibrary +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\BooksLibrary +- **Value name:** AllowConfigurationUpdateForBooksLibrary +- **Value type:** REG_DWORD + +### Related topics + +[!INCLUDE [man-connections-win-comp-services-shortdesc-include](man-connections-win-comp-services-shortdesc-include.md)] + +
diff --git a/browsers/edge/includes/allow-cortana-include.md b/browsers/edge/includes/allow-cortana-include.md index 2344e1dd4c..248600e48b 100644 --- a/browsers/edge/includes/allow-cortana-include.md +++ b/browsers/edge/includes/allow-cortana-include.md @@ -1,46 +1,46 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Enabled (Allowed)* - -[!INCLUDE [allow-cortana-shortdesc](../shortdesc/allow-cortana-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------|:---:|:--------:|------------------------------------------------------------------|:------------------------------------------------:| -| Disabled | 0 | 0 | Prevented. Users can still search to find items on their device. | ![Most restricted value](../images/check-gn.png) | -| Enabled
**(default)** | 1 | 1 | Allowed. | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow Cortana -- **GP name:** AllowCortana -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Experience/[AllowCortana](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) -- **Supported devices:** Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/AllowCortana -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\Windows\Windows Search -- **Value name:** AllowCortana -- **Value type:** REG_DWORD - -
- +--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Enabled (Allowed)* + +[!INCLUDE [allow-cortana-shortdesc](../shortdesc/allow-cortana-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------|:---:|:--------:|------------------------------------------------------------------|:------------------------------------------------:| +| Disabled | 0 | 0 | Prevented. Users can still search to find items on their device. | ![Most restricted value](../images/check-gn.png) | +| Enabled
**(default)** | 1 | 1 | Allowed. | | + +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow Cortana +- **GP name:** AllowCortana +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Experience/[AllowCortana](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) +- **Supported devices:** Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/AllowCortana +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\Windows\Windows Search +- **Value name:** AllowCortana +- **Value type:** REG_DWORD + +
+ diff --git a/browsers/edge/includes/allow-dev-tools-include.md b/browsers/edge/includes/allow-dev-tools-include.md index d23b42dea1..8a715d6905 100644 --- a/browsers/edge/includes/allow-dev-tools-include.md +++ b/browsers/edge/includes/allow-dev-tools-include.md @@ -1,47 +1,47 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
->*Default setting: Enabled (Allowed)* - -[!INCLUDE [allow-developer-tools-shortdesc](../shortdesc/allow-developer-tools-shortdesc.md)] - - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------|:---:|:--------:|-------------|:------------------------------------------------:| -| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Allowed | | - ---- - - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow Developer Tools -- **GP name:** AllowDeveloperTools -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowDeveloperTools](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowdevelopertools) -- **Supported devices:** Desktop -- **URI full Path:** ./Vendor/MSFT/Policy/Config/Browser/AllowDeveloperTools -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\F12 -- **Value name:** AllowDeveloperTools -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+>*Default setting: Enabled (Allowed)* + +[!INCLUDE [allow-developer-tools-shortdesc](../shortdesc/allow-developer-tools-shortdesc.md)] + + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------|:---:|:--------:|-------------|:------------------------------------------------:| +| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Allowed | | + +--- + + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow Developer Tools +- **GP name:** AllowDeveloperTools +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowDeveloperTools](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowdevelopertools) +- **Supported devices:** Desktop +- **URI full Path:** ./Vendor/MSFT/Policy/Config/Browser/AllowDeveloperTools +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\F12 +- **Value name:** AllowDeveloperTools +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/allow-enable-book-library-include.md b/browsers/edge/includes/allow-enable-book-library-include.md index ca38514f37..be4dcd7cfd 100644 --- a/browsers/edge/includes/allow-enable-book-library-include.md +++ b/browsers/edge/includes/allow-enable-book-library-include.md @@ -1,44 +1,44 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
->*Default setting: Disabled or not configured* - -[!INCLUDE [always-show-books-library-shortdesc](../shortdesc/always-show-books-library-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Show the Books Library only in countries or regions where supported. | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Show the Books Library, regardless of the device’s country or region. | | - ---- -### ADMX info and settings - -#### ADMX info -- **GP English name:** Always show the Books Library in Microsoft Edge -- **GP name:** AlwaysEnableBooksLibrary -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[Browser/AlwaysEnableBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AlwaysEnableBooksLibrary -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -- **Value name:** AlwaysEnableBooksLibrary -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
+>*Default setting: Disabled or not configured* + +[!INCLUDE [always-show-books-library-shortdesc](../shortdesc/always-show-books-library-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Show the Books Library only in countries or regions where supported. | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Show the Books Library, regardless of the device’s country or region. | | + +--- +### ADMX info and settings + +#### ADMX info +- **GP English name:** Always show the Books Library in Microsoft Edge +- **GP name:** AlwaysEnableBooksLibrary +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[Browser/AlwaysEnableBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AlwaysEnableBooksLibrary +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main +- **Value name:** AlwaysEnableBooksLibrary +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md b/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md index bf40a1e858..1b39d3081d 100644 --- a/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md +++ b/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md @@ -1,46 +1,46 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1803 or later*
->*Default setting: Disabled or not configured (Gather and send only basic diagnostic data)* - -[!INCLUDE [allow-extended-telemetry-for-books-tab-shortdesc](../shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Gather and send only basic diagnostic data. | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Gather all diagnostic data. For this policy to work correctly, you must set the diagnostic data in *Settings > Diagnostics & feedback* to **Full**. | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow extended telemetry for the Books tab -- **GP name:** EnableExtendedBooksTelemetry -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** [Browser/EnableExtendedBooksTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/EnableExtendedBooksTelemetry -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\BooksLibrary -- **Value name:** EnableExtendedBooksTelemetry -- **Value type:** REG_DWORD - - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1803 or later*
+>*Default setting: Disabled or not configured (Gather and send only basic diagnostic data)* + +[!INCLUDE [allow-extended-telemetry-for-books-tab-shortdesc](../shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Gather and send only basic diagnostic data. | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Gather all diagnostic data. For this policy to work correctly, you must set the diagnostic data in *Settings > Diagnostics & feedback* to **Full**. | | + +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow extended telemetry for the Books tab +- **GP name:** EnableExtendedBooksTelemetry +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** [Browser/EnableExtendedBooksTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/EnableExtendedBooksTelemetry +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\BooksLibrary +- **Value name:** EnableExtendedBooksTelemetry +- **Value type:** REG_DWORD + + +
diff --git a/browsers/edge/includes/allow-extensions-include.md b/browsers/edge/includes/allow-extensions-include.md index 6660627600..977e027f08 100644 --- a/browsers/edge/includes/allow-extensions-include.md +++ b/browsers/edge/includes/allow-extensions-include.md @@ -1,49 +1,49 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1607 or later*
->*Default setting: Enabled or not configured (Allowed)* - -[!INCLUDE [allow-extensions-shortdesc](../shortdesc/allow-extensions-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | -|--------------------------------------------|:---:|:--------:|-------------| -| Disabled | 0 | 0 | Prevented | -| Enabled or not configured
**(default)** | 1 | 1 | Allowed | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow Extensions -- **GP name:** AllowExtensions -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowextensions) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowExtensions -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Extensions -- **Value name:** ExtensionsEnabled -- **Value type:** REG_DWORD - -### Related topics - -[!INCLUDE [microsoft-browser-extension-policy-shortdesc](../shortdesc/microsoft-browser-extension-policy-shortdesc.md)] - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1607 or later*
+>*Default setting: Enabled or not configured (Allowed)* + +[!INCLUDE [allow-extensions-shortdesc](../shortdesc/allow-extensions-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | +|--------------------------------------------|:---:|:--------:|-------------| +| Disabled | 0 | 0 | Prevented | +| Enabled or not configured
**(default)** | 1 | 1 | Allowed | + +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow Extensions +- **GP name:** AllowExtensions +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowextensions) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowExtensions +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Extensions +- **Value name:** ExtensionsEnabled +- **Value type:** REG_DWORD + +### Related topics + +[!INCLUDE [microsoft-browser-extension-policy-shortdesc](../shortdesc/microsoft-browser-extension-policy-shortdesc.md)] + +
diff --git a/browsers/edge/includes/allow-full-screen-include.md b/browsers/edge/includes/allow-full-screen-include.md index 286ac8e876..34d3dc32be 100644 --- a/browsers/edge/includes/allow-full-screen-include.md +++ b/browsers/edge/includes/allow-full-screen-include.md @@ -1,47 +1,47 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Enabled or not configured (Allowed)* - - -[!INCLUDE [allow-fullscreen-mode-shortdesc](../shortdesc/allow-fullscreen-mode-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------|:---:|:--------:|-------------|:------------------------------------------------:| -| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | -| Enabled
**(default)** | 1 | 1 | Allowed | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow fullscreen mode -- **GP name:** AllowFullScreenMode -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowFullscreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowfullscreenmode) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowFullscreen -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main -- **Value name:** AllowFullScreenMode -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Enabled or not configured (Allowed)* + + +[!INCLUDE [allow-fullscreen-mode-shortdesc](../shortdesc/allow-fullscreen-mode-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------|:---:|:--------:|-------------|:------------------------------------------------:| +| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | +| Enabled
**(default)** | 1 | 1 | Allowed | | + +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow fullscreen mode +- **GP name:** AllowFullScreenMode +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowFullscreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowfullscreenmode) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowFullscreen +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main +- **Value name:** AllowFullScreenMode +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/allow-inprivate-browsing-include.md b/browsers/edge/includes/allow-inprivate-browsing-include.md index bce38eb870..0d66095576 100644 --- a/browsers/edge/includes/allow-inprivate-browsing-include.md +++ b/browsers/edge/includes/allow-inprivate-browsing-include.md @@ -1,47 +1,47 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
->*Default setting: Enabled or not configured (Allowed)* - - -[!INCLUDE [allow-inprivate-browsing-shortdesc](../shortdesc/allow-inprivate-browsing-shortdesc.md)] - - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:| -| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | -| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow InPrivate browsing -- **GP name:** AllowInPrivate -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowInPrivate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowinprivate) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowInPrivate -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main -- **Value name:** AllowInPrivate -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+>*Default setting: Enabled or not configured (Allowed)* + + +[!INCLUDE [allow-inprivate-browsing-shortdesc](../shortdesc/allow-inprivate-browsing-shortdesc.md)] + + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:| +| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | +| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | + +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow InPrivate browsing +- **GP name:** AllowInPrivate +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowInPrivate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowinprivate) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowInPrivate +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main +- **Value name:** AllowInPrivate +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/allow-microsoft-compatibility-list-include.md b/browsers/edge/includes/allow-microsoft-compatibility-list-include.md index 8da879cdd9..580909fe1d 100644 --- a/browsers/edge/includes/allow-microsoft-compatibility-list-include.md +++ b/browsers/edge/includes/allow-microsoft-compatibility-list-include.md @@ -1,45 +1,45 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1607 or later*
->*Default setting: Enabled or not configured (Allowed)* - -[!INCLUDE [allow-microsoft-compatibility-list-shortdesc](../shortdesc/allow-microsoft-compatibility-list-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:| -| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | -| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow Microsoft Compatibility List -- **GP name:** AllowCVList -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowMicrosoftCompatibilityList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowMicrosoftCompatibilityList -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\BrowserEmulation -- **Value name:** MSCompatibilityMode -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1607 or later*
+>*Default setting: Enabled or not configured (Allowed)* + +[!INCLUDE [allow-microsoft-compatibility-list-shortdesc](../shortdesc/allow-microsoft-compatibility-list-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:| +| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | +| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | + +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow Microsoft Compatibility List +- **GP name:** AllowCVList +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowMicrosoftCompatibilityList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowMicrosoftCompatibilityList +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\BrowserEmulation +- **Value name:** MSCompatibilityMode +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/allow-prelaunch-include.md b/browsers/edge/includes/allow-prelaunch-include.md index 0aad17ca17..1953faa630 100644 --- a/browsers/edge/includes/allow-prelaunch-include.md +++ b/browsers/edge/includes/allow-prelaunch-include.md @@ -1,47 +1,47 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Enabled or not configured (Allowed)* - -[!INCLUDE [allow-prelaunch-shortdesc](../shortdesc/allow-prelaunch-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------------------------|:---:|:--------:|-------------|:-------------------------------------------------:| -| Disabled | 0 | 0 | Prevented | ![Most restrictive value](../images/check-gn.png) | -| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | - ---- - - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed -- **GP name:** AllowPreLaunch -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowPrelaunch](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPrelaunch -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main -- **Value name:** AllowPrelaunch -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Enabled or not configured (Allowed)* + +[!INCLUDE [allow-prelaunch-shortdesc](../shortdesc/allow-prelaunch-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------------------------|:---:|:--------:|-------------|:-------------------------------------------------:| +| Disabled | 0 | 0 | Prevented | ![Most restrictive value](../images/check-gn.png) | +| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | + +--- + + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed +- **GP name:** AllowPreLaunch +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowPrelaunch](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPrelaunch +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main +- **Value name:** AllowPrelaunch +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/allow-printing-include.md b/browsers/edge/includes/allow-printing-include.md index dd60c9aaba..47055ba966 100644 --- a/browsers/edge/includes/allow-printing-include.md +++ b/browsers/edge/includes/allow-printing-include.md @@ -1,45 +1,45 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Enabled or not configured (Allowed)* - -[!INCLUDE [allow-printing-shortdesc](../shortdesc/allow-printing-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------------------------|:---:|:--------:|-------------|:-------------------------------------------------:| -| Disabled | 0 | 0 | Prevented | ![Most restrictive value](../images/check-gn.png) | -| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow printing -- **GP name:** AllowPrinting -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowPrinting](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowprinting) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPrinting -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main -- **Value name:** AllowPrinting -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Enabled or not configured (Allowed)* + +[!INCLUDE [allow-printing-shortdesc](../shortdesc/allow-printing-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------------------------|:---:|:--------:|-------------|:-------------------------------------------------:| +| Disabled | 0 | 0 | Prevented | ![Most restrictive value](../images/check-gn.png) | +| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | + +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow printing +- **GP name:** AllowPrinting +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowPrinting](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowprinting) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPrinting +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main +- **Value name:** AllowPrinting +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/allow-saving-history-include.md b/browsers/edge/includes/allow-saving-history-include.md index 49913f23c9..874d301abb 100644 --- a/browsers/edge/includes/allow-saving-history-include.md +++ b/browsers/edge/includes/allow-saving-history-include.md @@ -1,47 +1,47 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Enabled or not configured (Allowed)* - -[!INCLUDE [allow-saving-history-shortdesc](../shortdesc/allow-saving-history-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:| -| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | -| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow Saving History -- **GP name:** AllowSavingHistory -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowSavingHistory](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSavingHistory -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main -- **Value name:** AllowSavingHistory -- **Value type:** REG_DWORD - - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Enabled or not configured (Allowed)* + +[!INCLUDE [allow-saving-history-shortdesc](../shortdesc/allow-saving-history-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:| +| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | +| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | + +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow Saving History +- **GP name:** AllowSavingHistory +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowSavingHistory](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSavingHistory +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main +- **Value name:** AllowSavingHistory +- **Value type:** REG_DWORD + + +
diff --git a/browsers/edge/includes/allow-search-engine-customization-include.md b/browsers/edge/includes/allow-search-engine-customization-include.md index 6c1fb2e5db..eb4891088f 100644 --- a/browsers/edge/includes/allow-search-engine-customization-include.md +++ b/browsers/edge/includes/allow-search-engine-customization-include.md @@ -1,59 +1,59 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Enabled or not configured (Allowed)* - -[!INCLUDE [allow-search-engine-customization-shortdesc](../shortdesc/allow-search-engine-customization-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:| -| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | -| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | - ---- - -### ADMX info and settings - -##### ADMX info -- **GP English name:** Allow search engine customization -- **GP name:** AllowSearchEngineCustomization -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowSearchEngineCustomization](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSearchEngineCustomization -- **Data type:** Integer - - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Protected -- **Value name:** AllowSearchEngineCustomization -- **Value type:** REG_DWORD - - -### Related policies - -- [Set default search engine](../available-policies.md#set-default-search-engine): [!INCLUDE [set-default-search-engine-shortdesc](../shortdesc/set-default-search-engine-shortdesc.md)] - -- [Configure additional search engines](../available-policies.md#configure-additional-search-engines): [!INCLUDE [configure-additional-search-engines-shortdesc](../shortdesc/configure-additional-search-engines-shortdesc.md)] - -### Related topics - -- [!INCLUDE [man-connections-win-comp-services-shortdesc-include](man-connections-win-comp-services-shortdesc-include.md)] - -- [!INCLUDE [search-provider-discovery-shortdesc-include](search-provider-discovery-shortdesc-include.md)] - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Enabled or not configured (Allowed)* + +[!INCLUDE [allow-search-engine-customization-shortdesc](../shortdesc/allow-search-engine-customization-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:| +| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | +| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | + +--- + +### ADMX info and settings + +##### ADMX info +- **GP English name:** Allow search engine customization +- **GP name:** AllowSearchEngineCustomization +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowSearchEngineCustomization](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSearchEngineCustomization +- **Data type:** Integer + + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Protected +- **Value name:** AllowSearchEngineCustomization +- **Value type:** REG_DWORD + + +### Related policies + +- [Set default search engine](../available-policies.md#set-default-search-engine): [!INCLUDE [set-default-search-engine-shortdesc](../shortdesc/set-default-search-engine-shortdesc.md)] + +- [Configure additional search engines](../available-policies.md#configure-additional-search-engines): [!INCLUDE [configure-additional-search-engines-shortdesc](../shortdesc/configure-additional-search-engines-shortdesc.md)] + +### Related topics + +- [!INCLUDE [man-connections-win-comp-services-shortdesc-include](man-connections-win-comp-services-shortdesc-include.md)] + +- [!INCLUDE [search-provider-discovery-shortdesc-include](search-provider-discovery-shortdesc-include.md)] + +
diff --git a/browsers/edge/includes/allow-shared-folder-books-include.md b/browsers/edge/includes/allow-shared-folder-books-include.md index 712fba9532..fadbac9ad5 100644 --- a/browsers/edge/includes/allow-shared-folder-books-include.md +++ b/browsers/edge/includes/allow-shared-folder-books-include.md @@ -1,53 +1,53 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1803*
->*Default setting: Disabled or not configured (Not allowed)* - -[!INCLUDE [allow-a-shared-books-folder-shortdesc](../shortdesc/allow-a-shared-books-folder-shortdesc.md)] - - - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Prevented. Microsoft Edge downloads book files to a per-user folder for each user. | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Allowed. Microsoft Edge downloads book files to a shared folder. For this policy to work correctly, you must also enable the **Allow a Windows app to share application data between users** group policy, which you can find:

**Computer Configuration\\Administrative Templates\\Windows Components\\App Package Deployment\\**

Also, the users must be signed in with a school or work account. | | - ---- - -![Allow a shared books folder](../images/allow-shared-books-folder_sm.png) - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow a shared Books folder -- **GP name:** UseSharedFolderForBooks -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[UseSharedFolderForBooks](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/UseSharedFolderForBooks -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\BooksLibrary -- **Value name:** UseSharedFolderForBooks -- **Value type:** REG_DWORD - -### Related policies - -**Allow a Windows app to share application data between users:** [!INCLUDE [allow-windows-app-to-share-data-users-shortdesc](../shortdesc/allow-windows-app-to-share-data-users-shortdesc.md)] - -

+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1803*
+>*Default setting: Disabled or not configured (Not allowed)* + +[!INCLUDE [allow-a-shared-books-folder-shortdesc](../shortdesc/allow-a-shared-books-folder-shortdesc.md)] + + + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Prevented. Microsoft Edge downloads book files to a per-user folder for each user. | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Allowed. Microsoft Edge downloads book files to a shared folder. For this policy to work correctly, you must also enable the **Allow a Windows app to share application data between users** group policy, which you can find:

**Computer Configuration\\Administrative Templates\\Windows Components\\App Package Deployment\\**

Also, the users must be signed in with a school or work account. | | + +--- + +![Allow a shared books folder](../images/allow-shared-books-folder_sm.png) + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow a shared Books folder +- **GP name:** UseSharedFolderForBooks +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[UseSharedFolderForBooks](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/UseSharedFolderForBooks +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\BooksLibrary +- **Value name:** UseSharedFolderForBooks +- **Value type:** REG_DWORD + +### Related policies + +**Allow a Windows app to share application data between users:** [!INCLUDE [allow-windows-app-to-share-data-users-shortdesc](../shortdesc/allow-windows-app-to-share-data-users-shortdesc.md)] + +

diff --git a/browsers/edge/includes/allow-sideloading-extensions-include.md b/browsers/edge/includes/allow-sideloading-extensions-include.md index 0c1108d2d5..987387dbe6 100644 --- a/browsers/edge/includes/allow-sideloading-extensions-include.md +++ b/browsers/edge/includes/allow-sideloading-extensions-include.md @@ -1,55 +1,55 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Enabled (Allowed)* - -[!INCLUDE [allow-sideloading-of-extensions-shortdesc](../shortdesc/allow-sideloading-of-extensions-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|----------------------------|:---:|:--------:|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured | 0 | 0 | Prevented. Disabling does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, you must enable the **Allows development of Windows Store apps and installing them from an integrated development environment (IDE)** group policy, which you can find:

**Computer Configuration\\Administrative Templates\\Windows Components\\App Package Deployment\\**

For the MDM setting, set the **ApplicationManagement/AllowDeveloperUnlock** policy to 1 (enabled). | ![Most restricted value](../images/check-gn.png) | -| Enabled
**(default)** | 1 | 1 | Allowed. | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow sideloading of Extensions -- **GP name:** AllowSideloadingOfExtensions -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowSideloadingExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSideloadingExtensions -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Extensions -- **Value name:** AllowSideloadingOfExtensions -- **Value type:** REG_DWORD - -### Related policies - -- [Allows development of Windows Store apps and installing them from an integrated development environment (IDE)](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowdeveloperunlock): When you enable this policy and the **Allow all trusted apps to install** policy, you allow users to develop Windows Store apps and install them directly from an IDE. - -- [Allow all trusted apps to install](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowalltrustedapps): When you enable this policy, you can manage the installation of trusted line-of-business (LOB) or developer-signed Windows Store apps. - -### Related topics - -[Enable your device for development](https://docs.microsoft.com/windows/uwp/get-started/enable-your-device-for-development): Access development features, along with other developer-focused settings to make it possible for you to develop, test, and debug apps. Learn how to configure your environment for development, the difference between Developer Mode and sideloading, and the security risks of Developer mode. - -

+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Enabled (Allowed)* + +[!INCLUDE [allow-sideloading-of-extensions-shortdesc](../shortdesc/allow-sideloading-of-extensions-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|----------------------------|:---:|:--------:|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured | 0 | 0 | Prevented. Disabling does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, you must enable the **Allows development of Windows Store apps and installing them from an integrated development environment (IDE)** group policy, which you can find:

**Computer Configuration\\Administrative Templates\\Windows Components\\App Package Deployment\\**

For the MDM setting, set the **ApplicationManagement/AllowDeveloperUnlock** policy to 1 (enabled). | ![Most restricted value](../images/check-gn.png) | +| Enabled
**(default)** | 1 | 1 | Allowed. | | + +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow sideloading of Extensions +- **GP name:** AllowSideloadingOfExtensions +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowSideloadingExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSideloadingExtensions +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Extensions +- **Value name:** AllowSideloadingOfExtensions +- **Value type:** REG_DWORD + +### Related policies + +- [Allows development of Windows Store apps and installing them from an integrated development environment (IDE)](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowdeveloperunlock): When you enable this policy and the **Allow all trusted apps to install** policy, you allow users to develop Windows Store apps and install them directly from an IDE. + +- [Allow all trusted apps to install](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowalltrustedapps): When you enable this policy, you can manage the installation of trusted line-of-business (LOB) or developer-signed Windows Store apps. + +### Related topics + +[Enable your device for development](https://docs.microsoft.com/windows/uwp/get-started/enable-your-device-for-development): Access development features, along with other developer-focused settings to make it possible for you to develop, test, and debug apps. Learn how to configure your environment for development, the difference between Developer Mode and sideloading, and the security risks of Developer mode. + +

diff --git a/browsers/edge/includes/allow-tab-preloading-include.md b/browsers/edge/includes/allow-tab-preloading-include.md index b6ba4f0e8e..2083558b86 100644 --- a/browsers/edge/includes/allow-tab-preloading-include.md +++ b/browsers/edge/includes/allow-tab-preloading-include.md @@ -1,46 +1,46 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1802*
->*Default setting: Enabled or not configured (Allowed)* - -[!INCLUDE [allow-tab-preloading-shortdesc](../shortdesc/allow-tab-preloading-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------------------------|:---:|:--------:|-------------------------------------------|:------------------------------------------------:| -| Disabled | 0 | 0 | Prevented. | ![Most restricted value](../images/check-gn.png) | -| Enabled or not configured
**(default)** | 1 | 1 | Allowed. Preload Start and New Tab pages. | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow Microsoft Edge to load the Start and New Tab pages in the background at Windows startup and each time Microsoft Edge is closed -- **GP name:** AllowTabPreloading -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowTabPreloading](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowTabPreloading -- **Data type:** Integer - -#### Registry settings -- **Path:** HKCU\SOFTWARE\Policies\Microsoft\MicrosoftEdge\TabPreloader -- **Create Value name:** AllowTabPreloading -- **Value type:** REG_DWORD -- **DWORD Value:** 1 - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1802*
+>*Default setting: Enabled or not configured (Allowed)* + +[!INCLUDE [allow-tab-preloading-shortdesc](../shortdesc/allow-tab-preloading-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------------------------|:---:|:--------:|-------------------------------------------|:------------------------------------------------:| +| Disabled | 0 | 0 | Prevented. | ![Most restricted value](../images/check-gn.png) | +| Enabled or not configured
**(default)** | 1 | 1 | Allowed. Preload Start and New Tab pages. | | + +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow Microsoft Edge to load the Start and New Tab pages in the background at Windows startup and each time Microsoft Edge is closed +- **GP name:** AllowTabPreloading +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowTabPreloading](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowTabPreloading +- **Data type:** Integer + +#### Registry settings +- **Path:** HKCU\SOFTWARE\Policies\Microsoft\MicrosoftEdge\TabPreloader +- **Create Value name:** AllowTabPreloading +- **Value type:** REG_DWORD +- **DWORD Value:** 1 + +
diff --git a/browsers/edge/includes/allow-web-content-new-tab-page-include.md b/browsers/edge/includes/allow-web-content-new-tab-page-include.md index ece2371a32..88e91371ac 100644 --- a/browsers/edge/includes/allow-web-content-new-tab-page-include.md +++ b/browsers/edge/includes/allow-web-content-new-tab-page-include.md @@ -1,50 +1,50 @@ ---- -author: eavena -ms.author: eravena -ms.date: 11/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Enabled (the default New Tab page loads)* - - -[!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../shortdesc/allow-web-content-on-new-tab-page-shortdesc.md)] - - -### Supported values - -| Group Policy | MDM | Registry | Description | -|-----------------------------------------|:---:|:--------:|----------------------------------------------------------------------------------------------| -| Disabled | 0 | 0 | Load a blank page instead of the default New Tab page and prevent users from making changes. | -| Enabled or not configured **(default)** | 1 | 1 | Load the default New Tab page and the users make changes. | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow web content on New Tab page -- **GP name:** AllowWebContentOnNewTabPage -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowWebContentOnNewTabPage](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowWebContentOnNewTabPage -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI -- **Value name:** AllowWebContentOnNewTabPage -- **Value type:** REG_DWORD - -### Related policies -[Set New Tab page URL](../available-policies.md#set-new-tab-page-url): [!INCLUDE [set-new-tab-url-shortdesc](../shortdesc/set-new-tab-url-shortdesc.md)] - -
+--- +author: eavena +ms.author: eravena +ms.date: 11/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Enabled (the default New Tab page loads)* + + +[!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../shortdesc/allow-web-content-on-new-tab-page-shortdesc.md)] + + +### Supported values + +| Group Policy | MDM | Registry | Description | +|-----------------------------------------|:---:|:--------:|----------------------------------------------------------------------------------------------| +| Disabled | 0 | 0 | Load a blank page instead of the default New Tab page and prevent users from making changes. | +| Enabled or not configured **(default)** | 1 | 1 | Load the default New Tab page and the users make changes. | + +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow web content on New Tab page +- **GP name:** AllowWebContentOnNewTabPage +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowWebContentOnNewTabPage](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowWebContentOnNewTabPage +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI +- **Value name:** AllowWebContentOnNewTabPage +- **Value type:** REG_DWORD + +### Related policies +[Set New Tab page URL](../available-policies.md#set-new-tab-page-url): [!INCLUDE [set-new-tab-url-shortdesc](../shortdesc/set-new-tab-url-shortdesc.md)] + +
diff --git a/browsers/edge/includes/always-enable-book-library-include.md b/browsers/edge/includes/always-enable-book-library-include.md index 5edf01302b..7cb4f04653 100644 --- a/browsers/edge/includes/always-enable-book-library-include.md +++ b/browsers/edge/includes/always-enable-book-library-include.md @@ -1,46 +1,46 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
->*Default setting: Disabled or not configured* - - -[!INCLUDE [always-show-books-library-shortdesc](../shortdesc/always-show-books-library-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Show the Books Library only in countries or regions where supported. | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Show the Books Library, regardless of the device’s country or region. | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Always show the Books Library in Microsoft Edge -- **GP name:** AlwaysEnableBooksLibrary -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AlwaysEnableBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AlwaysEnableBooksLibrary -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main -- **Value name:** AlwaysEnableBooksLibrary -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
+>*Default setting: Disabled or not configured* + + +[!INCLUDE [always-show-books-library-shortdesc](../shortdesc/always-show-books-library-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Show the Books Library only in countries or regions where supported. | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Show the Books Library, regardless of the device’s country or region. | | + +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Always show the Books Library in Microsoft Edge +- **GP name:** AlwaysEnableBooksLibrary +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AlwaysEnableBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AlwaysEnableBooksLibrary +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main +- **Value name:** AlwaysEnableBooksLibrary +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/configure-additional-search-engines-include.md b/browsers/edge/includes/configure-additional-search-engines-include.md index be90043b57..e1ff2e9999 100644 --- a/browsers/edge/includes/configure-additional-search-engines-include.md +++ b/browsers/edge/includes/configure-additional-search-engines-include.md @@ -1,58 +1,58 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Disabled or not configured (Prevented)* - -[!INCLUDE [configure-additional-search-engines-shortdesc](../shortdesc/configure-additional-search-engines-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Prevented. Use the search engine specified in App settings.

If you enabled this policy and now want to disable it, all previously configured search engines get removed. | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Allowed. Add up to five additional search engines and set any one of them as the default.

For each search engine added you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). | | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure additional search engines -- **GP name:** ConfigureAdditionalSearchEngines -- **GP element:** ConfigureAdditionalSearchEngines_Prompt -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[ConfigureAdditionalSearchEngines](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configureadditionalsearchengines) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureAdditionalSearchEngines -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\OpenSearch -- **Value name:** ConfigureAdditionalSearchEngines -- **Value type:** REG_SZ - -### Related policies - -- [Set default search engine](../available-policies.md\#set-default-search-engine): [!INCLUDE [set-default-search-engine-shortdesc](../shortdesc/set-default-search-engine-shortdesc.md)] - -- [Allow search engine customization](../available-policies.md#allow-search-engine-customization): [!INCLUDE [allow-search-engine-customization-shortdesc](../shortdesc/allow-search-engine-customization-shortdesc.md)] - - -### Related topics - -- [!INCLUDE [microsoft-browser-extension-policy-shortdesc](../shortdesc/microsoft-browser-extension-policy-shortdesc.md)] - -- [Search provider discovery](https://docs.microsoft.com/microsoft-edge/dev-guide/browser/search-provider-discovery): Rich search integration is built into the Microsoft Edge address bar, including search suggestions, results from the web, your browsing history, and favorites. - -

+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Disabled or not configured (Prevented)* + +[!INCLUDE [configure-additional-search-engines-shortdesc](../shortdesc/configure-additional-search-engines-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Prevented. Use the search engine specified in App settings.

If you enabled this policy and now want to disable it, all previously configured search engines get removed. | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Allowed. Add up to five additional search engines and set any one of them as the default.

For each search engine added you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). | | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure additional search engines +- **GP name:** ConfigureAdditionalSearchEngines +- **GP element:** ConfigureAdditionalSearchEngines_Prompt +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[ConfigureAdditionalSearchEngines](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configureadditionalsearchengines) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureAdditionalSearchEngines +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\OpenSearch +- **Value name:** ConfigureAdditionalSearchEngines +- **Value type:** REG_SZ + +### Related policies + +- [Set default search engine](../available-policies.md\#set-default-search-engine): [!INCLUDE [set-default-search-engine-shortdesc](../shortdesc/set-default-search-engine-shortdesc.md)] + +- [Allow search engine customization](../available-policies.md#allow-search-engine-customization): [!INCLUDE [allow-search-engine-customization-shortdesc](../shortdesc/allow-search-engine-customization-shortdesc.md)] + + +### Related topics + +- [!INCLUDE [microsoft-browser-extension-policy-shortdesc](../shortdesc/microsoft-browser-extension-policy-shortdesc.md)] + +- [Search provider discovery](https://docs.microsoft.com/microsoft-edge/dev-guide/browser/search-provider-discovery): Rich search integration is built into the Microsoft Edge address bar, including search suggestions, results from the web, your browsing history, and favorites. + +

diff --git a/browsers/edge/includes/configure-adobe-flash-click-to-run-include.md b/browsers/edge/includes/configure-adobe-flash-click-to-run-include.md index a1ee2cc569..852be617a5 100644 --- a/browsers/edge/includes/configure-adobe-flash-click-to-run-include.md +++ b/browsers/edge/includes/configure-adobe-flash-click-to-run-include.md @@ -1,45 +1,45 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Enabled or not configured (Does not load content automatically)* - -[!INCLUDE [configure-adobe-flash-click-to-run-setting-shortdesc](../shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled | 0 | 0 | Load and run Adobe Flash content automatically. | | -| Enabled or not configured
**(default)** | 1 | 1 | Do not load or run Adobe Flash content and require action from the user. | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Configure the Adobe Flash Click-to-Run setting -- **GP name:** AllowFlashClickToRun -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowFlashClickToRun](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowFlashClickToRun -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Security -- **Value name:** FlashClickToRunMode -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Enabled or not configured (Does not load content automatically)* + +[!INCLUDE [configure-adobe-flash-click-to-run-setting-shortdesc](../shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled | 0 | 0 | Load and run Adobe Flash content automatically. | | +| Enabled or not configured
**(default)** | 1 | 1 | Do not load or run Adobe Flash content and require action from the user. | ![Most restricted value](../images/check-gn.png) | + +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Configure the Adobe Flash Click-to-Run setting +- **GP name:** AllowFlashClickToRun +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowFlashClickToRun](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowFlashClickToRun +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Security +- **Value name:** FlashClickToRunMode +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/configure-autofill-include.md b/browsers/edge/includes/configure-autofill-include.md index 18e02058ad..1ef991e263 100644 --- a/browsers/edge/includes/configure-autofill-include.md +++ b/browsers/edge/includes/configure-autofill-include.md @@ -1,45 +1,45 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Not configured (Blank)* - -[!INCLUDE [configure-autofill-shortdesc](../shortdesc/configure-autofill-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------|:-----:|:--------:|-----------------------------------|:------------------------------------------------:| -| Not configured
**(default)** | Blank | Blank | Users can choose to use Autofill. | | -| Disabled | 0 | no | Prevented. | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | yes | Allowed. | | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure Autofill -- **GP name:** AllowAutofill -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowAutofill](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser\#browser-allowautofill) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowAutofill -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main -- **Value name:** Use FormSuggest -- **Value type:** REG_SZ - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Not configured (Blank)* + +[!INCLUDE [configure-autofill-shortdesc](../shortdesc/configure-autofill-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------|:-----:|:--------:|-----------------------------------|:------------------------------------------------:| +| Not configured
**(default)** | Blank | Blank | Users can choose to use Autofill. | | +| Disabled | 0 | no | Prevented. | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | yes | Allowed. | | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure Autofill +- **GP name:** AllowAutofill +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowAutofill](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser\#browser-allowautofill) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowAutofill +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main +- **Value name:** Use FormSuggest +- **Value type:** REG_SZ + +
diff --git a/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md b/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md index 1f55150328..1525399652 100644 --- a/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md +++ b/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md @@ -1,65 +1,65 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Disabled or not configured (No data collected or sent)* - -[!INCLUDE [configure-browser-telemetry-for-m365-analytics-shortdesc](../shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md)] - - -> [!IMPORTANT] -> For this policy to work, enable the **Allow Telemetry** group policy with the _Enhanced_ option and enable the **Configure the Commercial ID** group policy by providing the Commercial ID. -> -> You can find these policies in the following location of the Group Policy Editor: -> -> **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\** -> - - -### Supported values - - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|-----------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | No data collected or sent | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Send intranet history only | | -| Enabled | 2 | 2 | Send Internet history only | | -| Enabled | 3 | 3 | Send both intranet and Internet history | | - ---- - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure collection of browsing data for Microsoft 365 Analytics -- **GP name:** ConfigureTelemetryForMicrosoft365Analytics -- **GP element:** ZonesListBox -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - - -#### MDM settings -- **MDM name:** Browser/[ConfigureTelemetryForMicrosoft365Analytics](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureTelemetryForMicrosoft365Analytics -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection -- **Value name:** MicrosoftEdgeDataOptIn -- **Value type:** REG_DWORD - -### Related policies -- Allow Telemetry: Allows Microsoft to run diagnostics on the device and troubleshoot. The default setting for Allow Telemetry is set to _Enhanced_ (2 for MDM). - -- Configure the Commercial ID: Define the Commercial ID used to associate the device's telemetry data as belonging to a given organization. - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Disabled or not configured (No data collected or sent)* + +[!INCLUDE [configure-browser-telemetry-for-m365-analytics-shortdesc](../shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md)] + + +> [!IMPORTANT] +> For this policy to work, enable the **Allow Telemetry** group policy with the _Enhanced_ option and enable the **Configure the Commercial ID** group policy by providing the Commercial ID. +> +> You can find these policies in the following location of the Group Policy Editor: +> +> **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\** +> + + +### Supported values + + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|-----------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | No data collected or sent | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Send intranet history only | | +| Enabled | 2 | 2 | Send Internet history only | | +| Enabled | 3 | 3 | Send both intranet and Internet history | | + +--- + + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure collection of browsing data for Microsoft 365 Analytics +- **GP name:** ConfigureTelemetryForMicrosoft365Analytics +- **GP element:** ZonesListBox +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + + +#### MDM settings +- **MDM name:** Browser/[ConfigureTelemetryForMicrosoft365Analytics](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureTelemetryForMicrosoft365Analytics +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection +- **Value name:** MicrosoftEdgeDataOptIn +- **Value type:** REG_DWORD + +### Related policies +- Allow Telemetry: Allows Microsoft to run diagnostics on the device and troubleshoot. The default setting for Allow Telemetry is set to _Enhanced_ (2 for MDM). + +- Configure the Commercial ID: Define the Commercial ID used to associate the device's telemetry data as belonging to a given organization. + +
diff --git a/browsers/edge/includes/configure-cookies-include.md b/browsers/edge/includes/configure-cookies-include.md index a8a8fd2d5f..36922a6177 100644 --- a/browsers/edge/includes/configure-cookies-include.md +++ b/browsers/edge/includes/configure-cookies-include.md @@ -1,46 +1,46 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Disabled or not configured (Allow all cookies from all sites)* - -[!INCLUDE [configure-cookies-shortdesc](../shortdesc/configure-cookies-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|-----------------------------------------------|:------------------------------------------------:| -| Enabled | 0 | 0 | Block all cookies from all sites. | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Block only cookies from third party websites. | | -| Disabled or not configured
**(default)** | 2 | 2 | Allow all cookies from all sites. | | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure cookies -- **GP name:** Cookies -- **GP element:** CookiesListBox -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowCookies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser\#browser-allowcookies) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowCookies -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main -- **Value name:** Cookies -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled or not configured (Allow all cookies from all sites)* + +[!INCLUDE [configure-cookies-shortdesc](../shortdesc/configure-cookies-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|-----------------------------------------------|:------------------------------------------------:| +| Enabled | 0 | 0 | Block all cookies from all sites. | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Block only cookies from third party websites. | | +| Disabled or not configured
**(default)** | 2 | 2 | Allow all cookies from all sites. | | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure cookies +- **GP name:** Cookies +- **GP element:** CookiesListBox +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowCookies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser\#browser-allowcookies) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowCookies +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main +- **Value name:** Cookies +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/configure-do-not-track-include.md b/browsers/edge/includes/configure-do-not-track-include.md index 7e0f59943e..f4868357b9 100644 --- a/browsers/edge/includes/configure-do-not-track-include.md +++ b/browsers/edge/includes/configure-do-not-track-include.md @@ -1,45 +1,45 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Not configured (Do not send tracking information)* - -[!INCLUDE [configure-do-not-track-shortdesc](../shortdesc/configure-do-not-track-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------|:-----:|:--------:|---------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Not configured
**(default)** | Blank | Blank | Do not send tracking information but let users choose to send tracking information to sites they visit. | | -| Disabled | 0 | 0 | Never send tracking information. | | -| Enabled | 1 | 1 | Send tracking information. | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure Do Not Track -- **GP name:** AllowDoNotTrack -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowDoNotTrack](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowDoNotTrack -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main -- **Value name:** DoNotTrack -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Not configured (Do not send tracking information)* + +[!INCLUDE [configure-do-not-track-shortdesc](../shortdesc/configure-do-not-track-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------|:-----:|:--------:|---------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Not configured
**(default)** | Blank | Blank | Do not send tracking information but let users choose to send tracking information to sites they visit. | | +| Disabled | 0 | 0 | Never send tracking information. | | +| Enabled | 1 | 1 | Send tracking information. | ![Most restricted value](../images/check-gn.png) | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure Do Not Track +- **GP name:** AllowDoNotTrack +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowDoNotTrack](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowDoNotTrack +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main +- **Value name:** DoNotTrack +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md b/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md index 4d4aea6068..ccdd275e01 100644 --- a/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md +++ b/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md @@ -1,56 +1,56 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: 5 minutes* - -[!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] - -You must set the Configure kiosk mode policy to enabled (1 - InPrivate public browsing) and configure Microsoft Edge as a single-app in assigned access for this policy to take effect; otherwise, Microsoft Edge ignores this setting. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/windows/configuration/kiosk-shared-pc). - -### Supported values - -- **Any integer from 1-1440 (5 minutes is the default)** – The time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration. A confirmation dialog displays for the user to cancel or continue and automatically continues after 30 seconds. - -- **0** – No idle timer. - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure kiosk reset after idle timeout -- **GP name:** ConfigureKioskResetAfterIdleTimeout -- **GP element:** ConfigureKioskResetAfterIdleTimeout_TextBox -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\KioskMode -- Value name:ConfigureKioskResetAfterIdleTimeout -- **Value type:** REG_DWORD - - - -### Related policies - -[Configure kiosk mode](../available-policies.md#configure-kiosk-mode): [!INCLUDE [configure-kiosk-mode-shortdesc](../shortdesc/configure-kiosk-mode-shortdesc.md)] - - - -### Related topics -[Deploy Microsoft Edge kiosk mode](../microsoft-edge-kiosk-mode-deploy.md): Microsoft Edge kiosk mode works with assigned access to allow IT administrators, to create a tailored browsing experience designed for kiosk devices. In this deployment guidance, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn about the other group policies to help you enhance the how to set up your Microsoft Edge kiosk mode experience. - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: 5 minutes* + +[!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] + +You must set the Configure kiosk mode policy to enabled (1 - InPrivate public browsing) and configure Microsoft Edge as a single-app in assigned access for this policy to take effect; otherwise, Microsoft Edge ignores this setting. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/windows/configuration/kiosk-shared-pc). + +### Supported values + +- **Any integer from 1-1440 (5 minutes is the default)** – The time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration. A confirmation dialog displays for the user to cancel or continue and automatically continues after 30 seconds. + +- **0** – No idle timer. + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure kiosk reset after idle timeout +- **GP name:** ConfigureKioskResetAfterIdleTimeout +- **GP element:** ConfigureKioskResetAfterIdleTimeout_TextBox +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\KioskMode +- Value name:ConfigureKioskResetAfterIdleTimeout +- **Value type:** REG_DWORD + + + +### Related policies + +[Configure kiosk mode](../available-policies.md#configure-kiosk-mode): [!INCLUDE [configure-kiosk-mode-shortdesc](../shortdesc/configure-kiosk-mode-shortdesc.md)] + + + +### Related topics +[Deploy Microsoft Edge kiosk mode](../microsoft-edge-kiosk-mode-deploy.md): Microsoft Edge kiosk mode works with assigned access to allow IT administrators, to create a tailored browsing experience designed for kiosk devices. In this deployment guidance, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn about the other group policies to help you enhance the how to set up your Microsoft Edge kiosk mode experience. + +
diff --git a/browsers/edge/includes/configure-enterprise-mode-site-list-include.md b/browsers/edge/includes/configure-enterprise-mode-site-list-include.md index 65c68c67e1..66ad97e9f7 100644 --- a/browsers/edge/includes/configure-enterprise-mode-site-list-include.md +++ b/browsers/edge/includes/configure-enterprise-mode-site-list-include.md @@ -55,4 +55,4 @@ -
\ No newline at end of file +
diff --git a/browsers/edge/includes/configure-favorites-bar-include.md b/browsers/edge/includes/configure-favorites-bar-include.md index 6fdeb3ee83..e4e4ae2cb6 100644 --- a/browsers/edge/includes/configure-favorites-bar-include.md +++ b/browsers/edge/includes/configure-favorites-bar-include.md @@ -1,48 +1,48 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Not configured (Hidden but shown on the Start and New Tab pages)* - - -[!INCLUDE [allow-favorites-bar-shortdesc](../shortdesc/configure-favorites-bar-shortdesc.md)] - - -### Supported values - - -|Group Policy |MDM |Registry |Description | -|---|:---:|:---:|---| -|Not configured **(default)** |Blank |Blank |Hidden but shown on the Start and New Tab pages.

Favorites Bar toggle (in Settings) = **Off** and enabled letting users make changes. | -|Disabled |0 |0 |Hidden on all pages.

| -|Enabled |1 |1 |Shown on all pages. | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure Favorites Bar -- **GP name:** ConfigureFavoritesBar -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[ConfigureFavoritesBar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureFavoritesBar -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main -- **Value name:** ConfigureFavoritesBar -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Not configured (Hidden but shown on the Start and New Tab pages)* + + +[!INCLUDE [allow-favorites-bar-shortdesc](../shortdesc/configure-favorites-bar-shortdesc.md)] + + +### Supported values + + +|Group Policy |MDM |Registry |Description | +|---|:---:|:---:|---| +|Not configured **(default)** |Blank |Blank |Hidden but shown on the Start and New Tab pages.

Favorites Bar toggle (in Settings) = **Off** and enabled letting users make changes. | +|Disabled |0 |0 |Hidden on all pages.

| +|Enabled |1 |1 |Shown on all pages. | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure Favorites Bar +- **GP name:** ConfigureFavoritesBar +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[ConfigureFavoritesBar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureFavoritesBar +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main +- **Value name:** ConfigureFavoritesBar +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/configure-favorites-include.md b/browsers/edge/includes/configure-favorites-include.md index 4c2ab722f9..500c9acc12 100644 --- a/browsers/edge/includes/configure-favorites-include.md +++ b/browsers/edge/includes/configure-favorites-include.md @@ -1,14 +1,14 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->Discontinued in the Windows 10 October 2018 Update. Use the **[Provision Favorites](../available-policies.md#provision-favorites)** group policy instead. - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>Discontinued in the Windows 10 October 2018 Update. Use the **[Provision Favorites](../available-policies.md#provision-favorites)** group policy instead. + +
diff --git a/browsers/edge/includes/configure-home-button-include.md b/browsers/edge/includes/configure-home-button-include.md index 2535093959..3082d3014b 100644 --- a/browsers/edge/includes/configure-home-button-include.md +++ b/browsers/edge/includes/configure-home-button-include.md @@ -1,61 +1,61 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/28/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Disabled or not configured (Show home button and load the Start page)* - - -[!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] - - -### Supported values - -| Group Policy | MDM | Registry | Description | -|---------------------------------------------|:---:|:--------:|----------------------------------------------------------------| -| Disabled or not configured
**(default)** | 0 | 0 | Load the Start page. | -| Enabled | 1 | 1 | Load the New Tab page. | -| Enabled | 2 | 2 | Load the custom URL defined in the Set Home Button URL policy. | -| Enabled | 3 | 3 | Hide the home button. | - ---- - - ->[!TIP] ->If you want to make changes to this policy:
  1. Enable the **Unlock Home Button** policy.
  2. Make changes to the **Configure Home Button** policy or **Set Home Button URL** policy.
  3. Disable the **Unlock Home Button** policy.
- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure Home Button -- **GP name:** ConfigureHomeButton -- **GP element:** ConfigureHomeButtonDropdown -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings -- **Value name:** ConfigureHomeButton -- **Value type:** REG_DWORD - -### Related policies - -- [Set Home Button URL](../available-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] - -- [Unlock Home Button](../available-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)] - - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/28/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Disabled or not configured (Show home button and load the Start page)* + + +[!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] + + +### Supported values + +| Group Policy | MDM | Registry | Description | +|---------------------------------------------|:---:|:--------:|----------------------------------------------------------------| +| Disabled or not configured
**(default)** | 0 | 0 | Load the Start page. | +| Enabled | 1 | 1 | Load the New Tab page. | +| Enabled | 2 | 2 | Load the custom URL defined in the Set Home Button URL policy. | +| Enabled | 3 | 3 | Hide the home button. | + +--- + + +>[!TIP] +>If you want to make changes to this policy:
  1. Enable the **Unlock Home Button** policy.
  2. Make changes to the **Configure Home Button** policy or **Set Home Button URL** policy.
  3. Disable the **Unlock Home Button** policy.
+ + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure Home Button +- **GP name:** ConfigureHomeButton +- **GP element:** ConfigureHomeButtonDropdown +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings +- **Value name:** ConfigureHomeButton +- **Value type:** REG_DWORD + +### Related policies + +- [Set Home Button URL](../available-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] + +- [Unlock Home Button](../available-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)] + + +
diff --git a/browsers/edge/includes/configure-kiosk-mode-supported-values-include.md b/browsers/edge/includes/configure-kiosk-mode-supported-values-include.md index e5a7ff9155..bda51bb3e5 100644 --- a/browsers/edge/includes/configure-kiosk-mode-supported-values-include.md +++ b/browsers/edge/includes/configure-kiosk-mode-supported-values-include.md @@ -1,17 +1,16 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/27/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - -| | | -|----------|------| -|**Single-app**

![thumbnail](../images/Picture1-sm.png)

**Digital/interactive signage**

Displays a specific site in full-screen mode, running Microsoft Edge InPrivate protecting user data.

**Policy setting** = Not configured (0 default)

|

 

![thumbnail](../images/Picture2-sm.png)

Public browsing

Runs a limited multi-tab version of Microsoft Edge, protecting user data. Microsoft Edge is the only app users can use on the device, preventing them from customizing Microsoft Edge. Users can only browse publically or end their browsing session.

The single-app public browsing mode is the only kiosk mode that has an End session button. Microsoft Edge also resets the session after a specified time of user inactivity. Both restart Microsoft Edge and clear the user’s session.

Example. A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other apps.

Policy setting = Enabled (1) | -| **Multi-app**

![thumbnail](../images/Picture5-sm.png)

**Normal browsing**

Runs a full-version of Microsoft Edge with all browsing features and preserves the user data and state between sessions.

Some features may not work depending on what other apps you have configured in assigned access. For example, installing extensions or books from the Microsoft store are not allowed if the store is not available. Also, if Internet Explorer 11 is set up in assigned access, you can enable [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support.

**Policy setting** = Not configured (0 default) |

 

![thumbnail](../images/Picture6-sm.png)

Public browsing

Runs a multi-tab version of Microsoft Edge InPrivate with a tailored experience for kiosks that runs in full-screen mode. Users can open and close Microsoft Edge and launch other apps if allowed by assigned access. Instead of an End session button to clear their browsing session, the user closes Microsoft Edge normally.

In this configuration, Microsoft Edge can interact with other applications. For example, if Internet Explorer 11 is set up in multi-app assigned access, you can enable [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support.

Example. A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other apps.

Policy setting = Enabled (1) | - ---- +--- +author: eavena +ms.author: eravena +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +| | | +|----------|------| +|**Single-app**

![thumbnail](../images/Picture1-sm.png)

**Digital/interactive signage**

Displays a specific site in full-screen mode, running Microsoft Edge InPrivate protecting user data.

**Policy setting** = Not configured (0 default)

|

 

![thumbnail](../images/Picture2-sm.png)

Public browsing

Runs a limited multi-tab version of Microsoft Edge, protecting user data. Microsoft Edge is the only app users can use on the device, preventing them from customizing Microsoft Edge. Users can only browse publically or end their browsing session.

The single-app public browsing mode is the only kiosk mode that has an End session button. Microsoft Edge also resets the session after a specified time of user inactivity. Both restart Microsoft Edge and clear the user’s session.

Example. A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other apps.

Policy setting = Enabled (1) | +| **Multi-app**

![thumbnail](../images/Picture5-sm.png)

**Normal browsing**

Runs a full-version of Microsoft Edge with all browsing features and preserves the user data and state between sessions.

Some features may not work depending on what other apps you have configured in assigned access. For example, installing extensions or books from the Microsoft store are not allowed if the store is not available. Also, if Internet Explorer 11 is set up in assigned access, you can enable [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support.

**Policy setting** = Not configured (0 default) |

 

![thumbnail](../images/Picture6-sm.png)

Public browsing

Runs a multi-tab version of Microsoft Edge InPrivate with a tailored experience for kiosks that runs in full-screen mode. Users can open and close Microsoft Edge and launch other apps if allowed by assigned access. Instead of an End session button to clear their browsing session, the user closes Microsoft Edge normally.

In this configuration, Microsoft Edge can interact with other applications. For example, if Internet Explorer 11 is set up in multi-app assigned access, you can enable [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support.

Example. A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other apps.

Policy setting = Enabled (1) | + +--- diff --git a/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md b/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md index adc3dbf183..1c08a3d745 100644 --- a/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md +++ b/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md @@ -1,51 +1,51 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/27/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Not configured* - -[!INCLUDE [configure-kiosk-mode-shortdesc](../shortdesc/configure-kiosk-mode-shortdesc.md)] - -For this policy to work, you must configure Microsoft Edge in assigned access; otherwise, Microsoft Edge ignores the settings in this policy. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://aka.ms/E489vw). - -### Supported values - -[!INCLUDE [configure-kiosk-mode-supported-values-include](configure-kiosk-mode-supported-values-include.md)] - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure kiosk mode -- **GP name:** ConfigureKioskMode -- **GP element:** ConfigureKioskMode_TextBox -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\KioskMode -- **Value name:** ConfigureKioskMode -- **Value type:** REG_SZ - -### Related policies -[Configure kiosk reset after idle timeout](../available-policies.md#configure-kiosk-reset-after-idle-timeout): [!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] - - -### Related topics -[Deploy Microsoft Edge kiosk mode](../microsoft-edge-kiosk-mode-deploy.md): Microsoft Edge kiosk mode works with assigned access to allow IT administrators, to create a tailored browsing experience designed for kiosk devices. In this deployment guidance, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn about the other group policies to help you enhance the how to set up your Microsoft Edge kiosk mode experience. - -

+--- +author: eavena +ms.author: eravena +ms.date: 10/27/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Not configured* + +[!INCLUDE [configure-kiosk-mode-shortdesc](../shortdesc/configure-kiosk-mode-shortdesc.md)] + +For this policy to work, you must configure Microsoft Edge in assigned access; otherwise, Microsoft Edge ignores the settings in this policy. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://aka.ms/E489vw). + +### Supported values + +[!INCLUDE [configure-kiosk-mode-supported-values-include](configure-kiosk-mode-supported-values-include.md)] + + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure kiosk mode +- **GP name:** ConfigureKioskMode +- **GP element:** ConfigureKioskMode_TextBox +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\KioskMode +- **Value name:** ConfigureKioskMode +- **Value type:** REG_SZ + +### Related policies +[Configure kiosk reset after idle timeout](../available-policies.md#configure-kiosk-reset-after-idle-timeout): [!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] + + +### Related topics +[Deploy Microsoft Edge kiosk mode](../microsoft-edge-kiosk-mode-deploy.md): Microsoft Edge kiosk mode works with assigned access to allow IT administrators, to create a tailored browsing experience designed for kiosk devices. In this deployment guidance, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn about the other group policies to help you enhance the how to set up your Microsoft Edge kiosk mode experience. + +
diff --git a/browsers/edge/includes/configure-open-edge-with-include.md b/browsers/edge/includes/configure-open-edge-with-include.md index 02f0daa65a..a86cf568ce 100644 --- a/browsers/edge/includes/configure-open-edge-with-include.md +++ b/browsers/edge/includes/configure-open-edge-with-include.md @@ -1,68 +1,68 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Enabled (A specific page or pages)* - -[!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] - -**Version 1703 or later:**
If you don't want to send traffic to Microsoft, use the \ value, which honors both domain and non domain-joined devices when it's the only configured URL. - -**version 1809:**
When you enable this policy (Configure Open Microsoft Edge With) and select an option, and also enable the Configure Start Pages policy, Microsoft Edge ignores the Configure Start Page policy.

- -### Supported values - -| Group Policy | MDM | Registry | Description | -|--------------------------|:-----:|:--------:|---------------------------------------------------------------------------------------------------------------------------------------------| -| Not configured | Blank | Blank | If you don't configure this policy and you enable the Disable Lockdown of Start Pages policy, users can change or customize the Start page. | -| Enabled | 0 | 0 | Load the Start page. | -| Enabled | 1 | 1 | Load the New Tab page. | -| Enabled | 2 | 2 | Load the previous pages. | -| Enabled
**(default)** | 3 | 3 | Load a specific page or pages. | - ---- - - ->[!TIP] ->If you want to make changes to this policy:

  1. Set the **Disabled Lockdown of Start Pages** policy to not configured.
  2. Make changes to the **Configure Open Microsoft With** policy.
  3. Enable the **Disabled Lockdown of Start Pages** policy.
- - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure Open Microsoft Edge With -- **GP name:** ConfigureOpenMicrosoftEdgeWith -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[ConfigureOpenEdgeWith](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureOpenEdgeWith -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings -- **Value name:** ConfigureOpenEdgeWith -- **Value type:** REG_DWORD - -### Related policies - -- [Configure Start pages](../available-policies.md#configure-start-pages): [!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)] - -- [Disable lockdown of Start pages](../available-policies.md#disable-lockdown-of-start-pages): [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)] - - - - - ---- +--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Enabled (A specific page or pages)* + +[!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] + +**Version 1703 or later:**
If you don't want to send traffic to Microsoft, use the \ value, which honors both domain and non domain-joined devices when it's the only configured URL. + +**version 1809:**
When you enable this policy (Configure Open Microsoft Edge With) and select an option, and also enable the Configure Start Pages policy, Microsoft Edge ignores the Configure Start Page policy.

+ +### Supported values + +| Group Policy | MDM | Registry | Description | +|--------------------------|:-----:|:--------:|---------------------------------------------------------------------------------------------------------------------------------------------| +| Not configured | Blank | Blank | If you don't configure this policy and you enable the Disable Lockdown of Start Pages policy, users can change or customize the Start page. | +| Enabled | 0 | 0 | Load the Start page. | +| Enabled | 1 | 1 | Load the New Tab page. | +| Enabled | 2 | 2 | Load the previous pages. | +| Enabled
**(default)** | 3 | 3 | Load a specific page or pages. | + +--- + + +>[!TIP] +>If you want to make changes to this policy:

  1. Set the **Disabled Lockdown of Start Pages** policy to not configured.
  2. Make changes to the **Configure Open Microsoft With** policy.
  3. Enable the **Disabled Lockdown of Start Pages** policy.
+ + + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure Open Microsoft Edge With +- **GP name:** ConfigureOpenMicrosoftEdgeWith +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[ConfigureOpenEdgeWith](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureOpenEdgeWith +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings +- **Value name:** ConfigureOpenEdgeWith +- **Value type:** REG_DWORD + +### Related policies + +- [Configure Start pages](../available-policies.md#configure-start-pages): [!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)] + +- [Disable lockdown of Start pages](../available-policies.md#disable-lockdown-of-start-pages): [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)] + + + + + +--- diff --git a/browsers/edge/includes/configure-password-manager-include.md b/browsers/edge/includes/configure-password-manager-include.md index 4b6365e007..5f075480ea 100644 --- a/browsers/edge/includes/configure-password-manager-include.md +++ b/browsers/edge/includes/configure-password-manager-include.md @@ -1,49 +1,49 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Enabled (Allowed/users can change the setting)* - -[!INCLUDE [configure-password-manager-shortdesc](../shortdesc/configure-password-manager-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------|:-----:|:--------:|--------------------------------------------------------|:------------------------------------------------:| -| Not configured | Blank | Blank | Users can choose to save and manage passwords locally. | | -| Disabled | 0 | no | Not allowed. | ![Most restricted value](../images/check-gn.png) | -| Enabled
**(default)** | 1 | yes | Allowed. | | - ---- - -Verify not allowed/disabled settings: -1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**. -2. Verify the settings **Save Password** is toggled off or on and is greyed out. - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure Password Manager -- **GP name:** AllowPasswordManager -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowPasswordManager](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPasswordManager -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main -- **Value name:** FormSuggest Passwords -- **Value type:** REG_SZ - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Enabled (Allowed/users can change the setting)* + +[!INCLUDE [configure-password-manager-shortdesc](../shortdesc/configure-password-manager-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------|:-----:|:--------:|--------------------------------------------------------|:------------------------------------------------:| +| Not configured | Blank | Blank | Users can choose to save and manage passwords locally. | | +| Disabled | 0 | no | Not allowed. | ![Most restricted value](../images/check-gn.png) | +| Enabled
**(default)** | 1 | yes | Allowed. | | + +--- + +Verify not allowed/disabled settings: +1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**. +2. Verify the settings **Save Password** is toggled off or on and is greyed out. + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure Password Manager +- **GP name:** AllowPasswordManager +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowPasswordManager](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPasswordManager +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main +- **Value name:** FormSuggest Passwords +- **Value type:** REG_SZ + +
diff --git a/browsers/edge/includes/configure-pop-up-blocker-include.md b/browsers/edge/includes/configure-pop-up-blocker-include.md index 69b8c53e36..43374d7ccd 100644 --- a/browsers/edge/includes/configure-pop-up-blocker-include.md +++ b/browsers/edge/includes/configure-pop-up-blocker-include.md @@ -1,45 +1,45 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Disabled (Turned off)* - -[!INCLUDE [configure-pop-up-blocker-shortdesc](../shortdesc/configure-pop-up-blocker-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------|:-----:|:--------:|-------------------------------------------------|:------------------------------------------------:| -| Not configured | Blank | Blank | Users can choose to use Pop-up Blocker. | | -| Disabled
**(default)** | 0 | 0 | Turned off. Allow pop-up windows to open. | | -| Enabled | 1 | 1 | Turned on. Prevent pop-up windows from opening. | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure Pop-up Blocker -- **GP name:** AllowPopups -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowPopups](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowpopups) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPopups -- **Data type:** Integer - -### Registry -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main -- **Value name:** AllowPopups -- **Value type:** REG_SZ - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled (Turned off)* + +[!INCLUDE [configure-pop-up-blocker-shortdesc](../shortdesc/configure-pop-up-blocker-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------|:-----:|:--------:|-------------------------------------------------|:------------------------------------------------:| +| Not configured | Blank | Blank | Users can choose to use Pop-up Blocker. | | +| Disabled
**(default)** | 0 | 0 | Turned off. Allow pop-up windows to open. | | +| Enabled | 1 | 1 | Turned on. Prevent pop-up windows from opening. | ![Most restricted value](../images/check-gn.png) | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure Pop-up Blocker +- **GP name:** AllowPopups +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowPopups](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowpopups) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPopups +- **Data type:** Integer + +### Registry +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main +- **Value name:** AllowPopups +- **Value type:** REG_SZ + +
diff --git a/browsers/edge/includes/configure-search-suggestions-address-bar-include.md b/browsers/edge/includes/configure-search-suggestions-address-bar-include.md index a3510a557c..5e74e11ac7 100644 --- a/browsers/edge/includes/configure-search-suggestions-address-bar-include.md +++ b/browsers/edge/includes/configure-search-suggestions-address-bar-include.md @@ -1,45 +1,45 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Not configured (Blank)* - -[!INCLUDE [configure-search-suggestions-in-address-bar-shortdesc](../shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------|:-----:|:--------:|---------------------------------------------|:------------------------------------------------:| -| Not configured
**(default)** | Blank | Blank | Users can choose to see search suggestions. | | -| Disabled | 0 | 0 | Prevented. Hide the search suggestions. | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Allowed. Show the search suggestions. | | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure search suggestions in Address bar -- **GP name:** AllowSearchSuggestionsinAddressBar -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsearchsuggestionsinaddressbar) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSearchSuggestionsinAddressBar -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes -- **Value name:** ShowSearchSuggestionsGlobal -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Not configured (Blank)* + +[!INCLUDE [configure-search-suggestions-in-address-bar-shortdesc](../shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------|:-----:|:--------:|---------------------------------------------|:------------------------------------------------:| +| Not configured
**(default)** | Blank | Blank | Users can choose to see search suggestions. | | +| Disabled | 0 | 0 | Prevented. Hide the search suggestions. | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Allowed. Show the search suggestions. | | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure search suggestions in Address bar +- **GP name:** AllowSearchSuggestionsinAddressBar +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsearchsuggestionsinaddressbar) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSearchSuggestionsinAddressBar +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes +- **Value name:** ShowSearchSuggestionsGlobal +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/configure-start-pages-include.md b/browsers/edge/includes/configure-start-pages-include.md index 6a64d182d4..911d1b11c9 100644 --- a/browsers/edge/includes/configure-start-pages-include.md +++ b/browsers/edge/includes/configure-start-pages-include.md @@ -1,54 +1,54 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Blank or not configured (Load pages specified in App settings)* - -[!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | -|----------------|:------:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Not configured | Blank | Blank | Load the pages specified in App settings as the default Start pages. | -| Enabled | String | String | Enter the URLs of the pages you want to load as the Start pages, separating each page using angle brackets:

    \\

**Version 1703 or later:**
If you do not want to send traffic to Microsoft, use the \ value, which honors both domain and non-domain-joined devices when it's the only configured URL.

**Version 1809:**
When you enable the Configure Open Microsoft Edge With policy with any option selected, and you enable the Configure Start Pages policy, the Configure Open Microsoft Edge With policy takes precedence, ignoring the Configure Start Pages policy. | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure Start pages -- **GP name:** HomePages -- **GP element:** HomePagesPrompt -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[HomePages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-homepages) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages -- **Data type:** String - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings -- **Value name:** ProvisionedHomePages -- **Value type:** REG_SZ - - -### Related policies - -- [Disable Lockdown of Start Pages](../available-policies.md#disable-lockdown-of-start-pages): [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)] - -- [Configure Open Microsoft Edge With](../available-policies.md#configure-open-microsoft-edge-with): [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] - - - -

+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Blank or not configured (Load pages specified in App settings)* + +[!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | +|----------------|:------:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Not configured | Blank | Blank | Load the pages specified in App settings as the default Start pages. | +| Enabled | String | String | Enter the URLs of the pages you want to load as the Start pages, separating each page using angle brackets:

    \\

**Version 1703 or later:**
If you do not want to send traffic to Microsoft, use the \ value, which honors both domain and non-domain-joined devices when it's the only configured URL.

**Version 1809:**
When you enable the Configure Open Microsoft Edge With policy with any option selected, and you enable the Configure Start Pages policy, the Configure Open Microsoft Edge With policy takes precedence, ignoring the Configure Start Pages policy. | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure Start pages +- **GP name:** HomePages +- **GP element:** HomePagesPrompt +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[HomePages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-homepages) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages +- **Data type:** String + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings +- **Value name:** ProvisionedHomePages +- **Value type:** REG_SZ + + +### Related policies + +- [Disable Lockdown of Start Pages](../available-policies.md#disable-lockdown-of-start-pages): [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)] + +- [Configure Open Microsoft Edge With](../available-policies.md#configure-open-microsoft-edge-with): [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] + + + +

diff --git a/browsers/edge/includes/configure-windows-defender-smartscreen-include.md b/browsers/edge/includes/configure-windows-defender-smartscreen-include.md index f842745478..d86492ba81 100644 --- a/browsers/edge/includes/configure-windows-defender-smartscreen-include.md +++ b/browsers/edge/includes/configure-windows-defender-smartscreen-include.md @@ -1,50 +1,50 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Enabled (Turned on)* - -[!INCLUDE [configure-windows-defender-smartscreen-shortdesc](../shortdesc/configure-windows-defender-smartscreen-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|----------------|:-----:|:--------:|-----------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Not configured | Blank | Blank | Users can choose to use Windows Defender SmartScreen. | | -| Disabled | 0 | 0 | Turned off. Do not protect users from potential threats and prevent users from turning it on. | | -| Enabled | 1 | 1 | Turned on. Protect users from potential threats and prevent users from turning it off. | ![Most restricted value](../images/check-gn.png) | - ---- - -To verify Windows Defender SmartScreen is turned off (disabled): -1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**. -2. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is disabled.

![Verify that Windows Defender SmartScreen is turned off (disabled)](../images/allow-smart-screen-validation.PNG) - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure Windows Defender SmartScreen -- **GP name:** AllowSmartScreen -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -- **Value name:** EnabledV9 -- **Value type:** REG_DWORD - -

+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Enabled (Turned on)* + +[!INCLUDE [configure-windows-defender-smartscreen-shortdesc](../shortdesc/configure-windows-defender-smartscreen-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|----------------|:-----:|:--------:|-----------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Not configured | Blank | Blank | Users can choose to use Windows Defender SmartScreen. | | +| Disabled | 0 | 0 | Turned off. Do not protect users from potential threats and prevent users from turning it on. | | +| Enabled | 1 | 1 | Turned on. Protect users from potential threats and prevent users from turning it off. | ![Most restricted value](../images/check-gn.png) | + +--- + +To verify Windows Defender SmartScreen is turned off (disabled): +1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**. +2. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is disabled.

![Verify that Windows Defender SmartScreen is turned off (disabled)](../images/allow-smart-screen-validation.PNG) + + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure Windows Defender SmartScreen +- **GP name:** AllowSmartScreen +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter +- **Value name:** EnabledV9 +- **Value type:** REG_DWORD + +

diff --git a/browsers/edge/includes/disable-lockdown-of-start-pages-include.md b/browsers/edge/includes/disable-lockdown-of-start-pages-include.md index c95b9faf73..d2ae261042 100644 --- a/browsers/edge/includes/disable-lockdown-of-start-pages-include.md +++ b/browsers/edge/includes/disable-lockdown-of-start-pages-include.md @@ -1,58 +1,58 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Enabled (Start pages are not editable)* - -[!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|----------------|:---:|:--------:|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Not configured | 0 | 0 | Locked. Start pages configured in either the Configure Open Microsoft Edge With policy and Configure Start Pages policy are not editable. | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Unlocked. Users can make changes to all configured start pages.

When you enable this policy and define a set of URLs in the Configure Start Pages policy, Microsoft Edge uses the URLs defined in the Configure Open Microsoft Edge With policy. | | - ---- - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Disable lockdown of Start pages -- **GP name:** DisableLockdownOfStartPages -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[DisableLockdownOfStartPages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-disablelockdownofstartpages) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/DisableLockdownOfStartPages -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings -- **Value name:** DisableLockdownOfStartPages -- **Value type:** REG_SZ - - - - - -### Related Policies -- [Configure Start pages](../available-policies.md#configure-start-pages): [!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)] - -- [Configure Open Microsoft Edge With](../available-policies.md#configure-open-microsoft-edge-with): [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] - -### Related topics - -[!INCLUDE [microsoft-browser-extension-policy-shortdesc](../shortdesc/microsoft-browser-extension-policy-shortdesc.md)] - -

+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Enabled (Start pages are not editable)* + +[!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|----------------|:---:|:--------:|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Not configured | 0 | 0 | Locked. Start pages configured in either the Configure Open Microsoft Edge With policy and Configure Start Pages policy are not editable. | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Unlocked. Users can make changes to all configured start pages.

When you enable this policy and define a set of URLs in the Configure Start Pages policy, Microsoft Edge uses the URLs defined in the Configure Open Microsoft Edge With policy. | | + +--- + + +### ADMX info and settings +#### ADMX info +- **GP English name:** Disable lockdown of Start pages +- **GP name:** DisableLockdownOfStartPages +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[DisableLockdownOfStartPages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-disablelockdownofstartpages) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/DisableLockdownOfStartPages +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings +- **Value name:** DisableLockdownOfStartPages +- **Value type:** REG_SZ + + + + + +### Related Policies +- [Configure Start pages](../available-policies.md#configure-start-pages): [!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)] + +- [Configure Open Microsoft Edge With](../available-policies.md#configure-open-microsoft-edge-with): [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] + +### Related topics + +[!INCLUDE [microsoft-browser-extension-policy-shortdesc](../shortdesc/microsoft-browser-extension-policy-shortdesc.md)] + +

diff --git a/browsers/edge/includes/do-not-sync-browser-settings-include.md b/browsers/edge/includes/do-not-sync-browser-settings-include.md index 97cbb929bd..c20bdd6781 100644 --- a/browsers/edge/includes/do-not-sync-browser-settings-include.md +++ b/browsers/edge/includes/do-not-sync-browser-settings-include.md @@ -1,55 +1,55 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Disabled or not configured (Allowed/turned on)* - -[!INCLUDE [do-not-sync-browser-settings-shortdesc](../shortdesc/do-not-sync-browser-settings-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | -|---------------------------------------------|:---:|:--------:|-------------------------------------------------------------------------------------------------------------------| -| Disabled or not configured
**(default)** | 0 | 0 | Allowed/turned on. The “browser” group syncs automatically between user’s devices and lets users to make changes. | -| Enabled | 2 | 2 | Prevented/turned off. The “browser” group does not use the *Sync your Settings* option. | - ---- - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Do not sync browser settings -- **GP name:** DisableWebBrowserSettingSync -- **GP path:** Windows Components/Sync your settings -- **GP ADMX file name:** SettingSync.admx - -#### MDM settings -- **MDM name:** [Experience/DoNotSyncBrowserSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/DoNotSyncBrowserSettings -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\Policies\Microsoft\Windows\SettingSync -- **Value name:** DisableWebBrowserSettingSyncUserOverride -- **Value - -### Related policies - -[Prevent users from turning on browser syncing](../available-policies.md#prevent-users-from-turning-on-browser-syncing): [!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] - - - -### Related topics - -[About sync setting on Microsoft Edge on Windows 10 devices](https://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices) -

-

+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled or not configured (Allowed/turned on)* + +[!INCLUDE [do-not-sync-browser-settings-shortdesc](../shortdesc/do-not-sync-browser-settings-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | +|---------------------------------------------|:---:|:--------:|-------------------------------------------------------------------------------------------------------------------| +| Disabled or not configured
**(default)** | 0 | 0 | Allowed/turned on. The “browser” group syncs automatically between user’s devices and lets users to make changes. | +| Enabled | 2 | 2 | Prevented/turned off. The “browser” group does not use the *Sync your Settings* option. | + +--- + + +### ADMX info and settings +#### ADMX info +- **GP English name:** Do not sync browser settings +- **GP name:** DisableWebBrowserSettingSync +- **GP path:** Windows Components/Sync your settings +- **GP ADMX file name:** SettingSync.admx + +#### MDM settings +- **MDM name:** [Experience/DoNotSyncBrowserSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/DoNotSyncBrowserSettings +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\Policies\Microsoft\Windows\SettingSync +- **Value name:** DisableWebBrowserSettingSyncUserOverride +- **Value + +### Related policies + +[Prevent users from turning on browser syncing](../available-policies.md#prevent-users-from-turning-on-browser-syncing): [!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] + + + +### Related topics + +[About sync setting on Microsoft Edge on Windows 10 devices](https://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices) +

+

diff --git a/browsers/edge/includes/do-not-sync-include.md b/browsers/edge/includes/do-not-sync-include.md index 0adc074785..e959162f90 100644 --- a/browsers/edge/includes/do-not-sync-include.md +++ b/browsers/edge/includes/do-not-sync-include.md @@ -1,48 +1,48 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Disabled or not configured (Allowed/turned on)* - -[!INCLUDE [do-not-sync-shortdesc](../shortdesc/do-not-sync-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Allowed/turned on. Users can choose what to sync to their device. | | -| Enabled | 2 | 2 | Prevented/turned off. Disables the *Sync your Settings* toggle and prevents syncing. | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Do not sync -- **GP name:** AllowSyncMySettings -- **GP path:** Windows Components/Sync your settings -- **GP ADMX file name:** SettingSync.admx - -#### MDM settings -- **MDM name:** Experience/[AllowSyncMySettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/AllowSyncMySettings -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\Windows\SettingSync -- **Value name:** DisableSettingSyn -- **Value type:** REG_DWORD - -### Related topics -[About sync setting on Microsoft Edge on Windows 10 devices](https://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices): Learn about what settings are synced. - - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled or not configured (Allowed/turned on)* + +[!INCLUDE [do-not-sync-shortdesc](../shortdesc/do-not-sync-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Allowed/turned on. Users can choose what to sync to their device. | | +| Enabled | 2 | 2 | Prevented/turned off. Disables the *Sync your Settings* toggle and prevents syncing. | ![Most restricted value](../images/check-gn.png) | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Do not sync +- **GP name:** AllowSyncMySettings +- **GP path:** Windows Components/Sync your settings +- **GP ADMX file name:** SettingSync.admx + +#### MDM settings +- **MDM name:** Experience/[AllowSyncMySettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/AllowSyncMySettings +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\Windows\SettingSync +- **Value name:** DisableSettingSyn +- **Value type:** REG_DWORD + +### Related topics +[About sync setting on Microsoft Edge on Windows 10 devices](https://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices): Learn about what settings are synced. + + +
diff --git a/browsers/edge/includes/enable-device-for-dev-shortdesc-include.md b/browsers/edge/includes/enable-device-for-dev-shortdesc-include.md index 724125788a..afb78c58e3 100644 --- a/browsers/edge/includes/enable-device-for-dev-shortdesc-include.md +++ b/browsers/edge/includes/enable-device-for-dev-shortdesc-include.md @@ -1,11 +1,11 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -[Enable your device for development](https://docs.microsoft.com/windows/uwp/get-started/enable-your-device-for-development): Developers can access special development features, along with other developer-focused settings, which makes it possible for them to develop, test, and debug apps. Learn how to configure your environment for development, the difference between Developer Mode and sideloading, and the security risks of Developer mode. +--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +[Enable your device for development](https://docs.microsoft.com/windows/uwp/get-started/enable-your-device-for-development): Developers can access special development features, along with other developer-focused settings, which makes it possible for them to develop, test, and debug apps. Learn how to configure your environment for development, the difference between Developer Mode and sideloading, and the security risks of Developer mode. diff --git a/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md b/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md index 539b1cd2fd..d64fe44479 100644 --- a/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md +++ b/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md @@ -1,21 +1,21 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - ->*Supported versions: Internet Explorer 11 on Windows 10, version 1607 or later*
->*Default setting: Disabled or not configured* - -By default, all sites open the currently active browser. With this policy, you can automatically open all sites not included in the Enterprise Mode Site List in Microsoft Edge. When you enable this policy, you must also turn on the Internet Explorer\Use the Enterprise Mode IE website list policy and include at least one site in the Enterprise Mode Site List. - ->[!NOTE] ->If you’ve also enabled the Microsoft Edge [Send all intranet sites to Internet Explorer 11](../available-policies.md#send-all-intranet-sites-to-internet-explorer-11) policy, all intranet sites continue to open in Internet Explorer 11. - -You can find the group policy settings in the following location of the Group Policy Editor: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Internet Explorer\\** +--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +>*Supported versions: Internet Explorer 11 on Windows 10, version 1607 or later*
+>*Default setting: Disabled or not configured* + +By default, all sites open the currently active browser. With this policy, you can automatically open all sites not included in the Enterprise Mode Site List in Microsoft Edge. When you enable this policy, you must also turn on the Internet Explorer\Use the Enterprise Mode IE website list policy and include at least one site in the Enterprise Mode Site List. + +>[!NOTE] +>If you’ve also enabled the Microsoft Edge [Send all intranet sites to Internet Explorer 11](../available-policies.md#send-all-intranet-sites-to-internet-explorer-11) policy, all intranet sites continue to open in Internet Explorer 11. + +You can find the group policy settings in the following location of the Group Policy Editor: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Internet Explorer\\** diff --git a/browsers/edge/includes/keep-fav-sync-ie-edge-include.md b/browsers/edge/includes/keep-fav-sync-ie-edge-include.md index a7ff412c85..eb790351a1 100644 --- a/browsers/edge/includes/keep-fav-sync-ie-edge-include.md +++ b/browsers/edge/includes/keep-fav-sync-ie-edge-include.md @@ -1,44 +1,44 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Disabled or not configured (Turned off/not syncing)* - -[!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Turned off/not syncing | | -| Enabled | 1 | 1 | Turned on/syncing | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -### ADMX info -- **GP English name:** Keep favorites in sync between Internet Explorer and Microsoft Edge -- **GP name:** SyncFavoritesBetweenIEAndMicrosoftEdge -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[SyncFavoritesBetweenIEAndMicrosoftEdge](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-syncfavoritesbetweenieandmicrosoftedge) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SyncFavoritesBetweenIEAndMicrosoftEdge -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -- **Value name:** SyncFavoritesBetweenIEAndMicrosoftEdge -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Disabled or not configured (Turned off/not syncing)* + +[!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Turned off/not syncing | | +| Enabled | 1 | 1 | Turned on/syncing | ![Most restricted value](../images/check-gn.png) | + +--- + +### ADMX info and settings +### ADMX info +- **GP English name:** Keep favorites in sync between Internet Explorer and Microsoft Edge +- **GP name:** SyncFavoritesBetweenIEAndMicrosoftEdge +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[SyncFavoritesBetweenIEAndMicrosoftEdge](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-syncfavoritesbetweenieandmicrosoftedge) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SyncFavoritesBetweenIEAndMicrosoftEdge +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main +- **Value name:** SyncFavoritesBetweenIEAndMicrosoftEdge +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/man-connections-win-comp-services-shortdesc-include.md b/browsers/edge/includes/man-connections-win-comp-services-shortdesc-include.md index 4b65a2458c..211b16465b 100644 --- a/browsers/edge/includes/man-connections-win-comp-services-shortdesc-include.md +++ b/browsers/edge/includes/man-connections-win-comp-services-shortdesc-include.md @@ -1,11 +1,11 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -[Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services): Learn about the network connections from Windows to Microsoft services. Also, learn about the privacy settings that affect the data shared with either Microsoft or apps and how to manage them in an enterprise. You can configure diagnostic data at the lowest level for your edition of Windows and evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment. +--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +[Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services): Learn about the network connections from Windows to Microsoft services. Also, learn about the privacy settings that affect the data shared with either Microsoft or apps and how to manage them in an enterprise. You can configure diagnostic data at the lowest level for your edition of Windows and evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment. diff --git a/browsers/edge/includes/prevent-access-about-flag-include.md b/browsers/edge/includes/prevent-access-about-flag-include.md index 31f94d4c49..144451edb0 100644 --- a/browsers/edge/includes/prevent-access-about-flag-include.md +++ b/browsers/edge/includes/prevent-access-about-flag-include.md @@ -1,44 +1,44 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1607 or later*
->*Default setting: Disabled or not configured (Allowed)* - -[!INCLUDE [prevent-access-to-about-flags-page-shortdesc](../shortdesc/prevent-access-to-about-flags-page-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Allowed | | -| Enabled | 1 | 1 | Prevented | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Prevent access to the about:flags page in Microsoft Edge -- **GP name:** PreventAccessToAboutFlagsInMicrosoftEdge -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[PreventAccessToAboutFlagsInMicrosoftEdge](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventaccesstoaboutflagsinmicrosoftedge) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventAccessToAboutFlagsInMicrosoftEdge -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -- **Value name:** PreventAccessToAboutFlagsInMicrosoftEdge -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1607 or later*
+>*Default setting: Disabled or not configured (Allowed)* + +[!INCLUDE [prevent-access-to-about-flags-page-shortdesc](../shortdesc/prevent-access-to-about-flags-page-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Allowed | | +| Enabled | 1 | 1 | Prevented | ![Most restricted value](../images/check-gn.png) | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Prevent access to the about:flags page in Microsoft Edge +- **GP name:** PreventAccessToAboutFlagsInMicrosoftEdge +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[PreventAccessToAboutFlagsInMicrosoftEdge](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventaccesstoaboutflagsinmicrosoftedge) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventAccessToAboutFlagsInMicrosoftEdge +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main +- **Value name:** PreventAccessToAboutFlagsInMicrosoftEdge +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md b/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md index 301dd68424..1c3c2ebf02 100644 --- a/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md +++ b/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md @@ -1,44 +1,44 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
->*Default setting: Disabled or not configured (Allowed/turned off)* - -[!INCLUDE [prevent-bypassing-windows-defender-prompts-for-files-shortdesc](../shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Allowed/turned off. Users can ignore the warning and continue to download the unverified file(s). | | -| Enabled | 1 | 1 | Prevented/turned on. | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Prevent bypassing Windows Defender SmartScreen prompts for files -- **GP name:** PreventSmartScreenPromptOverrideForFiles -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[PreventSmartScreenPromptOverrideForFiles](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverrideforfiles) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -- **Value name:** PreventOverrideAppRepUnknown -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+>*Default setting: Disabled or not configured (Allowed/turned off)* + +[!INCLUDE [prevent-bypassing-windows-defender-prompts-for-files-shortdesc](../shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Allowed/turned off. Users can ignore the warning and continue to download the unverified file(s). | | +| Enabled | 1 | 1 | Prevented/turned on. | ![Most restricted value](../images/check-gn.png) | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Prevent bypassing Windows Defender SmartScreen prompts for files +- **GP name:** PreventSmartScreenPromptOverrideForFiles +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[PreventSmartScreenPromptOverrideForFiles](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverrideforfiles) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter +- **Value name:** PreventOverrideAppRepUnknown +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md b/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md index 04339b930a..a6b5e9dde9 100644 --- a/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md +++ b/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md @@ -1,44 +1,44 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
->*Default setting: Disabled or not configured (Allowed/turned off)* - -[!INCLUDE [prevent-bypassing-windows-defender-prompts-for-sites-shortdesc](../shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|----------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Allowed/turned off. Users can ignore the warning and continue to the site. | | -| Enabled | 1 | 1 | Prevented/turned on. | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Prevent bypassing Windows Defender SmartScreen prompts for sites -- **GP name:** PreventSmartscreenPromptOverride -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[PreventSmartscreenPromptOverride](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverride) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -- **Value name:** PreventOverride -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+>*Default setting: Disabled or not configured (Allowed/turned off)* + +[!INCLUDE [prevent-bypassing-windows-defender-prompts-for-sites-shortdesc](../shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|----------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Allowed/turned off. Users can ignore the warning and continue to the site. | | +| Enabled | 1 | 1 | Prevented/turned on. | ![Most restricted value](../images/check-gn.png) | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Prevent bypassing Windows Defender SmartScreen prompts for sites +- **GP name:** PreventSmartscreenPromptOverride +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[PreventSmartscreenPromptOverride](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverride) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter +- **Value name:** PreventOverride +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/prevent-certificate-error-overrides-include.md b/browsers/edge/includes/prevent-certificate-error-overrides-include.md index a776bb08b6..ab20b1ca5b 100644 --- a/browsers/edge/includes/prevent-certificate-error-overrides-include.md +++ b/browsers/edge/includes/prevent-certificate-error-overrides-include.md @@ -1,43 +1,43 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Disabled or not configured (Allowed/turned off)* - -[!INCLUDE [prevent-certificate-error-overrides-shortdesc](../shortdesc/prevent-certificate-error-overrides-shortdesc.md)] - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Allowed/turned on. Override the security warning to sites that have SSL errors. | | -| Enabled | 1 | 1 | Prevented/turned on. | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Prevent certificate error overrides -- **GP name:** PreventCertErrorOverrides -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[PreventCertErrorOverrides](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventCertErrorOverrides -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Setting -- **Value name:** PreventCertErrorOverrides -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Disabled or not configured (Allowed/turned off)* + +[!INCLUDE [prevent-certificate-error-overrides-shortdesc](../shortdesc/prevent-certificate-error-overrides-shortdesc.md)] + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Allowed/turned on. Override the security warning to sites that have SSL errors. | | +| Enabled | 1 | 1 | Prevented/turned on. | ![Most restricted value](../images/check-gn.png) | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Prevent certificate error overrides +- **GP name:** PreventCertErrorOverrides +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[PreventCertErrorOverrides](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventCertErrorOverrides +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Setting +- **Value name:** PreventCertErrorOverrides +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/prevent-changes-to-favorites-include.md b/browsers/edge/includes/prevent-changes-to-favorites-include.md index de0f5e7ac7..0b6691b746 100644 --- a/browsers/edge/includes/prevent-changes-to-favorites-include.md +++ b/browsers/edge/includes/prevent-changes-to-favorites-include.md @@ -1,44 +1,44 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
->*Default setting: Disabled or not configured (Allowed/not locked down)* - -[!INCLUDE [prevent-changes-to-favorites-shortdesc](../shortdesc/prevent-changes-to-favorites-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Allowed/unlocked. Users can add, import, and make changes to the Favorites list. | | -| Enabled | 1 | 1 | Prevented/locked down. | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Prevent changes to Favorites on Microsoft Edge -- **GP name:** LockdownFavorites -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[LockdownFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/LockdownFavorites -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Favorites -- **Value name:** LockdownFavorites -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
+>*Default setting: Disabled or not configured (Allowed/not locked down)* + +[!INCLUDE [prevent-changes-to-favorites-shortdesc](../shortdesc/prevent-changes-to-favorites-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Allowed/unlocked. Users can add, import, and make changes to the Favorites list. | | +| Enabled | 1 | 1 | Prevented/locked down. | ![Most restricted value](../images/check-gn.png) | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Prevent changes to Favorites on Microsoft Edge +- **GP name:** LockdownFavorites +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[LockdownFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/LockdownFavorites +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Favorites +- **Value name:** LockdownFavorites +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/prevent-first-run-webpage-open-include.md b/browsers/edge/includes/prevent-first-run-webpage-open-include.md index 0e3e9fa8b1..be8eec24b9 100644 --- a/browsers/edge/includes/prevent-first-run-webpage-open-include.md +++ b/browsers/edge/includes/prevent-first-run-webpage-open-include.md @@ -1,44 +1,44 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Disabled or not configured (Allowed)* - -[!INCLUDE [prevent-first-run-webpage-from-opening-shortdesc](../shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|--------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Allowed. Load the First Run webpage. | | -| Enabled | 1 | 1 | Prevented. | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Prevent the First Run webpage from opening on Microsoft Edge -- **GP name:** PreventFirstRunPage -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[PreventFirstRunPage](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventfirstrunpage) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventFirstRunPage -- **Data type:** Integer - -#### Registry -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -- **Value name:** PreventFirstRunPage -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Disabled or not configured (Allowed)* + +[!INCLUDE [prevent-first-run-webpage-from-opening-shortdesc](../shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|--------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Allowed. Load the First Run webpage. | | +| Enabled | 1 | 1 | Prevented. | ![Most restricted value](../images/check-gn.png) | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Prevent the First Run webpage from opening on Microsoft Edge +- **GP name:** PreventFirstRunPage +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[PreventFirstRunPage](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventfirstrunpage) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventFirstRunPage +- **Data type:** Integer + +#### Registry +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main +- **Value name:** PreventFirstRunPage +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/prevent-live-tile-pinning-start-include.md b/browsers/edge/includes/prevent-live-tile-pinning-start-include.md index bfc0e23f6b..ea8f458f04 100644 --- a/browsers/edge/includes/prevent-live-tile-pinning-start-include.md +++ b/browsers/edge/includes/prevent-live-tile-pinning-start-include.md @@ -1,44 +1,44 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Disabled or not configured (Collect and send)* - -[!INCLUDE [prevent-edge-from-gathering-live-tile-info-shortdesc](../shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|--------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Collect and send Live Tile metadata. | | -| Enabled | 1 | 1 | Do not collect data. | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start -- **GP name:** PreventLiveTileDataCollection -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[PreventLiveTileDataCollection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventLiveTileDataCollection -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -- **Value name:** PreventLiveTileDataCollection -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Disabled or not configured (Collect and send)* + +[!INCLUDE [prevent-edge-from-gathering-live-tile-info-shortdesc](../shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|--------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Collect and send Live Tile metadata. | | +| Enabled | 1 | 1 | Do not collect data. | ![Most restricted value](../images/check-gn.png) | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start +- **GP name:** PreventLiveTileDataCollection +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[PreventLiveTileDataCollection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventLiveTileDataCollection +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main +- **Value name:** PreventLiveTileDataCollection +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md b/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md index 407dd4c596..0bc6ba7764 100644 --- a/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md +++ b/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md @@ -1,44 +1,44 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
->*Default setting: Disabled or not configured (Allowed/show localhost IP addresses)* - -[!INCLUDE [prevent-using-localhost-ip-address-for-webrtc-shortdesc](../shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|---------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Allowed. Show localhost IP addresses. | | -| Enabled | 1 | 1 | Prevented. | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Prevent using Localhost IP address for WebRTC -- **GP name:** HideLocalHostIPAddress -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[PreventUsingLocalHostIPAddressForWebRTC](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventusinglocalhostipaddressforwebrtc) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventUsingLocalHostIPAddressForWebRTC -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -- **Value name:** HideLocalHostIPAddress -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+>*Default setting: Disabled or not configured (Allowed/show localhost IP addresses)* + +[!INCLUDE [prevent-using-localhost-ip-address-for-webrtc-shortdesc](../shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|---------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Allowed. Show localhost IP addresses. | | +| Enabled | 1 | 1 | Prevented. | ![Most restricted value](../images/check-gn.png) | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Prevent using Localhost IP address for WebRTC +- **GP name:** HideLocalHostIPAddress +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[PreventUsingLocalHostIPAddressForWebRTC](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventusinglocalhostipaddressforwebrtc) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventUsingLocalHostIPAddressForWebRTC +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main +- **Value name:** HideLocalHostIPAddress +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/prevent-turning-off-required-extensions-include.md b/browsers/edge/includes/prevent-turning-off-required-extensions-include.md index 6257f4e2fb..e1a4a50a05 100644 --- a/browsers/edge/includes/prevent-turning-off-required-extensions-include.md +++ b/browsers/edge/includes/prevent-turning-off-required-extensions-include.md @@ -1,59 +1,59 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Disabled or not configured (Allowed)* - -[!INCLUDE [prevent-turning-off-required-extensions-shortdesc](../shortdesc/prevent-turning-off-required-extensions-shortdesc.md)] - -### Supported values - -| Group Policy | Description | -|---------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Disabled or not configured
**(default)** | Allowed. Users can uninstall extensions. If you previously enabled this policy and you decide to disable it, the list of extension PFNs defined in this policy get ignored. | -| Enabled | Provide a semi-colon delimited list of extension PFNs. For example, adding the following OneNote Web Clipper and Office extension prevents users from turning it off:

*Microsoft.OneNoteWebClipper8wekyb3d8bbwe;Microsoft.OfficeOnline8wekyb3d8bbwe*

After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune.

Removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the [Allow Developer Tools](../group-policies/developer-settings-gp.md#allow-developer-tools) policy, then this policy does not prevent users from debugging and altering the logic on an extension. | - ---- - - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Prevent turning off required extensions -- **GP name:** PreventTurningOffRequiredExtensions -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** [Experience/PreventTurningOffRequiredExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventTurningOffRequiredExtensions -- **Data type:** String - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Extensions -- **Value name:** PreventTurningOffRequiredExtensions -- **Value type:** REG_SZ - -### Related policies -[Allow Developer Tools](../available-policies.md#allow-developer-tools): [!INCLUDE [allow-developer-tools-shortdesc](../shortdesc/allow-developer-tools-shortdesc.md)] - - -### Related topics - -- [Find a package family name (PFN) for per-app VPN](https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn): There are two ways to find a PFN so that you can configure a per-app VPN. -- [How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/intune/windows-store-for-business): The Microsoft Store for Business gives you a place to find and purchase apps for your organization, individually, or in volume. By connecting the store to Microsoft Intune, you can manage volume-purchased apps from the Azure portal. -- [How to assign apps to groups with Microsoft Intune](https://docs.microsoft.com/intune/apps-deploy): Apps can be assigned to devices whether or not Intune manages them. -- [Manage apps from the Microsoft Store for Business with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business): Configuration Manager supports managing Microsoft Store for Business apps on both Windows 10 devices with the Configuration Manager client, and also Windows 10 devices enrolled with Microsoft Intune. -- [How to add Windows line-of-business (LOB) apps to Microsoft Intune](https://docs.microsoft.com/intune/lob-apps-windows): A line-of-business (LOB) app is one that you add from an app installation file. Typically, these types of apps are written in-house. - -

+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Disabled or not configured (Allowed)* + +[!INCLUDE [prevent-turning-off-required-extensions-shortdesc](../shortdesc/prevent-turning-off-required-extensions-shortdesc.md)] + +### Supported values + +| Group Policy | Description | +|---------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Disabled or not configured
**(default)** | Allowed. Users can uninstall extensions. If you previously enabled this policy and you decide to disable it, the list of extension PFNs defined in this policy get ignored. | +| Enabled | Provide a semi-colon delimited list of extension PFNs. For example, adding the following OneNote Web Clipper and Office extension prevents users from turning it off:

*Microsoft.OneNoteWebClipper8wekyb3d8bbwe;Microsoft.OfficeOnline8wekyb3d8bbwe*

After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune.

Removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the [Allow Developer Tools](../group-policies/developer-settings-gp.md#allow-developer-tools) policy, then this policy does not prevent users from debugging and altering the logic on an extension. | + +--- + + + +### ADMX info and settings +#### ADMX info +- **GP English name:** Prevent turning off required extensions +- **GP name:** PreventTurningOffRequiredExtensions +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** [Experience/PreventTurningOffRequiredExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventTurningOffRequiredExtensions +- **Data type:** String + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Extensions +- **Value name:** PreventTurningOffRequiredExtensions +- **Value type:** REG_SZ + +### Related policies +[Allow Developer Tools](../available-policies.md#allow-developer-tools): [!INCLUDE [allow-developer-tools-shortdesc](../shortdesc/allow-developer-tools-shortdesc.md)] + + +### Related topics + +- [Find a package family name (PFN) for per-app VPN](https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn): There are two ways to find a PFN so that you can configure a per-app VPN. +- [How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/intune/windows-store-for-business): The Microsoft Store for Business gives you a place to find and purchase apps for your organization, individually, or in volume. By connecting the store to Microsoft Intune, you can manage volume-purchased apps from the Azure portal. +- [How to assign apps to groups with Microsoft Intune](https://docs.microsoft.com/intune/apps-deploy): Apps can be assigned to devices whether or not Intune manages them. +- [Manage apps from the Microsoft Store for Business with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business): Configuration Manager supports managing Microsoft Store for Business apps on both Windows 10 devices with the Configuration Manager client, and also Windows 10 devices enrolled with Microsoft Intune. +- [How to add Windows line-of-business (LOB) apps to Microsoft Intune](https://docs.microsoft.com/intune/lob-apps-windows): A line-of-business (LOB) app is one that you add from an app installation file. Typically, these types of apps are written in-house. + +

diff --git a/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md b/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md index e7f4651365..d04f548fca 100644 --- a/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md +++ b/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md @@ -1,48 +1,48 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Enabled or not configured (Prevented/turned off)* - -[!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | -|--------------------------------------------|:---:|:--------:|---------------------------------------------------------| -| Disabled | 0 | 0 | Allowed/turned on. Users can sync the browser settings. | -| Enabled or not configured
**(default)** | 1 | 1 | Prevented/turned off. | - ---- - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Prevent users from turning on browser syncing -- **GP name:** PreventUsersFromTurningOnBrowserSyncing -- **GP path:** Windows Components/Sync your settings -- **GP ADMX file name:** SettingSync.admx - -#### MDM settings -- **MDM name:** Experience/[PreventUsersFromTurningOnBrowserSyncing](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-preventusersfromturningonbrowsersyncing) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/PreventUsersFromTurningOnBrowserSyncing -- **Data type:** String - - -### Related policies -[Do not sync browser settings](../available-policies.md#do-not-sync-browser-settings): [!INCLUDE [do-not-sync-browser-settings-shortdesc](../shortdesc/do-not-sync-browser-settings-shortdesc.md)]. - -### Related topics -[About sync setting on Microsoft Edge on Windows 10 devices](https://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices) - - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Enabled or not configured (Prevented/turned off)* + +[!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | +|--------------------------------------------|:---:|:--------:|---------------------------------------------------------| +| Disabled | 0 | 0 | Allowed/turned on. Users can sync the browser settings. | +| Enabled or not configured
**(default)** | 1 | 1 | Prevented/turned off. | + +--- + + +### ADMX info and settings +#### ADMX info +- **GP English name:** Prevent users from turning on browser syncing +- **GP name:** PreventUsersFromTurningOnBrowserSyncing +- **GP path:** Windows Components/Sync your settings +- **GP ADMX file name:** SettingSync.admx + +#### MDM settings +- **MDM name:** Experience/[PreventUsersFromTurningOnBrowserSyncing](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-preventusersfromturningonbrowsersyncing) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/PreventUsersFromTurningOnBrowserSyncing +- **Data type:** String + + +### Related policies +[Do not sync browser settings](../available-policies.md#do-not-sync-browser-settings): [!INCLUDE [do-not-sync-browser-settings-shortdesc](../shortdesc/do-not-sync-browser-settings-shortdesc.md)]. + +### Related topics +[About sync setting on Microsoft Edge on Windows 10 devices](https://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices) + + +
diff --git a/browsers/edge/includes/provision-favorites-include.md b/browsers/edge/includes/provision-favorites-include.md index 0df09c2d46..fdb0016715 100644 --- a/browsers/edge/includes/provision-favorites-include.md +++ b/browsers/edge/includes/provision-favorites-include.md @@ -1,52 +1,52 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
->*Default setting: Disabled or not configured (Customizable)* - -[!INCLUDE [provision-favorites-shortdesc](../shortdesc/provision-favorites-shortdesc.md)] - - ->[!IMPORTANT] ->Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers. - -### Supported values - -| Group Policy | Description | Most restricted | -|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | Users can customize the favorites list, such as adding folders, or adding and removing favorites. | | -| Enabled | Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.

To define a default list of favorites, do the following:

  1. In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.
  2. Click **Import from another browser**, click **Export to file** and save the file.
  3. In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as:
    • HTTP location: "SiteList"=
    • Local network: "SiteList"="\network\shares\URLs.html"
    • Local file: "SiteList"=file:///c:/Users/Documents/URLs.html
| ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Provision Favorites -- **GP name:** ConfiguredFavorites -- **GP element:** ConfiguredFavoritesPrompt -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[ProvisionFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ProvisionFavorites -- **Data type:** String - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Favorites -- **Value name:** ConfiguredFavorites -- **Value type:** REG_SZ - -### Related policies -[Keep favorites in sync between Internet Explorer and Microsoft Edge](../available-policies.md#keep-favorites-in-sync-between-internet-explorer-and-microsoft-edge): [!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)] - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+>*Default setting: Disabled or not configured (Customizable)* + +[!INCLUDE [provision-favorites-shortdesc](../shortdesc/provision-favorites-shortdesc.md)] + + +>[!IMPORTANT] +>Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers. + +### Supported values + +| Group Policy | Description | Most restricted | +|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | Users can customize the favorites list, such as adding folders, or adding and removing favorites. | | +| Enabled | Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.

To define a default list of favorites, do the following:

  1. In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.
  2. Click **Import from another browser**, click **Export to file** and save the file.
  3. In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as:
    • HTTP location: "SiteList"=
    • Local network: "SiteList"="\network\shares\URLs.html"
    • Local file: "SiteList"=file:///c:/Users/Documents/URLs.html
| ![Most restricted value](../images/check-gn.png) | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Provision Favorites +- **GP name:** ConfiguredFavorites +- **GP element:** ConfiguredFavoritesPrompt +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[ProvisionFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ProvisionFavorites +- **Data type:** String + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Favorites +- **Value name:** ConfiguredFavorites +- **Value type:** REG_SZ + +### Related policies +[Keep favorites in sync between Internet Explorer and Microsoft Edge](../available-policies.md#keep-favorites-in-sync-between-internet-explorer-and-microsoft-edge): [!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)] + +
diff --git a/browsers/edge/includes/search-provider-discovery-shortdesc-include.md b/browsers/edge/includes/search-provider-discovery-shortdesc-include.md index a09dedbcc5..ef83bc4778 100644 --- a/browsers/edge/includes/search-provider-discovery-shortdesc-include.md +++ b/browsers/edge/includes/search-provider-discovery-shortdesc-include.md @@ -1,11 +1,11 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -[Search provider discovery](https://docs.microsoft.com/microsoft-edge/dev-guide/browser/search-provider-discovery): Microsoft Edge follows the OpenSearch 1.1 specification to discover and use web search providers. When a user browses to a search service, the OpenSearch description is picked up and saved for later use. Users can then choose to add the search service to use in the Microsoft Edge address bar. +--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +[Search provider discovery](https://docs.microsoft.com/microsoft-edge/dev-guide/browser/search-provider-discovery): Microsoft Edge follows the OpenSearch 1.1 specification to discover and use web search providers. When a user browses to a search service, the OpenSearch description is picked up and saved for later use. Users can then choose to add the search service to use in the Microsoft Edge address bar. diff --git a/browsers/edge/includes/send-all-intranet-sites-ie-include.md b/browsers/edge/includes/send-all-intranet-sites-ie-include.md index af93dd7bba..2d8195f03e 100644 --- a/browsers/edge/includes/send-all-intranet-sites-ie-include.md +++ b/browsers/edge/includes/send-all-intranet-sites-ie-include.md @@ -1,62 +1,62 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Disabled or not configured* - -[!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../shortdesc/send-all-intranet-sites-to-ie-shortdesc.md)] - ->[!TIP] ->Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have websites or web apps that still use this technology and needs IE11 to run, you can add them to the Enterprise Mode site list, using Enterprise Mode Site List Manager. - - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | All sites, including intranet sites, open in Microsoft Edge automatically. | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Only intranet sites open in Internet Explorer 11 automatically.

Enabling this policy opens all intranet sites in IE11 automatically, even if the users have Microsoft Edge as their default browser.

  1. In Group Policy Editor, navigate to:

    **Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file**

  2. Click **Enable** and then refresh the policy to view the affected sites in Microsoft Edge.

    A message opens stating that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.

| | - ---- - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Send all intranet sites to Internet Explorer 11 -- **GP name:** SendIntranetTraffictoInternetExplorer -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main -- **Value name:** SendIntranetTraffictoInternetExplorer -- **Value type:** REG_DWORD - -### Related Policies -- [Configure the Enterprise Mode Site List](../available-policies.md#configure-the-enterprise-mode-site-list): [!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../shortdesc/configure-enterprise-mode-site-list-shortdesc.md)] - -- [Show message when opening sites in Internet Explorer](../available-policies.md#show-message-when-opening-sites-in-internet-explorer): [!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)] - - -### Related topics -- [Blog: How Microsoft Edge and Internet Explorer 11 on Windows 10 work better together in the Enterprise](https://go.microsoft.com/fwlink/p/?LinkID=624035). Many customers depend on legacy features only available in older versions of Internet Explorer and are familiar with our Enterprise Mode tools for IE11. The Enterprise Mode has been extended to support to Microsoft Edge by opening any site specified on the Enterprise Mode Site List in IE11. IT Pros can use their existing IE11 Enterprise Mode Site List, or they can create a new one specifically for Microsoft Edge. By keeping Microsoft Edge as the default browser in Windows 10 and only opening legacy line of business sites in IE11 when necessary, you can help keep newer development projects on track, using the latest web standards on Microsoft Edge. - -- [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377). Learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company. - -- [Use the Enterprise Mode Site List Manager](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager). You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode. - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled or not configured* + +[!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../shortdesc/send-all-intranet-sites-to-ie-shortdesc.md)] + +>[!TIP] +>Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have websites or web apps that still use this technology and needs IE11 to run, you can add them to the Enterprise Mode site list, using Enterprise Mode Site List Manager. + + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | All sites, including intranet sites, open in Microsoft Edge automatically. | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Only intranet sites open in Internet Explorer 11 automatically.

Enabling this policy opens all intranet sites in IE11 automatically, even if the users have Microsoft Edge as their default browser.

  1. In Group Policy Editor, navigate to:

    **Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file**

  2. Click **Enable** and then refresh the policy to view the affected sites in Microsoft Edge.

    A message opens stating that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.

| | + +--- + + +### ADMX info and settings +#### ADMX info +- **GP English name:** Send all intranet sites to Internet Explorer 11 +- **GP name:** SendIntranetTraffictoInternetExplorer +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main +- **Value name:** SendIntranetTraffictoInternetExplorer +- **Value type:** REG_DWORD + +### Related Policies +- [Configure the Enterprise Mode Site List](../available-policies.md#configure-the-enterprise-mode-site-list): [!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../shortdesc/configure-enterprise-mode-site-list-shortdesc.md)] + +- [Show message when opening sites in Internet Explorer](../available-policies.md#show-message-when-opening-sites-in-internet-explorer): [!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)] + + +### Related topics +- [Blog: How Microsoft Edge and Internet Explorer 11 on Windows 10 work better together in the Enterprise](https://go.microsoft.com/fwlink/p/?LinkID=624035). Many customers depend on legacy features only available in older versions of Internet Explorer and are familiar with our Enterprise Mode tools for IE11. The Enterprise Mode has been extended to support to Microsoft Edge by opening any site specified on the Enterprise Mode Site List in IE11. IT Pros can use their existing IE11 Enterprise Mode Site List, or they can create a new one specifically for Microsoft Edge. By keeping Microsoft Edge as the default browser in Windows 10 and only opening legacy line of business sites in IE11 when necessary, you can help keep newer development projects on track, using the latest web standards on Microsoft Edge. + +- [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377). Learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company. + +- [Use the Enterprise Mode Site List Manager](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager). You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode. + +
diff --git a/browsers/edge/includes/set-default-search-engine-include.md b/browsers/edge/includes/set-default-search-engine-include.md index f42c5e8873..104cb3ebdd 100644 --- a/browsers/edge/includes/set-default-search-engine-include.md +++ b/browsers/edge/includes/set-default-search-engine-include.md @@ -1,60 +1,60 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Not configured (Defined in App settings)* - -[!INCLUDE [set-default-search-engine-shortdesc](../shortdesc/set-default-search-engine-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------|:-----:|:--------:|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Not configured
**(default)** | Blank | Blank | Use the search engine specified in App settings. If you don't configure this policy and disable the [Allow search engine customization](../group-policies/search-engine-customization-gp.md#allow-search-engine-customization) policy, users cannot make changes. | | -| Disabled | 0 | 0 | Remove or don't use the policy-set search engine and use the search engine for the market, letting users make changes. | | -| Enabled | 1 | 1 | Use the policy-set search engine specified in the OpenSearch XML file, preventing users from making changes.

Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.

If you want your users to use the default Microsoft Edge settings for each market, then set the string to **EDGEDEFAULT**.

If you would like your users to use Microsoft Bing as the default search engine, then set the string to **EDGEBING**. | ![Most restricted value](../images/check-gn.png) | - ---- - - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Set default search engine -- **GP name:** SetDefaultSearchEngine -- **GP element:** SetDefaultSearchEngine_Prompt -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** [SetDefaultSearchEngine](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setdefaultsearchengine) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetDefaultSearchEngine -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\OpenSearch -- **Value name:** SetDefaultSearchEngine -- **Value type:** REG_SZ - -### Related policies - -- [Configure additional search engines](../available-policies.md#configure-additional-search-engines): [!INCLUDE [configure-additional-search-engines-shortdesc](../shortdesc/configure-additional-search-engines-shortdesc.md)] - -- [Allow search engine customization](../available-policies.md#allow-search-engine-customization): [!INCLUDE [allow-search-engine-customization-shortdesc](../shortdesc/allow-search-engine-customization-shortdesc.md)] - -### Related topics - -- [!INCLUDE [microsoft-browser-extension-policy-shortdesc](../shortdesc/microsoft-browser-extension-policy-shortdesc.md)] - -- [Search provider discovery](https://docs.microsoft.com/microsoft-edge/dev-guide/browser/search-provider-discovery): The Microsoft Edge address bar uses rich search integration, including search suggestions, results from the web, your browsing history, and favorites. - -

+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Not configured (Defined in App settings)* + +[!INCLUDE [set-default-search-engine-shortdesc](../shortdesc/set-default-search-engine-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------|:-----:|:--------:|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Not configured
**(default)** | Blank | Blank | Use the search engine specified in App settings. If you don't configure this policy and disable the [Allow search engine customization](../group-policies/search-engine-customization-gp.md#allow-search-engine-customization) policy, users cannot make changes. | | +| Disabled | 0 | 0 | Remove or don't use the policy-set search engine and use the search engine for the market, letting users make changes. | | +| Enabled | 1 | 1 | Use the policy-set search engine specified in the OpenSearch XML file, preventing users from making changes.

Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.

If you want your users to use the default Microsoft Edge settings for each market, then set the string to **EDGEDEFAULT**.

If you would like your users to use Microsoft Bing as the default search engine, then set the string to **EDGEBING**. | ![Most restricted value](../images/check-gn.png) | + +--- + + + +### ADMX info and settings +#### ADMX info +- **GP English name:** Set default search engine +- **GP name:** SetDefaultSearchEngine +- **GP element:** SetDefaultSearchEngine_Prompt +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** [SetDefaultSearchEngine](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setdefaultsearchengine) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetDefaultSearchEngine +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\OpenSearch +- **Value name:** SetDefaultSearchEngine +- **Value type:** REG_SZ + +### Related policies + +- [Configure additional search engines](../available-policies.md#configure-additional-search-engines): [!INCLUDE [configure-additional-search-engines-shortdesc](../shortdesc/configure-additional-search-engines-shortdesc.md)] + +- [Allow search engine customization](../available-policies.md#allow-search-engine-customization): [!INCLUDE [allow-search-engine-customization-shortdesc](../shortdesc/allow-search-engine-customization-shortdesc.md)] + +### Related topics + +- [!INCLUDE [microsoft-browser-extension-policy-shortdesc](../shortdesc/microsoft-browser-extension-policy-shortdesc.md)] + +- [Search provider discovery](https://docs.microsoft.com/microsoft-edge/dev-guide/browser/search-provider-discovery): The Microsoft Edge address bar uses rich search integration, including search suggestions, results from the web, your browsing history, and favorites. + +

diff --git a/browsers/edge/includes/set-home-button-url-include.md b/browsers/edge/includes/set-home-button-url-include.md index 5d3549e402..3cf0692dbb 100644 --- a/browsers/edge/includes/set-home-button-url-include.md +++ b/browsers/edge/includes/set-home-button-url-include.md @@ -1,52 +1,52 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Disabled or not configured (Blank)* - -[!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | -|---------------------------------------------|:------:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Disabled or not configured
**(default)** | Blank | Blank | Show the home button, load the Start pages, and lock down the home button to prevent users from changing what page loads. | -| Enabled - String | String | String | Enter a URL in string format, for example, https://www.msn.com.

For this policy to work, you must also enable the [Configure Home Button](../available-policies.md#configure-home-button) policy and select the *Show home button & set a specific page* option. | - ---- - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Set Home Button URL -- **GP name:** SetHomeButtonURL -- **GP element:** SetHomeButtonURLPrompt -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL -- **Data type:** String - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings -- **Value name:** ConfigureHomeButtonURL -- **Value type:** REG_SZ - -### Related policies - -- [Configure Home Button](../available-policies.md#configure-home-button): [!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] - -- [Unlock Home Button](../available-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)] - -

+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Disabled or not configured (Blank)* + +[!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | +|---------------------------------------------|:------:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Disabled or not configured
**(default)** | Blank | Blank | Show the home button, load the Start pages, and lock down the home button to prevent users from changing what page loads. | +| Enabled - String | String | String | Enter a URL in string format, for example, https://www.msn.com.

For this policy to work, you must also enable the [Configure Home Button](../available-policies.md#configure-home-button) policy and select the *Show home button & set a specific page* option. | + +--- + + +### ADMX info and settings +#### ADMX info +- **GP English name:** Set Home Button URL +- **GP name:** SetHomeButtonURL +- **GP element:** SetHomeButtonURLPrompt +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL +- **Data type:** String + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings +- **Value name:** ConfigureHomeButtonURL +- **Value type:** REG_SZ + +### Related policies + +- [Configure Home Button](../available-policies.md#configure-home-button): [!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] + +- [Unlock Home Button](../available-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)] + +

diff --git a/browsers/edge/includes/set-new-tab-url-include.md b/browsers/edge/includes/set-new-tab-url-include.md index b8521a3c98..58536ae480 100644 --- a/browsers/edge/includes/set-new-tab-url-include.md +++ b/browsers/edge/includes/set-new-tab-url-include.md @@ -1,51 +1,51 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Disabled or not configured (Blank)* - -[!INCLUDE [set-new-tab-url-shortdesc](../shortdesc/set-new-tab-url-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | -|---------------------------------------------|:------:|:--------:|----------------------------------------------------------------------------------------------------------------------------------| -| Disabled or not configured
**(default)** | Blank | Blank | Load the default New Tab page. | -| Enabled - String | String | String | Enter a URL in string format, for example, https://www.msn.com.

Enabling this policy prevents users from making changes.

| - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Set New Tab page URL -- **GP name:** SetNewTabPageURL -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL -- **Data type:** String - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings -- **Value name:** NewTabPageUR -- **Value type:** REG_SZ - - -### Related policies - -[Allow web content on New Tab page](../available-policies.md#allow-web-content-on-new-tab-page): [!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../shortdesc/allow-web-content-on-new-tab-page-shortdesc.md)] - - - -

+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Disabled or not configured (Blank)* + +[!INCLUDE [set-new-tab-url-shortdesc](../shortdesc/set-new-tab-url-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | +|---------------------------------------------|:------:|:--------:|----------------------------------------------------------------------------------------------------------------------------------| +| Disabled or not configured
**(default)** | Blank | Blank | Load the default New Tab page. | +| Enabled - String | String | String | Enter a URL in string format, for example, https://www.msn.com.

Enabling this policy prevents users from making changes.

| + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Set New Tab page URL +- **GP name:** SetNewTabPageURL +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL +- **Data type:** String + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings +- **Value name:** NewTabPageUR +- **Value type:** REG_SZ + + +### Related policies + +[Allow web content on New Tab page](../available-policies.md#allow-web-content-on-new-tab-page): [!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../shortdesc/allow-web-content-on-new-tab-page-shortdesc.md)] + + + +

diff --git a/browsers/edge/includes/show-message-opening-sites-ie-include.md b/browsers/edge/includes/show-message-opening-sites-ie-include.md index 418034e68a..024279e776 100644 --- a/browsers/edge/includes/show-message-opening-sites-ie-include.md +++ b/browsers/edge/includes/show-message-opening-sites-ie-include.md @@ -1,55 +1,55 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1607 and later*
->*Default setting: Disabled or not configured (No additional message)* - - -[!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)] - - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | No additional message displays. | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Show an additional message stating that a site has opened in IE11. | | -| Enabled | 2 | 2 | Show an additional message with a *Keep going in Microsoft Edge* link to allow users to open the site in Microsoft Edge. | | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Show message when opening sites in Internet Explorer -- **GP name:** ShowMessageWhenOpeningSitesInInternetExplorer -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[ShowMessageWhenOpeningSitesInInternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ShowMessageWhenOpeningSitesInInternetExplorer -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main -- **Value name:** ShowMessageWhenOpeningSitesInInternetExplorer -- **Value type:** REG_DWORD - -### Related policies - -- [Configure the Enterprise Mode Site List](../available-policies.md#configure-the-enterprise-mode-site-list): [!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../shortdesc/configure-enterprise-mode-site-list-shortdesc.md)] - -- [Send all intranet sites to Internet Explorer 11](../available-policies.md#send-all-intranet-sites-to-internet-explorer-11): [!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../shortdesc/send-all-intranet-sites-to-ie-shortdesc.md)] - - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + + +>*Supported versions: Microsoft Edge on Windows 10, version 1607 and later*
+>*Default setting: Disabled or not configured (No additional message)* + + +[!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)] + + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | No additional message displays. | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Show an additional message stating that a site has opened in IE11. | | +| Enabled | 2 | 2 | Show an additional message with a *Keep going in Microsoft Edge* link to allow users to open the site in Microsoft Edge. | | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Show message when opening sites in Internet Explorer +- **GP name:** ShowMessageWhenOpeningSitesInInternetExplorer +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[ShowMessageWhenOpeningSitesInInternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ShowMessageWhenOpeningSitesInInternetExplorer +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main +- **Value name:** ShowMessageWhenOpeningSitesInInternetExplorer +- **Value type:** REG_DWORD + +### Related policies + +- [Configure the Enterprise Mode Site List](../available-policies.md#configure-the-enterprise-mode-site-list): [!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../shortdesc/configure-enterprise-mode-site-list-shortdesc.md)] + +- [Send all intranet sites to Internet Explorer 11](../available-policies.md#send-all-intranet-sites-to-internet-explorer-11): [!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../shortdesc/send-all-intranet-sites-to-ie-shortdesc.md)] + + +
diff --git a/browsers/edge/includes/unlock-home-button-include.md b/browsers/edge/includes/unlock-home-button-include.md index 022ba40f20..c7dae69002 100644 --- a/browsers/edge/includes/unlock-home-button-include.md +++ b/browsers/edge/includes/unlock-home-button-include.md @@ -1,51 +1,51 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Disabled or not configured (Home button is locked)* - -[!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | -|---------------------------------------------|:---:|:--------:|-----------------------------------------------| -| Disabled or not configured
**(default)** | 0 | 0 | Locked, preventing users from making changes. | -| Enabled | 1 | 1 | Unlocked, letting users make changes. | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Unlock Home Button -- **GP name:** UnlockHomeButton -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[UnlockHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/UnlockHomeButton -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings -- **Value name:** UnlockHomeButton -- **Value type:** REG_DWORD - -### Related policies - -- [Configure Home Button](../available-policies.md#configure-home-button): [!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] - -- [Set Home Button URL](../available-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] - - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Disabled or not configured (Home button is locked)* + +[!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | +|---------------------------------------------|:---:|:--------:|-----------------------------------------------| +| Disabled or not configured
**(default)** | 0 | 0 | Locked, preventing users from making changes. | +| Enabled | 1 | 1 | Unlocked, letting users make changes. | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Unlock Home Button +- **GP name:** UnlockHomeButton +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[UnlockHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/UnlockHomeButton +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings +- **Value name:** UnlockHomeButton +- **Value type:** REG_DWORD + +### Related policies + +- [Configure Home Button](../available-policies.md#configure-home-button): [!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] + +- [Set Home Button URL](../available-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] + + +
diff --git a/browsers/edge/managing-group-policy-admx-files.md b/browsers/edge/managing-group-policy-admx-files.md index ff853cd179..f749992d29 100644 --- a/browsers/edge/managing-group-policy-admx-files.md +++ b/browsers/edge/managing-group-policy-admx-files.md @@ -1,26 +1,26 @@ ---- -title: Managing group policy ADMX files -description: Learn how to centrally administer and incorporate ADMX files when editing the administrative template policy settings inside a local or domain-based Group Policy object. -ms.assetid: -ms.reviewer: -manager: dansimp -author: eavena -ms.author: eravena -ms.prod: edge -ms.sitesec: library -ms.localizationpriority: medium -ms.date: 10/19/2018 ---- - -# Managing group policy ADMX files - ->Applies to: Microsoft Edge on Windows 10 - -ADMX files, which are registry-based policy settings provide an XML-based structure for defining the display of the Administrative Template policy settings in the Group Policy Object Editor. The ADMX files replace ADM files, which used a different markup language. - ->[!NOTE] ->The administrative tools you use—Group Policy Object Editor and Group Policy Management Console—remain mostly unchanged. In the majority of situations, you won’t notice the presence of ADMX files during your day-to-day Group Policy administration tasks. - -Unlike ADM files, ADMX files are not stored in individual GPOs by default; however, this behavior supports less common scenarios. For domain-based enterprises, you can create a central store location of ADMX files accessible by anyone with permission to create or edit GPOs. Group Policy tools continue to recognize other earlier ADM files you have in your existing environment. The Group Policy Object Editor automatically reads and displays Administrative Template policy settings from both the ADMX and ADM files. - -Some situations require a better understanding of how ADMX files are structured and the location of the files. In this article, we show you how ADMX files are incorporated when editing Administrative Template policy settings in a local or domain-based Group Policy object (GPO). +--- +title: Managing group policy ADMX files +description: Learn how to centrally administer and incorporate ADMX files when editing the administrative template policy settings inside a local or domain-based Group Policy object. +ms.assetid: +ms.reviewer: +audience: itpro manager: dansimp +author: eavena +ms.author: eravena +ms.prod: edge +ms.sitesec: library +ms.localizationpriority: medium +ms.date: 10/19/2018 +--- + +# Managing group policy ADMX files + +>Applies to: Microsoft Edge on Windows 10 + +ADMX files, which are registry-based policy settings provide an XML-based structure for defining the display of the Administrative Template policy settings in the Group Policy Object Editor. The ADMX files replace ADM files, which used a different markup language. + +>[!NOTE] +>The administrative tools you use—Group Policy Object Editor and Group Policy Management Console—remain mostly unchanged. In the majority of situations, you won’t notice the presence of ADMX files during your day-to-day Group Policy administration tasks. + +Unlike ADM files, ADMX files are not stored in individual GPOs by default; however, this behavior supports less common scenarios. For domain-based enterprises, you can create a central store location of ADMX files accessible by anyone with permission to create or edit GPOs. Group Policy tools continue to recognize other earlier ADM files you have in your existing environment. The Group Policy Object Editor automatically reads and displays Administrative Template policy settings from both the ADMX and ADM files. + +Some situations require a better understanding of how ADMX files are structured and the location of the files. In this article, we show you how ADMX files are incorporated when editing Administrative Template policy settings in a local or domain-based Group Policy object (GPO). diff --git a/browsers/edge/microsoft-edge-faq.md b/browsers/edge/microsoft-edge-faq.md index ac6e0b7224..e73d7bb1a6 100644 --- a/browsers/edge/microsoft-edge-faq.md +++ b/browsers/edge/microsoft-edge-faq.md @@ -1,54 +1,54 @@ ---- -title: Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros -ms.reviewer: -manager: dansimp -description: Answers to frequently asked questions about Microsoft Edge features, integration, support, and potential problems. -author: msdmaguire -ms.author: dmaguire -ms.prod: edge -ms.topic: article -ms.mktglfcycl: general -ms.sitesec: library -ms.localizationpriority: medium ---- - -# Frequently Asked Questions (FAQs) for IT Pros - ->Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile - -## How can I get the next major version of Microsoft Edge, based on Chromium? -In December 2018, Microsoft [announced](https://blogs.windows.com/windowsexperience/2018/12/06/microsoft-edge-making-the-web-better-through-more-open-source-collaboration/#8jv53blDvL6TIKuS.97) our intention to adopt the Chromium open source project in the development of Microsoft Edge on the desktop, to create better web compatibility for our customers and less fragmentation of the web for all web developers. You can get more information at the [Microsoft Edge Insiders site](https://www.microsoftedgeinsider.com/). - -## What’s the difference between Microsoft Edge and Internet Explorer 11? How do I know which one to use? -Microsoft Edge is the default browser for all Windows 10 devices. It’s built to be highly compatible with the modern web. For some enterprise web apps and a small set of sites that were built to work with older technologies like ActiveX, [you can use Enterprise Mode](emie-to-improve-compatibility.md) to automatically send users to Internet Explorer 11. - -For more information on how Internet Explorer and Microsoft Edge work together to support your legacy web apps, while still defaulting to the higher security and modern experiences enabled by Microsoft Edge, see [Legacy apps in the enterprise](https://blogs.windows.com/msedgedev/2017/04/07/legacy-web-apps-enterprise/#RAbtRvJSYFaKu2BI.97). - -## Does Microsoft Edge work with Enterprise Mode? -[Enterprise Mode](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11) helps you run many legacy web applications with better backward compatibility. You can configure both Microsoft Edge and Internet Explorer to use the same Enterprise Mode Site List, switching seamlessly between browsers to support both modern and legacy web apps. - -## How do I customize Microsoft Edge and related settings for my organization? -You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/group-policies/) for a list of policies currently available for Microsoft Edge and configuration information. Note that the preview release of Chromium-based Microsoft Edge might not include management policies or other enterprise functionality; our focus during the preview is modern browser fundamentals. - -## Is Adobe Flash supported in Microsoft Edge? -Adobe Flash is currently supported as a built-in feature of Microsoft Edge on PCs running Windows 10. In July 2017, Adobe announced that Flash support will end after 2020. With this change to Adobe support, we’ve started to phase Flash out of Microsoft Edge by adding the [Configure the Adobe Flash Click-to-Run setting group policy](https://docs.microsoft.com/microsoft-edge/deploy/available-policies#configure-the-adobe-flash-click-to-run-setting) - this lets you control which websites can run Adobe Flash content. - -To learn more about Microsoft’s plan for phasing Flash out of Microsoft Edge and Internet Explorer, see [The End of an Era — Next Steps for Adobe Flash](https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#3Bcc3QjRw0l7XsZ4.97) (blog article). - -## Does Microsoft Edge support ActiveX controls or BHOs like Silverlight or Java? -No. Microsoft Edge doesn’t support ActiveX controls and BHOs like Silverlight or Java. If you’re running web apps that use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and standards support. - -## How often will Microsoft Edge be updated? -In Windows 10, we’re delivering Windows as a service, updated on a cadence driven by quality and the availability of new features. Microsoft Edge security updates are released every two to four weeks, while bigger feature updates are included in the Windows 10 releases on a semi-annual cadence. - -## How can I provide feedback on Microsoft Edge? -Microsoft Edge is an evergreen browser - we’ll continue to evolve both the web platform and the user interface with regular updates. To send feedback on user experience, or on broken or malicious sites, use the **Send Feedback** option under the ellipses icon (**...**) in the Microsoft Edge toolbar. - -## Will Internet Explorer 11 continue to receive updates? -We’re committed to keeping Internet Explorer a supported, reliable, and safe browser. Internet Explorer is still a component of Windows and follows the support lifecycle of the OS on which it’s installed. For details, see [Lifecycle FAQ - Internet Explorer](https://support.microsoft.com/help/17454/). While we continue to support and update Internet Explorer, the latest features and platform updates will only be available in Microsoft Edge. - -## How do I find out what version of Microsoft Edge I have? -In the upper right corner of Microsoft Edge, click the ellipses icon (**...**), and then click **Settings**. Look in the **About Microsoft Edge** section to find your version. - -## What is Microsoft EdgeHTML? -Microsoft EdgeHTML is the web rendering engine that powers the current Microsoft Edge web browser and Windows 10 web app platform. (As opposed to *Microsoft Edge, based on Chromium*.) +--- +title: Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros +ms.reviewer: +audience: itpro manager: dansimp +description: Answers to frequently asked questions about Microsoft Edge features, integration, support, and potential problems. +author: msdmaguire +ms.author: dmaguire +ms.prod: edge +ms.topic: article +ms.mktglfcycl: general +ms.sitesec: library +ms.localizationpriority: medium +--- + +# Frequently Asked Questions (FAQs) for IT Pros + +>Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile + +## How can I get the next major version of Microsoft Edge, based on Chromium? +In December 2018, Microsoft [announced](https://blogs.windows.com/windowsexperience/2018/12/06/microsoft-edge-making-the-web-better-through-more-open-source-collaboration/#8jv53blDvL6TIKuS.97) our intention to adopt the Chromium open source project in the development of Microsoft Edge on the desktop, to create better web compatibility for our customers and less fragmentation of the web for all web developers. You can get more information at the [Microsoft Edge Insiders site](https://www.microsoftedgeinsider.com/). + +## What’s the difference between Microsoft Edge and Internet Explorer 11? How do I know which one to use? +Microsoft Edge is the default browser for all Windows 10 devices. It’s built to be highly compatible with the modern web. For some enterprise web apps and a small set of sites that were built to work with older technologies like ActiveX, [you can use Enterprise Mode](emie-to-improve-compatibility.md) to automatically send users to Internet Explorer 11. + +For more information on how Internet Explorer and Microsoft Edge work together to support your legacy web apps, while still defaulting to the higher security and modern experiences enabled by Microsoft Edge, see [Legacy apps in the enterprise](https://blogs.windows.com/msedgedev/2017/04/07/legacy-web-apps-enterprise/#RAbtRvJSYFaKu2BI.97). + +## Does Microsoft Edge work with Enterprise Mode? +[Enterprise Mode](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11) helps you run many legacy web applications with better backward compatibility. You can configure both Microsoft Edge and Internet Explorer to use the same Enterprise Mode Site List, switching seamlessly between browsers to support both modern and legacy web apps. + +## How do I customize Microsoft Edge and related settings for my organization? +You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/group-policies/) for a list of policies currently available for Microsoft Edge and configuration information. Note that the preview release of Chromium-based Microsoft Edge might not include management policies or other enterprise functionality; our focus during the preview is modern browser fundamentals. + +## Is Adobe Flash supported in Microsoft Edge? +Adobe Flash is currently supported as a built-in feature of Microsoft Edge on PCs running Windows 10. In July 2017, Adobe announced that Flash support will end after 2020. With this change to Adobe support, we’ve started to phase Flash out of Microsoft Edge by adding the [Configure the Adobe Flash Click-to-Run setting group policy](https://docs.microsoft.com/microsoft-edge/deploy/available-policies#configure-the-adobe-flash-click-to-run-setting) - this lets you control which websites can run Adobe Flash content. + +To learn more about Microsoft’s plan for phasing Flash out of Microsoft Edge and Internet Explorer, see [The End of an Era — Next Steps for Adobe Flash](https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#3Bcc3QjRw0l7XsZ4.97) (blog article). + +## Does Microsoft Edge support ActiveX controls or BHOs like Silverlight or Java? +No. Microsoft Edge doesn’t support ActiveX controls and BHOs like Silverlight or Java. If you’re running web apps that use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and standards support. + +## How often will Microsoft Edge be updated? +In Windows 10, we’re delivering Windows as a service, updated on a cadence driven by quality and the availability of new features. Microsoft Edge security updates are released every two to four weeks, while bigger feature updates are included in the Windows 10 releases on a semi-annual cadence. + +## How can I provide feedback on Microsoft Edge? +Microsoft Edge is an evergreen browser - we’ll continue to evolve both the web platform and the user interface with regular updates. To send feedback on user experience, or on broken or malicious sites, use the **Send Feedback** option under the ellipses icon (**...**) in the Microsoft Edge toolbar. + +## Will Internet Explorer 11 continue to receive updates? +We’re committed to keeping Internet Explorer a supported, reliable, and safe browser. Internet Explorer is still a component of Windows and follows the support lifecycle of the OS on which it’s installed. For details, see [Lifecycle FAQ - Internet Explorer](https://support.microsoft.com/help/17454/). While we continue to support and update Internet Explorer, the latest features and platform updates will only be available in Microsoft Edge. + +## How do I find out what version of Microsoft Edge I have? +In the upper right corner of Microsoft Edge, click the ellipses icon (**...**), and then click **Settings**. Look in the **About Microsoft Edge** section to find your version. + +## What is Microsoft EdgeHTML? +Microsoft EdgeHTML is the web rendering engine that powers the current Microsoft Edge web browser and Windows 10 web app platform. (As opposed to *Microsoft Edge, based on Chromium*.) diff --git a/browsers/edge/microsoft-edge-forrester.md b/browsers/edge/microsoft-edge-forrester.md index a68908bb52..2407ccef53 100644 --- a/browsers/edge/microsoft-edge-forrester.md +++ b/browsers/edge/microsoft-edge-forrester.md @@ -1,36 +1,36 @@ ---- -title: Forrester Total Economic Impact - Microsoft Edge -ms.reviewer: -manager: dansimp -description: Review the results of the Microsoft Edge study carried out by Forrester Research -ms.prod: edge -ms.topic: article -author: msdmaguire -ms.author: dmaguire -ms.localizationpriority: high ---- -# Measuring the impact of Microsoft Edge - Total Economic Impact (TEI) of Microsoft Edge - -Forrester Research measures the return on investment (ROI) of Microsoft Edge in its latest TEI report and survey. Browse and download these free resources to learn about the impact Microsoft Edge can have in your organization, including significant cost savings in reduced browser help desk tickets and improved browser security, to increased speed, performance, and user productivity. - -## Forrester report video summary -View a brief overview of the Forrester TEI case study that Microsoft commissioned to examine the value your organization can achieve by utilizing Microsoft Edge: - -> ![VIDEO ] - -## Forrester Study report - -Forrester interviewed several customers with more than six months of experience using Microsoft Edge – all customers reported improvements in browser security, increased user productivity, and efficiencies gained in supporting the software. - -[Download the full report](https://www.microsoft.com/download/details.aspx?id=55847) - -## Forrester Study report infographic -Get a graphical summary of the TEI of Microsoft Edge Forrester Study report and highlights of the three-year financial impact of Microsoft Edge. - -[Download the report infographic](https://www.microsoft.com/download/details.aspx?id=55956) - -## Forrester survey infographic - -Forrester surveyed 168 customers using Microsoft Edge form the US, Germany, UK, and Japan, ranging in size from 500 to over 100,000 employees. This document is an abridged version of this survey commissioned by Microsoft and delivery by Forrester consulting. - -[Download the survey infographic](https://www.microsoft.com/download/details.aspx?id=53892) +--- +title: Forrester Total Economic Impact - Microsoft Edge +ms.reviewer: +audience: itpro manager: dansimp +description: Review the results of the Microsoft Edge study carried out by Forrester Research +ms.prod: edge +ms.topic: article +author: msdmaguire +ms.author: dmaguire +ms.localizationpriority: high +--- +# Measuring the impact of Microsoft Edge - Total Economic Impact (TEI) of Microsoft Edge + +Forrester Research measures the return on investment (ROI) of Microsoft Edge in its latest TEI report and survey. Browse and download these free resources to learn about the impact Microsoft Edge can have in your organization, including significant cost savings in reduced browser help desk tickets and improved browser security, to increased speed, performance, and user productivity. + +## Forrester report video summary +View a brief overview of the Forrester TEI case study that Microsoft commissioned to examine the value your organization can achieve by utilizing Microsoft Edge: + +> ![VIDEO ] + +## Forrester Study report + +Forrester interviewed several customers with more than six months of experience using Microsoft Edge – all customers reported improvements in browser security, increased user productivity, and efficiencies gained in supporting the software. + +[Download the full report](https://www.microsoft.com/download/details.aspx?id=55847) + +## Forrester Study report infographic +Get a graphical summary of the TEI of Microsoft Edge Forrester Study report and highlights of the three-year financial impact of Microsoft Edge. + +[Download the report infographic](https://www.microsoft.com/download/details.aspx?id=55956) + +## Forrester survey infographic + +Forrester surveyed 168 customers using Microsoft Edge form the US, Germany, UK, and Japan, ranging in size from 500 to over 100,000 employees. This document is an abridged version of this survey commissioned by Microsoft and delivery by Forrester consulting. + +[Download the survey infographic](https://www.microsoft.com/download/details.aspx?id=53892) diff --git a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md index b1d69471cd..5150d172c9 100644 --- a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md +++ b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md @@ -1,265 +1,265 @@ ---- -title: Deploy Microsoft Edge kiosk mode -description: Microsoft Edge kiosk mode works with assigned access to allow IT admins to create a tailored browsing experience designed for kiosk devices. To use Microsoft Edge kiosk mode, you must configure Microsoft Edge as an application in assigned access. -ms.assetid: -ms.reviewer: -manager: dansimp -author: eavena -ms.author: eravena -ms.prod: edge -ms.sitesec: library -ms.topic: get-started-article -ms.localizationpriority: medium -ms.date: 10/29/2018 ---- - -# Deploy Microsoft Edge kiosk mode - ->Applies to: Microsoft Edge on Windows 10, version 1809 ->Professional, Enterprise, and Education - -In the Windows 10 October 2018 Update, we added the capability to use Microsoft Edge as a kiosk using assigned access. With assigned access, you create a tailored browsing experience locking down a Windows 10 device to only run as a single-app or multi-app kiosk. Assigned access restricts a local standard user account so that it only has access to one or more Windows app, such as Microsoft Edge in kiosk mode. - -In this topic, you learn how to configure the behavior of Microsoft Edge when it's running in kiosk mode with assigned access. You also learn how to set up your kiosk device using either Windows Setting or Microsoft Intune or other MDM service. - -At the end of this topic, you can find a list of [supported policies](#supported-policies-for-kiosk-mode) for kiosk mode and a [feature comparison](#feature-comparison-of-kiosk-mode-and-kiosk-browser-app) of the kiosk mode policy and kiosk browser app. You also find instructions on how to provide us feedback or get support. - - -## Kiosk mode configuration types - ->**Policy** = Configure kiosk mode (ConfigureKioskMode) - -Microsoft Edge kiosk mode supports four configurations types that depend on how Microsoft Edge is set up with assigned access, either as a single-app or multi-app kiosk. These configuration types help you determine what is best suited for your kiosk device or scenario. - -- Learn about [creating a kiosk experience](https://docs.microsoft.com/windows-hardware/customize/enterprise/create-a-kiosk-image) - - - [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage) - - - [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps). - -- Learn about configuring a more secure kiosk experience: [Other settings to lock down](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage#other-settings-to-lock-down). - - -### Important things to remember before getting started - -- The public browsing kiosk types run Microsoft Edge InPrivate mode to protect user data with a browsing experience designed for public kiosks. - -- Microsoft Edge kiosk mode has a built-in timer to help keep data safe in public browsing sessions. When the idle time (no user activity) meets the time limit, a confirmation message prompts the user to continue, and if no user activity Microsoft Edge resets the session to the default URL. By default, the idle timer is 5 minutes, but you can choose a value of your own. - -- Optionally, you can define a single URL for the Home button, Start page, and New Tab page. See [Supported policies for kiosk mode](#supported-policies-for-kiosk-mode) to learn more. - -- No matter which configuration type you choose, you must set up Microsoft Edge in assigned access; otherwise, Microsoft Edge ignores the settings in this policy (Configure kiosk mode/ConfigureKioskMode).

Learn more about assigned access: - - - [Configure kiosk and shared devices running Windows desktop editions](https://aka.ms/E489vw). - - - [Kiosk apps for assigned access best practices](https://aka.ms/H1s8y4). - - - [Guidelines for choosing an app for assigned access (kiosk mode)](https://aka.ms/Ul7dw3). - - -### Supported configuration types - -[!INCLUDE [configure-kiosk-mode-supported-values-include](includes/configure-kiosk-mode-supported-values-include.md)] - -## Set up Microsoft Edge kiosk mode - -Now that you're familiar with the different kiosk mode configurations and have the one you want to use in mind, you can use one of the following methods to set up Microsoft Edge kiosk mode: - -- **Windows Settings.** Use only to set up a couple of single-app devices because you perform these steps physically on each device. For a multi-app kiosk device, use Microsoft Intune or other MDM service. - -- **Microsoft Intune or other MDM service.** Use to set up several single-app or multi-app kiosk devices. Microsoft Intune and other MDM service providers offer more options for customizing the Microsoft Edge kiosk mode experience using any of the [Supported policies for kiosk mode](#supported-policies-for-kiosk-mode). - - -### Prerequisites - -- Microsoft Edge on Windows 10, version 1809 (Professional, Enterprise, and Education). - -- URL to load when the kiosk launches. The URL that you provide sets the Home button, Start page, and New Tab page. - -- _**For Microsoft Intune or other MDM service**_, you must have the AppUserModelID (AUMID) to set up Microsoft Edge: - - ``` - Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge - ``` - - -### Use Windows Settings - -Windows Settings is the simplest and the only way to set up one or a couple of single-app devices. - - -1. On the kiosk device, open Windows Settings, and in the search field type **kiosk** and then select **Set up a kiosk (assigned access)**. - -2. On the **Set up a kiosk** page, click **Get started**. - -3. Type a name to create a new kiosk account, or choose an existing account from the populated list and click **Next**. - -4. On the **Choose a kiosk app** page, select **Microsoft Edge** and then click **Next**. - -5. Select how Microsoft Edge displays when running in kiosk mode: - - - **As a digital sign or interactive display** - Displays a specific site in full-screen mode, running Microsoft Edge InPrivate protecting user data. - - - **As a public browser** - Runs a limited multi-tab version of Microsoft Edge, protecting user data. - -6. Select **Next**. - -7. Type the URL to load when the kiosk launches. - -8. Accept the default value of **5 minutes** for the idle time or provide a value of your own. - -9. Click **Next**. - -10. Close the **Settings** window to save and apply your choices. - -11. Restart the kiosk device and sign in with the local kiosk account to validate the configuration. - -**_Congratulations!_**

You’ve just finished setting up a single-app kiosk device using Windows Settings. - -**_What's next?_** - -- User your new kiosk device.

- OR

-- Make changes to your kiosk device. In Windows Settings, on the **Set up a kiosk** page, make your changes to **Choose a kiosk mode** and **Set up Microsoft Edge**. - ---- - - -### Use Microsoft Intune or other MDM service - -With this method, you can use Microsoft Intune or other MDM services to configure Microsoft Edge kiosk mode in assigned access and how it behaves on a kiosk device. To learn about a few app fundamentals and requirements before adding them to Intune, see [Add apps to Microsoft Intune](https://docs.microsoft.com/intune/apps-add). - ->[!IMPORTANT] ->If you are using a local account as a kiosk account in Microsoft Intune, make sure to sign into this account and then sign out before configuring the kiosk device. - -1. In Microsoft Intune or other MDM service, configure [AssignedAccess](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) to prevent users from accessing the file system, running executables, or other apps. - -2. Configure the following MDM settings to setup Microsoft Edge kiosk mode on the kiosk device and then restart the device. - - | | | - |---|---| - | **[ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)**

![](images/icon-thin-line-computer.png) | Configure the display mode for Microsoft Edge as a kiosk app.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode

**Data type:** Integer

**Allowed values:**

  • **Single-app kiosk experience**
    • **0** - Digital signage and interactive display
    • **1** - InPrivate Public browsing
  • **Multi-app kiosk experience**
    • **0** - Normal Microsoft Edge running in assigned access
    • **1** - InPrivate public browsing with other apps
| - | **[ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout)**

![](images/icon-thin-line-computer.png) | Change the time in minutes from the last user activity before Microsoft Edge kiosk mode resets the user's session.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout

**Data type:** Integer

**Allowed values:**

  • **0** - No idle timer
  • **1-1440 (5 minutes is the default)** - Set reset on idle timer
| - | **[HomePages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-homepages)**

![](images/icon-thin-line-computer.png) | Set one or more start pages, URLs, to load when Microsoft Edge launches.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages

**Data type:** String

**Allowed values:**

Enter one or more URLs, for example,
   \\ | - | **[ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)**

![](images/icon-thin-line-computer.png) | Configure how the Home Button behaves.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton

**Data type:** Integer

**Allowed values:**

  • **0 (default)** - Not configured. Show home button, and load the default Start page.
  • **1** - Enabled. Show home button and load New Tab page
  • **2** - Enabled. Show home button & set a specific page.
  • **3** - Enabled. Hide the home button.
| - | **[SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)**

![](images/icon-thin-line-computer.png) | If you set ConfigureHomeButton to 2, configure the home button URL.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.bing.com | - | **[SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)**

![](images/icon-thin-line-computer.png) | Set a custom URL for the New Tab page.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.msn.com | - - -**_Congratulations!_**

You’ve just finished setting up a kiosk or digital signage with policies for Microsoft Edge kiosk mode using Microsoft Intune or other MDM service. - -**_What's next?_**

Now it's time to use your new kiosk device. Sign into the device with the kiosk account selected to run Microsoft Edge kiosk mode. - ---- - - -## Supported policies for kiosk mode - -Use any of the Microsoft Edge policies listed below to enhance the kiosk experience depending on the Microsoft Edge kiosk mode type you configure. To learn more about these policies, see [Policy CSP - Browser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser). - -Make sure to check with your provider for instructions. - -| **MDM Setting** | **Digital /
Interactive signage** | **Public browsing
single-app** | **Public browsing
multi-app** | **Normal
mode** | -|------------------|:---------:|:---------:|:---------:|:---------:| -| [AllowAddressBarDropdown](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowaddressbardropdown) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowAutofill](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowautofill) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowBrowser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowbrowser) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | -| [AllowConfigurationUpdateForBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowCookies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowcookies) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowDeveloperTools](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowdevelopertools) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowDoNotTrack](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowextensions) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowFlash](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowflash) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowFlashClickToRun](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) | ![Supported](images/148767.png)2 | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowFullscreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowfullscreenmode)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowInPrivate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowinprivate) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowMicrosoftCompatibilityList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | -| [AllowPasswordManager](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowPopups](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowpopups) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowPrelaunch](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowPrinting](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowprinting)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowSavingHistory](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowSearchEngineCustomization](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowSideloadingExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowSyncMySettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowTabPreloading](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowWebContentOnNewTabPage](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AlwaysEnabledBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [ClearBrowsingDataOnExit](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-clearbrowsingdataonexit) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [ConfigureAdditionalSearchEngines](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configureadditionalsearchengines) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [ConfigureFavoritesBar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -|  [ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -|  [ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | -| [ConfigureOpenEdgeWith](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [ConfigureTelemetryForMicrosoft365Analytics](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [DisableLockdownOfStartPages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-disablelockdownofstartpages) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [Experience/DoNotSyncBrowserSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting)\* and [Experience/PreventTurningOffRequiredExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [EnableExtendedBooksTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | -| [FirstRunURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-firstrunurl) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | -| [HomePages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-homepages) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [LockdownFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [PreventAccessToAboutFlagsInMicrosoftEdge](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventaccesstoaboutflagsinmicrosoftedge) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [PreventCertErrorOverrides](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [PreventFirstRunPage](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventfirstrunpage) | ![Supported](images/148767.png) | ![Supported](images/148767.png)| ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [PreventLiveTileDataCollection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [PreventSmartScreenPromptOverride](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverride) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [PreventSmartScreenPromptOverrideForFiles](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverrideforfiles) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [PreventTurningOffRequiredExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [PreventUsingLocalHostIPAddressForWebRTC](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventusinglocalhostipaddressforwebrtc) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [ProvisionFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | -| [SetDefaultSearchEngine](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setdefaultsearchengine) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [ShowMessageWhenOpeningInteretExplorerSites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | -| [SyncFavoritesBetweenIEAndMicrosoftEdge](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-syncfavoritesbetweenieandmicrosoftedge) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | -| [UnlockHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [UseSharedFolderForBooks](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | - - -*\* New policy as of Windows 10, version 1809.*

-*1) For multi-app assigned access, you must configure Internet Explorer 11.*
-*2) For digital/interactive signage to enable Flash, set [AllowFlashClickToRun](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) to 0.* - -**Legend:**

-       ![Not supported](images/148766.png) = Not applicable or not supported
-       ![Supported](images/148767.png) = Supported - ---- - -## Feature comparison of kiosk mode and kiosk browser app -In the following table, we show you the features available in both Microsoft Edge kiosk mode and Kiosk Browser app available in Microsoft Store. Both kiosk mode and kiosk browser app work in assigned access. - - -| **Feature** | **Microsoft Edge kiosk mode** | **Microsoft Kiosk browser app** | -|-----------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:-------------------------------------------------------------------------------------------------------------------------------------------------------:| -| Print support | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | -| Multi-tab support | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | -| Allow/Block URL support | ![Supported](images/148767.png)

*\*For Microsoft Edge kiosk mode use* Windows Defender Firewall. Microsoft kiosk browser has custom policy support. | ![Supported](images/148767.png) | -| Configure Home Button | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| Set Start page(s) URL | ![Supported](images/148767.png) | ![Supported](images/148767.png)

*Same as Home button URL* | -| Set New Tab page URL | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | -| Favorites management | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | -| End session button | ![Supported](images/148767.png) | ![Supported](images/148767.png)

*In Microsoft Intune, you must create a custom URI to enable. Dedicated UI configuration introduced in version 1808.* | -| Reset on inactivity | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| Internet Explorer integration (Enterprise Mode site list) | ![Supported](images/148767.png)

*Multi-app mode only* | ![Not supported](images/148766.png) | -| Available in Microsoft Store | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| SKU availability | Windows 10 October 2018 Update
Professional, Enterprise, and Education | Windows 10 April 2018 Update
Professional, Enterprise, and Education | - -**\*Windows Defender Firewall**

-To prevent access to unwanted websites on your kiosk device, use Windows Defender Firewall to configure a list of allowed websites, blocked websites or both. For more details, see [Windows Defender Firewall with Advanced Security Deployment](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide). - ---- - -## Provide feedback or get support - -To provide feedback on Microsoft Edge kiosk mode in Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory. - -**_For multi-app kiosk only._** If you have set up the Feedback Hub in assigned access, you can you submit the feedback from the device running Microsoft Edge in kiosk mode in which you can include diagnostic logs. In the Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory. - - - +--- +title: Deploy Microsoft Edge kiosk mode +description: Microsoft Edge kiosk mode works with assigned access to allow IT admins to create a tailored browsing experience designed for kiosk devices. To use Microsoft Edge kiosk mode, you must configure Microsoft Edge as an application in assigned access. +ms.assetid: +ms.reviewer: +audience: itpro manager: dansimp +author: eavena +ms.author: eravena +ms.prod: edge +ms.sitesec: library +ms.topic: get-started-article +ms.localizationpriority: medium +ms.date: 10/29/2018 +--- + +# Deploy Microsoft Edge kiosk mode + +>Applies to: Microsoft Edge on Windows 10, version 1809 +>Professional, Enterprise, and Education + +In the Windows 10 October 2018 Update, we added the capability to use Microsoft Edge as a kiosk using assigned access. With assigned access, you create a tailored browsing experience locking down a Windows 10 device to only run as a single-app or multi-app kiosk. Assigned access restricts a local standard user account so that it only has access to one or more Windows app, such as Microsoft Edge in kiosk mode. + +In this topic, you learn how to configure the behavior of Microsoft Edge when it's running in kiosk mode with assigned access. You also learn how to set up your kiosk device using either Windows Setting or Microsoft Intune or other MDM service. + +At the end of this topic, you can find a list of [supported policies](#supported-policies-for-kiosk-mode) for kiosk mode and a [feature comparison](#feature-comparison-of-kiosk-mode-and-kiosk-browser-app) of the kiosk mode policy and kiosk browser app. You also find instructions on how to provide us feedback or get support. + + +## Kiosk mode configuration types + +>**Policy** = Configure kiosk mode (ConfigureKioskMode) + +Microsoft Edge kiosk mode supports four configurations types that depend on how Microsoft Edge is set up with assigned access, either as a single-app or multi-app kiosk. These configuration types help you determine what is best suited for your kiosk device or scenario. + +- Learn about [creating a kiosk experience](https://docs.microsoft.com/windows-hardware/customize/enterprise/create-a-kiosk-image) + + - [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage) + + - [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps). + +- Learn about configuring a more secure kiosk experience: [Other settings to lock down](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage#other-settings-to-lock-down). + + +### Important things to remember before getting started + +- The public browsing kiosk types run Microsoft Edge InPrivate mode to protect user data with a browsing experience designed for public kiosks. + +- Microsoft Edge kiosk mode has a built-in timer to help keep data safe in public browsing sessions. When the idle time (no user activity) meets the time limit, a confirmation message prompts the user to continue, and if no user activity Microsoft Edge resets the session to the default URL. By default, the idle timer is 5 minutes, but you can choose a value of your own. + +- Optionally, you can define a single URL for the Home button, Start page, and New Tab page. See [Supported policies for kiosk mode](#supported-policies-for-kiosk-mode) to learn more. + +- No matter which configuration type you choose, you must set up Microsoft Edge in assigned access; otherwise, Microsoft Edge ignores the settings in this policy (Configure kiosk mode/ConfigureKioskMode).

Learn more about assigned access: + + - [Configure kiosk and shared devices running Windows desktop editions](https://aka.ms/E489vw). + + - [Kiosk apps for assigned access best practices](https://aka.ms/H1s8y4). + + - [Guidelines for choosing an app for assigned access (kiosk mode)](https://aka.ms/Ul7dw3). + + +### Supported configuration types + +[!INCLUDE [configure-kiosk-mode-supported-values-include](includes/configure-kiosk-mode-supported-values-include.md)] + +## Set up Microsoft Edge kiosk mode + +Now that you're familiar with the different kiosk mode configurations and have the one you want to use in mind, you can use one of the following methods to set up Microsoft Edge kiosk mode: + +- **Windows Settings.** Use only to set up a couple of single-app devices because you perform these steps physically on each device. For a multi-app kiosk device, use Microsoft Intune or other MDM service. + +- **Microsoft Intune or other MDM service.** Use to set up several single-app or multi-app kiosk devices. Microsoft Intune and other MDM service providers offer more options for customizing the Microsoft Edge kiosk mode experience using any of the [Supported policies for kiosk mode](#supported-policies-for-kiosk-mode). + + +### Prerequisites + +- Microsoft Edge on Windows 10, version 1809 (Professional, Enterprise, and Education). + +- URL to load when the kiosk launches. The URL that you provide sets the Home button, Start page, and New Tab page. + +- _**For Microsoft Intune or other MDM service**_, you must have the AppUserModelID (AUMID) to set up Microsoft Edge: + + ``` + Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge + ``` + + +### Use Windows Settings + +Windows Settings is the simplest and the only way to set up one or a couple of single-app devices. + + +1. On the kiosk device, open Windows Settings, and in the search field type **kiosk** and then select **Set up a kiosk (assigned access)**. + +2. On the **Set up a kiosk** page, click **Get started**. + +3. Type a name to create a new kiosk account, or choose an existing account from the populated list and click **Next**. + +4. On the **Choose a kiosk app** page, select **Microsoft Edge** and then click **Next**. + +5. Select how Microsoft Edge displays when running in kiosk mode: + + - **As a digital sign or interactive display** - Displays a specific site in full-screen mode, running Microsoft Edge InPrivate protecting user data. + + - **As a public browser** - Runs a limited multi-tab version of Microsoft Edge, protecting user data. + +6. Select **Next**. + +7. Type the URL to load when the kiosk launches. + +8. Accept the default value of **5 minutes** for the idle time or provide a value of your own. + +9. Click **Next**. + +10. Close the **Settings** window to save and apply your choices. + +11. Restart the kiosk device and sign in with the local kiosk account to validate the configuration. + +**_Congratulations!_**

You’ve just finished setting up a single-app kiosk device using Windows Settings. + +**_What's next?_** + +- User your new kiosk device.

+ OR

+- Make changes to your kiosk device. In Windows Settings, on the **Set up a kiosk** page, make your changes to **Choose a kiosk mode** and **Set up Microsoft Edge**. + +--- + + +### Use Microsoft Intune or other MDM service + +With this method, you can use Microsoft Intune or other MDM services to configure Microsoft Edge kiosk mode in assigned access and how it behaves on a kiosk device. To learn about a few app fundamentals and requirements before adding them to Intune, see [Add apps to Microsoft Intune](https://docs.microsoft.com/intune/apps-add). + +>[!IMPORTANT] +>If you are using a local account as a kiosk account in Microsoft Intune, make sure to sign into this account and then sign out before configuring the kiosk device. + +1. In Microsoft Intune or other MDM service, configure [AssignedAccess](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) to prevent users from accessing the file system, running executables, or other apps. + +2. Configure the following MDM settings to setup Microsoft Edge kiosk mode on the kiosk device and then restart the device. + + | | | + |---|---| + | **[ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)**

![](images/icon-thin-line-computer.png) | Configure the display mode for Microsoft Edge as a kiosk app.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode

**Data type:** Integer

**Allowed values:**

  • **Single-app kiosk experience**
    • **0** - Digital signage and interactive display
    • **1** - InPrivate Public browsing
  • **Multi-app kiosk experience**
    • **0** - Normal Microsoft Edge running in assigned access
    • **1** - InPrivate public browsing with other apps
| + | **[ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout)**

![](images/icon-thin-line-computer.png) | Change the time in minutes from the last user activity before Microsoft Edge kiosk mode resets the user's session.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout

**Data type:** Integer

**Allowed values:**

  • **0** - No idle timer
  • **1-1440 (5 minutes is the default)** - Set reset on idle timer
| + | **[HomePages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-homepages)**

![](images/icon-thin-line-computer.png) | Set one or more start pages, URLs, to load when Microsoft Edge launches.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages

**Data type:** String

**Allowed values:**

Enter one or more URLs, for example,
   \\ | + | **[ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)**

![](images/icon-thin-line-computer.png) | Configure how the Home Button behaves.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton

**Data type:** Integer

**Allowed values:**

  • **0 (default)** - Not configured. Show home button, and load the default Start page.
  • **1** - Enabled. Show home button and load New Tab page
  • **2** - Enabled. Show home button & set a specific page.
  • **3** - Enabled. Hide the home button.
| + | **[SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)**

![](images/icon-thin-line-computer.png) | If you set ConfigureHomeButton to 2, configure the home button URL.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.bing.com | + | **[SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)**

![](images/icon-thin-line-computer.png) | Set a custom URL for the New Tab page.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.msn.com | + + +**_Congratulations!_**

You’ve just finished setting up a kiosk or digital signage with policies for Microsoft Edge kiosk mode using Microsoft Intune or other MDM service. + +**_What's next?_**

Now it's time to use your new kiosk device. Sign into the device with the kiosk account selected to run Microsoft Edge kiosk mode. + +--- + + +## Supported policies for kiosk mode + +Use any of the Microsoft Edge policies listed below to enhance the kiosk experience depending on the Microsoft Edge kiosk mode type you configure. To learn more about these policies, see [Policy CSP - Browser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser). + +Make sure to check with your provider for instructions. + +| **MDM Setting** | **Digital /
Interactive signage** | **Public browsing
single-app** | **Public browsing
multi-app** | **Normal
mode** | +|------------------|:---------:|:---------:|:---------:|:---------:| +| [AllowAddressBarDropdown](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowaddressbardropdown) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowAutofill](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowautofill) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowBrowser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowbrowser) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | +| [AllowConfigurationUpdateForBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowCookies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowcookies) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowDeveloperTools](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowdevelopertools) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowDoNotTrack](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowextensions) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowFlash](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowflash) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowFlashClickToRun](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) | ![Supported](images/148767.png)2 | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowFullscreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowfullscreenmode)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowInPrivate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowinprivate) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowMicrosoftCompatibilityList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | +| [AllowPasswordManager](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowPopups](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowpopups) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowPrelaunch](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowPrinting](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowprinting)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowSavingHistory](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowSearchEngineCustomization](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowSideloadingExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowSyncMySettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowTabPreloading](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowWebContentOnNewTabPage](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AlwaysEnabledBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [ClearBrowsingDataOnExit](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-clearbrowsingdataonexit) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [ConfigureAdditionalSearchEngines](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configureadditionalsearchengines) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [ConfigureFavoritesBar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +|  [ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +|  [ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | +| [ConfigureOpenEdgeWith](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [ConfigureTelemetryForMicrosoft365Analytics](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [DisableLockdownOfStartPages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-disablelockdownofstartpages) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [Experience/DoNotSyncBrowserSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting)\* and [Experience/PreventTurningOffRequiredExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [EnableExtendedBooksTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | +| [FirstRunURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-firstrunurl) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | +| [HomePages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-homepages) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [LockdownFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [PreventAccessToAboutFlagsInMicrosoftEdge](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventaccesstoaboutflagsinmicrosoftedge) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [PreventCertErrorOverrides](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [PreventFirstRunPage](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventfirstrunpage) | ![Supported](images/148767.png) | ![Supported](images/148767.png)| ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [PreventLiveTileDataCollection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [PreventSmartScreenPromptOverride](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverride) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [PreventSmartScreenPromptOverrideForFiles](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverrideforfiles) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [PreventTurningOffRequiredExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [PreventUsingLocalHostIPAddressForWebRTC](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventusinglocalhostipaddressforwebrtc) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [ProvisionFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | +| [SetDefaultSearchEngine](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setdefaultsearchengine) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [ShowMessageWhenOpeningInteretExplorerSites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | +| [SyncFavoritesBetweenIEAndMicrosoftEdge](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-syncfavoritesbetweenieandmicrosoftedge) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | +| [UnlockHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [UseSharedFolderForBooks](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | + + +*\* New policy as of Windows 10, version 1809.*

+*1) For multi-app assigned access, you must configure Internet Explorer 11.*
+*2) For digital/interactive signage to enable Flash, set [AllowFlashClickToRun](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) to 0.* + +**Legend:**

+       ![Not supported](images/148766.png) = Not applicable or not supported
+       ![Supported](images/148767.png) = Supported + +--- + +## Feature comparison of kiosk mode and kiosk browser app +In the following table, we show you the features available in both Microsoft Edge kiosk mode and Kiosk Browser app available in Microsoft Store. Both kiosk mode and kiosk browser app work in assigned access. + + +| **Feature** | **Microsoft Edge kiosk mode** | **Microsoft Kiosk browser app** | +|-----------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:-------------------------------------------------------------------------------------------------------------------------------------------------------:| +| Print support | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | +| Multi-tab support | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | +| Allow/Block URL support | ![Supported](images/148767.png)

*\*For Microsoft Edge kiosk mode use* Windows Defender Firewall. Microsoft kiosk browser has custom policy support. | ![Supported](images/148767.png) | +| Configure Home Button | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| Set Start page(s) URL | ![Supported](images/148767.png) | ![Supported](images/148767.png)

*Same as Home button URL* | +| Set New Tab page URL | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | +| Favorites management | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | +| End session button | ![Supported](images/148767.png) | ![Supported](images/148767.png)

*In Microsoft Intune, you must create a custom URI to enable. Dedicated UI configuration introduced in version 1808.* | +| Reset on inactivity | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| Internet Explorer integration (Enterprise Mode site list) | ![Supported](images/148767.png)

*Multi-app mode only* | ![Not supported](images/148766.png) | +| Available in Microsoft Store | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| SKU availability | Windows 10 October 2018 Update
Professional, Enterprise, and Education | Windows 10 April 2018 Update
Professional, Enterprise, and Education | + +**\*Windows Defender Firewall**

+To prevent access to unwanted websites on your kiosk device, use Windows Defender Firewall to configure a list of allowed websites, blocked websites or both. For more details, see [Windows Defender Firewall with Advanced Security Deployment](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide). + +--- + +## Provide feedback or get support + +To provide feedback on Microsoft Edge kiosk mode in Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory. + +**_For multi-app kiosk only._** If you have set up the Feedback Hub in assigned access, you can you submit the feedback from the device running Microsoft Edge in kiosk mode in which you can include diagnostic logs. In the Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory. + + + diff --git a/browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md b/browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md index 00da0e5de3..6ca44ca392 100644 --- a/browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md +++ b/browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge does not use a shared folder by default but downloads book files to a per-user folder for each user. With this policy, you can configure Microsoft Edge to store books from the Books Library to a default, shared folder in Windows, which decreases the amount of storage used by book files. When you enable this policy, Microsoft Edge downloads books to a shared folder after user action to download the book to their device, which allows them to remove downloaded books at any time. For this policy to work correctly, you must also enable the **Allow a Windows app to share application data between users** group policy. Also, the users must be signed in with a school or work account. +--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge does not use a shared folder by default but downloads book files to a per-user folder for each user. With this policy, you can configure Microsoft Edge to store books from the Books Library to a default, shared folder in Windows, which decreases the amount of storage used by book files. When you enable this policy, Microsoft Edge downloads books to a shared folder after user action to download the book to their device, which allows them to remove downloaded books at any time. For this policy to work correctly, you must also enable the **Allow a Windows app to share application data between users** group policy. Also, the users must be signed in with a school or work account. diff --git a/browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md b/browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md index 2e877de455..4b4897683a 100644 --- a/browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md +++ b/browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge shows the Address bar drop-down list and makes it available by default, which takes precedence over the Configure search suggestions in Address bar policy. We recommend disabling this policy if you want to minimize network connections from Microsoft Edge to Microsoft service, which hides the functionality of the Address bar drop-down list. When you disable this policy, Microsoft Edge also disables the _Show search and site suggestions as I type_ toggle in Settings. +--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge shows the Address bar drop-down list and makes it available by default, which takes precedence over the Configure search suggestions in Address bar policy. We recommend disabling this policy if you want to minimize network connections from Microsoft Edge to Microsoft service, which hides the functionality of the Address bar drop-down list. When you disable this policy, Microsoft Edge also disables the _Show search and site suggestions as I type_ toggle in Settings. diff --git a/browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md b/browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md index c3aa88d8c1..bd2d105ef2 100644 --- a/browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md +++ b/browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Adobe Flash is integrated with Microsoft Edge and runs Adobe Flash content by default. With this policy, you can configure Microsoft Edge to prevent Adobe Flash content from running. +--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Adobe Flash is integrated with Microsoft Edge and runs Adobe Flash content by default. With this policy, you can configure Microsoft Edge to prevent Adobe Flash content from running. diff --git a/browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md b/browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md index 5515b7a283..373cac8619 100644 --- a/browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md +++ b/browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge does not clear the browsing data on exit by default, but users can configure the _Clear browsing data_ option in Settings. Browsing data includes information you entered in forms, passwords, and even the websites visited. With this policy, you can configure Microsoft Edge to clear the browsing data automatically each time Microsoft Edge closes. +--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge does not clear the browsing data on exit by default, but users can configure the _Clear browsing data_ option in Settings. Browsing data includes information you entered in forms, passwords, and even the websites visited. With this policy, you can configure Microsoft Edge to clear the browsing data automatically each time Microsoft Edge closes. diff --git a/browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md b/browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md index 329f024f3f..4775e4ba3e 100644 --- a/browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md +++ b/browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge automatically updates the configuration data for the Books library. Disabling this policy prevents Microsoft Edge from updating the configuration data. If Microsoft receives feedback about the amount of data about the Books library, the data comes as a JSON file. +--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge automatically updates the configuration data for the Books library. Disabling this policy prevents Microsoft Edge from updating the configuration data. If Microsoft receives feedback about the amount of data about the Books library, the data comes as a JSON file. diff --git a/browsers/edge/shortdesc/allow-cortana-shortdesc.md b/browsers/edge/shortdesc/allow-cortana-shortdesc.md index 035f849a7f..5975b2b148 100644 --- a/browsers/edge/shortdesc/allow-cortana-shortdesc.md +++ b/browsers/edge/shortdesc/allow-cortana-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Since Microsoft Edge is integration with Cortana, Microsoft Edge allows users to use Cortana voice assistant by default. With this policy, you can configure Microsoft Edge to prevent users from using Cortana but can still search to find items on their device. +--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Since Microsoft Edge is integration with Cortana, Microsoft Edge allows users to use Cortana voice assistant by default. With this policy, you can configure Microsoft Edge to prevent users from using Cortana but can still search to find items on their device. diff --git a/browsers/edge/shortdesc/allow-developer-tools-shortdesc.md b/browsers/edge/shortdesc/allow-developer-tools-shortdesc.md index 43fb795cdd..4084a7dfde 100644 --- a/browsers/edge/shortdesc/allow-developer-tools-shortdesc.md +++ b/browsers/edge/shortdesc/allow-developer-tools-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge allows users to use the F12 developer tools to build and debug web pages by default. With this policy, you can configure Microsoft Edge to prevent users from using the F12 developer tools. +--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge allows users to use the F12 developer tools to build and debug web pages by default. With this policy, you can configure Microsoft Edge to prevent users from using the F12 developer tools. diff --git a/browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md b/browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md index 56e23ae4da..9d39c7e091 100644 --- a/browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md +++ b/browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, and depending on the device configuration, Microsoft Edge gathers basic diagnostic data about the books in the Books Library and sends it to Microsoft. Enabling this policy gathers and sends both basic and additional diagnostic data, such as usage data. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, and depending on the device configuration, Microsoft Edge gathers basic diagnostic data about the books in the Books Library and sends it to Microsoft. Enabling this policy gathers and sends both basic and additional diagnostic data, such as usage data. diff --git a/browsers/edge/shortdesc/allow-extensions-shortdesc.md b/browsers/edge/shortdesc/allow-extensions-shortdesc.md index 8276b06760..ca5e422178 100644 --- a/browsers/edge/shortdesc/allow-extensions-shortdesc.md +++ b/browsers/edge/shortdesc/allow-extensions-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge allows users to add or personalize extensions in Microsoft Edge by default. With this policy, you can configure Microsoft to prevent users from adding or personalizing extensions. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge allows users to add or personalize extensions in Microsoft Edge by default. With this policy, you can configure Microsoft to prevent users from adding or personalizing extensions. diff --git a/browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md b/browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md index cb47a5d149..1aca979b7e 100644 --- a/browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md +++ b/browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge allows fullscreen mode by default, which shows only the web content and hides the Microsoft Edge UI. When allowing fullscreen mode, users and extensions must have the proper permissions. Disabling this policy prevents fullscreen mode in Microsoft Edge. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge allows fullscreen mode by default, which shows only the web content and hides the Microsoft Edge UI. When allowing fullscreen mode, users and extensions must have the proper permissions. Disabling this policy prevents fullscreen mode in Microsoft Edge. diff --git a/browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md b/browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md index 1340e13406..4e15608ff7 100644 --- a/browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md +++ b/browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge allows InPrivate browsing, and after closing all InPrivate tabs, Microsoft Edge deletes the browsing data from the device. With this policy, you can configure Microsoft Edge to prevent InPrivate web browsing. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge allows InPrivate browsing, and after closing all InPrivate tabs, Microsoft Edge deletes the browsing data from the device. With this policy, you can configure Microsoft Edge to prevent InPrivate web browsing. diff --git a/browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md b/browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md index 35a86bfd85..46d2b5f57e 100644 --- a/browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md +++ b/browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -During browser navigation, Microsoft Edge checks the Microsoft Compatibility List for websites with known compatibility issues. If found, users are prompted to use Internet Explorer, where the site loads and displays correctly. Periodically during browser navigation, Microsoft Edge downloads the latest version of the list and applies the updates. With this policy, you can configure Microsoft Edge to ignore the compatibility list. You can view the compatibility list at about:compat. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +During browser navigation, Microsoft Edge checks the Microsoft Compatibility List for websites with known compatibility issues. If found, users are prompted to use Internet Explorer, where the site loads and displays correctly. Periodically during browser navigation, Microsoft Edge downloads the latest version of the list and applies the updates. With this policy, you can configure Microsoft Edge to ignore the compatibility list. You can view the compatibility list at about:compat. diff --git a/browsers/edge/shortdesc/allow-prelaunch-shortdesc.md b/browsers/edge/shortdesc/allow-prelaunch-shortdesc.md index a8437f2035..fcaf11e3ef 100644 --- a/browsers/edge/shortdesc/allow-prelaunch-shortdesc.md +++ b/browsers/edge/shortdesc/allow-prelaunch-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user. Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start Microsoft Edge. You can also configure Microsoft Edge to prevent from pre-launching. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user. Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start Microsoft Edge. You can also configure Microsoft Edge to prevent from pre-launching. diff --git a/browsers/edge/shortdesc/allow-printing-shortdesc.md b/browsers/edge/shortdesc/allow-printing-shortdesc.md index 288599efdd..f03766176c 100644 --- a/browsers/edge/shortdesc/allow-printing-shortdesc.md +++ b/browsers/edge/shortdesc/allow-printing-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge allows users to print web content by default. With this policy, you can configure Microsoft Edge to prevent users from printing web content. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge allows users to print web content by default. With this policy, you can configure Microsoft Edge to prevent users from printing web content. diff --git a/browsers/edge/shortdesc/allow-saving-history-shortdesc.md b/browsers/edge/shortdesc/allow-saving-history-shortdesc.md index 00be5b8c4d..9acffb1e18 100644 --- a/browsers/edge/shortdesc/allow-saving-history-shortdesc.md +++ b/browsers/edge/shortdesc/allow-saving-history-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge saves the browsing history of visited websites and shows them in the History pane by default. Disabling this policy prevents Microsoft Edge from saving the browsing history. If browsing history existed before disabling this policy, the previous browsing history remains in the History pane. Disabling this policy does not stop roaming of existing browsing history or browsing history from other devices. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge saves the browsing history of visited websites and shows them in the History pane by default. Disabling this policy prevents Microsoft Edge from saving the browsing history. If browsing history existed before disabling this policy, the previous browsing history remains in the History pane. Disabling this policy does not stop roaming of existing browsing history or browsing history from other devices. diff --git a/browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md b/browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md index fab9a56cff..4992a19eab 100644 --- a/browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md +++ b/browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, users can add new search engines or change the default search engine, in Settings. With this policy, you can prevent users from customizing the search engine in Microsoft Edge. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, users can add new search engines or change the default search engine, in Settings. With this policy, you can prevent users from customizing the search engine in Microsoft Edge. diff --git a/browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md b/browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md index 588e9f64f9..e16dbdc2db 100644 --- a/browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md +++ b/browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge allows sideloading, which installs and runs unverified extensions. Disabling this policy prevents sideloading of extensions but does not prevent sideloading using Add-AppxPackage via PowerShell. You can only install extensions through Microsoft store (including a store for business), enterprise storefront (such as Company Portal) or PowerShell (using Add-AppxPackage). +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge allows sideloading, which installs and runs unverified extensions. Disabling this policy prevents sideloading of extensions but does not prevent sideloading using Add-AppxPackage via PowerShell. You can only install extensions through Microsoft store (including a store for business), enterprise storefront (such as Company Portal) or PowerShell (using Add-AppxPackage). diff --git a/browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md b/browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md index ec10c36e78..783d8517ed 100644 --- a/browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md +++ b/browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge allows preloading of the Start and New Tab pages during Windows sign in, and each time Microsoft Edge closes by default. Preloading minimizes the amount of time required to start Microsoft Edge and load a new tab. With this policy, you can configure Microsoft Edge to prevent preloading of tabs. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge allows preloading of the Start and New Tab pages during Windows sign in, and each time Microsoft Edge closes by default. Preloading minimizes the amount of time required to start Microsoft Edge and load a new tab. With this policy, you can configure Microsoft Edge to prevent preloading of tabs. diff --git a/browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md b/browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md index 5d9a75ed5a..eb2a40f269 100644 --- a/browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md +++ b/browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 11/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge loads the default New Tab page and lets the users make changes. If you disable this policy, a blank page loads instead of the New Tab page and prevents users from changing it. +--- +author: dansimp +ms.author: dansimp +ms.date: 11/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge loads the default New Tab page and lets the users make changes. If you disable this policy, a blank page loads instead of the New Tab page and prevents users from changing it. diff --git a/browsers/edge/shortdesc/allow-windows-app-to-share-data-users-shortdesc.md b/browsers/edge/shortdesc/allow-windows-app-to-share-data-users-shortdesc.md index 2c63762356..51e769d22c 100644 --- a/browsers/edge/shortdesc/allow-windows-app-to-share-data-users-shortdesc.md +++ b/browsers/edge/shortdesc/allow-windows-app-to-share-data-users-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -With this policy, you can configure Windows 10 to share application data among multiple users on the system and with other instances of that app. Data shared through the SharedLocal folder is available through the Windows.Storage API. If you previously enabled this policy and now want to disable it, any shared app data remains in the SharedLocal folder. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +With this policy, you can configure Windows 10 to share application data among multiple users on the system and with other instances of that app. Data shared through the SharedLocal folder is available through the Windows.Storage API. If you previously enabled this policy and now want to disable it, any shared app data remains in the SharedLocal folder. diff --git a/browsers/edge/shortdesc/always-show-books-library-shortdesc.md b/browsers/edge/shortdesc/always-show-books-library-shortdesc.md index a9e0bdb003..264f64a898 100644 --- a/browsers/edge/shortdesc/always-show-books-library-shortdesc.md +++ b/browsers/edge/shortdesc/always-show-books-library-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge shows the Books Library only in countries or regions where supported. With this policy, you can configure Microsoft Edge to show the Books Library regardless of the device’s country or region. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge shows the Books Library only in countries or regions where supported. With this policy, you can configure Microsoft Edge to show the Books Library regardless of the device’s country or region. diff --git a/browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md b/browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md index 57fc82b0a1..f4a61c024c 100644 --- a/browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md +++ b/browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, users cannot add, remove, or change any of the search engines in Microsoft Edge, but they can set a default search engine. You can set the default search engine using the Set default search engine policy. However, with this policy, you can configure up to five additional search engines and set any one of them as the default. If you previously enabled this policy and now want to disable it, disabling deletes all configured search engines. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, users cannot add, remove, or change any of the search engines in Microsoft Edge, but they can set a default search engine. You can set the default search engine using the Set default search engine policy. However, with this policy, you can configure up to five additional search engines and set any one of them as the default. If you previously enabled this policy and now want to disable it, disabling deletes all configured search engines. diff --git a/browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md b/browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md index d409c6374c..0f73c32d5f 100644 --- a/browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md +++ b/browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge supports Adobe Flash as a built-in feature rather than as an external add-on and updates automatically via Windows Update. By default, Microsoft Edge prevents Adobe Flash content from loading automatically, requiring action from the user, for example, clicking the **Click-to-Run** button. Depending on how often the content loads and runs, the sites for the content gets added to the auto-allowed list. Disable this policy if you want Adobe Flash content to load automatically. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge supports Adobe Flash as a built-in feature rather than as an external add-on and updates automatically via Windows Update. By default, Microsoft Edge prevents Adobe Flash content from loading automatically, requiring action from the user, for example, clicking the **Click-to-Run** button. Depending on how often the content loads and runs, the sites for the content gets added to the auto-allowed list. Disable this policy if you want Adobe Flash content to load automatically. diff --git a/browsers/edge/shortdesc/configure-autofill-shortdesc.md b/browsers/edge/shortdesc/configure-autofill-shortdesc.md index 74af7970c6..94441080d8 100644 --- a/browsers/edge/shortdesc/configure-autofill-shortdesc.md +++ b/browsers/edge/shortdesc/configure-autofill-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, users can choose to use the Autofill feature to populate the form fields automatically. With this policy, you can configure Microsoft Edge, when enabled to use Autofill or, when disabled to prevent using Autofill. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, users can choose to use the Autofill feature to populate the form fields automatically. With this policy, you can configure Microsoft Edge, when enabled to use Autofill or, when disabled to prevent using Autofill. diff --git a/browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md b/browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md index 3f8d400ca5..75a3631a95 100644 --- a/browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md +++ b/browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge does not send browsing history data to Microsoft 365 Analytics by default. With this policy though, you can configure Microsoft Edge to send intranet history only, internet history only, or both to Microsoft 365 Analytics for enterprise devices with a configured Commercial ID. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge does not send browsing history data to Microsoft 365 Analytics by default. With this policy though, you can configure Microsoft Edge to send intranet history only, internet history only, or both to Microsoft 365 Analytics for enterprise devices with a configured Commercial ID. diff --git a/browsers/edge/shortdesc/configure-cookies-shortdesc.md b/browsers/edge/shortdesc/configure-cookies-shortdesc.md index eeb223000b..93152d2e3d 100644 --- a/browsers/edge/shortdesc/configure-cookies-shortdesc.md +++ b/browsers/edge/shortdesc/configure-cookies-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge allows all cookies from all websites by default. With this policy, you can configure Microsoft to block only 3rd-party cookies or block all cookies. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge allows all cookies from all websites by default. With this policy, you can configure Microsoft to block only 3rd-party cookies or block all cookies. diff --git a/browsers/edge/shortdesc/configure-do-not-track-shortdesc.md b/browsers/edge/shortdesc/configure-do-not-track-shortdesc.md index 68e1b83ac2..dd27fad917 100644 --- a/browsers/edge/shortdesc/configure-do-not-track-shortdesc.md +++ b/browsers/edge/shortdesc/configure-do-not-track-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge does not send ‘Do Not Track’ requests to websites asking for tracking information, but users can choose to send tracking information to sites they visit. With this policy, you can configure Microsoft Edge to send or never send tracking information. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge does not send ‘Do Not Track’ requests to websites asking for tracking information, but users can choose to send tracking information to sites they visit. With this policy, you can configure Microsoft Edge to send or never send tracking information. diff --git a/browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md b/browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md index f98aa94435..d13febee60 100644 --- a/browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md +++ b/browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have sites or apps that use this technology, you can configure Microsoft Edge to check the Enterprise Mode Site List XML file that lists the sites and domains with compatibility issues and switch to IE11 automatically. You can use the same site list for both Microsoft Edge and IE11, or you can use separate lists. By default, Microsoft Edge ignores the Enterprise Mode and the Enterprise Mode Site List XML file. In this case, users might experience problems while using legacy apps. These sites and domains must be viewed using Internet Explorer 11 and Enterprise Mode. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have sites or apps that use this technology, you can configure Microsoft Edge to check the Enterprise Mode Site List XML file that lists the sites and domains with compatibility issues and switch to IE11 automatically. You can use the same site list for both Microsoft Edge and IE11, or you can use separate lists. By default, Microsoft Edge ignores the Enterprise Mode and the Enterprise Mode Site List XML file. In this case, users might experience problems while using legacy apps. These sites and domains must be viewed using Internet Explorer 11 and Enterprise Mode. diff --git a/browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md b/browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md index 661818a582..8f16c20242 100644 --- a/browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md +++ b/browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge hides the favorites bar by default but shows it on the Start and New Tab pages. Also, by default, the Favorites Bar toggle, in Settings, is set to Off but enabled letting users make changes. With this policy, you can configure Microsoft Edge to either show or hide the Favorites Bar on all pages. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge hides the favorites bar by default but shows it on the Start and New Tab pages. Also, by default, the Favorites Bar toggle, in Settings, is set to Off but enabled letting users make changes. With this policy, you can configure Microsoft Edge to either show or hide the Favorites Bar on all pages. diff --git a/browsers/edge/shortdesc/configure-favorites-shortdesc.md b/browsers/edge/shortdesc/configure-favorites-shortdesc.md index 34e0cded8f..9317df97f3 100644 --- a/browsers/edge/shortdesc/configure-favorites-shortdesc.md +++ b/browsers/edge/shortdesc/configure-favorites-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Discontinued in Windows 10, version 1809. Use the **[Provision Favorites](../available-policies.md#provision-favorites)** policy instead. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Discontinued in Windows 10, version 1809. Use the **[Provision Favorites](../available-policies.md#provision-favorites)** policy instead. diff --git a/browsers/edge/shortdesc/configure-home-button-shortdesc.md b/browsers/edge/shortdesc/configure-home-button-shortdesc.md index 17d1b68784..c02a0dcee9 100644 --- a/browsers/edge/shortdesc/configure-home-button-shortdesc.md +++ b/browsers/edge/shortdesc/configure-home-button-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge shows the home button and by clicking it the Start page loads by default. With this policy, you can configure the home button to load the New Tab page or a URL defined in the Set Home Button URL policy. You can also configure Microsoft Edge to hide the home button. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge shows the home button and by clicking it the Start page loads by default. With this policy, you can configure the home button to load the New Tab page or a URL defined in the Set Home Button URL policy. You can also configure Microsoft Edge to hide the home button. diff --git a/browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md b/browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md index 37ca79a2c7..0247b490e6 100644 --- a/browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md +++ b/browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single-app or as one of many apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with a tailored experience for kiosks, or normal browsing in Microsoft Edge. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single-app or as one of many apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with a tailored experience for kiosks, or normal browsing in Microsoft Edge. diff --git a/browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md b/browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md index 767c933e7c..3a7657e544 100644 --- a/browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md +++ b/browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -You can configure Microsoft Edge kiosk mode to reset to the configured start experience after a specified amount of idle time in minutes (0-1440). The reset timer begins after the last user interaction. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge kiosk mode resets after 30 seconds. Resetting to the configured start experience deletes the current user’s browsing data. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +You can configure Microsoft Edge kiosk mode to reset to the configured start experience after a specified amount of idle time in minutes (0-1440). The reset timer begins after the last user interaction. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge kiosk mode resets after 30 seconds. Resetting to the configured start experience deletes the current user’s browsing data. diff --git a/browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md b/browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md index cf69dd8af8..8d1cc4f603 100644 --- a/browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md +++ b/browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge loads a specific page or pages defined in the Configure Start Pages policy and allow users to make changes. With this policy, you can configure Microsoft Edge to load either the Start page, New Tab page, previously opened pages. You can also configure Microsoft Edge to prevent users from changing or customizing the Start page. For this policy to work correctly, you must also configure the Configure Start Pages. If you want to prevent users from making changes, don’t configure the Disable Lockdown of Start Pages policy. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge loads a specific page or pages defined in the Configure Start Pages policy and allow users to make changes. With this policy, you can configure Microsoft Edge to load either the Start page, New Tab page, previously opened pages. You can also configure Microsoft Edge to prevent users from changing or customizing the Start page. For this policy to work correctly, you must also configure the Configure Start Pages. If you want to prevent users from making changes, don’t configure the Disable Lockdown of Start Pages policy. diff --git a/browsers/edge/shortdesc/configure-password-manager-shortdesc.md b/browsers/edge/shortdesc/configure-password-manager-shortdesc.md index f0b41c5b0f..0d3bd9b655 100644 --- a/browsers/edge/shortdesc/configure-password-manager-shortdesc.md +++ b/browsers/edge/shortdesc/configure-password-manager-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge uses Password Manager automatically, allowing users to manager passwords locally. Disabling this policy restricts Microsoft Edge from using Password Manager. Don’t configure this policy if you want to let users choose to save and manage passwords locally using Password Manager. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge uses Password Manager automatically, allowing users to manager passwords locally. Disabling this policy restricts Microsoft Edge from using Password Manager. Don’t configure this policy if you want to let users choose to save and manage passwords locally using Password Manager. diff --git a/browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md b/browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md index a34c788e1e..d15347179d 100644 --- a/browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md +++ b/browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md @@ -1,12 +1,12 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge turns off Pop-up Blocker, which opens pop-up windows. Enabling this policy turns on Pop-up Blocker preventing pop-up windows from opening. If you want users to choose to use Pop-up Blocker, don’t configure this policy. - +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge turns off Pop-up Blocker, which opens pop-up windows. Enabling this policy turns on Pop-up Blocker preventing pop-up windows from opening. If you want users to choose to use Pop-up Blocker, don’t configure this policy. + diff --git a/browsers/edge/shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md b/browsers/edge/shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md index 71b3e06d0d..2bdf42c6d3 100644 --- a/browsers/edge/shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md +++ b/browsers/edge/shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, users can choose to see search suggestions in the Address bar of Microsoft Edge. Disabling this policy hides the search suggestions and enabling this policy shows the search suggestions. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, users can choose to see search suggestions in the Address bar of Microsoft Edge. Disabling this policy hides the search suggestions and enabling this policy shows the search suggestions. diff --git a/browsers/edge/shortdesc/configure-start-pages-shortdesc.md b/browsers/edge/shortdesc/configure-start-pages-shortdesc.md index 6cf35edc0e..146511b737 100644 --- a/browsers/edge/shortdesc/configure-start-pages-shortdesc.md +++ b/browsers/edge/shortdesc/configure-start-pages-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge loads the pages specified in App settings as the default Start pages. With this policy, you can configure one or more Start pages when you enable this policy and enable the Configure Open Microsoft Edge With policy. Once you set the Start pages, either in this policy or Configure Open Microsoft Edge With policy, users cannot make changes. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge loads the pages specified in App settings as the default Start pages. With this policy, you can configure one or more Start pages when you enable this policy and enable the Configure Open Microsoft Edge With policy. Once you set the Start pages, either in this policy or Configure Open Microsoft Edge With policy, users cannot make changes. diff --git a/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md b/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md index 600d2e2986..62547e8955 100644 --- a/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md +++ b/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge uses Windows Defender SmartScreen (turned on) to protect users from potential phishing scams and malicious software by default. Also, by default, users cannot disable (turn off) Windows Defender SmartScreen. Enabling this policy turns on Windows Defender SmartScreen and prevent users from turning it off. Don’t configure this policy to let users choose to turn Windows defender SmartScreen on or off. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge uses Windows Defender SmartScreen (turned on) to protect users from potential phishing scams and malicious software by default. Also, by default, users cannot disable (turn off) Windows Defender SmartScreen. Enabling this policy turns on Windows Defender SmartScreen and prevent users from turning it off. Don’t configure this policy to let users choose to turn Windows defender SmartScreen on or off. diff --git a/browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md b/browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md index 3f0ebb72c4..37ff4011ad 100644 --- a/browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md +++ b/browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, the Start pages configured in either the Configure Start Pages policy or Configure Open Microsoft Edge policies cannot be changed and remain locked down. Enabling this policy unlocks the Start pages, and lets users make changes to either all configured Start page or any Start page configured with the Configure Start pages policy. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, the Start pages configured in either the Configure Start Pages policy or Configure Open Microsoft Edge policies cannot be changed and remain locked down. Enabling this policy unlocks the Start pages, and lets users make changes to either all configured Start page or any Start page configured with the Configure Start pages policy. diff --git a/browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md b/browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md index b269a7f3e3..f0cb07d514 100644 --- a/browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md +++ b/browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, the “browser” group syncs automatically between user’s devices and allowing users to choose to make changes. The “browser” group uses the _Sync your Settings_ option in Settings to sync information like history and favorites. Enabling this policy prevents the “browser” group from using the Sync your Settings option. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, the “browser” group syncs automatically between user’s devices and allowing users to choose to make changes. The “browser” group uses the _Sync your Settings_ option in Settings to sync information like history and favorites. Enabling this policy prevents the “browser” group from using the Sync your Settings option. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option. diff --git a/browsers/edge/shortdesc/do-not-sync-shortdesc.md b/browsers/edge/shortdesc/do-not-sync-shortdesc.md index 2fe09c0260..f61cc11548 100644 --- a/browsers/edge/shortdesc/do-not-sync-shortdesc.md +++ b/browsers/edge/shortdesc/do-not-sync-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge turns on the _Sync your settings_ toggle in **Settings > Device sync settings** letting users choose what to sync on their devices. Enabling this policy turns off and disables the _Sync your settings_ toggle preventing the syncing of user’s settings between their devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable this policy and select the _Allow users to turn syncing on_ option. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge turns on the _Sync your settings_ toggle in **Settings > Device sync settings** letting users choose what to sync on their devices. Enabling this policy turns off and disables the _Sync your settings_ toggle preventing the syncing of user’s settings between their devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable this policy and select the _Allow users to turn syncing on_ option. diff --git a/browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md b/browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md index 0b377e56b6..3bd062d263 100644 --- a/browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md +++ b/browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge does not sync the user’s favorites between IE and Microsoft Edge. Enabling this policy syncs favorites between Internet Explorer and Microsoft Edge. Changes to favorites in one browser reflect in the other, including additions, deletions, modifications, and ordering of favorites. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge does not sync the user’s favorites between IE and Microsoft Edge. Enabling this policy syncs favorites between Internet Explorer and Microsoft Edge. Changes to favorites in one browser reflect in the other, including additions, deletions, modifications, and ordering of favorites. diff --git a/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md b/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md index 4b4a459339..91065aa687 100644 --- a/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md +++ b/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md @@ -1,12 +1,12 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -[Microsoft browser extension policy](https://docs.microsoft.com/legal/windows/agreements/microsoft-browser-extension-policy): -This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +[Microsoft browser extension policy](https://docs.microsoft.com/legal/windows/agreements/microsoft-browser-extension-policy): +This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**. diff --git a/browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md b/browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md index 7bf20983de..5bf46ea949 100644 --- a/browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md +++ b/browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, users can access the about:flags page in Microsoft Edge, which is used to change developer settings and enable experimental features. Enabling this policy prevents users from accessing the about:flags page. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, users can access the about:flags page in Microsoft Edge, which is used to change developer settings and enable experimental features. Enabling this policy prevents users from accessing the about:flags page. diff --git a/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md b/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md index f6b222fde2..3676adbc89 100644 --- a/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md +++ b/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious files, allowing them to continue downloading the unverified file(s). Enabling this policy prevents users from bypassing the warnings, blocking them from downloading of the unverified file(s). +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious files, allowing them to continue downloading the unverified file(s). Enabling this policy prevents users from bypassing the warnings, blocking them from downloading of the unverified file(s). diff --git a/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md b/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md index d04429bef8..05bae5dac6 100644 --- a/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md +++ b/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious sites, allowing them to continue to the site. With this policy though, you can configure Microsoft Edge to prevent users from bypassing the warnings, blocking them from continuing to the site. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious sites, allowing them to continue to the site. With this policy though, you can configure Microsoft Edge to prevent users from bypassing the warnings, blocking them from continuing to the site. diff --git a/browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md b/browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md index c73e676517..675180c666 100644 --- a/browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md +++ b/browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge, by default, allows overriding of the security warnings to sites that have SSL errors, bypassing or ignoring certificate errors. Enabling this policy prevents overriding of the security warnings. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge, by default, allows overriding of the security warnings to sites that have SSL errors, bypassing or ignoring certificate errors. Enabling this policy prevents overriding of the security warnings. diff --git a/browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md b/browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md index b635ee64e8..33db87a522 100644 --- a/browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md +++ b/browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, users can add, import, and make changes to the Favorites list in Microsoft Edge. Enabling this policy locks down the Favorites list in Microsoft Edge, preventing users from making changes. When enabled, Microsoft Edge turns off the Save a Favorite, Import settings, and context menu items, such as Create a new folder. Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, users can add, import, and make changes to the Favorites list in Microsoft Edge. Enabling this policy locks down the Favorites list in Microsoft Edge, preventing users from making changes. When enabled, Microsoft Edge turns off the Save a Favorite, Import settings, and context menu items, such as Create a new folder. Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers. diff --git a/browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md b/browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md index bba9ec1ad5..30d9a48e8d 100644 --- a/browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md +++ b/browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge collects the Live Tile metadata and sends it to Microsoft to help provide users a complete experience when they pin Live Tiles to the Start menu. However, with this policy, you can configure Microsoft Edge to prevent Microsoft from collecting Live Tile metadata, providing users with a limited experience. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge collects the Live Tile metadata and sends it to Microsoft to help provide users a complete experience when they pin Live Tiles to the Start menu. However, with this policy, you can configure Microsoft Edge to prevent Microsoft from collecting Live Tile metadata, providing users with a limited experience. diff --git a/browsers/edge/shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md b/browsers/edge/shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md index c156c94126..9ed6170971 100644 --- a/browsers/edge/shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md +++ b/browsers/edge/shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, when launching Microsoft Edge for the first time, the First Run webpage (a welcome page) hosted on Microsoft.com loads automatically via an FWLINK. The welcome page lists the new features and helpful tips of Microsoft Edge. With this policy, you can configure Microsoft Edge to prevent loading the welcome page on first explicit user-launch. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, when launching Microsoft Edge for the first time, the First Run webpage (a welcome page) hosted on Microsoft.com loads automatically via an FWLINK. The welcome page lists the new features and helpful tips of Microsoft Edge. With this policy, you can configure Microsoft Edge to prevent loading the welcome page on first explicit user-launch. diff --git a/browsers/edge/shortdesc/prevent-turning-off-required-extensions-shortdesc.md b/browsers/edge/shortdesc/prevent-turning-off-required-extensions-shortdesc.md index 35b0859dc6..7264330137 100644 --- a/browsers/edge/shortdesc/prevent-turning-off-required-extensions-shortdesc.md +++ b/browsers/edge/shortdesc/prevent-turning-off-required-extensions-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge allows users to uninstall extensions by default. Enabling this policy prevents users from uninstalling extensions but lets them configure options for extensions defined in this policy, such as allowing InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. If you enabled this policy and now you want to disable it, the list of extension package family names (PFNs) defined in this policy get ignored after disabling this policy. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge allows users to uninstall extensions by default. Enabling this policy prevents users from uninstalling extensions but lets them configure options for extensions defined in this policy, such as allowing InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. If you enabled this policy and now you want to disable it, the list of extension package family names (PFNs) defined in this policy get ignored after disabling this policy. diff --git a/browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md b/browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md index 037c535aa8..e624de62e6 100644 --- a/browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md +++ b/browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. With this policy, though, you can prevent the “browser” group from syncing and prevent users from turning on the _Sync your Settings_ toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy. For this policy to work correctly, you must enable the Do not sync browser policy. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. With this policy, though, you can prevent the “browser” group from syncing and prevent users from turning on the _Sync your Settings_ toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy. For this policy to work correctly, you must enable the Do not sync browser policy. diff --git a/browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md b/browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md index 3a25de844f..5ef4bbdeca 100644 --- a/browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md +++ b/browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge shows localhost IP address while making calls using the WebRTC protocol. Enabling this policy hides the localhost IP addresses. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge shows localhost IP address while making calls using the WebRTC protocol. Enabling this policy hides the localhost IP addresses. diff --git a/browsers/edge/shortdesc/provision-favorites-shortdesc.md b/browsers/edge/shortdesc/provision-favorites-shortdesc.md index 0d84ac76c1..30b9677f92 100644 --- a/browsers/edge/shortdesc/provision-favorites-shortdesc.md +++ b/browsers/edge/shortdesc/provision-favorites-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, users can customize the Favorites list in Microsoft Edge. With this policy though, you provision a standard list of favorites, which can include folders, to appear in the Favorites list in addition to the user’s favorites. Edge. Once you provision the Favorites list, users cannot customize it, such as adding folders for organizing, and adding or removing any of the favorites configured. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, users can customize the Favorites list in Microsoft Edge. With this policy though, you provision a standard list of favorites, which can include folders, to appear in the Favorites list in addition to the user’s favorites. Edge. Once you provision the Favorites list, users cannot customize it, such as adding folders for organizing, and adding or removing any of the favorites configured. diff --git a/browsers/edge/shortdesc/search-provider-discovery-shortdesc.md b/browsers/edge/shortdesc/search-provider-discovery-shortdesc.md index 8524933996..8f54c4b93a 100644 --- a/browsers/edge/shortdesc/search-provider-discovery-shortdesc.md +++ b/browsers/edge/shortdesc/search-provider-discovery-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge follows the OpenSearch 1.1 specification to discover and use web search providers. When a user browses to a search service, the OpenSearch description is picked up and saved for later use. Users can then choose to add the search service to use in the Microsoft Edge address bar. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge follows the OpenSearch 1.1 specification to discover and use web search providers. When a user browses to a search service, the OpenSearch description is picked up and saved for later use. Users can then choose to add the search service to use in the Microsoft Edge address bar. diff --git a/browsers/edge/shortdesc/send-all-intranet-sites-to-ie-shortdesc.md b/browsers/edge/shortdesc/send-all-intranet-sites-to-ie-shortdesc.md index 3b17cd7e5f..787f96dd9b 100644 --- a/browsers/edge/shortdesc/send-all-intranet-sites-to-ie-shortdesc.md +++ b/browsers/edge/shortdesc/send-all-intranet-sites-to-ie-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, all websites, including intranet sites, open in Microsoft Edge automatically. Only enable this policy if there are known compatibility problems with Microsoft Edge. Enabling this policy loads only intranet sites in Internet Explorer 11 automatically. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, all websites, including intranet sites, open in Microsoft Edge automatically. Only enable this policy if there are known compatibility problems with Microsoft Edge. Enabling this policy loads only intranet sites in Internet Explorer 11 automatically. diff --git a/browsers/edge/shortdesc/set-default-search-engine-shortdesc.md b/browsers/edge/shortdesc/set-default-search-engine-shortdesc.md index 958dd67138..39b408d1b4 100644 --- a/browsers/edge/shortdesc/set-default-search-engine-shortdesc.md +++ b/browsers/edge/shortdesc/set-default-search-engine-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge uses the search engine specified in App settings, letting users make changes at any time unless the Allow search engine customization policy is disabled, which restricts users from making changes. With this policy, you can either remove or use the policy-set search engine. When you remove the policy-set search engine, Microsoft Edge uses the specified search engine for the market, which lets users make changes to the default search engine. You can use the policy-set search engine specified in the OpenSearch XML, which prevents users from making changes. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge uses the search engine specified in App settings, letting users make changes at any time unless the Allow search engine customization policy is disabled, which restricts users from making changes. With this policy, you can either remove or use the policy-set search engine. When you remove the policy-set search engine, Microsoft Edge uses the specified search engine for the market, which lets users make changes to the default search engine. You can use the policy-set search engine specified in the OpenSearch XML, which prevents users from making changes. diff --git a/browsers/edge/shortdesc/set-home-button-url-shortdesc.md b/browsers/edge/shortdesc/set-home-button-url-shortdesc.md index 67e62738a6..863cfdf84a 100644 --- a/browsers/edge/shortdesc/set-home-button-url-shortdesc.md +++ b/browsers/edge/shortdesc/set-home-button-url-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge shows the home button and loads the Start page, and locks down the home button to prevent users from changing what page loads. Enabling this policy loads a custom URL for the home button. When you enable this policy, and enable the Configure Home Button policy with the _Show home button & set a specific page_ option selected, a custom URL loads when the user clicks the home button. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge shows the home button and loads the Start page, and locks down the home button to prevent users from changing what page loads. Enabling this policy loads a custom URL for the home button. When you enable this policy, and enable the Configure Home Button policy with the _Show home button & set a specific page_ option selected, a custom URL loads when the user clicks the home button. diff --git a/browsers/edge/shortdesc/set-new-tab-url-shortdesc.md b/browsers/edge/shortdesc/set-new-tab-url-shortdesc.md index a909cbbdc7..5062d322e4 100644 --- a/browsers/edge/shortdesc/set-new-tab-url-shortdesc.md +++ b/browsers/edge/shortdesc/set-new-tab-url-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge loads the default New Tab page by default. Enabling this policy lets you set a New Tab page URL in Microsoft Edge, preventing users from changing it. When you enable this policy, and you disable the Allow web content on New Tab page policy, Microsoft Edge ignores any URL specified in this policy and opens about:blank. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge loads the default New Tab page by default. Enabling this policy lets you set a New Tab page URL in Microsoft Edge, preventing users from changing it. When you enable this policy, and you disable the Allow web content on New Tab page policy, Microsoft Edge ignores any URL specified in this policy and opens about:blank. diff --git a/browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md b/browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md index 5ae8a12782..1dc59094fd 100644 --- a/browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md +++ b/browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md @@ -1,10 +1,10 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- -Microsoft Edge does not show a notification before opening sites in Internet Explorer 11. However, with this policy, you can configure Microsoft Edge to display a notification before a site opens in IE11 or let users continue in Microsoft Edge. If you want users to continue in Microsoft Edge, enable this policy to show the _Keep going in Microsoft Edge_ link in the notification. For this policy to work correctly, you must also enable the Configure the Enterprise Mode Site List or Send all intranet sites to Internet Explorer 11, or both. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- +Microsoft Edge does not show a notification before opening sites in Internet Explorer 11. However, with this policy, you can configure Microsoft Edge to display a notification before a site opens in IE11 or let users continue in Microsoft Edge. If you want users to continue in Microsoft Edge, enable this policy to show the _Keep going in Microsoft Edge_ link in the notification. For this policy to work correctly, you must also enable the Configure the Enterprise Mode Site List or Send all intranet sites to Internet Explorer 11, or both. diff --git a/browsers/edge/shortdesc/unlock-home-button-shortdesc.md b/browsers/edge/shortdesc/unlock-home-button-shortdesc.md index 722998c5bf..0dd37009b6 100644 --- a/browsers/edge/shortdesc/unlock-home-button-shortdesc.md +++ b/browsers/edge/shortdesc/unlock-home-button-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, when you enable the Configure Home Button policy or provide a URL in the Set Home Button URL policy, Microsoft Edge locks down the home button to prevent users from changing the settings. When you enable this policy, users can make changes to the home button even if you enabled the Configure Home Button or Set Home Button URL policies. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, when you enable the Configure Home Button policy or provide a URL in the Set Home Button URL policy, Microsoft Edge locks down the home button to prevent users from changing the settings. When you enable this policy, users can make changes to the home button even if you enabled the Configure Home Button or Set Home Button URL policies. diff --git a/browsers/edge/troubleshooting-microsoft-edge.md b/browsers/edge/troubleshooting-microsoft-edge.md index 4adc94fcf4..ba351d8b48 100644 --- a/browsers/edge/troubleshooting-microsoft-edge.md +++ b/browsers/edge/troubleshooting-microsoft-edge.md @@ -1,37 +1,37 @@ ---- -title: Troubleshoot Microsoft Edge -description: -ms.assetid: -ms.reviewer: -manager: dansimp -author: eavena -ms.author: eravena -ms.prod: edge -ms.sitesec: library -title: Deploy Microsoft Edge kiosk mode -ms.localizationpriority: medium -ms.date: 10/15/2018 ---- - -# Troubleshoot Microsoft Edge - - -## Microsoft Edge and IPv6 -We are aware of the known issue with Microsoft Edge and all UWP-based apps, such as Store, Mail, Feedback Hub, and so on. It only happens if you have disabled IPv6 (not recommended), so a temporary workaround is to enable it. - -## Microsoft Edge hijacks .PDF and .HTM files - - - -## Citrix Receiver in Microsoft Edge kiosk mode -If you want to deliver applications to users via Citrix through Microsoft Edge, you must create the kiosk user account and then log into the account to install Citrix Receiver BEFORE setting up assigned access. - -1. Create the kiosk user account. -2. Log into the account. -3. Install Citrix Receiver. -4. Set up assigned access. - - -## Missing SettingSync.admx and SettingSync.adml files - -Make sure to [download](https://www.microsoft.com/en-us/download/windows.aspx) the latest templates to C:\windows\policydefinitions\. +--- +title: Troubleshoot Microsoft Edge +description: +ms.assetid: +ms.reviewer: +audience: itpro manager: dansimp +author: eavena +ms.author: eravena +ms.prod: edge +ms.sitesec: library +title: Deploy Microsoft Edge kiosk mode +ms.localizationpriority: medium +ms.date: 10/15/2018 +--- + +# Troubleshoot Microsoft Edge + + +## Microsoft Edge and IPv6 +We are aware of the known issue with Microsoft Edge and all UWP-based apps, such as Store, Mail, Feedback Hub, and so on. It only happens if you have disabled IPv6 (not recommended), so a temporary workaround is to enable it. + +## Microsoft Edge hijacks .PDF and .HTM files + + + +## Citrix Receiver in Microsoft Edge kiosk mode +If you want to deliver applications to users via Citrix through Microsoft Edge, you must create the kiosk user account and then log into the account to install Citrix Receiver BEFORE setting up assigned access. + +1. Create the kiosk user account. +2. Log into the account. +3. Install Citrix Receiver. +4. Set up assigned access. + + +## Missing SettingSync.admx and SettingSync.adml files + +Make sure to [download](https://www.microsoft.com/en-us/download/windows.aspx) the latest templates to C:\windows\policydefinitions\. diff --git a/browsers/edge/use-powershell-to manage-group-policy.md b/browsers/edge/use-powershell-to manage-group-policy.md index 58ce9b4d8c..4427c17e84 100644 --- a/browsers/edge/use-powershell-to manage-group-policy.md +++ b/browsers/edge/use-powershell-to manage-group-policy.md @@ -1,29 +1,29 @@ ---- -title: Use Windows PowerShell to manage group policy -description: -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -title: Security enhancements for Microsoft Edge (Microsoft Edge for IT Pros) -ms.localizationpriority: medium -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.author: eravena -author: eavena ---- - -# Use Windows PowerShell to manage group policy - -Windows PowerShell supports group policy automation of the same tasks you perform in Group Policy Management Console (GPMC) for domain-based group policy objects (GPOs): - -- Maintain GPOs (GPO creation, removal, backup, and import) -- Associate GPOs with Active Directory service containers (group policy link creation, update, and removal) -- Set permissions on GPOs -- Modify inheritance flags on Active Directory organization units (OUs) and domains -- Configure registry-based policy settings and group policy preferences registry settings (update, retrieval, and removal) -- Create starter GPOs - - - +--- +title: Use Windows PowerShell to manage group policy +description: +ms.prod: edge +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +title: Security enhancements for Microsoft Edge (Microsoft Edge for IT Pros) +ms.localizationpriority: medium +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: eravena +author: eavena +--- + +# Use Windows PowerShell to manage group policy + +Windows PowerShell supports group policy automation of the same tasks you perform in Group Policy Management Console (GPMC) for domain-based group policy objects (GPOs): + +- Maintain GPOs (GPO creation, removal, backup, and import) +- Associate GPOs with Active Directory service containers (group policy link creation, update, and removal) +- Set permissions on GPOs +- Modify inheritance flags on Active Directory organization units (OUs) and domains +- Configure registry-based policy settings and group policy preferences registry settings (update, retrieval, and removal) +- Create starter GPOs + + + diff --git a/browsers/edge/web-app-compat-toolkit.md b/browsers/edge/web-app-compat-toolkit.md index 29b12ada64..b502df7292 100644 --- a/browsers/edge/web-app-compat-toolkit.md +++ b/browsers/edge/web-app-compat-toolkit.md @@ -1,57 +1,57 @@ ---- -title: Web Application Compatibility lab kit -ms.reviewer: -manager: dansimp -description: Learn how to use the web application compatibility toolkit for Microsoft Edge. -ms.prod: edge -ms.topic: article -ms.manager: elizapo -author: eavena -ms.author: eravena -ms.localizationpriority: high ---- - -# Web Application Compatibility lab kit - ->Updated: October, 2017 - -Upgrading web applications to modern standards is the best long-term solution to ensure compatibility with today’s web browsers, but using backward compatibility can save time and money. Internet Explorer 11 has features that can ease your browser and operating system upgrades, reducing web application testing and remediation costs. On Windows 10, you can standardize on Microsoft Edge for faster, safer browsing and fall back to Internet Explorer 11 just for sites that need backward compatibility. - -The Web Application Compatibility Lab Kit is a primer for the features and techniques used to provide web application compatibility during a typical enterprise migration to Microsoft Edge. It walks you through how to configure and set up Enterprise Mode, leverage Enterprise Site Discovery, test web apps using the F12 developer tools, and manage the Enterprise Mode Site List. - -The Web Application Compatibility Lab Kit includes: - -- A pre-configured Windows 7 and Windows 10 virtual lab environment with: - - Windows 7 Enterprise Evaluation - - Windows 10 Enterprise Evaluation (version 1607) - - Enterprise Mode Site List Manager - - Enterprise Site Discovery Toolkit -- A "lite" lab option to run the lab on your own Windows 7 or Windows 10 operating system -- A step-by-step lab guide -- A web application compatibility overview video -- A white paper and IT Showcase studies - -Depending on your environment, your web apps may "just work” using the methods described below. Visit [Microsoft Edge Dev](https://developer.microsoft.com/microsoft-edge/) for tools and guidance for web developers. - -There are two versions of the lab kit available: - -- Full version (8 GB) - includes a complete virtual lab environment -- Lite version (400 MB) - includes guidance for running the Lab Kit on your own Windows 7 or Windows 10 operating system - -The Web Application Compatibility Lab Kit is also available in the following languages: - -- Chinese (Simplified) -- Chinese (Traditional) -- French -- German -- Italian -- Japanese -- Korean -- Portuguese (Brazil) -- Russian -- Spanish - -[DOWNLOAD THE LAB KIT](https://www.microsoft.com/evalcenter/evaluate-windows-10-web-application-compatibility-lab) - ->[!TIP] ->Please use a broad bandwidth to download this content to enhance your downloading experience. Lab environment requires 8 GB of available memory and 100 GB of free disk space. +--- +title: Web Application Compatibility lab kit +ms.reviewer: +audience: itpro manager: dansimp +description: Learn how to use the web application compatibility toolkit for Microsoft Edge. +ms.prod: edge +ms.topic: article +ms.manager: elizapo +author: eavena +ms.author: eravena +ms.localizationpriority: high +--- + +# Web Application Compatibility lab kit + +>Updated: October, 2017 + +Upgrading web applications to modern standards is the best long-term solution to ensure compatibility with today’s web browsers, but using backward compatibility can save time and money. Internet Explorer 11 has features that can ease your browser and operating system upgrades, reducing web application testing and remediation costs. On Windows 10, you can standardize on Microsoft Edge for faster, safer browsing and fall back to Internet Explorer 11 just for sites that need backward compatibility. + +The Web Application Compatibility Lab Kit is a primer for the features and techniques used to provide web application compatibility during a typical enterprise migration to Microsoft Edge. It walks you through how to configure and set up Enterprise Mode, leverage Enterprise Site Discovery, test web apps using the F12 developer tools, and manage the Enterprise Mode Site List. + +The Web Application Compatibility Lab Kit includes: + +- A pre-configured Windows 7 and Windows 10 virtual lab environment with: + - Windows 7 Enterprise Evaluation + - Windows 10 Enterprise Evaluation (version 1607) + - Enterprise Mode Site List Manager + - Enterprise Site Discovery Toolkit +- A "lite" lab option to run the lab on your own Windows 7 or Windows 10 operating system +- A step-by-step lab guide +- A web application compatibility overview video +- A white paper and IT Showcase studies + +Depending on your environment, your web apps may "just work” using the methods described below. Visit [Microsoft Edge Dev](https://developer.microsoft.com/microsoft-edge/) for tools and guidance for web developers. + +There are two versions of the lab kit available: + +- Full version (8 GB) - includes a complete virtual lab environment +- Lite version (400 MB) - includes guidance for running the Lab Kit on your own Windows 7 or Windows 10 operating system + +The Web Application Compatibility Lab Kit is also available in the following languages: + +- Chinese (Simplified) +- Chinese (Traditional) +- French +- German +- Italian +- Japanese +- Korean +- Portuguese (Brazil) +- Russian +- Spanish + +[DOWNLOAD THE LAB KIT](https://www.microsoft.com/evalcenter/evaluate-windows-10-web-application-compatibility-lab) + +>[!TIP] +>Please use a broad bandwidth to download this content to enhance your downloading experience. Lab environment requires 8 GB of available memory and 100 GB of free disk space. diff --git a/browsers/includes/available-duel-browser-experiences-include.md b/browsers/includes/available-duel-browser-experiences-include.md index 03e5488335..e506d779b2 100644 --- a/browsers/includes/available-duel-browser-experiences-include.md +++ b/browsers/includes/available-duel-browser-experiences-include.md @@ -1,22 +1,22 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -## Available dual-browser experiences -Based on the size of your legacy web app dependency, determined by the data collected with [Windows Upgrade Analytics](https://blogs.windows.com/windowsexperience/2016/09/26/new-windows-10-and-office-365-features-for-the-secure-productive-enterprise/), there are several options from which you can choose to configure your enterprise browsing environment: - -- Use Microsoft Edge as your primary browser. - -- Use Microsoft Edge as your primary browser and use Enterprise Mode to open sites in Internet Explorer 11 (IE11) that use IE proprietary technologies. - -- Use Microsoft Edge as your primary browser and open all intranet sites in IE11. - -- Use IE11 as your primary browser and use Enterprise Mode to open sites in Microsoft Edge that use modern web technologies. - -For more info about when to use which option, and which option is best for you, see the [Continuing to make it easier for Enterprise customers to upgrade to Internet Explorer 11 — and Windows 10](https://blogs.windows.com/msedgedev/2015/11/23/windows-10-1511-enterprise-improvements) blog. +--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +## Available dual-browser experiences +Based on the size of your legacy web app dependency, determined by the data collected with [Windows Upgrade Analytics](https://blogs.windows.com/windowsexperience/2016/09/26/new-windows-10-and-office-365-features-for-the-secure-productive-enterprise/), there are several options from which you can choose to configure your enterprise browsing environment: + +- Use Microsoft Edge as your primary browser. + +- Use Microsoft Edge as your primary browser and use Enterprise Mode to open sites in Internet Explorer 11 (IE11) that use IE proprietary technologies. + +- Use Microsoft Edge as your primary browser and open all intranet sites in IE11. + +- Use IE11 as your primary browser and use Enterprise Mode to open sites in Microsoft Edge that use modern web technologies. + +For more info about when to use which option, and which option is best for you, see the [Continuing to make it easier for Enterprise customers to upgrade to Internet Explorer 11 — and Windows 10](https://blogs.windows.com/msedgedev/2015/11/23/windows-10-1511-enterprise-improvements) blog. diff --git a/browsers/includes/helpful-topics-include.md b/browsers/includes/helpful-topics-include.md index e4a5e68376..9d4ab636ca 100644 --- a/browsers/includes/helpful-topics-include.md +++ b/browsers/includes/helpful-topics-include.md @@ -1,38 +1,38 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - -## Helpful information and additional resources -- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) - -- [Technical guidance, tools, and resources on Enterprise browsing](https://technet.microsoft.com/ie) - -- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501) - -- [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974) - -- [Use the Enterprise Mode Site List Manager](../enterprise-mode/use-the-enterprise-mode-site-list-manager.md) - -- [Collect data using Enterprise Site Discovery](../enterprise-mode/collect-data-using-enterprise-site-discovery.md) - -- [Web Application Compatibility Lab Kit](https://technet.microsoft.com/microsoft-edge/mt612809.aspx) - -- [Microsoft Services Support](https://www.microsoft.com/en-us/microsoftservices/support.aspx) - -- [Find a Microsoft partner on Pinpoint](https://partnercenter.microsoft.com/pcv/search) - - - - - -- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/browser/mt612809.aspx) -- [Download Internet Explorer 11](https://go.microsoft.com/fwlink/p/?linkid=290956) -- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](https://go.microsoft.com/fwlink/p/?LinkId=760646) -- [Fix web compatibility issues using document modes and the Enterprise Mode site list](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list) +--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +## Helpful information and additional resources +- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) + +- [Technical guidance, tools, and resources on Enterprise browsing](https://technet.microsoft.com/ie) + +- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501) + +- [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974) + +- [Use the Enterprise Mode Site List Manager](../enterprise-mode/use-the-enterprise-mode-site-list-manager.md) + +- [Collect data using Enterprise Site Discovery](../enterprise-mode/collect-data-using-enterprise-site-discovery.md) + +- [Web Application Compatibility Lab Kit](https://technet.microsoft.com/microsoft-edge/mt612809.aspx) + +- [Microsoft Services Support](https://www.microsoft.com/en-us/microsoftservices/support.aspx) + +- [Find a Microsoft partner on Pinpoint](https://partnercenter.microsoft.com/pcv/search) + + + + + +- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/browser/mt612809.aspx) +- [Download Internet Explorer 11](https://go.microsoft.com/fwlink/p/?linkid=290956) +- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](https://go.microsoft.com/fwlink/p/?LinkId=760646) +- [Fix web compatibility issues using document modes and the Enterprise Mode site list](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list) diff --git a/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md b/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md index 1954c6ad4e..22464cc569 100644 --- a/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md +++ b/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md @@ -1,22 +1,22 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager. - ->[!IMPORTANT] ->Importing your file overwrites everything that’s currently in the tool, so make sure it’s what want to do. - -1. In the Enterprise Mode Site List Manager, click **File \> Import**. - -2. Go to the exported .EMIE file.

For example, `C:\users\\documents\sites.emie` - -1. Click **Open**. - -2. Review the alert message about all of your entries being overwritten and click **Yes**. +--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager. + +>[!IMPORTANT] +>Importing your file overwrites everything that’s currently in the tool, so make sure it’s what want to do. + +1. In the Enterprise Mode Site List Manager, click **File \> Import**. + +2. Go to the exported .EMIE file.

For example, `C:\users\\documents\sites.emie` + +1. Click **Open**. + +2. Review the alert message about all of your entries being overwritten and click **Yes**. diff --git a/browsers/includes/interoperability-goals-enterprise-guidance.md b/browsers/includes/interoperability-goals-enterprise-guidance.md index fffc2e5480..04470d33af 100644 --- a/browsers/includes/interoperability-goals-enterprise-guidance.md +++ b/browsers/includes/interoperability-goals-enterprise-guidance.md @@ -1,41 +1,41 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/15/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -## Interoperability goals and enterprise guidance - -Our primary goal is that your websites work in Microsoft Edge. To that end, we've made Microsoft Edge the default browser. - -You must continue using IE11 if web apps use any of the following: - -* ActiveX controls - -* x-ua-compatible headers - -* <meta> tags with an http-equivalent value of X-UA-Compatible header - -* Enterprise mode or compatibility view to addressing compatibility issues - -* legacy document modes - -If you have uninstalled IE11, you can download it from the Microsoft Store or the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). Alternatively, you can use Enterprise Mode with Microsoft Edge to transition only the sites that need these technologies to load in IE11. - ->[!TIP] ->If you want to use Group Policy to set Internet Explorer as your default browser, you can find the info here, [Set the default browser using Group Policy](https://go.microsoft.com/fwlink/p/?LinkId=620714). - - -|Technology |Why it existed |Why we don't need it anymore | -|---------|---------|---------| -|ActiveX |ActiveX is a binary extension model introduced in 1996 which allowed developers to embed native Windows technologies (COM/OLE) in web pages. These controls can be downloaded and installed from a site and were subsequently loaded in-process and rendered in Internet Explorer. | | -|Browser Helper Objects (BHO) |BHOs are a binary extension model introduced in 1997 which enabled developers to write COM objects that were loaded in-process with the browser and could perform actions on available windows and modules. A common use was to build toolbars that installed into Internet Explorer. | | -|Document modes | Starting with IE8, Internet Explorer introduced a new “document mode” with every release. These document modes could be requested via the x-ua-compatible header to put the browser into a mode which emulates legacy versions. |Similar to other modern browsers, Microsoft Edge has a single “living” document mode. To minimize the compatibility burden, we test features behind switches in about:flags until stable and ready to be turned on by default. | - - ---- - +--- +author: eavena +ms.author: eravena +ms.date: 10/15/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +## Interoperability goals and enterprise guidance + +Our primary goal is that your websites work in Microsoft Edge. To that end, we've made Microsoft Edge the default browser. + +You must continue using IE11 if web apps use any of the following: + +* ActiveX controls + +* x-ua-compatible headers + +* <meta> tags with an http-equivalent value of X-UA-Compatible header + +* Enterprise mode or compatibility view to addressing compatibility issues + +* legacy document modes + +If you have uninstalled IE11, you can download it from the Microsoft Store or the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). Alternatively, you can use Enterprise Mode with Microsoft Edge to transition only the sites that need these technologies to load in IE11. + +>[!TIP] +>If you want to use Group Policy to set Internet Explorer as your default browser, you can find the info here, [Set the default browser using Group Policy](https://go.microsoft.com/fwlink/p/?LinkId=620714). + + +|Technology |Why it existed |Why we don't need it anymore | +|---------|---------|---------| +|ActiveX |ActiveX is a binary extension model introduced in 1996 which allowed developers to embed native Windows technologies (COM/OLE) in web pages. These controls can be downloaded and installed from a site and were subsequently loaded in-process and rendered in Internet Explorer. | | +|Browser Helper Objects (BHO) |BHOs are a binary extension model introduced in 1997 which enabled developers to write COM objects that were loaded in-process with the browser and could perform actions on available windows and modules. A common use was to build toolbars that installed into Internet Explorer. | | +|Document modes | Starting with IE8, Internet Explorer introduced a new “document mode” with every release. These document modes could be requested via the x-ua-compatible header to put the browser into a mode which emulates legacy versions. |Similar to other modern browsers, Microsoft Edge has a single “living” document mode. To minimize the compatibility burden, we test features behind switches in about:flags until stable and ready to be turned on by default. | + + +--- + diff --git a/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md index a9b94e0990..8fe62f2f79 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md +++ b/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md @@ -1,49 +1,49 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: How to use Group Policy to install ActiveX controls. -author: dansimp -ms.prod: ie11 -ms.assetid: 59185370-558c-47e0-930c-8a5ed657e9e3 -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: ActiveX installation using group policy (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Group Policy and ActiveX installation - -ActiveX controls are installed and invoked using the HTML object tag with the CODEBASE attribute. This attribute, through a URL, makes Internet Explorer: - -- Get the ActiveX control if it's not already installed. - -- Download the installation package. - -- Perform trust verification on the object. - -- Prompt for installation permission, using the IE Information Bar. - -During installation, the rendering page registers and invokes the control, so that after installation, any standard user can invoke the control. - -**Important**
ActiveX control installation requires administrator-level permissions. - -## Group Policy for the ActiveX Installer Service - -You use the ActiveX Installer Service (AXIS) and Group Policy to manage your ActiveX control deployment. The AXIS-related settings can be changed using either the Group Policy Management Console (GPMC) or the Local Group Policy Editor, and include: - -- **Approved Installation Sites for ActiveX Controls.** A list of approved installation sites used by AXIS to determine whether it can install a particular ActiveX control. - -- **ActiveX installation policy for sites in trusted zones.** Identifies how AXIS should behave when a website tries to install an ActiveX control. First, AXIS looks to see if the site appears in either the list of approved installation sites or in the **Trusted sites** zone. If the does, then AXIS checks to make sure the control meets your company's policy requirements. If the ActiveX control meets all of these requirements, the control is installed. - -For more information about the ActiveX Installer Service, see [Administering the ActiveX Installer Service in Windows 7](https://go.microsoft.com/fwlink/p/?LinkId=214503). - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: How to use Group Policy to install ActiveX controls. +author: dansimp +ms.prod: ie11 +ms.assetid: 59185370-558c-47e0-930c-8a5ed657e9e3 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: ActiveX installation using group policy (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Group Policy and ActiveX installation + +ActiveX controls are installed and invoked using the HTML object tag with the CODEBASE attribute. This attribute, through a URL, makes Internet Explorer: + +- Get the ActiveX control if it's not already installed. + +- Download the installation package. + +- Perform trust verification on the object. + +- Prompt for installation permission, using the IE Information Bar. + +During installation, the rendering page registers and invokes the control, so that after installation, any standard user can invoke the control. + +**Important**
ActiveX control installation requires administrator-level permissions. + +## Group Policy for the ActiveX Installer Service + +You use the ActiveX Installer Service (AXIS) and Group Policy to manage your ActiveX control deployment. The AXIS-related settings can be changed using either the Group Policy Management Console (GPMC) or the Local Group Policy Editor, and include: + +- **Approved Installation Sites for ActiveX Controls.** A list of approved installation sites used by AXIS to determine whether it can install a particular ActiveX control. + +- **ActiveX installation policy for sites in trusted zones.** Identifies how AXIS should behave when a website tries to install an ActiveX control. First, AXIS looks to see if the site appears in either the list of approved installation sites or in the **Trusted sites** zone. If the does, then AXIS checks to make sure the control meets your company's policy requirements. If the ActiveX control meets all of these requirements, the control is installed. + +For more information about the ActiveX Installer Service, see [Administering the ActiveX Installer Service in Windows 7](https://go.microsoft.com/fwlink/p/?LinkId=214503). + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md index da48e06a3b..664bc596e1 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md @@ -1,68 +1,68 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Details about how to add employees to the Enterprise Mode Site List Portal. -author: dansimp -ms.prod: ie11 -title: Add employees to the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp -ms.author: dansimp ---- - -# Add employees to the Enterprise Mode Site List Portal - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -After you get the Enterprise Mode Site List Portal up and running, you must add your employees. During this process, you'll also assign roles and groups. - -The available roles are: - -- **Requester.** The primary role to assign to employees that need to access the Enterprise Mode Site List Portal. The Requester can create change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal change requests, and sign off and close personal change requests. - -- **App Manager.** This role is considered part of the Approvers group. The App Manager can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests. - -- **Group Head.** This role is considered part of the Approvers group. The Group Head can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests. - -- **Administrator.** The role with the highest-level rights; we recommend limiting the number of employees you grant this role. The Administrator can perform any task that can be performed by the other roles, in addition to adding employees to the portal, assigning employee roles, approving registrations to the portal, configuring portal settings (for example, determining the freeze schedule, determining the pre-production and production XML paths, and determining the attachment upload location), and using the standalone Enterprise Mode Site List Manager page. - -**To add an employee to the Enterprise Mode Site List Portal** -1. Open the Enterprise Mode Site List Portal and click the **Employee Management** icon in the upper-right area of the page. - - The **Employee management** page appears. - -2. Click **Add a new employee**. - - The **Add a new employee** page appears. - -3. Fill out the fields for each employee, including: - - - **Email.** Add the employee's email address. - - - **Name.** This box autofills based on the email address. - - - **Role.** Pick a single role for the employee, based on the list above. - - - **Group name.** Pick the name of the employee's group. The group association also assigns a group of Approvers. - - - **Comments.** Add optional comments about the employee. - - - **Active.** Click the check box to make the employee active in the system. If you want to keep the employee in the system, but you want to prevent access, clear this check box. - -4. Click **Save**. - -**To export all employees to an Excel spreadsheet** -1. On the **Employee management** page, click **Export to Excel**. - -2. Save the EnterpriseModeUsersList.xlsx file. - - The Excel file includes all employees with access to the Enterprise Mode Site List Portal, including user name, email address, role, and group name. +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how to add employees to the Enterprise Mode Site List Portal. +author: dansimp +ms.prod: ie11 +title: Add employees to the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +--- + +# Add employees to the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +After you get the Enterprise Mode Site List Portal up and running, you must add your employees. During this process, you'll also assign roles and groups. + +The available roles are: + +- **Requester.** The primary role to assign to employees that need to access the Enterprise Mode Site List Portal. The Requester can create change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal change requests, and sign off and close personal change requests. + +- **App Manager.** This role is considered part of the Approvers group. The App Manager can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests. + +- **Group Head.** This role is considered part of the Approvers group. The Group Head can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests. + +- **Administrator.** The role with the highest-level rights; we recommend limiting the number of employees you grant this role. The Administrator can perform any task that can be performed by the other roles, in addition to adding employees to the portal, assigning employee roles, approving registrations to the portal, configuring portal settings (for example, determining the freeze schedule, determining the pre-production and production XML paths, and determining the attachment upload location), and using the standalone Enterprise Mode Site List Manager page. + +**To add an employee to the Enterprise Mode Site List Portal** +1. Open the Enterprise Mode Site List Portal and click the **Employee Management** icon in the upper-right area of the page. + + The **Employee management** page appears. + +2. Click **Add a new employee**. + + The **Add a new employee** page appears. + +3. Fill out the fields for each employee, including: + + - **Email.** Add the employee's email address. + + - **Name.** This box autofills based on the email address. + + - **Role.** Pick a single role for the employee, based on the list above. + + - **Group name.** Pick the name of the employee's group. The group association also assigns a group of Approvers. + + - **Comments.** Add optional comments about the employee. + + - **Active.** Click the check box to make the employee active in the system. If you want to keep the employee in the system, but you want to prevent access, clear this check box. + +4. Click **Save**. + +**To export all employees to an Excel spreadsheet** +1. On the **Employee management** page, click **Export to Excel**. + +2. Save the EnterpriseModeUsersList.xlsx file. + + The Excel file includes all employees with access to the Enterprise Mode Site List Portal, including user name, email address, role, and group name. diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md index ab6bed0da5..8ead60630e 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md @@ -1,112 +1,112 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the Bulk add from file area of the Enterprise Mode Site List Manager. -author: dansimp -ms.prod: ie11 -ms.assetid: 20aF07c4-051a-451f-9c46-5a052d9Ae27c -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) - -**Applies to:** - -- Windows 8.1 -- Windows 7 - -You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the **Bulk add from file** area of the Enterprise Mode Site List Manager. You can only add specific URLs, not Internet or Intranet Zones. - -If you want to add your websites one at a time, see Add sites to the [Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md). - -## Create an Enterprise Mode site list (TXT) file -You can create and use a custom text file to add multiple sites to your Enterprise Mode site list at the same time.

**Important**
This text file is only lets you add multiple sites at the same time. You can’t use this file to deploy Enterprise Mode into your company. - -You must separate each site using commas or carriage returns. For example: - -``` -microsoft.com, bing.com, bing.com/images -``` -**-OR-** - -``` -microsoft.com -bing.com -bing.com/images -``` - -## Create an Enterprise Mode site list (XML) file using the v.1 version of the Enterprise Mode schema -You can create and use a custom XML file with the Enterprise Mode Site List Manager to add multiple sites to your Enterprise Mode site list at the same time. For more info about the v.1 version of the Enterprise Mode schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). - -Each XML file must include: - -- **Version number.** This number must be incremented with each version of the Enterprise Mode site list, letting Internet Explorer know whether the list is new. Approximately 65 seconds after Internet Explorer 11 starts, it compares your site list version to the stored version number. If your file has a higher number, the newer version is loaded.

**Important**
After this check, IE11 won’t look for an updated list again until you restart the browser. - -- **<emie> tag.** This tag specifies the domains and domain paths that must be rendered using IE7 Enterprise Mode, IE8 Enterprise Mode, or the default IE11 browser environment.

**Important**
If you decide a site requires IE7 Enterprise Mode, you must add `forceCompatView=”true”` to your XML file. That code tells Enterprise Mode to check for a `DOCTYPE` tag on the specified webpage. If there is, the site renders using Windows Internet Explorer 7. If there’s no tag, the site renders using Microsoft Internet Explorer 5. - -- <docMode> tag.This tag specifies the domains and domain paths that need either to appear using the specific doc mode you assigned to the site. Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). - -### Enterprise Mode v.1 XML schema example -The following is an example of what your XML file should look like when you’re done adding your sites. For more info about how to create your XML file, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). - -``` - - - www.cpandl.com - www.woodgrovebank.com - adatum.com - contoso.com - relecloud.com - /about - - fabrikam.com - /products - - - - contoso.com - /travel - - fabrikam.com - /products - - - -``` - -To make sure your site list is up-to-date; wait 65 seconds after opening IE and then check that the `CurrentVersion` value in the `HKEY\CURRENT\USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode\` registry key matches the version number in your file.

**Important**
If `CurrentVersion` is not set or is wrong, it means that the XML parsing failed. This can mean that the XML file isn’t there, that there are access problems, or that the XML file format is wrong. Don’t manually change the `CurrentVersion` registry setting. You must make your changes to your site list and then update the list using the import function in the Enterprise Mode Site List Manager (. - -## Add multiple sites to the Enterprise Mode Site List Manager (schema v.1) -After you create your .xml or .txt file, you can bulk add the sites to the Enterprise Mode Site List Manager (schema v.1). - - **To add multiple sites** - -1. In the Enterprise Mode Site List Manager (schema v.1), click **Bulk add from file**. - -2. Go to your site list (either .txt or .xml) to add the included sites to the tool, and then click **Open**.

-Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). - -3. Click **OK** to close the **Bulk add sites to the list** menu. - -4. On the **File** menu, click **Save to XML**, and save your file.

-You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md). - -## Next steps -After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). - -## Related topics -- [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the Bulk add from file area of the Enterprise Mode Site List Manager. +author: dansimp +ms.prod: ie11 +ms.assetid: 20aF07c4-051a-451f-9c46-5a052d9Ae27c +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) + +**Applies to:** + +- Windows 8.1 +- Windows 7 + +You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the **Bulk add from file** area of the Enterprise Mode Site List Manager. You can only add specific URLs, not Internet or Intranet Zones. + +If you want to add your websites one at a time, see Add sites to the [Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md). + +## Create an Enterprise Mode site list (TXT) file +You can create and use a custom text file to add multiple sites to your Enterprise Mode site list at the same time.

**Important**
This text file is only lets you add multiple sites at the same time. You can’t use this file to deploy Enterprise Mode into your company. + +You must separate each site using commas or carriage returns. For example: + +``` +microsoft.com, bing.com, bing.com/images +``` +**-OR-** + +``` +microsoft.com +bing.com +bing.com/images +``` + +## Create an Enterprise Mode site list (XML) file using the v.1 version of the Enterprise Mode schema +You can create and use a custom XML file with the Enterprise Mode Site List Manager to add multiple sites to your Enterprise Mode site list at the same time. For more info about the v.1 version of the Enterprise Mode schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). + +Each XML file must include: + +- **Version number.** This number must be incremented with each version of the Enterprise Mode site list, letting Internet Explorer know whether the list is new. Approximately 65 seconds after Internet Explorer 11 starts, it compares your site list version to the stored version number. If your file has a higher number, the newer version is loaded.

**Important**
After this check, IE11 won’t look for an updated list again until you restart the browser. + +- **<emie> tag.** This tag specifies the domains and domain paths that must be rendered using IE7 Enterprise Mode, IE8 Enterprise Mode, or the default IE11 browser environment.

**Important**
If you decide a site requires IE7 Enterprise Mode, you must add `forceCompatView=”true”` to your XML file. That code tells Enterprise Mode to check for a `DOCTYPE` tag on the specified webpage. If there is, the site renders using Windows Internet Explorer 7. If there’s no tag, the site renders using Microsoft Internet Explorer 5. + +- <docMode> tag.This tag specifies the domains and domain paths that need either to appear using the specific doc mode you assigned to the site. Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). + +### Enterprise Mode v.1 XML schema example +The following is an example of what your XML file should look like when you’re done adding your sites. For more info about how to create your XML file, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). + +``` + + + www.cpandl.com + www.woodgrovebank.com + adatum.com + contoso.com + relecloud.com + /about + + fabrikam.com + /products + + + + contoso.com + /travel + + fabrikam.com + /products + + + +``` + +To make sure your site list is up-to-date; wait 65 seconds after opening IE and then check that the `CurrentVersion` value in the `HKEY\CURRENT\USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode\` registry key matches the version number in your file.

**Important**
If `CurrentVersion` is not set or is wrong, it means that the XML parsing failed. This can mean that the XML file isn’t there, that there are access problems, or that the XML file format is wrong. Don’t manually change the `CurrentVersion` registry setting. You must make your changes to your site list and then update the list using the import function in the Enterprise Mode Site List Manager (. + +## Add multiple sites to the Enterprise Mode Site List Manager (schema v.1) +After you create your .xml or .txt file, you can bulk add the sites to the Enterprise Mode Site List Manager (schema v.1). + + **To add multiple sites** + +1. In the Enterprise Mode Site List Manager (schema v.1), click **Bulk add from file**. + +2. Go to your site list (either .txt or .xml) to add the included sites to the tool, and then click **Open**.

+Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). + +3. Click **OK** to close the **Bulk add sites to the list** menu. + +4. On the **File** menu, click **Save to XML**, and save your file.

+You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md). + +## Next steps +After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). + +## Related topics +- [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md index 6286b356ea..f351c57bb9 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md @@ -1,122 +1,122 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Add multiple sites to your Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2). -author: dansimp -ms.prod: ie11 -ms.assetid: da659ff5-70d5-4852-995e-4df67c4871dd -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2) (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 10/24/2017 ---- - - -# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2) - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 - -You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the **Bulk add from file** area of the Enterprise Mode Site List Manager (schema v.2). You can only add specific URLs, not Internet or Intranet Zones. - -To add your websites one at a time, see [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md). - -## Create an Enterprise Mode site list (TXT) file - -You can create and use a custom text file with the Enterprise Mode Site List Manager (schema v.2) to add multiple sites to your Enterprise Mode site list at the same time. - ->**Important:**
This text file is only lets you add multiple sites at the same time. You can’t use this file to deploy Enterprise Mode into your company. - -You must separate each site using commas or carriage returns. For example: - -``` -microsoft.com, bing.com, bing.com/images -``` -**-OR-** - -``` -microsoft.com -bing.com -bing.com/images -``` - -## Create an Enterprise Mode site list (XML) file using the v.2 version of the Enterprise Mode schema - -You can create and use a custom XML file with the Enterprise Mode Site List Manager (schema v.2) to add multiple sites to your Enterprise Mode site list at the same time. - -Each XML file must include: - -- **site-list version number**. This number must be incremented with each version of the Enterprise Mode site list, letting Internet Explorer know whether the list is new. Approximately 65 seconds after Internet Explorer 11 starts, it compares your site list version to the stored version number. If your file has a higher number, the newer version is loaded.

**Important**
After this check, IE11 won’t look for an updated list again until you restart the browser.  - -- **<compat-mode> tag.** This tag specifies what compatibility setting are used for specific sites or domains. - -- **<open-in> tag.** This tag specifies what browser opens for each sites or domain. - -### Enterprise Mode v.2 XML schema example - -The following is an example of what your XML file should look like when you’re done adding your sites. For more info about how to create your XML file, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md). - -``` - - - - EnterpriseSitelistManager - 10240 - 20150728.135021 - - - - IE8Enterprise - MSEdge - - - IE7Enterprise - IE11 - - - default - IE11 - - -``` -In the above example, the following is true: - -- www.cpandl.com, as the main domain, must use IE8 Enterprise Mode. However, www.cpandl.com/images must use IE7 Enterprise Mode. - -- contoso.com, and all of its domain paths, can use the default compatibility mode for the site. - -To make sure your site list is up-to-date; wait 65 seconds after opening IE and then check that the `CurrentVersion` value in the `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode\` registry key matches the version number in your file.

**Important**
If `CurrentVersion` is not set or is wrong, it means that the XML parsing failed. This can mean that the XML file isn’t there, that there are access problems, or that the XML file format is wrong. Don’t manually change the `CurrentVersion` registry setting. You must make your changes to your site list and then update the list using the import function in the Enterprise Mode Site List Manager (schema v.2). - -## Add multiple sites to the Enterprise Mode Site List Manager (schema v.2) -After you create your .xml or .txt file, you can bulk add the sites to the Enterprise Mode Site List Manager (schema v.2). - - **To add multiple sites** - -1. In the Enterprise Mode Site List Manager (schema v.2), click **Bulk add from file**. - -2. Go to your site list (either .txt or .xml) to add the included sites to the tool, and then click **Open**.

-Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md). - -3. Click **OK** to close the **Bulk add sites to the list** menu. - -4. On the **File** menu, click **Save to XML**, and save your file.

-You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md). - -## Next steps -After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). - -## Related topics -- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Add multiple sites to your Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2). +author: dansimp +ms.prod: ie11 +ms.assetid: da659ff5-70d5-4852-995e-4df67c4871dd +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2) (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 10/24/2017 +--- + + +# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2) + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 + +You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the **Bulk add from file** area of the Enterprise Mode Site List Manager (schema v.2). You can only add specific URLs, not Internet or Intranet Zones. + +To add your websites one at a time, see [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md). + +## Create an Enterprise Mode site list (TXT) file + +You can create and use a custom text file with the Enterprise Mode Site List Manager (schema v.2) to add multiple sites to your Enterprise Mode site list at the same time. + +>**Important:**
This text file is only lets you add multiple sites at the same time. You can’t use this file to deploy Enterprise Mode into your company. + +You must separate each site using commas or carriage returns. For example: + +``` +microsoft.com, bing.com, bing.com/images +``` +**-OR-** + +``` +microsoft.com +bing.com +bing.com/images +``` + +## Create an Enterprise Mode site list (XML) file using the v.2 version of the Enterprise Mode schema + +You can create and use a custom XML file with the Enterprise Mode Site List Manager (schema v.2) to add multiple sites to your Enterprise Mode site list at the same time. + +Each XML file must include: + +- **site-list version number**. This number must be incremented with each version of the Enterprise Mode site list, letting Internet Explorer know whether the list is new. Approximately 65 seconds after Internet Explorer 11 starts, it compares your site list version to the stored version number. If your file has a higher number, the newer version is loaded.

**Important**
After this check, IE11 won’t look for an updated list again until you restart the browser.  + +- **<compat-mode> tag.** This tag specifies what compatibility setting are used for specific sites or domains. + +- **<open-in> tag.** This tag specifies what browser opens for each sites or domain. + +### Enterprise Mode v.2 XML schema example + +The following is an example of what your XML file should look like when you’re done adding your sites. For more info about how to create your XML file, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md). + +``` + + + + EnterpriseSitelistManager + 10240 + 20150728.135021 + + + + IE8Enterprise + MSEdge + + + IE7Enterprise + IE11 + + + default + IE11 + + +``` +In the above example, the following is true: + +- www.cpandl.com, as the main domain, must use IE8 Enterprise Mode. However, www.cpandl.com/images must use IE7 Enterprise Mode. + +- contoso.com, and all of its domain paths, can use the default compatibility mode for the site. + +To make sure your site list is up-to-date; wait 65 seconds after opening IE and then check that the `CurrentVersion` value in the `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode\` registry key matches the version number in your file.

**Important**
If `CurrentVersion` is not set or is wrong, it means that the XML parsing failed. This can mean that the XML file isn’t there, that there are access problems, or that the XML file format is wrong. Don’t manually change the `CurrentVersion` registry setting. You must make your changes to your site list and then update the list using the import function in the Enterprise Mode Site List Manager (schema v.2). + +## Add multiple sites to the Enterprise Mode Site List Manager (schema v.2) +After you create your .xml or .txt file, you can bulk add the sites to the Enterprise Mode Site List Manager (schema v.2). + + **To add multiple sites** + +1. In the Enterprise Mode Site List Manager (schema v.2), click **Bulk add from file**. + +2. Go to your site list (either .txt or .xml) to add the included sites to the tool, and then click **Open**.

+Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md). + +3. Click **OK** to close the **Bulk add sites to the list** menu. + +4. On the **File** menu, click **Save to XML**, and save your file.

+You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md). + +## Next steps +After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md index 06f0afe48d..8b8435daff 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md @@ -1,66 +1,66 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that's designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. -author: dansimp -ms.prod: ie11 -ms.assetid: 042e44e8-568d-4717-8fd3-69dd198bbf26 -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1) - -**Applies to:** - -- Windows 8.1 -- Windows 7 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.

**Important**
You can only add specific URLs, not Internet or Intranet Zones. - -

Note
If you need to include a lot of sites, instead of adding them one at a time, you can create a list of websites and add them all at the same time. For more information, see Add multiple sites to the Enterprise Mode site list using a file and the Windows 7 and 8.1 Enterprise Mode Site List Manager. - -## Adding a site to your compatibility list -You can add individual sites to your compatibility list by using the Enterprise Mode Site List Manager. -

Note
If you're using the v.2 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1). For more info, see Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2). - - **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.1)** - -1. In the Enterprise Mode Site List Manager (schema v.1), click **Add**. - -2. Type the URL for the website that’s experiencing compatibility problems, like *<domain>.com* or *<domain>.com*/*<path>* into the **URL** box.

-Don't include the `https://` or `https://` designation. The tool automatically tries both versions during validation. - -3. Type any comments about the website into the **Notes about URL** box.

-Administrators can only see comments while they’re in this tool. - -4. Choose **IE7 Enterprise Mode**, **IE8 Enterprise Mode**, or the appropriate document mode for sites that must be rendered using the emulation of a previous version of IE, or pick **Default IE** if the site should use the latest version of IE. - -The path within a domain can require a different compatibility mode from the domain itself. For example, the domain might look fine in the default IE11 browser, but the path might have problems and require the use of Enterprise Mode. If you added the domain previously, your original compatibility choice is still selected. However, if the domain is new, **IE8 Enterprise Mode** is automatically selected. - -Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). - -5. Click **Save** to validate your website and to add it to the site list for your enterprise.

- If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway. - -6. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.

- You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). - -## Next steps -After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). - -## Related topics -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that's designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. +author: dansimp +ms.prod: ie11 +ms.assetid: 042e44e8-568d-4717-8fd3-69dd198bbf26 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1) + +**Applies to:** + +- Windows 8.1 +- Windows 7 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.

**Important**
You can only add specific URLs, not Internet or Intranet Zones. + +

Note
If you need to include a lot of sites, instead of adding them one at a time, you can create a list of websites and add them all at the same time. For more information, see Add multiple sites to the Enterprise Mode site list using a file and the Windows 7 and 8.1 Enterprise Mode Site List Manager. + +## Adding a site to your compatibility list +You can add individual sites to your compatibility list by using the Enterprise Mode Site List Manager. +

Note
If you're using the v.2 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1). For more info, see Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2). + + **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.1)** + +1. In the Enterprise Mode Site List Manager (schema v.1), click **Add**. + +2. Type the URL for the website that’s experiencing compatibility problems, like *<domain>.com* or *<domain>.com*/*<path>* into the **URL** box.

+Don't include the `https://` or `https://` designation. The tool automatically tries both versions during validation. + +3. Type any comments about the website into the **Notes about URL** box.

+Administrators can only see comments while they’re in this tool. + +4. Choose **IE7 Enterprise Mode**, **IE8 Enterprise Mode**, or the appropriate document mode for sites that must be rendered using the emulation of a previous version of IE, or pick **Default IE** if the site should use the latest version of IE. + +The path within a domain can require a different compatibility mode from the domain itself. For example, the domain might look fine in the default IE11 browser, but the path might have problems and require the use of Enterprise Mode. If you added the domain previously, your original compatibility choice is still selected. However, if the domain is new, **IE8 Enterprise Mode** is automatically selected. + +Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). + +5. Click **Save** to validate your website and to add it to the site list for your enterprise.

+ If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway. + +6. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.

+ You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). + +## Next steps +After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md index 481ddaa91a..46a8edef5e 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md @@ -1,82 +1,82 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that''s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. -author: dansimp -ms.prod: ie11 -ms.assetid: 513e8f3b-fedf-4d57-8d81-1ea4fdf1ac0b -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2) (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2) - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 - -Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.

**Important**
You can only add specific URLs, not Internet or Intranet Zones. - -

Note
If you need to include a lot of sites, instead of adding them one at a time, you can create a list of websites and add them all at the same time. For more information, see the Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2) or the Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) topic, based on your operating system. - -## Adding a site to your compatibility list -You can add individual sites to your compatibility list by using the Enterprise Mode Site List Manager.

-**Note**
If you're using the v.1 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1). For more info, see [Add sites to the Enterprise Mode site list using the WEnterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md). - - **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.2)** - -1. In the Enterprise Mode Site List Manager (schema v.2), click **Add**. - -2. Type the URL for the website that’s experiencing compatibility problems, like *<domain>.com* or *<domain>.com*/*<path>* into the **URL** box.

- Don't include the `https://` or `https://` designation. The tool automatically tries both versions during validation. - -3. Type any comments about the website into the **Notes about URL** box.

- Administrators can only see comments while they’re in this tool. - -4. In the **Compat Mode** box, choose one of the following: - - - **IE8Enterprise**. Loads the site in IE8 Enterprise Mode. - - - **IE7Enterprise**. Loads the site in IE7 Enterprise Mode. - - - **IE\[*x*\]**. Where \[x\] is the document mode number and the site loads in the specified document mode. - - - **Default Mode**. Loads the site using the default compatibility mode for the page. - - The path within a domain can require a different compatibility mode from the domain itself. For example, the domain might look fine in the default IE11 browser, but the path might have problems and require the use of Enterprise Mode. If you added the domain previously, your original compatibility choice is still selected. However, if the domain is new, **IE8 Enterprise Mode** is automatically selected. - - Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). - -5. In conjunction with the compatibility mode, you'll need to use the **Open in** box to pick which browser opens the site. - - - **IE11**. Opens the site in IE11, regardless of which browser is opened by the employee. - - - **MSEdge**. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee. - - - **None**. Opens in whatever browser the employee chooses. - -6. Click **Save** to validate your website and to add it to the site list for your enterprise.

- If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway. - -7. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.

- You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). - -## Next steps -After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). - -## Related topics -- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that''s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. +author: dansimp +ms.prod: ie11 +ms.assetid: 513e8f3b-fedf-4d57-8d81-1ea4fdf1ac0b +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2) (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2) + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 + +Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.

**Important**
You can only add specific URLs, not Internet or Intranet Zones. + +

Note
If you need to include a lot of sites, instead of adding them one at a time, you can create a list of websites and add them all at the same time. For more information, see the Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2) or the Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) topic, based on your operating system. + +## Adding a site to your compatibility list +You can add individual sites to your compatibility list by using the Enterprise Mode Site List Manager.

+**Note**
If you're using the v.1 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1). For more info, see [Add sites to the Enterprise Mode site list using the WEnterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md). + + **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.2)** + +1. In the Enterprise Mode Site List Manager (schema v.2), click **Add**. + +2. Type the URL for the website that’s experiencing compatibility problems, like *<domain>.com* or *<domain>.com*/*<path>* into the **URL** box.

+ Don't include the `https://` or `https://` designation. The tool automatically tries both versions during validation. + +3. Type any comments about the website into the **Notes about URL** box.

+ Administrators can only see comments while they’re in this tool. + +4. In the **Compat Mode** box, choose one of the following: + + - **IE8Enterprise**. Loads the site in IE8 Enterprise Mode. + + - **IE7Enterprise**. Loads the site in IE7 Enterprise Mode. + + - **IE\[*x*\]**. Where \[x\] is the document mode number and the site loads in the specified document mode. + + - **Default Mode**. Loads the site using the default compatibility mode for the page. + + The path within a domain can require a different compatibility mode from the domain itself. For example, the domain might look fine in the default IE11 browser, but the path might have problems and require the use of Enterprise Mode. If you added the domain previously, your original compatibility choice is still selected. However, if the domain is new, **IE8 Enterprise Mode** is automatically selected. + + Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). + +5. In conjunction with the compatibility mode, you'll need to use the **Open in** box to pick which browser opens the site. + + - **IE11**. Opens the site in IE11, regardless of which browser is opened by the employee. + + - **MSEdge**. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee. + + - **None**. Opens in whatever browser the employee chooses. + +6. Click **Save** to validate your website and to add it to the site list for your enterprise.

+ If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway. + +7. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.

+ You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). + +## Next steps +After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md index 4ad92662d8..f08c08fcdb 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md @@ -1,82 +1,82 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: Administrative templates and Internet Explorer 11 -author: dansimp -ms.prod: ie11 -ms.assetid: 2b390786-f786-41cc-bddc-c55c8a4c5af3 -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Administrative templates and Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Administrative templates and Internet Explorer 11 - -Administrative Templates are made up of a hierarchy of policy categories and subcategories that define how your policy settings appear in the Local Group Policy Editor, including: - -- What registry locations correspond to each setting. - -- What value options or restrictions are associated with each setting. - -- The default value for many settings. - -- Text explanations about each setting and the supported version of Internet Explorer. - -For a conceptual overview of Administrative Templates, see [Managing Group Policy ADMX Files Step-by-Step Guide](https://go.microsoft.com/fwlink/p/?LinkId=214519). - -## What are Administrative Templates? -Administrative Templates are XML-based, multi-language files that define the registry-based Group Policy settings in the Local Group Policy Editor. There are two types of Administrative Templates: - -- **ADMX.** A language-neutral setup file that states the number and type of policy setting, and the location by category, as it shows up in the Local Group Policy Editor. - -- **ADML.** A language-specific setup file that provides language-related information to the ADMX file. This file lets the policy setting show up in the right language in the Local Group Policy Editor. You can add new languages by adding new ADML files in the required language. - -## How do I store Administrative Templates? -As an admin, you can create a central store folder on your SYSVOL directory, named **PolicyDefinitions**. For example, %*SystemRoot*%\\PolicyDefinitions. This folder provides a single, centralized storage location for your Administrative Templates (both ADMX and ADML) files, so they can be used by your domain-based Group Policy Objects (GPOs). -

Important
Your Group Policy tools use the ADMX files in your store, ignoring any local copies. For more information about creating a central store, see Scenario 1: Editing the Local GPO Using ADMX Files. - -## Administrative Templates-related Group Policy settings -When you install Internet Explorer 11, it updates the local administrative files, Inetres.admx and Inetres.adml, both located in the **PolicyDefinitions** folder. -

Note
You won't see the new policy settings if you try to view or edit your policy settings on a computer that isn't running IE11. To fix this, you can either install IE11, or you can copy the updated Inetres.admx and Inetres.adml files from another computer to the PolicyDefinitions folder on this computer. - -IE11 provides these new policy settings, which are editable in the Local Group Policy Editor, and appear in the following policy paths: - -- Computer Configuration\\Administrative Templates\\Windows Components\\ - -- User Configuration\\Administrative Templates\\Windows Components\\ - - -|Catalog |Description | -| ------------------------------------------------ | --------------------------------------------| -|IE |Turns standard IE configuration on and off. | -|Internet Explorer\Accelerators |Sets up and manages Accelerators. | -|Internet Explorer\Administrator Approved Controls |Turns ActiveX controls on and off. | -|Internet Explorer\Application Compatibility |Turns the **Cut**, **Copy**, or **Paste** operations on or off. This setting also requires that `URLACTION_SCRIPT_PASTE` is set to **Prompt**. | -|Internet Explorer\Browser Menus |Shows or hides the IE menus and menu options.| -|Internet Explorer\Corporate Settings |Turns off whether you specify the code download path for each computer. | -|Internet Explorer\Delete Browsing History |Turns the **Delete Browsing History** settings on and off. | -|Internet Explorer\Internet Control Panel |Turns pages on and off in the **Internet Options** dialog box. Also turns on and off the subcategories that manage settings on the **Content**, **General**, **Security** and **Advanced** pages. | -|Internet Explorer\Internet Settings |Sets up and manages the **Advanced settings**, **AutoComplete**, **Display Settings**, and **URL Encoding** options. | -|Internet Explorer\Persistence Behavior |Sets up and manages the file size limits for Internet security zones. | -|Internet Explorer\Privacy |Turns various privacy-related features on and off. | -|Internet Explorer\Security Features |Turns various security-related features on and off in the browser, Windows Explorer, and other applications. | -|Internet Explorer\Toolbars |Turns on and off the ability for users to edit toolbars in the browser. You can also set the default toolbar buttons here. | -|RSS Feeds |Sets up and manages RSS feeds in the browser. | - - -## Editing Group Policy settings -Regardless which tool you're using to edit your Group Policy settings, you'll need to follow one of these guides for step-by-step editing instructions: - -- **If you're using the Group Policy Management Console (GPMC) or the Local Group Policy Editor.** See [Edit Administrative Template Policy Settings](https://go.microsoft.com/fwlink/p/?LinkId=214521) for step-by-step instructions about editing your Administrative Templates. - -- **If you're using GPMC with Advanced Group Policy Management (AGPM).** See [Checklist: Create, Edit, and Deploy a GPO](https://go.microsoft.com/fwlink/p/?LinkId=214522) for step-by-step instructions about how to check out a GPO from the AGPM archive, edit it, and request deployment. - -## Related topics -- [Administrative templates (.admx) for Windows 10 April 2018 Update](https://www.microsoft.com/download/details.aspx?id=56880) -- [Administrative templates (.admx) for Windows 10 October 2018 Update](https://www.microsoft.com/download/details.aspx?id=57576) -- [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580) +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: Administrative templates and Internet Explorer 11 +author: dansimp +ms.prod: ie11 +ms.assetid: 2b390786-f786-41cc-bddc-c55c8a4c5af3 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: Administrative templates and Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Administrative templates and Internet Explorer 11 + +Administrative Templates are made up of a hierarchy of policy categories and subcategories that define how your policy settings appear in the Local Group Policy Editor, including: + +- What registry locations correspond to each setting. + +- What value options or restrictions are associated with each setting. + +- The default value for many settings. + +- Text explanations about each setting and the supported version of Internet Explorer. + +For a conceptual overview of Administrative Templates, see [Managing Group Policy ADMX Files Step-by-Step Guide](https://go.microsoft.com/fwlink/p/?LinkId=214519). + +## What are Administrative Templates? +Administrative Templates are XML-based, multi-language files that define the registry-based Group Policy settings in the Local Group Policy Editor. There are two types of Administrative Templates: + +- **ADMX.** A language-neutral setup file that states the number and type of policy setting, and the location by category, as it shows up in the Local Group Policy Editor. + +- **ADML.** A language-specific setup file that provides language-related information to the ADMX file. This file lets the policy setting show up in the right language in the Local Group Policy Editor. You can add new languages by adding new ADML files in the required language. + +## How do I store Administrative Templates? +As an admin, you can create a central store folder on your SYSVOL directory, named **PolicyDefinitions**. For example, %*SystemRoot*%\\PolicyDefinitions. This folder provides a single, centralized storage location for your Administrative Templates (both ADMX and ADML) files, so they can be used by your domain-based Group Policy Objects (GPOs). +

Important
Your Group Policy tools use the ADMX files in your store, ignoring any local copies. For more information about creating a central store, see Scenario 1: Editing the Local GPO Using ADMX Files. + +## Administrative Templates-related Group Policy settings +When you install Internet Explorer 11, it updates the local administrative files, Inetres.admx and Inetres.adml, both located in the **PolicyDefinitions** folder. +

Note
You won't see the new policy settings if you try to view or edit your policy settings on a computer that isn't running IE11. To fix this, you can either install IE11, or you can copy the updated Inetres.admx and Inetres.adml files from another computer to the PolicyDefinitions folder on this computer. + +IE11 provides these new policy settings, which are editable in the Local Group Policy Editor, and appear in the following policy paths: + +- Computer Configuration\\Administrative Templates\\Windows Components\\ + +- User Configuration\\Administrative Templates\\Windows Components\\ + + +|Catalog |Description | +| ------------------------------------------------ | --------------------------------------------| +|IE |Turns standard IE configuration on and off. | +|Internet Explorer\Accelerators |Sets up and manages Accelerators. | +|Internet Explorer\Administrator Approved Controls |Turns ActiveX controls on and off. | +|Internet Explorer\Application Compatibility |Turns the **Cut**, **Copy**, or **Paste** operations on or off. This setting also requires that `URLACTION_SCRIPT_PASTE` is set to **Prompt**. | +|Internet Explorer\Browser Menus |Shows or hides the IE menus and menu options.| +|Internet Explorer\Corporate Settings |Turns off whether you specify the code download path for each computer. | +|Internet Explorer\Delete Browsing History |Turns the **Delete Browsing History** settings on and off. | +|Internet Explorer\Internet Control Panel |Turns pages on and off in the **Internet Options** dialog box. Also turns on and off the subcategories that manage settings on the **Content**, **General**, **Security** and **Advanced** pages. | +|Internet Explorer\Internet Settings |Sets up and manages the **Advanced settings**, **AutoComplete**, **Display Settings**, and **URL Encoding** options. | +|Internet Explorer\Persistence Behavior |Sets up and manages the file size limits for Internet security zones. | +|Internet Explorer\Privacy |Turns various privacy-related features on and off. | +|Internet Explorer\Security Features |Turns various security-related features on and off in the browser, Windows Explorer, and other applications. | +|Internet Explorer\Toolbars |Turns on and off the ability for users to edit toolbars in the browser. You can also set the default toolbar buttons here. | +|RSS Feeds |Sets up and manages RSS feeds in the browser. | + + +## Editing Group Policy settings +Regardless which tool you're using to edit your Group Policy settings, you'll need to follow one of these guides for step-by-step editing instructions: + +- **If you're using the Group Policy Management Console (GPMC) or the Local Group Policy Editor.** See [Edit Administrative Template Policy Settings](https://go.microsoft.com/fwlink/p/?LinkId=214521) for step-by-step instructions about editing your Administrative Templates. + +- **If you're using GPMC with Advanced Group Policy Management (AGPM).** See [Checklist: Create, Edit, and Deploy a GPO](https://go.microsoft.com/fwlink/p/?LinkId=214522) for step-by-step instructions about how to check out a GPO from the AGPM archive, edit it, and request deployment. + +## Related topics +- [Administrative templates (.admx) for Windows 10 April 2018 Update](https://www.microsoft.com/download/details.aspx?id=56880) +- [Administrative templates (.admx) for Windows 10 October 2018 Update](https://www.microsoft.com/download/details.aspx?id=57576) +- [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580) diff --git a/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md index 6ed6595c40..977e17394e 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md @@ -1,62 +1,62 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Details about how Approvers can approve open change requests in the Enterprise Mode Site List Portal. -author: dansimp -ms.prod: ie11 -title: Approve a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp -ms.author: dansimp ---- - -# Approve a change request using the Enterprise Mode Site List Portal - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -After a change request is successfully submitted to the pre-defined Approver(s), employees granted the role of **App Manager**, **Group Head**, or **Administrator**, they must approve the changes. - -## Approve or reject a change request -The Approvers get an email stating that a Requester successfully opened, tested, and submitted the change request to the Approvers group. The Approvers can accept or reject a change request. - -**To approve or reject a change request** -1. The Approver logs onto the Enterprise Mode Site List Portal, **All Approvals** page. - - The Approver can also get to the **All Approvals** page by clicking **Approvals Pending** from the left pane. - -2. The Approver clicks the expander arrow (**\/**) to the right side of the change request, showing the list of Approvers and the **Approve** and **Reject** buttons. - -3. The Approver reviews the change request, making sure it's correct. If the info is correct, the Approver clicks **Approve** to approve the change request. If the info seems incorrect, or if the app shouldn't be added to the site list, the Approver clicks **Reject**. - - An email is sent to the Requester, the Approver(s) group, and the Administrator(s) group, with the updated status of the request. - - -## Send a reminder to the Approver(s) group -If the change request is sitting in the approval queue for too long, the Requester can send a reminder to the group. - -- From the **My Approvals** page, click the checkbox next to the name of each Approver to be reminded, and then click **Send reminder**. - - An email is sent to the selected Approver(s). - - -## View rejected change requests -The original Requester, the Approver(s) group, and the Administrator(s) group can all view the rejected change request. - -**To view the rejected change request** - -- In the Enterprise Mode Site List Portal, click **Rejected** from the left pane. - - All rejected change requests appear, with role assignment determining which ones are visible. - - -## Next steps -After an Approver approves the change request, it must be scheduled for inclusion in the production Enterprise Mode Site List. For the scheduling steps, see the [Schedule approved change requests for production using the Enterprise Mode Site List Portal](schedule-production-change-enterprise-mode-portal.md) topic. +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how Approvers can approve open change requests in the Enterprise Mode Site List Portal. +author: dansimp +ms.prod: ie11 +title: Approve a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +--- + +# Approve a change request using the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +After a change request is successfully submitted to the pre-defined Approver(s), employees granted the role of **App Manager**, **Group Head**, or **Administrator**, they must approve the changes. + +## Approve or reject a change request +The Approvers get an email stating that a Requester successfully opened, tested, and submitted the change request to the Approvers group. The Approvers can accept or reject a change request. + +**To approve or reject a change request** +1. The Approver logs onto the Enterprise Mode Site List Portal, **All Approvals** page. + + The Approver can also get to the **All Approvals** page by clicking **Approvals Pending** from the left pane. + +2. The Approver clicks the expander arrow (**\/**) to the right side of the change request, showing the list of Approvers and the **Approve** and **Reject** buttons. + +3. The Approver reviews the change request, making sure it's correct. If the info is correct, the Approver clicks **Approve** to approve the change request. If the info seems incorrect, or if the app shouldn't be added to the site list, the Approver clicks **Reject**. + + An email is sent to the Requester, the Approver(s) group, and the Administrator(s) group, with the updated status of the request. + + +## Send a reminder to the Approver(s) group +If the change request is sitting in the approval queue for too long, the Requester can send a reminder to the group. + +- From the **My Approvals** page, click the checkbox next to the name of each Approver to be reminded, and then click **Send reminder**. + + An email is sent to the selected Approver(s). + + +## View rejected change requests +The original Requester, the Approver(s) group, and the Administrator(s) group can all view the rejected change request. + +**To view the rejected change request** + +- In the Enterprise Mode Site List Portal, click **Rejected** from the left pane. + + All rejected change requests appear, with role assignment determining which ones are visible. + + +## Next steps +After an Approver approves the change request, it must be scheduled for inclusion in the production Enterprise Mode Site List. For the scheduling steps, see the [Schedule approved change requests for production using the Enterprise Mode Site List Portal](schedule-production-change-enterprise-mode-portal.md) topic. diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md index d109a8971f..d45374e404 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md @@ -1,62 +1,62 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: networking -description: Auto configuration and auto proxy problems with Internet Explorer 11 -author: dansimp -ms.prod: ie11 -ms.assetid: 3fbbc2c8-859b-4b2e-abc3-de2c299e0938 -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Auto configuration and auto proxy problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Auto configuration and auto proxy problems with Internet Explorer 11 -You might experience some problems using automatic configuration and auto-proxy with Internet Explorer 11. - -## Branding changes aren't distributed using automatic configuration -If you've turned on the **Disable external branding of Internet Explorer** Group Policy Object, you won't be able to use automatic configuration to distribute your branding changes to your users' computers. When this object is turned on, it prevents the branding of IE by a non-Microsoft company or entity, such as an Internet service provider or Internet content provider. For more information about automatic configuration, see [Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md) and [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md). For more information about Group Policy settings, see [Group policy objects and Internet Explorer 11 (IE11)](group-policy-objects-and-ie11.md). - -## Proxy server setup issues -If you experience issues while setting up your proxy server, you can try these troubleshooting steps: - -- Check to make sure the proxy server address is right. - -- Check that both **Automatically detect settings** and **Automatic configuration** are turned on in the browser. - -- Check that the browser is pointing to the right automatic configuration script location. - - **To check your proxy server address** - -1. On the **Tools** menu, click **Internet Options**, and then **Connections**. - -2. Click **Settings** or **LAN Settings**, and then look at your proxy server address. - -3. If you have multiple proxy servers, click **Advanced** to look at all of the additional addresses.

**Note**
If IE11 uses a proxy server for local IP addresses, regardless whether you turned on the **Bypass Proxy Server for Local Addresses** option, see [Internet Explorer Uses Proxy Server for Local IP Address Even if the "Bypass Proxy Server for Local Addresses" Option Is Turned On](https://go.microsoft.com/fwlink/p/?LinkId=85652). - - **To check that you've turned on the correct settings** - -4. On the **Tools** menu, click **Internet Options**, and then click **Connections**. - -5. Click **Settings** or **LAN Settings**. - -6. In the **Automatic configuration** area, check that you've clicked the **Automatically detect settings** box. If you've turned on automatic configuration, check to make sure that you've also clicked the **Use automatic configuration script** box.

**Note**
If at this point everything is set up correctly, but the proxy server still isn't behaving properly, click the **Detect my network settings** box in the **Error** dialog box to try to detect the proxy server, again. - - **To check that you're pointing to the correct automatic configuration script location** - -7. On the **Tools** menu, click **Internet Options**, and then click **Connections**. - -8. Click **Settings** or **LAN Settings**. - -9. In the **Automatic configuration** area, check that you've chosen the **Use automatic configuration script** box, and that it has the correct location to your automatic configuration script or for your automatic proxy URL. - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: networking +description: Auto configuration and auto proxy problems with Internet Explorer 11 +author: dansimp +ms.prod: ie11 +ms.assetid: 3fbbc2c8-859b-4b2e-abc3-de2c299e0938 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: Auto configuration and auto proxy problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Auto configuration and auto proxy problems with Internet Explorer 11 +You might experience some problems using automatic configuration and auto-proxy with Internet Explorer 11. + +## Branding changes aren't distributed using automatic configuration +If you've turned on the **Disable external branding of Internet Explorer** Group Policy Object, you won't be able to use automatic configuration to distribute your branding changes to your users' computers. When this object is turned on, it prevents the branding of IE by a non-Microsoft company or entity, such as an Internet service provider or Internet content provider. For more information about automatic configuration, see [Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md) and [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md). For more information about Group Policy settings, see [Group policy objects and Internet Explorer 11 (IE11)](group-policy-objects-and-ie11.md). + +## Proxy server setup issues +If you experience issues while setting up your proxy server, you can try these troubleshooting steps: + +- Check to make sure the proxy server address is right. + +- Check that both **Automatically detect settings** and **Automatic configuration** are turned on in the browser. + +- Check that the browser is pointing to the right automatic configuration script location. + + **To check your proxy server address** + +1. On the **Tools** menu, click **Internet Options**, and then **Connections**. + +2. Click **Settings** or **LAN Settings**, and then look at your proxy server address. + +3. If you have multiple proxy servers, click **Advanced** to look at all of the additional addresses.

**Note**
If IE11 uses a proxy server for local IP addresses, regardless whether you turned on the **Bypass Proxy Server for Local Addresses** option, see [Internet Explorer Uses Proxy Server for Local IP Address Even if the "Bypass Proxy Server for Local Addresses" Option Is Turned On](https://go.microsoft.com/fwlink/p/?LinkId=85652). + + **To check that you've turned on the correct settings** + +4. On the **Tools** menu, click **Internet Options**, and then click **Connections**. + +5. Click **Settings** or **LAN Settings**. + +6. In the **Automatic configuration** area, check that you've clicked the **Automatically detect settings** box. If you've turned on automatic configuration, check to make sure that you've also clicked the **Use automatic configuration script** box.

**Note**
If at this point everything is set up correctly, but the proxy server still isn't behaving properly, click the **Detect my network settings** box in the **Error** dialog box to try to detect the proxy server, again. + + **To check that you're pointing to the correct automatic configuration script location** + +7. On the **Tools** menu, click **Internet Options**, and then click **Connections**. + +8. Click **Settings** or **LAN Settings**. + +9. In the **Automatic configuration** area, check that you've chosen the **Use automatic configuration script** box, and that it has the correct location to your automatic configuration script or for your automatic proxy URL. + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md index 1e912f54d0..1b9a0ba9c8 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md @@ -1,74 +1,74 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: networking -description: Auto configuration settings for Internet Explorer 11 -author: dansimp -ms.prod: ie11 -ms.assetid: 90308d59-45b9-4639-ab1b-497e5ba19023 -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Auto configuration settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Auto configuration settings for Internet Explorer 11 -Automatic configuration lets you apply custom branding and graphics to your internal Internet Explorer installations, running on Windows 8.1 or Windows Server 2012 R2. For more information about adding custom branding and graphics to your IE package, see [Customize the toolbar button and Favorites List icons using IEAK 11](../ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md).

**Important**
You'll only see and be able to use the **IE Customization Wizard 11 - Automatic Configuration** page if you're creating an internal IE installation package. For more information about the **IE Customization Wizard 11 - Automatic Configuration** page, see [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md). - -## Adding the automatic configuration registry key -For custom graphics and branding, add the `FEATURE\AUTOCONFIG\BRANDING` registry key to your IE installation package.

**Important**
Follow these directions carefully because serious problems can occur if you update your registry incorrectly. For added protection, back up your registry so you can restore it if a problem occurs. - - **To add the registry key** - -1. On the **Start** screen, type **regedit**, and then click **Regedit.exe**. - -2. Right-click the `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl` subkey, point to **New**, and then click **Key**. - -3. Enter the new key name, `FEATURE\AUTOCONFIG\BRANDING`, and then press Enter. - -4. Right-click `FEATURE\AUTOCONFIG\BRANDING`, point to **New**, and then click **DWORD (32-bit) Value**. - -5. Enter the new DWORD value name, **iexplore.exe**, and then press Enter. - -6. Right-click **iexplore.exe**, and then click **Modify**. - -7. In the **Value data** box, enter **1**, and then click **OK**. - -8. Exit the registry editor. - -## Updating your automatic configuration settings -After adding the `FEATURE\AUTOCONFIG\BRANDING` registry key, you can change your automatic configuration settings to pick up the updated branding. -

Important
Your branding changes won't be added or updated if you've previously chosen the Disable external branding of IE setting in the User Configuration\Administrative Templates\Windows Components\Internet Explorer Group Policy object. This setting is intended to prevent branding by a third-party, like an Internet service or content provider. For more information about Group Policy, including videos and the latest technical documentation, see the Group Policy TechCenter. - - **To update your settings** - -1. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page. - -2. Choose the **Automatically detect configuration settings** check box to allow automatic detection of browser settings. - -3. Choose the **Enable Automatic Configuration** box to let you change the rest of the configuration options, including: - - - **Automatically configure every box:** Type how often IE should check for configuration updates. Typing **0** (zero), or not putting in any number, means that automatic configuration only happens when the computer restarts. - - - **Automatic Configuration URL (.INS file) box:** Type the location of your automatic configuration script. - - - **Automatic proxy URL (.JS, .JVS, or .PAC file) box:** Type the location of your automatic proxy script.

**Important**
Internet Explorer 11 no longer supports using file server locations with your proxy configuration (.pac) files. To keep using your .pac files, you have to keep them on a web server and reference them using a URL, like `https://share/test.ins`. - -If your branding changes aren't correctly deployed after running through this process, see [Auto configuration and auto proxy problems with Internet Explorer 11](auto-configuration-and-auto-proxy-problems-with-ie11.md). - -## Locking your automatic configuration settings -You have two options to restrict your users' ability to override the automatic configuration settings, based on your environment. - -- **Using Microsoft Active Directory.** Choose **Disable changing Automatic Configuration settings** from the Administrative Templates setting. - -- **Not Using Active Directory.** Choose the **Disable changing Automatic Configuration settings** setting in the `User Configuration\Administrative Templates\Windows Components\Internet Explorer` Group Policy object. - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: networking +description: Auto configuration settings for Internet Explorer 11 +author: dansimp +ms.prod: ie11 +ms.assetid: 90308d59-45b9-4639-ab1b-497e5ba19023 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: Auto configuration settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Auto configuration settings for Internet Explorer 11 +Automatic configuration lets you apply custom branding and graphics to your internal Internet Explorer installations, running on Windows 8.1 or Windows Server 2012 R2. For more information about adding custom branding and graphics to your IE package, see [Customize the toolbar button and Favorites List icons using IEAK 11](../ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md).

**Important**
You'll only see and be able to use the **IE Customization Wizard 11 - Automatic Configuration** page if you're creating an internal IE installation package. For more information about the **IE Customization Wizard 11 - Automatic Configuration** page, see [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md). + +## Adding the automatic configuration registry key +For custom graphics and branding, add the `FEATURE\AUTOCONFIG\BRANDING` registry key to your IE installation package.

**Important**
Follow these directions carefully because serious problems can occur if you update your registry incorrectly. For added protection, back up your registry so you can restore it if a problem occurs. + + **To add the registry key** + +1. On the **Start** screen, type **regedit**, and then click **Regedit.exe**. + +2. Right-click the `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl` subkey, point to **New**, and then click **Key**. + +3. Enter the new key name, `FEATURE\AUTOCONFIG\BRANDING`, and then press Enter. + +4. Right-click `FEATURE\AUTOCONFIG\BRANDING`, point to **New**, and then click **DWORD (32-bit) Value**. + +5. Enter the new DWORD value name, **iexplore.exe**, and then press Enter. + +6. Right-click **iexplore.exe**, and then click **Modify**. + +7. In the **Value data** box, enter **1**, and then click **OK**. + +8. Exit the registry editor. + +## Updating your automatic configuration settings +After adding the `FEATURE\AUTOCONFIG\BRANDING` registry key, you can change your automatic configuration settings to pick up the updated branding. +

Important
Your branding changes won't be added or updated if you've previously chosen the Disable external branding of IE setting in the User Configuration\Administrative Templates\Windows Components\Internet Explorer Group Policy object. This setting is intended to prevent branding by a third-party, like an Internet service or content provider. For more information about Group Policy, including videos and the latest technical documentation, see the Group Policy TechCenter. + + **To update your settings** + +1. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page. + +2. Choose the **Automatically detect configuration settings** check box to allow automatic detection of browser settings. + +3. Choose the **Enable Automatic Configuration** box to let you change the rest of the configuration options, including: + + - **Automatically configure every box:** Type how often IE should check for configuration updates. Typing **0** (zero), or not putting in any number, means that automatic configuration only happens when the computer restarts. + + - **Automatic Configuration URL (.INS file) box:** Type the location of your automatic configuration script. + + - **Automatic proxy URL (.JS, .JVS, or .PAC file) box:** Type the location of your automatic proxy script.

**Important**
Internet Explorer 11 no longer supports using file server locations with your proxy configuration (.pac) files. To keep using your .pac files, you have to keep them on a web server and reference them using a URL, like `https://share/test.ins`. + +If your branding changes aren't correctly deployed after running through this process, see [Auto configuration and auto proxy problems with Internet Explorer 11](auto-configuration-and-auto-proxy-problems-with-ie11.md). + +## Locking your automatic configuration settings +You have two options to restrict your users' ability to override the automatic configuration settings, based on your environment. + +- **Using Microsoft Active Directory.** Choose **Disable changing Automatic Configuration settings** from the Administrative Templates setting. + +- **Not Using Active Directory.** Choose the **Disable changing Automatic Configuration settings** setting in the `User Configuration\Administrative Templates\Windows Components\Internet Explorer` Group Policy object. + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md index 508da17224..6d58aac85b 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md @@ -1,55 +1,55 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: networking -description: Auto detect settings Internet Explorer 11 -author: dansimp -ms.prod: ie11 -ms.assetid: c6753cf4-3276-43c5-aae9-200e9e82753f -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Auto detect settings Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Auto detect settings Internet Explorer 11 -After you specify the specific settings related to automatic detection on your Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) servers, you can set up your users' browser settings from a central location. - -Automatic detection works even if the browser wasn't originally set up or installed by the administrator. - -- **Using DHCP servers:** For local area network (LAN)-based users. This server type lets you specify your global and subnet TCP/IP parameters centrally, defining your users' parameters by using reserved addresses. By doing it this way, a computer can move between subnets, automatically reconfiguring for TCP/IP when it starts. - -- **Using DNS servers:** For users on dial-up connections. This server type uses a set of protocols and services on a TCP/IP network, which lets users search for other computers by using hierarchical, user-friendly names (hosts), instead of numeric IP addresses.

**Note**
DHCP has a higher priority than DNS for automatic configuration. If DHCP provides the URL to a .pac, .jvs, .js, or .ins configuration file, the process stops and the DNS lookup doesn't happen. - -## Updating your automatic detection settings -To use automatic detection, you have to set up your DHCP and DNS servers.

**Note**
Your DHCP servers must support the `DHCPINFORM` message, to obtain the DHCP options. - - **To turn on automatic detection for DHCP servers** - -1. Open the Internet Explorer Customization Wizard 11, and go to the **Automatic Configuration** page. - -2. Choose the **Automatically detect configuration settings** box to automatically detect your browser settings. For more information about the **Automatic Configuration** page, see [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md). - -3. Open the [DHCP Administrative Tool](https://go.microsoft.com/fwlink/p/?LinkId=302212), create a new option type, using the code number 252, and then associate it with the URL to your configuration file. For detailed instructions about how to do this, see [Create an option 252 entry in DHCP](https://go.microsoft.com/fwlink/p/?LinkId=294649). - - **To turn on automatic detection for DNS servers** - -4. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page. - -5. Choose the **Automatically detect configuration settings** box to automatically detect your browser settings. - -6. In your DNS database file, create a host record named, **WPAD**. This record has the IP address of the web server storing your automatic configuration (.js, .jvs, .pac, or .ins) file.

**-OR-**

Create a canonical name (CNAME) alias record named, **WPAD**. This record has the resolved name (not the IP address) of the server storing your automatic configuration (.pac) file.

**Note**
For more information about creating a **WPAD** entry, see [Creating a WPAD entry in DNS](https://go.microsoft.com/fwlink/p/?LinkId=294651). - -7. After the database file propagates to the server, the DNS name, `wpad..com` resolves to the server name that includes your automatic configuration file.

**Note**
Internet Explorer 11 creates a default URL template based on the host name, **wpad**. For example, `https://wpad..com/wpad.dat`. Because of this, you need to set up a file or redirection point in your web server **WPAD** record, named **wpad.dat**. The **wpad.dat** record delivers the contents of your automatic configuration file. - - - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: networking +description: Auto detect settings Internet Explorer 11 +author: dansimp +ms.prod: ie11 +ms.assetid: c6753cf4-3276-43c5-aae9-200e9e82753f +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: Auto detect settings Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Auto detect settings Internet Explorer 11 +After you specify the specific settings related to automatic detection on your Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) servers, you can set up your users' browser settings from a central location. + +Automatic detection works even if the browser wasn't originally set up or installed by the administrator. + +- **Using DHCP servers:** For local area network (LAN)-based users. This server type lets you specify your global and subnet TCP/IP parameters centrally, defining your users' parameters by using reserved addresses. By doing it this way, a computer can move between subnets, automatically reconfiguring for TCP/IP when it starts. + +- **Using DNS servers:** For users on dial-up connections. This server type uses a set of protocols and services on a TCP/IP network, which lets users search for other computers by using hierarchical, user-friendly names (hosts), instead of numeric IP addresses.

**Note**
DHCP has a higher priority than DNS for automatic configuration. If DHCP provides the URL to a .pac, .jvs, .js, or .ins configuration file, the process stops and the DNS lookup doesn't happen. + +## Updating your automatic detection settings +To use automatic detection, you have to set up your DHCP and DNS servers.

**Note**
Your DHCP servers must support the `DHCPINFORM` message, to obtain the DHCP options. + + **To turn on automatic detection for DHCP servers** + +1. Open the Internet Explorer Customization Wizard 11, and go to the **Automatic Configuration** page. + +2. Choose the **Automatically detect configuration settings** box to automatically detect your browser settings. For more information about the **Automatic Configuration** page, see [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md). + +3. Open the [DHCP Administrative Tool](https://go.microsoft.com/fwlink/p/?LinkId=302212), create a new option type, using the code number 252, and then associate it with the URL to your configuration file. For detailed instructions about how to do this, see [Create an option 252 entry in DHCP](https://go.microsoft.com/fwlink/p/?LinkId=294649). + + **To turn on automatic detection for DNS servers** + +4. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page. + +5. Choose the **Automatically detect configuration settings** box to automatically detect your browser settings. + +6. In your DNS database file, create a host record named, **WPAD**. This record has the IP address of the web server storing your automatic configuration (.js, .jvs, .pac, or .ins) file.

**-OR-**

Create a canonical name (CNAME) alias record named, **WPAD**. This record has the resolved name (not the IP address) of the server storing your automatic configuration (.pac) file.

**Note**
For more information about creating a **WPAD** entry, see [Creating a WPAD entry in DNS](https://go.microsoft.com/fwlink/p/?LinkId=294651). + +7. After the database file propagates to the server, the DNS name, `wpad..com` resolves to the server name that includes your automatic configuration file.

**Note**
Internet Explorer 11 creates a default URL template based on the host name, **wpad**. For example, `https://wpad..com/wpad.dat`. Because of this, you need to set up a file or redirection point in your web server **WPAD** record, named **wpad.dat**. The **wpad.dat** record delivers the contents of your automatic configuration file. + + + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md index 5784aff62d..bd7bd5c030 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md @@ -1,50 +1,50 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: networking -description: Auto proxy configuration settings for Internet Explorer 11 -author: dansimp -ms.prod: ie11 -ms.assetid: 5120aaf9-8ead-438a-8472-3cdd924b7d9e -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Auto proxy configuration settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Auto proxy configuration settings for Internet Explorer 11 -Configure and maintain your proxy settings, like pointing your users' browsers to your automatic proxy script, through the Internet Explorer Customization Wizard 11 running on either Windows 8.1 or Windows Server 2012 R2. - -## Updating your auto-proxy settings -You can use your Internet settings (.ins) files to set up your standard proxy settings. You can also specify script files (.js, .jvs, or .pac) to configure and maintain your advanced proxy settings. IE uses your auto-proxy script files to dynamically determine whether to connect to a host or use a proxy server. If a proxy server connection fails, Internet Explorer 11 automatically attempts to connect to another proxy server that you have specified. - - **To update your settings** - -1. Create a script file with your proxy information, copying it to a server location. - -2. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page. - -3. Choose the **Enable Automatic Configuration** box to let you change the rest of the configuration options, including: - - - **Automatically configure every box:** Type how often IE should check for configuration updates. Typing **0** (zero), or not putting in any number, means that updates only happen when the computer restarts. - - - **Automatic Configuration URL (.INS file) box:** Type the location of the .ins file you want to use for automatic configuration. For more information about setting up **Automatic Configuration**, see [Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md). - - - **Automatic proxy URL (.JS, .JVS, or .PAC file) box:** Type the location of your automatic proxy script. This script runs whenever IE11 makes a network request and can include multiple proxy servers for each protocol type.

**Important**
IE11 no longer supports using file server locations with your proxy configuration (.pac) files. To keep using your .pac files, you have to keep them on a web server and reference them using a URL, like `https://share/test.ins`. - -## Locking your auto-proxy settings -You have two options to restrict your users' ability to override the automatic configuration settings, based on your environment. - -- **Using Microsoft Active Directory.** Choose **Disable changing proxy settings** from the Administrative Templates setting. - -- **Not Using Active Directory.** Choose the **Prevent changing proxy settings** setting in the `User Configuration\Administrative Templates\Windows Components\Internet Explorer` Group Policy object. For more information about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: networking +description: Auto proxy configuration settings for Internet Explorer 11 +author: dansimp +ms.prod: ie11 +ms.assetid: 5120aaf9-8ead-438a-8472-3cdd924b7d9e +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: Auto proxy configuration settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Auto proxy configuration settings for Internet Explorer 11 +Configure and maintain your proxy settings, like pointing your users' browsers to your automatic proxy script, through the Internet Explorer Customization Wizard 11 running on either Windows 8.1 or Windows Server 2012 R2. + +## Updating your auto-proxy settings +You can use your Internet settings (.ins) files to set up your standard proxy settings. You can also specify script files (.js, .jvs, or .pac) to configure and maintain your advanced proxy settings. IE uses your auto-proxy script files to dynamically determine whether to connect to a host or use a proxy server. If a proxy server connection fails, Internet Explorer 11 automatically attempts to connect to another proxy server that you have specified. + + **To update your settings** + +1. Create a script file with your proxy information, copying it to a server location. + +2. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page. + +3. Choose the **Enable Automatic Configuration** box to let you change the rest of the configuration options, including: + + - **Automatically configure every box:** Type how often IE should check for configuration updates. Typing **0** (zero), or not putting in any number, means that updates only happen when the computer restarts. + + - **Automatic Configuration URL (.INS file) box:** Type the location of the .ins file you want to use for automatic configuration. For more information about setting up **Automatic Configuration**, see [Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md). + + - **Automatic proxy URL (.JS, .JVS, or .PAC file) box:** Type the location of your automatic proxy script. This script runs whenever IE11 makes a network request and can include multiple proxy servers for each protocol type.

**Important**
IE11 no longer supports using file server locations with your proxy configuration (.pac) files. To keep using your .pac files, you have to keep them on a web server and reference them using a URL, like `https://share/test.ins`. + +## Locking your auto-proxy settings +You have two options to restrict your users' ability to override the automatic configuration settings, based on your environment. + +- **Using Microsoft Active Directory.** Choose **Disable changing proxy settings** from the Administrative Templates setting. + +- **Not Using Active Directory.** Choose the **Prevent changing proxy settings** setting in the `User Configuration\Administrative Templates\Windows Components\Internet Explorer` Group Policy object. For more information about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md b/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md index eee4b1425c..12bd5502e3 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md +++ b/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md @@ -1,43 +1,43 @@ ---- -title: Blocked out-of-date ActiveX controls -description: This page is periodically updated with new ActiveX controls blocked by this feature. -author: dansimp -ms.author: dansimp -manager: dansimp -ms.date: 05/10/2018 -ms.topic: article -ms.prod: ie11 -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -ms.assetid: '' -ms.reviewer: -ms.sitesec: library ---- - -# Blocked out-of-date ActiveX controls - -ActiveX controls are small apps that let websites provide content, like videos and games, and let you interact with content, like toolbars. Unfortunately, because many ActiveX controls aren't automatically updated, they can become outdated as new versions are released. It's very important that you keep your ActiveX controls up to date because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. To help avoid this situation, Internet Explorer includes a security feature called _out-of-date ActiveX control blocking_. - -We'll periodically update this page with new ActiveX controls blocked by this feature. We'll typically provide one month's advance notice before adding new controls to the list. - -You will receive a notification if a webpage tries to load one of the following of ActiveX control versions: - -**Java** - -| Java 2 Platform, Standard Edition (J2SE) 1.4, everything below (but not including) update 43 | -|----------------------------------------------------------------------------------------------| -| J2SE 5.0, everything below (but not including) update 99 | -| Java SE 6, everything below (but not including) update 181 | -| Java SE 7, everything below (but not including) update 171 | -| Java SE 8, everything below (but not including) update 161 | -| Java SE 9, everything below (but not including) update 4 | - -**Silverlight** - - -| Everything below (but not including) Silverlight 5.1.50907.0 | -|--------------------------------------------------------------| -| | - -For more information, see [Out-of-date ActiveX control blocking](out-of-date-activex-control-blocking.md) and [Internet Explorer begins blocking out-of-date ActiveX controls](https://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx). You can also view Microsoft's complete list of out-of-date ActiveX controls in the XML-based [version list](https://go.microsoft.com/fwlink/?LinkId=403864). +--- +title: Blocked out-of-date ActiveX controls +description: This page is periodically updated with new ActiveX controls blocked by this feature. +author: dansimp +ms.author: dansimp +audience: itpro manager: dansimp +ms.date: 05/10/2018 +ms.topic: article +ms.prod: ie11 +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +ms.assetid: '' +ms.reviewer: +ms.sitesec: library +--- + +# Blocked out-of-date ActiveX controls + +ActiveX controls are small apps that let websites provide content, like videos and games, and let you interact with content, like toolbars. Unfortunately, because many ActiveX controls aren't automatically updated, they can become outdated as new versions are released. It's very important that you keep your ActiveX controls up to date because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. To help avoid this situation, Internet Explorer includes a security feature called _out-of-date ActiveX control blocking_. + +We'll periodically update this page with new ActiveX controls blocked by this feature. We'll typically provide one month's advance notice before adding new controls to the list. + +You will receive a notification if a webpage tries to load one of the following of ActiveX control versions: + +**Java** + +| Java 2 Platform, Standard Edition (J2SE) 1.4, everything below (but not including) update 43 | +|----------------------------------------------------------------------------------------------| +| J2SE 5.0, everything below (but not including) update 99 | +| Java SE 6, everything below (but not including) update 181 | +| Java SE 7, everything below (but not including) update 171 | +| Java SE 8, everything below (but not including) update 161 | +| Java SE 9, everything below (but not including) update 4 | + +**Silverlight** + + +| Everything below (but not including) Silverlight 5.1.50907.0 | +|--------------------------------------------------------------| +| | + +For more information, see [Out-of-date ActiveX control blocking](out-of-date-activex-control-blocking.md) and [Internet Explorer begins blocking out-of-date ActiveX controls](https://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx). You can also view Microsoft's complete list of out-of-date ActiveX controls in the XML-based [version list](https://go.microsoft.com/fwlink/?LinkId=403864). diff --git a/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md b/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md index cbea60be67..fe61c67cf5 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md +++ b/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md @@ -1,38 +1,38 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: performance -description: Browser cache changes and roaming profiles -author: dansimp -ms.prod: ie11 -ms.assetid: 85f0cd01-6f82-4bd1-9c0b-285af1ce3436 -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Browser cache changes and roaming profiles (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 10/16/2017 ---- - - -# Browser cache changes and roaming profiles -We’ve redesigned the browser cache to improve the performance, flexibility, reliability, and scalability of Internet Explorer and the apps that rely on the Windows Internet (WinINet) cache. Our new database design stops multiple clients from simultaneously accessing and using cached information, while also providing a higher level of data integrity. - -You won’t notice any changes to the management of your roaming profile data if you use our new database implementation in conjunction with the [roaming user profile guidelines](https://go.microsoft.com/fwlink/p/?LinkId=401544). This means that IE data that’s stored in the `AppData\Roaming` user profile folder is still be uploaded to your normal profile storage location after a user successfully logs off.

**Note**
Cookies in a roaming profile can only be set by Internet Explorer for the desktop, with Enhanced Protected Mode turned off. Cookies set by the immersive version of IE or by Microsoft Store apps, can’t be part of a roaming profile. For more information about persistent cookies and roaming, see [Persistent cookies are not roamed in Internet Explorer](https://go.microsoft.com/fwlink/p/?LinkId=401545). - -To get the best results while using roaming profiles, we strongly recommend the following: - -- Create a separate roaming repository for each domain account that uses roaming. - -- Restrict roaming user profiles so they work on only one computer at a time. Using a single roaming profile on multiple computers isn’t supported (via console or Remote Desktop) and can cause unpredictable results, including cookie loss. - -- Allow all computers that let users sign-on with a roaming profile have identical IE cookie policies and settings. - -- Make sure to delete the user’s local roaming profile at sign off for any computer using user profile roaming. You can do this by turning on the **Delete cached copies of roaming profiles** Group Policy Object. - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: performance +description: Browser cache changes and roaming profiles +author: dansimp +ms.prod: ie11 +ms.assetid: 85f0cd01-6f82-4bd1-9c0b-285af1ce3436 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: Browser cache changes and roaming profiles (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 10/16/2017 +--- + + +# Browser cache changes and roaming profiles +We’ve redesigned the browser cache to improve the performance, flexibility, reliability, and scalability of Internet Explorer and the apps that rely on the Windows Internet (WinINet) cache. Our new database design stops multiple clients from simultaneously accessing and using cached information, while also providing a higher level of data integrity. + +You won’t notice any changes to the management of your roaming profile data if you use our new database implementation in conjunction with the [roaming user profile guidelines](https://go.microsoft.com/fwlink/p/?LinkId=401544). This means that IE data that’s stored in the `AppData\Roaming` user profile folder is still be uploaded to your normal profile storage location after a user successfully logs off.

**Note**
Cookies in a roaming profile can only be set by Internet Explorer for the desktop, with Enhanced Protected Mode turned off. Cookies set by the immersive version of IE or by Microsoft Store apps, can’t be part of a roaming profile. For more information about persistent cookies and roaming, see [Persistent cookies are not roamed in Internet Explorer](https://go.microsoft.com/fwlink/p/?LinkId=401545). + +To get the best results while using roaming profiles, we strongly recommend the following: + +- Create a separate roaming repository for each domain account that uses roaming. + +- Restrict roaming user profiles so they work on only one computer at a time. Using a single roaming profile on multiple computers isn’t supported (via console or Remote Desktop) and can cause unpredictable results, including cookie loss. + +- Allow all computers that let users sign-on with a roaming profile have identical IE cookie policies and settings. + +- Make sure to delete the user’s local roaming profile at sign off for any computer using user profile roaming. You can do this by turning on the **Delete cached copies of roaming profiles** Group Policy Object. + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md index 02abe465ad..d3cae2a67a 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md @@ -1,56 +1,56 @@ ---- -ms.localizationpriority: medium -title: Change history for Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros) -description: This topic lists new and updated topics in the Internet Explorer 11 Deployment Guide documentation for Windows 10 and Windows 10 Mobile. -ms.mktglfcycl: deploy -ms.prod: ie11 -ms.sitesec: library -author: dansimp -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp -ms.author: dansimp ---- - - -# Change history for Internet Explorer 11 -This topic lists new and updated topics in the Internet Explorer 11 documentation for both Windows 10 and Windows 10 Mobile. - -## April 2017 -|New or changed topic | Description | -|----------------------|-------------| -|[Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md)|Updates to the Enterprise Mode section to include info about the Enterprise Mode Site List Portal. | - -## March 2017 -|New or changed topic | Description | -|----------------------|-------------| -|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated to add the Allow VBScript to run in Internet Explorer and the Hide the button (next to the New Tab button) that opens Microsoft Edge settings. | - -## November 2016 -|New or changed topic | Description | -|----------------------|-------------| -|[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md) |Updated the DocMode reason section to correct Code 8 and to add Code 9.| - -## August 2016 -|New or changed topic | Description | -|----------------------|-------------| -|[Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) |Updated to remove the IP range restrictions and to add code examples for both IPv4 and IPv6 addresses. | -|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) |Updated to remove the IP range restrictions and to add code examples for both IPv4 and IPv6 addresses. | -|[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md)|Added the Understanding the returned reason codes section to the topic. | - -## July 2016 -|New or changed topic | Description | -|----------------------|-------------| -|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated to include the comprehensive list of Group Policies that were added with Internet Explorer 11. | - -## June 2016 -|New or changed topic | Description | -|----------------------|-------------| -|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated with 2 new policies, Send all sites not included in the Enterprise Mode Site List to Microsoft Edge and Show message when opening sites in Microsoft Edge using Enterprise Mode. | - - -## May 2016 -|New or changed topic | Description | -|----------------------|-------------| -|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) | Added info about using <emie> and <docMode> together. | - +--- +ms.localizationpriority: medium +title: Change history for Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros) +description: This topic lists new and updated topics in the Internet Explorer 11 Deployment Guide documentation for Windows 10 and Windows 10 Mobile. +ms.mktglfcycl: deploy +ms.prod: ie11 +ms.sitesec: library +author: dansimp +ms.date: 07/27/2017 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +--- + + +# Change history for Internet Explorer 11 +This topic lists new and updated topics in the Internet Explorer 11 documentation for both Windows 10 and Windows 10 Mobile. + +## April 2017 +|New or changed topic | Description | +|----------------------|-------------| +|[Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md)|Updates to the Enterprise Mode section to include info about the Enterprise Mode Site List Portal. | + +## March 2017 +|New or changed topic | Description | +|----------------------|-------------| +|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated to add the Allow VBScript to run in Internet Explorer and the Hide the button (next to the New Tab button) that opens Microsoft Edge settings. | + +## November 2016 +|New or changed topic | Description | +|----------------------|-------------| +|[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md) |Updated the DocMode reason section to correct Code 8 and to add Code 9.| + +## August 2016 +|New or changed topic | Description | +|----------------------|-------------| +|[Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) |Updated to remove the IP range restrictions and to add code examples for both IPv4 and IPv6 addresses. | +|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) |Updated to remove the IP range restrictions and to add code examples for both IPv4 and IPv6 addresses. | +|[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md)|Added the Understanding the returned reason codes section to the topic. | + +## July 2016 +|New or changed topic | Description | +|----------------------|-------------| +|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated to include the comprehensive list of Group Policies that were added with Internet Explorer 11. | + +## June 2016 +|New or changed topic | Description | +|----------------------|-------------| +|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated with 2 new policies, Send all sites not included in the Enterprise Mode Site List to Microsoft Edge and Show message when opening sites in Microsoft Edge using Enterprise Mode. | + + +## May 2016 +|New or changed topic | Description | +|----------------------|-------------| +|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) | Added info about using <emie> and <docMode> together. | + diff --git a/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md b/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md index 08d7c2f831..0b2d9ff141 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md +++ b/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md @@ -1,51 +1,51 @@ ---- -title: Check for a new Enterprise Mode site list xml file (Internet Explorer 11 for IT Pros) -description: You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode. -ms.assetid: 2bbc7017-622e-4baa-8981-c0bbda10e9df -ms.reviewer: -manager: dansimp -ms.prod: ie11 -ms.mktglfcycl: deploy -ms.pagetype: appcompat -ms.sitesec: library -author: dansimp -ms.author: dansimp -ms.date: 08/14/2017 -ms.localizationpriority: medium ---- - - -# Check for a new Enterprise Mode site list xml file - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode. You can add and remove sites from your XML list as frequently as you want, changing which sites should render in Enterprise Mode for your employees. For information about turning on Enterprise Mode and using site lists, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md). - -The information in this topic only covers HTTPS protocol. We strongly recommend that you use HTTPS protocol instead of file protocol due to increased performance. - -**How Internet Explorer 11 looks for an updated site list** - -1. Internet Explorer starts up and looks for an updated site list in the following places: - - 1. **In the cache container.** IE first checks the cache container to see if it finds your XML site list. - - 2. **In the local cache.** If there’s nothing in the cache container, IE checks your local cache for the site list. - - 3. **On the server.** Based on standard IE caching rules, IE might look for a copy of your site list in the location you put specified in the **SiteList** value of the registry. - -2. If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.

**Note**
If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one. - -   - -  - -  - - - +--- +title: Check for a new Enterprise Mode site list xml file (Internet Explorer 11 for IT Pros) +description: You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode. +ms.assetid: 2bbc7017-622e-4baa-8981-c0bbda10e9df +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: ie11 +ms.mktglfcycl: deploy +ms.pagetype: appcompat +ms.sitesec: library +author: dansimp +ms.author: dansimp +ms.date: 08/14/2017 +ms.localizationpriority: medium +--- + + +# Check for a new Enterprise Mode site list xml file + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode. You can add and remove sites from your XML list as frequently as you want, changing which sites should render in Enterprise Mode for your employees. For information about turning on Enterprise Mode and using site lists, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md). + +The information in this topic only covers HTTPS protocol. We strongly recommend that you use HTTPS protocol instead of file protocol due to increased performance. + +**How Internet Explorer 11 looks for an updated site list** + +1. Internet Explorer starts up and looks for an updated site list in the following places: + + 1. **In the cache container.** IE first checks the cache container to see if it finds your XML site list. + + 2. **In the local cache.** If there’s nothing in the cache container, IE checks your local cache for the site list. + + 3. **On the server.** Based on standard IE caching rules, IE might look for a copy of your site list in the location you put specified in the **SiteList** value of the registry. + +2. If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.

**Note**
If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one. + +   + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md index 4e6630b0f1..c35d115df7 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md @@ -1,31 +1,31 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Choose how to deploy Internet Explorer 11 (IE11) -author: dansimp -ms.prod: ie11 -ms.assetid: 21b6a301-c222-40bc-ad0b-27f66fc54d9d -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Choose how to deploy Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Choose how to deploy Internet Explorer 11 (IE11) -In this section, you can learn about how to deploy your custom version of Internet Explorer using Automatic Version Synchronization (AVS) or using your software distribution tools. - -## In this section - -| Topic | Description | -|------------------------------------------------------------- | ------------------------------------------------------ | -|[Deploy IE11 using Automatic Version Synchronization (AVS)](deploy-ie11-using-automatic-version-synchronization-avs.md) |Guidance about how to deploy your custom browser packages using Automatic Version Synchronization (AVS). | -|[Deploy IE11 using software distribution tools](deploy-ie11-using-software-distribution-tools.md) |Guidance about how to deploy your custom browser packages using System Center 2012 R2, Windows Server Update Services (WSUS), Group Policy software installation, or Microsoft Deployment toolkit (MDT). | - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Choose how to deploy Internet Explorer 11 (IE11) +author: dansimp +ms.prod: ie11 +ms.assetid: 21b6a301-c222-40bc-ad0b-27f66fc54d9d +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: Choose how to deploy Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Choose how to deploy Internet Explorer 11 (IE11) +In this section, you can learn about how to deploy your custom version of Internet Explorer using Automatic Version Synchronization (AVS) or using your software distribution tools. + +## In this section + +| Topic | Description | +|------------------------------------------------------------- | ------------------------------------------------------ | +|[Deploy IE11 using Automatic Version Synchronization (AVS)](deploy-ie11-using-automatic-version-synchronization-avs.md) |Guidance about how to deploy your custom browser packages using Automatic Version Synchronization (AVS). | +|[Deploy IE11 using software distribution tools](deploy-ie11-using-software-distribution-tools.md) |Guidance about how to deploy your custom browser packages using System Center 2012 R2, Windows Server Update Services (WSUS), Group Policy software installation, or Microsoft Deployment toolkit (MDT). | + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md index e66fa1ed2a..a430073e9d 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md @@ -1,37 +1,37 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Choose how to install Internet Explorer 11 (IE11) -author: dansimp -ms.prod: ie11 -ms.assetid: 9572f5f1-5d67-483e-bd63-ffea95053481 -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Choose how to install Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Choose how to install Internet Explorer 11 (IE11) -Before you install Internet Explorer 11, you should: - -- **Migrate Group Policy Objects.** Decide if your Group Policy Objects should migrate to the new version. - -- **Check vendor support for updated functionality.** Check whether third-party vendors have new versions or updates to necessary add-ons, apps, or code libraries. - -- **Choose the right version of Internet Explorer.** IE11 comes pre-installed on Windows 8.1 and Windows Server 2012 R2 or you can download it for Windows 7 SP1 or Windows Server 2008 R2 with Service Pack 1 (SP1) from the [Internet Explorer Downloads](https://go.microsoft.com/fwlink/p/?LinkId=214251) site. - -- **Choose how you'll deploy your installation package.** Your deployment method should be based on whether you're installing to computers already running Windows, or if you're deploying IE11 as part of a Windows installation. - - - **Existing computers running Windows.** Use System Center R2 2012 System Center 2012 R2 Configuration Manager, System Center Essentials 2010, Windows Server Updates Services (WSUS), or Microsoft Intune to deploy IE11. For more information about how to use these systems, see [System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkID=276664), [System Center Essentials 2010](https://go.microsoft.com/fwlink/p/?LinkId=395200), [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790), and [Microsoft Intune Overview](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune). - - - **As part of a Windows deployment.** Update your Windows images to include IE11, and then add the update to your MDT deployment share or to your Windows image. For instructions about how to create and use Windows images, see [Create and Manage a Windows Image Using DISM](https://go.microsoft.com/fwlink/p/?LinkId=299408). For general information about deploying IE, see [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=331148), [Windows ADK Overview](https://go.microsoft.com/fwlink/p/?LinkId=276669). - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Choose how to install Internet Explorer 11 (IE11) +author: dansimp +ms.prod: ie11 +ms.assetid: 9572f5f1-5d67-483e-bd63-ffea95053481 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: Choose how to install Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Choose how to install Internet Explorer 11 (IE11) +Before you install Internet Explorer 11, you should: + +- **Migrate Group Policy Objects.** Decide if your Group Policy Objects should migrate to the new version. + +- **Check vendor support for updated functionality.** Check whether third-party vendors have new versions or updates to necessary add-ons, apps, or code libraries. + +- **Choose the right version of Internet Explorer.** IE11 comes pre-installed on Windows 8.1 and Windows Server 2012 R2 or you can download it for Windows 7 SP1 or Windows Server 2008 R2 with Service Pack 1 (SP1) from the [Internet Explorer Downloads](https://go.microsoft.com/fwlink/p/?LinkId=214251) site. + +- **Choose how you'll deploy your installation package.** Your deployment method should be based on whether you're installing to computers already running Windows, or if you're deploying IE11 as part of a Windows installation. + + - **Existing computers running Windows.** Use System Center R2 2012 System Center 2012 R2 Configuration Manager, System Center Essentials 2010, Windows Server Updates Services (WSUS), or Microsoft Intune to deploy IE11. For more information about how to use these systems, see [System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkID=276664), [System Center Essentials 2010](https://go.microsoft.com/fwlink/p/?LinkId=395200), [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790), and [Microsoft Intune Overview](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune). + + - **As part of a Windows deployment.** Update your Windows images to include IE11, and then add the update to your MDT deployment share or to your Windows image. For instructions about how to create and use Windows images, see [Create and Manage a Windows Image Using DISM](https://go.microsoft.com/fwlink/p/?LinkId=299408). For general information about deploying IE, see [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=331148), [Windows ADK Overview](https://go.microsoft.com/fwlink/p/?LinkId=276669). + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md index 3a2826187a..aaabccc9ae 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md +++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md @@ -1,482 +1,482 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. -author: dansimp -ms.prod: ie11 -ms.assetid: a145e80f-eb62-4116-82c4-3cc35fd064b6 -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Collect data using Enterprise Site Discovery -ms.sitesec: library -ms.date: 07/27/2017 ---- - -# Collect data using Enterprise Site Discovery - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 with Service Pack 1 (SP1) - -Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades. - ->**Upgrade Readiness and Windows upgrades**
->You can use Upgrade Readiness to help manage your Windows 10 upgrades on devices running Windows 8.1 and Windows 7 (SP1). You can also use Upgrade Readiness to review several site discovery reports. For more information, see [Manage Windows upgrades with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). - - -## Before you begin -Before you start, you need to make sure you have the following: - -- Latest cumulative security update (for all supported versions of Internet Explorer): - - 1. Go to the [Microsoft Security Bulletin](https://go.microsoft.com/fwlink/p/?LinkID=718223) page, and change the filter to **Windows Internet Explorer 11**. - - ![microsoft security bulletin techcenter](images/securitybulletin-filter.png) - - 2. Click the title of the latest cumulative security update, and then scroll down to the **Affected software** table. - - ![affected software section](images/affectedsoftware.png) - - 3. Click the link that represents both your operating system version and Internet Explorer 11, and then follow the instructions in the **How to get this update** section. - -- [Setup and configuration package](https://go.microsoft.com/fwlink/p/?LinkId=517719), including: - - - Configuration-related PowerShell scripts - - - IETelemetry.mof file - - - Sample System Center 2012 report templates - - You must use System Center 2012 R2 Configuration Manager or later for these samples to work. - -Both the PowerShell script and the Managed Object Format (.MOF) file need to be copied to the same location on the client device, before you run the scripts. - -## What data is collected? -Data is collected on the configuration characteristics of IE and the sites it browses, as shown here. - -|Data point |IE11 |IE10 |IE9 |IE8 |Description | -|------------------------|-----|-----|-----|-----|------------------------------------------------------------------------| -|URL | X | X | X | X |URL of the browsed site, including any parameters included in the URL. | -|Domain | X | X | X | X |Top-level domain of the browsed site. | -|ActiveX GUID | X | X | X | X |GUID of the ActiveX controls loaded by the site. | -|Document mode | X | X | X | X |Document mode used by IE for a site, based on page characteristics. | -|Document mode reason | X | X | | |The reason why a document mode was set by IE. | -|Browser state reason | X | X | | |Additional information about why the browser is in its current state. Also called, browser mode. | -|Hang count | X | X | X | X |Number of visits to the URL when the browser hung. | -|Crash count | X | X | X | X |Number of visits to the URL when the browser crashed. | -|Most recent navigation failure (and count) | X | X | X | X |Description of the most recent navigation failure (like, a 404 bad request or 500 internal server error) and the number of times it happened. | -|Number of visits | X | X | X | X |Number of times a site has been visited. | -|Zone | X | X | X | X |Zone used by IE to browse sites, based on browser settings. | - - ->**Important**
By default, IE doesn’t collect this data; you have to turn this feature on if you want to use it. After you turn on this feature, data is collected on all sites visited by IE, except during InPrivate sessions. Additionally, the data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements. - -### Understanding the returned reason codes -The following tables provide more info about the Document mode reason, Browser state reason, and the Zone codes that are returned as part of your data collection. - -#### DocMode reason -The codes in this table can tell you what document mode was set by IE for a webpage.
These codes only apply to Internet Explorer 10 and Internet Explorer 11. - -|Code |Description | -|-----|------------| -|3 |Page state is set by the `FEATURE_DOCUMENT_COMPATIBLE_MODE` feature control key.| -|4 |Page is using an X-UA-compatible meta tag. | -|5 |Page is using an X-UA-compatible HTTP header. | -|6 |Page appears on an active **Compatibility View** list. | -|7 |Page is using native XML parsing. | -|8 |Page is using a special Quirks Mode Emulation (QME) mode that uses the modern layout engine, but the quirks behavior of Internet Explorer 5. | -|9 |Page state is set by the browser mode and the page's DOCTYPE.| - -#### Browser state reason -The codes in this table can tell you why the browser is in its current state. Also called “browser mode”.
These codes only apply to Internet Explorer 10 and Internet Explorer 11. - -|Code |Description | -|-----|------------| -|1 |Site is on the intranet, with the **Display intranet sites in Compatibility View** box checked. | -|2 |Site appears on an active **Compatibility View** list, created in Group Policy. | -|3 |Site appears on an active **Compatibility View** list, created by the user. | -|4 |Page is using an X-UA-compatible tag. | -|5 |Page state is set by the **Developer** toolbar. | -|6 |Page state is set by the `FEATURE_BROWSER_EMULATION` feature control key. | -|7 |Site appears on the Microsoft **Compatibility View (CV)** list. | -|8 |Site appears on the **Quirks** list, created in Group Policy. | -|11 |Site is using the default browser. | - -#### Zone -The codes in this table can tell you what zone is being used by IE to browse sites, based on browser settings.
These codes apply to Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11. - -|Code |Description | -|-----|------------| -|-1 |Internet Explorer is using an invalid zone. | -|0 |Internet Explorer is using the Local machine zone. | -|1 |Internet Explorer is using the Local intranet zone. | -|2 |Internet Explorer is using the Trusted sites zone. | -|3 |Internet Explorer is using the Internet zone. | -|4 |Internet Explorer is using the Restricted sites zone. | - -## Where is the data stored and how do I collect it? -The data is stored locally, in an industry-standard WMI class, .MOF file or in an XML file, depending on your configuration. This file remains on the client computer until it’s collected. To collect the files, we recommend: - -- **WMI file**. Use Microsoft Configuration Manager or any agent that can read the contents of a WMI class on your computer. - -- **XML file**. Any agent that works with XML can be used. - -## WMI Site Discovery suggestions -We recommend that you collect your data for at most a month at a time, to capture a user’s typical workflow. We don’t recommend collecting data longer than that because the data is stored in a WMI provider and can fill up your computer’s hard drive. You may also want to collect data only for pilot users or a representative sample of people, instead of turning this feature on for everyone in your company. - -On average, a website generates about 250bytes of data for each visit, causing only a minor impact to Internet Explorer’s performance. Over the course of a month, collecting data from 20 sites per day from 1,000 users, you’ll get about 150MB of data:

250 bytes (per site visit) X 20 sites/day X 30 days = (approximately) 150KB X 1000 users = (approximately) 150MB - ->**Important**
The data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements. - -## Getting ready to use Enterprise Site Discovery -Before you can start to collect your data, you must run the provided PowerShell script (IETelemetrySetUp.ps1) on your client devices to start generating the site discovery data and to set up a place to store this data locally. Then, you must start collecting the site discovery data from the client devices, using one of these three options: - -- Collect your hardware inventory using the MOF Editor, while connecting to a client device.

--OR- -- Collect your hardware inventory using the MOF Editor with a .MOF import file.

--OR- -- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) - -### WMI only: Running the PowerShell script to compile the .MOF file and to update security privileges -You need to set up your computers for data collection by running the provided PowerShell script (IETelemetrySetUp.ps1) to compile the .mof file and to update security privileges for the new WMI classes. - ->**Important**
You must run this script if you’re using WMI as your data output. It's not necessary if you're using XML as your data output. - -**To set up Enterprise Site Discovery** - -- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1 by by-passing the PowerShell execution policy, using this command: `powershell -ExecutionPolicy Bypass .\IETelemetrySetUp.ps1`. For more info, see [about Execution Policies](https://go.microsoft.com/fwlink/p/?linkid=517460). - -### WMI only: Set up your firewall for WMI data -If you choose to use WMI as your data output, you need to make sure that your WMI data can travel through your firewall for the domain. If you’re sure, you can skip this section; otherwise, follow these steps: - -**To set up your firewall** - -1. In **Control Panel**, click **System and Security**, and then click **Windows Firewall**. - -2. In the left pane, click **Allow an app or feature through Windows Firewall** and scroll down to check the box for **Windows Management Instrumentation (WMI)**. - -3. Restart your computer to start collecting your WMI data. - -## Use PowerShell to finish setting up Enterprise Site Discovery -You can determine which zones or domains are used for data collection, using PowerShell. If you don’t want to use PowerShell, you can do this using Group Policy. For more info, see [Use Group Policy to finish setting up Enterprise Site Discovery](#use-group-policy-to-finish-setting-up-enterprise-site-discovery). - ->**Important**
The .ps1 file updates turn on Enterprise Site Discovery and WMI collection for all users on a device. - -- **Domain allow list.** If you have a domain allow list, a comma-separated list of domains that should have this feature turned on, you should use this process. - -- **Zone allow list.** If you have a zone allow list, a comma-separated list of zones that should have this feature turned on, you should use this process. - -**To set up data collection using a domain allow list** - - - Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -SiteAllowList sharepoint.com,outlook.com,onedrive.com`. - - >**Important**
Wildcards, like \*.microsoft.com, aren’t supported. - -**To set up data collection using a zone allow list** - - - Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -ZoneAllowList Computer,Intranet,TrustedSites,Internet,RestrictedSites`. - - >**Important**
Only Computer, Intranet, TrustedSites, Internet, and RestrictedSites are supported. - -## Use Group Policy to finish setting up Enterprise Site Discovery -You can use Group Policy to finish setting up Enterprise Site Discovery. If you don’t want to use Group Policy, you can do this using PowerShell. For more info, see [Use Powershell to finish setting up Enterprise Site Discovery](#use-powershell-to-finish-setting-up-enterprise-site-discovery). - ->**Note**
 All of the Group Policy settings can be used individually or as a group. - - **To set up Enterprise Site Discovery using Group Policy** - -- Open your Group Policy editor, and go to these new settings: - - |Setting name and location |Description |Options | - |---------------------------|-------------|---------| - |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output |Writes collected data to a WMI class, which can be aggregated using a client-management solution like Configuration Manager. |

  • **On.** Turns on WMI recording.
  • **Off.** Turns off WMI recording.
| - |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output |Writes collected data to an XML file, which is stored in your specified location. |
  • **XML file path.** Including this turns on XML recording.
  • **Blank.** Turns off XML recording.
| - |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by Zone |Manages which zone can collect data. |To specify which zones can collect data, you must include a binary number that represents your selected zones, based on this order:

0 – Restricted Sites zone
0 – Internet zone
0 – Trusted Sites zone
0 – Local Intranet zone
0 – Local Machine zone

**Example 1:** Include only the Local Intranet zone

Binary representation: *00010*, based on:

0 – Restricted Sites zone
0 – Internet zone
0 – Trusted Sites zone
1 – Local Intranet zone
0 – Local Machine zone

**Example 2:** Include only the Restricted Sites, Trusted Sites, and Local Intranet zones

Binary representation: *10110*, based on:

1 – Restricted Sites zone
0 – Internet zone
1 – Trusted Sites zone
1 – Local Intranet zone
1 – Local Machine zone | - |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by domain |Manages which domains can collect data |To specify which domains can collect data, you must include your selected domains, one domain per line, in the provided box. It should look like:

microsoft.sharepoint.com
outlook.com
onedrive.com
timecard.contoso.com
LOBApp.contoso.com | - -### Combining WMI and XML Group Policy settings -You can use both the WMI and XML settings individually or together: - -**To turn off Enterprise Site Discovery** - - - - - - - - - - - - - -
Setting nameOption
Turn on Site Discovery WMI outputOff
Turn on Site Discovery XML outputBlank
- -**Turn on WMI recording only** - - - - - - - - - - - - - -
Setting nameOption
Turn on Site Discovery WMI outputOn
Turn on Site Discovery XML outputBlank
- -**To turn on XML recording only** - - - - - - - - - - - - - -
Setting nameOption
Turn on Site Discovery WMI outputOff
Turn on Site Discovery XML outputXML file path
- -To turn on both WMI and XML recording - - - - - - - - - - - - - -
Setting nameOption
Turn on Site Discovery WMI outputOn
Turn on Site Discovery XML outputXML file path
- -## Use Configuration Manager to collect your data -After you’ve collected your data, you’ll need to get the local files off of your employee’s computers. To do this, use the hardware inventory process in Configuration Manager, using one of these options: - -- Collect your hardware inventory using the MOF Editor, while connecting to a client device.

--OR- -- Collect your hardware inventory using the MOF Editor with a .MOF import file.

--OR- -- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) - -### Collect your hardware inventory using the MOF Editor while connected to a client device -You can collect your hardware inventory using the MOF Editor, while you’re connected to your client devices. - - **To collect your inventory** - -1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**. - - ![Configuration Manager, showing the hardware inventory settings for client computers](images/configmgrhardwareinventory.png) - -2. Click **Add**, click **Connect**, and connect to a computer that has completed the setup process and has already existing classes. - -3. Change the **WMI Namespace** to `root\cimv2\IETelemetry`, and click **Connect**. - - ![Configuration Manager, with the Connect to Windows Management Instrumentation (WMI) box](images/ie11-inventory-addclassconnectscreen.png) - -4. Select the check boxes next to the following classes, and then click **OK**: - - - IESystemInfo - - - IEURLInfo - - - IECountInfo - -5. Click **OK** to close the default windows.
-Your environment is now ready to collect your hardware inventory and review the sample reports. - -### Collect your hardware inventory using the MOF Editor with a .MOF import file -You can collect your hardware inventory using the MOF Editor and a .MOF import file. - - **To collect your inventory** - -1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**. - -2. Click **Import**, choose the MOF file from the downloaded package we provided, and click **Open**. - -3. Pick the inventory items to install, and then click **Import**. - -4. Click **OK** to close the default windows.
-Your environment is now ready to collect your hardware inventory and review the sample reports. - -### Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) -You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for System Center Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option. - -**To collect your inventory** - -1. Using a text editor like Notepad, open the SMS\DEF.MOF file, located in your `\inboxes\clifiles.src\hinv` directory. - -2. Add this text to the end of the file: - - ``` - [SMS_Report (TRUE), - SMS_Group_Name ("IESystemInfo"), - SMS_Class_ID ("MICROSOFT|IESystemInfo|1.0"), - Namespace ("root\\\\cimv2\\\\IETelemetry") ] - Class IESystemInfo: SMS_Class_Template - { - [SMS_Report (TRUE), Key ] - String SystemKey; - [SMS_Report (TRUE) ] - String IEVer; - }; - - [SMS_Report (TRUE), - SMS_Group_Name ("IEURLInfo"), - SMS_Class_ID ("MICROSOFT|IEURLInfo|1.0"), - Namespace ("root\\\\cimv2\\\\IETelemetry") ] - Class IEURLInfo: SMS_Class_Template - { - [SMS_Report (TRUE), Key ] - String URL; - [SMS_Report (TRUE) ] - String Domain; - [SMS_Report (TRUE) ] - UInt32 DocMode; - [SMS_Report (TRUE) ] - UInt32 DocModeReason; - [SMS_Report (TRUE) ] - UInt32 Zone; - [SMS_Report (TRUE) ] - UInt32 BrowserStateReason; - [SMS_Report (TRUE) ] - String ActiveXGUID[]; - [SMS_Report (TRUE) ] - UInt32 CrashCount; - [SMS_Report (TRUE) ] - UInt32 HangCount; - [SMS_Report (TRUE) ] - UInt32 NavigationFailureCount; - [SMS_Report (TRUE) ] - UInt32 NumberOfVisits; - [SMS_Report (TRUE) ] - UInt32 MostRecentNavigationFailure; - }; - - [SMS_Report (TRUE), - SMS_Group_Name ("IECountInfo"), - SMS_Class_ID ("MICROSOFT|IECountInfo|1.0"), - Namespace ("root\\\\cimv2\\\\IETelemetry") ] - Class IECountInfo: SMS_Class_Template - { - [SMS_Report (TRUE), Key ] - String CountKey; - [SMS_Report (TRUE) ] - UInt32 CrashCount; - [SMS_Report (TRUE) ] - UInt32 HangCount; - [SMS_Report (TRUE) ] - UInt32 NavigationFailureCount; - }; - ``` - -3. Save the file and close it to the same location. - Your environment is now ready to collect your hardware inventory and review the sample reports. - -## View the sample reports with your collected data -The sample reports, **SCCM Report Sample – ActiveX.rdl** and **SCCM Report Sample – Site Discovery.rdl**, work with System Center 2012, so you can review your collected data. - -### SCCM Report Sample – ActiveX.rdl -Gives you a list of all of the ActiveX-related sites visited by the client computer. - -![ActiveX.rdl report, lists all ActiveX-related sites visited by the client computer](images/configmgractivexreport.png) - -### SCCM Report Sample – Site Discovery.rdl -Gives you a list of all of the sites visited by the client computer. - -![Site Discovery.rdl report, lists all websites visited by the client computer](images/ie-site-discovery-sample-report.png) - -## View the collected XML data -After the XML files are created, you can use your own solutions to extract and parse the data. The data will look like: - -``` xml - - - [dword] - [dword] - [dword] - - - [string] - - [guid] - - [dword] - [dword] - [dword] - [dword] - [dword] - [dword] - [dword] - [dword] - [string] - [dword] - - - - -``` -You can import this XML data into the correct version of the Enterprise Mode Site List Manager, automatically adding the included sites to your Enterprise Mode site list. - -**To add your XML data to your Enterprise Mode site list** - -1. Open the Enterprise Mode Site List Manager, click **File**, and then click **Bulk add from file**. - - ![Enterprise Mode Site List Manager with Bulk add from file option](images/bulkadd-emiesitelistmgr.png) - -2. Go to your XML file to add the included sites to the tool, and then click **Open**.
Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md). - -3. Click **OK** to close the **Bulk add sites to the list** menu. - -## Turn off data collection on your client devices -After you’ve collected your data, you’ll need to turn Enterprise Site Discovery off. - -**To stop collecting data, using PowerShell** - -- On your client computer, start Windows PowerShell in elevated mode (using admin privileges) and run `IETelemetrySetUp.ps1`, using this command: `powershell -ExecutionPolicy Bypass .\IETelemetrySetUp.ps1 –IEFeatureOff`. - - >**Note**
Turning off data collection only disables the Enterprise Site Discovery feature – all data already written to WMI stays on your employee’s computer. - - -**To stop collecting data, using Group Policy** - -1. Open your Group Policy editor, go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output`, and click **Off**. - -2. Go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output`, and clear the file path location. - -### Delete already stored data from client computers -You can completely remove the data stored on your employee’s computers. - -**To delete all existing data** - -- On the client computer, start PowerShell in elevated mode (using admin privileges) and run these four commands: - - - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IEURLInfo` - - - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IESystemInfo` - - - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IECountInfo` - - - `Remove-Item -Path 'HKCU:\Software\Microsoft\Internet Explorer\WMITelemetry'` - -## Related topics -* [Enterprise Mode Site List Manager (schema v.2) download](https://go.microsoft.com/fwlink/?LinkId=746562) -* [Enterprise Mode for Internet Explorer 11 (IE11)](enterprise-mode-overview-for-ie11.md) - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. +author: dansimp +ms.prod: ie11 +ms.assetid: a145e80f-eb62-4116-82c4-3cc35fd064b6 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: Collect data using Enterprise Site Discovery +ms.sitesec: library +ms.date: 07/27/2017 +--- + +# Collect data using Enterprise Site Discovery + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 with Service Pack 1 (SP1) + +Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades. + +>**Upgrade Readiness and Windows upgrades**
+>You can use Upgrade Readiness to help manage your Windows 10 upgrades on devices running Windows 8.1 and Windows 7 (SP1). You can also use Upgrade Readiness to review several site discovery reports. For more information, see [Manage Windows upgrades with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). + + +## Before you begin +Before you start, you need to make sure you have the following: + +- Latest cumulative security update (for all supported versions of Internet Explorer): + + 1. Go to the [Microsoft Security Bulletin](https://go.microsoft.com/fwlink/p/?LinkID=718223) page, and change the filter to **Windows Internet Explorer 11**. + + ![microsoft security bulletin techcenter](images/securitybulletin-filter.png) + + 2. Click the title of the latest cumulative security update, and then scroll down to the **Affected software** table. + + ![affected software section](images/affectedsoftware.png) + + 3. Click the link that represents both your operating system version and Internet Explorer 11, and then follow the instructions in the **How to get this update** section. + +- [Setup and configuration package](https://go.microsoft.com/fwlink/p/?LinkId=517719), including: + + - Configuration-related PowerShell scripts + + - IETelemetry.mof file + + - Sample System Center 2012 report templates + + You must use System Center 2012 R2 Configuration Manager or later for these samples to work. + +Both the PowerShell script and the Managed Object Format (.MOF) file need to be copied to the same location on the client device, before you run the scripts. + +## What data is collected? +Data is collected on the configuration characteristics of IE and the sites it browses, as shown here. + +|Data point |IE11 |IE10 |IE9 |IE8 |Description | +|------------------------|-----|-----|-----|-----|------------------------------------------------------------------------| +|URL | X | X | X | X |URL of the browsed site, including any parameters included in the URL. | +|Domain | X | X | X | X |Top-level domain of the browsed site. | +|ActiveX GUID | X | X | X | X |GUID of the ActiveX controls loaded by the site. | +|Document mode | X | X | X | X |Document mode used by IE for a site, based on page characteristics. | +|Document mode reason | X | X | | |The reason why a document mode was set by IE. | +|Browser state reason | X | X | | |Additional information about why the browser is in its current state. Also called, browser mode. | +|Hang count | X | X | X | X |Number of visits to the URL when the browser hung. | +|Crash count | X | X | X | X |Number of visits to the URL when the browser crashed. | +|Most recent navigation failure (and count) | X | X | X | X |Description of the most recent navigation failure (like, a 404 bad request or 500 internal server error) and the number of times it happened. | +|Number of visits | X | X | X | X |Number of times a site has been visited. | +|Zone | X | X | X | X |Zone used by IE to browse sites, based on browser settings. | + + +>**Important**
By default, IE doesn’t collect this data; you have to turn this feature on if you want to use it. After you turn on this feature, data is collected on all sites visited by IE, except during InPrivate sessions. Additionally, the data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements. + +### Understanding the returned reason codes +The following tables provide more info about the Document mode reason, Browser state reason, and the Zone codes that are returned as part of your data collection. + +#### DocMode reason +The codes in this table can tell you what document mode was set by IE for a webpage.
These codes only apply to Internet Explorer 10 and Internet Explorer 11. + +|Code |Description | +|-----|------------| +|3 |Page state is set by the `FEATURE_DOCUMENT_COMPATIBLE_MODE` feature control key.| +|4 |Page is using an X-UA-compatible meta tag. | +|5 |Page is using an X-UA-compatible HTTP header. | +|6 |Page appears on an active **Compatibility View** list. | +|7 |Page is using native XML parsing. | +|8 |Page is using a special Quirks Mode Emulation (QME) mode that uses the modern layout engine, but the quirks behavior of Internet Explorer 5. | +|9 |Page state is set by the browser mode and the page's DOCTYPE.| + +#### Browser state reason +The codes in this table can tell you why the browser is in its current state. Also called “browser mode”.
These codes only apply to Internet Explorer 10 and Internet Explorer 11. + +|Code |Description | +|-----|------------| +|1 |Site is on the intranet, with the **Display intranet sites in Compatibility View** box checked. | +|2 |Site appears on an active **Compatibility View** list, created in Group Policy. | +|3 |Site appears on an active **Compatibility View** list, created by the user. | +|4 |Page is using an X-UA-compatible tag. | +|5 |Page state is set by the **Developer** toolbar. | +|6 |Page state is set by the `FEATURE_BROWSER_EMULATION` feature control key. | +|7 |Site appears on the Microsoft **Compatibility View (CV)** list. | +|8 |Site appears on the **Quirks** list, created in Group Policy. | +|11 |Site is using the default browser. | + +#### Zone +The codes in this table can tell you what zone is being used by IE to browse sites, based on browser settings.
These codes apply to Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11. + +|Code |Description | +|-----|------------| +|-1 |Internet Explorer is using an invalid zone. | +|0 |Internet Explorer is using the Local machine zone. | +|1 |Internet Explorer is using the Local intranet zone. | +|2 |Internet Explorer is using the Trusted sites zone. | +|3 |Internet Explorer is using the Internet zone. | +|4 |Internet Explorer is using the Restricted sites zone. | + +## Where is the data stored and how do I collect it? +The data is stored locally, in an industry-standard WMI class, .MOF file or in an XML file, depending on your configuration. This file remains on the client computer until it’s collected. To collect the files, we recommend: + +- **WMI file**. Use Microsoft Configuration Manager or any agent that can read the contents of a WMI class on your computer. + +- **XML file**. Any agent that works with XML can be used. + +## WMI Site Discovery suggestions +We recommend that you collect your data for at most a month at a time, to capture a user’s typical workflow. We don’t recommend collecting data longer than that because the data is stored in a WMI provider and can fill up your computer’s hard drive. You may also want to collect data only for pilot users or a representative sample of people, instead of turning this feature on for everyone in your company. + +On average, a website generates about 250bytes of data for each visit, causing only a minor impact to Internet Explorer’s performance. Over the course of a month, collecting data from 20 sites per day from 1,000 users, you’ll get about 150MB of data:

250 bytes (per site visit) X 20 sites/day X 30 days = (approximately) 150KB X 1000 users = (approximately) 150MB + +>**Important**
The data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements. + +## Getting ready to use Enterprise Site Discovery +Before you can start to collect your data, you must run the provided PowerShell script (IETelemetrySetUp.ps1) on your client devices to start generating the site discovery data and to set up a place to store this data locally. Then, you must start collecting the site discovery data from the client devices, using one of these three options: + +- Collect your hardware inventory using the MOF Editor, while connecting to a client device.

+-OR- +- Collect your hardware inventory using the MOF Editor with a .MOF import file.

+-OR- +- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) + +### WMI only: Running the PowerShell script to compile the .MOF file and to update security privileges +You need to set up your computers for data collection by running the provided PowerShell script (IETelemetrySetUp.ps1) to compile the .mof file and to update security privileges for the new WMI classes. + +>**Important**
You must run this script if you’re using WMI as your data output. It's not necessary if you're using XML as your data output. + +**To set up Enterprise Site Discovery** + +- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1 by by-passing the PowerShell execution policy, using this command: `powershell -ExecutionPolicy Bypass .\IETelemetrySetUp.ps1`. For more info, see [about Execution Policies](https://go.microsoft.com/fwlink/p/?linkid=517460). + +### WMI only: Set up your firewall for WMI data +If you choose to use WMI as your data output, you need to make sure that your WMI data can travel through your firewall for the domain. If you’re sure, you can skip this section; otherwise, follow these steps: + +**To set up your firewall** + +1. In **Control Panel**, click **System and Security**, and then click **Windows Firewall**. + +2. In the left pane, click **Allow an app or feature through Windows Firewall** and scroll down to check the box for **Windows Management Instrumentation (WMI)**. + +3. Restart your computer to start collecting your WMI data. + +## Use PowerShell to finish setting up Enterprise Site Discovery +You can determine which zones or domains are used for data collection, using PowerShell. If you don’t want to use PowerShell, you can do this using Group Policy. For more info, see [Use Group Policy to finish setting up Enterprise Site Discovery](#use-group-policy-to-finish-setting-up-enterprise-site-discovery). + +>**Important**
The .ps1 file updates turn on Enterprise Site Discovery and WMI collection for all users on a device. + +- **Domain allow list.** If you have a domain allow list, a comma-separated list of domains that should have this feature turned on, you should use this process. + +- **Zone allow list.** If you have a zone allow list, a comma-separated list of zones that should have this feature turned on, you should use this process. + +**To set up data collection using a domain allow list** + + - Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -SiteAllowList sharepoint.com,outlook.com,onedrive.com`. + + >**Important**
Wildcards, like \*.microsoft.com, aren’t supported. + +**To set up data collection using a zone allow list** + + - Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -ZoneAllowList Computer,Intranet,TrustedSites,Internet,RestrictedSites`. + + >**Important**
Only Computer, Intranet, TrustedSites, Internet, and RestrictedSites are supported. + +## Use Group Policy to finish setting up Enterprise Site Discovery +You can use Group Policy to finish setting up Enterprise Site Discovery. If you don’t want to use Group Policy, you can do this using PowerShell. For more info, see [Use Powershell to finish setting up Enterprise Site Discovery](#use-powershell-to-finish-setting-up-enterprise-site-discovery). + +>**Note**
 All of the Group Policy settings can be used individually or as a group. + + **To set up Enterprise Site Discovery using Group Policy** + +- Open your Group Policy editor, and go to these new settings: + + |Setting name and location |Description |Options | + |---------------------------|-------------|---------| + |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output |Writes collected data to a WMI class, which can be aggregated using a client-management solution like Configuration Manager. |

  • **On.** Turns on WMI recording.
  • **Off.** Turns off WMI recording.
| + |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output |Writes collected data to an XML file, which is stored in your specified location. |
  • **XML file path.** Including this turns on XML recording.
  • **Blank.** Turns off XML recording.
| + |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by Zone |Manages which zone can collect data. |To specify which zones can collect data, you must include a binary number that represents your selected zones, based on this order:

0 – Restricted Sites zone
0 – Internet zone
0 – Trusted Sites zone
0 – Local Intranet zone
0 – Local Machine zone

**Example 1:** Include only the Local Intranet zone

Binary representation: *00010*, based on:

0 – Restricted Sites zone
0 – Internet zone
0 – Trusted Sites zone
1 – Local Intranet zone
0 – Local Machine zone

**Example 2:** Include only the Restricted Sites, Trusted Sites, and Local Intranet zones

Binary representation: *10110*, based on:

1 – Restricted Sites zone
0 – Internet zone
1 – Trusted Sites zone
1 – Local Intranet zone
1 – Local Machine zone | + |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by domain |Manages which domains can collect data |To specify which domains can collect data, you must include your selected domains, one domain per line, in the provided box. It should look like:

microsoft.sharepoint.com
outlook.com
onedrive.com
timecard.contoso.com
LOBApp.contoso.com | + +### Combining WMI and XML Group Policy settings +You can use both the WMI and XML settings individually or together: + +**To turn off Enterprise Site Discovery** + + + + + + + + + + + + + +
Setting nameOption
Turn on Site Discovery WMI outputOff
Turn on Site Discovery XML outputBlank
+ +**Turn on WMI recording only** + + + + + + + + + + + + + +
Setting nameOption
Turn on Site Discovery WMI outputOn
Turn on Site Discovery XML outputBlank
+ +**To turn on XML recording only** + + + + + + + + + + + + + +
Setting nameOption
Turn on Site Discovery WMI outputOff
Turn on Site Discovery XML outputXML file path
+ +To turn on both WMI and XML recording + + + + + + + + + + + + + +
Setting nameOption
Turn on Site Discovery WMI outputOn
Turn on Site Discovery XML outputXML file path
+ +## Use Configuration Manager to collect your data +After you’ve collected your data, you’ll need to get the local files off of your employee’s computers. To do this, use the hardware inventory process in Configuration Manager, using one of these options: + +- Collect your hardware inventory using the MOF Editor, while connecting to a client device.

+-OR- +- Collect your hardware inventory using the MOF Editor with a .MOF import file.

+-OR- +- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) + +### Collect your hardware inventory using the MOF Editor while connected to a client device +You can collect your hardware inventory using the MOF Editor, while you’re connected to your client devices. + + **To collect your inventory** + +1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**. + + ![Configuration Manager, showing the hardware inventory settings for client computers](images/configmgrhardwareinventory.png) + +2. Click **Add**, click **Connect**, and connect to a computer that has completed the setup process and has already existing classes. + +3. Change the **WMI Namespace** to `root\cimv2\IETelemetry`, and click **Connect**. + + ![Configuration Manager, with the Connect to Windows Management Instrumentation (WMI) box](images/ie11-inventory-addclassconnectscreen.png) + +4. Select the check boxes next to the following classes, and then click **OK**: + + - IESystemInfo + + - IEURLInfo + + - IECountInfo + +5. Click **OK** to close the default windows.
+Your environment is now ready to collect your hardware inventory and review the sample reports. + +### Collect your hardware inventory using the MOF Editor with a .MOF import file +You can collect your hardware inventory using the MOF Editor and a .MOF import file. + + **To collect your inventory** + +1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**. + +2. Click **Import**, choose the MOF file from the downloaded package we provided, and click **Open**. + +3. Pick the inventory items to install, and then click **Import**. + +4. Click **OK** to close the default windows.
+Your environment is now ready to collect your hardware inventory and review the sample reports. + +### Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) +You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for System Center Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option. + +**To collect your inventory** + +1. Using a text editor like Notepad, open the SMS\DEF.MOF file, located in your `\inboxes\clifiles.src\hinv` directory. + +2. Add this text to the end of the file: + + ``` + [SMS_Report (TRUE), + SMS_Group_Name ("IESystemInfo"), + SMS_Class_ID ("MICROSOFT|IESystemInfo|1.0"), + Namespace ("root\\\\cimv2\\\\IETelemetry") ] + Class IESystemInfo: SMS_Class_Template + { + [SMS_Report (TRUE), Key ] + String SystemKey; + [SMS_Report (TRUE) ] + String IEVer; + }; + + [SMS_Report (TRUE), + SMS_Group_Name ("IEURLInfo"), + SMS_Class_ID ("MICROSOFT|IEURLInfo|1.0"), + Namespace ("root\\\\cimv2\\\\IETelemetry") ] + Class IEURLInfo: SMS_Class_Template + { + [SMS_Report (TRUE), Key ] + String URL; + [SMS_Report (TRUE) ] + String Domain; + [SMS_Report (TRUE) ] + UInt32 DocMode; + [SMS_Report (TRUE) ] + UInt32 DocModeReason; + [SMS_Report (TRUE) ] + UInt32 Zone; + [SMS_Report (TRUE) ] + UInt32 BrowserStateReason; + [SMS_Report (TRUE) ] + String ActiveXGUID[]; + [SMS_Report (TRUE) ] + UInt32 CrashCount; + [SMS_Report (TRUE) ] + UInt32 HangCount; + [SMS_Report (TRUE) ] + UInt32 NavigationFailureCount; + [SMS_Report (TRUE) ] + UInt32 NumberOfVisits; + [SMS_Report (TRUE) ] + UInt32 MostRecentNavigationFailure; + }; + + [SMS_Report (TRUE), + SMS_Group_Name ("IECountInfo"), + SMS_Class_ID ("MICROSOFT|IECountInfo|1.0"), + Namespace ("root\\\\cimv2\\\\IETelemetry") ] + Class IECountInfo: SMS_Class_Template + { + [SMS_Report (TRUE), Key ] + String CountKey; + [SMS_Report (TRUE) ] + UInt32 CrashCount; + [SMS_Report (TRUE) ] + UInt32 HangCount; + [SMS_Report (TRUE) ] + UInt32 NavigationFailureCount; + }; + ``` + +3. Save the file and close it to the same location. + Your environment is now ready to collect your hardware inventory and review the sample reports. + +## View the sample reports with your collected data +The sample reports, **SCCM Report Sample – ActiveX.rdl** and **SCCM Report Sample – Site Discovery.rdl**, work with System Center 2012, so you can review your collected data. + +### SCCM Report Sample – ActiveX.rdl +Gives you a list of all of the ActiveX-related sites visited by the client computer. + +![ActiveX.rdl report, lists all ActiveX-related sites visited by the client computer](images/configmgractivexreport.png) + +### SCCM Report Sample – Site Discovery.rdl +Gives you a list of all of the sites visited by the client computer. + +![Site Discovery.rdl report, lists all websites visited by the client computer](images/ie-site-discovery-sample-report.png) + +## View the collected XML data +After the XML files are created, you can use your own solutions to extract and parse the data. The data will look like: + +``` xml + + + [dword] + [dword] + [dword] + + + [string] + + [guid] + + [dword] + [dword] + [dword] + [dword] + [dword] + [dword] + [dword] + [dword] + [string] + [dword] + + + + +``` +You can import this XML data into the correct version of the Enterprise Mode Site List Manager, automatically adding the included sites to your Enterprise Mode site list. + +**To add your XML data to your Enterprise Mode site list** + +1. Open the Enterprise Mode Site List Manager, click **File**, and then click **Bulk add from file**. + + ![Enterprise Mode Site List Manager with Bulk add from file option](images/bulkadd-emiesitelistmgr.png) + +2. Go to your XML file to add the included sites to the tool, and then click **Open**.
Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md). + +3. Click **OK** to close the **Bulk add sites to the list** menu. + +## Turn off data collection on your client devices +After you’ve collected your data, you’ll need to turn Enterprise Site Discovery off. + +**To stop collecting data, using PowerShell** + +- On your client computer, start Windows PowerShell in elevated mode (using admin privileges) and run `IETelemetrySetUp.ps1`, using this command: `powershell -ExecutionPolicy Bypass .\IETelemetrySetUp.ps1 –IEFeatureOff`. + + >**Note**
Turning off data collection only disables the Enterprise Site Discovery feature – all data already written to WMI stays on your employee’s computer. + + +**To stop collecting data, using Group Policy** + +1. Open your Group Policy editor, go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output`, and click **Off**. + +2. Go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output`, and clear the file path location. + +### Delete already stored data from client computers +You can completely remove the data stored on your employee’s computers. + +**To delete all existing data** + +- On the client computer, start PowerShell in elevated mode (using admin privileges) and run these four commands: + + - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IEURLInfo` + + - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IESystemInfo` + + - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IECountInfo` + + - `Remove-Item -Path 'HKCU:\Software\Microsoft\Internet Explorer\WMITelemetry'` + +## Related topics +* [Enterprise Mode Site List Manager (schema v.2) download](https://go.microsoft.com/fwlink/?LinkId=746562) +* [Enterprise Mode for Internet Explorer 11 (IE11)](enterprise-mode-overview-for-ie11.md) + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md index bc538f78ad..502c425b80 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md @@ -1,97 +1,97 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Details about how the Administrator can use the Settings page to set up Groups and roles, the Enterprise Mode Site List Portal environment, and the freeze dates for production changes. -author: lomayor -ms.prod: ie11 -title: Use the Settings page to finish setting up the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp -ms.author: lomayor ---- - -# Use the Settings page to finish setting up the Enterprise Mode Site List Portal - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -The **Settings** page lets anyone with Administrator rights set up groups and roles, set up the Enterprise Mode Site List Portal environment, and choose the freeze dates for production changes. - -## Use the Environment settings area -This area lets you specify the location of your production and pre-production environments, where to store your attachments, your settings location, and the website domain for email notifications. - -**To add location info** -1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page. - - The **Settings** page appears. - -2. In the **Environment settings** area of the page, provide the info for your **Pre-production environment**, your **Production environment**, your **Attachments location**, your **Settings location**, and your **Website domain for email notifications**. - -3. Click **Credentials** to add the appropriate domain, user name, and password for each location, and then click **OK**. - -## Use the Group and role settings area -After you set up your email credentials, you'll be able to add or edit your Group info, along with picking which roles must be Approvers for the group. - -**To add a new group and determine the required change request Approvers** -1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page. - - The **Settings** page appears. - -2. In the **Group and role settings** area of the page, click **Group details**. - - The **Add or edit group names** box appears. - -3. Click the **Add group** tab, and then add the following info: - - - **New group name.** Type name of your new group. - - - **Group head email.** Type the email address for the primary contact for the group. - - - **Group head name.** This box automatically fills, based on the email address. - - - **Active.** Click the check box to make the group active in the system. If you want to keep the group in the system, but you want to prevent access, clear this check box. - -4. Click **Save**. - - -**To set a group's required Approvers** -1. In the **Group and role settings** area of the page, choose the group name you want to update with Approvers from the **Group name** box. - -2. In the **Required approvers** area, choose which roles are required to approve a change request for the group. You can choose one or many roles. - - - **App Manager.** All employees in the selected group must get change request approval by someone assigned this role. - - You can change the name of this role by clicking the pencil icon and providing a new name in the **Edit role name** box. - - - **Group Head.** All employees in the selected group must get change request approval by someone assigned this role. - - You can change the name of this role by clicking the pencil icon and providing a new name in the **Edit role name** box. - - - **Administrator.** All employees in the selected group must get change request approval by someone assigned this role. - -## Use the Freeze production changes area -This optional area lets you specify a period when your employees must stop adding changes to the current Enterprise Mode Site List. This must include both a start and an end date. - -**To add the start and end dates** -1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page. - - The **Settings** page appears. - -2. In the **Freeze production changes** area of the page, use the calendars to provide the **Freeze start date** and the **Freeze end date**. Your employees can't add apps to the production Enterprise Mode Site List during this span of time. - -3. Click **Save**. - -## Related topics -- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) - -- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md) - -- [Use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md) +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how the Administrator can use the Settings page to set up Groups and roles, the Enterprise Mode Site List Portal environment, and the freeze dates for production changes. +author: lomayor +ms.prod: ie11 +title: Use the Settings page to finish setting up the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +--- + +# Use the Settings page to finish setting up the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +The **Settings** page lets anyone with Administrator rights set up groups and roles, set up the Enterprise Mode Site List Portal environment, and choose the freeze dates for production changes. + +## Use the Environment settings area +This area lets you specify the location of your production and pre-production environments, where to store your attachments, your settings location, and the website domain for email notifications. + +**To add location info** +1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page. + + The **Settings** page appears. + +2. In the **Environment settings** area of the page, provide the info for your **Pre-production environment**, your **Production environment**, your **Attachments location**, your **Settings location**, and your **Website domain for email notifications**. + +3. Click **Credentials** to add the appropriate domain, user name, and password for each location, and then click **OK**. + +## Use the Group and role settings area +After you set up your email credentials, you'll be able to add or edit your Group info, along with picking which roles must be Approvers for the group. + +**To add a new group and determine the required change request Approvers** +1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page. + + The **Settings** page appears. + +2. In the **Group and role settings** area of the page, click **Group details**. + + The **Add or edit group names** box appears. + +3. Click the **Add group** tab, and then add the following info: + + - **New group name.** Type name of your new group. + + - **Group head email.** Type the email address for the primary contact for the group. + + - **Group head name.** This box automatically fills, based on the email address. + + - **Active.** Click the check box to make the group active in the system. If you want to keep the group in the system, but you want to prevent access, clear this check box. + +4. Click **Save**. + + +**To set a group's required Approvers** +1. In the **Group and role settings** area of the page, choose the group name you want to update with Approvers from the **Group name** box. + +2. In the **Required approvers** area, choose which roles are required to approve a change request for the group. You can choose one or many roles. + + - **App Manager.** All employees in the selected group must get change request approval by someone assigned this role. + + You can change the name of this role by clicking the pencil icon and providing a new name in the **Edit role name** box. + + - **Group Head.** All employees in the selected group must get change request approval by someone assigned this role. + + You can change the name of this role by clicking the pencil icon and providing a new name in the **Edit role name** box. + + - **Administrator.** All employees in the selected group must get change request approval by someone assigned this role. + +## Use the Freeze production changes area +This optional area lets you specify a period when your employees must stop adding changes to the current Enterprise Mode Site List. This must include both a start and an end date. + +**To add the start and end dates** +1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page. + + The **Settings** page appears. + +2. In the **Freeze production changes** area of the page, use the calendars to provide the **Freeze start date** and the **Freeze end date**. Your employees can't add apps to the production Enterprise Mode Site List during this span of time. + +3. Click **Save**. + +## Related topics +- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) + +- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md) + +- [Use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md) diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md index 3f3ea15d45..24e93d73e5 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md @@ -1,73 +1,73 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Details about how to create a change request within the Enterprise Mode Site List Portal. -author: lomayor -ms.prod: ie11 -title: Create a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp -ms.author: lomayor ---- - -# Create a change request using the Enterprise Mode Site List Portal - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Employees assigned to the Requester role can create a change request. A change request is used to tell the Approvers and the Administrator that a website needs to be added or removed from the Enterprise Mode Site List. The employee can navigate to each stage of the process by using the workflow links provided at the top of each page of the portal. - ->[!Important] ->Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct. - -**To create a new change request** -1. The Requester (an employee that has been assigned the Requester role) signs into the Enterprise Mode Site List Portal, and clicks **Create new request**. - - The **Create new request** page appears. - -2. Fill out the required fields, based on the group and the app, including: - - - **Group name.** Select the name of your group from the dropdown box. - - - **App name.** Type the name of the app you want to add, delete, or update in the Enterprise Mode Site List. - - - **Search all apps.** If you can't remember the name of your app, you can click **Search all apps** and search the list. - - - **Add new app.** If your app isn't listed, you can click **Add new app** to add it to the list. - - - **Requested by.** Automatically filled in with your name. - - - **Description.** Add descriptive info about the app. - - - **Requested change.** Select whether you want to **Add to EMIE**, **Delete from EMIE**, or **Update to EMIE**. - - - **Reason for request.** Select the best reason for why you want to update, delete, or add the app. - - - **Business impact (optional).** An optional area where you can provide info about the business impact of this app and the change. - - - **App location (URL).** The full URL location to the app, starting with https:// or https://. - - - **App best viewed in.** Select the best browser experience for the app. This can be Internet Explorer 5 through Internet Explorer 11 or one of the IE7Enterprise or IE8Enterprise modes. - - - **Is an x-ua tag used?** Select **Yes** or **No** whether an x-ua-compatible tag is used by the app. For more info about x-ua-compatible tags, see the topics in [Defining document compatibility](https://msdn.microsoft.com/library/cc288325(v=vs.85).aspx). - -4. Click **Save and continue** to save the request and get the app info sent to the pre-production environment site list for testing. - - A message appears that the request was successful, including a **Request ID** number, saying that the change is being made to the pre-production environment site list. - -5. The Requester gets an email with a batch script, that when run, configures their test machine for the pre-production environment, along with the necessary steps to make sure the changed info is correct. - - - **If the change is correct.** The Requester asks the approvers to approve the change request by selecting **Successful** and clicking **Send for approval**. - - - **If the change is incorrect.** The Requester can rollback the change in pre-production or ask for help from the Administrator. - -## Next steps -After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see the [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md) topic. +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how to create a change request within the Enterprise Mode Site List Portal. +author: lomayor +ms.prod: ie11 +title: Create a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +--- + +# Create a change request using the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Employees assigned to the Requester role can create a change request. A change request is used to tell the Approvers and the Administrator that a website needs to be added or removed from the Enterprise Mode Site List. The employee can navigate to each stage of the process by using the workflow links provided at the top of each page of the portal. + +>[!Important] +>Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct. + +**To create a new change request** +1. The Requester (an employee that has been assigned the Requester role) signs into the Enterprise Mode Site List Portal, and clicks **Create new request**. + + The **Create new request** page appears. + +2. Fill out the required fields, based on the group and the app, including: + + - **Group name.** Select the name of your group from the dropdown box. + + - **App name.** Type the name of the app you want to add, delete, or update in the Enterprise Mode Site List. + + - **Search all apps.** If you can't remember the name of your app, you can click **Search all apps** and search the list. + + - **Add new app.** If your app isn't listed, you can click **Add new app** to add it to the list. + + - **Requested by.** Automatically filled in with your name. + + - **Description.** Add descriptive info about the app. + + - **Requested change.** Select whether you want to **Add to EMIE**, **Delete from EMIE**, or **Update to EMIE**. + + - **Reason for request.** Select the best reason for why you want to update, delete, or add the app. + + - **Business impact (optional).** An optional area where you can provide info about the business impact of this app and the change. + + - **App location (URL).** The full URL location to the app, starting with https:// or https://. + + - **App best viewed in.** Select the best browser experience for the app. This can be Internet Explorer 5 through Internet Explorer 11 or one of the IE7Enterprise or IE8Enterprise modes. + + - **Is an x-ua tag used?** Select **Yes** or **No** whether an x-ua-compatible tag is used by the app. For more info about x-ua-compatible tags, see the topics in [Defining document compatibility](https://msdn.microsoft.com/library/cc288325(v=vs.85).aspx). + +4. Click **Save and continue** to save the request and get the app info sent to the pre-production environment site list for testing. + + A message appears that the request was successful, including a **Request ID** number, saying that the change is being made to the pre-production environment site list. + +5. The Requester gets an email with a batch script, that when run, configures their test machine for the pre-production environment, along with the necessary steps to make sure the changed info is correct. + + - **If the change is correct.** The Requester asks the approvers to approve the change request by selecting **Successful** and clicking **Send for approval**. + + - **If the change is incorrect.** The Requester can rollback the change in pre-production or ask for help from the Administrator. + +## Next steps +After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see the [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md) topic. diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md b/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md index 090b718581..c69b357557 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md +++ b/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md @@ -1,43 +1,43 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Create packages for multiple operating systems or languages -author: lomayor -ms.prod: ie11 -ms.assetid: 44051f9d-63a7-43bf-a427-d0a0a1c717da -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Create packages for multiple operating systems or languages (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Create packages for multiple operating systems or languages -You'll create multiple versions of your custom browser package if: - -- You support more than 1 version of Windows®. - -- You support more than 1 language. - -- You have custom installation packages with only minor differences. Like, having a different phone number. - - **To create a new package** - -1. Create an installation package using the Internet Explorer Customization Wizard 11, as described in the [Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options](../ie11-ieak/ieak11-wizard-custom-options.md) topic. - -2. Go to your **CIE/Custom** folder and rename the `Install.ins`file. For example, if you need a version for employees in Texas, rename the file to Texas.ins. - -3. Run the wizard again, using the Custom folder as the destination directory.

-**Important**
-Except for the **Title bar** text, **Favorites**, **Links bar**, **Home page**, and **Search bar**, keep all of your wizard settings the same for all of your build computers. - - - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Create packages for multiple operating systems or languages +author: lomayor +ms.prod: ie11 +ms.assetid: 44051f9d-63a7-43bf-a427-d0a0a1c717da +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Create packages for multiple operating systems or languages (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Create packages for multiple operating systems or languages +You'll create multiple versions of your custom browser package if: + +- You support more than 1 version of Windows®. + +- You support more than 1 language. + +- You have custom installation packages with only minor differences. Like, having a different phone number. + + **To create a new package** + +1. Create an installation package using the Internet Explorer Customization Wizard 11, as described in the [Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options](../ie11-ieak/ieak11-wizard-custom-options.md) topic. + +2. Go to your **CIE/Custom** folder and rename the `Install.ins`file. For example, if you need a version for employees in Texas, rename the file to Texas.ins. + +3. Run the wizard again, using the Custom folder as the destination directory.

+**Important**
+Except for the **Title bar** text, **Favorites**, **Links bar**, **Home page**, and **Search bar**, keep all of your wizard settings the same for all of your build computers. + + + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md index 421429eb16..d5ebc1d49f 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md +++ b/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md @@ -1,44 +1,44 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Customize Internet Explorer 11 installation packages -author: lomayor -ms.prod: ie11 -ms.assetid: 10a14a09-673b-4f8b-8d12-64036135e7fd -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Customize Internet Explorer 11 installation packages (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Customize Internet Explorer 11 installation packages -You can customize Internet Explorer 11 to support various browser behaviors, multiple operating system versions and languages, and Setup information (.inf) files. - -|Topic |Description | -|------------------------------------------------------------------------|----------------------------------------------------| -|[Using IEAK 11 to create packages](using-ieak11-to-create-install-packages.md) |How to use the Internet Explorer Administration Kit 11 (IEAK 11) and the IE Customization Wizard 11 to set up, configure, deploy, and maintain IE11. | -|[Create packages for multiple operating systems or languages](create-install-packages-for-multiple-operating-systems-or-languages.md) |How to create multiple versions of your custom installation package, to support multiple operating systems or languages. | -|[Using .INF files to create packages](using-inf-files-to-create-install-packages.md) |How to use the Microsoft® Windows Setup Engine to automate setup tasks and customize your component installations. | - - - -In addition, you can configure IE before, during, or after deployment, using these tools: - -- **IE Administration Kit 11 (IEAK 11)**. Creates customized installation packages that can be deployed through your software distribution system. For more information about the IEAK 11, see [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md). - -- **Group Policy**. Configures and enforces IE11 settings. For more information about settings and configuration options, see [Group policy objects and Internet Explorer 11 (IE11)](group-policy-objects-and-ie11.md). - -- **Unattend.xml**. Customizes some of the IE settings during your Windows installation. This option only applies if you're updating a Windows image with IE11.

**Note**
-You'll only see the new IE11 Unattend.xml settings if your Unattend.xml file's associated with a Windows image that includes the IE11 update. For more information about editing and using the Unattend.xml file, see [Unattended Windows Setup Reference](https://go.microsoft.com/fwlink/p/?LinkId=276788). For more information about using the Windows System Image Manager, see [Windows System Image Manager Technical Reference](https://go.microsoft.com/fwlink/p/?LinkId=276789). - -   - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Customize Internet Explorer 11 installation packages +author: lomayor +ms.prod: ie11 +ms.assetid: 10a14a09-673b-4f8b-8d12-64036135e7fd +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Customize Internet Explorer 11 installation packages (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Customize Internet Explorer 11 installation packages +You can customize Internet Explorer 11 to support various browser behaviors, multiple operating system versions and languages, and Setup information (.inf) files. + +|Topic |Description | +|------------------------------------------------------------------------|----------------------------------------------------| +|[Using IEAK 11 to create packages](using-ieak11-to-create-install-packages.md) |How to use the Internet Explorer Administration Kit 11 (IEAK 11) and the IE Customization Wizard 11 to set up, configure, deploy, and maintain IE11. | +|[Create packages for multiple operating systems or languages](create-install-packages-for-multiple-operating-systems-or-languages.md) |How to create multiple versions of your custom installation package, to support multiple operating systems or languages. | +|[Using .INF files to create packages](using-inf-files-to-create-install-packages.md) |How to use the Microsoft® Windows Setup Engine to automate setup tasks and customize your component installations. | + + + +In addition, you can configure IE before, during, or after deployment, using these tools: + +- **IE Administration Kit 11 (IEAK 11)**. Creates customized installation packages that can be deployed through your software distribution system. For more information about the IEAK 11, see [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md). + +- **Group Policy**. Configures and enforces IE11 settings. For more information about settings and configuration options, see [Group policy objects and Internet Explorer 11 (IE11)](group-policy-objects-and-ie11.md). + +- **Unattend.xml**. Customizes some of the IE settings during your Windows installation. This option only applies if you're updating a Windows image with IE11.

**Note**
+You'll only see the new IE11 Unattend.xml settings if your Unattend.xml file's associated with a Windows image that includes the IE11 update. For more information about editing and using the Unattend.xml file, see [Unattended Windows Setup Reference](https://go.microsoft.com/fwlink/p/?LinkId=276788). For more information about using the Windows System Image Manager, see [Windows System Image Manager Technical Reference](https://go.microsoft.com/fwlink/p/?LinkId=276789). + +   + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md index 9fe470dfba..71d871cad1 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md @@ -1,49 +1,49 @@ ---- -ms.localizationpriority: medium -description: Delete a single site from your global Enterprise Mode site list. -ms.pagetype: appcompat -ms.mktglfcycl: deploy -author: lomayor -ms.prod: ie11 -ms.assetid: 41413459-b57f-48da-aedb-4cbec1e2981a -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - - - **To delete a single site from your global Enterprise Mode site list** - -- From the Enterprise Mode Site List Manager, pick the site you want to delete, and then click **Delete**.
-The site is permanently removed from your list. - -If you delete a site by mistake, you’ll need to manually add it back using the instructions in the following topics, based on operating system. - -- [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md) - -- [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md) - -## Related topics -- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) -  - -  - - - +--- +ms.localizationpriority: medium +description: Delete a single site from your global Enterprise Mode site list. +ms.pagetype: appcompat +ms.mktglfcycl: deploy +author: lomayor +ms.prod: ie11 +ms.assetid: 41413459-b57f-48da-aedb-4cbec1e2981a +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + + + **To delete a single site from your global Enterprise Mode site list** + +- From the Enterprise Mode Site List Manager, pick the site you want to delete, and then click **Delete**.
+The site is permanently removed from your list. + +If you delete a site by mistake, you’ll need to manually add it back using the instructions in the following topics, based on operating system. + +- [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md) + +- [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md) + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md index e964d84927..21baca9a6b 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md +++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md @@ -1,35 +1,35 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: You can deploy Internet Explorer 11 to your users' computers by using your custom browser packages and Automatic Version Synchronization (AVS). -author: lomayor -ms.prod: ie11 -ms.assetid: f51224bd-3371-4551-821d-1d62310e3384 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Deploy Internet Explorer 11 using Automatic Version Synchronization (AVS) (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - -# Deploy Internet Explorer 11 using Automatic Version Synchronization (AVS) -You can deploy Internet Explorer 11 to your users' computers by using your custom browser packages and Automatic Version Synchronization (AVS). - -## What is Automatic Version Synchronization? -Automatic Version Synchronization (AVS) lets you use the Internet Explorer Administration Kit 11 (IEAK 11) to synchronize the IE11 setup files on a local computer with the latest setup files on the web. - -You must synchronize the setup files at least once on the local computer, for each language and operating system combination, before proceeding through the rest of the wizard. If your packages have more than one version of IE, you need to keep the versions in separate component download folders, which can be pointed to from the **File Locations** page of the IEAK 11. For more information about using the AVS feature, see [Use the Automatic Version Synchronization page in the IEAK 11 Wizard](../ie11-ieak/auto-version-sync-ieak11-wizard.md) -. - -## Related topics -- [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md) -- [Customize Internet Explorer 11 installation packages](customize-ie11-install-packages.md) - - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: You can deploy Internet Explorer 11 to your users' computers by using your custom browser packages and Automatic Version Synchronization (AVS). +author: lomayor +ms.prod: ie11 +ms.assetid: f51224bd-3371-4551-821d-1d62310e3384 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Deploy Internet Explorer 11 using Automatic Version Synchronization (AVS) (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + +# Deploy Internet Explorer 11 using Automatic Version Synchronization (AVS) +You can deploy Internet Explorer 11 to your users' computers by using your custom browser packages and Automatic Version Synchronization (AVS). + +## What is Automatic Version Synchronization? +Automatic Version Synchronization (AVS) lets you use the Internet Explorer Administration Kit 11 (IEAK 11) to synchronize the IE11 setup files on a local computer with the latest setup files on the web. + +You must synchronize the setup files at least once on the local computer, for each language and operating system combination, before proceeding through the rest of the wizard. If your packages have more than one version of IE, you need to keep the versions in separate component download folders, which can be pointed to from the **File Locations** page of the IEAK 11. For more information about using the AVS feature, see [Use the Automatic Version Synchronization page in the IEAK 11 Wizard](../ie11-ieak/auto-version-sync-ieak11-wizard.md) +. + +## Related topics +- [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md) +- [Customize Internet Explorer 11 installation packages](customize-ie11-install-packages.md) + + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md index cffde71282..1df03c3f05 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md +++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md @@ -1,33 +1,33 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Deploy Internet Explorer 11 using software distribution tools -author: lomayor -ms.prod: ie11 -ms.assetid: fd027775-651a-41e1-8ec3-d32eca876d8a -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Deploy Internet Explorer 11 using software distribution tools (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Deploy Internet Explorer 11 using software distribution tools -If you already manage software distribution and updates on your network through software distribution tools, you can also use these tools for ongoing deployments of Internet Explorer. Software distribution tools include: - -- **System Center R2 2012 System Center 2012 R2 Configuration Manager.** Deploy and install Internet Explorer 11 on your user's computers through a software distribution package. For more information about using this tool, see [System Center R2 2012 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkID=276664). - -- **Windows Server Update Services (WSUS).** Download a single copy of the IE11 updates, caching them to local servers so your users' computers can receive the updates directly from the WSUS servers, instead of through Windows Update. For more information about using this tool, see [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790). - -- **Group Policy Software Installation.** Deploy and install IE11 on your user's computers through a combination of Group Policy and Microsoft Active Directory. For more information about using this tool, see [Group Policy Software Installation overview](https://go.microsoft.com/fwlink/p/?LinkId=296365). - -- **Microsoft Deployment Toolkit (MDT).** Add the IE11 update to your deployment share, using MDT to update your previously-deployed Windows image. For more information about using this tool, see [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkID=331148). - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Deploy Internet Explorer 11 using software distribution tools +author: lomayor +ms.prod: ie11 +ms.assetid: fd027775-651a-41e1-8ec3-d32eca876d8a +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Deploy Internet Explorer 11 using software distribution tools (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Deploy Internet Explorer 11 using software distribution tools +If you already manage software distribution and updates on your network through software distribution tools, you can also use these tools for ongoing deployments of Internet Explorer. Software distribution tools include: + +- **System Center R2 2012 System Center 2012 R2 Configuration Manager.** Deploy and install Internet Explorer 11 on your user's computers through a software distribution package. For more information about using this tool, see [System Center R2 2012 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkID=276664). + +- **Windows Server Update Services (WSUS).** Download a single copy of the IE11 updates, caching them to local servers so your users' computers can receive the updates directly from the WSUS servers, instead of through Windows Update. For more information about using this tool, see [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790). + +- **Group Policy Software Installation.** Deploy and install IE11 on your user's computers through a combination of Group Policy and Microsoft Active Directory. For more information about using this tool, see [Group Policy Software Installation overview](https://go.microsoft.com/fwlink/p/?LinkId=296365). + +- **Microsoft Deployment Toolkit (MDT).** Add the IE11 update to your deployment share, using MDT to update your previously-deployed Windows image. For more information about using this tool, see [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkID=331148). + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md index b2038ad2f7..acb447d590 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md +++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md @@ -1,121 +1,121 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: You can pin websites to the Windows 8.1 taskbar for quick access using the Microsoft Deployment Toolkit (MDT) 2013. -author: lomayor -ms.prod: ie11 -ms.assetid: 24f4dcac-9032-4fe8-bf6d-2d712d61cb0c -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Deploy pinned websites using Microsoft Deployment Toolkit (MDT) 2013 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Deploy pinned websites using Microsoft Deployment Toolkit (MDT) 2013 - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -You can pin websites to the Windows 8.1 taskbar for quick access. You pin a website simply by dragging its tab to the taskbar. Some websites can also extend the icon’s Jump List. - -The ability to pin websites to the Windows 8.1 taskbar can help make end users in businesses more productive. As an IT professional, for example, you can pin intranet and SharePoint websites to the taskbar to make them immediately available to users. In this article, you learn how to deploy pinned websites by using Lite Touch Installation in the [Microsoft Deployment Toolkit (MDT) 2013](https://go.microsoft.com/fwlink/p/?LinkId=398474). - -## Deploying pinned websites in MDT 2013 -This topic requires that you have a complete MDT 2013 deployment share that contains Windows 8.1 which comes with Internet Explorer 11. If you’re deploying to Windows 7 clients and need to learn how to add IE11 to an MDT 2013 deployment share as an update, see [Installing Internet Explorer 11 using Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=398475) in the TechNet library. - -Deploying pinned websites in MDT 2013 is a 4-step process: - -1. Create a .website file for each website that you want to deploy. When you pin a website to the taskbar, Windows 8.1 creates a .website file that describes how the icon should look and feel. - -2. Copy the .website files to your deployment share. - -3. Copy the .website files to your target computers. - -4. Edit the task sequence of your Unattend.xml answer files to pin the websites to the taskbar. In particular, you want to add each .website file to the **TaskbarLinks** item in Unattend.xml during oobeSystem phase. You can add up to six .website files to the **TaskbarLinks** item. - -Pinned websites are immediately available to every user who logs on to the computer although the user must click each icon to populate its Jump List. - -**Important**
-To follow the examples in this topic, you’ll need to pin the Bing (https://www.bing.com/) and MSN (https://www.msn.com/) websites to the taskbar. - -### Step 1: Creating .website files -The first step is to create a .website file for each website that you want to pin to the Windows 8.1 taskbar during deployment. A .website file is like a shortcut, except it’s a plain text file that describes not only the website’s URL but also how the icon looks. - - **To create each .website file** - -1. Open the website in IE11. - -2. Drag the website’s tab and drop it on the Windows 8.1 taskbar. - -3. Go to `%USERPROFILE%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar` in Windows Explorer, and copy the bing.website and msn.website files to your desktop. - -### Step 2: Copying the .website files to the deployment share -Next, you must enable your deployment share to copy the bing.website and msn.website files to the **Start** menu on each target computer. - - **To copy .website files to the deployment share** - -1. Open your MDT 2013 deployment share in Windows Explorer. - -2. In the `$OEM$` folder, create the path `$1\Users\Public\Public Links`. If the `$OEM$` folder doesn’t exist, create it at the root of your deployment share. - -3. Copy the bing.website and msn.website files from your desktop to `$OEM$\$1\Users\Public\Public Links` in your deployment share. - -### Step 3: Copying .website files to target computers -After your operating system is installed on the target computer, you need to copy the .website files over so they can be pinned to the taskbar. - - **To copy .website files to target computers** - -1. In the **Deployment Workbench** of MDT 2013, open the deployment share containing the task sequence during which you want to deploy pinned websites, and then click **Task Sequences**. - -2. In the right pane of the **Deployment Workbench**, right-click your task sequence (create a new one if you don’t have one yet), and click **Properties**. - -3. In the **Task Sequence** tab, click the **Postinstall** folder, click **General** from the **Add** button, and then click **Run Command Line**. - -4. Rename the newly created item to *Copy Files* and move it up to the top of the **Postinstall** folder. - -5. In the **Command Line** box enter the following text, `xcopy "%DEPLOYROOT%\$OEM$\$1" "%OSDisk%\" /yqe`. - -6. Click the **Apply** button to save your changes. - -### Step 4: Pinning .website files to the Taskbar -With the .website files ready to copy to the **Public Links** folder on target computers for all users, the last step is to edit the Unattend.xml answer files to pin those .website files to the taskbar. You will need to complete the following steps for each task sequence during which you want to pin these websites to the taskbar. - - **To pin .website files to the Taskbar** - -1. Open the Windows System Image Manager (Windows SIM). - -2. On the **OS Info** tab, click **Edit Unattend.xml** to open the Unattend.xml file. - -2. In the **Windows Image** pane, under **Components** and then **Microsoft-Windows-Shell-Setup**, right-click **TaskbarLinks**, and then click **Add Setting to Pass 7 oobeSystem**. - -3. In the **TaskbarLinks Properties** pane, add the relative path to the target computer’s (not the deployment share’s) .website files that you created earlier. You can add up to six links to the **TaskbarLinks** item. For example, `%PUBLIC%\Users\Public\Public Links\Bing.website` and `%PUBLIC%\Users\Public\Public Links\MSN.website` - -4. On the **File** menu, click **Save Answer File**, and then close Windows SIM. - -5. To close the task sequence, click **OK**. - -## Updating intranet websites for pinning -The MDT 2013 deployment share and task sequences are now ready to pin websites to the taskbar during deployment. This pinning feature can include intranet sites important in your organization. - -You can make your intranet websites act more like applications by extending them to fully support the Windows 8.1 taskbar. This includes creating custom Jump Lists, thumbnail previews, and notifications. For info about extending your intranet websites, see [Pinned Sites Developer Documentation](https://go.microsoft.com/fwlink/p/?LinkId=398484) on MSDN. For more ideas about what to pin, see [Add-ons](https://go.microsoft.com/fwlink/p/?LinkId=398483) in the Internet Explorer Gallery. - -## Related topics -- [Unattended Windows Setup Reference](https://go.microsoft.com/fwlink/p/?LinkId=276788) -- [Windows System Image Manager Technical Reference](https://go.microsoft.com/fwlink/p/?LinkId=276789) -- [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=331148) -- [Windows ADK Overview](https://go.microsoft.com/fwlink/p/?LinkId=276669) - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: You can pin websites to the Windows 8.1 taskbar for quick access using the Microsoft Deployment Toolkit (MDT) 2013. +author: lomayor +ms.prod: ie11 +ms.assetid: 24f4dcac-9032-4fe8-bf6d-2d712d61cb0c +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Deploy pinned websites using Microsoft Deployment Toolkit (MDT) 2013 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Deploy pinned websites using Microsoft Deployment Toolkit (MDT) 2013 + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +You can pin websites to the Windows 8.1 taskbar for quick access. You pin a website simply by dragging its tab to the taskbar. Some websites can also extend the icon’s Jump List. + +The ability to pin websites to the Windows 8.1 taskbar can help make end users in businesses more productive. As an IT professional, for example, you can pin intranet and SharePoint websites to the taskbar to make them immediately available to users. In this article, you learn how to deploy pinned websites by using Lite Touch Installation in the [Microsoft Deployment Toolkit (MDT) 2013](https://go.microsoft.com/fwlink/p/?LinkId=398474). + +## Deploying pinned websites in MDT 2013 +This topic requires that you have a complete MDT 2013 deployment share that contains Windows 8.1 which comes with Internet Explorer 11. If you’re deploying to Windows 7 clients and need to learn how to add IE11 to an MDT 2013 deployment share as an update, see [Installing Internet Explorer 11 using Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=398475) in the TechNet library. + +Deploying pinned websites in MDT 2013 is a 4-step process: + +1. Create a .website file for each website that you want to deploy. When you pin a website to the taskbar, Windows 8.1 creates a .website file that describes how the icon should look and feel. + +2. Copy the .website files to your deployment share. + +3. Copy the .website files to your target computers. + +4. Edit the task sequence of your Unattend.xml answer files to pin the websites to the taskbar. In particular, you want to add each .website file to the **TaskbarLinks** item in Unattend.xml during oobeSystem phase. You can add up to six .website files to the **TaskbarLinks** item. + +Pinned websites are immediately available to every user who logs on to the computer although the user must click each icon to populate its Jump List. + +**Important**
+To follow the examples in this topic, you’ll need to pin the Bing (https://www.bing.com/) and MSN (https://www.msn.com/) websites to the taskbar. + +### Step 1: Creating .website files +The first step is to create a .website file for each website that you want to pin to the Windows 8.1 taskbar during deployment. A .website file is like a shortcut, except it’s a plain text file that describes not only the website’s URL but also how the icon looks. + + **To create each .website file** + +1. Open the website in IE11. + +2. Drag the website’s tab and drop it on the Windows 8.1 taskbar. + +3. Go to `%USERPROFILE%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar` in Windows Explorer, and copy the bing.website and msn.website files to your desktop. + +### Step 2: Copying the .website files to the deployment share +Next, you must enable your deployment share to copy the bing.website and msn.website files to the **Start** menu on each target computer. + + **To copy .website files to the deployment share** + +1. Open your MDT 2013 deployment share in Windows Explorer. + +2. In the `$OEM$` folder, create the path `$1\Users\Public\Public Links`. If the `$OEM$` folder doesn’t exist, create it at the root of your deployment share. + +3. Copy the bing.website and msn.website files from your desktop to `$OEM$\$1\Users\Public\Public Links` in your deployment share. + +### Step 3: Copying .website files to target computers +After your operating system is installed on the target computer, you need to copy the .website files over so they can be pinned to the taskbar. + + **To copy .website files to target computers** + +1. In the **Deployment Workbench** of MDT 2013, open the deployment share containing the task sequence during which you want to deploy pinned websites, and then click **Task Sequences**. + +2. In the right pane of the **Deployment Workbench**, right-click your task sequence (create a new one if you don’t have one yet), and click **Properties**. + +3. In the **Task Sequence** tab, click the **Postinstall** folder, click **General** from the **Add** button, and then click **Run Command Line**. + +4. Rename the newly created item to *Copy Files* and move it up to the top of the **Postinstall** folder. + +5. In the **Command Line** box enter the following text, `xcopy "%DEPLOYROOT%\$OEM$\$1" "%OSDisk%\" /yqe`. + +6. Click the **Apply** button to save your changes. + +### Step 4: Pinning .website files to the Taskbar +With the .website files ready to copy to the **Public Links** folder on target computers for all users, the last step is to edit the Unattend.xml answer files to pin those .website files to the taskbar. You will need to complete the following steps for each task sequence during which you want to pin these websites to the taskbar. + + **To pin .website files to the Taskbar** + +1. Open the Windows System Image Manager (Windows SIM). + +2. On the **OS Info** tab, click **Edit Unattend.xml** to open the Unattend.xml file. + +2. In the **Windows Image** pane, under **Components** and then **Microsoft-Windows-Shell-Setup**, right-click **TaskbarLinks**, and then click **Add Setting to Pass 7 oobeSystem**. + +3. In the **TaskbarLinks Properties** pane, add the relative path to the target computer’s (not the deployment share’s) .website files that you created earlier. You can add up to six links to the **TaskbarLinks** item. For example, `%PUBLIC%\Users\Public\Public Links\Bing.website` and `%PUBLIC%\Users\Public\Public Links\MSN.website` + +4. On the **File** menu, click **Save Answer File**, and then close Windows SIM. + +5. To close the task sequence, click **OK**. + +## Updating intranet websites for pinning +The MDT 2013 deployment share and task sequences are now ready to pin websites to the taskbar during deployment. This pinning feature can include intranet sites important in your organization. + +You can make your intranet websites act more like applications by extending them to fully support the Windows 8.1 taskbar. This includes creating custom Jump Lists, thumbnail previews, and notifications. For info about extending your intranet websites, see [Pinned Sites Developer Documentation](https://go.microsoft.com/fwlink/p/?LinkId=398484) on MSDN. For more ideas about what to pin, see [Add-ons](https://go.microsoft.com/fwlink/p/?LinkId=398483) in the Internet Explorer Gallery. + +## Related topics +- [Unattended Windows Setup Reference](https://go.microsoft.com/fwlink/p/?LinkId=276788) +- [Windows System Image Manager Technical Reference](https://go.microsoft.com/fwlink/p/?LinkId=276789) +- [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=331148) +- [Windows ADK Overview](https://go.microsoft.com/fwlink/p/?LinkId=276669) + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md index b34b835676..d892799770 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md +++ b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md @@ -1,61 +1,61 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Windows Internet Explorer 8 introduced document modes as a way to move from the proprietary coding of web features to a more standardized type of coding that could run on multiple browsers and devices. -author: lomayor -ms.prod: ie11 -ms.assetid: 00cb1f39-2b20-4d37-9436-62dc03a6320b -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Deprecated document modes and Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - -# Deprecated document modes and Internet Explorer 11 - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Windows Internet Explorer 8 introduced document modes as a way to move from the proprietary coding of web features to a more standardized type of coding that could run on multiple browsers and devices. Starting with Windows 10, we’re deprecating document modes. - -This means that while Internet Explorer 11 will continue to support document modes, Microsoft Edge won’t. And because of that, it also means that if you want to use Microsoft Edge, you’re going to have to update your legacy webpages and apps to support modern features, browsers, and devices. - ->**Note**
->For specific details about the technologies and APIs that are no longer supported in Microsoft Edge, see [A break from the past, part 2: Saying goodbye to ActiveX, VBScript, attachEvent](https://go.microsoft.com/fwlink/p/?LinkId=615953). - -## What is document mode? -Each release after Internet Explorer 8 has helped with the transition by introducing additional document modes that emulated previously supported versions, while also introducing support for features defined by industry standards. During this time, numerous websites and apps were updated to the latest and greatest industry standards, while many other sites and apps continued to simply rely on document modes to work properly. - -Because our goal with Microsoft Edge is to give users the best site and app viewing experience possible, we’ve decided to stop support for document modes. All websites and apps using legacy features and code will need to be updated to rely on the new modern standards and practices. - -If you have legacy sites and apps that can’t be updated to modern standards, you can continue to use IE11 and document modes. We recommend that you use the **IE11 Standards document mode** because it represents the highest support available for modern standards. You should also use the HTML5 document type declaration to turn on the latest supported standards while using IE11:``. - -## Document modes and IE11 -The compatibility improvements made in IE11 lets older websites just work in the latest standards mode, by default, without requiring emulation of the previous browser behavior. Because older websites are now just working, we’ve decided that Internet Explorer 10 document mode will be the last new document mode. Instead, developers will need to move to using the IE11 document mode going forward. - -## Document mode selection flowchart -This flowchart shows how IE11 works when document modes are used. - -![Flowchart detailing how document modes are chosen in IE11](images/docmode-decisions-sm.png)
-[Click this link to enlarge image](img-ie11-docmode-lg.md) - -## Known Issues with Internet Explorer 8 document mode in Enterprise Mode -The default document mode for Enterprise Mode is Internet Explorer 8. While this mode provides a strong emulation of that browser, it isn’t an exact match. For example, Windows Internet Explorer 9 fundamentally changed how document modes work with iframes and document modes can’t undo architectural changes. It’s also a known issue that Windows 10 supports GDI font rendering while using Enterprise Mode, but uses natural metrics once outside of Enterprise Mode. - -## Related topics -- [Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md) - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Windows Internet Explorer 8 introduced document modes as a way to move from the proprietary coding of web features to a more standardized type of coding that could run on multiple browsers and devices. +author: lomayor +ms.prod: ie11 +ms.assetid: 00cb1f39-2b20-4d37-9436-62dc03a6320b +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Deprecated document modes and Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + +# Deprecated document modes and Internet Explorer 11 + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Windows Internet Explorer 8 introduced document modes as a way to move from the proprietary coding of web features to a more standardized type of coding that could run on multiple browsers and devices. Starting with Windows 10, we’re deprecating document modes. + +This means that while Internet Explorer 11 will continue to support document modes, Microsoft Edge won’t. And because of that, it also means that if you want to use Microsoft Edge, you’re going to have to update your legacy webpages and apps to support modern features, browsers, and devices. + +>**Note**
+>For specific details about the technologies and APIs that are no longer supported in Microsoft Edge, see [A break from the past, part 2: Saying goodbye to ActiveX, VBScript, attachEvent](https://go.microsoft.com/fwlink/p/?LinkId=615953). + +## What is document mode? +Each release after Internet Explorer 8 has helped with the transition by introducing additional document modes that emulated previously supported versions, while also introducing support for features defined by industry standards. During this time, numerous websites and apps were updated to the latest and greatest industry standards, while many other sites and apps continued to simply rely on document modes to work properly. + +Because our goal with Microsoft Edge is to give users the best site and app viewing experience possible, we’ve decided to stop support for document modes. All websites and apps using legacy features and code will need to be updated to rely on the new modern standards and practices. + +If you have legacy sites and apps that can’t be updated to modern standards, you can continue to use IE11 and document modes. We recommend that you use the **IE11 Standards document mode** because it represents the highest support available for modern standards. You should also use the HTML5 document type declaration to turn on the latest supported standards while using IE11:``. + +## Document modes and IE11 +The compatibility improvements made in IE11 lets older websites just work in the latest standards mode, by default, without requiring emulation of the previous browser behavior. Because older websites are now just working, we’ve decided that Internet Explorer 10 document mode will be the last new document mode. Instead, developers will need to move to using the IE11 document mode going forward. + +## Document mode selection flowchart +This flowchart shows how IE11 works when document modes are used. + +![Flowchart detailing how document modes are chosen in IE11](images/docmode-decisions-sm.png)
+[Click this link to enlarge image](img-ie11-docmode-lg.md) + +## Known Issues with Internet Explorer 8 document mode in Enterprise Mode +The default document mode for Enterprise Mode is Internet Explorer 8. While this mode provides a strong emulation of that browser, it isn’t an exact match. For example, Windows Internet Explorer 9 fundamentally changed how document modes work with iframes and document modes can’t undo architectural changes. It’s also a known issue that Windows 10 supports GDI font rendering while using Enterprise Mode, but uses natural metrics once outside of Enterprise Mode. + +## Related topics +- [Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md) + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md index 82c1e09e9d..6f6339d452 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md @@ -1,53 +1,53 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: You can use Internet Explorer 11 and the Enterprise Mode Site List Manager to change whether page rendering should use Enterprise Mode or the default Internet Explorer browser configuration. You can also add, remove, or delete associated comments. -author: lomayor -ms.prod: ie11 -ms.assetid: 76aa9a85-6190-4c3a-bc25-0f914de228ea -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -You can use Internet Explorer 11 and the Enterprise Mode Site List Manager to change whether page rendering should use Enterprise Mode or the default Internet Explorer browser configuration. You can also add, remove, or delete associated comments. - -If you need to edit a lot of websites, you probably don’t want to do it one at a time. Instead, you can edit your saved XML or TXT file and add the sites back again. For information about how to do this, depending on your operating system and schema version, see [Add multiple sites to the Enterprise Mode site list using a file and Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md). - - **To change how your page renders** - -1. In the Enterprise Mode Site List Manager, double-click the site you want to change. - -2. Change the comment or the compatibility mode option. - -3. Click **Save** to validate your changes and to add the updated information to your site list.
-If your change passes validation, it’s added to the global site list. If the update doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the update or ignore the validation problem and add it to your list anyway. For more information about fixing validation issues, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md). - -4. On the **File** menu, click **Save to XML**, and save the updated file.
-You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md). - -## Related topics -- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: You can use Internet Explorer 11 and the Enterprise Mode Site List Manager to change whether page rendering should use Enterprise Mode or the default Internet Explorer browser configuration. You can also add, remove, or delete associated comments. +author: lomayor +ms.prod: ie11 +ms.assetid: 76aa9a85-6190-4c3a-bc25-0f914de228ea +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +You can use Internet Explorer 11 and the Enterprise Mode Site List Manager to change whether page rendering should use Enterprise Mode or the default Internet Explorer browser configuration. You can also add, remove, or delete associated comments. + +If you need to edit a lot of websites, you probably don’t want to do it one at a time. Instead, you can edit your saved XML or TXT file and add the sites back again. For information about how to do this, depending on your operating system and schema version, see [Add multiple sites to the Enterprise Mode site list using a file and Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md). + + **To change how your page renders** + +1. In the Enterprise Mode Site List Manager, double-click the site you want to change. + +2. Change the comment or the compatibility mode option. + +3. Click **Save** to validate your changes and to add the updated information to your site list.
+If your change passes validation, it’s added to the global site list. If the update doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the update or ignore the validation problem and add it to your list anyway. For more information about fixing validation issues, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md). + +4. On the **File** menu, click **Save to XML**, and save the updated file.
+You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md). + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md index 236dfd3b18..4e5e30e18a 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md @@ -1,110 +1,110 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: Enable and disable add-ons using administrative templates and group policy -ms.author: lomayor -author: lomayor -ms.prod: ie11 -ms.assetid: c6fe1cd3-0bfc-4d23-8016-c9601f674c0b -ms.reviewer: -manager: dansimp -title: Enable and disable add-ons using administrative templates and group policy (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 4/12/2018 ---- - - -# Enable and disable add-ons using administrative templates and group policy -Add-ons let your employees personalize Internet Explorer. You can manage IE add-ons using Group Policy and Group Policy templates. - -There are four types of add-ons: - -- **Search Providers.** Type a term and see suggestions provided by your search provider. - -- **Accelerators.** Highlight text on a web page and then click the blue **Accelerator** icon to email, map, search, translate, or do many other tasks. - -- **Web Slices.** Subscribe to parts of a website to get real-time information on the Favorites bar. - -- **Toolbars.** Add features (like stock tickers) to your browser. - -## Using the Local Group Policy Editor to manage group policy objects -You can use the Local Group Policy Editor to change how add-ons work in your organization. - - **To manage add-ons** - -1. In the Local Group Policy Editor, go to `Computer Configuration\Administrative Templates\Windows Components\Internet Explorer`. - -2. Change any or all of these settings to match your company’s policy and requirements. - - - Turn off add-on performance notifications - - - Automatically activate newly installed add-ons - - - Do not allow users to enable or disable add-ons - -3. Go into the **Internet Control Panel\\Advance Page** folder, where you can change: - - - Do not allow resetting IE settings - - - Allow third-party browser extensions - -4. Go into the **Security Features\\Add-on Management** folder, where you can change: - - - Add-on List - - - Deny all add-ons unless specifically allowed in the Add-on List - - - Turn off Adobe Flash in IE and prevent applications from using IE technology to instantiate Flash objects - -5. Close the Local Group Policy Editor when you’re done. - -## Using the CLSID and Administrative Templates to manage group policy objects -Every add-on has a Class ID (CLSID) that you use to enable and disable specific add-ons, using Group Policy and Administrative Templates. - - **To manage add-ons** - -1. Get the CLSID for the add-on you want to enable or disable: - - 1. Open IE, click **Tools**, and then click **Manage Add-ons**. - - 2. Double-click the add-on you want to change. - - 3. In the More Information dialog, click **Copy** and then click **Close**. - - 4. Open Notepad and paste the information for the add-on. - - 5. On the Manage Add-ons windows, click **Close**. - - 6. On the Internet Options dialog, click **Close** and then close IE. - -2. From the copied information, select and copy just the **Class ID** value. - - >[!NOTE] - >You want to copy the curly brackets as well as the CLSID: **{47833539-D0C5-4125-9FA8-0819E2EAAC93}**. - -3. Open the Group Policy Management Editor and go to: Computer Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management. -
**-OR-**
-Open the Local Group Policy Editor and go to: User Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management. - -4. Open the **Add-on List** Group Policy Object, select **Enabled**, and then click **Show**.
The Show Contents dialog appears. - -6. In **Value Name**, paste the Class ID for your add-on, for example, **{47833539-D0C5-4125-9FA8-0819E2EAAC93}**. - -6. In **Value**, enter one of the following: - - - **0**. The add-on is disabled and your employees can’t change it. - - - **1**. The add-on is enabled and your employees can’t change it. - - - **2**. The add-on is enabled and your employees can change it. - -7. Close the Show Contents dialog. - -7. In the Group Policy editor, go to: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer. - -8. Double-click **Automatically activate/enable newly installed add-ons** and select **Enabled**.

Enabling turns off the message prompting you to Enable or Don't enable the add-on. - -7. Click **OK** twice to close the Group Policy editor. - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: Enable and disable add-ons using administrative templates and group policy +ms.author: lomayor +author: lomayor +ms.prod: ie11 +ms.assetid: c6fe1cd3-0bfc-4d23-8016-c9601f674c0b +ms.reviewer: +audience: itpro manager: dansimp +title: Enable and disable add-ons using administrative templates and group policy (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 4/12/2018 +--- + + +# Enable and disable add-ons using administrative templates and group policy +Add-ons let your employees personalize Internet Explorer. You can manage IE add-ons using Group Policy and Group Policy templates. + +There are four types of add-ons: + +- **Search Providers.** Type a term and see suggestions provided by your search provider. + +- **Accelerators.** Highlight text on a web page and then click the blue **Accelerator** icon to email, map, search, translate, or do many other tasks. + +- **Web Slices.** Subscribe to parts of a website to get real-time information on the Favorites bar. + +- **Toolbars.** Add features (like stock tickers) to your browser. + +## Using the Local Group Policy Editor to manage group policy objects +You can use the Local Group Policy Editor to change how add-ons work in your organization. + + **To manage add-ons** + +1. In the Local Group Policy Editor, go to `Computer Configuration\Administrative Templates\Windows Components\Internet Explorer`. + +2. Change any or all of these settings to match your company’s policy and requirements. + + - Turn off add-on performance notifications + + - Automatically activate newly installed add-ons + + - Do not allow users to enable or disable add-ons + +3. Go into the **Internet Control Panel\\Advance Page** folder, where you can change: + + - Do not allow resetting IE settings + + - Allow third-party browser extensions + +4. Go into the **Security Features\\Add-on Management** folder, where you can change: + + - Add-on List + + - Deny all add-ons unless specifically allowed in the Add-on List + + - Turn off Adobe Flash in IE and prevent applications from using IE technology to instantiate Flash objects + +5. Close the Local Group Policy Editor when you’re done. + +## Using the CLSID and Administrative Templates to manage group policy objects +Every add-on has a Class ID (CLSID) that you use to enable and disable specific add-ons, using Group Policy and Administrative Templates. + + **To manage add-ons** + +1. Get the CLSID for the add-on you want to enable or disable: + + 1. Open IE, click **Tools**, and then click **Manage Add-ons**. + + 2. Double-click the add-on you want to change. + + 3. In the More Information dialog, click **Copy** and then click **Close**. + + 4. Open Notepad and paste the information for the add-on. + + 5. On the Manage Add-ons windows, click **Close**. + + 6. On the Internet Options dialog, click **Close** and then close IE. + +2. From the copied information, select and copy just the **Class ID** value. + + >[!NOTE] + >You want to copy the curly brackets as well as the CLSID: **{47833539-D0C5-4125-9FA8-0819E2EAAC93}**. + +3. Open the Group Policy Management Editor and go to: Computer Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management. +
**-OR-**
+Open the Local Group Policy Editor and go to: User Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management. + +4. Open the **Add-on List** Group Policy Object, select **Enabled**, and then click **Show**.
The Show Contents dialog appears. + +6. In **Value Name**, paste the Class ID for your add-on, for example, **{47833539-D0C5-4125-9FA8-0819E2EAAC93}**. + +6. In **Value**, enter one of the following: + + - **0**. The add-on is disabled and your employees can’t change it. + + - **1**. The add-on is enabled and your employees can’t change it. + + - **2**. The add-on is enabled and your employees can change it. + +7. Close the Show Contents dialog. + +7. In the Group Policy editor, go to: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer. + +8. Double-click **Automatically activate/enable newly installed add-ons** and select **Enabled**.

Enabling turns off the message prompting you to Enable or Don't enable the add-on. + +7. Click **OK** twice to close the Group Policy editor. + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md index 6d21965faa..d1ac1a3190 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md @@ -1,30 +1,30 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: Enhanced Protected Mode problems with Internet Explorer -author: lomayor -ms.prod: ie11 -ms.assetid: 15890ad1-733d-4f7e-a318-10399b389f45 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Enhanced Protected Mode problems with Internet Explorer (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Enhanced Protected Mode problems with Internet Explorer -Enhanced Protected Mode further restricts Protected Mode to deny potential attackers access to sensitive or personal information. If this feature is turned on, users might start to see errors asking them to turn it off, like **This webpage wants to run "npctrl.dll. If you trust this site, you can disable Enhanced Protected Mode for this site to run the control**. If your users click the **Disable** box, Enhanced Protected Mode is turned off for only the single visit to that specific site. After the user leaves the site, Enhanced Protected Mode is automatically turned back on. - -You can use your company’s Group Policy to turn Enhanced Protected Mode on or off for all users. For more information, see the [Group policy objects and Internet Explorer 11 (IE11)](group-policy-objects-and-ie11.md) information in this guide. - -For more information about Enhanced Protected Mode, see the [Enhanced Protected Mode](https://go.microsoft.com/fwlink/p/?LinkId=267512) post on IEBlog, and both the [Understanding Enhanced Protected Mode](https://go.microsoft.com/fwlink/p/?LinkId=282662) and the [Enhanced Protected Mode and Local Files](https://go.microsoft.com/fwlink/p/?LinkId=282663) blog posts on IEInternals. - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: Enhanced Protected Mode problems with Internet Explorer +author: lomayor +ms.prod: ie11 +ms.assetid: 15890ad1-733d-4f7e-a318-10399b389f45 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Enhanced Protected Mode problems with Internet Explorer (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Enhanced Protected Mode problems with Internet Explorer +Enhanced Protected Mode further restricts Protected Mode to deny potential attackers access to sensitive or personal information. If this feature is turned on, users might start to see errors asking them to turn it off, like **This webpage wants to run "npctrl.dll. If you trust this site, you can disable Enhanced Protected Mode for this site to run the control**. If your users click the **Disable** box, Enhanced Protected Mode is turned off for only the single visit to that specific site. After the user leaves the site, Enhanced Protected Mode is automatically turned back on. + +You can use your company’s Group Policy to turn Enhanced Protected Mode on or off for all users. For more information, see the [Group policy objects and Internet Explorer 11 (IE11)](group-policy-objects-and-ie11.md) information in this guide. + +For more information about Enhanced Protected Mode, see the [Enhanced Protected Mode](https://go.microsoft.com/fwlink/p/?LinkId=267512) post on IEBlog, and both the [Understanding Enhanced Protected Mode](https://go.microsoft.com/fwlink/p/?LinkId=282662) and the [Enhanced Protected Mode and Local Files](https://go.microsoft.com/fwlink/p/?LinkId=282663) blog posts on IEInternals. + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md index f3ffd4bf9f..2059dff44a 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md @@ -1,55 +1,55 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Use the topics in this section to learn how to set up and use Enterprise Mode, Enterprise Mode Site List Manager, and the Enterprise Mode Site List Portal for your company. -author: lomayor -ms.prod: ie11 -ms.assetid: d52ba8ba-b3c7-4314-ba14-0610e1d8456e -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Enterprise Mode for Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Enterprise Mode for Internet Explorer 11 - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Use the topics in this section to learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company. - -## In this section - -|Topic |Description | -|---------------------------------------------------------------|-----------------------------------------------------------------------------------| -|[Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)|Includes descriptions of the features of Enterprise Mode. | -|[Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) |Guidance about how to turn on local control of Enterprise Mode and how to use ASP or the GitHub sample to collect data from your local computers. | -|[Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md) |Guidance about how to turn on Enterprise Mode and set up a site list, using Group Policy or the registry. | -|[Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) |Guidance about how to write the XML for your site list, including what not to include, how to use trailing slashes, and info about how to target specific sites. | -|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) |Guidance about how to write the XML for your site list, including what not to include, how to use trailing slashes, and info about how to target specific sites. | -|[Check for a new Enterprise Mode site list xml file](check-for-new-enterprise-mode-site-list-xml-file.md) |Guidance about how the Enterprise Mode functionality looks for your updated site list. | -|[Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md) |Guidance about how to turn on local control of Enterprise Mode, using Group Policy or the registry.| -|[Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) |Guidance about how to use the Enterprise Mode Site List Manager, including how to add and update sites on your site list. | -|[Use the Enterprise Mode Site List Portal](use-the-enterprise-mode-portal.md) |Guidance about how to set up and use the Enterprise Mode Site List Manager, including how to add and update sites on your site list. | -|[Using Enterprise Mode](using-enterprise-mode.md) |Guidance about how to turn on either IE7 Enterprise Mode or IE8 Enterprise Mode. | -|[Fix web compatibility issues using document modes and the Enterprise Mode Site List](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md) |Guidance about how to decide and test whether to use document modes or Enterprise Mode to help fix compatibility issues. | -|[Remove sites from a local Enterprise Mode site list](remove-sites-from-a-local-enterprise-mode-site-list.md) |Guidance about how to remove websites from a device's local Enterprise Mode site list. | -|[Remove sites from a local compatibility view list](remove-sites-from-a-local-compatibililty-view-list.md) |Guidance about how to remove websites from a device's local compatibility view list. | -|[Turn off Enterprise Mode](turn-off-enterprise-mode.md) |Guidance about how to stop using your site list and how to turn off local control, using Group Policy or the registry. | - - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Use the topics in this section to learn how to set up and use Enterprise Mode, Enterprise Mode Site List Manager, and the Enterprise Mode Site List Portal for your company. +author: lomayor +ms.prod: ie11 +ms.assetid: d52ba8ba-b3c7-4314-ba14-0610e1d8456e +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Enterprise Mode for Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Enterprise Mode for Internet Explorer 11 + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Use the topics in this section to learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company. + +## In this section + +|Topic |Description | +|---------------------------------------------------------------|-----------------------------------------------------------------------------------| +|[Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)|Includes descriptions of the features of Enterprise Mode. | +|[Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) |Guidance about how to turn on local control of Enterprise Mode and how to use ASP or the GitHub sample to collect data from your local computers. | +|[Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md) |Guidance about how to turn on Enterprise Mode and set up a site list, using Group Policy or the registry. | +|[Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) |Guidance about how to write the XML for your site list, including what not to include, how to use trailing slashes, and info about how to target specific sites. | +|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) |Guidance about how to write the XML for your site list, including what not to include, how to use trailing slashes, and info about how to target specific sites. | +|[Check for a new Enterprise Mode site list xml file](check-for-new-enterprise-mode-site-list-xml-file.md) |Guidance about how the Enterprise Mode functionality looks for your updated site list. | +|[Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md) |Guidance about how to turn on local control of Enterprise Mode, using Group Policy or the registry.| +|[Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) |Guidance about how to use the Enterprise Mode Site List Manager, including how to add and update sites on your site list. | +|[Use the Enterprise Mode Site List Portal](use-the-enterprise-mode-portal.md) |Guidance about how to set up and use the Enterprise Mode Site List Manager, including how to add and update sites on your site list. | +|[Using Enterprise Mode](using-enterprise-mode.md) |Guidance about how to turn on either IE7 Enterprise Mode or IE8 Enterprise Mode. | +|[Fix web compatibility issues using document modes and the Enterprise Mode Site List](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md) |Guidance about how to decide and test whether to use document modes or Enterprise Mode to help fix compatibility issues. | +|[Remove sites from a local Enterprise Mode site list](remove-sites-from-a-local-enterprise-mode-site-list.md) |Guidance about how to remove websites from a device's local Enterprise Mode site list. | +|[Remove sites from a local compatibility view list](remove-sites-from-a-local-compatibililty-view-list.md) |Guidance about how to remove websites from a device's local compatibility view list. | +|[Turn off Enterprise Mode](turn-off-enterprise-mode.md) |Guidance about how to stop using your site list and how to turn off local control, using Group Policy or the registry. | + + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md index daa0f1c0ee..3e8e129b3d 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md @@ -1,236 +1,236 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Use the Enterprise Mode Site List Manager to create and update your Enterprise Mode site list for devices running Windows 7 or Windows 8.1 Update. -author: lomayor -ms.prod: ie11 -ms.assetid: 17c61547-82e3-48f2-908d-137a71938823 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Enterprise Mode schema v.1 guidance (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Enterprise Mode schema v.1 guidance - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 - -Use the Enterprise Mode Site List Manager (schema v.1) to create and update your Enterprise Mode site list for devices running the v.1 version of the schema, or the Enterprise Mode Site List Manager (schema v.2) to create and update your Enterprise Mode site list for devices running the v.2 version of the schema. We strongly recommend moving to the new schema, v.2. For more info, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md). - -If you don't want to use the Enterprise Mode Site List Manager, you also have the option to update your XML schema using Notepad, or any other XML-editing app. - -## Enterprise Mode schema v.1 example -The following is an example of the Enterprise Mode schema v.1. This schema can run on devices running Windows 7 and Windows 8.1. - -**Important**
-Make sure that you don't specify a protocol when adding your URLs. Using a URL like `contoso.com` automatically applies to both https://contoso.com and https://contoso.com. - -``` xml - - - www.cpandl.com - www.woodgrovebank.com - adatum.com - contoso.com - relecloud.com - /about - - fabrikam.com - /products - - - - contoso.com - /travel - - fabrikam.com - /products - - - -``` - -### Schema elements -This table includes the elements used by the Enterprise Mode schema. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ElementDescriptionSupported browser
<rules>Root node for the schema. -

Example -

-<rules version="205">
-  <emie>
-    <domain>contoso.com</domain>
-  </emie>
-</rules>
Internet Explorer 11 and Microsoft Edge
<emie>The parent node for the Enterprise Mode section of the schema. All <domain> entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied. -

Example -

-<rules version="205">
-  <emie>
-    <domain>contoso.com</domain>
-  </emie>
-</rules>
--or- -

For IPv6 ranges:

<rules version="205">
-  <emie>
-    <domain>[10.122.34.99]:8080</domain>
-  </emie>
-  </rules>
--or- -

For IPv4 ranges:

<rules version="205">
-  <emie>
-    <domain>10.122.34.99:8080</domain>
-  </emie>
-  </rules>
Internet Explorer 11 and Microsoft Edge
<docMode>The parent node for the document mode section of the section. All <domain> entries will get IE5 - IE11 document modes applied. If there's a <domain> element in the <docMode> section that uses the same value as a <domain> element in the <emie> section, the <emie> element is applied. -

Example -

-<rules version="205">
-  <docMode>
-    <domain docMode="7">contoso.com</domain>
-  </docMode>
-</rules>
Internet Explorer 11
<domain>A unique entry added for each site you want to put on the Enterprise Mode site list. The first <domain> element will overrule any additional <domain> elements that use the same value for the section. You can use port numbers for this element. -

Example -

-<emie>
-  <domain>contoso.com:8080</domain>
-</emie>
Internet Explorer 11 and Microsoft Edge
<path>A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The <path> element is a child of the <domain> element. Additionally, the first <path> element will overrule any additional <path> elements in the schema section. -

Example -

-<emie>
-  <domain exclude="true">fabrikam.com
-    <path exclude="false">/products</path>
-  </domain>
-</emie>

-Where https://fabrikam.com doesn't use IE8 Enterprise Mode, but https://fabrikam.com/products does.

Internet Explorer 11 and Microsoft Edge
- -### Schema attributes -This table includes the attributes used by the Enterprise Mode schema. - - - - - - - - - - - - - - - - - - - - - - - - - -
AttributeDescriptionSupported browser
<version>Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <rules> element.Internet Explorer 11 and Microsoft Edge
<exclude>Specifies the domain or path excluded from applying the behavior and is supported on the <domain> and <path> elements. -

Example -

-<emie>
-  <domain exclude="false">fabrikam.com
-    <path exclude="true">/products</path>
-  </domain>
-</emie>

-Where https://fabrikam.com uses IE8 Enterprise Mode, but https://fabrikam.com/products does not.

Internet Explorer 11 and Microsoft Edge
<docMode>Specifies the document mode to apply. This attribute is only supported on <domain> or <path> elements in the <docMode> section. -

Example -

-<docMode>
-  <domain exclude="false">fabrikam.com
-    <path docMode="7">/products</path>
-  </domain>
-</docMode>
Internet Explorer 11
- -### Using Enterprise Mode and document mode together -If you want to use both Enterprise Mode and document mode together, you need to be aware that <emie> entries override <docMode> entries for the same domain. - -For example, say you want all of the sites in the contoso.com domain to open using IE8 Enterprise Mode, except test.contoso.com, which needs to open in document mode 11. Because Enterprise Mode takes precedence over document mode, if you want test.contoso.com to open using document mode, you'll need to explicitly add it as an exclusion to the <emie> parent node. - -```xml - - - contoso.com - test.contoso.com - - - test.contoso.com - - -``` - -### What not to include in your schema -We recommend that you not add any of the following items to your schema because they can make your compatibility list behave in unexpected ways: -- Don’t use protocols. For example, `https://`, `https://`, or custom protocols. They break parsing. -- Don’t use wildcards. -- Don’t use query strings, ampersands break parsing. - -## How to use trailing slashes -You can use trailing slashes at the path-level, but not at the domain-level: -- **Domain-level.** Don’t add trailing slashes to a domain, it breaks parsing. -- **Path-level.** Adding a trailing slash to a path means that the path ends at that point. By not adding a trailing slash, the rule applies to all of the sub-paths. - -**Example** - -``` xml -contoso.com - /about/ - -``` -In this example, `contoso.com/about/careers` will use the default version of Internet Explorer, even though `contoso.com/about/` uses Enterprise Mode. - - -## How to target specific sites -If you want to target specific sites in your organization. - -|Targeted site |Example |Explanation | -|--------------|--------|------------| -|You can specify subdomains in the domain tag. |<docMode>
<domain docMode="5">contoso.com</domain>
<domain docMode="9">info.contoso.com</domain>
<docMode> |

  • contoso.com uses document mode 5.
  • info.contoso.com uses document mode 9.
  • test.contoso.com also uses document mode 5.
| -|You can specify exact URLs by listing the full path. |<emie>
<domain exclude="false">bing.com</domain>
<domain exclude="false" forceCompatView="true">contoso.com</domain>
<emie>|
  • bing.com uses IE8 Enterprise Mode.
  • contoso.com uses IE7 Enterprise Mode.
| -|You can nest paths underneath domains. |<emie>
<domain exclude="true">contoso.com
<path exclude="false">/about</path>
<path exclude="true">
/about/business</path>
</domain>
</emie> |
  • contoso.com will use the default version of IE.
  • contoso.com/about and everything underneath that node will load in Enterprise Mode, except contoso.com/about/business, which will load in the default version of IE.
| -|You can’t add a path underneath a path. The file will still be parsed, but the sub-path will be ignored. |<emie>
<domain exclude="true">contoso.com
<path>/about
<path exclude="true">/business</path>
</path>
</domain>
</emie> |
  • contoso.com will use the default version of IE.
  • contoso.com/about and everything underneath that node will load in Enterprise Mode, including contoso.com/about/business because the last rule is ignored.
| +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Use the Enterprise Mode Site List Manager to create and update your Enterprise Mode site list for devices running Windows 7 or Windows 8.1 Update. +author: lomayor +ms.prod: ie11 +ms.assetid: 17c61547-82e3-48f2-908d-137a71938823 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Enterprise Mode schema v.1 guidance (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Enterprise Mode schema v.1 guidance + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 + +Use the Enterprise Mode Site List Manager (schema v.1) to create and update your Enterprise Mode site list for devices running the v.1 version of the schema, or the Enterprise Mode Site List Manager (schema v.2) to create and update your Enterprise Mode site list for devices running the v.2 version of the schema. We strongly recommend moving to the new schema, v.2. For more info, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md). + +If you don't want to use the Enterprise Mode Site List Manager, you also have the option to update your XML schema using Notepad, or any other XML-editing app. + +## Enterprise Mode schema v.1 example +The following is an example of the Enterprise Mode schema v.1. This schema can run on devices running Windows 7 and Windows 8.1. + +**Important**
+Make sure that you don't specify a protocol when adding your URLs. Using a URL like `contoso.com` automatically applies to both https://contoso.com and https://contoso.com. + +``` xml + + + www.cpandl.com + www.woodgrovebank.com + adatum.com + contoso.com + relecloud.com + /about + + fabrikam.com + /products + + + + contoso.com + /travel + + fabrikam.com + /products + + + +``` + +### Schema elements +This table includes the elements used by the Enterprise Mode schema. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ElementDescriptionSupported browser
<rules>Root node for the schema. +

Example +

+<rules version="205">
+  <emie>
+    <domain>contoso.com</domain>
+  </emie>
+</rules>
Internet Explorer 11 and Microsoft Edge
<emie>The parent node for the Enterprise Mode section of the schema. All <domain> entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied. +

Example +

+<rules version="205">
+  <emie>
+    <domain>contoso.com</domain>
+  </emie>
+</rules>
+-or- +

For IPv6 ranges:

<rules version="205">
+  <emie>
+    <domain>[10.122.34.99]:8080</domain>
+  </emie>
+  </rules>
+-or- +

For IPv4 ranges:

<rules version="205">
+  <emie>
+    <domain>10.122.34.99:8080</domain>
+  </emie>
+  </rules>
Internet Explorer 11 and Microsoft Edge
<docMode>The parent node for the document mode section of the section. All <domain> entries will get IE5 - IE11 document modes applied. If there's a <domain> element in the <docMode> section that uses the same value as a <domain> element in the <emie> section, the <emie> element is applied. +

Example +

+<rules version="205">
+  <docMode>
+    <domain docMode="7">contoso.com</domain>
+  </docMode>
+</rules>
Internet Explorer 11
<domain>A unique entry added for each site you want to put on the Enterprise Mode site list. The first <domain> element will overrule any additional <domain> elements that use the same value for the section. You can use port numbers for this element. +

Example +

+<emie>
+  <domain>contoso.com:8080</domain>
+</emie>
Internet Explorer 11 and Microsoft Edge
<path>A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The <path> element is a child of the <domain> element. Additionally, the first <path> element will overrule any additional <path> elements in the schema section. +

Example +

+<emie>
+  <domain exclude="true">fabrikam.com
+    <path exclude="false">/products</path>
+  </domain>
+</emie>

+Where https://fabrikam.com doesn't use IE8 Enterprise Mode, but https://fabrikam.com/products does.

Internet Explorer 11 and Microsoft Edge
+ +### Schema attributes +This table includes the attributes used by the Enterprise Mode schema. + + + + + + + + + + + + + + + + + + + + + + + + + +
AttributeDescriptionSupported browser
<version>Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <rules> element.Internet Explorer 11 and Microsoft Edge
<exclude>Specifies the domain or path excluded from applying the behavior and is supported on the <domain> and <path> elements. +

Example +

+<emie>
+  <domain exclude="false">fabrikam.com
+    <path exclude="true">/products</path>
+  </domain>
+</emie>

+Where https://fabrikam.com uses IE8 Enterprise Mode, but https://fabrikam.com/products does not.

Internet Explorer 11 and Microsoft Edge
<docMode>Specifies the document mode to apply. This attribute is only supported on <domain> or <path> elements in the <docMode> section. +

Example +

+<docMode>
+  <domain exclude="false">fabrikam.com
+    <path docMode="7">/products</path>
+  </domain>
+</docMode>
Internet Explorer 11
+ +### Using Enterprise Mode and document mode together +If you want to use both Enterprise Mode and document mode together, you need to be aware that <emie> entries override <docMode> entries for the same domain. + +For example, say you want all of the sites in the contoso.com domain to open using IE8 Enterprise Mode, except test.contoso.com, which needs to open in document mode 11. Because Enterprise Mode takes precedence over document mode, if you want test.contoso.com to open using document mode, you'll need to explicitly add it as an exclusion to the <emie> parent node. + +```xml + + + contoso.com + test.contoso.com + + + test.contoso.com + + +``` + +### What not to include in your schema +We recommend that you not add any of the following items to your schema because they can make your compatibility list behave in unexpected ways: +- Don’t use protocols. For example, `https://`, `https://`, or custom protocols. They break parsing. +- Don’t use wildcards. +- Don’t use query strings, ampersands break parsing. + +## How to use trailing slashes +You can use trailing slashes at the path-level, but not at the domain-level: +- **Domain-level.** Don’t add trailing slashes to a domain, it breaks parsing. +- **Path-level.** Adding a trailing slash to a path means that the path ends at that point. By not adding a trailing slash, the rule applies to all of the sub-paths. + +**Example** + +``` xml +contoso.com + /about/ + +``` +In this example, `contoso.com/about/careers` will use the default version of Internet Explorer, even though `contoso.com/about/` uses Enterprise Mode. + + +## How to target specific sites +If you want to target specific sites in your organization. + +|Targeted site |Example |Explanation | +|--------------|--------|------------| +|You can specify subdomains in the domain tag. |<docMode>
<domain docMode="5">contoso.com</domain>
<domain docMode="9">info.contoso.com</domain>
<docMode> |
  • contoso.com uses document mode 5.
  • info.contoso.com uses document mode 9.
  • test.contoso.com also uses document mode 5.
| +|You can specify exact URLs by listing the full path. |<emie>
<domain exclude="false">bing.com</domain>
<domain exclude="false" forceCompatView="true">contoso.com</domain>
<emie>|
  • bing.com uses IE8 Enterprise Mode.
  • contoso.com uses IE7 Enterprise Mode.
| +|You can nest paths underneath domains. |<emie>
<domain exclude="true">contoso.com
<path exclude="false">/about</path>
<path exclude="true">
/about/business</path>
</domain>
</emie> |
  • contoso.com will use the default version of IE.
  • contoso.com/about and everything underneath that node will load in Enterprise Mode, except contoso.com/about/business, which will load in the default version of IE.
| +|You can’t add a path underneath a path. The file will still be parsed, but the sub-path will be ignored. |<emie>
<domain exclude="true">contoso.com
<path>/about
<path exclude="true">/business</path>
</path>
</domain>
</emie> |
  • contoso.com will use the default version of IE.
  • contoso.com/about and everything underneath that node will load in Enterprise Mode, including contoso.com/about/business because the last rule is ignored.
| diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md index 186b96bd2c..17e4e860cf 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md @@ -7,6 +7,7 @@ author: lomayor ms.prod: ie11 ms.assetid: 909ca359-5654-4df9-b9fb-921232fc05f5 ms.reviewer: +audience: itpro manager: dansimp ms.author: lomayor title: Enterprise Mode schema v.2 guidance (Internet Explorer 11 for IT Pros) @@ -19,11 +20,11 @@ ms.date: 12/04/2017 **Applies to:** -- Windows 10 (>= v1709) +- Windows 10 - Windows 8.1 - Windows 7 -Use the Enterprise Mode Site List Manager to create and update your site list for devices running Windows 7, Windows 8.1, and Windows 10 (>= v1709), using the version 2.0 (v.2) of the Enterprise Mode schema. If you don't want to use the Enterprise Mode Site List Manager, you also have the option to update your XML schema using Notepad, or any other XML-editing app. +Use the Enterprise Mode Site List Manager to create and update your site list for devices running Windows 7, Windows 8.1, and Windows 10, using the version 2.0 (v.2) of the Enterprise Mode schema. If you don't want to use the Enterprise Mode Site List Manager, you also have the option to update your XML schema using Notepad, or any other XML-editing app. **Important**
If you're running Windows 7 or Windows 8.1 and you've been using the version 1.0 (v.1) of the schema, you can continue to do so, but you won't get the benefits that come with the updated schema. For info about the v.1 schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). diff --git a/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md index d2b98ef8a0..abb8513201 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md @@ -1,49 +1,49 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: After you create your Enterprise Mode site list in the Enterprise Mode Site List Manager, you can export the contents to an Enterprise Mode (.EMIE) file. -author: lomayor -ms.prod: ie11 -ms.assetid: 9ee7c13d-6fca-4446-bc22-d23a0213a95d -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Export your Enterprise Mode site list from the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Export your Enterprise Mode site list from the Enterprise Mode Site List Manager - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -After you create your Enterprise Mode site list in the Enterprise Mode Site List Manager, you can export the contents to an Enterprise Mode (.EMIE) file. This file includes all of your URLs, including your compatibility mode selections and should be stored somewhere safe. If your list gets deleted by mistake you can easily import this file and return everything back to when this file was last saved. - -**Important**
  -This file is not intended for distribution to your managed devices. Instead, it is only for transferring data and comments from one manager to another. For example, if one administrator leaves and passes the existing data to another administrator. Internet Explorer doesn’t read this file. - - **To export your compatibility list** - -1. On the **File** menu of the Enterprise Mode Site List Manager, click **Export**. - -2. Export the file to your selected location. For example, `C:\Users\\Documents\sites.emie`. - -## Related topics - -- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: After you create your Enterprise Mode site list in the Enterprise Mode Site List Manager, you can export the contents to an Enterprise Mode (.EMIE) file. +author: lomayor +ms.prod: ie11 +ms.assetid: 9ee7c13d-6fca-4446-bc22-d23a0213a95d +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Export your Enterprise Mode site list from the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Export your Enterprise Mode site list from the Enterprise Mode Site List Manager + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +After you create your Enterprise Mode site list in the Enterprise Mode Site List Manager, you can export the contents to an Enterprise Mode (.EMIE) file. This file includes all of your URLs, including your compatibility mode selections and should be stored somewhere safe. If your list gets deleted by mistake you can easily import this file and return everything back to when this file was last saved. + +**Important**
  +This file is not intended for distribution to your managed devices. Instead, it is only for transferring data and comments from one manager to another. For example, if one administrator leaves and passes the existing data to another administrator. Internet Explorer doesn’t read this file. + + **To export your compatibility list** + +1. On the **File** menu of the Enterprise Mode Site List Manager, click **Export**. + +2. Export the file to your selected location. For example, `C:\Users\\Documents\sites.emie`. + +## Related topics + +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md index 2170dd1219..a48b0e5732 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md +++ b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md @@ -1,109 +1,109 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: The Internet Explorer 11 Enterprise Mode site list lets you specify document modes for specific websites, helping you fix compatibility issues without changing a single line of code on the site. -author: lomayor -ms.prod: ie11 -ms.assetid: 4b21bb27-aeac-407f-ae58-ab4c6db2baf6 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Fix web compatibility issues using document modes and the Enterprise Mode site list (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Fix web compatibility issues using document modes and the Enterprise Mode site list -The Internet Explorer 11 Enterprise Mode site list lets you specify document modes for specific websites, helping you fix compatibility issues without changing a single line of code on the site. This addition to the site list is a continuation of our commitment to help you upgrade and stay up-to-date on the latest version of Internet Explorer, while still preserving your investments in existing apps. - -## What does this mean for me? -Enterprises can have critical apps that are coded explicitly for a specific browser version and that might not be in their direct control, making it very difficult and expensive to update to modern standards or newer browser versions. Because you can decide which URLs should open using specific document modes, this update helps ensure better compatibility, faster upgrades, and reduced testing and fixing costs. - -## How does this fix work? -You can continue to use your legacy and orphaned web apps, by specifying a document mode in the centralized Enterprise Mode site list. Then, when IE11 goes to a site on your list, the browser loads the page in the specified document mode just as it would if it were specified through an X-UA-Compatible meta tag on the site. For more information about document modes and X-UA-compatible headers, see [Defining document compatibility](https://go.microsoft.com/fwlink/p/?LinkId=518412). - -**Important**
-Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. - -### When do I use document modes versus Enterprise Mode? -While the `` functionality provides great compatibility for you on Windows Internet Explorer 8 or Windows Internet Explorer 7, the new `` capabilities can help you stay up-to-date regardless of which versions of IE are running in your environment. Because of this, we recommend starting your testing process like this: - -- If your enterprise primarily uses Internet Explorer 8 or Internet Explorer 7 start testing using Enterprise Mode. - -- If your enterprise primarily uses Windows Internet Explorer 9 or Internet Explorer 10, start testing using the various document modes. - -Because you might have multiple versions of IE deployed, you might need to use both Enterprise Mode and document modes to effectively move to IE11. - -### Test your sites for document mode compatibility -To see if this fix might help you, run through this process one step at a time, for each of your problematic sites: - -1. Go to a site having compatibility problems, press **F12** to open the **F12 Developer Tools**, and go to the **Emulation** tool. - - ![Emulation tool showing document mode selection](images/docmode-f12.png) - -2. Starting with the **11 (Default)** option, test your broken scenario.
-If that doesn’t work, continue down to the next lowest document mode, stopping as soon as you find a document mode that fixes your problems. For more information about the Emulation tool, see [Emulate browsers, screen sizes, and GPS locations](https://go.microsoft.com/fwlink/p/?LinkId=518417). - -3. If none of the document modes fix your issue, change the **Browser Profile** to **Enterprise**, pick the mode you want to test with starting with **8** (IE8 Enterprise Mode), and then test your broken scenario. - -### Add your site to the Enterprise Mode site list -After you’ve figured out the document mode that fixes your compatibility problems, you can add the site to your Enterprise Mode site list. - -**Note**
-There are two versions of the Enterprise Mode site list schema and the Enterprise Mode Site List Manager, based on your operating system. For more info about the schemas, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) or [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). For more info about the different site list management tools, see [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md). - - **To add your site to the site list** - -1. Open the Enterprise Mode Site List Manager, and click **Add**. - - ![Enterprise Mode Site List Manager, showing the available modes](images/emie-listmgr.png) - -2. Add the **URL** and pick the document mode from the **Launch in** box. This should be the same document mode you found fixed your problems while testing the site.
-Similar to Enterprise Mode, you can specify a document mode for a particular web path—such as contoso.com/ERP—or at a domain level. In the above, the entire contoso.com domain loads in Enterprise Mode, while microsoft.com is forced to load into IE8 Document Mode and bing.com loads in IE11. - -**Note**
-For more information about Enterprise Mode, see [What is Enterprise Mode?](what-is-enterprise-mode.md) For more information about the Enterprise Mode Site List Manager and how to add sites to your site list, see [Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md). - - -### Review your Enterprise Mode site list -Take a look at your Enterprise Mode site list and make sure everything is the way you want it. The next step will be to turn the list on and start to use it in your company. The Enterprise Mode Site List Manager will look something like: - -![Enterprise Mode Site List Manager, showing the different modes](images/emie-sitelistmgr.png) - -And the underlying XML code will look something like: - -``` xml - - - bing.com/images - www.msn.com/news - - - - timecard - tar - msdn.microsoft.com - - -``` - -### Turn on Enterprise Mode and using your site list -If you haven’t already turned on Enterprise Mode for your company, you’ll need to do that. You can turn on Enterprise Mode using Group Policy or your registry. For specific instructions and details, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md). - -## Turn off default Compatibility View for your intranet sites -By default, IE11 uses the **Display intranet sites in Compatibility View** setting. However, we’ve heard your feedback and know that you might want to turn this functionality off so you can continue to upgrade your web apps to more modern standards. - -To help you move forward, you can now use the Enterprise Mode site list to specify sites or web paths to use the IE7 document mode, which goes down to IE5 “Quirks” mode if the page doesn’t have an explicit `DOCTYPE` tag. Using this document mode effectively helps you provide the Compatibility View functionality for single sites or a group of sites, which after thorough testing, can help you turn off Compatibility View as the default setting for your intranet sites. - -## Related topics -- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: The Internet Explorer 11 Enterprise Mode site list lets you specify document modes for specific websites, helping you fix compatibility issues without changing a single line of code on the site. +author: lomayor +ms.prod: ie11 +ms.assetid: 4b21bb27-aeac-407f-ae58-ab4c6db2baf6 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Fix web compatibility issues using document modes and the Enterprise Mode site list (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Fix web compatibility issues using document modes and the Enterprise Mode site list +The Internet Explorer 11 Enterprise Mode site list lets you specify document modes for specific websites, helping you fix compatibility issues without changing a single line of code on the site. This addition to the site list is a continuation of our commitment to help you upgrade and stay up-to-date on the latest version of Internet Explorer, while still preserving your investments in existing apps. + +## What does this mean for me? +Enterprises can have critical apps that are coded explicitly for a specific browser version and that might not be in their direct control, making it very difficult and expensive to update to modern standards or newer browser versions. Because you can decide which URLs should open using specific document modes, this update helps ensure better compatibility, faster upgrades, and reduced testing and fixing costs. + +## How does this fix work? +You can continue to use your legacy and orphaned web apps, by specifying a document mode in the centralized Enterprise Mode site list. Then, when IE11 goes to a site on your list, the browser loads the page in the specified document mode just as it would if it were specified through an X-UA-Compatible meta tag on the site. For more information about document modes and X-UA-compatible headers, see [Defining document compatibility](https://go.microsoft.com/fwlink/p/?LinkId=518412). + +**Important**
+Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. + +### When do I use document modes versus Enterprise Mode? +While the `` functionality provides great compatibility for you on Windows Internet Explorer 8 or Windows Internet Explorer 7, the new `` capabilities can help you stay up-to-date regardless of which versions of IE are running in your environment. Because of this, we recommend starting your testing process like this: + +- If your enterprise primarily uses Internet Explorer 8 or Internet Explorer 7 start testing using Enterprise Mode. + +- If your enterprise primarily uses Windows Internet Explorer 9 or Internet Explorer 10, start testing using the various document modes. + +Because you might have multiple versions of IE deployed, you might need to use both Enterprise Mode and document modes to effectively move to IE11. + +### Test your sites for document mode compatibility +To see if this fix might help you, run through this process one step at a time, for each of your problematic sites: + +1. Go to a site having compatibility problems, press **F12** to open the **F12 Developer Tools**, and go to the **Emulation** tool. + + ![Emulation tool showing document mode selection](images/docmode-f12.png) + +2. Starting with the **11 (Default)** option, test your broken scenario.
+If that doesn’t work, continue down to the next lowest document mode, stopping as soon as you find a document mode that fixes your problems. For more information about the Emulation tool, see [Emulate browsers, screen sizes, and GPS locations](https://go.microsoft.com/fwlink/p/?LinkId=518417). + +3. If none of the document modes fix your issue, change the **Browser Profile** to **Enterprise**, pick the mode you want to test with starting with **8** (IE8 Enterprise Mode), and then test your broken scenario. + +### Add your site to the Enterprise Mode site list +After you’ve figured out the document mode that fixes your compatibility problems, you can add the site to your Enterprise Mode site list. + +**Note**
+There are two versions of the Enterprise Mode site list schema and the Enterprise Mode Site List Manager, based on your operating system. For more info about the schemas, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) or [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). For more info about the different site list management tools, see [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md). + + **To add your site to the site list** + +1. Open the Enterprise Mode Site List Manager, and click **Add**. + + ![Enterprise Mode Site List Manager, showing the available modes](images/emie-listmgr.png) + +2. Add the **URL** and pick the document mode from the **Launch in** box. This should be the same document mode you found fixed your problems while testing the site.
+Similar to Enterprise Mode, you can specify a document mode for a particular web path—such as contoso.com/ERP—or at a domain level. In the above, the entire contoso.com domain loads in Enterprise Mode, while microsoft.com is forced to load into IE8 Document Mode and bing.com loads in IE11. + +**Note**
+For more information about Enterprise Mode, see [What is Enterprise Mode?](what-is-enterprise-mode.md) For more information about the Enterprise Mode Site List Manager and how to add sites to your site list, see [Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md). + + +### Review your Enterprise Mode site list +Take a look at your Enterprise Mode site list and make sure everything is the way you want it. The next step will be to turn the list on and start to use it in your company. The Enterprise Mode Site List Manager will look something like: + +![Enterprise Mode Site List Manager, showing the different modes](images/emie-sitelistmgr.png) + +And the underlying XML code will look something like: + +``` xml + + + bing.com/images + www.msn.com/news + + + + timecard + tar + msdn.microsoft.com + + +``` + +### Turn on Enterprise Mode and using your site list +If you haven’t already turned on Enterprise Mode for your company, you’ll need to do that. You can turn on Enterprise Mode using Group Policy or your registry. For specific instructions and details, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md). + +## Turn off default Compatibility View for your intranet sites +By default, IE11 uses the **Display intranet sites in Compatibility View** setting. However, we’ve heard your feedback and know that you might want to turn this functionality off so you can continue to upgrade your web apps to more modern standards. + +To help you move forward, you can now use the Enterprise Mode site list to specify sites or web paths to use the IE7 document mode, which goes down to IE5 “Quirks” mode if the page doesn’t have an explicit `DOCTYPE` tag. Using this document mode effectively helps you provide the Compatibility View functionality for single sites or a group of sites, which after thorough testing, can help you turn off Compatibility View as the default setting for your intranet sites. + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md index 69d58d1c31..852ac4ae6c 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md @@ -1,48 +1,48 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: When you add multiple sites to your Enterprise Mode site list entries, they’re validated by the Enterprise Mode Site List Manager before they’re entered into your global list. -author: lomayor -ms.prod: ie11 -ms.assetid: 9f80e39f-dcf1-4124-8931-131357f31d67 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Fix validation problems using the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Fix validation problems using the Enterprise Mode Site List Manager - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -When you add multiple sites to your Enterprise Mode site list entries, they’re validated by the Enterprise Mode Site List Manager before they’re entered into your global list. If a site doesn’t pass validation, you’ll have a couple of options to address it. - -There are typically 3 types of errors you’ll see: - -- **Validation**. The site caused a validation error. Typically these occur because of typos, malformed URLs, or access-related issues. You can pick the site, click **Add to list** to ignore the problem and accept the site to your site list, or you can click **OK** to keep the site off of your site list. - -- **Duplicate**. The site already exists in the global compatibility list with a different compatibility mode. For example, the site was originally rendered in Enterprise Mode, but this update is for Default IE. You can pick the site, click **Add to list** to ignore the problem and accept the change to your site list, or you can click **OK** to keep your original compatibility mode. - -- **Redirection**. This is the least common type of validation error. Typically in this situation, a site redirects from an easy-to-remember URL to a longer URL. Like `\\tar` redirects to `\\timecard`. You can add the short URL or you can add both the short and long versions to your list.
-Another possibility is that redirection happens multiple times, with an intermediary site experiencing compatibility issues. For example, an employee types a short URL that then redirects multiple times, finally ending up on a non-intranet site. In this situation, you might want to add the intermediary URLs to your Enterprise Mode site list, in case there’s logic in one of them that has compatibility issues. - -## Related topics -- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: When you add multiple sites to your Enterprise Mode site list entries, they’re validated by the Enterprise Mode Site List Manager before they’re entered into your global list. +author: lomayor +ms.prod: ie11 +ms.assetid: 9f80e39f-dcf1-4124-8931-131357f31d67 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Fix validation problems using the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Fix validation problems using the Enterprise Mode Site List Manager + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +When you add multiple sites to your Enterprise Mode site list entries, they’re validated by the Enterprise Mode Site List Manager before they’re entered into your global list. If a site doesn’t pass validation, you’ll have a couple of options to address it. + +There are typically 3 types of errors you’ll see: + +- **Validation**. The site caused a validation error. Typically these occur because of typos, malformed URLs, or access-related issues. You can pick the site, click **Add to list** to ignore the problem and accept the site to your site list, or you can click **OK** to keep the site off of your site list. + +- **Duplicate**. The site already exists in the global compatibility list with a different compatibility mode. For example, the site was originally rendered in Enterprise Mode, but this update is for Default IE. You can pick the site, click **Add to list** to ignore the problem and accept the change to your site list, or you can click **OK** to keep your original compatibility mode. + +- **Redirection**. This is the least common type of validation error. Typically in this situation, a site redirects from an easy-to-remember URL to a longer URL. Like `\\tar` redirects to `\\timecard`. You can add the short URL or you can add both the short and long versions to your list.
+Another possibility is that redirection happens multiple times, with an intermediary site experiencing compatibility issues. For example, an employee types a short URL that then redirects multiple times, finally ending up on a non-intranet site. In this situation, you might want to add the intermediary URLs to your Enterprise Mode site list, in case there’s logic in one of them that has compatibility issues. + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md index ae518b4cd1..859cf8fbb7 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md @@ -1,43 +1,43 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: Overview about Group Policy, Advanced Group Policy Management (AGPM), and Internet Explorer 11 -author: lomayor -ms.prod: ie11 -ms.assetid: 63a7ef4a-6de2-4d08-aaba-0479131e3406 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Group Policy, Advanced Group Policy Management (AGPM), and Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Group Policy, Advanced Group Policy Management (AGPM), and Internet Explorer 11 -Advanced Group Policy Management (AGPM) is an add-on license that available for the Microsoft Desktop Optimization Pack (MDOP). This license gives you change control and a role assignment-model that helps optimize Group Policy management and reduce the risk of widespread failures. - -From AGPM you can: - -- **Edit GPOs outside of your production environment.** Your GPOs are stored in an outside archive for editing, reviewing, and approving. Then, when you deploy, AGPM moves the GPOs to your production environment. - -- **Assign roles to your employees.** You can assign 3 roles to your employees or groups, including: - - - **Reviewer.** Can view and compare GPOs in the archive. This role can't edit or deploy GPOs. - - - **Editor.** Can view, compare, check-in and out, and edit GPOs in the archive. This role can also request GPO deployment. - - - **Approver.** Can approve GPO creation and deployment to the production environment. - -- **Manage your GPO lifecycle with change control features.** You can use the available version-control, history, and auditing features to help you manage your GPOs while moving through your archive, to your editing process, and finally to your GPO deployment. - -**Note**
-For more information about AGPM, and to get the license, see [Advanced Group Policy Management 4.0 Documents](https://www.microsoft.com/en-us/download/details.aspx?id=13975). - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: Overview about Group Policy, Advanced Group Policy Management (AGPM), and Internet Explorer 11 +author: lomayor +ms.prod: ie11 +ms.assetid: 63a7ef4a-6de2-4d08-aaba-0479131e3406 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Group Policy, Advanced Group Policy Management (AGPM), and Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Group Policy, Advanced Group Policy Management (AGPM), and Internet Explorer 11 +Advanced Group Policy Management (AGPM) is an add-on license that available for the Microsoft Desktop Optimization Pack (MDOP). This license gives you change control and a role assignment-model that helps optimize Group Policy management and reduce the risk of widespread failures. + +From AGPM you can: + +- **Edit GPOs outside of your production environment.** Your GPOs are stored in an outside archive for editing, reviewing, and approving. Then, when you deploy, AGPM moves the GPOs to your production environment. + +- **Assign roles to your employees.** You can assign 3 roles to your employees or groups, including: + + - **Reviewer.** Can view and compare GPOs in the archive. This role can't edit or deploy GPOs. + + - **Editor.** Can view, compare, check-in and out, and edit GPOs in the archive. This role can also request GPO deployment. + + - **Approver.** Can approve GPO creation and deployment to the production environment. + +- **Manage your GPO lifecycle with change control features.** You can use the available version-control, history, and auditing features to help you manage your GPOs while moving through your archive, to your editing process, and finally to your GPO deployment. + +**Note**
+For more information about AGPM, and to get the license, see [Advanced Group Policy Management 4.0 Documents](https://www.microsoft.com/en-us/download/details.aspx?id=13975). + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md index fb65dd9940..3c121b3e5e 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md @@ -1,48 +1,48 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: Overview about Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11 -author: lomayor -ms.prod: ie11 -ms.assetid: ae3d227d-3da7-46b8-8a61-c71bfeae0c63 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11 -A Microsoft Management Console (MMC)-based tool that uses scriptable interfaces to manage Group Policy. The 32-bit and 64-bit versions are included with Windows Server R2 with Service Pack 1 (SP1) and Windows Server 2012 R2. - -## Why use the GPMC? -The GPMC lets you: - -- Import, export, copy, paste, backup and restore GPOs. - -- Search for existing GPOs. - -- Create reports, including providing the Resultant Set of Policy (RSoP) data in HTML reports that you can save and print. - -- Use simulated RSoP data to prototype your Group Policy before implementing it in the production environment. - -- Obtain RSoP data to view your GPO interactions and to troubleshoot your Group Policy deployment. - -- Create migration tables to let you import and copy GPOs across domains and across forests. Migration tables are files that map references to users, groups, computers, and Universal Naming Convention (UNC) paths in the source GPO to new values in the destination GPO. - -- Create scriptable interfaces to support all of the operations available within the GPMC. You can't use scripts to edit individual policy settings in a GPO. - -For more information about the GPMC, see [Group Policy Management Console](https://go.microsoft.com/fwlink/p/?LinkId=214515) on TechNet. - -## Searching for Group Policy settings -To search for Group Policy settings in the Group Policy Management Console (GPMC), use the [Group Policy Search tool](https://go.microsoft.com/fwlink/p/?LinkId=279857). To find the Group Policy settings, click **Windows Components**, and then click **Internet Explorer**. - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: Overview about Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11 +author: lomayor +ms.prod: ie11 +ms.assetid: ae3d227d-3da7-46b8-8a61-c71bfeae0c63 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11 +A Microsoft Management Console (MMC)-based tool that uses scriptable interfaces to manage Group Policy. The 32-bit and 64-bit versions are included with Windows Server R2 with Service Pack 1 (SP1) and Windows Server 2012 R2. + +## Why use the GPMC? +The GPMC lets you: + +- Import, export, copy, paste, backup and restore GPOs. + +- Search for existing GPOs. + +- Create reports, including providing the Resultant Set of Policy (RSoP) data in HTML reports that you can save and print. + +- Use simulated RSoP data to prototype your Group Policy before implementing it in the production environment. + +- Obtain RSoP data to view your GPO interactions and to troubleshoot your Group Policy deployment. + +- Create migration tables to let you import and copy GPOs across domains and across forests. Migration tables are files that map references to users, groups, computers, and Universal Naming Convention (UNC) paths in the source GPO to new values in the destination GPO. + +- Create scriptable interfaces to support all of the operations available within the GPMC. You can't use scripts to edit individual policy settings in a GPO. + +For more information about the GPMC, see [Group Policy Management Console](https://go.microsoft.com/fwlink/p/?LinkId=214515) on TechNet. + +## Searching for Group Policy settings +To search for Group Policy settings in the Group Policy Management Console (GPMC), use the [Group Policy Search tool](https://go.microsoft.com/fwlink/p/?LinkId=279857). To find the Group Policy settings, click **Windows Components**, and then click **Internet Explorer**. + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md index d6703810d1..574b7f8895 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md @@ -1,48 +1,48 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: Use the topics in this section to learn about Group Policy and how to use it to manage Internet Explorer. -author: lomayor -ms.prod: ie11 -ms.assetid: 50383d3f-9ac9-4a30-8852-354b6eb9434a -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Group Policy and Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Group Policy and Internet Explorer 11 (IE11) - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Use the topics in this section to learn about Group Policy and how to use it to manage Internet Explorer. - -## In this section - -|Topic |Description | -|----------------------------------------------------|-----------------------------------------------------------------| -|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Info about many of the new group policy settings added for Internet Explorer 11. | -|[Group Policy management tools](group-policy-objects-and-ie11.md) |Guidance about how to use Microsoft Active Directory Domain Services (AD DS) to manage your Group Policy settings. | -|[ActiveX installation using group policy](activex-installation-using-group-policy.md) |Info about using the ActiveX Installer Service (AXIS) and Group Policy to manage your ActiveX control deployment. | -|[Group Policy and compatibility with Internet Explorer 11](group-policy-compatibility-with-ie11.md) |Our Group Policy recommendations for security, performance, and compatibility with previous versions of IE, regardless of which Zone the website is in. | -|[Group policy preferences and Internet Explorer 11](group-policy-preferences-and-ie11.md) |Info about Group Policy preferences, as compared to Group Policy settings. | -|[Administrative templates and Internet Explorer 11](administrative-templates-and-ie11.md) |Info about Administrative Templates, including where to store them and the related Group Policy settings. | -|[Enable and disable add\-ons using administrative templates and group policy](enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md) |Guidance about how to use your local Group Policy editor or the CLSID and Administrative Templates to manage your Group Policy objects. - - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: Use the topics in this section to learn about Group Policy and how to use it to manage Internet Explorer. +author: lomayor +ms.prod: ie11 +ms.assetid: 50383d3f-9ac9-4a30-8852-354b6eb9434a +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Group Policy and Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Group Policy and Internet Explorer 11 (IE11) + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Use the topics in this section to learn about Group Policy and how to use it to manage Internet Explorer. + +## In this section + +|Topic |Description | +|----------------------------------------------------|-----------------------------------------------------------------| +|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Info about many of the new group policy settings added for Internet Explorer 11. | +|[Group Policy management tools](group-policy-objects-and-ie11.md) |Guidance about how to use Microsoft Active Directory Domain Services (AD DS) to manage your Group Policy settings. | +|[ActiveX installation using group policy](activex-installation-using-group-policy.md) |Info about using the ActiveX Installer Service (AXIS) and Group Policy to manage your ActiveX control deployment. | +|[Group Policy and compatibility with Internet Explorer 11](group-policy-compatibility-with-ie11.md) |Our Group Policy recommendations for security, performance, and compatibility with previous versions of IE, regardless of which Zone the website is in. | +|[Group policy preferences and Internet Explorer 11](group-policy-preferences-and-ie11.md) |Info about Group Policy preferences, as compared to Group Policy settings. | +|[Administrative templates and Internet Explorer 11](administrative-templates-and-ie11.md) |Info about Administrative Templates, including where to store them and the related Group Policy settings. | +|[Enable and disable add\-ons using administrative templates and group policy](enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md) |Guidance about how to use your local Group Policy editor or the CLSID and Administrative Templates to manage your Group Policy objects. + + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md index 8895e8e19e..36176c7bde 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md @@ -1,36 +1,36 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: Group Policy, the Local Group Policy Editor, and Internet Explorer 11 -author: lomayor -ms.prod: ie11 -ms.assetid: 6fc30e91-efac-4ba5-9ee2-fa77dcd36467 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Group Policy, the Local Group Policy Editor, and Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Group Policy, the Local Group Policy Editor, and Internet Explorer 11 -A Microsoft Management Console (MMC)-based tool that manages both computer and user-related configurations for an individual computer policy. This tool is included with Windows® 7 Service Pack 1 (SP1) and Windows 8.1. - -Here's a list of the policy settings you can use, based on the configuration type. For more info, see [Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=294912). - -|Computer configuration |User configuration | -|-----------------------|-------------------| -|Windows settings:
  • Name Resolution policy
  • Scripts (Startup/Shutdown)
  • Deployed printers
  • Security settings
  • Policy-based Quality of Service (QoS)
|Windows settings:
  • Scripts (Startup/Shutdown)
  • Deployed printers
  • Security settings
  • Policy-based Quality of Service (QoS)

| -|Administrative templates:
  • Control Panel
  • Network
  • Printers
  • Server
  • System
  • Windows components
  • All settings

|Administrative templates:
  • Control Panel
  • Desktop
  • Network
  • Shared folders
  • Start menu and taskbar
  • System
  • Windows components
  • All settings
| - - -  - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: Group Policy, the Local Group Policy Editor, and Internet Explorer 11 +author: lomayor +ms.prod: ie11 +ms.assetid: 6fc30e91-efac-4ba5-9ee2-fa77dcd36467 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Group Policy, the Local Group Policy Editor, and Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Group Policy, the Local Group Policy Editor, and Internet Explorer 11 +A Microsoft Management Console (MMC)-based tool that manages both computer and user-related configurations for an individual computer policy. This tool is included with Windows® 7 Service Pack 1 (SP1) and Windows 8.1. + +Here's a list of the policy settings you can use, based on the configuration type. For more info, see [Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=294912). + +|Computer configuration |User configuration | +|-----------------------|-------------------| +|Windows settings:
  • Name Resolution policy
  • Scripts (Startup/Shutdown)
  • Deployed printers
  • Security settings
  • Policy-based Quality of Service (QoS)
|Windows settings:
  • Scripts (Startup/Shutdown)
  • Deployed printers
  • Security settings
  • Policy-based Quality of Service (QoS)

| +|Administrative templates:
  • Control Panel
  • Network
  • Printers
  • Server
  • System
  • Windows components
  • All settings

|Administrative templates:
  • Control Panel
  • Desktop
  • Network
  • Shared folders
  • Start menu and taskbar
  • System
  • Windows components
  • All settings
| + + +  + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatibility-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatibility-with-ie11.md index 812e8abe3d..5e66dc9f4c 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatibility-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatibility-with-ie11.md @@ -1,38 +1,38 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: Group Policy suggestions for compatibility with Internet Explorer 11 -author: lomayor -ms.prod: ie11 -ms.assetid: 7482c99f-5d79-4344-9e1c-aea9f0a68e18 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Group Policy and compatibility with Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Group Policy and compatibility with Internet Explorer 11 -Internet Explorer 11 has many Group Policy entries that can be configured for keeping your environment managed and safe. This table includes all of our recommendations around security, performance, and compatibility with the previous versions of Internet Explorer, regardless of which Zone the website is in. - -|Activity |Location |Setting the policy object | -|---------------------------------|----------------------------------------------|-------------------------------------------------------------------------| -|Turn on Compatibility View for all intranet zones |`Administrative Templates\Windows Components\Internet Explorer\Compatibility View` |Double-click **Turn on IE Standards Mode for local intranet** , and then click **Disabled**. | -|Turn on Compatibility View for selected websites, using Group Policy |`Administrative Templates\Windows Components\Internet Explorer\Compatibility View` |Double-click **Use Policy List of Windows Internet Explorer 7 sites** , and then click **Enabled**.Users will be able to add or remove sites manually to their local Compatibility View list, but they won’t be able to remove the sites you specifically added. | -|Turn on Quirks mode for selected websites, using Group Policy |`Administrative Templates\Windows Components\Internet Explorer\Compatibility View` |Double-click **Use Policy List of Quirks Mode sites**, and then click **Enabled**. | -|Ensure your users are using the most up-to-date version of Microsoft’s compatibility list. |`Administrative Templates\Windows Components\Internet Explorer\Compatibility View` |Double-click **Include updated Web site lists from Microsoft**, and then click **Enabled**. | -|Restrict users from making security zone configuration changes. |`Administrative Templates\ Windows Components\Internet Explorer\Internet Control Panel` |Double-click **Disable the Security Page**, and then click **Enabled**. | -|Control which security zone settings are applied to specific websites. |`Administrative Templates\ Windows Components\Internet Explorer\Internet Control Panel\Security Page` |Double-click **Site to Zone Assignment List**, click **Enabled**, and then enter your list of websites and their applicable security zones. | -|Turn off Data Execution Prevention (DEP). |`Administrative Templates\ Windows Components\Internet Explorer\Security Features` |Double-click **Turn off Data Execution Prevention**, and then click **Enabled**. | - -  - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: Group Policy suggestions for compatibility with Internet Explorer 11 +author: lomayor +ms.prod: ie11 +ms.assetid: 7482c99f-5d79-4344-9e1c-aea9f0a68e18 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Group Policy and compatibility with Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Group Policy and compatibility with Internet Explorer 11 +Internet Explorer 11 has many Group Policy entries that can be configured for keeping your environment managed and safe. This table includes all of our recommendations around security, performance, and compatibility with the previous versions of Internet Explorer, regardless of which Zone the website is in. + +|Activity |Location |Setting the policy object | +|---------------------------------|----------------------------------------------|-------------------------------------------------------------------------| +|Turn on Compatibility View for all intranet zones |`Administrative Templates\Windows Components\Internet Explorer\Compatibility View` |Double-click **Turn on IE Standards Mode for local intranet** , and then click **Disabled**. | +|Turn on Compatibility View for selected websites, using Group Policy |`Administrative Templates\Windows Components\Internet Explorer\Compatibility View` |Double-click **Use Policy List of Windows Internet Explorer 7 sites** , and then click **Enabled**.Users will be able to add or remove sites manually to their local Compatibility View list, but they won’t be able to remove the sites you specifically added. | +|Turn on Quirks mode for selected websites, using Group Policy |`Administrative Templates\Windows Components\Internet Explorer\Compatibility View` |Double-click **Use Policy List of Quirks Mode sites**, and then click **Enabled**. | +|Ensure your users are using the most up-to-date version of Microsoft’s compatibility list. |`Administrative Templates\Windows Components\Internet Explorer\Compatibility View` |Double-click **Include updated Web site lists from Microsoft**, and then click **Enabled**. | +|Restrict users from making security zone configuration changes. |`Administrative Templates\ Windows Components\Internet Explorer\Internet Control Panel` |Double-click **Disable the Security Page**, and then click **Enabled**. | +|Control which security zone settings are applied to specific websites. |`Administrative Templates\ Windows Components\Internet Explorer\Internet Control Panel\Security Page` |Double-click **Site to Zone Assignment List**, click **Enabled**, and then enter your list of websites and their applicable security zones. | +|Turn off Data Execution Prevention (DEP). |`Administrative Templates\ Windows Components\Internet Explorer\Security Features` |Double-click **Turn off Data Execution Prevention**, and then click **Enabled**. | + +  + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md index 247e023667..494906c975 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md @@ -1,55 +1,55 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: Overview of the available Group Policy management tools -author: lomayor -ms.prod: ie11 -ms.assetid: e33bbfeb-6b80-4e71-8bba-1d0369a87312 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Group Policy management tools (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Group Policy management tools -Group Policy, based on Microsoft Active Directory Domain Services (AD DS), lets you manage your organization's computer and user settings as part of your Group Policy objects (GPOs), which are added and changed in the Group Policy Management Console (GPMC). GPOs can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. The most effective way to target a specific GPO is to use Windows Management Instrumentation (WMI) filters. Like, creating a WMI filter that applies a GPO only to computers with a specific make and model. - -By using Group Policy, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple Internet Explorer 11 security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain. - -**Note**
   -For more information about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). This site provides links to the latest technical documentation, videos, and downloads for Group Policy. - -## Managing settings with GPOs -After deploying IE11 to your organization, you can continue to manage the browser settings by using Active Directory Domain Services (AD DS) together with the following Group Policy-related setting management groups: - -- [Administrative templates and Internet Explorer 11](administrative-templates-and-ie11.md). Used to manage registry-based policies and options. - -- [Group policy preferences and Internet Explorer 11](group-policy-preferences-and-ie11.md). Used to set up and manage options that can be changed by the user after installation. - -**Note**
-Whenever possible, we recommend that you manage IE11 using Administrative Templates, because these settings are always written to secure policy branches in the registry. In addition, we recommend that you deploy using standard user accounts instead of letting your users log on to their computers as administrators. This helps to prevent your users from making unwanted changes to their systems or overriding Group Policy settings. - - -Users won't be able to use the IE11 user interface or the registry to change any managed settings on their computers. However, they will be able to change many of the preferences associated with the settings you set up using the Internet Explorer Administration Kit 11 (IEAK 11). - -## Which GPO tool should I use? -You can use any of these tools to create, manage, view, and troubleshoot Group Policy objects (GPOs). For information about each, see: - -- [Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11](group-policy-and-group-policy-mgmt-console-ie11.md). Provides a single location to manage all GPOs, WMI filters, and Group Policy–related permissions across multiple forests in an organization. - -- [Group Policy, the Local Group Policy Editor, and Internet Explorer 11](group-policy-and-local-group-policy-editor-ie11.md). Provides a user interface that lets you edit settings within individual GPOs. - -- [Group Policy, Advanced Group Policy Management (AGPM), and Internet Explorer 11](group-policy-and-advanced-group-policy-mgmt-ie11.md). An add-on license for the Microsoft Desktop Optimization Pack (MDOP) that helps to extend Group Policy for Software Assurance customers. - -- [Group Policy, Windows Powershell, and Internet Explorer 11](group-policy-windows-powershell-ie11.md). A command-line shell and scripting language that helps automate Windows and application administration on a single computer locally, or across many computers remotely. - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: Overview of the available Group Policy management tools +author: lomayor +ms.prod: ie11 +ms.assetid: e33bbfeb-6b80-4e71-8bba-1d0369a87312 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Group Policy management tools (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Group Policy management tools +Group Policy, based on Microsoft Active Directory Domain Services (AD DS), lets you manage your organization's computer and user settings as part of your Group Policy objects (GPOs), which are added and changed in the Group Policy Management Console (GPMC). GPOs can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. The most effective way to target a specific GPO is to use Windows Management Instrumentation (WMI) filters. Like, creating a WMI filter that applies a GPO only to computers with a specific make and model. + +By using Group Policy, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple Internet Explorer 11 security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain. + +**Note**
   +For more information about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). This site provides links to the latest technical documentation, videos, and downloads for Group Policy. + +## Managing settings with GPOs +After deploying IE11 to your organization, you can continue to manage the browser settings by using Active Directory Domain Services (AD DS) together with the following Group Policy-related setting management groups: + +- [Administrative templates and Internet Explorer 11](administrative-templates-and-ie11.md). Used to manage registry-based policies and options. + +- [Group policy preferences and Internet Explorer 11](group-policy-preferences-and-ie11.md). Used to set up and manage options that can be changed by the user after installation. + +**Note**
+Whenever possible, we recommend that you manage IE11 using Administrative Templates, because these settings are always written to secure policy branches in the registry. In addition, we recommend that you deploy using standard user accounts instead of letting your users log on to their computers as administrators. This helps to prevent your users from making unwanted changes to their systems or overriding Group Policy settings. + + +Users won't be able to use the IE11 user interface or the registry to change any managed settings on their computers. However, they will be able to change many of the preferences associated with the settings you set up using the Internet Explorer Administration Kit 11 (IEAK 11). + +## Which GPO tool should I use? +You can use any of these tools to create, manage, view, and troubleshoot Group Policy objects (GPOs). For information about each, see: + +- [Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11](group-policy-and-group-policy-mgmt-console-ie11.md). Provides a single location to manage all GPOs, WMI filters, and Group Policy–related permissions across multiple forests in an organization. + +- [Group Policy, the Local Group Policy Editor, and Internet Explorer 11](group-policy-and-local-group-policy-editor-ie11.md). Provides a user interface that lets you edit settings within individual GPOs. + +- [Group Policy, Advanced Group Policy Management (AGPM), and Internet Explorer 11](group-policy-and-advanced-group-policy-mgmt-ie11.md). An add-on license for the Microsoft Desktop Optimization Pack (MDOP) that helps to extend Group Policy for Software Assurance customers. + +- [Group Policy, Windows Powershell, and Internet Explorer 11](group-policy-windows-powershell-ie11.md). A command-line shell and scripting language that helps automate Windows and application administration on a single computer locally, or across many computers remotely. + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md index 66f39f438f..473be60b15 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md @@ -1,38 +1,38 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: Info about Group Policy preferences versus Group Policy settings -author: lomayor -ms.prod: ie11 -ms.assetid: f2264c97-7f09-4f28-bb5c-58ab80dcc6ee -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Group policy preferences and Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Group policy preferences and Internet Explorer 11 -Group Policy preferences are less strict than Group Policy settings, based on: - -| |Group Policy preferences |Group Policy settings | -|-----|-------------------------|----------------------| -|Enforcement |
  • Not enforced
  • Has the user interface turned on
  • Can only be refreshed or applied once
|
  • Enforced
  • Has the user interface turned off
  • Can be refreshed multiple times
| -|Flexibility |Lets you create preference items for registry settings, files, and folders. |
  • Requires app support
  • Needs you to create Administrative Templates for new policy settings
  • Won't let you create policy settings to manage files and folders
| -|Local Group Policy |Not available |Available -|Awareness |Supports apps that aren't Group Policy-aware |Requires apps to be Group Policy-aware | -|Storage |
  • Overwrites the original settings
  • Removing the preference doesn't restore the original setting
|
  • Doesn't overwrite the original settings
  • Stored in the Policy branches of the registry
  • Removing the setting restores the original setting
| -|Targeting and filtering |
  • Targeting is specific, with a user interface for each type of targeting item
  • Supports targeting at the individual preference item level
|
  • Filtering is based on Windows Management Instrumentation (WMI), and requires writing WMI queries
  • Supports filtering at the Group Policy Object (GPO) level
| - - -For more information about Group Policy preferences, see the [Group Policy Settings Reference for Windows and Windows Server](https://go.microsoft.com/fwlink/p/?LinkId=279876). - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: Info about Group Policy preferences versus Group Policy settings +author: lomayor +ms.prod: ie11 +ms.assetid: f2264c97-7f09-4f28-bb5c-58ab80dcc6ee +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Group policy preferences and Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Group policy preferences and Internet Explorer 11 +Group Policy preferences are less strict than Group Policy settings, based on: + +| |Group Policy preferences |Group Policy settings | +|-----|-------------------------|----------------------| +|Enforcement |
  • Not enforced
  • Has the user interface turned on
  • Can only be refreshed or applied once
|
  • Enforced
  • Has the user interface turned off
  • Can be refreshed multiple times
| +|Flexibility |Lets you create preference items for registry settings, files, and folders. |
  • Requires app support
  • Needs you to create Administrative Templates for new policy settings
  • Won't let you create policy settings to manage files and folders
| +|Local Group Policy |Not available |Available +|Awareness |Supports apps that aren't Group Policy-aware |Requires apps to be Group Policy-aware | +|Storage |
  • Overwrites the original settings
  • Removing the preference doesn't restore the original setting
|
  • Doesn't overwrite the original settings
  • Stored in the Policy branches of the registry
  • Removing the setting restores the original setting
| +|Targeting and filtering |
  • Targeting is specific, with a user interface for each type of targeting item
  • Supports targeting at the individual preference item level
|
  • Filtering is based on Windows Management Instrumentation (WMI), and requires writing WMI queries
  • Supports filtering at the Group Policy Object (GPO) level
| + + +For more information about Group Policy preferences, see the [Group Policy Settings Reference for Windows and Windows Server](https://go.microsoft.com/fwlink/p/?LinkId=279876). + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md index 19c1de8291..65ae07a3ce 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md @@ -1,29 +1,29 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: Links to troubleshooting topics and log files that can help address Group Policy problems with Internet Explorer 11. -author: lomayor -ms.prod: ie11 -ms.assetid: 0da0d9a9-200c-46c4-96be-630e82de017b -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Group Policy problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Group Policy problems with Internet Explorer 11 -If you're having problems with Group Policy and Internet Explorer 11, or if you're looking for high-level information about the concepts and techniques used to troubleshoot Group Policy, as well as links to detailed reference topics, procedures, and troubleshooting scenario guides, see [Group Policy Analysis and Troubleshooting Overview](https://go.microsoft.com/fwlink/p/?LinkId=279872). - -## Group Policy Object-related Log Files -You can use the Event Viewer to review Group Policy-related messages in the **Windows Logs**, **System** file. All of the Group Policy-related events are shown with a source of **GroupPolicy**. For more information about the Event Viewer, see [What information appears in event logs? (Event Viewer)](https://go.microsoft.com/fwlink/p/?LinkId=294917). - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: Links to troubleshooting topics and log files that can help address Group Policy problems with Internet Explorer 11. +author: lomayor +ms.prod: ie11 +ms.assetid: 0da0d9a9-200c-46c4-96be-630e82de017b +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Group Policy problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Group Policy problems with Internet Explorer 11 +If you're having problems with Group Policy and Internet Explorer 11, or if you're looking for high-level information about the concepts and techniques used to troubleshoot Group Policy, as well as links to detailed reference topics, procedures, and troubleshooting scenario guides, see [Group Policy Analysis and Troubleshooting Overview](https://go.microsoft.com/fwlink/p/?LinkId=279872). + +## Group Policy Object-related Log Files +You can use the Event Viewer to review Group Policy-related messages in the **Windows Logs**, **System** file. All of the Group Policy-related events are shown with a source of **GroupPolicy**. For more information about the Event Viewer, see [What information appears in event logs? (Event Viewer)](https://go.microsoft.com/fwlink/p/?LinkId=294917). + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md index 02a0adf579..7c53292112 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md @@ -1,49 +1,49 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: Instructions about how to create and configure shortcut preference extensions to file system objects, URLs, and shell objects. -author: lomayor -ms.prod: ie11 -ms.assetid: c6fbf990-13e4-4be7-9f08-5bdd43179b3b -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Group Policy, Shortcut Extensions, and Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Group Policy, Shortcut Extensions, and Internet Explorer 11 -Group Policy includes the Shortcuts preference extension, which lets you configure shortcuts to: - -- **File system objects.** Traditional shortcuts that link to apps, files, folders, drives, shares, or computers. For example, linking a shortcut to an app from the **Start** screen. - -- **URLs.** Shortcuts to webpages or FTP sites. For example, a link to your intranet site from your employee's **Favorites** folder. - -- **Shell objects.** Shortcuts to objects that appear in the shell namespace, such as printers, desktop items, Control Panel items, the Recycle Bin, and so on. - -## How do I configure shortcuts? -You can create and configure shortcuts for any domain-based Group Policy Object (GPO) in the Group Policy Management Console (GPMC). - - **To create a new Shortcut preference item** - -1. Open GPMC, right-click the Group Policy object that needs the new shortcut extension, and click **Edit**. - -2. From **Computer Configuration** or **User Configuration**, go to **Preferences**, and then go to **Windows Settings**. - -3. Right-click **Shortcuts**, click **New**, and then choose **Shortcut**. - -4. Choose what the shortcut should do, including **Create**, **Delete**, **Replace**, or **Update**. - -5. Type the required shortcut settings and your comments into the **Description** box, and click **OK**. - -For more information about shortcut extensions, including step-by-step guidance, see [Shortcuts Extension](https://go.microsoft.com/fwlink/p/?LinkId=214525) and [Configure a Shortcut Item](https://go.microsoft.com/fwlink/p/?LinkId=301837). - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: Instructions about how to create and configure shortcut preference extensions to file system objects, URLs, and shell objects. +author: lomayor +ms.prod: ie11 +ms.assetid: c6fbf990-13e4-4be7-9f08-5bdd43179b3b +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Group Policy, Shortcut Extensions, and Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Group Policy, Shortcut Extensions, and Internet Explorer 11 +Group Policy includes the Shortcuts preference extension, which lets you configure shortcuts to: + +- **File system objects.** Traditional shortcuts that link to apps, files, folders, drives, shares, or computers. For example, linking a shortcut to an app from the **Start** screen. + +- **URLs.** Shortcuts to webpages or FTP sites. For example, a link to your intranet site from your employee's **Favorites** folder. + +- **Shell objects.** Shortcuts to objects that appear in the shell namespace, such as printers, desktop items, Control Panel items, the Recycle Bin, and so on. + +## How do I configure shortcuts? +You can create and configure shortcuts for any domain-based Group Policy Object (GPO) in the Group Policy Management Console (GPMC). + + **To create a new Shortcut preference item** + +1. Open GPMC, right-click the Group Policy object that needs the new shortcut extension, and click **Edit**. + +2. From **Computer Configuration** or **User Configuration**, go to **Preferences**, and then go to **Windows Settings**. + +3. Right-click **Shortcuts**, click **New**, and then choose **Shortcut**. + +4. Choose what the shortcut should do, including **Create**, **Delete**, **Replace**, or **Update**. + +5. Type the required shortcut settings and your comments into the **Description** box, and click **OK**. + +For more information about shortcut extensions, including step-by-step guidance, see [Shortcuts Extension](https://go.microsoft.com/fwlink/p/?LinkId=214525) and [Configure a Shortcut Item](https://go.microsoft.com/fwlink/p/?LinkId=301837). + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md index 0a81ff7136..dcea0b00e6 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md @@ -1,38 +1,38 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: Overview about how Group Policy works with Windows Powershell and Internet Explorer 11 -author: lomayor -ms.prod: ie11 -ms.assetid: e3607cde-a498-4e04-9daa-b331412967fc -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Group Policy, Windows Powershell, and Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Group Policy, Windows Powershell, and Internet Explorer 11 -Your domain-joined Group Policy Objects (GPOs) can use any of Group Policy-related “cmdlets” that run within Windows PowerShell. - -Each cmdlet is a single-function command-line tool that can: - -- Create, edit, remove, back up, and import GPOs. - -- Create, update, and remove Group Policy links. - -- Set inheritance flags and permissions on organizational units (OU) and domains. - -- Configure registry-based policy settings and registry settings for Group Policy preferences. - -For more info about PowerShell and Group Policy management, see [Use Windows PowerShell to Manage Group Policy](https://go.microsoft.com/fwlink/p/?LinkId=276828). - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: Overview about how Group Policy works with Windows Powershell and Internet Explorer 11 +author: lomayor +ms.prod: ie11 +ms.assetid: e3607cde-a498-4e04-9daa-b331412967fc +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Group Policy, Windows Powershell, and Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Group Policy, Windows Powershell, and Internet Explorer 11 +Your domain-joined Group Policy Objects (GPOs) can use any of Group Policy-related “cmdlets” that run within Windows PowerShell. + +Each cmdlet is a single-function command-line tool that can: + +- Create, edit, remove, back up, and import GPOs. + +- Create, update, and remove Group Policy links. + +- Set inheritance flags and permissions on organizational units (OU) and domains. + +- Configure registry-based policy settings and registry settings for Group Policy preferences. + +For more info about PowerShell and Group Policy management, see [Use Windows PowerShell to Manage Group Policy](https://go.microsoft.com/fwlink/p/?LinkId=276828). + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md index 0b4e605611..4e3fdb4baa 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md +++ b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md @@ -1,142 +1,142 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: support -ms.pagetype: security -description: -author: lomayor -ms.author: lomayor -ms.manager: elizapo -ms.prod: ie11 -ms.assetid: -ms.reviewer: -manager: dansimp -title: Internet Explorer 11 delivery through automatic updates -ms.sitesec: library -ms.date: 05/22/2018 ---- - -# Internet Explorer 11 delivery through automatic updates -Internet Explorer 11 makes browsing the web faster, easier, safer, and more reliable than ever. To help customers become more secure and up-to-date, Microsoft will distribute Internet Explorer 11 through Automatic Updates and the Windows Update and Microsoft Update sites. Internet Explorer 11 will be available for users of the 32-bit and 64-bit versions of Windows 7 Service Pack 1 (SP1), and 64-bit version of Windows Server 2008 R2 SP1. This article provides an overview of the delivery process and options available for IT administrators to control how and when Internet Explorer 11 is deployed to their organization through Automatic Updates. - -- [Automatic updates delivery process](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#automatic-updates-delivery-process) - -- [Internet Explorer 11 automatic upgrades](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#internet-explorer-11-automatic-upgrades) - -- [Options for blocking automatic delivery](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#options-for-blocking-automatic-delivery) - -- [Availability of Internet Explorer 11](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#availability-of-internet-explorer-11) - -- [Prevent automatic installation of Internet Explorer 11 with WSUS](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#prevent-automatic-installation-of-internet-explorer-11-with-wsus) - -## Automatic updates delivery process - -Internet Explorer 11 only downloads and installs if it’s available for delivery through Automatic Updates; and Automatic Updates only offer Internet Explorer 11 -to users with local administrator accounts. User’s without local administrator accounts won’t be prompted to install the update and will continue using their -current version of Internet Explorer. - -Internet Explorer 11 replaces Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10. If you decide you don’t want Internet Explorer 11, and you’re running Windows 7 SP1 or Windows Server 2008 R2 with SP1, you can uninstall it from the **View installed updates** section of the **Uninstall an update** page of the Control Panel. - ->[!Note] ->If a user installs Internet Explorer 11 and then removes it, it won’t be re-offered to that computer through Automatic Updates. Instead, the user will have to manually re-install the app. - -## Internet Explorer 11 automatic upgrades - -Internet Explorer 11 is offered through Automatic Updates and Windows Update as an Important update. Users running Windows 7 SP1, who have chosen to download and install updates automatically through Windows Update, are automatically upgraded to Internet Explorer 11. - -Users who were automatically upgraded to Internet Explorer 11 can decide to uninstall Internet Explorer 11. However, Internet Explorer 11 will still appear as an optional update through Windows Update. - -## Options for blocking automatic delivery - -If you use Automatic Updates in your company, but want to stop your users from automatically getting Internet Explorer 11, do one of the following: - -- **Download and use the Internet Explorer 11 Blocker Toolkit.** Includes a Group Policy template and a script that permanently blocks Internet Explorer 11 from being offered by Windows Update or Microsoft Update as a high-priority update. You can download this kit from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722). - - >[!Note] - >The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-ie11-blocker-toolkit.md). - -- **Use an update management solution to control update deployment.** - If you already use an update management solution, like [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [System Center 2012 Configuration Manager](https://go.microsoft.com/fwlink/?LinkID=276664), you should use that instead of the Internet Explorer Blocker Toolkit. - - >[!Note] - >If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. This scenario is discussed in detail in the Knowledge Base article [here](https://support.microsoft.com/kb/946202). - -Additional information on Internet Explorer 11, including a Readiness Toolkit, technical overview, in-depth feature summary, and Internet Explorer 11 download is available on the [Internet Explorer 11 page of the Microsoft Edge IT Center](https://technet.microsoft.com/microsoft-edge/dn262703.aspx). - -## Availability of Internet Explorer 11 - -Automatic Updates will start to distribute Internet Explorer 11 shortly after the final release of the product and will distribute it through the System Center Configuration Manager, Microsoft Systems Management Server, and WSUS. - -## Prevent automatic installation of Internet Explorer 11 with WSUS - -Internet Explorer 11 will be released to WSUS as an Update Rollup package. Therefore, if you’ve configured WSUS to “auto-approve” Update Rollup packages, it’ll be automatically approved and installed. To stop Internet Explorer 11 from being automatically approved for installation, you need to: - -1. Click **Start**, click **Administrative Tools**, and then click **Microsoft - Windows Server Update Services 3.0**. - -2. Expand *ComputerName*, and then click **Options**. - -3. Click **Automatic Approvals**. - -4. Click the rule that automatically approves an update that is classified as - Update Rollup, and then click **Edit.** - - >[!Note] - >If you don’t see a rule like this, you most likely haven’t configured WSUS to automatically approve Update Rollups for installation. In this situation, you don’t have to do anything else. - -5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section. - - >[!Note] - >The properties for this rule will resemble the following:
  • When an update is in Update Rollups
  • Approve the update for all computers
- -6. Clear the **Update Rollup** check box, and then click **OK**. - -7. Click **OK** to close the **Automatic Approvals** dialog box.

After the new Internet Explorer 11 package is available for download, you should manually synchronize the new package to your WSUS server, so that when you re-enable auto-approval it won’t be automatically installed. - -8. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**. - -9. Expand *ComputerName*, and then click **Synchronizations**. - -10. Click **Synchronize Now**. - -11. Expand *ComputerName*, expand **Updates**, and then click **All Updates**. - -12. Choose **Unapproved** in the **Approval**drop down box. - -13. Check to make sure that Microsoft Internet Explorer 11 is listed as an unapproved update. - - >[!Note] - >There may be multiple updates, depending on the imported language and operating system updates. - -**Optional** - -If you need to reset your Update Rollups packages to auto-approve, do this: - -1. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**. - -2. Expand *ComputerName*, and then click **Options**. - -3. Click **Automatic Approvals**. - -4. Click the rule that automatically approves updates of different classifications, and then click **Edit**. - -5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section. - -6. Check the **Update Rollups** check box, and then click **OK**. - -7. Click **OK** to close the **Automatic Approvals** dialog box. - ->[!Note] ->Because auto-approval rules are only evaluated when an update is first imported into WSUS, turning this rule back on after the Internet Explorer 11 update has been imported and synchronized to the server won’t cause this update to be auto-approved. - - -## Additional resources - -- [Automatic delivery process](what-is-the-internet-explorer-11-blocker-toolkit.md#automatic-delivery-process) - -- [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722) - -- [Internet Explorer 11 FAQ for IT pros](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11) - -- [Internet Explorer 11 delivery through automatic updates](https://technet.microsoft.com/microsoft-edge/dn449235) - -- [Internet Explorer 11 deployment guide](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/index) +--- +ms.localizationpriority: medium +ms.mktglfcycl: support +ms.pagetype: security +description: +author: lomayor +ms.author: lomayor +ms.manager: elizapo +ms.prod: ie11 +ms.assetid: +ms.reviewer: +audience: itpro manager: dansimp +title: Internet Explorer 11 delivery through automatic updates +ms.sitesec: library +ms.date: 05/22/2018 +--- + +# Internet Explorer 11 delivery through automatic updates +Internet Explorer 11 makes browsing the web faster, easier, safer, and more reliable than ever. To help customers become more secure and up-to-date, Microsoft will distribute Internet Explorer 11 through Automatic Updates and the Windows Update and Microsoft Update sites. Internet Explorer 11 will be available for users of the 32-bit and 64-bit versions of Windows 7 Service Pack 1 (SP1), and 64-bit version of Windows Server 2008 R2 SP1. This article provides an overview of the delivery process and options available for IT administrators to control how and when Internet Explorer 11 is deployed to their organization through Automatic Updates. + +- [Automatic updates delivery process](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#automatic-updates-delivery-process) + +- [Internet Explorer 11 automatic upgrades](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#internet-explorer-11-automatic-upgrades) + +- [Options for blocking automatic delivery](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#options-for-blocking-automatic-delivery) + +- [Availability of Internet Explorer 11](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#availability-of-internet-explorer-11) + +- [Prevent automatic installation of Internet Explorer 11 with WSUS](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#prevent-automatic-installation-of-internet-explorer-11-with-wsus) + +## Automatic updates delivery process + +Internet Explorer 11 only downloads and installs if it’s available for delivery through Automatic Updates; and Automatic Updates only offer Internet Explorer 11 +to users with local administrator accounts. User’s without local administrator accounts won’t be prompted to install the update and will continue using their +current version of Internet Explorer. + +Internet Explorer 11 replaces Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10. If you decide you don’t want Internet Explorer 11, and you’re running Windows 7 SP1 or Windows Server 2008 R2 with SP1, you can uninstall it from the **View installed updates** section of the **Uninstall an update** page of the Control Panel. + +>[!Note] +>If a user installs Internet Explorer 11 and then removes it, it won’t be re-offered to that computer through Automatic Updates. Instead, the user will have to manually re-install the app. + +## Internet Explorer 11 automatic upgrades + +Internet Explorer 11 is offered through Automatic Updates and Windows Update as an Important update. Users running Windows 7 SP1, who have chosen to download and install updates automatically through Windows Update, are automatically upgraded to Internet Explorer 11. + +Users who were automatically upgraded to Internet Explorer 11 can decide to uninstall Internet Explorer 11. However, Internet Explorer 11 will still appear as an optional update through Windows Update. + +## Options for blocking automatic delivery + +If you use Automatic Updates in your company, but want to stop your users from automatically getting Internet Explorer 11, do one of the following: + +- **Download and use the Internet Explorer 11 Blocker Toolkit.** Includes a Group Policy template and a script that permanently blocks Internet Explorer 11 from being offered by Windows Update or Microsoft Update as a high-priority update. You can download this kit from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722). + + >[!Note] + >The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-ie11-blocker-toolkit.md). + +- **Use an update management solution to control update deployment.** + If you already use an update management solution, like [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [System Center 2012 Configuration Manager](https://go.microsoft.com/fwlink/?LinkID=276664), you should use that instead of the Internet Explorer Blocker Toolkit. + + >[!Note] + >If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. This scenario is discussed in detail in the Knowledge Base article [here](https://support.microsoft.com/kb/946202). + +Additional information on Internet Explorer 11, including a Readiness Toolkit, technical overview, in-depth feature summary, and Internet Explorer 11 download is available on the [Internet Explorer 11 page of the Microsoft Edge IT Center](https://technet.microsoft.com/microsoft-edge/dn262703.aspx). + +## Availability of Internet Explorer 11 + +Automatic Updates will start to distribute Internet Explorer 11 shortly after the final release of the product and will distribute it through the System Center Configuration Manager, Microsoft Systems Management Server, and WSUS. + +## Prevent automatic installation of Internet Explorer 11 with WSUS + +Internet Explorer 11 will be released to WSUS as an Update Rollup package. Therefore, if you’ve configured WSUS to “auto-approve” Update Rollup packages, it’ll be automatically approved and installed. To stop Internet Explorer 11 from being automatically approved for installation, you need to: + +1. Click **Start**, click **Administrative Tools**, and then click **Microsoft + Windows Server Update Services 3.0**. + +2. Expand *ComputerName*, and then click **Options**. + +3. Click **Automatic Approvals**. + +4. Click the rule that automatically approves an update that is classified as + Update Rollup, and then click **Edit.** + + >[!Note] + >If you don’t see a rule like this, you most likely haven’t configured WSUS to automatically approve Update Rollups for installation. In this situation, you don’t have to do anything else. + +5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section. + + >[!Note] + >The properties for this rule will resemble the following:

  • When an update is in Update Rollups
  • Approve the update for all computers
+ +6. Clear the **Update Rollup** check box, and then click **OK**. + +7. Click **OK** to close the **Automatic Approvals** dialog box.

After the new Internet Explorer 11 package is available for download, you should manually synchronize the new package to your WSUS server, so that when you re-enable auto-approval it won’t be automatically installed. + +8. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**. + +9. Expand *ComputerName*, and then click **Synchronizations**. + +10. Click **Synchronize Now**. + +11. Expand *ComputerName*, expand **Updates**, and then click **All Updates**. + +12. Choose **Unapproved** in the **Approval**drop down box. + +13. Check to make sure that Microsoft Internet Explorer 11 is listed as an unapproved update. + + >[!Note] + >There may be multiple updates, depending on the imported language and operating system updates. + +**Optional** + +If you need to reset your Update Rollups packages to auto-approve, do this: + +1. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**. + +2. Expand *ComputerName*, and then click **Options**. + +3. Click **Automatic Approvals**. + +4. Click the rule that automatically approves updates of different classifications, and then click **Edit**. + +5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section. + +6. Check the **Update Rollups** check box, and then click **OK**. + +7. Click **OK** to close the **Automatic Approvals** dialog box. + +>[!Note] +>Because auto-approval rules are only evaluated when an update is first imported into WSUS, turning this rule back on after the Internet Explorer 11 update has been imported and synchronized to the server won’t cause this update to be auto-approved. + + +## Additional resources + +- [Automatic delivery process](what-is-the-internet-explorer-11-blocker-toolkit.md#automatic-delivery-process) + +- [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722) + +- [Internet Explorer 11 FAQ for IT pros](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11) + +- [Internet Explorer 11 delivery through automatic updates](https://technet.microsoft.com/microsoft-edge/dn449235) + +- [Internet Explorer 11 deployment guide](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/index) diff --git a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md index 421a10b9d9..48331957e3 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md +++ b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md @@ -1,16 +1,16 @@ ---- -description: A full-sized view of how document modes are chosen in IE11. -title: Full-sized flowchart detailing how document modes are chosen in IE11 -author: lomayor -ms.date: 04/19/2017 -ms.reviewer: -manager: dansimp -ms.author: lomayor ---- - -Return to: [Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md)
- -

- Full-sized flowchart detailing how document modes are chosen in IE11 -

- +--- +description: A full-sized view of how document modes are chosen in IE11. +title: Full-sized flowchart detailing how document modes are chosen in IE11 +author: lomayor +ms.date: 04/19/2017 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +--- + +Return to: [Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md)
+ +

+ Full-sized flowchart detailing how document modes are chosen in IE11 +

+ diff --git a/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md index a84fbae316..add9fe0016 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md @@ -1,50 +1,50 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager. -author: lomayor -ms.prod: ie11 -ms.assetid: cacd5d68-700b-4a96-b4c9-ca2c40c1ac5f -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Import your Enterprise Mode site list to the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Import your Enterprise Mode site list to the Enterprise Mode Site List Manager - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager. - -**Important**   -Importing your file overwrites everything that’s currently in the tool, so make sure it’s what you really mean to do. - - **To import your compatibility list** - -1. On the **File** menu of the Enterprise Mode Site List Manager, click **Import**. - -2. Go to your exported .EMIE file (for example, `C:\users\\documents\sites.emie`), and then click **Open**. - -3. Review the alert message about all of your entries being overwritten. If you still want to import the file, click **Yes**. - -## Related topics -- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager. +author: lomayor +ms.prod: ie11 +ms.assetid: cacd5d68-700b-4a96-b4c9-ca2c40c1ac5f +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Import your Enterprise Mode site list to the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Import your Enterprise Mode site list to the Enterprise Mode Site List Manager + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager. + +**Important**   +Importing your file overwrites everything that’s currently in the tool, so make sure it’s what you really mean to do. + + **To import your compatibility list** + +1. On the **File** menu of the Enterprise Mode Site List Manager, click **Import**. + +2. Go to your exported .EMIE file (for example, `C:\users\\documents\sites.emie`), and then click **Open**. + +3. Review the alert message about all of your entries being overwritten. If you still want to import the file, click **Yes**. + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md index 3f147df80e..f5e959c3c4 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md @@ -1,44 +1,44 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Use the topics in this section to learn how to customize your Internet Explorer installation package, how to choose the right method for installation, and how to deploy IE into your environment. -author: lomayor -ms.prod: ie11 -ms.assetid: caca18c1-d5c4-4404-84f8-d02bc562915f -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Install and Deploy Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Install and Deploy Internet Explorer 11 (IE11) - -**Applies to:** - -- Windows 10 -- Windows 8.1 Update -- Windows 7 with Service Pack 1 (SP1) -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Use the topics in this section to learn how to customize your Internet Explorer installation package, how to choose the right method for installation, and how to deploy IE into your environment. You can also find more info about your virtualization options for legacy apps. - -## In this section - -|Topic |Description | -|------|------------| -|[Customize Internet Explorer 11 installation packages](customize-ie11-install-packages.md) |Guidance about how to use .INF files or the IE Administration Kit 11 (IEAK 11) to create custom packages and about how to create those packages for multiple operating systems. | -|[Choose how to install Internet Explorer 11 (IE11)](choose-how-to-install-ie11.md) |Guidance for the different ways you can install IE, including using System Center 2012 R2 Configuration Manager, Windows Server Update Services (WSUS), Microsoft Intune, your network, the operating system deployment system, or third-party tools. | -|[Choose how to deploy Internet Explorer 11 (IE11)](choose-how-to-deploy-ie11.md) |Guidance about how to deploy your custom version of IE using Automatic Version Synchronization (AVS) or using your software distribution tools. | -|[Virtualization and compatibility with Internet Explorer 11](virtualization-and-compatibility-with-ie11.md) |Info about the Microsoft-supported options for virtualizing web apps. | - - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Use the topics in this section to learn how to customize your Internet Explorer installation package, how to choose the right method for installation, and how to deploy IE into your environment. +author: lomayor +ms.prod: ie11 +ms.assetid: caca18c1-d5c4-4404-84f8-d02bc562915f +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Install and Deploy Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Install and Deploy Internet Explorer 11 (IE11) + +**Applies to:** + +- Windows 10 +- Windows 8.1 Update +- Windows 7 with Service Pack 1 (SP1) +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Use the topics in this section to learn how to customize your Internet Explorer installation package, how to choose the right method for installation, and how to deploy IE into your environment. You can also find more info about your virtualization options for legacy apps. + +## In this section + +|Topic |Description | +|------|------------| +|[Customize Internet Explorer 11 installation packages](customize-ie11-install-packages.md) |Guidance about how to use .INF files or the IE Administration Kit 11 (IEAK 11) to create custom packages and about how to create those packages for multiple operating systems. | +|[Choose how to install Internet Explorer 11 (IE11)](choose-how-to-install-ie11.md) |Guidance for the different ways you can install IE, including using System Center 2012 R2 Configuration Manager, Windows Server Update Services (WSUS), Microsoft Intune, your network, the operating system deployment system, or third-party tools. | +|[Choose how to deploy Internet Explorer 11 (IE11)](choose-how-to-deploy-ie11.md) |Guidance about how to deploy your custom version of IE using Automatic Version Synchronization (AVS) or using your software distribution tools. | +|[Virtualization and compatibility with Internet Explorer 11](virtualization-and-compatibility-with-ie11.md) |Info about the Microsoft-supported options for virtualizing web apps. | + + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md index 4791de3e60..e93450be88 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md @@ -1,54 +1,54 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to add and deploy the Internet Explorer 11 update using Microsoft Intune. -author: lomayor -ms.prod: ie11 -ms.assetid: b2dfc08c-78af-4c22-8867-7be3b92b1616 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Install Internet Explorer 11 (IE11) using Microsoft Intune (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Install Internet Explorer 11 (IE11) using Microsoft Intune -Internet Explorer 11 is available as an update in Microsoft Intune. Microsoft Intune uses Windows cloud services to help you manage updates, monitor and protect your computers, provide remote assistance, track hardware and software inventory, and set security policies. For more information, see the [Documentation Library for Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=301805). - -## Adding and deploying the IE11 package -You can add and then deploy the IE11 package to any computer that's managed by Microsoft Intune. - - **To add the IE11 package** - -1. From the Microsoft Intune administrator console, start the Microsoft Intune Software Publisher. - -2. Add your IE11 package as either an external link or as a Windows installer package (.exe or .msi). - -For more info about how to decide which one to use, and how to use it, see [Deploy and configure apps](https://go.microsoft.com/fwlink/p/?LinkId=301806). - - **To automatically deploy and install the IE11 package** - -1. From the Microsoft Intune administrator console, start and run through the Deploy Software wizard. - -2. Deploy the package to any of your employee computers that are managed by Microsoft Intune. - -3. After the package is on your employee's computers, the installation process runs, based on what you set up in your wizard. - -For more info about this, see [Deploy and configure apps](https://go.microsoft.com/fwlink/p/?LinkId=301806). - - **To let your employees install the IE11 package** - -1. Install the package on your company's Microsoft Intune site, marking it as **Available** for the appropriate groups. - -2. Any employee in the assigned group can now install the package. - -For more info about this, see [Update apps using Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=301808) - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to add and deploy the Internet Explorer 11 update using Microsoft Intune. +author: lomayor +ms.prod: ie11 +ms.assetid: b2dfc08c-78af-4c22-8867-7be3b92b1616 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Install Internet Explorer 11 (IE11) using Microsoft Intune (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Install Internet Explorer 11 (IE11) using Microsoft Intune +Internet Explorer 11 is available as an update in Microsoft Intune. Microsoft Intune uses Windows cloud services to help you manage updates, monitor and protect your computers, provide remote assistance, track hardware and software inventory, and set security policies. For more information, see the [Documentation Library for Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=301805). + +## Adding and deploying the IE11 package +You can add and then deploy the IE11 package to any computer that's managed by Microsoft Intune. + + **To add the IE11 package** + +1. From the Microsoft Intune administrator console, start the Microsoft Intune Software Publisher. + +2. Add your IE11 package as either an external link or as a Windows installer package (.exe or .msi). + +For more info about how to decide which one to use, and how to use it, see [Deploy and configure apps](https://go.microsoft.com/fwlink/p/?LinkId=301806). + + **To automatically deploy and install the IE11 package** + +1. From the Microsoft Intune administrator console, start and run through the Deploy Software wizard. + +2. Deploy the package to any of your employee computers that are managed by Microsoft Intune. + +3. After the package is on your employee's computers, the installation process runs, based on what you set up in your wizard. + +For more info about this, see [Deploy and configure apps](https://go.microsoft.com/fwlink/p/?LinkId=301806). + + **To let your employees install the IE11 package** + +1. Install the package on your company's Microsoft Intune site, marking it as **Available** for the appropriate groups. + +2. Any employee in the assigned group can now install the package. + +For more info about this, see [Update apps using Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=301808) + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md index 594e4cc0ae..5046293535 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md @@ -1,59 +1,59 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to install the Internet Explorer 11 update using Microsoft Deployment Toolkit (MDT) and your Windows images. -author: lomayor -ms.prod: ie11 -ms.assetid: e16f9144-170c-4964-a62d-0d1a16f4cd1f -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Install Internet Explorer 11 (IE11) using Microsoft Deployment Toolkit (MDT) and your Windows images (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Install Internet Explorer 11 (IE11) using Microsoft Deployment Toolkit (MDT) and your Windows images - -You can install Internet Explorer 11 (IE11) using Microsoft Deployment Toolkit (MDT) and your Windows images. - -You'll need to extract the .cab file for each supported operating system and platform combination and the .msu file for each prerequisite update. Download the IE11 update and prerequisites here: - -- [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=279697) - -- [Microsoft Update Catalog](https://go.microsoft.com/fwlink/p/?LinkId=214287) - -After you install the .msu file updates, you'll need to add them to your MDT deployment. You'll also need to extract the IE11 .cab update file from the IE11 installation package, using the `/x` command-line option. For example, `IE11-Windows6.1-x64-en-us.exe /x:c:\ie11cab`. - -## Installing IE11 using Microsoft Deployment Toolkit (MDT) - -MDT adds IE11 to your Windows images, regardless whether you are creating or deploying a customized or non-customized image. MDT also lets you perform offline servicing during the System Center 2012 R2 Configuration Manager task sequence, letting you add IE11 before starting Windows. For info, see [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?linkid=331148). - - **To add IE11 to a MDT deployment share** - -1. Right-click **Packages** from each **Deployment Shares** location, and then click **Import OS Packages**. - -2. Go to the **Specify Directory** page, search for your folder with your update files (.cab and .msu) for import, and click **Next**. - -3. Go to the **Summary** page and click **Next**.

-MDT starts importing your update files.

**Note**
Ignore any warnings that say, "Skipping invalid CAB file". This shows up because the **Import OS Packages** wizard skips the IE11\_Support.cab file, which isn't an actual update file. - -4. After the import finishes, click **Finish**. - -### Offline servicing with MDT - -You can add the IE11 update while you're performing offline servicing, or slipstreaming, of your Windows images. This method lets you deploy IE11 without needing any additional installation after you've deployed Windows. - -These articles have step-by-step details about adding packages to your Windows images: - -- For Windows 8.1, see [Add or Remove Packages Offline Using DISM](https://go.microsoft.com/fwlink/p/?LinkId=276791). - -- For Windows 7 SP1, see [Add or Remove Packages Offline](https://go.microsoft.com/fwlink/p/?LinkId=214490). - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to install the Internet Explorer 11 update using Microsoft Deployment Toolkit (MDT) and your Windows images. +author: lomayor +ms.prod: ie11 +ms.assetid: e16f9144-170c-4964-a62d-0d1a16f4cd1f +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Install Internet Explorer 11 (IE11) using Microsoft Deployment Toolkit (MDT) and your Windows images (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Install Internet Explorer 11 (IE11) using Microsoft Deployment Toolkit (MDT) and your Windows images + +You can install Internet Explorer 11 (IE11) using Microsoft Deployment Toolkit (MDT) and your Windows images. + +You'll need to extract the .cab file for each supported operating system and platform combination and the .msu file for each prerequisite update. Download the IE11 update and prerequisites here: + +- [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=279697) + +- [Microsoft Update Catalog](https://go.microsoft.com/fwlink/p/?LinkId=214287) + +After you install the .msu file updates, you'll need to add them to your MDT deployment. You'll also need to extract the IE11 .cab update file from the IE11 installation package, using the `/x` command-line option. For example, `IE11-Windows6.1-x64-en-us.exe /x:c:\ie11cab`. + +## Installing IE11 using Microsoft Deployment Toolkit (MDT) + +MDT adds IE11 to your Windows images, regardless whether you are creating or deploying a customized or non-customized image. MDT also lets you perform offline servicing during the System Center 2012 R2 Configuration Manager task sequence, letting you add IE11 before starting Windows. For info, see [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?linkid=331148). + + **To add IE11 to a MDT deployment share** + +1. Right-click **Packages** from each **Deployment Shares** location, and then click **Import OS Packages**. + +2. Go to the **Specify Directory** page, search for your folder with your update files (.cab and .msu) for import, and click **Next**. + +3. Go to the **Summary** page and click **Next**.

+MDT starts importing your update files.

**Note**
Ignore any warnings that say, "Skipping invalid CAB file". This shows up because the **Import OS Packages** wizard skips the IE11\_Support.cab file, which isn't an actual update file. + +4. After the import finishes, click **Finish**. + +### Offline servicing with MDT + +You can add the IE11 update while you're performing offline servicing, or slipstreaming, of your Windows images. This method lets you deploy IE11 without needing any additional installation after you've deployed Windows. + +These articles have step-by-step details about adding packages to your Windows images: + +- For Windows 8.1, see [Add or Remove Packages Offline Using DISM](https://go.microsoft.com/fwlink/p/?LinkId=276791). + +- For Windows 7 SP1, see [Add or Remove Packages Offline](https://go.microsoft.com/fwlink/p/?LinkId=214490). + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md index e94d46a676..4d91b89af4 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md @@ -1,38 +1,38 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: How to install the Internet Explorer 11 update using System Center 2012 R2 Configuration Manager -author: lomayor -ms.prod: ie11 -ms.assetid: 9ede9722-29b3-4cb7-956d-ffa91e7bedbd -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Install Internet Explorer 11 (IE11) using System Center 2012 R2 Configuration Manager (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Install Internet Explorer 11 (IE11) using System Center 2012 R2 Configuration Manager -You can install Internet Explorer 11 (IE11) by using [System Center R2 2012 Configuration Manager](https://go.microsoft.com/fwlink/p/?linkid=276664). Complete these steps for each operating system and platform combination. - - **To install IE11** - -1. Download and approve the [System requirements and language support for Internet Explorer 11 (IE11)](system-requirements-and-language-support-for-ie11.md). - -2. Create a software distribution package that includes the IE11 installation package. - -3. Create a program that includes the command-line needed to run the IE11 installation package. To run the package silently, without restarting and without checking the Internet for updates, use:`ie11_package.exe /quiet /norestart /update-no`. - -4. Move the installation package to your distribution points, and then advertise the package. - -You can also use System Center Essentials 2010 to deploy IE11 installation packages. For info, see [System Center Essentials 2010](https://go.microsoft.com/fwlink/p/?linkid=395200) and the [System Center Essentials 2010 Operations Guide](https://go.microsoft.com/fwlink/p/?LinkId=214266). - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: How to install the Internet Explorer 11 update using System Center 2012 R2 Configuration Manager +author: lomayor +ms.prod: ie11 +ms.assetid: 9ede9722-29b3-4cb7-956d-ffa91e7bedbd +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Install Internet Explorer 11 (IE11) using System Center 2012 R2 Configuration Manager (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Install Internet Explorer 11 (IE11) using System Center 2012 R2 Configuration Manager +You can install Internet Explorer 11 (IE11) by using [System Center R2 2012 Configuration Manager](https://go.microsoft.com/fwlink/p/?linkid=276664). Complete these steps for each operating system and platform combination. + + **To install IE11** + +1. Download and approve the [System requirements and language support for Internet Explorer 11 (IE11)](system-requirements-and-language-support-for-ie11.md). + +2. Create a software distribution package that includes the IE11 installation package. + +3. Create a program that includes the command-line needed to run the IE11 installation package. To run the package silently, without restarting and without checking the Internet for updates, use:`ie11_package.exe /quiet /norestart /update-no`. + +4. Move the installation package to your distribution points, and then advertise the package. + +You can also use System Center Essentials 2010 to deploy IE11 installation packages. For info, see [System Center Essentials 2010](https://go.microsoft.com/fwlink/p/?linkid=395200) and the [System Center Essentials 2010 Operations Guide](https://go.microsoft.com/fwlink/p/?LinkId=214266). + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md index 7816ad8190..2dfe51cdf9 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md @@ -1,42 +1,42 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to install the Internet Explorer 11 update using your network -author: lomayor -ms.prod: ie11 -ms.assetid: 85f6429d-947a-4031-8f93-e26110a35828 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Install Internet Explorer 11 (IE11) using your network (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Install Internet Explorer 11 (IE11) using your network -You can install Internet Explorer 11 (IE11) over your network by putting your custom IE11 installation package in a shared network folder and letting your employees run the Setup program on their own computers. You can create the network folder structure manually, or you can run Internet Explorer Administration Kit 11 (IEAK 11). - -**Note**
If you support multiple architectures and operating systems, create a subfolder for each combination. If you support multiple languages, create a subfolder for each localized installation file. - - **To manually create the folder structure** - -- Copy your custom IE11 installation file into a folder on your network, making sure it's available to your employees. - - **To create the folder structure using IEAK 11** - -- Run the Internet Explorer Customization Wizard 11 in IEAK 11, using the **Full Installation Package** option.

- The wizard automatically puts your custom installation files in your `\\Flat` folder. Where the `` is the location of your other build files. - -**Note**
Use the localized versions of the IE Customization Wizard 11 to create localized IE11 installation packages. - -## Related topics -- [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md) - - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to install the Internet Explorer 11 update using your network +author: lomayor +ms.prod: ie11 +ms.assetid: 85f6429d-947a-4031-8f93-e26110a35828 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Install Internet Explorer 11 (IE11) using your network (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Install Internet Explorer 11 (IE11) using your network +You can install Internet Explorer 11 (IE11) over your network by putting your custom IE11 installation package in a shared network folder and letting your employees run the Setup program on their own computers. You can create the network folder structure manually, or you can run Internet Explorer Administration Kit 11 (IEAK 11). + +**Note**
If you support multiple architectures and operating systems, create a subfolder for each combination. If you support multiple languages, create a subfolder for each localized installation file. + + **To manually create the folder structure** + +- Copy your custom IE11 installation file into a folder on your network, making sure it's available to your employees. + + **To create the folder structure using IEAK 11** + +- Run the Internet Explorer Customization Wizard 11 in IEAK 11, using the **Full Installation Package** option.

+ The wizard automatically puts your custom installation files in your `\\Flat` folder. Where the `` is the location of your other build files. + +**Note**
Use the localized versions of the IE Customization Wizard 11 to create localized IE11 installation packages. + +## Related topics +- [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md) + + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md index 99af9a34e2..063f5c2aa2 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md @@ -1,50 +1,50 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to install the Internet Explorer 11 update using third-party tools and command-line options. -author: lomayor -ms.prod: ie11 -ms.assetid: 30190c66-49f7-4ca4-8b57-a47656aa0c7e -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Install Internet Explorer 11 (IE11) using third-party tools (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Install Internet Explorer 11 (IE11) using third-party tools -You can install Internet Explorer 11 (IE11) using third-party electronic software distribution (ESD) systems and these command-line options: - -## Setup Modes - -|Command-line options |Description | -|---------------------|------------------------------------------------------| -|`/passive` |Installs without customer involvement. | -|`/quiet` |Installs without customer involvement and without showing the UI. | - -## Setup Options - -|Command-line options |Description | -|---------------------|------------------------------------------------------| -|`/update-no` |Installs without checking for updates.

**Important**
If you don't use this option, you'll need an Internet connection to finish your installation. | -|`/no-default` |Installs without making IE11 the default web browser. | -|`/closeprograms` |Automatically closes running programs. | - - -## Restart Options - -|Command-line options |Description | -|---------------------|------------------------------------------------------| -|`/norestart` |Installs without restarting the computer. | -|`/forcerestart` |Installs and restarts after installation. | - -  - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to install the Internet Explorer 11 update using third-party tools and command-line options. +author: lomayor +ms.prod: ie11 +ms.assetid: 30190c66-49f7-4ca4-8b57-a47656aa0c7e +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Install Internet Explorer 11 (IE11) using third-party tools (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Install Internet Explorer 11 (IE11) using third-party tools +You can install Internet Explorer 11 (IE11) using third-party electronic software distribution (ESD) systems and these command-line options: + +## Setup Modes + +|Command-line options |Description | +|---------------------|------------------------------------------------------| +|`/passive` |Installs without customer involvement. | +|`/quiet` |Installs without customer involvement and without showing the UI. | + +## Setup Options + +|Command-line options |Description | +|---------------------|------------------------------------------------------| +|`/update-no` |Installs without checking for updates.

**Important**
If you don't use this option, you'll need an Internet connection to finish your installation. | +|`/no-default` |Installs without making IE11 the default web browser. | +|`/closeprograms` |Automatically closes running programs. | + + +## Restart Options + +|Command-line options |Description | +|---------------------|------------------------------------------------------| +|`/norestart` |Installs without restarting the computer. | +|`/forcerestart` |Installs and restarts after installation. | + +  + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md index 3bc741dbc0..aba6187431 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md @@ -1,52 +1,52 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to install the Internet Explorer 11 update using Windows Server Update Services (WSUS)' -author: lomayor -ms.prod: ie11 -ms.assetid: 6cbd6797-c670-4236-8423-e0919478f2ce -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Install Internet Explorer 11 (IE11) using Windows Server Update Services (WSUS) (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Install Internet Explorer 11 (IE11) using Windows Server Update Services (WSUS) -Windows Server Update Services (WSUS) lets you download a single copy of the Microsoft product update and cache it on your local WSUS servers. You can then configure your computers to get the update from your local servers instead of Windows Update. For more information about WSUS, see [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790). - - **To import from Windows Update to WSUS** - -1. Open your WSUS admin site. For example, `https:///WSUSAdmin/`.

- Where `` is the name of your WSUS server. - -2. Choose the top server node or the **Updates** node, and then click **Import Updates**. - -3. To get the updates, install the Microsoft Update Catalog ActiveX control. - -4. Search for Internet Explorer 11 and add its contents to your basket. - -5. After you're done browsing, go to your basket and click **Import**. - - You can also download the updates without importing them by unchecking the **Import directly into Windows Server Update Services** box. - - **To approve Internet Explorer in WSUS for installation** - -6. Open your WSUS admin site and check the **Review synchronization settings** box from the **To Do** list. - -7. Click **Synchronize now** to sync your WSUS server with Windows Update, and then click **Updates** from the navigation bar. - -8. Enter **Internet Explorer 11** into the **Search Contains** box, and then click **Apply**. - -9. Choose the right version of IE11 for your operating system, and click **Approve for installation**. - -10. Click each computer group you want to set up for the WSUS server, picking the right approval level, and then click **OK**. - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to install the Internet Explorer 11 update using Windows Server Update Services (WSUS)' +author: lomayor +ms.prod: ie11 +ms.assetid: 6cbd6797-c670-4236-8423-e0919478f2ce +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Install Internet Explorer 11 (IE11) using Windows Server Update Services (WSUS) (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Install Internet Explorer 11 (IE11) using Windows Server Update Services (WSUS) +Windows Server Update Services (WSUS) lets you download a single copy of the Microsoft product update and cache it on your local WSUS servers. You can then configure your computers to get the update from your local servers instead of Windows Update. For more information about WSUS, see [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790). + + **To import from Windows Update to WSUS** + +1. Open your WSUS admin site. For example, `https:///WSUSAdmin/`.

+ Where `` is the name of your WSUS server. + +2. Choose the top server node or the **Updates** node, and then click **Import Updates**. + +3. To get the updates, install the Microsoft Update Catalog ActiveX control. + +4. Search for Internet Explorer 11 and add its contents to your basket. + +5. After you're done browsing, go to your basket and click **Import**. + + You can also download the updates without importing them by unchecking the **Import directly into Windows Server Update Services** box. + + **To approve Internet Explorer in WSUS for installation** + +6. Open your WSUS admin site and check the **Review synchronization settings** box from the **To Do** list. + +7. Click **Synchronize now** to sync your WSUS server with Windows Update, and then click **Updates** from the navigation bar. + +8. Enter **Internet Explorer 11** into the **Search Contains** box, and then click **Apply**. + +9. Choose the right version of IE11 for your operating system, and click **Approve for installation**. + +10. Click each computer group you want to set up for the WSUS server, picking the right approval level, and then click **OK**. + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md index c7eac22844..29b3b5ca55 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md @@ -1,61 +1,61 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to fix potential installation problems with Internet Explorer 11 -author: lomayor -ms.prod: ie11 -ms.assetid: 3ae77745-86ac-40a9-a37d-eebbf37661a3 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Install problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Install problems with Internet Explorer 11 -Most Internet Explorer 11 installations are straightforward and work the way they should. But it's possible that you might have problems. - -If you do, you can: - -- Check that you meet the minimum operating system requirements and have the prerequisites installed. - -- Check that there are no other updates or restarts waiting. - -- Temporarily turn off your antispyware and antivirus software. - -- Try another IE11 installer. For example from [Windows Update](https://go.microsoft.com/fwlink/p/?LinkId=302315) or from the [Download Internet Explorer 11](https://go.microsoft.com/fwlink/p/?linkid=327753) website. - -- Review the `IE11_main.log` file in the `\Windows` folder. This log file has information about each installation and is appended for each subsequent installation. - -- Make sure you use the same download server URLs that you entered during the Setup process. - -## Internet Explorer didn't finish installing -If Internet Explorer doesn't finish installing, it might mean that Windows Update wasn't able to install an associated update, that you have a previous, unsupported version of IE installed, or that there's a problem with your copy of IE. We recommend you try this: - - **To fix this issue** - -1. Uninstall IE: - - 1. In the Control Panel, open the **Programs and Features** box, scroll down to IE11, and then click **Uninstall**. - - 2. After the uninstall finishes, restart your computer. - -2. Run [Windows Update](https://go.microsoft.com/fwlink/p/?LinkId=302315), clicking **Check for updates**. - -3. Check the list for IE11. If it's included in the list of updates for download, exclude it before you update your computer.

-If you get an error during the Windows Update process, see [Fix the problem with Microsoft Windows Update that is not working](https://go.microsoft.com/fwlink/p/?LinkId=302316). - -4. Restart your computer, making sure all of your the updates are finished. - -5. Try to reinstall IE11 from either Windows Update (if you saw it in Step 3) or from the [Download Internet Explorer 11](https://go.microsoft.com/fwlink/p/?linkid=327753) website. - - - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to fix potential installation problems with Internet Explorer 11 +author: lomayor +ms.prod: ie11 +ms.assetid: 3ae77745-86ac-40a9-a37d-eebbf37661a3 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Install problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Install problems with Internet Explorer 11 +Most Internet Explorer 11 installations are straightforward and work the way they should. But it's possible that you might have problems. + +If you do, you can: + +- Check that you meet the minimum operating system requirements and have the prerequisites installed. + +- Check that there are no other updates or restarts waiting. + +- Temporarily turn off your antispyware and antivirus software. + +- Try another IE11 installer. For example from [Windows Update](https://go.microsoft.com/fwlink/p/?LinkId=302315) or from the [Download Internet Explorer 11](https://go.microsoft.com/fwlink/p/?linkid=327753) website. + +- Review the `IE11_main.log` file in the `\Windows` folder. This log file has information about each installation and is appended for each subsequent installation. + +- Make sure you use the same download server URLs that you entered during the Setup process. + +## Internet Explorer didn't finish installing +If Internet Explorer doesn't finish installing, it might mean that Windows Update wasn't able to install an associated update, that you have a previous, unsupported version of IE installed, or that there's a problem with your copy of IE. We recommend you try this: + + **To fix this issue** + +1. Uninstall IE: + + 1. In the Control Panel, open the **Programs and Features** box, scroll down to IE11, and then click **Uninstall**. + + 2. After the uninstall finishes, restart your computer. + +2. Run [Windows Update](https://go.microsoft.com/fwlink/p/?LinkId=302315), clicking **Check for updates**. + +3. Check the list for IE11. If it's included in the list of updates for download, exclude it before you update your computer.

+If you get an error during the Windows Update process, see [Fix the problem with Microsoft Windows Update that is not working](https://go.microsoft.com/fwlink/p/?LinkId=302316). + +4. Restart your computer, making sure all of your the updates are finished. + +5. Try to reinstall IE11 from either Windows Update (if you saw it in Step 3) or from the [Download Internet Explorer 11](https://go.microsoft.com/fwlink/p/?linkid=327753) website. + + + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md index 77eb2fa5b1..cf102f1c8f 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md @@ -1,42 +1,42 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to fix intranet search problems with Internet Explorer 11 -author: lomayor -ms.prod: ie11 -ms.assetid: 3ee71d93-d9d2-48e1-899e-07932c73faa6 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Fix intranet search problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Fix intranet search problems with Internet Explorer 11 -After upgrading to Internet Explorer 11, you might experience search issues while using your intranet site. - -## Why is my intranet redirecting me to search results? -IE11 works differently with search, based on whether your organization is domain-joined. - -- **Domain-joined computers.** A single word entry is treated as a search term. However, IE11 also checks for available intranet sites and offers matches through the **Notification bar**. If you select **Yes** from the **Notification bar** to navigate to the intranet site, IE11 associates that word with the site so that the next time you type in the intranet site name, inline auto-complete will resolve to the intranet site address. - -- **Non-domain-joined computers.** A single word entry is treated as an intranet site. However, if the term doesn't resolve to a site, IE11 then treats the entry as a search term and opens your default search provider. - -To explicitly go to an intranet site, regardless of the environment, users can type either a trailing slash like `contoso/` or the `https://` prefix. Either of these will cause IE11 to treat the entry as an intranet search. You can also change the default behavior so that IE11 treats your single word entry in the address bar as an intranet site, regardless of your environment. - - **To enable single-word intranet search** - -1. Open Internet Explorer for the desktop, click the **Tools** menu, and then click **Internet Options**. - -2. Click **Advanced**, check the **Go to an intranet site for a single word entry in the Address bar** box, and then click **OK**. - -If you'd like your entire organization to have single word entries default to an intranet site, you can turn on the **Go to an intranet site for a single word entry in the Address bar** Group Policy. With this policy turned on, a search for `contoso` automatically resolves to `https://contoso`. - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to fix intranet search problems with Internet Explorer 11 +author: lomayor +ms.prod: ie11 +ms.assetid: 3ee71d93-d9d2-48e1-899e-07932c73faa6 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Fix intranet search problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Fix intranet search problems with Internet Explorer 11 +After upgrading to Internet Explorer 11, you might experience search issues while using your intranet site. + +## Why is my intranet redirecting me to search results? +IE11 works differently with search, based on whether your organization is domain-joined. + +- **Domain-joined computers.** A single word entry is treated as a search term. However, IE11 also checks for available intranet sites and offers matches through the **Notification bar**. If you select **Yes** from the **Notification bar** to navigate to the intranet site, IE11 associates that word with the site so that the next time you type in the intranet site name, inline auto-complete will resolve to the intranet site address. + +- **Non-domain-joined computers.** A single word entry is treated as an intranet site. However, if the term doesn't resolve to a site, IE11 then treats the entry as a search term and opens your default search provider. + +To explicitly go to an intranet site, regardless of the environment, users can type either a trailing slash like `contoso/` or the `https://` prefix. Either of these will cause IE11 to treat the entry as an intranet search. You can also change the default behavior so that IE11 treats your single word entry in the address bar as an intranet site, regardless of your environment. + + **To enable single-word intranet search** + +1. Open Internet Explorer for the desktop, click the **Tools** menu, and then click **Internet Options**. + +2. Click **Advanced**, check the **Go to an intranet site for a single word entry in the Address bar** box, and then click **OK**. + +If you'd like your entire organization to have single word entries default to an intranet site, you can turn on the **Go to an intranet site for a single word entry in the Address bar** Group Policy. With this policy turned on, a search for `contoso` automatically resolves to `https://contoso`. + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md b/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md index 3a9b502928..a464bbc679 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md +++ b/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md @@ -1,42 +1,42 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Use the topics in this section to learn about how to auto detect your settings, auto configure your configuration settings, and auto configure your proxy configuration settings for Internet Explorer. -author: lomayor -ms.prod: ie11 -ms.assetid: eb3cce62-fc7b-41e3-97b6-2916b85bcf55 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Manage Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Manage Internet Explorer 11 - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Use the topics in this section to learn about how to auto detect your settings, auto configure your configuration settings, and auto configure your proxy configuration settings for Internet Explorer. - -## In this section - -|Topic |Description | -|------|------------| -|[Auto detect settings Internet Explorer 11](auto-detect-settings-for-ie11.md) |Guidance about how to update your automatic detection of DHCP and DNS servers. | -|[Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md) |Guidance about how to add, update and lock your auto configuration settings. | -|[Auto proxy configuration settings for Internet Explorer 11](auto-proxy-configuration-settings-for-ie11.md) |Guidance about how to add, update, and lock your auto-proxy settings. |  - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Use the topics in this section to learn about how to auto detect your settings, auto configure your configuration settings, and auto configure your proxy configuration settings for Internet Explorer. +author: lomayor +ms.prod: ie11 +ms.assetid: eb3cce62-fc7b-41e3-97b6-2916b85bcf55 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Manage Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Manage Internet Explorer 11 + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Use the topics in this section to learn about how to auto detect your settings, auto configure your configuration settings, and auto configure your proxy configuration settings for Internet Explorer. + +## In this section + +|Topic |Description | +|------|------------| +|[Auto detect settings Internet Explorer 11](auto-detect-settings-for-ie11.md) |Guidance about how to update your automatic detection of DHCP and DNS servers. | +|[Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md) |Guidance about how to add, update and lock your auto configuration settings. | +|[Auto proxy configuration settings for Internet Explorer 11](auto-proxy-configuration-settings-for-ie11.md) |Guidance about how to add, update, and lock your auto-proxy settings. |  + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md index 42ffd10dc8..6c19898cf3 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md @@ -1,98 +1,98 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: support -description: IEM-configured settings have been deprecated for Internet Explorer 10 and newer. Use this topic to learn where to go to fix the affected settings through Group Policy Preferences, Administrative Templates (.admx), or the IEAK. -author: lomayor -ms.prod: ie11 -ms.assetid: 89084e01-4e3f-46a6-b90e-48ee58d6821c -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Missing Internet Explorer Maintenance settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Missing Internet Explorer Maintenance settings for Internet Explorer 11 - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -The Internet Explorer Maintenance (IEM) settings have been deprecated in favor of Group Policy Preferences, Administrative Templates (.admx), and the IE Administration Kit 11 (IEAK 11). - -Because of this change, your IEM-configured settings will no longer work on computers running Internet Explorer 10 or newer. To fix this, you need to update the affected settings using Group Policy Preferences, Administrative Templates (.admx), or IE Administration Kit 11 (IEAK 11). - -Because Group Policy Preferences and IEAK 11 run using asynchronous processes, you should choose to use only one of the tools within each group of settings. For example, using only IEAK 11 in the **Security** settings or Group Policy Preferences within the **Internet Zone** settings. Also, it's important to remember that policy is enforced and can't be changed by the user, while preferences are configured, but can be changed by the user. - -For more information about all of the new options and Group Policy, see: - -- [Group policy preferences and Internet Explorer 11](group-policy-preferences-and-ie11.md) - -- [Administrative templates and Internet Explorer 11](administrative-templates-and-ie11.md) - -- [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md) - -- [Group Policy Settings Reference for Windows and Windows Server](https://go.microsoft.com/fwlink/p/?LinkId=279876) - -- [Group Policy ADMX Syntax Reference Guide](https://go.microsoft.com/fwlink/p/?LinkId=276830) - -- [Enable and Disable Settings in a Preference Item](https://go.microsoft.com/fwlink/p/?LinkId=282671) - -## IEM replacements -The IEM settings have replacements you can use in either Group Policy Preferences or IEAK 11. - -### Browser user interface replacements - -|IEM setting |Description |Replacement tool | -|------------|------------|-----------------| -|Browser title |Lets you customize the text that shows up in the title bar of the browser.|On the **Browser User Interface** page of IEAK 11, click **Customize Title Bars**, and then type the text that appears on the title bar of the **Title Bar Text** box.

Your text is appended to the text," Microsoft Internet Explorer provided by". | -|Browser toolbar customizations (background and buttons) |Lets you customize the buttons on the browser toolbar.

  • **Buttons.** Customizes the buttons on the Internet Explorer 11 toolbar.
  • **Background.** No longer available.
|On the **Browser User Interface** page of IEAK 11, click **Add**, type your new toolbar caption, action, and icon, and if the button should appear by default, and then click **OK**. You can also edit, remove, or delete an existing toolbar button from this page. | -|Custom logo and animated bitmaps |Lets you replace the static and animated logos in the upper-right corner of the IE window with customized logos. |This setting isn't available anymore. | - - -### Connection replacements - -|IEM setting |Description |Replacement tool | -|------------|------------|-----------------| -|Connection settings|Lets you import your connection settings from a previously set up computer. These settings define how your employees interact with the connection settings on the **System Polices and Restrictions** page. You can also remove old dial-up connections settings from your employee's computers.|In the **Internet Settings Group Policy Preferences** dialog box, click the **Connections** tab, and set up your proxy settings.

-OR-

On the **Connection Settings** page of IEAK 11, change your connection settings, including importing your current connection settings and deleting existing dial-up connection settings (as needed). | -|Automatic browser configuration |Lets you update your employee's computer after you've deployed IE11, by specifying a URL to an .ins file, an auto-proxy URL, or both. You can decide when the update occurs, in minutes. Typing zero, or not putting in any number, means that automatic configuration only happens after the browser is started and used to go to a page. |In the **Internet Settings Group Policy Preferences** dialog box, click the **Automatic Configuration** tab, and then add your URL.

On the **Automatic Configuration** page of IEAK 11, modify the configuration settings, including providing the URL to an .ins file or an auto-proxy site. | -|Proxy settings |Lets you specify your proxy servers. |In the **Internet Settings Group Policy Preferences** dialog box, click the **Connections** tab, click **LAN Settings**, and then choose whether to turn on automatic detection of your configuration settings and if you want to use proxy servers.

-OR-

On the **Proxy Settings** page of IEAK 11, turn on your proxy settings, adding your proxy server addresses and exceptions. | -|User Agent string |Lets the browser provide identification to visited servers. This string is often used to keep Internet traffic statistics. |This setting isn't available anymore. | - -### URLs replacements - -|IEM setting |Description |Replacement tool | -|------------|------------|-----------------| -|Favorites and links |Lets you use custom URLs for the **Favorites** and **Links** folders. You can also specify the folder order, disable IE Suggested Sites, and import an existing folder structure. |On the **Favorites, Favorites Bar and Feeds** page of IEAK 11, add your custom URLs to the **Favorites**, **Favorites Bar**, or **RSS Feeds** folders, or create new folders.

You can also edit, test, or remove your URLs, sort the list order, or disable IE Suggested Sites. | -|Important URLs |Lets you add custom **Home** pages that can open different tabs. You can also add a **Support** page that shows up when an employee clicks online Help.|In the **Internet Settings Group Policy Preferences** dialog box, click the **General** tab, and add your custom **Home** page.

On the **Important URLs - Home page and Support** page of IEAK 11, add the custom URLs to your **Home** and **Support** pages.

You can also click to retain the previous home page information when the user upgrades to a newer version of IE. | - -### Security Zones and Content Ratings - -|IEM setting |Description |Replacement tool | -|------------|------------|-----------------| -|Security zones |Lets you change your security settings, by zone |In the **Internet Settings Group Policy Preferences** dialog box, click the **Security** tab, and update your security settings, based on zone.

-OR-

On the **Security and Privacy Settings** page of IEAK 11, choose your **Security Zones and Privacy** setting, changing it, as necessary. | -|Content ratings |Lets you change your content ratings so your employees can't view sites with risky content. |On the **Security and Privacy Settings** page of IEAK 11, choose your **Content Ratings** setting, changing it, as necessary. | -|Authenticode settings |Lets you pick your trustworthy software publishers and stop your employees from adding new, untrusted publishers while browsing. |These settings aren't available anymore. | - -### Programs - -|IEM setting |Description |Replacement tool | -|------------|------------|-----------------| -|Programs |Lets you import your default program settings, which specify the programs Windows uses for each Internet service. |In the **Internet Settings Group Policy Preferences** dialog box, click the **Programs** tab, and choose how to open IE11 links.

-OR-

On the **Programs** page of IEAK 11, choose whether to customize or import your program settings. | - -#### Advanced IEM settings -The Advanced IEM settings, including Corporate and Internet settings, were also deprecated. However, they also have replacements you can use in either Group Policy Preferences or IEAK 11. - -**Note**
Advanced IEM Settings were shown under **Programs** and only available when running in **Preference** mode. - -|IEM setting |Description |Replacement tool | -|------------|------------|-----------------| -|Corporate settings |Specifies the location of the file with the settings you use to make IE work best in your organization. |On the Additional Settings page of IEAK 11, expand Corporate Settings, and then customize how your organization handles temporary Internet files, code downloads, menu items, and toolbar buttons. | -|Internet settings |Specifies the location of the file that includes your default IE settings. |In the Internet Settings Group Policy Preferences dialog box, click the Advanced tab, and then update your Internet-related settings, as required

-OR-

On the Additional Settings page of IEAK 11, expand Internet Settings, and then customize your default values in the Internet Options dialog box. | - +--- +ms.localizationpriority: medium +ms.mktglfcycl: support +description: IEM-configured settings have been deprecated for Internet Explorer 10 and newer. Use this topic to learn where to go to fix the affected settings through Group Policy Preferences, Administrative Templates (.admx), or the IEAK. +author: lomayor +ms.prod: ie11 +ms.assetid: 89084e01-4e3f-46a6-b90e-48ee58d6821c +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Missing Internet Explorer Maintenance settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Missing Internet Explorer Maintenance settings for Internet Explorer 11 + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +The Internet Explorer Maintenance (IEM) settings have been deprecated in favor of Group Policy Preferences, Administrative Templates (.admx), and the IE Administration Kit 11 (IEAK 11). + +Because of this change, your IEM-configured settings will no longer work on computers running Internet Explorer 10 or newer. To fix this, you need to update the affected settings using Group Policy Preferences, Administrative Templates (.admx), or IE Administration Kit 11 (IEAK 11). + +Because Group Policy Preferences and IEAK 11 run using asynchronous processes, you should choose to use only one of the tools within each group of settings. For example, using only IEAK 11 in the **Security** settings or Group Policy Preferences within the **Internet Zone** settings. Also, it's important to remember that policy is enforced and can't be changed by the user, while preferences are configured, but can be changed by the user. + +For more information about all of the new options and Group Policy, see: + +- [Group policy preferences and Internet Explorer 11](group-policy-preferences-and-ie11.md) + +- [Administrative templates and Internet Explorer 11](administrative-templates-and-ie11.md) + +- [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md) + +- [Group Policy Settings Reference for Windows and Windows Server](https://go.microsoft.com/fwlink/p/?LinkId=279876) + +- [Group Policy ADMX Syntax Reference Guide](https://go.microsoft.com/fwlink/p/?LinkId=276830) + +- [Enable and Disable Settings in a Preference Item](https://go.microsoft.com/fwlink/p/?LinkId=282671) + +## IEM replacements +The IEM settings have replacements you can use in either Group Policy Preferences or IEAK 11. + +### Browser user interface replacements + +|IEM setting |Description |Replacement tool | +|------------|------------|-----------------| +|Browser title |Lets you customize the text that shows up in the title bar of the browser.|On the **Browser User Interface** page of IEAK 11, click **Customize Title Bars**, and then type the text that appears on the title bar of the **Title Bar Text** box.

Your text is appended to the text," Microsoft Internet Explorer provided by". | +|Browser toolbar customizations (background and buttons) |Lets you customize the buttons on the browser toolbar.

  • **Buttons.** Customizes the buttons on the Internet Explorer 11 toolbar.
  • **Background.** No longer available.
|On the **Browser User Interface** page of IEAK 11, click **Add**, type your new toolbar caption, action, and icon, and if the button should appear by default, and then click **OK**. You can also edit, remove, or delete an existing toolbar button from this page. | +|Custom logo and animated bitmaps |Lets you replace the static and animated logos in the upper-right corner of the IE window with customized logos. |This setting isn't available anymore. | + + +### Connection replacements + +|IEM setting |Description |Replacement tool | +|------------|------------|-----------------| +|Connection settings|Lets you import your connection settings from a previously set up computer. These settings define how your employees interact with the connection settings on the **System Polices and Restrictions** page. You can also remove old dial-up connections settings from your employee's computers.|In the **Internet Settings Group Policy Preferences** dialog box, click the **Connections** tab, and set up your proxy settings.

-OR-

On the **Connection Settings** page of IEAK 11, change your connection settings, including importing your current connection settings and deleting existing dial-up connection settings (as needed). | +|Automatic browser configuration |Lets you update your employee's computer after you've deployed IE11, by specifying a URL to an .ins file, an auto-proxy URL, or both. You can decide when the update occurs, in minutes. Typing zero, or not putting in any number, means that automatic configuration only happens after the browser is started and used to go to a page. |In the **Internet Settings Group Policy Preferences** dialog box, click the **Automatic Configuration** tab, and then add your URL.

On the **Automatic Configuration** page of IEAK 11, modify the configuration settings, including providing the URL to an .ins file or an auto-proxy site. | +|Proxy settings |Lets you specify your proxy servers. |In the **Internet Settings Group Policy Preferences** dialog box, click the **Connections** tab, click **LAN Settings**, and then choose whether to turn on automatic detection of your configuration settings and if you want to use proxy servers.

-OR-

On the **Proxy Settings** page of IEAK 11, turn on your proxy settings, adding your proxy server addresses and exceptions. | +|User Agent string |Lets the browser provide identification to visited servers. This string is often used to keep Internet traffic statistics. |This setting isn't available anymore. | + +### URLs replacements + +|IEM setting |Description |Replacement tool | +|------------|------------|-----------------| +|Favorites and links |Lets you use custom URLs for the **Favorites** and **Links** folders. You can also specify the folder order, disable IE Suggested Sites, and import an existing folder structure. |On the **Favorites, Favorites Bar and Feeds** page of IEAK 11, add your custom URLs to the **Favorites**, **Favorites Bar**, or **RSS Feeds** folders, or create new folders.

You can also edit, test, or remove your URLs, sort the list order, or disable IE Suggested Sites. | +|Important URLs |Lets you add custom **Home** pages that can open different tabs. You can also add a **Support** page that shows up when an employee clicks online Help.|In the **Internet Settings Group Policy Preferences** dialog box, click the **General** tab, and add your custom **Home** page.

On the **Important URLs - Home page and Support** page of IEAK 11, add the custom URLs to your **Home** and **Support** pages.

You can also click to retain the previous home page information when the user upgrades to a newer version of IE. | + +### Security Zones and Content Ratings + +|IEM setting |Description |Replacement tool | +|------------|------------|-----------------| +|Security zones |Lets you change your security settings, by zone |In the **Internet Settings Group Policy Preferences** dialog box, click the **Security** tab, and update your security settings, based on zone.

-OR-

On the **Security and Privacy Settings** page of IEAK 11, choose your **Security Zones and Privacy** setting, changing it, as necessary. | +|Content ratings |Lets you change your content ratings so your employees can't view sites with risky content. |On the **Security and Privacy Settings** page of IEAK 11, choose your **Content Ratings** setting, changing it, as necessary. | +|Authenticode settings |Lets you pick your trustworthy software publishers and stop your employees from adding new, untrusted publishers while browsing. |These settings aren't available anymore. | + +### Programs + +|IEM setting |Description |Replacement tool | +|------------|------------|-----------------| +|Programs |Lets you import your default program settings, which specify the programs Windows uses for each Internet service. |In the **Internet Settings Group Policy Preferences** dialog box, click the **Programs** tab, and choose how to open IE11 links.

-OR-

On the **Programs** page of IEAK 11, choose whether to customize or import your program settings. | + +#### Advanced IEM settings +The Advanced IEM settings, including Corporate and Internet settings, were also deprecated. However, they also have replacements you can use in either Group Policy Preferences or IEAK 11. + +**Note**
Advanced IEM Settings were shown under **Programs** and only available when running in **Preference** mode. + +|IEM setting |Description |Replacement tool | +|------------|------------|-----------------| +|Corporate settings |Specifies the location of the file with the settings you use to make IE work best in your organization. |On the Additional Settings page of IEAK 11, expand Corporate Settings, and then customize how your organization handles temporary Internet files, code downloads, menu items, and toolbar buttons. | +|Internet settings |Specifies the location of the file that includes your default IE settings. |In the Internet Settings Group Policy Preferences dialog box, click the Advanced tab, and then update your Internet-related settings, as required

-OR-

On the Additional Settings page of IEAK 11, expand Internet Settings, and then customize your default values in the Internet Options dialog box. | + diff --git a/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md b/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md index 40ab475677..ea68f25a40 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md +++ b/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md @@ -1,53 +1,53 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: support -description: Internet Explorer 11 uses the latest standards mode, which simplifies web page compatibility for users by removing the **Compatibility View** button and reducing the number of compatibility options in the F12 developer tools for developers. -author: lomayor -ms.prod: ie11 -ms.assetid: 501c96c9-9f03-4913-9f4b-f67bd9edbb61 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Missing the Compatibility View Button (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Missing the Compatibility View Button - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Compatibility View was introduced in Windows Internet Explorer 8 to help existing content continue to work with Windows Internet Explorer 7, while developers updated their content to support modern interoperable web standards. Since then, the Internet Explorer web platform, and the web itself, have changed so that most public web content looks for standards-based features instead of IE 7-compatible behavior. - -Thanks to these changes, using Internet Explorer 11 in the latest standards mode is more compatible with the web than ever before. As a result, IE11 simplifies web page compatibility for users by removing the **Compatibility View** button and reducing the number of compatibility options in the F12 developer tools for developers. - -## What happened to the Compatibility View button? -In previous versions of IE, the **Compatibility View** button would attempt to fix a broken standards-based website, by getting the page to appear like it did in Internet Explorer 7. Today however, more standards-based websites are broken by attempting to appear like they did in Internet Explorer 7. So instead of implementing and using Compatibility View, developers are updating their server configuration to add X-UA-Compatible meta tags, which forces the content to the “edge”, making the **Compatibility View** button disappear. In support of these changes, the Compatibility View button has been completely removed for IE11. - -## What if I still need Compatibility View? -There might be extenuating circumstances in your company, which require you to continue to use Compatibility View. In this situation, this process should be viewed strictly as a workaround. You should work with the website vendor to make sure that the affected pages are updated to match the latest web standards. The functionality described here is currently deprecated and will be removed at a time in the future. - -**Important**
This functionality is only available in Internet Explorer for the desktop. - - **To change your Compatibility View settings** - -1. Open Internet Explorer for the desktop, click **Tools**, and then click **Compatibility View settings**. - -2. In the **Compatibility View Settings** box, add the problematic website URL, and then click **Add**.

-Compatibility View is turned on for this single website, for this specific computer. - -3. Decide if you want your intranet sites displayed using Compatibility View, decide whether to use Microsoft compatibility lists, and then click **Close**. - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: support +description: Internet Explorer 11 uses the latest standards mode, which simplifies web page compatibility for users by removing the **Compatibility View** button and reducing the number of compatibility options in the F12 developer tools for developers. +author: lomayor +ms.prod: ie11 +ms.assetid: 501c96c9-9f03-4913-9f4b-f67bd9edbb61 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Missing the Compatibility View Button (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Missing the Compatibility View Button + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Compatibility View was introduced in Windows Internet Explorer 8 to help existing content continue to work with Windows Internet Explorer 7, while developers updated their content to support modern interoperable web standards. Since then, the Internet Explorer web platform, and the web itself, have changed so that most public web content looks for standards-based features instead of IE 7-compatible behavior. + +Thanks to these changes, using Internet Explorer 11 in the latest standards mode is more compatible with the web than ever before. As a result, IE11 simplifies web page compatibility for users by removing the **Compatibility View** button and reducing the number of compatibility options in the F12 developer tools for developers. + +## What happened to the Compatibility View button? +In previous versions of IE, the **Compatibility View** button would attempt to fix a broken standards-based website, by getting the page to appear like it did in Internet Explorer 7. Today however, more standards-based websites are broken by attempting to appear like they did in Internet Explorer 7. So instead of implementing and using Compatibility View, developers are updating their server configuration to add X-UA-Compatible meta tags, which forces the content to the “edge”, making the **Compatibility View** button disappear. In support of these changes, the Compatibility View button has been completely removed for IE11. + +## What if I still need Compatibility View? +There might be extenuating circumstances in your company, which require you to continue to use Compatibility View. In this situation, this process should be viewed strictly as a workaround. You should work with the website vendor to make sure that the affected pages are updated to match the latest web standards. The functionality described here is currently deprecated and will be removed at a time in the future. + +**Important**
This functionality is only available in Internet Explorer for the desktop. + + **To change your Compatibility View settings** + +1. Open Internet Explorer for the desktop, click **Tools**, and then click **Compatibility View settings**. + +2. In the **Compatibility View Settings** box, add the problematic website URL, and then click **Add**.

+Compatibility View is turned on for this single website, for this specific computer. + +3. Decide if you want your intranet sites displayed using Compatibility View, decide whether to use Microsoft compatibility lists, and then click **Close**. + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md index f4e208137d..df476d43ad 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md @@ -1,33 +1,33 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: support -description: How to turn managed browser hosting controls back on in Internet Explorer 11. -author: lomayor -ms.prod: ie11 -ms.assetid: b0b7f60f-9099-45ab-84f4-4ac64d7bcb43 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: .NET Framework problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# .NET Framework problems with Internet Explorer 11 -If you’re having problems launching your legacy apps while running Internet Explorer 11, it’s most likely because Internet Explorer no longer starts apps that use managed browser hosting controls, like in .NET Framework 1.1 and 2.0. - - **To turn managed browser hosting controls back on** - -1. **For x86 systems or for 64-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**. - -2. **For 32-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**. - -For more information, see the [Web Applications](https://go.microsoft.com/fwlink/p/?LinkId=308903) section of the Application Compatibility in the .NET Framework 4.5 page. - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: support +description: How to turn managed browser hosting controls back on in Internet Explorer 11. +author: lomayor +ms.prod: ie11 +ms.assetid: b0b7f60f-9099-45ab-84f4-4ac64d7bcb43 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: .NET Framework problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# .NET Framework problems with Internet Explorer 11 +If you’re having problems launching your legacy apps while running Internet Explorer 11, it’s most likely because Internet Explorer no longer starts apps that use managed browser hosting controls, like in .NET Framework 1.1 and 2.0. + + **To turn managed browser hosting controls back on** + +1. **For x86 systems or for 64-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**. + +2. **For 32-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**. + +For more information, see the [Web Applications](https://go.microsoft.com/fwlink/p/?LinkId=308903) section of the Application Compatibility in the .NET Framework 4.5 page. + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md index 5098fab9f0..c1cd3ac8b3 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md @@ -1,74 +1,74 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: New group policy settings for Internet Explorer 11 -author: lomayor -ms.prod: ie11 -ms.assetid: 669cc1a6-e2cb-403f-aa31-c1de52a615d1 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: New group policy settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# New group policy settings for Internet Explorer 11 -Internet Explorer 11 gives you some new Group Policy settings to help you manage your company's web browser configurations, including: - - -| Policy | Category Path | Supported on | Explanation | -|-----------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Allow IE to use the HTTP2 network protocol | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | IE11 on Windows 10 | This policy setting determines whether IE uses the HTTP2 network protocol. HTTP2 works with HTTP requests to optimize the latency of network requests through compression, multiplexing, and prioritization.

If you enable this policy setting, IE uses the HTTP2 network protocol.

If you disable this policy setting, IE won't use the HTTP2 network protocol.

If you don't configure this policy setting, users can turn this behavior on or off, using the **Internet Explorer Advanced Internet Options** settings. The default is on. | -| Allow IE to use the SPDY/3 network protocol | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | IE11 on Windows 10 | This policy setting determines whether Internet Explorer uses the SPDY/3 network protocol. SPDY/3 works with HTTP requests to optimize the latency of network requests through compression, multiplexing and prioritization.

If you enable this policy setting, Internet Explorer uses the SPDY/3 network protocol.

If you disable this policy setting, Internet Explorer won't use the SPDY/3 network protocol.

If you don't configure this policy setting, users can turn this behavior on or off, on the **Advanced\* tab of the \*\*Internet Options** dialog box. The default is on.

**Note**
We've replaced the SPDY/3 protocol with the HTTP2 protocol in Windows 10. You can configure the HTTP2 protocol by using the **Allow IE to use the HTTP2 network protocol** setting. | -| Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10 | This policy setting allows IE to provide enhanced suggestions as the user types in the Address bar. To provide enhanced suggestions, the user’s keystrokes are sent to Microsoft through Microsoft services.

If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the **Suggestions** setting on the **Settings** charm.

If you disable this policy setting, users won’t receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the **Suggestions** setting on the **Settings** charm.

If you don’t configure this policy setting, users can change the **Suggestions** setting on the **Settings** charm. | -| Allow only approved domains to use the TDC ActiveX control |

  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone
| IE11 in Windows 10 | This policy setting determines whether users can run the Tabular Data Control (TDC) ActiveX control, based on security zone. By default, the TDC ActiveX Control is disabled in the **Internet** and **Restricted Sites** security zones.

If you enable this policy setting, users won’t be able to run the TDC ActiveX control from all sites in the specified zone.

If you disable this policy setting, users can run the TDC Active X control from all sites in the specified zone. | -| Allow SSL3 Fallback | Administrative Templates\Windows Components\Internet Explorer\Security Features | Internet Explorer 11 on Windows 10 | This policy setting allows you to stop websites from falling back to using Secure Socket Layer (SSL) 3.0 or lower, if Transport Layer Security (TLS) 1.0 or higher, fails. This setting doesn’t affect which security protocols are enabled.

If you enable this policy setting and a website fails while using the TLS 1.0 or higher security protocols, Internet Explorer will try to fallback and use SSL 3.0 or lower security protocols.

If you disable or don’t configure this setting, Internet Explorer uses the default system protocols.

**Important:**
By default, SSL 3.0 is disabled. If you choose to enable SSL 3.0, we recommend that you disable or don't configure this setting to help mitigate potential man-in-the-middle attacks. | -| Allow VBScript to run in Internet Explorer |

  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Internet Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Intranet Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Local Machine Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Internet Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Intranet Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Local Machine Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Restricted Sites Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Trusted Sites Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Restricted Sites Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Trusted Sites Zone
| Internet Explorer 11 | This policy setting lets you decide whether VBScript can run on pages in specific Internet Explorer zones.

If you enable this policy setting (default), you must also pick one of the following options from the Options box:

  • Enable. VBScript runs on pages in specific zones, without any interaction.
  • Prompt. Employees are prompted whether to allow VBScript to run in the zone.
  • Disable. VBScript is prevented from running in the zone.

If you disable or don’t configure this policy setting, VBScript runs without any interaction in the specified zone. | -| Always send Do Not Track header | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | At least Internet Explorer 10 | This policy setting allows you to configure how IE sends the Do Not Track (DNT) header.

If you enable this policy setting, IE sends a `DNT:1` header with all HTTP and HTTPS requests. The `DNT:1` header signals to the servers not to track the user.

**In Internet Explorer 9 and 10:**
If you disable this policy setting, IE only sends the Do Not Track header if a Tracking Protection List is enabled or inPrivate Browsing mode is used.

**In at least IE11:**
If you disable this policy setting, IE only sends the Do Not Track header if inPrivate Browsing mode is used.

If you don't configure the policy setting, users can select the **Always send Do Not Track header** option on the **Advanced\* tab of the \*\*Internet Options** dialog box. By selecting this option, IE sends a `DNT:1` header with all HTTP and HTTPS requests; unless the user grants a site-specific exception, in which case IE sends a `DNT:0` header. By default, this option is enabled. | -| Don't run antimalware programs against ActiveX controls
(Internet, Restricted Zones) |

  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone
| IE11 on Windows 10 | This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.

If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.

If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.

If you don't configure this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using the Internet Explorer's **Security** settings. | -| Don't run antimalware programs against ActiveX controls
(Intranet, Trusted, Local Machine Zones) |

  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone
| IE11 on Windows 10 | This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.

If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.

If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.

If you don't configure this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer's **Security** settings. | -| Hide the button (next to the New Tab button) that opens Microsoft Edge | User Configuration\Administrative Templates\Windows Components/Internet Explorer\Internet Settings\Advanced Settings\Browsing\ | IE11 on Windows 10, version 1703 | This policy setting lets you decide whether employees can see the open Microsoft Edge button, which appears next to the New Tab button.

If you enable this policy setting, the button to open Microsoft Edge from Internet Explorer will be hidden.

If you disable this policy setting, the button to open Microsoft Edge from Internet Explorer appears.

If you don't configure this policy setting, the button to open Microsoft Edge from Internet Explorer can be configured by your employees. | -| Let users turn on and use Enterprise Mode from the **Tools** menu | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10 | This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the **Tools** menu.

If you enable this policy setting, users can see and use the **Enterprise Mode** option from the **Tools** menu. If you enable this setting, but don’t specify a report location, Enterprise Mode will still be available to your users, but you won’t get any reports.

If you disable or don’t configure this policy setting, the menu option won’t appear and users won’t be able to turn on Enterprise Mode locally. | -| Limit Site Discovery output by Domain | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to control which domains are included in the discovery function of the Internet Explorer Site Discovery Toolkit.

If you enable this policy setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in your specified domains, configured by adding one domain per line to the included text box.

If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in all domains.

**Note:**
You can use this setting in conjunction with the other settings that control the Internet Explorer Site Discovery Toolkit. | -| Limit Site Discovery output by Zone | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to control which zones are included in the discovery function of the Internet Explorer Site Discovery Toolkit.

If you enable this policy setting, the Internet Explorer Site Discovery Toolkit collects data from all specified security zones.

If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in all security zones.

To specify which zones can collect data, you must include a binary number that represents your selected zones, based on this order:

  • 0 – Restricted Sites zone
  • 0 – Internet zone
  • 0 – Trusted Sites zone
  • 0 – Local Intranet zone
  • 0 – Local Machine zone

**Example 1:** Include only the Local Intranet zone (binary representation: 00010), based on:
  • 0 – Restricted Sites zone
  • 0 – Internet zone
  • 0 – Trusted Sites zone
  • 1 – Local Intranet zone
  • 0 – Local Machine zone

**Example 2:** Include only the Restricted Sites, Trusted Sites, and Local Intranet zones (binary representation: 10110), based on:
  • 1 – Restricted Sites zone
  • 0 – Internet zone
  • 1 – Trusted Sites zone
  • 1 – Local Intranet zone
  • 1 – Local Machine zone

**Note:**
You can use this setting in conjunction with the other settings that control the Internet Explorer Site Discovery Toolkit. | -| Prevent deleting ActiveX Filtering, Tracking Protection and Do Not Track data | Administrative Templates\Windows Components\Internet Explorer\Delete Browsing History | At least Windows Internet Explorer 9 | **In Internet Explorer 9 and Internet Explorer 10:**
This policy setting prevents users from deleting ActiveX Filtering and Tracking Protection data, which includes the list of websites for which the user has chosen to disable ActiveX Filtering or Tracking Protection. In addition, Tracking Protection data is also collected if users turn on the **Personalized Tracking Protection List**, which blocks third-party items while the user is browsing.

**In IE11:**
This policy setting prevents users from deleting ActiveX Filtering, Tracking Protection data, and Do Not Track exceptions, stored in the **Delete Browsing History** dialog box, for visited websites.

If you enable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is preserved when the user clicks **Delete**.

If you disable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is deleted when the user clicks **Delete**.

If you don’t configure this policy setting, users can turn this feature on and off, determining whether to delete ActiveX Filtering, Tracking Protection, and Do Not Track data when clicking **Delete**. | -| Send all sites not included in the Enterprise Mode Site List to Microsoft Edge | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10, version 1607 | This policy setting lets you decide whether to open all sites that aren’t specified to open in IE11 by the Enterprise Mode site list, to open in Microsoft Edge.

If you enable this policy setting, you must also enable the Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list policy setting and you must include at least one site in the Enterprise Mode site list.

If you disable or don't configure this policy setting, all sites will open based on the currently active browser.

**Note:**
If you’ve also enabled the Administrative Templates\Windows Components\Microsoft Edge\Send all intranet sites to Internet Explorer 11 policy setting, then all intranet sites will continue to open in Internet Explorer 11. | -| Show message when opening sites in Microsoft Edge using Enterprise Mode | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10, version 1607 | This policy setting lets you decide whether employees see an additional page in Internet Explorer 11, stating that a site has been opened using Microsoft Edge with Enterprise Mode.

If you enable this policy setting, employees see an additional page in Internet Explorer 11, stating that a site has been opened using Microsoft Edge with Enterprise Mode.

If you disable or don't configure this policy setting, the default app behavior occurs and no additional page appears. | -| Turn off automatic download of the ActiveX VersionList | Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management | At least Windows Internet Explorer 8 | This policy setting allows you to decide whether Internet Explorer automatically downloads updated versions of Microsoft's VersionList.XML file. This file tells Internet Explorer whether to stop specific ActiveX controls from loading.

If you enable this policy setting, Internet Explorer stops automatically downloading updated versions of the VersionList.XML file.

If you disable or don’t configure this setting, Internet Explorer continues to download updated versions of the VersionList.XML file.

**Important:**
Stopping this file from updating breaks the out-of-date ActiveX control blocking feature, potentially compromising the security of the device. For more info, see the Out-of-Date ActiveX Control Blocking () topic. | -| Turn off loading websites and content in the background to optimize performance | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | IE11 on Windows 10 | This policy setting determines whether Internet Explorer preemptively loads websites and content in the background, speeding up performance such that when the user clicks a hyperlink, the background page seamlessly switches into view.

If you enable this policy setting, IE doesn't load any websites or content in the background.

If you disable this policy setting, IE preemptively loads websites and content in the background.

If you don’t configure this policy setting, users can turn this behavior on or off, using IE settings. This feature is turned on by default. | -| Turn off phone number detection | Administrative Templates\Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing | IE11 on Windows 10 | This policy setting determines whether phone numbers are recognized and turned into hyperlinks, which can be used to invoke the default phone application on the system.

If you enable this policy setting, phone number detection is turned off. Users won’t be able to modify this setting.

If you disable this policy setting, phone number detection is turned on. Users won’t be able to modify this setting.

If you don't configure this policy setting, users can turn this behavior on or off, using IE settings. The default is on. | -| Turn off sending URL path as UTF-8 | User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Settings\URL Encoding | At least Windows Internet Explorer 7 | This policy setting determines whether to let IE send the path portion of a URL using the UTF-8 standard. This standard defines characters so they're readable in any language and lets you exchange Internet addresses (URLs) with characters included in any language.

If you enable this policy setting, UTF-8 is not allowed. Users won't be able to change this setting.

If you disable this policy setting, UTF-8 is allowed. Users won't be able to change this setting.

If you don't configure this policy setting, users can turn this behavior on or off. | -| Turn off sending UTF-8 query strings for URLs | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | IE11 on Windows 10 | This policy setting determines whether IE uses 8-bit Unicode Transformation Format (UTF-8) to encode query strings in URLs before sending them to servers or to proxy servers.

If you enable this policy setting, you must specify when to use UTF-8 to encode query strings:

  • **0.** Never encode query strings.
  • **1.** Only encode query strings for URLs that aren't in the Intranet zone.
  • **2.** Only encode query strings for URLs that are in the Intranet zone.
  • **3.** Always encode query strings.

If you disable or don't configure this policy setting, users can turn this behavior on or off, using IE Advanced Options settings. The default is to encode all query strings in UTF-8. | -| Turn off the ability to launch report site problems using a menu option | Administrative Templates\Windows Components\Internet Explorer\Browser menus | Internet Explorer 11 | This policy setting allows you to manage whether users can start the **eport Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu.

If you enable this policy setting, users won’t be able to start the **Report Site Problems** dialog box from the Internet Explorer settings or the Tools menu.

If you disable or don’t configure this policy setting, users will be able to start the **Report Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu. | -| Turn off the flip ahead with page prediction feature | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | At least Internet Explorer 10 on Windows 8 | This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.

If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn’t loaded into the background.

If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.

If you don’t configure this setting, users can turn this behavior on or off, using the **Settings** charm.

**Note**
Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn’t available for Internet Explorer for the desktop. | -| Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | IE11 on Windows 10 | This policy setting determines whether IE11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.

If you enable this policy setting, IE11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.

If you disable this policy setting, IE11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.

If you don't configure this policy setting, users can turn this feature on or off using IE settings. This feature is turned off by default.

**Important**
When using 64-bit processes, some ActiveX controls and toolbars might not be available. | -| Turn on Site Discovery WMI output | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site Discovery Toolkit.

If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an WMI class, which can be aggregated by using a client-management solution, such as System Center Configuration Manager.

If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an WMI class.

**Note:**
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. | -| Turn on Site Discovery XML output | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to manage the XML output functionality of the Internet Explorer Site Discovery Toolkit.

If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an XML file, stored in your specified location.

If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an XML file.

**Note:**
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. | -| Use the Enterprise Mode IE website list | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10, version 1511 | This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode, instead of Standard mode, because of compatibility issues. Users can’t edit this list.

If you enable this policy setting, Internet Explorer downloads the Enterprise Mode website list from the `HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE`\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode hive, opening all included websites using Enterprise Mode. We recommend storing and downloading your list from a secure web server `(https://)`, to help protect against data tampering.

If you disable or don’t configure this policy setting, Internet Explorer opens all websites using **Standard** mode. | - -## Removed Group Policy settings -IE11 no longer supports these Group Policy settings: - -- Turn on Internet Explorer 7 Standards Mode - -- Turn off Compatibility View button - -- Turn off Quick Tabs functionality - -- Turn off the quick pick menu - -- Use large icons for command buttons - -## Viewing your policy settings -After you've finished updating and deploying your Group Policy, you can use the Resultant Set of Policy (RSoP) snap-in to view your settings. - -**To use the RSoP snap-in** - -1. Open and run the Resultant Set of Policy (RSoP) wizard, specifying the information you want to see. - -2. Open your wizard results in the Group Policy Management Console (GPMC).

-For complete instructions about how to add, open, and use RSoP, see [Use the RSoP Snap-in](https://go.microsoft.com/fwlink/p/?LinkId=395201) - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: New group policy settings for Internet Explorer 11 +author: lomayor +ms.prod: ie11 +ms.assetid: 669cc1a6-e2cb-403f-aa31-c1de52a615d1 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: New group policy settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# New group policy settings for Internet Explorer 11 +Internet Explorer 11 gives you some new Group Policy settings to help you manage your company's web browser configurations, including: + + +| Policy | Category Path | Supported on | Explanation | +|-----------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Allow IE to use the HTTP2 network protocol | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | IE11 on Windows 10 | This policy setting determines whether IE uses the HTTP2 network protocol. HTTP2 works with HTTP requests to optimize the latency of network requests through compression, multiplexing, and prioritization.

If you enable this policy setting, IE uses the HTTP2 network protocol.

If you disable this policy setting, IE won't use the HTTP2 network protocol.

If you don't configure this policy setting, users can turn this behavior on or off, using the **Internet Explorer Advanced Internet Options** settings. The default is on. | +| Allow IE to use the SPDY/3 network protocol | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | IE11 on Windows 10 | This policy setting determines whether Internet Explorer uses the SPDY/3 network protocol. SPDY/3 works with HTTP requests to optimize the latency of network requests through compression, multiplexing and prioritization.

If you enable this policy setting, Internet Explorer uses the SPDY/3 network protocol.

If you disable this policy setting, Internet Explorer won't use the SPDY/3 network protocol.

If you don't configure this policy setting, users can turn this behavior on or off, on the **Advanced\* tab of the \*\*Internet Options** dialog box. The default is on.

**Note**
We've replaced the SPDY/3 protocol with the HTTP2 protocol in Windows 10. You can configure the HTTP2 protocol by using the **Allow IE to use the HTTP2 network protocol** setting. | +| Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10 | This policy setting allows IE to provide enhanced suggestions as the user types in the Address bar. To provide enhanced suggestions, the user’s keystrokes are sent to Microsoft through Microsoft services.

If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the **Suggestions** setting on the **Settings** charm.

If you disable this policy setting, users won’t receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the **Suggestions** setting on the **Settings** charm.

If you don’t configure this policy setting, users can change the **Suggestions** setting on the **Settings** charm. | +| Allow only approved domains to use the TDC ActiveX control |

  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone
| IE11 in Windows 10 | This policy setting determines whether users can run the Tabular Data Control (TDC) ActiveX control, based on security zone. By default, the TDC ActiveX Control is disabled in the **Internet** and **Restricted Sites** security zones.

If you enable this policy setting, users won’t be able to run the TDC ActiveX control from all sites in the specified zone.

If you disable this policy setting, users can run the TDC Active X control from all sites in the specified zone. | +| Allow SSL3 Fallback | Administrative Templates\Windows Components\Internet Explorer\Security Features | Internet Explorer 11 on Windows 10 | This policy setting allows you to stop websites from falling back to using Secure Socket Layer (SSL) 3.0 or lower, if Transport Layer Security (TLS) 1.0 or higher, fails. This setting doesn’t affect which security protocols are enabled.

If you enable this policy setting and a website fails while using the TLS 1.0 or higher security protocols, Internet Explorer will try to fallback and use SSL 3.0 or lower security protocols.

If you disable or don’t configure this setting, Internet Explorer uses the default system protocols.

**Important:**
By default, SSL 3.0 is disabled. If you choose to enable SSL 3.0, we recommend that you disable or don't configure this setting to help mitigate potential man-in-the-middle attacks. | +| Allow VBScript to run in Internet Explorer |

  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Internet Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Intranet Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Local Machine Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Internet Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Intranet Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Local Machine Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Restricted Sites Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Trusted Sites Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Restricted Sites Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Trusted Sites Zone
| Internet Explorer 11 | This policy setting lets you decide whether VBScript can run on pages in specific Internet Explorer zones.

If you enable this policy setting (default), you must also pick one of the following options from the Options box:

  • Enable. VBScript runs on pages in specific zones, without any interaction.
  • Prompt. Employees are prompted whether to allow VBScript to run in the zone.
  • Disable. VBScript is prevented from running in the zone.

If you disable or don’t configure this policy setting, VBScript runs without any interaction in the specified zone. | +| Always send Do Not Track header | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | At least Internet Explorer 10 | This policy setting allows you to configure how IE sends the Do Not Track (DNT) header.

If you enable this policy setting, IE sends a `DNT:1` header with all HTTP and HTTPS requests. The `DNT:1` header signals to the servers not to track the user.

**In Internet Explorer 9 and 10:**
If you disable this policy setting, IE only sends the Do Not Track header if a Tracking Protection List is enabled or inPrivate Browsing mode is used.

**In at least IE11:**
If you disable this policy setting, IE only sends the Do Not Track header if inPrivate Browsing mode is used.

If you don't configure the policy setting, users can select the **Always send Do Not Track header** option on the **Advanced\* tab of the \*\*Internet Options** dialog box. By selecting this option, IE sends a `DNT:1` header with all HTTP and HTTPS requests; unless the user grants a site-specific exception, in which case IE sends a `DNT:0` header. By default, this option is enabled. | +| Don't run antimalware programs against ActiveX controls
(Internet, Restricted Zones) |

  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone
| IE11 on Windows 10 | This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.

If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.

If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.

If you don't configure this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using the Internet Explorer's **Security** settings. | +| Don't run antimalware programs against ActiveX controls
(Intranet, Trusted, Local Machine Zones) |

  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone
| IE11 on Windows 10 | This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.

If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.

If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.

If you don't configure this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer's **Security** settings. | +| Hide the button (next to the New Tab button) that opens Microsoft Edge | User Configuration\Administrative Templates\Windows Components/Internet Explorer\Internet Settings\Advanced Settings\Browsing\ | IE11 on Windows 10, version 1703 | This policy setting lets you decide whether employees can see the open Microsoft Edge button, which appears next to the New Tab button.

If you enable this policy setting, the button to open Microsoft Edge from Internet Explorer will be hidden.

If you disable this policy setting, the button to open Microsoft Edge from Internet Explorer appears.

If you don't configure this policy setting, the button to open Microsoft Edge from Internet Explorer can be configured by your employees. | +| Let users turn on and use Enterprise Mode from the **Tools** menu | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10 | This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the **Tools** menu.

If you enable this policy setting, users can see and use the **Enterprise Mode** option from the **Tools** menu. If you enable this setting, but don’t specify a report location, Enterprise Mode will still be available to your users, but you won’t get any reports.

If you disable or don’t configure this policy setting, the menu option won’t appear and users won’t be able to turn on Enterprise Mode locally. | +| Limit Site Discovery output by Domain | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to control which domains are included in the discovery function of the Internet Explorer Site Discovery Toolkit.

If you enable this policy setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in your specified domains, configured by adding one domain per line to the included text box.

If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in all domains.

**Note:**
You can use this setting in conjunction with the other settings that control the Internet Explorer Site Discovery Toolkit. | +| Limit Site Discovery output by Zone | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to control which zones are included in the discovery function of the Internet Explorer Site Discovery Toolkit.

If you enable this policy setting, the Internet Explorer Site Discovery Toolkit collects data from all specified security zones.

If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in all security zones.

To specify which zones can collect data, you must include a binary number that represents your selected zones, based on this order:

  • 0 – Restricted Sites zone
  • 0 – Internet zone
  • 0 – Trusted Sites zone
  • 0 – Local Intranet zone
  • 0 – Local Machine zone

**Example 1:** Include only the Local Intranet zone (binary representation: 00010), based on:
  • 0 – Restricted Sites zone
  • 0 – Internet zone
  • 0 – Trusted Sites zone
  • 1 – Local Intranet zone
  • 0 – Local Machine zone

**Example 2:** Include only the Restricted Sites, Trusted Sites, and Local Intranet zones (binary representation: 10110), based on:
  • 1 – Restricted Sites zone
  • 0 – Internet zone
  • 1 – Trusted Sites zone
  • 1 – Local Intranet zone
  • 1 – Local Machine zone

**Note:**
You can use this setting in conjunction with the other settings that control the Internet Explorer Site Discovery Toolkit. | +| Prevent deleting ActiveX Filtering, Tracking Protection and Do Not Track data | Administrative Templates\Windows Components\Internet Explorer\Delete Browsing History | At least Windows Internet Explorer 9 | **In Internet Explorer 9 and Internet Explorer 10:**
This policy setting prevents users from deleting ActiveX Filtering and Tracking Protection data, which includes the list of websites for which the user has chosen to disable ActiveX Filtering or Tracking Protection. In addition, Tracking Protection data is also collected if users turn on the **Personalized Tracking Protection List**, which blocks third-party items while the user is browsing.

**In IE11:**
This policy setting prevents users from deleting ActiveX Filtering, Tracking Protection data, and Do Not Track exceptions, stored in the **Delete Browsing History** dialog box, for visited websites.

If you enable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is preserved when the user clicks **Delete**.

If you disable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is deleted when the user clicks **Delete**.

If you don’t configure this policy setting, users can turn this feature on and off, determining whether to delete ActiveX Filtering, Tracking Protection, and Do Not Track data when clicking **Delete**. | +| Send all sites not included in the Enterprise Mode Site List to Microsoft Edge | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10, version 1607 | This policy setting lets you decide whether to open all sites that aren’t specified to open in IE11 by the Enterprise Mode site list, to open in Microsoft Edge.

If you enable this policy setting, you must also enable the Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list policy setting and you must include at least one site in the Enterprise Mode site list.

If you disable or don't configure this policy setting, all sites will open based on the currently active browser.

**Note:**
If you’ve also enabled the Administrative Templates\Windows Components\Microsoft Edge\Send all intranet sites to Internet Explorer 11 policy setting, then all intranet sites will continue to open in Internet Explorer 11. | +| Show message when opening sites in Microsoft Edge using Enterprise Mode | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10, version 1607 | This policy setting lets you decide whether employees see an additional page in Internet Explorer 11, stating that a site has been opened using Microsoft Edge with Enterprise Mode.

If you enable this policy setting, employees see an additional page in Internet Explorer 11, stating that a site has been opened using Microsoft Edge with Enterprise Mode.

If you disable or don't configure this policy setting, the default app behavior occurs and no additional page appears. | +| Turn off automatic download of the ActiveX VersionList | Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management | At least Windows Internet Explorer 8 | This policy setting allows you to decide whether Internet Explorer automatically downloads updated versions of Microsoft's VersionList.XML file. This file tells Internet Explorer whether to stop specific ActiveX controls from loading.

If you enable this policy setting, Internet Explorer stops automatically downloading updated versions of the VersionList.XML file.

If you disable or don’t configure this setting, Internet Explorer continues to download updated versions of the VersionList.XML file.

**Important:**
Stopping this file from updating breaks the out-of-date ActiveX control blocking feature, potentially compromising the security of the device. For more info, see the Out-of-Date ActiveX Control Blocking () topic. | +| Turn off loading websites and content in the background to optimize performance | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | IE11 on Windows 10 | This policy setting determines whether Internet Explorer preemptively loads websites and content in the background, speeding up performance such that when the user clicks a hyperlink, the background page seamlessly switches into view.

If you enable this policy setting, IE doesn't load any websites or content in the background.

If you disable this policy setting, IE preemptively loads websites and content in the background.

If you don’t configure this policy setting, users can turn this behavior on or off, using IE settings. This feature is turned on by default. | +| Turn off phone number detection | Administrative Templates\Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing | IE11 on Windows 10 | This policy setting determines whether phone numbers are recognized and turned into hyperlinks, which can be used to invoke the default phone application on the system.

If you enable this policy setting, phone number detection is turned off. Users won’t be able to modify this setting.

If you disable this policy setting, phone number detection is turned on. Users won’t be able to modify this setting.

If you don't configure this policy setting, users can turn this behavior on or off, using IE settings. The default is on. | +| Turn off sending URL path as UTF-8 | User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Settings\URL Encoding | At least Windows Internet Explorer 7 | This policy setting determines whether to let IE send the path portion of a URL using the UTF-8 standard. This standard defines characters so they're readable in any language and lets you exchange Internet addresses (URLs) with characters included in any language.

If you enable this policy setting, UTF-8 is not allowed. Users won't be able to change this setting.

If you disable this policy setting, UTF-8 is allowed. Users won't be able to change this setting.

If you don't configure this policy setting, users can turn this behavior on or off. | +| Turn off sending UTF-8 query strings for URLs | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | IE11 on Windows 10 | This policy setting determines whether IE uses 8-bit Unicode Transformation Format (UTF-8) to encode query strings in URLs before sending them to servers or to proxy servers.

If you enable this policy setting, you must specify when to use UTF-8 to encode query strings:

  • **0.** Never encode query strings.
  • **1.** Only encode query strings for URLs that aren't in the Intranet zone.
  • **2.** Only encode query strings for URLs that are in the Intranet zone.
  • **3.** Always encode query strings.

If you disable or don't configure this policy setting, users can turn this behavior on or off, using IE Advanced Options settings. The default is to encode all query strings in UTF-8. | +| Turn off the ability to launch report site problems using a menu option | Administrative Templates\Windows Components\Internet Explorer\Browser menus | Internet Explorer 11 | This policy setting allows you to manage whether users can start the **eport Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu.

If you enable this policy setting, users won’t be able to start the **Report Site Problems** dialog box from the Internet Explorer settings or the Tools menu.

If you disable or don’t configure this policy setting, users will be able to start the **Report Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu. | +| Turn off the flip ahead with page prediction feature | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | At least Internet Explorer 10 on Windows 8 | This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.

If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn’t loaded into the background.

If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.

If you don’t configure this setting, users can turn this behavior on or off, using the **Settings** charm.

**Note**
Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn’t available for Internet Explorer for the desktop. | +| Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | IE11 on Windows 10 | This policy setting determines whether IE11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.

If you enable this policy setting, IE11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.

If you disable this policy setting, IE11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.

If you don't configure this policy setting, users can turn this feature on or off using IE settings. This feature is turned off by default.

**Important**
When using 64-bit processes, some ActiveX controls and toolbars might not be available. | +| Turn on Site Discovery WMI output | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site Discovery Toolkit.

If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an WMI class, which can be aggregated by using a client-management solution, such as System Center Configuration Manager.

If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an WMI class.

**Note:**
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. | +| Turn on Site Discovery XML output | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to manage the XML output functionality of the Internet Explorer Site Discovery Toolkit.

If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an XML file, stored in your specified location.

If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an XML file.

**Note:**
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. | +| Use the Enterprise Mode IE website list | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10, version 1511 | This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode, instead of Standard mode, because of compatibility issues. Users can’t edit this list.

If you enable this policy setting, Internet Explorer downloads the Enterprise Mode website list from the `HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE`\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode hive, opening all included websites using Enterprise Mode. We recommend storing and downloading your list from a secure web server `(https://)`, to help protect against data tampering.

If you disable or don’t configure this policy setting, Internet Explorer opens all websites using **Standard** mode. | + +## Removed Group Policy settings +IE11 no longer supports these Group Policy settings: + +- Turn on Internet Explorer 7 Standards Mode + +- Turn off Compatibility View button + +- Turn off Quick Tabs functionality + +- Turn off the quick pick menu + +- Use large icons for command buttons + +## Viewing your policy settings +After you've finished updating and deploying your Group Policy, you can use the Resultant Set of Policy (RSoP) snap-in to view your settings. + +**To use the RSoP snap-in** + +1. Open and run the Resultant Set of Policy (RSoP) wizard, specifying the information you want to see. + +2. Open your wizard results in the Group Policy Management Console (GPMC).

+For complete instructions about how to add, open, and use RSoP, see [Use the RSoP Snap-in](https://go.microsoft.com/fwlink/p/?LinkId=395201) + diff --git a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md index 825f199730..32665259c3 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md +++ b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md @@ -1,205 +1,205 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: Use out-of-date ActiveX control blocking to help you know when IE prevents a webpage from loading outdated ActiveX controls and to update the outdated control, so that it’s safer to use. -author: lomayor -ms.author: lomayor -ms.prod: ie11 -ms.assetid: e61866bb-1ff1-4a8d-96f2-61d3534e8199 -ms.reviewer: -manager: dansimp -title: Out-of-date ActiveX control blocking (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 05/10/2018 ---- - - -# Out-of-date ActiveX control blocking - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) -- Windows Vista SP2 - -ActiveX controls are small apps that let websites provide content, like videos, games, and let you interact with content like toolbars. Unfortunately, because many ActiveX controls aren’t automatically updated, they can become outdated as new versions are released. It’s very important that you keep your ActiveX controls up-to-date because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. To help avoid this situation, Internet Explorer includes a new security feature, called *out-of-date ActiveX control blocking*. - -Out-of-date ActiveX control blocking lets you: - -- Know when IE prevents a webpage from loading common, but outdated ActiveX controls. - -- Interact with other parts of the webpage that aren’t affected by the outdated control. - -- Update the outdated control, so that it’s up-to-date and safer to use. - -The out-of-date ActiveX control blocking feature works with all [Security Zones](https://go.microsoft.com/fwlink/p/?LinkId=403863), except the Local Intranet Zone and the Trusted Sites Zone. - -It also works with these operating system and IE combinations: - -|Windows operating system |IE version | -|----------------------------------------|---------------------------------| -|Windows 10 |All supported versions of IE.
Microsoft Edge doesn't support ActiveX controls. | -|Windows 8.1 and Windows 8.1 Update |All supported versions of IE | -|Windows 7 SP1 |All supported versions of IE | -|Windows Server 2012 |All supported versions of IE | -|Windows Server 2008 R2 SP1 |All supported versions of IE | -|Windows Server 2008 SP2 |Windows Internet Explorer 9 only | -|Windows Vista SP2 |Windows Internet Explorer 9 only | - -For more info about this new feature, see the [Internet Explorer begins blocking out-of-date ActiveX controls](https://go.microsoft.com/fwlink/p/?LinkId=507691) blog. To see the complete list of out-of-date Active controls blocked by this feature, see [Blocked out-of-date ActiveX controls](blocked-out-of-date-activex-controls.md). - - -## What does the out-of-date ActiveX control blocking notification look like? -When IE blocks an outdated ActiveX control, you’ll see a notification bar similar to this, depending on your version of IE: - -**Internet Explorer 9 through Internet Explorer 11** - -![Warning about outdated activex controls (ie9+)](images/outdatedcontrolwarning.png) - -**Windows Internet Explorer 8** - -![Warning about outdated activex controls (ie8)](images/ieoutdatedcontrolwarning.png) - -Out-of-date ActiveX control blocking also gives you a security warning that tells you if a webpage tries to launch specific outdated apps, outside of IE: - -![Warning about outdated activex controls outside ie](images/ieoutdatedcontroloutsideofie.png) - - -## How do I fix an outdated ActiveX control or app? -From the notification about the outdated ActiveX control, you can go to the control’s website to download its latest version. - - **To get the updated ActiveX control** - -1. From the notification bar, tap or click **Update**.

-IE opens the ActiveX control’s website. - -2. Download the latest version of the control. - -**Security Note:**
If you don’t fully trust a site, you shouldn’t allow it to load an outdated ActiveX control. However, although we don’t recommend it, you can view the missing webpage content by tapping or clicking **Run this time**. This option runs the ActiveX control without updating or fixing the problem. The next time you visit a webpage running the same outdated ActiveX control, you’ll get the notification again. - - **To get the updated app** - -1. From the security warning, tap or click **Update** link.

-IE opens the app’s website. - -2. Download the latest version of the app. - -**Security Note:**
If you don’t fully trust a site, you shouldn’t allow it to launch an outdated app. However, although we don’t recommend it, you can let the webpage launch the app by tapping or clicking **Allow**. This option opens the app without updating or fixing the problem. The next time you visit a webpage running the same outdated app, you’ll get the notification again. - -## How does IE decide which ActiveX controls to block? -IE uses Microsoft’s versionlist.xml or versionlistWin7.xml file to determine whether an ActiveX control should be stopped from loading. These files are updated with newly-discovered out-of-date ActiveX controls, which IE automatically downloads to your local copy of the file. - -You can see your copy of the file here `%LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager\versionlist.xml` or you can view Microsoft’s version, based on your operating system and version of IE, here: -- [Internet Explorer 11 on Windows 7 SP1 or Windows Server 2008 R2](https://go.microsoft.com/fwlink/p/?LinkId=798230) -- [All other configurations](https://go.microsoft.com/fwlink/p/?LinkId=403864) - -**Security Note:**
Although we strongly recommend against it, if you don’t want your computer to automatically download the updated version list from Microsoft, run the following command from a command prompt: - -``` -reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v DownloadVersionList /t REG_DWORD /d 0 /f -``` -Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. Use this configuration option at your own risk. - -## Out-of-date ActiveX control blocking on managed devices -Out-of-date ActiveX control blocking includes four new Group Policy settings that you can use to manage your web browser configuration, based on your domain controller. You can download the administrative templates, including the new settings, from the [Administrative templates (.admx) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=746579) page or the [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580) page, depending on your operating system. - -### Group Policy settings -Here’s a list of the new Group Policy info, including the settings, location, requirements, and Help text strings. All of these settings can be set in either the Computer Configuration or User Configuration scope, but Computer Configuration takes precedence over User Configuration. - -**Important**
-Out-of-date ActiveX control blocking is turned off in the Local Intranet Zone and the Trusted Sites Zone; therefore, intranet websites and line-of-business apps will continue to use out-of-date ActiveX controls without disruption. - -|Setting |Category path |Supported on |Help text | -|--------|--------------|-------------|----------| -|Turn on ActiveX control logging in IE |`Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management` |Internet Explorer 8 through IE11 |This setting determines whether IE saves log information for ActiveX controls.

If you enable this setting, IE logs ActiveX control information (including the source URI that loaded the control and whether it was blocked) to a local file.

If you disable or don't configure this setting, IE won't log ActiveX control information.

Note that you can turn this setting on or off regardless of the **Turn off blocking of outdated ActiveX controls for IE** or **Turn off blocking of outdated ActiveX controls for IE on specific domains** settings. | -|Remove the **Run this time** button for outdated ActiveX controls in IE |`Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management`|Internet Explorer 8 through IE11 |This setting allows you stop users from seeing the **Run this time** button and from running specific outdated ActiveX controls in IE.

If you enable this setting, users won't see the **Run this time** button on the warning message that appears when IE blocks an outdated ActiveX control.

If you disable or don't configure this setting, users will see the **Run this time** button on the warning message that appears when IE blocks an outdated ActiveX control. Clicking this button lets the user run the outdated ActiveX control once. | -|Turn off blocking of outdated ActiveX controls for IE on specific domains |`Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management` |Internet Explorer 8 through IE11 |This setting allows you to manage a list of domains on which IE will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

If you enable this setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in IE. Each domain entry must be formatted like one of the following:

  • **"domainname.TLD".** For example, if you want to include `*.contoso.com/*`, use "contoso.com".
  • **"hostname".** For example, if you want to include `https://example`, use "example".
  • **"file:///path/filename.htm"**. For example, use `file:///C:/Users/contoso/Desktop/index.htm`.

If you disable or don't configure this setting, the list is deleted and IE continues to block specific outdated ActiveX controls on all domains in the Internet Zone. | -|Turn off blocking of outdated ActiveX controls for IE |`Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management` |Internet Explorer 8 through IE11 |This setting determines whether IE blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

If you enable this setting, IE stops blocking outdated ActiveX controls.

If you disable or don't configure this setting, IE continues to block specific outdated ActiveX controls. | -|Remove the **Update** button in the out-of-date ActiveX control blocking notification for IE |This functionality is only available through the registry |Internet Explorer 8 through IE11 |This setting determines whether the out-of-date ActiveX control blocking notification shows the **Update** button. This button points users to update specific out-of-date ActiveX controls in IE. | - - -If you don't want to use Group Policy, you can also turn these settings on or off using the registry. You can update the registry manually. - -|Setting |Registry setting | -|-------------------------|----------------------------------------------------------------| -|Turn on ActiveX control logging in IE |`reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" /v AuditModeEnabled /t REG_DWORD /d 1 /f`

Where:

  • **0 or not configured.** Logs ActiveX control information (including the source URI that loaded the control and whether it was blocked) to a local file.
  • **1.** Logs ActiveX control information.
| -|Remove **Run this time** button for outdated ActiveX controls in IE |`reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" /v RunThisTimeEnabled /t REG_DWORD /d 0 /f`

Where:

  • **0.** Removes the **Run this time** button.
  • **1 or not configured.** Leaves the **Run this time** button.
| -|Turn off blocking of outdated ActiveX controls for IE on specific domains |reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\Domain" /v contoso.com /t REG_SZ /f

Where:

  • **contoso.com.** A single domain on which outdated ActiveX controls won't be blocked in IE. Use a new `reg add` command for each domain you wish to add to the **Allow** list.
| -|Turn off blocking of outdated ActiveX controls for IE |`reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" /v VersionCheckEnabled /t REG_DWORD /d 0 /f`

Where:

  • **0.** Stops blocking outdated ActiveX controls.
  • **1 or not configured.** Continues to block specific outdated ActiveX controls.
| -|Remove the **Update** button in the out-of-date ActiveX control blocking notification for IE |`reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v UpdateEnabled /t REG_DWORD /d 0 /f`

Where:

  • **0.** Removes the **Update** button
  • **1 or not configured.** Leaves the **Update** button.
- -## Inventory your ActiveX controls -You can inventory the ActiveX controls being used in your company, by turning on the **Turn on ActiveX control logging in IE** setting: - -- **Windows 10:** Through a comma-separated values (.csv) file or through a local Windows Management Instrumentation (WMI) class. - -- **All other versions of Microsoft Windows:** Through a .csv file only. - - -### Inventory your ActiveX controls by using a .CSV file -If you decide to inventory the ActiveX controls being used in your company by turning on the **Turn on ActiveX control logging in IE** setting, IE logs the ActiveX control information to the `%LOCALAPPDATA%\Microsoft\Internet Explorer\AuditMode\VersionAuditLog.csv` file. - -Here’s a detailed example and description of what’s included in the VersionAuditLog.csv file. - -|Source URI |File path |Product version |File version |Allowed/Blocked |Reason |EPM-compatible | -|-----------|----------|----------------|-------------|----------------|-------|---------------| -|`https://contoso.com/test1.html` |C:\Windows\System32\Macromed\Flash\Flash.ocx |14.0.0.125 |14.0.0.125 |Allowed |Not in blocklist |EPM-compatible | -|`https://contoso.com/test2.html` |C:\Program Files\Java\jre6\bin\jp2iexp.dll |6.0.410.2 |6.0.410.2 |Blocked |Out of date |Not EPM-compatible | - -**Where:** -- **Source URI.** The URL of the page that loaded the ActiveX control. - -- **File path.** The location of the binary that implements the ActiveX control. - -- **Product version.** The product version of the binary that implements the ActiveX control. - -- **File version.** The file version of the binary that implements the ActiveX control. - -- **Allowed/Blocked** Whether IE blocked the ActiveX control. - -- **Enhanced Protected Mode (EPM)-compatible.** Whether the loaded ActiveX control is compatible with [Enhanced Protected Mode](https://go.microsoft.com/fwlink/p/?LinkId=403865).

**Note**
Enhanced Protected Mode isn’t supported on Internet Explorer 9 or earlier versions of IE. Therefore, if you’re using Internet Explorer 8 or Internet Explorer 9, all ActiveX controls will always be marked as not EPM-compatible. - -- **Reason.** The ActiveX control can be blocked or allowed for any of these reasons: - -|Reason |Corresponds to |Description | -|-------------------------|---------------|-------------------------------------------------| -|Version not in blocklist |Allowed |The version of the loaded ActiveX control is explicitly allowed by the IE version list. | -|Trusted domain |Allowed |The ActiveX control was loaded on a domain listed in the **Turn off blocking of outdated ActiveX controls for IE on specific domains** setting. | -|File doesn’t exist |Allowed |The loaded ActiveX control is missing required binaries to run correctly. | -|Out-of-date |Blocked |The loaded ActiveX control is explicitly blocked by the IE version list because it is out-of-date. | -|Not in blocklist |Allowed |The loaded ActiveX control isn’t in the IE version list. | -|Managed by policy |Allowed |The loaded ActiveX control is managed by a Group Policy setting that isn’t listed here, and will be managed in accordance with that Group Policy setting. | -|Trusted Site Zone or intranet |Allowed |The ActiveX control was loaded in the Trusted Sites Zone or the Local Intranet Zone. | -|Hardblocked |Blocked |The loaded ActiveX control is blocked in IE because it contains known security vulnerabilities. | -|Unknown |Allowed or blocked |None of the above apply. | - -### Inventory your ActiveX controls by using a local WMI class -For Windows 10 you also have the option to log your inventory info to a local WMI class. Info logged to this class includes all of info you get from the .csv file, plus the CLSID of the loaded ActiveX control or the name of any apps started from an ActiveX control. - -#### Before you begin -Before you can use WMI to inventory your ActiveX controls, you need to [download the configuration package (.zip file)](https://go.microsoft.com/fwlink/p/?LinkId=616971), which includes: - -- **ConfigureWMILogging.ps1**. A Windows PowerShell script. - -- **ActiveXWMILogging.mof**. A managed object file. - -Before running the PowerShell script, you must copy both the .ps1 and .mof file to the same directory location, on the client computer. - - **To configure IE to use WMI logging** - -1. Open your Group Policy editor and turn on the `Administrative Templates\Windows Components\Internet Explorer\Turn on ActiveX control logging in IE` setting. - -2. On the client device, start PowerShell in elevated mode (using admin privileges) and run `ConfigureWMILogging.ps1` by by-passing the PowerShell execution policy, using this command: - ``` - powershell –ExecutionPolicy Bypass .\ConfigureWMILogging.ps1 - ``` - For more info, see [about_Execution_Policies](https://go.microsoft.com/fwlink/p/?linkid=517460). - -3. **Optional:** Set up your domain firewall for WMI data. For more info, see [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md). - -The inventory info appears in the WMI class, `IEAXControlBlockingAuditInfo`, located in the WMI namespace, *root\\cimv2\\IETelemetry*. To collect the inventory info from your client computers, we recommend using System Center 2012 R2 Configuration Manager or any agent that can access the WMI data. For more info, see [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md). - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: Use out-of-date ActiveX control blocking to help you know when IE prevents a webpage from loading outdated ActiveX controls and to update the outdated control, so that it’s safer to use. +author: lomayor +ms.author: lomayor +ms.prod: ie11 +ms.assetid: e61866bb-1ff1-4a8d-96f2-61d3534e8199 +ms.reviewer: +audience: itpro manager: dansimp +title: Out-of-date ActiveX control blocking (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 05/10/2018 +--- + + +# Out-of-date ActiveX control blocking + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) +- Windows Vista SP2 + +ActiveX controls are small apps that let websites provide content, like videos, games, and let you interact with content like toolbars. Unfortunately, because many ActiveX controls aren’t automatically updated, they can become outdated as new versions are released. It’s very important that you keep your ActiveX controls up-to-date because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. To help avoid this situation, Internet Explorer includes a new security feature, called *out-of-date ActiveX control blocking*. + +Out-of-date ActiveX control blocking lets you: + +- Know when IE prevents a webpage from loading common, but outdated ActiveX controls. + +- Interact with other parts of the webpage that aren’t affected by the outdated control. + +- Update the outdated control, so that it’s up-to-date and safer to use. + +The out-of-date ActiveX control blocking feature works with all [Security Zones](https://go.microsoft.com/fwlink/p/?LinkId=403863), except the Local Intranet Zone and the Trusted Sites Zone. + +It also works with these operating system and IE combinations: + +|Windows operating system |IE version | +|----------------------------------------|---------------------------------| +|Windows 10 |All supported versions of IE.
Microsoft Edge doesn't support ActiveX controls. | +|Windows 8.1 and Windows 8.1 Update |All supported versions of IE | +|Windows 7 SP1 |All supported versions of IE | +|Windows Server 2012 |All supported versions of IE | +|Windows Server 2008 R2 SP1 |All supported versions of IE | +|Windows Server 2008 SP2 |Windows Internet Explorer 9 only | +|Windows Vista SP2 |Windows Internet Explorer 9 only | + +For more info about this new feature, see the [Internet Explorer begins blocking out-of-date ActiveX controls](https://go.microsoft.com/fwlink/p/?LinkId=507691) blog. To see the complete list of out-of-date Active controls blocked by this feature, see [Blocked out-of-date ActiveX controls](blocked-out-of-date-activex-controls.md). + + +## What does the out-of-date ActiveX control blocking notification look like? +When IE blocks an outdated ActiveX control, you’ll see a notification bar similar to this, depending on your version of IE: + +**Internet Explorer 9 through Internet Explorer 11** + +![Warning about outdated activex controls (ie9+)](images/outdatedcontrolwarning.png) + +**Windows Internet Explorer 8** + +![Warning about outdated activex controls (ie8)](images/ieoutdatedcontrolwarning.png) + +Out-of-date ActiveX control blocking also gives you a security warning that tells you if a webpage tries to launch specific outdated apps, outside of IE: + +![Warning about outdated activex controls outside ie](images/ieoutdatedcontroloutsideofie.png) + + +## How do I fix an outdated ActiveX control or app? +From the notification about the outdated ActiveX control, you can go to the control’s website to download its latest version. + + **To get the updated ActiveX control** + +1. From the notification bar, tap or click **Update**.

+IE opens the ActiveX control’s website. + +2. Download the latest version of the control. + +**Security Note:**
If you don’t fully trust a site, you shouldn’t allow it to load an outdated ActiveX control. However, although we don’t recommend it, you can view the missing webpage content by tapping or clicking **Run this time**. This option runs the ActiveX control without updating or fixing the problem. The next time you visit a webpage running the same outdated ActiveX control, you’ll get the notification again. + + **To get the updated app** + +1. From the security warning, tap or click **Update** link.

+IE opens the app’s website. + +2. Download the latest version of the app. + +**Security Note:**
If you don’t fully trust a site, you shouldn’t allow it to launch an outdated app. However, although we don’t recommend it, you can let the webpage launch the app by tapping or clicking **Allow**. This option opens the app without updating or fixing the problem. The next time you visit a webpage running the same outdated app, you’ll get the notification again. + +## How does IE decide which ActiveX controls to block? +IE uses Microsoft’s versionlist.xml or versionlistWin7.xml file to determine whether an ActiveX control should be stopped from loading. These files are updated with newly-discovered out-of-date ActiveX controls, which IE automatically downloads to your local copy of the file. + +You can see your copy of the file here `%LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager\versionlist.xml` or you can view Microsoft’s version, based on your operating system and version of IE, here: +- [Internet Explorer 11 on Windows 7 SP1 or Windows Server 2008 R2](https://go.microsoft.com/fwlink/p/?LinkId=798230) +- [All other configurations](https://go.microsoft.com/fwlink/p/?LinkId=403864) + +**Security Note:**
Although we strongly recommend against it, if you don’t want your computer to automatically download the updated version list from Microsoft, run the following command from a command prompt: + +``` +reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v DownloadVersionList /t REG_DWORD /d 0 /f +``` +Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. Use this configuration option at your own risk. + +## Out-of-date ActiveX control blocking on managed devices +Out-of-date ActiveX control blocking includes four new Group Policy settings that you can use to manage your web browser configuration, based on your domain controller. You can download the administrative templates, including the new settings, from the [Administrative templates (.admx) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=746579) page or the [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580) page, depending on your operating system. + +### Group Policy settings +Here’s a list of the new Group Policy info, including the settings, location, requirements, and Help text strings. All of these settings can be set in either the Computer Configuration or User Configuration scope, but Computer Configuration takes precedence over User Configuration. + +**Important**
+Out-of-date ActiveX control blocking is turned off in the Local Intranet Zone and the Trusted Sites Zone; therefore, intranet websites and line-of-business apps will continue to use out-of-date ActiveX controls without disruption. + +|Setting |Category path |Supported on |Help text | +|--------|--------------|-------------|----------| +|Turn on ActiveX control logging in IE |`Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management` |Internet Explorer 8 through IE11 |This setting determines whether IE saves log information for ActiveX controls.

If you enable this setting, IE logs ActiveX control information (including the source URI that loaded the control and whether it was blocked) to a local file.

If you disable or don't configure this setting, IE won't log ActiveX control information.

Note that you can turn this setting on or off regardless of the **Turn off blocking of outdated ActiveX controls for IE** or **Turn off blocking of outdated ActiveX controls for IE on specific domains** settings. | +|Remove the **Run this time** button for outdated ActiveX controls in IE |`Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management`|Internet Explorer 8 through IE11 |This setting allows you stop users from seeing the **Run this time** button and from running specific outdated ActiveX controls in IE.

If you enable this setting, users won't see the **Run this time** button on the warning message that appears when IE blocks an outdated ActiveX control.

If you disable or don't configure this setting, users will see the **Run this time** button on the warning message that appears when IE blocks an outdated ActiveX control. Clicking this button lets the user run the outdated ActiveX control once. | +|Turn off blocking of outdated ActiveX controls for IE on specific domains |`Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management` |Internet Explorer 8 through IE11 |This setting allows you to manage a list of domains on which IE will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

If you enable this setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in IE. Each domain entry must be formatted like one of the following:

  • **"domainname.TLD".** For example, if you want to include `*.contoso.com/*`, use "contoso.com".
  • **"hostname".** For example, if you want to include `https://example`, use "example".
  • **"file:///path/filename.htm"**. For example, use `file:///C:/Users/contoso/Desktop/index.htm`.

If you disable or don't configure this setting, the list is deleted and IE continues to block specific outdated ActiveX controls on all domains in the Internet Zone. | +|Turn off blocking of outdated ActiveX controls for IE |`Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management` |Internet Explorer 8 through IE11 |This setting determines whether IE blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

If you enable this setting, IE stops blocking outdated ActiveX controls.

If you disable or don't configure this setting, IE continues to block specific outdated ActiveX controls. | +|Remove the **Update** button in the out-of-date ActiveX control blocking notification for IE |This functionality is only available through the registry |Internet Explorer 8 through IE11 |This setting determines whether the out-of-date ActiveX control blocking notification shows the **Update** button. This button points users to update specific out-of-date ActiveX controls in IE. | + + +If you don't want to use Group Policy, you can also turn these settings on or off using the registry. You can update the registry manually. + +|Setting |Registry setting | +|-------------------------|----------------------------------------------------------------| +|Turn on ActiveX control logging in IE |`reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" /v AuditModeEnabled /t REG_DWORD /d 1 /f`

Where:

  • **0 or not configured.** Logs ActiveX control information (including the source URI that loaded the control and whether it was blocked) to a local file.
  • **1.** Logs ActiveX control information.
| +|Remove **Run this time** button for outdated ActiveX controls in IE |`reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" /v RunThisTimeEnabled /t REG_DWORD /d 0 /f`

Where:

  • **0.** Removes the **Run this time** button.
  • **1 or not configured.** Leaves the **Run this time** button.
| +|Turn off blocking of outdated ActiveX controls for IE on specific domains |reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\Domain" /v contoso.com /t REG_SZ /f

Where:

  • **contoso.com.** A single domain on which outdated ActiveX controls won't be blocked in IE. Use a new `reg add` command for each domain you wish to add to the **Allow** list.
| +|Turn off blocking of outdated ActiveX controls for IE |`reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" /v VersionCheckEnabled /t REG_DWORD /d 0 /f`

Where:

  • **0.** Stops blocking outdated ActiveX controls.
  • **1 or not configured.** Continues to block specific outdated ActiveX controls.
| +|Remove the **Update** button in the out-of-date ActiveX control blocking notification for IE |`reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v UpdateEnabled /t REG_DWORD /d 0 /f`

Where:

  • **0.** Removes the **Update** button
  • **1 or not configured.** Leaves the **Update** button.
+ +## Inventory your ActiveX controls +You can inventory the ActiveX controls being used in your company, by turning on the **Turn on ActiveX control logging in IE** setting: + +- **Windows 10:** Through a comma-separated values (.csv) file or through a local Windows Management Instrumentation (WMI) class. + +- **All other versions of Microsoft Windows:** Through a .csv file only. + + +### Inventory your ActiveX controls by using a .CSV file +If you decide to inventory the ActiveX controls being used in your company by turning on the **Turn on ActiveX control logging in IE** setting, IE logs the ActiveX control information to the `%LOCALAPPDATA%\Microsoft\Internet Explorer\AuditMode\VersionAuditLog.csv` file. + +Here’s a detailed example and description of what’s included in the VersionAuditLog.csv file. + +|Source URI |File path |Product version |File version |Allowed/Blocked |Reason |EPM-compatible | +|-----------|----------|----------------|-------------|----------------|-------|---------------| +|`https://contoso.com/test1.html` |C:\Windows\System32\Macromed\Flash\Flash.ocx |14.0.0.125 |14.0.0.125 |Allowed |Not in blocklist |EPM-compatible | +|`https://contoso.com/test2.html` |C:\Program Files\Java\jre6\bin\jp2iexp.dll |6.0.410.2 |6.0.410.2 |Blocked |Out of date |Not EPM-compatible | + +**Where:** +- **Source URI.** The URL of the page that loaded the ActiveX control. + +- **File path.** The location of the binary that implements the ActiveX control. + +- **Product version.** The product version of the binary that implements the ActiveX control. + +- **File version.** The file version of the binary that implements the ActiveX control. + +- **Allowed/Blocked** Whether IE blocked the ActiveX control. + +- **Enhanced Protected Mode (EPM)-compatible.** Whether the loaded ActiveX control is compatible with [Enhanced Protected Mode](https://go.microsoft.com/fwlink/p/?LinkId=403865).

**Note**
Enhanced Protected Mode isn’t supported on Internet Explorer 9 or earlier versions of IE. Therefore, if you’re using Internet Explorer 8 or Internet Explorer 9, all ActiveX controls will always be marked as not EPM-compatible. + +- **Reason.** The ActiveX control can be blocked or allowed for any of these reasons: + +|Reason |Corresponds to |Description | +|-------------------------|---------------|-------------------------------------------------| +|Version not in blocklist |Allowed |The version of the loaded ActiveX control is explicitly allowed by the IE version list. | +|Trusted domain |Allowed |The ActiveX control was loaded on a domain listed in the **Turn off blocking of outdated ActiveX controls for IE on specific domains** setting. | +|File doesn’t exist |Allowed |The loaded ActiveX control is missing required binaries to run correctly. | +|Out-of-date |Blocked |The loaded ActiveX control is explicitly blocked by the IE version list because it is out-of-date. | +|Not in blocklist |Allowed |The loaded ActiveX control isn’t in the IE version list. | +|Managed by policy |Allowed |The loaded ActiveX control is managed by a Group Policy setting that isn’t listed here, and will be managed in accordance with that Group Policy setting. | +|Trusted Site Zone or intranet |Allowed |The ActiveX control was loaded in the Trusted Sites Zone or the Local Intranet Zone. | +|Hardblocked |Blocked |The loaded ActiveX control is blocked in IE because it contains known security vulnerabilities. | +|Unknown |Allowed or blocked |None of the above apply. | + +### Inventory your ActiveX controls by using a local WMI class +For Windows 10 you also have the option to log your inventory info to a local WMI class. Info logged to this class includes all of info you get from the .csv file, plus the CLSID of the loaded ActiveX control or the name of any apps started from an ActiveX control. + +#### Before you begin +Before you can use WMI to inventory your ActiveX controls, you need to [download the configuration package (.zip file)](https://go.microsoft.com/fwlink/p/?LinkId=616971), which includes: + +- **ConfigureWMILogging.ps1**. A Windows PowerShell script. + +- **ActiveXWMILogging.mof**. A managed object file. + +Before running the PowerShell script, you must copy both the .ps1 and .mof file to the same directory location, on the client computer. + + **To configure IE to use WMI logging** + +1. Open your Group Policy editor and turn on the `Administrative Templates\Windows Components\Internet Explorer\Turn on ActiveX control logging in IE` setting. + +2. On the client device, start PowerShell in elevated mode (using admin privileges) and run `ConfigureWMILogging.ps1` by by-passing the PowerShell execution policy, using this command: + ``` + powershell –ExecutionPolicy Bypass .\ConfigureWMILogging.ps1 + ``` + For more info, see [about_Execution_Policies](https://go.microsoft.com/fwlink/p/?linkid=517460). + +3. **Optional:** Set up your domain firewall for WMI data. For more info, see [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md). + +The inventory info appears in the WMI class, `IEAXControlBlockingAuditInfo`, located in the WMI namespace, *root\\cimv2\\IETelemetry*. To collect the inventory info from your client computers, we recommend using System Center 2012 R2 Configuration Manager or any agent that can access the WMI data. For more info, see [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md). + diff --git a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md index dfa4a9576b..7b0af11274 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md @@ -1,73 +1,73 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: support -description: Possible solutions to the problems you might encounter after installing IE11, such as crashing or seeming slow, getting into an unusable state, or problems with adaptive streaming and DRM playback. -author: lomayor -ms.prod: ie11 -ms.assetid: c4b75ad3-9c4a-4dd2-9fed-69f776f542e6 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Problems after installing Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 10/16/2017 ---- - - -# Problems after installing Internet Explorer 11 -After you install Internet Explorer 11 in your organization, you might run into the following issues. By following these suggestions, you should be able to fix them. - -## Internet Explorer is in an unusable state -If IE11 gets into an unusable state on an employee's computer, you can use the **Reset Internet Explorer Settings (RIES)** feature to restore the default settings for many of the browser features, including: - -- Search scopes - -- Appearance settings - -- Toolbars - -- ActiveX® controls (resets to the opt-in state, unless they're pre-approved) - -- Branding settings created with IEAK 11 - -RIES does not: - -- Clear the Favorites list, RSS feeds, or Web slices. - -- Reset connection or proxy settings. - -- Affect the applied Administrative Template Group Policy settings. - -RIES turns off all custom toolbars, browser extensions, and customizations installed with IE11. If you change your mind, you can turn each of the customizations back on through the **Manage Add-ons** dialog box. For more information about resetting IE settings, see [How to Reset Internet Explorer Settings](https://go.microsoft.com/fwlink/p/?LinkId=214528). - -## IE is crashing or seems slow -If you notice that CPU usage is running higher than normal, or that IE is frequently crashing or slowing down, you should check your browser add-ons and video card. By default, IE11 uses graphics processing unit (GPU) rendering mode. However, some outdated video cards and video drivers don't support GPU hardware acceleration. If IE11 determines that your current video card or video driver doesn't support GPU hardware acceleration, it'll use Software Rendering mode. - - **To check your browser add-ons** - -1. Start IE11 in **No Add-ons mode** by running the **Run** command from the **Start** menu, and then typing `iexplore.exe -extoff` into the box. - -2. Check if IE still crashes.

- If the browser doesn't crash, open Internet Explorer for the desktop, click the **Tools** menu, and click **Manage Add-ons**. - -3. Click **Toolbars and Extensions**, click each toolbar or extension, clicking **Disable** to turn off all of the browser extensions and toolbars. - -4. Restart IE11. Go back to the **Manage Add-Ons** window and turn on each item, one-by-one.

- After you turn each item back on, see if IE crashes or slows down. Doing it this way will help you identify the add-on that's causing IE to crash. After you've figured out which add-on was causing the problem, turn it off until you have an update from the manufacturer. - - **To check for Software Rendering mode** - -5. Open Internet Explorer for the desktop, click the **Tools** menu, and then click **Internet Options**. - -6. On the **Advanced** tab, go to the **Accelerated graphics** section, and then turn on Software Rendering mode by choosing the **Use software rendering instead of GPU rendering** box.

- If the **Use software rendering instead of GPU rendering** option is greyed out, it means that your current video card or video driver doesn't support GPU hardware acceleration. For more information, see [Windows 10 Support](https://go.microsoft.com/fwlink/?LinkId=746588). - -## Adaptive streaming and DRM playback don’t work with Windows Server 2012 R2 -IE11 in Windows Server 2012 R2 doesn’t include media features like adaptive streaming or Digital Rights Management (DRM) playback. To add these features, you’ll need to download and install the Media Feature Pack from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=320789), as well as an app that uses PlayReady DRM from the Microsoft Store, such as the Xbox Music app or Xbox Video app. The app must be installed to specifically turn on DRM features, while all other media features are installed with the Media Feature Pack. - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: support +description: Possible solutions to the problems you might encounter after installing IE11, such as crashing or seeming slow, getting into an unusable state, or problems with adaptive streaming and DRM playback. +author: lomayor +ms.prod: ie11 +ms.assetid: c4b75ad3-9c4a-4dd2-9fed-69f776f542e6 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Problems after installing Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 10/16/2017 +--- + + +# Problems after installing Internet Explorer 11 +After you install Internet Explorer 11 in your organization, you might run into the following issues. By following these suggestions, you should be able to fix them. + +## Internet Explorer is in an unusable state +If IE11 gets into an unusable state on an employee's computer, you can use the **Reset Internet Explorer Settings (RIES)** feature to restore the default settings for many of the browser features, including: + +- Search scopes + +- Appearance settings + +- Toolbars + +- ActiveX® controls (resets to the opt-in state, unless they're pre-approved) + +- Branding settings created with IEAK 11 + +RIES does not: + +- Clear the Favorites list, RSS feeds, or Web slices. + +- Reset connection or proxy settings. + +- Affect the applied Administrative Template Group Policy settings. + +RIES turns off all custom toolbars, browser extensions, and customizations installed with IE11. If you change your mind, you can turn each of the customizations back on through the **Manage Add-ons** dialog box. For more information about resetting IE settings, see [How to Reset Internet Explorer Settings](https://go.microsoft.com/fwlink/p/?LinkId=214528). + +## IE is crashing or seems slow +If you notice that CPU usage is running higher than normal, or that IE is frequently crashing or slowing down, you should check your browser add-ons and video card. By default, IE11 uses graphics processing unit (GPU) rendering mode. However, some outdated video cards and video drivers don't support GPU hardware acceleration. If IE11 determines that your current video card or video driver doesn't support GPU hardware acceleration, it'll use Software Rendering mode. + + **To check your browser add-ons** + +1. Start IE11 in **No Add-ons mode** by running the **Run** command from the **Start** menu, and then typing `iexplore.exe -extoff` into the box. + +2. Check if IE still crashes.

+ If the browser doesn't crash, open Internet Explorer for the desktop, click the **Tools** menu, and click **Manage Add-ons**. + +3. Click **Toolbars and Extensions**, click each toolbar or extension, clicking **Disable** to turn off all of the browser extensions and toolbars. + +4. Restart IE11. Go back to the **Manage Add-Ons** window and turn on each item, one-by-one.

+ After you turn each item back on, see if IE crashes or slows down. Doing it this way will help you identify the add-on that's causing IE to crash. After you've figured out which add-on was causing the problem, turn it off until you have an update from the manufacturer. + + **To check for Software Rendering mode** + +5. Open Internet Explorer for the desktop, click the **Tools** menu, and then click **Internet Options**. + +6. On the **Advanced** tab, go to the **Accelerated graphics** section, and then turn on Software Rendering mode by choosing the **Use software rendering instead of GPU rendering** box.

+ If the **Use software rendering instead of GPU rendering** option is greyed out, it means that your current video card or video driver doesn't support GPU hardware acceleration. For more information, see [Windows 10 Support](https://go.microsoft.com/fwlink/?LinkId=746588). + +## Adaptive streaming and DRM playback don’t work with Windows Server 2012 R2 +IE11 in Windows Server 2012 R2 doesn’t include media features like adaptive streaming or Digital Rights Management (DRM) playback. To add these features, you’ll need to download and install the Media Feature Pack from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=320789), as well as an app that uses PlayReady DRM from the Microsoft Store, such as the Xbox Music app or Xbox Video app. The app must be installed to specifically turn on DRM features, while all other media features are installed with the Media Feature Pack. + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md index 40db70828c..f77ef953c0 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md @@ -1,48 +1,48 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Instructions about how to clear all of the sites from your global Enterprise Mode site list. -author: lomayor -ms.prod: ie11 -ms.assetid: 90f38a6c-e0e2-4c93-9a9e-c425eca99e97 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Remove all sites from your Enterprise Mode site list using the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Remove all sites from your Enterprise Mode site list using the Enterprise Mode Site List Manager - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -You can clear all of the sites from your global Enterprise Mode site list. - -**Important**   -This is a permanent removal and erases everything. However, if you determine it was a mistake, and you saved an XML copy of your list, you can add the file again by following the steps in the [Add multiple sites to the Enterprise Mode site list using a file and Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md), depending on your operating system. - - **To clear your compatibility list** - -1. On the **File** menu of the Enterprise Mode Site List Manager, click **Clear list**. - -2. Click **Yes** in the warning message.

Your sites are all cleared from your list. - -## Related topics -- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Instructions about how to clear all of the sites from your global Enterprise Mode site list. +author: lomayor +ms.prod: ie11 +ms.assetid: 90f38a6c-e0e2-4c93-9a9e-c425eca99e97 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Remove all sites from your Enterprise Mode site list using the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Remove all sites from your Enterprise Mode site list using the Enterprise Mode Site List Manager + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +You can clear all of the sites from your global Enterprise Mode site list. + +**Important**   +This is a permanent removal and erases everything. However, if you determine it was a mistake, and you saved an XML copy of your list, you can add the file again by following the steps in the [Add multiple sites to the Enterprise Mode site list using a file and Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md), depending on your operating system. + + **To clear your compatibility list** + +1. On the **File** menu of the Enterprise Mode Site List Manager, click **Clear list**. + +2. Click **Yes** in the warning message.

Your sites are all cleared from your list. + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md index d1c5e4e457..b682c46207 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md +++ b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md @@ -1,42 +1,42 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Instructions about how to remove sites from a local compatibility view list. -author: lomayor -ms.prod: ie11 -ms.assetid: f6ecaa75-ebcb-4f8d-8721-4cd6e73c0ac9 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Remove sites from a local compatibility view list (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Remove sites from a local compatibility view list - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Remove websites that were added to a local compatibility view list by mistake or because they no longer have compatibility problems. - - **To remove sites from a local compatibility view list** - -1. Open Internet Explorer 11, click **Tools**, and then click **Compatibility View Settings**. - -2. Pick the site to remove, and then click **Remove**.

-Sites can only be removed one at a time. If one is removed by mistake, it can be added back using this same box and the **Add** section. - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Instructions about how to remove sites from a local compatibility view list. +author: lomayor +ms.prod: ie11 +ms.assetid: f6ecaa75-ebcb-4f8d-8721-4cd6e73c0ac9 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Remove sites from a local compatibility view list (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Remove sites from a local compatibility view list + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Remove websites that were added to a local compatibility view list by mistake or because they no longer have compatibility problems. + + **To remove sites from a local compatibility view list** + +1. Open Internet Explorer 11, click **Tools**, and then click **Compatibility View Settings**. + +2. Pick the site to remove, and then click **Remove**.

+Sites can only be removed one at a time. If one is removed by mistake, it can be added back using this same box and the **Add** section. + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md index 0331c344b2..6cfccfd925 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md +++ b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md @@ -1,58 +1,58 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Instructions about how to remove sites from a local Enterprise Mode site list. -author: lomayor -ms.prod: ie11 -ms.assetid: c7d6dd0b-e264-42bb-8c9d-ac2f837018d2 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Remove sites from a local Enterprise Mode site list (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Remove sites from a local Enterprise Mode site list - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Remove websites that were added to a local Enterprise Mode site list by mistake or because the sites no longer have compatibility problems. - -**Note**
The changes described in this topic only impact sites added to a local Enterprise Mode site list and not the list of sites deployed to all employees by an administrator. Employees can't delete sites added to the list by an administrator. - -  **To remove single sites from a local Enterprise Mode site list** - -1. Open Internet Explorer 11 and go to the site you want to remove. - -2. Click **Tools**, and then click **Enterprise Mode**.

-The checkmark disappears from next to Enterprise Mode and the site is removed from the list. - -**Note**
If the site is removed by mistake, it can be added back by clicking **Enterprise Mode** again. - - **To remove all sites from a local Enterprise Mode site list** - -1. Open IE11, click **Tools**, and then click **Internet options**. - -2. Click the **Delete** button from the **Browsing history** area. - -3. Click the box next to **Cookies and website data**, and then click **Delete**. - -**Note**
This removes all of the sites from a local Enterprise Mode site list. - -   - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Instructions about how to remove sites from a local Enterprise Mode site list. +author: lomayor +ms.prod: ie11 +ms.assetid: c7d6dd0b-e264-42bb-8c9d-ac2f837018d2 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Remove sites from a local Enterprise Mode site list (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Remove sites from a local Enterprise Mode site list + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Remove websites that were added to a local Enterprise Mode site list by mistake or because the sites no longer have compatibility problems. + +**Note**
The changes described in this topic only impact sites added to a local Enterprise Mode site list and not the list of sites deployed to all employees by an administrator. Employees can't delete sites added to the list by an administrator. + +  **To remove single sites from a local Enterprise Mode site list** + +1. Open Internet Explorer 11 and go to the site you want to remove. + +2. Click **Tools**, and then click **Enterprise Mode**.

+The checkmark disappears from next to Enterprise Mode and the site is removed from the list. + +**Note**
If the site is removed by mistake, it can be added back by clicking **Enterprise Mode** again. + + **To remove all sites from a local Enterprise Mode site list** + +1. Open IE11, click **Tools**, and then click **Internet options**. + +2. Click the **Delete** button from the **Browsing history** area. + +3. Click the box next to **Cookies and website data**, and then click **Delete**. + +**Note**
This removes all of the sites from a local Enterprise Mode site list. + +   + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md index a5617dbc2c..48ead2d656 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md @@ -1,46 +1,46 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: You can save your current Enterprise Mode compatibility site list as an XML file, for distribution and use by your managed systems. -author: lomayor -ms.prod: ie11 -ms.assetid: 254a986b-494f-4316-92c1-b089ee8b3e0a -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Save your site list to XML in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Save your site list to XML in the Enterprise Mode Site List Manager - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -You can save your current Enterprise Mode compatibility site list as an XML file, for distribution and use by your managed systems. - - **To save your list as XML** - -1. On the **File** menu of the Enterprise Mode Site List Manager, click **Save to XML**. - -2. Save the file to the location you specified in your Enterprise Mode registry key, set up when you turned on Enterprise Mode for use in your company. For information about the Enterprise Mode registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).

-The first time a user starts Internet Explorer 11 on a managed device; Internet Explorer will look for a new version of the site list at the specified location. If the browser finds an updated site list, IE downloads the new XML site list and uses it. - -## Related topics -- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: You can save your current Enterprise Mode compatibility site list as an XML file, for distribution and use by your managed systems. +author: lomayor +ms.prod: ie11 +ms.assetid: 254a986b-494f-4316-92c1-b089ee8b3e0a +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Save your site list to XML in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Save your site list to XML in the Enterprise Mode Site List Manager + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +You can save your current Enterprise Mode compatibility site list as an XML file, for distribution and use by your managed systems. + + **To save your list as XML** + +1. On the **File** menu of the Enterprise Mode Site List Manager, click **Save to XML**. + +2. Save the file to the location you specified in your Enterprise Mode registry key, set up when you turned on Enterprise Mode for use in your company. For information about the Enterprise Mode registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).

+The first time a user starts Internet Explorer 11 on a managed device; Internet Explorer will look for a new version of the site list at the specified location. If the browser finds an updated site list, IE downloads the new XML site list and uses it. + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md index 06750c612b..b2a83dc360 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md @@ -1,53 +1,53 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Details about how Administrators can schedule approved change requests for production in the Enterprise Mode Site List Portal. -author: lomayor -ms.prod: ie11 -title: Schedule approved change requests for production using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp -ms.author: lomayor ---- - -# Schedule approved change requests for production using the Enterprise Mode Site List Portal - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -After a change request is approved, the original Requester can schedule the change for the production environment. The change can be immediate or set for a future time. - -**To schedule an immediate change** -1. The Requester logs onto the Enterprise Mode Site List Portal and clicks **In Progress** from the left pane. - -2. The Requester clicks the **Approved** status for the change request. - - The **Schedule changes** page appears. - -3. The Requester clicks **Now**, and then clicks **Save**. - - The update is scheduled to immediately update the production environment, and an email is sent to the Requester. After the update finishes, the Requester is asked to verify the changes. - - -**To schedule the change for a different day or time** -1. The Requester logs onto the Enterprise Mode Site List Portal and clicks **In Progress** from the left pane. - -2. The Requester clicks the **Approved** status for the change request. - - The **Schedule changes** page appears. - -3. The Requester clicks **Schedule**, sets the **Preferred day**, **Preferred start time**, and the **Preferred end time**, and then clicks **Save**. - - The update is scheduled to update the production environment on that day and time and an email is sent to the Requester. After the update finishes, the Requester will be asked to verify the changes. - - -## Next steps -After the update to the production environment completes, the Requester must again test the change. If the testing succeeds, the Requester can sign off on the change request. If the testing fails, the Requester can contact the Administrator group for more help. For the production environment testing steps, see the [Verify the change request update in the production environment using the Enterprise Mode Site List Portal](verify-changes-production-enterprise-mode-portal.md) topic. +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how Administrators can schedule approved change requests for production in the Enterprise Mode Site List Portal. +author: lomayor +ms.prod: ie11 +title: Schedule approved change requests for production using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +--- + +# Schedule approved change requests for production using the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +After a change request is approved, the original Requester can schedule the change for the production environment. The change can be immediate or set for a future time. + +**To schedule an immediate change** +1. The Requester logs onto the Enterprise Mode Site List Portal and clicks **In Progress** from the left pane. + +2. The Requester clicks the **Approved** status for the change request. + + The **Schedule changes** page appears. + +3. The Requester clicks **Now**, and then clicks **Save**. + + The update is scheduled to immediately update the production environment, and an email is sent to the Requester. After the update finishes, the Requester is asked to verify the changes. + + +**To schedule the change for a different day or time** +1. The Requester logs onto the Enterprise Mode Site List Portal and clicks **In Progress** from the left pane. + +2. The Requester clicks the **Approved** status for the change request. + + The **Schedule changes** page appears. + +3. The Requester clicks **Schedule**, sets the **Preferred day**, **Preferred start time**, and the **Preferred end time**, and then clicks **Save**. + + The update is scheduled to update the production environment on that day and time and an email is sent to the Requester. After the update finishes, the Requester will be asked to verify the changes. + + +## Next steps +After the update to the production environment completes, the Requester must again test the change. If the testing succeeds, the Requester can sign off on the change request. If the testing fails, the Requester can contact the Administrator group for more help. For the production environment testing steps, see the [Verify the change request update in the production environment using the Enterprise Mode Site List Portal](verify-changes-production-enterprise-mode-portal.md) topic. diff --git a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md index f78022cc56..985b416947 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md @@ -1,44 +1,44 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Search to see if a specific site already appears in your global Enterprise Mode site list. -author: lomayor -ms.prod: ie11 -ms.assetid: e399aeaf-6c3b-4cad-93c9-813df6ad47f9 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Search your Enterprise Mode site list in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Search your Enterprise Mode site list in the Enterprise Mode Site List Manager - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -You can search to see if a specific site already appears in your global Enterprise Mode site list so you don’t try to add it again. - - **To search your compatibility list** - -- From the Enterprise Mode Site List Manager, type part of the URL into the **Search** box.

- The search query searches all of the text. For example, entering *“micro”* will return results like, www.microsoft.com, microsoft.com, and microsoft.com/images. Wildcard characters aren’t supported. - -## Related topics -- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Search to see if a specific site already appears in your global Enterprise Mode site list. +author: lomayor +ms.prod: ie11 +ms.assetid: e399aeaf-6c3b-4cad-93c9-813df6ad47f9 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Search your Enterprise Mode site list in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Search your Enterprise Mode site list in the Enterprise Mode Site List Manager + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +You can search to see if a specific site already appears in your global Enterprise Mode site list so you don’t try to add it again. + + **To search your compatibility list** + +- From the Enterprise Mode Site List Manager, type part of the URL into the **Search** box.

+ The search query searches all of the text. For example, entering *“micro”* will return results like, www.microsoft.com, microsoft.com, and microsoft.com/images. Wildcard characters aren’t supported. + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md index 09b341577a..829f920161 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md +++ b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md @@ -1,38 +1,38 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: Use the Group Policy setting, Set a default associations configuration file, to set the default browser for your company devices running Windows 10. -author: lomayor -ms.prod: ie11 -ms.assetid: f486c9db-0dc9-4cd6-8a0b-8cb872b1d361 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Set the default browser using Group Policy (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Set the default browser using Group Policy -You can use the Group Policy setting, **Set a default associations configuration file**, to set the default browser for your company devices running Windows 10. - - **To set the default browser as Internet Explorer 11** - -1. Open your Group Policy editor and go to the **Computer Configuration\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** setting.

-Turning this setting on also requires you to create and store a default associations configuration file, locally or on a network share. For more information about creating this file, see [Export or Import Default Application Associations]( https://go.microsoft.com/fwlink/p/?LinkId=618268). - - ![set default associations group policy setting](images/setdefaultbrowsergp.png) - -2. Click **Enabled**, and then in the **Options** area, type the location to your default associations configuration file.

-If this setting is turned on and your employee's device is domain-joined, this file is processed and default associations are applied at logon. If this setting isn't configured or is turned off, or if your employee's device isn't domain-joined, no default associations are applied at logon. - -Your employees can change this setting by changing the Internet Explorer default value from the **Set Default Programs** area of the Control Panel. - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: Use the Group Policy setting, Set a default associations configuration file, to set the default browser for your company devices running Windows 10. +author: lomayor +ms.prod: ie11 +ms.assetid: f486c9db-0dc9-4cd6-8a0b-8cb872b1d361 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Set the default browser using Group Policy (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Set the default browser using Group Policy +You can use the Group Policy setting, **Set a default associations configuration file**, to set the default browser for your company devices running Windows 10. + + **To set the default browser as Internet Explorer 11** + +1. Open your Group Policy editor and go to the **Computer Configuration\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** setting.

+Turning this setting on also requires you to create and store a default associations configuration file, locally or on a network share. For more information about creating this file, see [Export or Import Default Application Associations]( https://go.microsoft.com/fwlink/p/?LinkId=618268). + + ![set default associations group policy setting](images/setdefaultbrowsergp.png) + +2. Click **Enabled**, and then in the **Options** area, type the location to your default associations configuration file.

+If this setting is turned on and your employee's device is domain-joined, this file is processed and default associations are applied at logon. If this setting isn't configured or is turned off, or if your employee's device isn't domain-joined, no default associations are applied at logon. + +Your employees can change this setting by changing the Internet Explorer default value from the **Set Default Programs** area of the Control Panel. + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md index 3d3726d938..ea77e11d87 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md +++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md @@ -1,160 +1,160 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Set up and turn on Enterprise Mode logging and data collection in your organization. -author: lomayor -ms.prod: ie11 -ms.assetid: 2e98a280-f677-422f-ba2e-f670362afcde -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Set up Enterprise Mode logging and data collection (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Set up Enterprise Mode logging and data collection - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Using Group Policy, you can turn on Enterprise Mode for Internet Explorer and then you can turn on local user control using the **Let users turn on and use Enterprise Mode from the Tools menu** setting, located in the `Administrative Templates\Windows Components\Internet Explorer` category path. After you turn this setting on, your users can turn on Enterprise Mode locally, from the IE **Tools** menu. - -![enterprise mode option on the tools menu](images/ie-emie-toolsmenu.png) - -The **Let users turn on and use Enterprise Mode from the Tools menu** setting also lets you decide where to send the user reports (as a URL). We recommend creating a custom HTTP port 81 to let your incoming user information go to a dedicated site. A dedicated site is important so you can quickly pick out the Enterprise Mode traffic from your other website traffic. - -![group policy to turn on enterprise mode](images/ie-emie-grouppolicy.png) - -Getting these reports lets you find out about sites that aren’t working right, so you can add them to your Enterprise Mode site list, without having to locate them all yourself. For more information about creating and using a site list, see the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) topic, based on your operating system. - -## Using ASP to collect your data -When you turn logging on, you need a valid URL that points to a server that can be listened to for updates to a user’s registry key. This means you need to set up an endpoint server for the incoming POST messages, which are sent every time the user turns Enterprise Mode on or off from the **Tools** menu. - - **To set up an endpoint server** - -1. Configure an IIS server to work with your Enterprise Mode data collection process. If you’re unsure how to set up IIS, see the [IIS installation webpage](https://go.microsoft.com/fwlink/p/?LinkId=507609). - -2. Open Internet Information Services (IIS) and turn on the ASP components from the **Add Roles and Features Wizard**, **Server Roles** page.

- This lets you create an ASP form that accepts the incoming POST messages. - -3. Open the Internet Information Services (IIS) Manager, click **Bindings**, highlight **Port 81**, click **Edit**, and then change the website information to point to Port 81 so it matches your custom-created port. - - ![IIS Manager, editing website bindings](images/ie-emie-editbindings.png) - -4. Open the **Logging** feature, pick **W3C** for the format, and click **Select Fields** to open the **W3C Logging Fields** box. - - ![IIS Manager, setting logging options](images/ie-emie-logging.png) - -5. Change the WC3 logging fields to include only the **Date**, **Client IP**, **User Name**, and **URI Query** standard fields, and then click **OK**.

- Using only these fields keeps the log file simple, giving you the date, client IP address, and the website URI information for any site changed by your users. - -6. Apply these changes to your default website and close the IIS Manager. - -7. Put your EmIE.asp file into the root of the web server, using this command: - - ``` - <% @ LANGUAGE=javascript %> - <% - Response.AppendToLog(" ;" + Request.Form("URL") + " ;" + Request.Form("EnterpriseMode")); - %> - ``` - This code logs your POST fields to your IIS log file, where you can review all of the collected data. - - -### IIS log file information -This is what your log files will look like after you set everything up and at least one of your users has turned on Enterprise Mode locally from the **Tools** menu. You can see the URL of the problematic website and client IP address of the user that turned on Enterprise Mode. - -![Enterprise Mode log file](images/ie-emie-logfile.png) - - -## Using the GitHub sample to collect your data -Microsoft has created the [EMIE-Data-Collection_Sample](https://go.microsoft.com/fwlink/p/?LinkId=507401) that shows how to collect your Enterprise Mode reports. This sample only shows how to collect data, it doesn’t show how to aggregate the data into your Enterprise Mode site list.

-This sample starts with you turning on Enterprise Mode and logging (either through Group Policy, or by manually setting the EnterpriseMode registry key) so that your users can use Enterprise Mode locally. For the steps to do this, go to [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). - -**Note**
If you decide to manually change the registry key, you can change the **Enable** setting to `[deployment url]/api/records/`, which automatically sends your reports to this page. - -### Setting up, collecting, and viewing reports -For logging, you’re going to need a valid URL that points to a server that can be listened to for updates to a user’s registry key. This means you need to set up an endpoint server for the incoming POST messages, which are sent every time the user turns Enterprise Mode on or off from the **Tools** menu. These POST messages go into your database, aggregating the report data by URL, giving you the total number of reports where users turned on Enterprise Mode, the total number of reports where users turned off Enterprise Mode, and the date of the last report. - - **To set up the sample** - -1. Set up a server to collect your Enterprise Mode information from your users. - -2. Go to the Internet Explorer/[EMIE-Data_Collection_Sample](https://go.microsoft.com/fwlink/p/?LinkId=507401) page on GitHub and tap or click the **Download ZIP** button to download the complete project. - -3. Open Microsoft Visual Studio 2013 with Update 2, and then open the PhoneHomeSample.sln file. - -4. On the **Build** menu, tap or click **Build Solution**.

- The required packages are automatically downloaded and included in the solution. - - **To set up your endpoint server** - -5. Right-click on the name, PhoneHomeSample, and click **Publish**. - - ![Visual Studio, Publish menu](images/ie-emie-publishsolution.png) - -6. In the **Publish Web** wizard, pick the publishing target and options that work for your organization. - - **Important**
- Make sure you have a database associated with your publishing target. Otherwise, your reports won’t be collected and you’ll have problems deploying the website.  - - ![Visual Studio, Publish Web wizard](images/ie-emie-publishweb.png) - - After you finish the publishing process, you need to test to make sure the app deployed successfully. - - **To test, deploy, and use the app** - -7. Open a registry editor on the computer where you deployed the app, go to the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode` key, and change the **Enable** string to: - - ``` "Enable"="https:///api/records/" - ``` - Where `` points to your deployment URL. - -8. After you’re sure your deployment works, you can deploy it to your users using one of the following: - - - Turn on the **Let users turn on and use Enterprise Mode from the Tools menu** Group Policy setting, putting your `` information into the **Options** box. - - - Deploy the registry key in Step 3 using System Center or other management software. - -9. Get your users to visit websites, turning Enterprise Mode on or off locally, as necessary. - - **To view the report results** - -- Go to `https:///List` to see the report results.

-If you’re already on the webpage, you’ll need to refresh the page to see the results. - - ![Enterprise Mode Result report with details](images/ie-emie-reportwdetails.png) - - -### Troubleshooting publishing errors -If you have errors while you’re publishing your project, you should try to update your packages. - - **To update your packages** - -1. From the **Tools** menu of Microsoft Visual Studio, click **NuGet Package Manager**, and click **Manage NuGet Packages for Solution**. - - ![Nuget Package Manager for package updates](images/ie-emie-packageupdate.png) - -2. Click **Updates** on the left side of the tool, and click the **Update All** button.

-You may need to do some additional package cleanup to remove older package versions. - -## Related topics -- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) -- [What is Enterprise Mode?](what-is-enterprise-mode.md) -- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) -- [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md) - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Set up and turn on Enterprise Mode logging and data collection in your organization. +author: lomayor +ms.prod: ie11 +ms.assetid: 2e98a280-f677-422f-ba2e-f670362afcde +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Set up Enterprise Mode logging and data collection (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Set up Enterprise Mode logging and data collection + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Using Group Policy, you can turn on Enterprise Mode for Internet Explorer and then you can turn on local user control using the **Let users turn on and use Enterprise Mode from the Tools menu** setting, located in the `Administrative Templates\Windows Components\Internet Explorer` category path. After you turn this setting on, your users can turn on Enterprise Mode locally, from the IE **Tools** menu. + +![enterprise mode option on the tools menu](images/ie-emie-toolsmenu.png) + +The **Let users turn on and use Enterprise Mode from the Tools menu** setting also lets you decide where to send the user reports (as a URL). We recommend creating a custom HTTP port 81 to let your incoming user information go to a dedicated site. A dedicated site is important so you can quickly pick out the Enterprise Mode traffic from your other website traffic. + +![group policy to turn on enterprise mode](images/ie-emie-grouppolicy.png) + +Getting these reports lets you find out about sites that aren’t working right, so you can add them to your Enterprise Mode site list, without having to locate them all yourself. For more information about creating and using a site list, see the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) topic, based on your operating system. + +## Using ASP to collect your data +When you turn logging on, you need a valid URL that points to a server that can be listened to for updates to a user’s registry key. This means you need to set up an endpoint server for the incoming POST messages, which are sent every time the user turns Enterprise Mode on or off from the **Tools** menu. + + **To set up an endpoint server** + +1. Configure an IIS server to work with your Enterprise Mode data collection process. If you’re unsure how to set up IIS, see the [IIS installation webpage](https://go.microsoft.com/fwlink/p/?LinkId=507609). + +2. Open Internet Information Services (IIS) and turn on the ASP components from the **Add Roles and Features Wizard**, **Server Roles** page.

+ This lets you create an ASP form that accepts the incoming POST messages. + +3. Open the Internet Information Services (IIS) Manager, click **Bindings**, highlight **Port 81**, click **Edit**, and then change the website information to point to Port 81 so it matches your custom-created port. + + ![IIS Manager, editing website bindings](images/ie-emie-editbindings.png) + +4. Open the **Logging** feature, pick **W3C** for the format, and click **Select Fields** to open the **W3C Logging Fields** box. + + ![IIS Manager, setting logging options](images/ie-emie-logging.png) + +5. Change the WC3 logging fields to include only the **Date**, **Client IP**, **User Name**, and **URI Query** standard fields, and then click **OK**.

+ Using only these fields keeps the log file simple, giving you the date, client IP address, and the website URI information for any site changed by your users. + +6. Apply these changes to your default website and close the IIS Manager. + +7. Put your EmIE.asp file into the root of the web server, using this command: + + ``` + <% @ LANGUAGE=javascript %> + <% + Response.AppendToLog(" ;" + Request.Form("URL") + " ;" + Request.Form("EnterpriseMode")); + %> + ``` + This code logs your POST fields to your IIS log file, where you can review all of the collected data. + + +### IIS log file information +This is what your log files will look like after you set everything up and at least one of your users has turned on Enterprise Mode locally from the **Tools** menu. You can see the URL of the problematic website and client IP address of the user that turned on Enterprise Mode. + +![Enterprise Mode log file](images/ie-emie-logfile.png) + + +## Using the GitHub sample to collect your data +Microsoft has created the [EMIE-Data-Collection_Sample](https://go.microsoft.com/fwlink/p/?LinkId=507401) that shows how to collect your Enterprise Mode reports. This sample only shows how to collect data, it doesn’t show how to aggregate the data into your Enterprise Mode site list.

+This sample starts with you turning on Enterprise Mode and logging (either through Group Policy, or by manually setting the EnterpriseMode registry key) so that your users can use Enterprise Mode locally. For the steps to do this, go to [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). + +**Note**
If you decide to manually change the registry key, you can change the **Enable** setting to `[deployment url]/api/records/`, which automatically sends your reports to this page. + +### Setting up, collecting, and viewing reports +For logging, you’re going to need a valid URL that points to a server that can be listened to for updates to a user’s registry key. This means you need to set up an endpoint server for the incoming POST messages, which are sent every time the user turns Enterprise Mode on or off from the **Tools** menu. These POST messages go into your database, aggregating the report data by URL, giving you the total number of reports where users turned on Enterprise Mode, the total number of reports where users turned off Enterprise Mode, and the date of the last report. + + **To set up the sample** + +1. Set up a server to collect your Enterprise Mode information from your users. + +2. Go to the Internet Explorer/[EMIE-Data_Collection_Sample](https://go.microsoft.com/fwlink/p/?LinkId=507401) page on GitHub and tap or click the **Download ZIP** button to download the complete project. + +3. Open Microsoft Visual Studio 2013 with Update 2, and then open the PhoneHomeSample.sln file. + +4. On the **Build** menu, tap or click **Build Solution**.

+ The required packages are automatically downloaded and included in the solution. + + **To set up your endpoint server** + +5. Right-click on the name, PhoneHomeSample, and click **Publish**. + + ![Visual Studio, Publish menu](images/ie-emie-publishsolution.png) + +6. In the **Publish Web** wizard, pick the publishing target and options that work for your organization. + + **Important**
+ Make sure you have a database associated with your publishing target. Otherwise, your reports won’t be collected and you’ll have problems deploying the website.  + + ![Visual Studio, Publish Web wizard](images/ie-emie-publishweb.png) + + After you finish the publishing process, you need to test to make sure the app deployed successfully. + + **To test, deploy, and use the app** + +7. Open a registry editor on the computer where you deployed the app, go to the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode` key, and change the **Enable** string to: + + ``` "Enable"="https:///api/records/" + ``` + Where `` points to your deployment URL. + +8. After you’re sure your deployment works, you can deploy it to your users using one of the following: + + - Turn on the **Let users turn on and use Enterprise Mode from the Tools menu** Group Policy setting, putting your `` information into the **Options** box. + + - Deploy the registry key in Step 3 using System Center or other management software. + +9. Get your users to visit websites, turning Enterprise Mode on or off locally, as necessary. + + **To view the report results** + +- Go to `https:///List` to see the report results.

+If you’re already on the webpage, you’ll need to refresh the page to see the results. + + ![Enterprise Mode Result report with details](images/ie-emie-reportwdetails.png) + + +### Troubleshooting publishing errors +If you have errors while you’re publishing your project, you should try to update your packages. + + **To update your packages** + +1. From the **Tools** menu of Microsoft Visual Studio, click **NuGet Package Manager**, and click **Manage NuGet Packages for Solution**. + + ![Nuget Package Manager for package updates](images/ie-emie-packageupdate.png) + +2. Click **Updates** on the left side of the tool, and click the **Update All** button.

+You may need to do some additional package cleanup to remove older package versions. + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [What is Enterprise Mode?](what-is-enterprise-mode.md) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) +- [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md) + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md index 872071fdf8..469464c98f 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md @@ -1,227 +1,227 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Details about how to set up the Enterprise Mode Site List Portal for your organization. -author: lomayor -ms.prod: ie11 -title: Set up the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp -ms.author: lomayor ---- - -# Set up the Enterprise Mode Site List Portal - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -The Enterprise Mode Site List Portal is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management. Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later. - -Before you can begin using the Enterprise Mode Site List Portal, you must set up your environment. - -## Step 1 - Copy the deployment folder to the web server -You must download the deployment folder (**EMIEWebPortal/**), which includes all of the source code for the website, from the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) site to your web server. - -**To download the source code** -1. Download the deployment folder from the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) source code to your web server. - -2. Install the Node.js® package manager, [npm](https://www.npmjs.com/). - - >[!Note] - >You need to install the npm package manager to replace all the third-party libraries we removed to make the Enterprise Mode Site List Portal open-source. - -3. Open File Explorer and then open the **EMIEWebPortal/** folder. - -4. Press and hold **Shift**, right-click the window, then click **Open PowerShell window here**. - -5. Type _npm i_ into the command prompt, then press **Enter**. - - Installs the npm package manager and bulk adds all the third-party libraries back into your codebase. - -6. Go back up a directory, open the solution file **EMIEWebPortal.sln** in Visual Studio, open **Web.config** from **EMIEWebPortal/** folder, and replace MSIT-LOB-COMPAT with your server name hosting your database, replace LOBMerged with your database name, and build the entire solution. - - >[!Note] - >Step 3 of this topic provides the steps to create your database. - -7. Copy the contents of the **EMIEWebPortal/** folder to a dedicated folder on your file system. For example, _D:\EMIEWebApp_. In a later step, you'll designate this folder as your website in the IIS Manager. - -## Step 2 - Create the Application Pool and website, by using IIS -Create a new Application Pool and the website, by using the IIS Manager. - -**To create a new Application Pool** -1. In IIS Manager, expand your local computer in the **Connections** pane, right-click **Application Pools**, then click **Add Application Pool**. - - The **Add Application Pool** box appears. - -2. In the **Add Application Pool** box, enter the following info: - - - **Name.** Type the name of your new application pool. For example, _EMIEWebAppPool_. - - - **.NET CLR version.** Pick the version of .NET CLR used by your application pool from the drop-down box. It must be version 4.0 or higher. - - - **Managed pipeline mode.** Pick **Integrated** from the drop-down box. IIS uses the integrated IIS and ASP.NET request-processing pipeline for managed content. - -3. Click **OK**. - -4. Select your new application pool from the **Application Pool** pane, click **Advanced Settings** from the **Edit Application Pool** area of the **Actions** pane. - - The **Advanced Settings** box appears. - -5. Make sure your **Identity** value is **ApplicationPoolIdentity**, click **OK**, and then close the box. - -6. Open File Explorer and go to your deployment directory, created in Step 1. For example, _D:\EMIEWebApp_. - -7. Right-click on the directory, click **Properties**, and then click the **Security** tab. - -8. Add your new application pool to the list (for example, _IIS AppPool\EMIEWebAppPool_) with **Full control access**, making sure the location searches the local computer. - -9. Add **Everyone** to the list with **Read & execute access**. - -**To create the website** -1. In IIS Manager, expand your local computer in the **Connections** pane, right-click **Sites**, then click **Add Website**. - - The **Add Website** box appears. - -2. In the **Add Website** box, type the name of your website into the **Site name** box. For example, _EMIEWebApp_, and then click **Select**. - - The **Select Application Pool** box appears. - -4. Pick the name of the application pool created earlier in this step, and then click **OK**. For example, _EMIEWebAppPool_. - -5. In the **Physical path** box, browse to your folder that contains your deployment directory. For example, _D:\EMIEWebApp_. - -6. Set up your **Binding**, including your **Binding Type**, **IP address**, and **Port**, as appropriate for your organization. - -7. Clear the **Start Website immediately** check box, and then click **OK**. - -8. In IIS Manager, expand your local computer, and then double-click your new website. For example, _EMIEWebApp_. - - The **<website_name> Home** pane appears. - -9. Double-click the **Authentication** icon, right-click on **Windows Authentication**, and then click **Enable**. - - >[!Note] - >You must also make sure that **Anonymous Authentication** is marked as **Enabled**. - -## Step 3 - Create and prep your database -Create a SQL Server database and run our custom query to create the Enterprise Mode Site List tables. - -**To create and prep your database** -1. Start SQL Server Management Studio. - -2. Open **Object Explorer** and then connect to an instance of the SQL Server Database Engine. - -3. Expand the instance, right-click on **Databases**, and then click **New Database**. - -4. Type a database name. For example, _EMIEDatabase_. - -5. Leave all default values for the database files, and then click **OK**. - -6. Open the **DatabaseScripts/Create DB Tables/1_CreateEMIETables.sql** query file, located in the deployment directory. - -7. Replace the database name placeholder with the database name you created earlier. For example, _EMIEDatabase_. - -8. Run the query. - -## Step 4 - Map your Application Pool to a SQL Server role -Map your ApplicationPoolIdentity to your database, adding the db_owner role. - -**To map your ApplicationPoolIdentity to a SQL Server role** -1. Start SQL Server Management Studio and connect to your database. - -2. Expand the database instance and then open the server-level **Security** folder. - - > [!IMPORTANT] - > Make sure you open the **Security** folder at the server level and not for the database. - -3. Right-click **Logins**, and then click **New Login**. - - The **Login-New** dialog box appears. - -4. Type the following into the **Login name** box, based on your server instance type: - - - **Local SQL Server instance.** If you have a local SQL Server instance, where IIS and SQL Server are on the same server, type the name of your Application Pool. For example, _IIS AppPool\EMIEWebAppPool_. - - - **Remote SQL Server instance.** If you have a remote SQL Server instance, where IIS and SQL Server are on different servers, type `Domain\ServerName$`. - - > [!IMPORTANT] - > Don't click **Search** in the **Login name** box. Login name searches will resolve to a ServerName\AppPool Name account and SQL Server Management Studio won't be able to resolve the account's virtual Security ID (SID). - -5. Click **User Mapping** from the **Select a page** pane, click the checkbox for your database (for example, _EMIEDatabase_) from the **Users mapped to this login** pane, and then click **db_owner** from the list of available roles in the **Database role membership** pane. - -6. Click **OK**. - -## Step 5 - Restart the Application Pool and website -Using the IIS Manager, you must restart both your Application Pool and your website. - -**To restart your Application Pool and website** -1. In IIS Manager, expand your local computer in the **Connections** pane, select your website, then click **Restart** from the **Manage Website** pane. - -2. In the **Connections** pane, select your Application Pool, and then click **Recycle** from the **Application Pool Tasks** pane. - -## Step 6 - Registering as an administrator -After you've created your database and website, you'll need to register yourself (or another employee) as an administrator for the Enterprise Mode Site List Portal. - -**To register as an administrator** -1. Open Microsoft Edge and type your website URL into the Address bar. For example, https://emieportal:8085. - -2. Click **Register now**. - -3. Type your name or alias into the **Email** box, making sure it matches the info in the drop-down box. - -4. Click **Administrator** from the **Role** box, and then click **Save**. - -5. Append your website URL with `/#/EMIEAdminConsole` in the Address bar to go to your administrator console. For example, https://emieportal:8085/#/EMIEAdminConsole. - - A dialog box appears, prompting you for the system user name and password. The default user name is EMIEAdmin and the default password is Admin123. We strongly recommend that you change the password by using the **Change password** link as soon as you're done with your first visit. - -6. Select your name from the available list, and then click **Activate**. - -7. Go to the Enterprise Mode Site List Portal Home page and sign in. - -## Step 7 - Configure the SMTP server and port for email notification -After you've set up the portal, you need to configure your SMTP server and port for email notifications from the system. - -**To set up your SMTP server and port for emails** -1. Open Visual Studio, and then open the web.config file from your deployment directory. - -2. Update the SMTP server and port info with your info, using this format: - - ``` - - - ``` -3. Open the **Settings** page in the Enterprise Mode Site List Portal, and then update the email account and password info. - -## Step 8 - Register the scheduler service -Register the EMIEScheduler tool and service for production site list changes. - -**To register the scheduler service** - -1. Open File Explorer and go to EMIEWebPortal.SchedulerService\EMIEWebPortal.SchedulerService in your deployment directory, and then copy the **App_Data**, **bin**, and **Logs** folders to a separate folder. For example, C:\EMIEService\. - - >[!Important] - >If you can't find the **bin** and **Logs** folders, you probably haven't built the Visual Studio solution. Building the solution creates the folders and files. - -2. In Visual Studio start the Developer Command Prompt as an administrator, and then change the directory to the location of the InstallUtil.exe file. For example, _C:\Windows\Microsoft.NET\Framework\v4.0.30319_. - -3. Run the command, `InstallUtil ""`. For example, _InstallUtil "C:\EMIEService\bin\Debug\EMIEWebPortal.SchedulerService.exe"._ - - You'll be asked for your user name and password for the service. - -4. Open the **Run** command, type `Services.msc`, and then start the EMIEScheduler service. - -## Related topics -- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) - -- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md) - -- [Use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md) +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how to set up the Enterprise Mode Site List Portal for your organization. +author: lomayor +ms.prod: ie11 +title: Set up the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +--- + +# Set up the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +The Enterprise Mode Site List Portal is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management. Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later. + +Before you can begin using the Enterprise Mode Site List Portal, you must set up your environment. + +## Step 1 - Copy the deployment folder to the web server +You must download the deployment folder (**EMIEWebPortal/**), which includes all of the source code for the website, from the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) site to your web server. + +**To download the source code** +1. Download the deployment folder from the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) source code to your web server. + +2. Install the Node.js® package manager, [npm](https://www.npmjs.com/). + + >[!Note] + >You need to install the npm package manager to replace all the third-party libraries we removed to make the Enterprise Mode Site List Portal open-source. + +3. Open File Explorer and then open the **EMIEWebPortal/** folder. + +4. Press and hold **Shift**, right-click the window, then click **Open PowerShell window here**. + +5. Type _npm i_ into the command prompt, then press **Enter**. + + Installs the npm package manager and bulk adds all the third-party libraries back into your codebase. + +6. Go back up a directory, open the solution file **EMIEWebPortal.sln** in Visual Studio, open **Web.config** from **EMIEWebPortal/** folder, and replace MSIT-LOB-COMPAT with your server name hosting your database, replace LOBMerged with your database name, and build the entire solution. + + >[!Note] + >Step 3 of this topic provides the steps to create your database. + +7. Copy the contents of the **EMIEWebPortal/** folder to a dedicated folder on your file system. For example, _D:\EMIEWebApp_. In a later step, you'll designate this folder as your website in the IIS Manager. + +## Step 2 - Create the Application Pool and website, by using IIS +Create a new Application Pool and the website, by using the IIS Manager. + +**To create a new Application Pool** +1. In IIS Manager, expand your local computer in the **Connections** pane, right-click **Application Pools**, then click **Add Application Pool**. + + The **Add Application Pool** box appears. + +2. In the **Add Application Pool** box, enter the following info: + + - **Name.** Type the name of your new application pool. For example, _EMIEWebAppPool_. + + - **.NET CLR version.** Pick the version of .NET CLR used by your application pool from the drop-down box. It must be version 4.0 or higher. + + - **Managed pipeline mode.** Pick **Integrated** from the drop-down box. IIS uses the integrated IIS and ASP.NET request-processing pipeline for managed content. + +3. Click **OK**. + +4. Select your new application pool from the **Application Pool** pane, click **Advanced Settings** from the **Edit Application Pool** area of the **Actions** pane. + + The **Advanced Settings** box appears. + +5. Make sure your **Identity** value is **ApplicationPoolIdentity**, click **OK**, and then close the box. + +6. Open File Explorer and go to your deployment directory, created in Step 1. For example, _D:\EMIEWebApp_. + +7. Right-click on the directory, click **Properties**, and then click the **Security** tab. + +8. Add your new application pool to the list (for example, _IIS AppPool\EMIEWebAppPool_) with **Full control access**, making sure the location searches the local computer. + +9. Add **Everyone** to the list with **Read & execute access**. + +**To create the website** +1. In IIS Manager, expand your local computer in the **Connections** pane, right-click **Sites**, then click **Add Website**. + + The **Add Website** box appears. + +2. In the **Add Website** box, type the name of your website into the **Site name** box. For example, _EMIEWebApp_, and then click **Select**. + + The **Select Application Pool** box appears. + +4. Pick the name of the application pool created earlier in this step, and then click **OK**. For example, _EMIEWebAppPool_. + +5. In the **Physical path** box, browse to your folder that contains your deployment directory. For example, _D:\EMIEWebApp_. + +6. Set up your **Binding**, including your **Binding Type**, **IP address**, and **Port**, as appropriate for your organization. + +7. Clear the **Start Website immediately** check box, and then click **OK**. + +8. In IIS Manager, expand your local computer, and then double-click your new website. For example, _EMIEWebApp_. + + The **<website_name> Home** pane appears. + +9. Double-click the **Authentication** icon, right-click on **Windows Authentication**, and then click **Enable**. + + >[!Note] + >You must also make sure that **Anonymous Authentication** is marked as **Enabled**. + +## Step 3 - Create and prep your database +Create a SQL Server database and run our custom query to create the Enterprise Mode Site List tables. + +**To create and prep your database** +1. Start SQL Server Management Studio. + +2. Open **Object Explorer** and then connect to an instance of the SQL Server Database Engine. + +3. Expand the instance, right-click on **Databases**, and then click **New Database**. + +4. Type a database name. For example, _EMIEDatabase_. + +5. Leave all default values for the database files, and then click **OK**. + +6. Open the **DatabaseScripts/Create DB Tables/1_CreateEMIETables.sql** query file, located in the deployment directory. + +7. Replace the database name placeholder with the database name you created earlier. For example, _EMIEDatabase_. + +8. Run the query. + +## Step 4 - Map your Application Pool to a SQL Server role +Map your ApplicationPoolIdentity to your database, adding the db_owner role. + +**To map your ApplicationPoolIdentity to a SQL Server role** +1. Start SQL Server Management Studio and connect to your database. + +2. Expand the database instance and then open the server-level **Security** folder. + + > [!IMPORTANT] + > Make sure you open the **Security** folder at the server level and not for the database. + +3. Right-click **Logins**, and then click **New Login**. + + The **Login-New** dialog box appears. + +4. Type the following into the **Login name** box, based on your server instance type: + + - **Local SQL Server instance.** If you have a local SQL Server instance, where IIS and SQL Server are on the same server, type the name of your Application Pool. For example, _IIS AppPool\EMIEWebAppPool_. + + - **Remote SQL Server instance.** If you have a remote SQL Server instance, where IIS and SQL Server are on different servers, type `Domain\ServerName$`. + + > [!IMPORTANT] + > Don't click **Search** in the **Login name** box. Login name searches will resolve to a ServerName\AppPool Name account and SQL Server Management Studio won't be able to resolve the account's virtual Security ID (SID). + +5. Click **User Mapping** from the **Select a page** pane, click the checkbox for your database (for example, _EMIEDatabase_) from the **Users mapped to this login** pane, and then click **db_owner** from the list of available roles in the **Database role membership** pane. + +6. Click **OK**. + +## Step 5 - Restart the Application Pool and website +Using the IIS Manager, you must restart both your Application Pool and your website. + +**To restart your Application Pool and website** +1. In IIS Manager, expand your local computer in the **Connections** pane, select your website, then click **Restart** from the **Manage Website** pane. + +2. In the **Connections** pane, select your Application Pool, and then click **Recycle** from the **Application Pool Tasks** pane. + +## Step 6 - Registering as an administrator +After you've created your database and website, you'll need to register yourself (or another employee) as an administrator for the Enterprise Mode Site List Portal. + +**To register as an administrator** +1. Open Microsoft Edge and type your website URL into the Address bar. For example, https://emieportal:8085. + +2. Click **Register now**. + +3. Type your name or alias into the **Email** box, making sure it matches the info in the drop-down box. + +4. Click **Administrator** from the **Role** box, and then click **Save**. + +5. Append your website URL with `/#/EMIEAdminConsole` in the Address bar to go to your administrator console. For example, https://emieportal:8085/#/EMIEAdminConsole. + + A dialog box appears, prompting you for the system user name and password. The default user name is EMIEAdmin and the default password is Admin123. We strongly recommend that you change the password by using the **Change password** link as soon as you're done with your first visit. + +6. Select your name from the available list, and then click **Activate**. + +7. Go to the Enterprise Mode Site List Portal Home page and sign in. + +## Step 7 - Configure the SMTP server and port for email notification +After you've set up the portal, you need to configure your SMTP server and port for email notifications from the system. + +**To set up your SMTP server and port for emails** +1. Open Visual Studio, and then open the web.config file from your deployment directory. + +2. Update the SMTP server and port info with your info, using this format: + + ``` + + + ``` +3. Open the **Settings** page in the Enterprise Mode Site List Portal, and then update the email account and password info. + +## Step 8 - Register the scheduler service +Register the EMIEScheduler tool and service for production site list changes. + +**To register the scheduler service** + +1. Open File Explorer and go to EMIEWebPortal.SchedulerService\EMIEWebPortal.SchedulerService in your deployment directory, and then copy the **App_Data**, **bin**, and **Logs** folders to a separate folder. For example, C:\EMIEService\. + + >[!Important] + >If you can't find the **bin** and **Logs** folders, you probably haven't built the Visual Studio solution. Building the solution creates the folders and files. + +2. In Visual Studio start the Developer Command Prompt as an administrator, and then change the directory to the location of the InstallUtil.exe file. For example, _C:\Windows\Microsoft.NET\Framework\v4.0.30319_. + +3. Run the command, `InstallUtil ""`. For example, _InstallUtil "C:\EMIEService\bin\Debug\EMIEWebPortal.SchedulerService.exe"._ + + You'll be asked for your user name and password for the service. + +4. Open the **Run** command, type `Services.msc`, and then start the EMIEScheduler service. + +## Related topics +- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) + +- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md) + +- [Use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md) diff --git a/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md index 155feca2cc..2e0ad0a745 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md @@ -1,66 +1,66 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: support -ms.pagetype: appcompat -description: Reviewing log files to learn more about potential setup problems with Internet Explorer 11. -author: lomayor -ms.prod: ie11 -ms.assetid: 2cd79988-17d1-4317-bee9-b3ae2dd110a0 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Setup problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Setup problems with Internet Explorer 11 -Installing Internet Explorer creates the following log files, which are stored in the Windows installation folder (typically, the C:\\Windows folder): - -- `IE11_main.log` - -- `IE11_NR_Setup.log` - -- `IE11_uninst.log` - -- `cbs*.log` - -- `WU_ IE11_LangPacks.log` - -These log files continuously record the entire process from the moment the IE setup program starts running until the last .cab file is downloaded, including error codes. The possible error codes are: - -|Error code |Description | -|-----------|-------------------------------------------| -|0 |Success | -|1460 |Timeout | -|3010 |Success, reboot required | -|40001 |USER_ERROR_CANNOT_OPEN_LOG_FILE | -|40003 |USER_ERROR_CANNOT_INITIALIZE_APPLICATION | -|40004 |USER_ERROR_OLD_OS_VERSION | -|40005 |USER_ERROR_WRONG_PLATFORM | -|40006 |USER_ERROR_BAD_SPVERSION | -|40007 |USER_ERROR_MISSING_REQUIRED_PREREQUISITE | -|40008 |USER_ERROR_IE_GREATERVERSION_INSTALLED | -|40010 |USER_ERROR_BAD_LANGUAGE | -|40012 |USER_ERROR_CRYPTO_VALIDATION_FAILED | -|40013 |USER_ERROR_ALREADY_INSTALLED | -|40015 |USER_ERROR_WRONG_OS | -|40016 |USER_ERROR_EXTRACTION_FAILED | -|40019 |USER_ERROR_WINDOWS_PRERELEASE_NOT_SUPPORTED | -|40021 |USER_ERROR_UNSUPPORTED_VIDEO_HARDWARE | -|40022 |USER_ERROR_UNSUPPORTED_VIDEO_DRIVER | -|40023 |USER_ERROR_PREREQUISITE_INSTALL_FAILED | -|40024 |USER_ERROR_NEUTRAL_CAB_DOWNLOAD_FAILED | -|40025 |USER_ERROR_NEUTRAL_CAB_INSTALL_FAILED | -|41001 |USER_ERROR_UNKNOWN | -|50005 |USER_SUCCESS_USER_CANCELLED | - -  - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: support +ms.pagetype: appcompat +description: Reviewing log files to learn more about potential setup problems with Internet Explorer 11. +author: lomayor +ms.prod: ie11 +ms.assetid: 2cd79988-17d1-4317-bee9-b3ae2dd110a0 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Setup problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Setup problems with Internet Explorer 11 +Installing Internet Explorer creates the following log files, which are stored in the Windows installation folder (typically, the C:\\Windows folder): + +- `IE11_main.log` + +- `IE11_NR_Setup.log` + +- `IE11_uninst.log` + +- `cbs*.log` + +- `WU_ IE11_LangPacks.log` + +These log files continuously record the entire process from the moment the IE setup program starts running until the last .cab file is downloaded, including error codes. The possible error codes are: + +|Error code |Description | +|-----------|-------------------------------------------| +|0 |Success | +|1460 |Timeout | +|3010 |Success, reboot required | +|40001 |USER_ERROR_CANNOT_OPEN_LOG_FILE | +|40003 |USER_ERROR_CANNOT_INITIALIZE_APPLICATION | +|40004 |USER_ERROR_OLD_OS_VERSION | +|40005 |USER_ERROR_WRONG_PLATFORM | +|40006 |USER_ERROR_BAD_SPVERSION | +|40007 |USER_ERROR_MISSING_REQUIRED_PREREQUISITE | +|40008 |USER_ERROR_IE_GREATERVERSION_INSTALLED | +|40010 |USER_ERROR_BAD_LANGUAGE | +|40012 |USER_ERROR_CRYPTO_VALIDATION_FAILED | +|40013 |USER_ERROR_ALREADY_INSTALLED | +|40015 |USER_ERROR_WRONG_OS | +|40016 |USER_ERROR_EXTRACTION_FAILED | +|40019 |USER_ERROR_WINDOWS_PRERELEASE_NOT_SUPPORTED | +|40021 |USER_ERROR_UNSUPPORTED_VIDEO_HARDWARE | +|40022 |USER_ERROR_UNSUPPORTED_VIDEO_DRIVER | +|40023 |USER_ERROR_PREREQUISITE_INSTALL_FAILED | +|40024 |USER_ERROR_NEUTRAL_CAB_DOWNLOAD_FAILED | +|40025 |USER_ERROR_NEUTRAL_CAB_INSTALL_FAILED | +|41001 |USER_ERROR_UNKNOWN | +|50005 |USER_SUCCESS_USER_CANCELLED | + +  + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md index b04869b6fe..66bf4edda5 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md @@ -1,61 +1,61 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Lists the minimum system requirements and supported languages for Internet Explorer 11. -author: lomayor -ms.prod: ie11 -ms.assetid: 27185e3d-c486-4e4a-9c51-5cb317c0006d -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: System requirements and language support for Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# System requirements and language support for Internet Explorer 11 (IE11) - -**Applies to:** - -- Windows 10 -- Windows 8.1 Update -- Windows 7 with Service Pack 1 (SP1) -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Internet Explorer 11 is available for a number of systems and languages. This topic provides info about the minimum system requirements and language support. - -## Minimum system requirements for IE11 -IE11 is pre-installed on Windows 8.1, Windows 10, and Windows Server 2012 R2 and is listed here for reference. For more info about IE11 on Windows 10, see [Browser: Microsoft Edge and Internet Explorer 11](https://technet.microsoft.com/library/mt156988.aspx). - -**Important**
  -IE11 isn't supported on Windows 8 or Windows Server 2012. - -Some of the components in this table might also need additional system resources. Check the component's documentation for more information. - - -| Item | Minimum requirements | -|--------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Computer/processor | 1 gigahertz (GHz) 32-bit (x86) or 64-bit (x64) | -| Operating system |

  • Windows 10 (32-bit or 64-bit)
  • Windows 8.1 Update (32-bit or 64-bit)
  • Windows 7 with SP1 (32-bit or 64-bit)
  • Windows Server 2012 R2
  • Windows Server 2008 R2 with SP1 (64-bit only)
| -| Memory |
  • Windows 10 (32-bit)-1 GB
  • Windows 10 (64-bit)-2 GB
  • Windows 8.1 Update (32-bit)-1 GB
  • Windows 8.1 Update (64-bit)-2 GB
  • Windows 7 with SP1 (32-bit or 64-bit)-512 MB
  • Windows Server 2012 R2-512 MB
  • Windows Server 2008 R2 with SP1 (64-bit only)-512 MB
| -| Hard drive space |
  • Windows 10 (32-bit)-16 GB
  • Windows 10 (64-bit)-20 GB
  • Windows 8.1 Update (32-bit)-16 GB
  • Windows 8.1 Update (64-bit)-20 GB
  • Windows 7 with SP1 (32-bit)-70 MB
  • Windows 7 with SP1 (64-bit)-120 MB
  • Windows Server 2012 R2-32 GB
  • Windows Server 2008 R2 with SP1 (64-bit only)-200 MB
      • | -| Drive | CD-ROM drive (if installing from a CD-ROM) | -| Display | Super VGA (800 x 600) or higher-resolution monitor with 256 colors | -| Peripherals | Internet connection and a compatible pointing device | - -## Support for .NET Framework -You might experience start up issues where IE11 fails to launch an application that uses managed browser hosting controls with your legacy apps. This is because, starting with Internet Explorer 10, the browser started blocking legacy apps from using the .NET Framework 1.1 and 2.0. To fix this problem, see [.NET Framework problems with Internet Explorer 11](net-framework-problems-with-ie11.md). - -## Support for multiple languages -IE11 is available in 108 languages for Windows 8.1 and Windows 10 and in 97 languages for Windows 7 with SP1. For the list of languages and download links, see [Available language packs based on operating system](https://go.microsoft.com/fwlink/p/?LinkId=281818). - -Computers running localized versions of Windows should run the same version of IE11. For example, if your employees use the Spanish edition of Windows, you should deploy the Spanish version of IE11. On the other hand, if your employees use multiple localized versions of Windows, like Spanish, French, and Catalan, you should install IE11 in one of the languages, and then install language packs for the others. - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Lists the minimum system requirements and supported languages for Internet Explorer 11. +author: lomayor +ms.prod: ie11 +ms.assetid: 27185e3d-c486-4e4a-9c51-5cb317c0006d +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: System requirements and language support for Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# System requirements and language support for Internet Explorer 11 (IE11) + +**Applies to:** + +- Windows 10 +- Windows 8.1 Update +- Windows 7 with Service Pack 1 (SP1) +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Internet Explorer 11 is available for a number of systems and languages. This topic provides info about the minimum system requirements and language support. + +## Minimum system requirements for IE11 +IE11 is pre-installed on Windows 8.1, Windows 10, and Windows Server 2012 R2 and is listed here for reference. For more info about IE11 on Windows 10, see [Browser: Microsoft Edge and Internet Explorer 11](https://technet.microsoft.com/library/mt156988.aspx). + +**Important**
        +IE11 isn't supported on Windows 8 or Windows Server 2012. + +Some of the components in this table might also need additional system resources. Check the component's documentation for more information. + + +| Item | Minimum requirements | +|--------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Computer/processor | 1 gigahertz (GHz) 32-bit (x86) or 64-bit (x64) | +| Operating system |
      • Windows 10 (32-bit or 64-bit)
      • Windows 8.1 Update (32-bit or 64-bit)
      • Windows 7 with SP1 (32-bit or 64-bit)
      • Windows Server 2012 R2
      • Windows Server 2008 R2 with SP1 (64-bit only)
      | +| Memory |
      • Windows 10 (32-bit)-1 GB
      • Windows 10 (64-bit)-2 GB
      • Windows 8.1 Update (32-bit)-1 GB
      • Windows 8.1 Update (64-bit)-2 GB
      • Windows 7 with SP1 (32-bit or 64-bit)-512 MB
      • Windows Server 2012 R2-512 MB
      • Windows Server 2008 R2 with SP1 (64-bit only)-512 MB
      | +| Hard drive space |
      • Windows 10 (32-bit)-16 GB
      • Windows 10 (64-bit)-20 GB
      • Windows 8.1 Update (32-bit)-16 GB
      • Windows 8.1 Update (64-bit)-20 GB
      • Windows 7 with SP1 (32-bit)-70 MB
      • Windows 7 with SP1 (64-bit)-120 MB
      • Windows Server 2012 R2-32 GB
      • Windows Server 2008 R2 with SP1 (64-bit only)-200 MB
          • | +| Drive | CD-ROM drive (if installing from a CD-ROM) | +| Display | Super VGA (800 x 600) or higher-resolution monitor with 256 colors | +| Peripherals | Internet connection and a compatible pointing device | + +## Support for .NET Framework +You might experience start up issues where IE11 fails to launch an application that uses managed browser hosting controls with your legacy apps. This is because, starting with Internet Explorer 10, the browser started blocking legacy apps from using the .NET Framework 1.1 and 2.0. To fix this problem, see [.NET Framework problems with Internet Explorer 11](net-framework-problems-with-ie11.md). + +## Support for multiple languages +IE11 is available in 108 languages for Windows 8.1 and Windows 10 and in 97 languages for Windows 7 with SP1. For the list of languages and download links, see [Available language packs based on operating system](https://go.microsoft.com/fwlink/p/?LinkId=281818). + +Computers running localized versions of Windows should run the same version of IE11. For example, if your employees use the Spanish edition of Windows, you should deploy the Spanish version of IE11. On the other hand, if your employees use multiple localized versions of Windows, like Spanish, French, and Catalan, you should install IE11 in one of the languages, and then install language packs for the others. + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md index 100c1159b5..00029e6c5b 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md +++ b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md @@ -1,135 +1,135 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Find out how to achieve better backward compatibility for your legacy web applications with the Enterprise Mode Site List. -author: lomayor -ms.author: lomayor -ms.prod: ie11 -ms.assetid: -ms.reviewer: -manager: dansimp -title: Tips and tricks to manage Internet Explorer compatibility -ms.sitesec: library -ms.date: 05/10/2018 ---- - -# Tips and tricks to manage Internet Explorer compatibility - -Find out how to achieve better backward compatibility for your legacy web applications with the Enterprise Mode Site List. - -Jump to: -- [Tips for IT professionals](#tips-for-it-professionals) -- [Tips for web developers](#tips-for-web-developers) - -[Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md) can be very effective in providing backward compatibility for older web apps. The Enterprise Mode Site List includes the ability to put any web app in any document mode, include IE8 and IE7 Enterprise Modes, without changing a single line of code on the website. - -![Internet Explorer Enterprise Modes and document modes](images/img-enterprise-mode-site-list-xml.jpg) - -Sites in the \ section can be rendered in any document mode, as shown in blue above. Some sites designed for older versions of Internet Explorer may require better backward compatibility, and these can leverage the \ section of the Enterprise Mode Site List. IE8 Enterprise Mode provides higher-fidelity emulation for Internet Explorer 8 by using, among other improvements, the original Internet Explorer 8 user agent string. IE7 Enterprise Mode further improves emulation by adding Compatibility View. - -Compatibility View, first introduced with Internet Explorer 8, is basically a switch. If a webpage has no DOCTYPE, that page will be rendered in Internet Explorer 5 mode. If there is a DOCTYPE, the page will be rendered in Internet Explorer 7 mode. You can effectively get Compatibility View by specifying Internet Explorer 7 in the \ section, as this falls back to Internet Explorer 5 automatically if there's no DOCTYPE, or you can use IE7 Enterprise Mode for even better emulation. - -## Tips for IT professionals - -### Inventory your sites - -Upgrading to a new browser can be a time-consuming and potentially costly venture. To help reduce these costs, you can download the [Enterprise Site Discovery Toolkit](https://www.microsoft.com/download/details.aspx?id=44570), which can help you prioritize which sites you should be testing based on their usage in your enterprise. For example, if the data shows that no one is visiting a particular legacy web app, you may not need to test or fix it. The toolkit is supported on Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11. The toolkit also gives you information about which document mode a page runs in your current browser so you can better understand how to fix that site if it breaks in a newer version of the browser. - -Once you know which sites to test and fix, the following remediation methods may help fix your compatibility issues in Internet Explorer 11 and Windows 10. - -### If you're on Internet Explorer 8 and upgrading to Internet Explorer 11: - -Use the Enterprise Mode Site List to add sites to the Internet Explorer 5, Internet Explorer 7, and Internet Explorer 8 documents modes, as well as IE8 Enterprise Mode and IE7 Enterprise Mode. - -- Sites with the *x-ua-compatible* meta tag or HTTP header set to "IE=edge" may break in Internet Explorer 11 and need to be set to Internet Explorer 8 mode. This is because "edge" in Internet Explorer 8 meant Internet Explorer 8 mode, but "edge" in Internet Explorer 11 means Internet Explorer 11 mode. - -- Sites without a DOCTYPE in zones other than Intranet will default to QME (or "interoperable quirks") rather than Internet Explorer 5 Quirks and may need to be set to Internet Explorer 5 mode. - -- Some sites may need to be added to both Enterprise Mode and Compatibility View to work. You can do this by adding the site to IE7 Enterprise Mode. - -### If you're on Internet Explorer 9 and upgrading to Internet Explorer 11: - -Use the Enterprise Mode Site List to add sites to the Internet Explorer 5, Internet Explorer 7, and Internet Explorer 9 document modes. - -- Sites with the *x-ua-compatible* meta tag or HTTP header set to "IE=edge" may break in Internet Explorer 11 and need to be set to Internet Explorer 9 mode. This is because "edge" in Internet Explorer 9 meant Internet Explorer 9 mode, but "edge" in Internet Explorer 11 means Internet Explorer 11 mode. - -- Sites without a DOCTYPE in zones other than Intranet will default to Interoperable Quirks rather than Internet Explorer 5 Quirks and may need to be set to Internet Explorer 5 mode. - -- If your sites worked in Internet Explorer 9, you won't need IE8 Enterprise Mode or IE7 Enterprise Mode. - -### If you're on Internet Explorer 10 and upgrading to Internet Explorer 11: - -Use the Enterprise Mode Site List to add sites to the Internet Explorer 5, Internet Explorer 7, and Internet Explorer 10 modes. - -- Sites with the *x-ua-compatible* meta tag or HTTP header set to "IE=edge" may break in Internet Explorer 11 and need to be set to Internet Explorer 10 mode. This is because "edge" in Internet Explorer 10 meant Internet Explorer 10 mode, but "edge" in Internet Explorer 11 means Internet Explorer 11 mode. - -- If your sites worked in Internet Explorer 10, you won't need IE8 Enterprise Mode or IE7 Enterprise Mode. - -### If you're on Internet Explorer 11 and upgrading to Windows 10: - -You're all set! You shouldn’t need to make any changes. - -## Tips for web developers - -If your website worked in an older version of Internet Explorer, but no longer works in Internet Explorer 11, you may need to update the site. Here are the set of steps you should take to find the appropriate remediation strategy. - -### Try document modes - -To see if the site works in the Internet Explorer 5, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, or Internet Explorer 11 document modes: - -- Open the site in Internet Explorer 11, load the F12 tools by pressing the **F12** key or by selecting **F12 Developer Tools** from the **Tools** menu, and select the **Emulation** tab. - - ![F12 Developer Tools Emulation tab](images/img-f12-developer-tools-emulation.jpg) - -- Run the site in each document mode until you find the mode in which the site works. - - >[!NOTE] - >You will need to make sure the User agent string dropdown matches the same browser version as the Document mode dropdown. For example, if you were testing to see if the site works in Internet Explorer 10, you should update the Document mode dropdown to 10 and the User agent string dropdown to Internet Explorer 10. - -- If you find a mode in which your site works, you will need to add the site domain, sub-domain, or URL to the Enterprise Mode Site List for the document mode in which the site works, or ask the IT administrator to do so. You can add the *x-ua-compatible* meta tag or HTTP header as well. - -### Try IE8 Enterprise Mode - -If a document mode didn't fix your site, try IE8 Enterprise Mode, which benefits sites written for Internet Explorer 5, Internet Explorer 7, and Internet Explorer 8 document modes. - -- Enable the **Let users turn on and use Enterprise Mode from the Tools menu** policy locally on your machine. To do this: - - - Search for and run **gpedit.msc** - - - Navigate to **Computer Configuration** \> **Administrative Template** \> **Windows Components** \> **Internet Explorer**. - - - Enable the **Let users turn on and use Enterprise Mode from the Tools menu** Group Policy setting. - - After making this change, run **gpupdate.exe /force** to make sure the setting is applied locally. You should also make sure to disable this setting once you're done testing. Alternately, you can use a regkey; see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md) for more information. - -- Restart Internet Explorer 11 and open the site you're testing, then go to **Emulation** tab in the **F12 Developer Tools** and select **Enterprise** from the **Browser profile** dropdown. If the site works, inform the IT administrator that the site needs to be added to the IE8 Enterprise Mode section. - -### Try IE7 Enterprise Mode - -If IE8 Enterprise Mode doesn't work, IE7 Enterprise Mode will give you the Compatibility View behavior that shipped with Internet Explorer 8 with Enterprise Mode. To try this approach: - -- Go to the **Tools** menu, select **Compatibility View Settings**, and add the site to the list. - -- Go to **Emulation** tab in the **F12 Developer Tools** and select **Enterprise** from the **Browser profile** dropdown. - -If the site works, inform the IT administrator that the site needs to be added to the IE7 Enterprise Mode section.\ - ->[!NOTE] ->Adding the same Web path to the Enterprise Mode and sections of the Enterprise Mode Site List will not work, but we will address this in a future update. - -### Update the site for modern web standards - -We recommend that enterprise customers focus their new development on established, modern web standards for better performance and interoperability across devices, and avoid developing sites in older Internet Explorer document modes. We often hear that, due to fact that the Intranet zone defaults to Compatibility View, web developers inadvertently create new sites in the Internet Explorer 7 or Internet Explorer 5 modes in the Intranet zone, depending on whether or not they used a DOCTYPE. As you move your web apps to modern standards, you can enable the **Turn on Internet Explorer Standards Mode for local intranet** Group Policy setting and add those sites that need Internet Explorer 5 or Internet Explorer 7 modes to the Site List. Of course, it is always a good idea to test the app to ensure that these settings work for your environment. - -## Related resources - -- [Document modes](https://msdn.microsoft.com/library/dn384051(v=vs.85).aspx) -- [What is Enterprise Mode?](what-is-enterprise-mode.md) -- [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md) -- [Enterprise Site Discovery Toolkit](https://www.microsoft.com/en-us/download/details.aspx?id=44570) -- [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md) -- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) -- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Find out how to achieve better backward compatibility for your legacy web applications with the Enterprise Mode Site List. +author: lomayor +ms.author: lomayor +ms.prod: ie11 +ms.assetid: +ms.reviewer: +audience: itpro manager: dansimp +title: Tips and tricks to manage Internet Explorer compatibility +ms.sitesec: library +ms.date: 05/10/2018 +--- + +# Tips and tricks to manage Internet Explorer compatibility + +Find out how to achieve better backward compatibility for your legacy web applications with the Enterprise Mode Site List. + +Jump to: +- [Tips for IT professionals](#tips-for-it-professionals) +- [Tips for web developers](#tips-for-web-developers) + +[Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md) can be very effective in providing backward compatibility for older web apps. The Enterprise Mode Site List includes the ability to put any web app in any document mode, include IE8 and IE7 Enterprise Modes, without changing a single line of code on the website. + +![Internet Explorer Enterprise Modes and document modes](images/img-enterprise-mode-site-list-xml.jpg) + +Sites in the \ section can be rendered in any document mode, as shown in blue above. Some sites designed for older versions of Internet Explorer may require better backward compatibility, and these can leverage the \ section of the Enterprise Mode Site List. IE8 Enterprise Mode provides higher-fidelity emulation for Internet Explorer 8 by using, among other improvements, the original Internet Explorer 8 user agent string. IE7 Enterprise Mode further improves emulation by adding Compatibility View. + +Compatibility View, first introduced with Internet Explorer 8, is basically a switch. If a webpage has no DOCTYPE, that page will be rendered in Internet Explorer 5 mode. If there is a DOCTYPE, the page will be rendered in Internet Explorer 7 mode. You can effectively get Compatibility View by specifying Internet Explorer 7 in the \ section, as this falls back to Internet Explorer 5 automatically if there's no DOCTYPE, or you can use IE7 Enterprise Mode for even better emulation. + +## Tips for IT professionals + +### Inventory your sites + +Upgrading to a new browser can be a time-consuming and potentially costly venture. To help reduce these costs, you can download the [Enterprise Site Discovery Toolkit](https://www.microsoft.com/download/details.aspx?id=44570), which can help you prioritize which sites you should be testing based on their usage in your enterprise. For example, if the data shows that no one is visiting a particular legacy web app, you may not need to test or fix it. The toolkit is supported on Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11. The toolkit also gives you information about which document mode a page runs in your current browser so you can better understand how to fix that site if it breaks in a newer version of the browser. + +Once you know which sites to test and fix, the following remediation methods may help fix your compatibility issues in Internet Explorer 11 and Windows 10. + +### If you're on Internet Explorer 8 and upgrading to Internet Explorer 11: + +Use the Enterprise Mode Site List to add sites to the Internet Explorer 5, Internet Explorer 7, and Internet Explorer 8 documents modes, as well as IE8 Enterprise Mode and IE7 Enterprise Mode. + +- Sites with the *x-ua-compatible* meta tag or HTTP header set to "IE=edge" may break in Internet Explorer 11 and need to be set to Internet Explorer 8 mode. This is because "edge" in Internet Explorer 8 meant Internet Explorer 8 mode, but "edge" in Internet Explorer 11 means Internet Explorer 11 mode. + +- Sites without a DOCTYPE in zones other than Intranet will default to QME (or "interoperable quirks") rather than Internet Explorer 5 Quirks and may need to be set to Internet Explorer 5 mode. + +- Some sites may need to be added to both Enterprise Mode and Compatibility View to work. You can do this by adding the site to IE7 Enterprise Mode. + +### If you're on Internet Explorer 9 and upgrading to Internet Explorer 11: + +Use the Enterprise Mode Site List to add sites to the Internet Explorer 5, Internet Explorer 7, and Internet Explorer 9 document modes. + +- Sites with the *x-ua-compatible* meta tag or HTTP header set to "IE=edge" may break in Internet Explorer 11 and need to be set to Internet Explorer 9 mode. This is because "edge" in Internet Explorer 9 meant Internet Explorer 9 mode, but "edge" in Internet Explorer 11 means Internet Explorer 11 mode. + +- Sites without a DOCTYPE in zones other than Intranet will default to Interoperable Quirks rather than Internet Explorer 5 Quirks and may need to be set to Internet Explorer 5 mode. + +- If your sites worked in Internet Explorer 9, you won't need IE8 Enterprise Mode or IE7 Enterprise Mode. + +### If you're on Internet Explorer 10 and upgrading to Internet Explorer 11: + +Use the Enterprise Mode Site List to add sites to the Internet Explorer 5, Internet Explorer 7, and Internet Explorer 10 modes. + +- Sites with the *x-ua-compatible* meta tag or HTTP header set to "IE=edge" may break in Internet Explorer 11 and need to be set to Internet Explorer 10 mode. This is because "edge" in Internet Explorer 10 meant Internet Explorer 10 mode, but "edge" in Internet Explorer 11 means Internet Explorer 11 mode. + +- If your sites worked in Internet Explorer 10, you won't need IE8 Enterprise Mode or IE7 Enterprise Mode. + +### If you're on Internet Explorer 11 and upgrading to Windows 10: + +You're all set! You shouldn’t need to make any changes. + +## Tips for web developers + +If your website worked in an older version of Internet Explorer, but no longer works in Internet Explorer 11, you may need to update the site. Here are the set of steps you should take to find the appropriate remediation strategy. + +### Try document modes + +To see if the site works in the Internet Explorer 5, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, or Internet Explorer 11 document modes: + +- Open the site in Internet Explorer 11, load the F12 tools by pressing the **F12** key or by selecting **F12 Developer Tools** from the **Tools** menu, and select the **Emulation** tab. + + ![F12 Developer Tools Emulation tab](images/img-f12-developer-tools-emulation.jpg) + +- Run the site in each document mode until you find the mode in which the site works. + + >[!NOTE] + >You will need to make sure the User agent string dropdown matches the same browser version as the Document mode dropdown. For example, if you were testing to see if the site works in Internet Explorer 10, you should update the Document mode dropdown to 10 and the User agent string dropdown to Internet Explorer 10. + +- If you find a mode in which your site works, you will need to add the site domain, sub-domain, or URL to the Enterprise Mode Site List for the document mode in which the site works, or ask the IT administrator to do so. You can add the *x-ua-compatible* meta tag or HTTP header as well. + +### Try IE8 Enterprise Mode + +If a document mode didn't fix your site, try IE8 Enterprise Mode, which benefits sites written for Internet Explorer 5, Internet Explorer 7, and Internet Explorer 8 document modes. + +- Enable the **Let users turn on and use Enterprise Mode from the Tools menu** policy locally on your machine. To do this: + + - Search for and run **gpedit.msc** + + - Navigate to **Computer Configuration** \> **Administrative Template** \> **Windows Components** \> **Internet Explorer**. + + - Enable the **Let users turn on and use Enterprise Mode from the Tools menu** Group Policy setting. + + After making this change, run **gpupdate.exe /force** to make sure the setting is applied locally. You should also make sure to disable this setting once you're done testing. Alternately, you can use a regkey; see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md) for more information. + +- Restart Internet Explorer 11 and open the site you're testing, then go to **Emulation** tab in the **F12 Developer Tools** and select **Enterprise** from the **Browser profile** dropdown. If the site works, inform the IT administrator that the site needs to be added to the IE8 Enterprise Mode section. + +### Try IE7 Enterprise Mode + +If IE8 Enterprise Mode doesn't work, IE7 Enterprise Mode will give you the Compatibility View behavior that shipped with Internet Explorer 8 with Enterprise Mode. To try this approach: + +- Go to the **Tools** menu, select **Compatibility View Settings**, and add the site to the list. + +- Go to **Emulation** tab in the **F12 Developer Tools** and select **Enterprise** from the **Browser profile** dropdown. + +If the site works, inform the IT administrator that the site needs to be added to the IE7 Enterprise Mode section.\ + +>[!NOTE] +>Adding the same Web path to the Enterprise Mode and sections of the Enterprise Mode Site List will not work, but we will address this in a future update. + +### Update the site for modern web standards + +We recommend that enterprise customers focus their new development on established, modern web standards for better performance and interoperability across devices, and avoid developing sites in older Internet Explorer document modes. We often hear that, due to fact that the Intranet zone defaults to Compatibility View, web developers inadvertently create new sites in the Internet Explorer 7 or Internet Explorer 5 modes in the Intranet zone, depending on whether or not they used a DOCTYPE. As you move your web apps to modern standards, you can enable the **Turn on Internet Explorer Standards Mode for local intranet** Group Policy setting and add those sites that need Internet Explorer 5 or Internet Explorer 7 modes to the Site List. Of course, it is always a good idea to test the app to ensure that these settings work for your environment. + +## Related resources + +- [Document modes](https://msdn.microsoft.com/library/dn384051(v=vs.85).aspx) +- [What is Enterprise Mode?](what-is-enterprise-mode.md) +- [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md) +- [Enterprise Site Discovery Toolkit](https://www.microsoft.com/en-us/download/details.aspx?id=44570) +- [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md) +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) +- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) diff --git a/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md index b560483fb1..55e4491ac7 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md @@ -1,52 +1,52 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: support -description: Use the topics in this section to learn how to troubleshoot several of the more common problems experienced with Internet Explorer. -author: lomayor -ms.prod: ie11 -ms.assetid: 0361c1a6-3faa-42b2-a588-92439eebeeab -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Troubleshoot Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Troubleshoot Internet Explorer 11 (IE11) - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Use the topics in this section to learn how to troubleshoot several of the more common problems experienced with Internet Explorer. - -## In this section - -|Topic |Description | -|-------|--------------| -|[Setup problems with Internet Explorer 11](setup-problems-with-ie11.md) |Guidance about how to find and understand the error log files created when setup runs. | -|[Install problems with Internet Explorer 11](install-problems-with-ie11.md) |Guidance about how to address potential problems when IE doesn’t finish installing. | -|[Problems after installing Internet Explorer 11](problems-after-installing-ie11.md) |Guidance about how to troubleshoot and help fix instability problems, where IE crashes or seems slow or where Digital Rights Management (DRM) playback doesn’t work. | -|[Auto configuration and auto proxy problems with Internet Explorer 11](auto-configuration-and-auto-proxy-problems-with-ie11.md) |Guidance about how to troubleshoot and help fix problems where branding changes aren’t distributed or where you’re experiencing proxy server setup problems. | -|[User interface problems with Internet Explorer 11](user-interface-problems-with-ie11.md) |Guidance about changes to the IE Customization Wizard, security zones, Favorites, Command, and Status bars, and the search box. | -|[Group Policy problems with Internet Explorer 11](group-policy-problems-ie11.md) |Guidance about how to find the Group Policy Object-related log files for troubleshooting. | -|[.NET Framework problems with Internet Explorer 11](net-framework-problems-with-ie11.md) |Guidance about how to turn managed browser hosting controls back on. | -|[Enhanced Protected Mode problems with Internet Explorer](enhanced-protected-mode-problems-with-ie11.md) |Guidance about how to turn off Enhanced Protected Mode to address compatibility issues. | -|[Fix font rendering problems by turning off natural metrics](turn-off-natural-metrics.md) |Guidance about how to turn off natural metrics to address font rendering problems. | -|[Intranet problems with Internet Explorer 11](intranet-problems-and-ie11.md) |Guidance about how to turn on single-word intranet searches in the address bar. | -|[Browser cache changes and roaming profiles](browser-cache-changes-and-roaming-profiles.md) |Guidance about changes we’ve made to the browser cache to improve the performance, flexibility, reliability, and scalability and how to get the best results while using a roaming profile. | - -  - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: support +description: Use the topics in this section to learn how to troubleshoot several of the more common problems experienced with Internet Explorer. +author: lomayor +ms.prod: ie11 +ms.assetid: 0361c1a6-3faa-42b2-a588-92439eebeeab +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Troubleshoot Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Troubleshoot Internet Explorer 11 (IE11) + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Use the topics in this section to learn how to troubleshoot several of the more common problems experienced with Internet Explorer. + +## In this section + +|Topic |Description | +|-------|--------------| +|[Setup problems with Internet Explorer 11](setup-problems-with-ie11.md) |Guidance about how to find and understand the error log files created when setup runs. | +|[Install problems with Internet Explorer 11](install-problems-with-ie11.md) |Guidance about how to address potential problems when IE doesn’t finish installing. | +|[Problems after installing Internet Explorer 11](problems-after-installing-ie11.md) |Guidance about how to troubleshoot and help fix instability problems, where IE crashes or seems slow or where Digital Rights Management (DRM) playback doesn’t work. | +|[Auto configuration and auto proxy problems with Internet Explorer 11](auto-configuration-and-auto-proxy-problems-with-ie11.md) |Guidance about how to troubleshoot and help fix problems where branding changes aren’t distributed or where you’re experiencing proxy server setup problems. | +|[User interface problems with Internet Explorer 11](user-interface-problems-with-ie11.md) |Guidance about changes to the IE Customization Wizard, security zones, Favorites, Command, and Status bars, and the search box. | +|[Group Policy problems with Internet Explorer 11](group-policy-problems-ie11.md) |Guidance about how to find the Group Policy Object-related log files for troubleshooting. | +|[.NET Framework problems with Internet Explorer 11](net-framework-problems-with-ie11.md) |Guidance about how to turn managed browser hosting controls back on. | +|[Enhanced Protected Mode problems with Internet Explorer](enhanced-protected-mode-problems-with-ie11.md) |Guidance about how to turn off Enhanced Protected Mode to address compatibility issues. | +|[Fix font rendering problems by turning off natural metrics](turn-off-natural-metrics.md) |Guidance about how to turn off natural metrics to address font rendering problems. | +|[Intranet problems with Internet Explorer 11](intranet-problems-and-ie11.md) |Guidance about how to turn on single-word intranet searches in the address bar. | +|[Browser cache changes and roaming profiles](browser-cache-changes-and-roaming-profiles.md) |Guidance about changes we’ve made to the browser cache to improve the performance, flexibility, reliability, and scalability and how to get the best results while using a roaming profile. | + +  + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md index e6bd87fc61..d193f26c68 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md @@ -1,80 +1,80 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: How to turn Enterprise Mode off temporarily while testing websites and how to turn it off completely if you no longer want to to use it. -author: lomayor -ms.prod: ie11 -ms.assetid: 5027c163-71e0-49b8-9dc0-f0a7310c7ae3 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Turn off Enterprise Mode (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Turn off Enterprise Mode - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -It’s important that you test the sites you’re adding, or considering removing, from your Enterprise Mode site list. To make this testing easier, you can turn off the site list or the entire Enterprise Mode functionality. For example, you might have an intranet site on your list that you’ve upgraded to be compatible with the new web standards . If you test the site while the site list is active, Internet Explorer 11 will automatically switch to Enterprise Mode. By turning off the site list, you can see what the page actually looks like and decide whether to remove it from your site list. - -In addition, if you no longer want your users to be able to turn Enterprise Mode on locally, you can remove Enterprise Mode from the local **Tools** menu. - -**Important**
          -Turning off both of these features turns off Enterprise Mode for your company. Turning off Enterprise Mode also causes any websites included in your employee’s manual site lists to not appear in Enterprise Mode. - - **To turn off the site list using Group Policy** - -1. Open your Group Policy editor, like Group Policy Management Console (GPMC). - -2. Go to the **Use the Enterprise Mode IE website list** setting, and then click **Disabled**.

          - Enterprise Mode will no longer look for the site list, effectively turning off Enterprise Mode. However, if you previously turned on local control for your employees, Enterprise Mode will still be available from the **Tools** menu. You need to turn that part of the functionality off separately. - - **To turn off local control using Group Policy** - -3. Open your Group Policy editor, like Group Policy Management Console (GPMC). - -4. Go to the **Let users turn on and use Enterprise Mode from the Tools menu** setting, and then click **Disable**. - -5. Enterprise Mode no longer shows up on the **Tools** menu for your employees. However, if you are still using an Enterprise Mode site list, all of the globally listed sites will still appear in Enterprise Mode. If you want to turn off all of Enterprise Mode, you will need to also turn off the site list functionality. - - **To turn off the site list using the registry** - -6. Open a registry editor, such as regedit.exe. - -7. Go to `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode`, and then delete the **SiteList** value.

          - You can also use HKEY_LOCAL_MACHINE, depending whether you want to turn off the Enterprise Mode site list for users or for computers. - -8. Close all and restart all instances of Internet Explorer.

          - IE11 stops looking at the site list for rendering instructions. However, Enterprise Mode is still available to your users locally (if it was turned on). - - **To turn off local control using the registry** - -9. Open a registry editor, such as regedit.exe. - -10. Go `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode`, and then delete the **Enable** value.

          - You can also use HKEY_CURRENT_USER, depending whether you want to turn off Enterprise Mode for users or for computers. - -11. Close and restart all instances of IE.

          - Enterprise Mode is no longer a user option on the **Tools** menu in IE11. However, IE11 still looks at the site list (if it was turned on). - -## Related topics -- [What is Enterprise Mode?](what-is-enterprise-mode.md) -- [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md) -- [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md) -- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: How to turn Enterprise Mode off temporarily while testing websites and how to turn it off completely if you no longer want to to use it. +author: lomayor +ms.prod: ie11 +ms.assetid: 5027c163-71e0-49b8-9dc0-f0a7310c7ae3 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Turn off Enterprise Mode (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Turn off Enterprise Mode + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +It’s important that you test the sites you’re adding, or considering removing, from your Enterprise Mode site list. To make this testing easier, you can turn off the site list or the entire Enterprise Mode functionality. For example, you might have an intranet site on your list that you’ve upgraded to be compatible with the new web standards . If you test the site while the site list is active, Internet Explorer 11 will automatically switch to Enterprise Mode. By turning off the site list, you can see what the page actually looks like and decide whether to remove it from your site list. + +In addition, if you no longer want your users to be able to turn Enterprise Mode on locally, you can remove Enterprise Mode from the local **Tools** menu. + +**Important**
          +Turning off both of these features turns off Enterprise Mode for your company. Turning off Enterprise Mode also causes any websites included in your employee’s manual site lists to not appear in Enterprise Mode. + + **To turn off the site list using Group Policy** + +1. Open your Group Policy editor, like Group Policy Management Console (GPMC). + +2. Go to the **Use the Enterprise Mode IE website list** setting, and then click **Disabled**.

          + Enterprise Mode will no longer look for the site list, effectively turning off Enterprise Mode. However, if you previously turned on local control for your employees, Enterprise Mode will still be available from the **Tools** menu. You need to turn that part of the functionality off separately. + + **To turn off local control using Group Policy** + +3. Open your Group Policy editor, like Group Policy Management Console (GPMC). + +4. Go to the **Let users turn on and use Enterprise Mode from the Tools menu** setting, and then click **Disable**. + +5. Enterprise Mode no longer shows up on the **Tools** menu for your employees. However, if you are still using an Enterprise Mode site list, all of the globally listed sites will still appear in Enterprise Mode. If you want to turn off all of Enterprise Mode, you will need to also turn off the site list functionality. + + **To turn off the site list using the registry** + +6. Open a registry editor, such as regedit.exe. + +7. Go to `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode`, and then delete the **SiteList** value.

          + You can also use HKEY_LOCAL_MACHINE, depending whether you want to turn off the Enterprise Mode site list for users or for computers. + +8. Close all and restart all instances of Internet Explorer.

          + IE11 stops looking at the site list for rendering instructions. However, Enterprise Mode is still available to your users locally (if it was turned on). + + **To turn off local control using the registry** + +9. Open a registry editor, such as regedit.exe. + +10. Go `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode`, and then delete the **Enable** value.

          + You can also use HKEY_CURRENT_USER, depending whether you want to turn off Enterprise Mode for users or for computers. + +11. Close and restart all instances of IE.

          + Enterprise Mode is no longer a user option on the **Tools** menu in IE11. However, IE11 still looks at the site list (if it was turned on). + +## Related topics +- [What is Enterprise Mode?](what-is-enterprise-mode.md) +- [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md) +- [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md b/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md index c562b6862a..890640ae36 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md @@ -1,37 +1,37 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: support -description: Turn off natural metrics for Internet Explorer 11 -author: lomayor -ms.prod: ie11 -ms.assetid: e31a27d7-662e-4106-a3d2-c6b0531961d5 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Fix font rendering problems by turning off natural metrics (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Fix font rendering problems by turning off natural metrics -By default, Internet Explorer 11 uses “natural metrics”. Natural metrics use inter-pixel spacing that creates more accurately rendered and readable text, avoiding many common font rendering problems with Windows Internet Explorer 9 or older sites. - -However, you might find that many intranet sites need you to use Windows Graphics Device Interface (GDI) metrics. To avoid potential compatibility issues, you must turn off natural metrics for those sites. - - **To turn off natural metrics** - -- Add the following HTTP header to each site: `X-UA-TextLayoutMetrics: gdi` - -

          -OR-

          - -- Add the following <meta> tag to each site: `` - -Turning off natural metrics automatically turns on GDI metrics. - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: support +description: Turn off natural metrics for Internet Explorer 11 +author: lomayor +ms.prod: ie11 +ms.assetid: e31a27d7-662e-4106-a3d2-c6b0531961d5 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Fix font rendering problems by turning off natural metrics (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Fix font rendering problems by turning off natural metrics +By default, Internet Explorer 11 uses “natural metrics”. Natural metrics use inter-pixel spacing that creates more accurately rendered and readable text, avoiding many common font rendering problems with Windows Internet Explorer 9 or older sites. + +However, you might find that many intranet sites need you to use Windows Graphics Device Interface (GDI) metrics. To avoid potential compatibility issues, you must turn off natural metrics for those sites. + + **To turn off natural metrics** + +- Add the following HTTP header to each site: `X-UA-TextLayoutMetrics: gdi` + +

          -OR-

          + +- Add the following <meta> tag to each site: `` + +Turning off natural metrics automatically turns on GDI metrics. + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md index ba48d04b38..1a6823e2db 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md @@ -1,75 +1,75 @@ ---- -title: Turn on Enterprise Mode and use a site list (Internet Explorer 11 for IT Pros) -description: How to turn on Enterprise Mode and specify a site list. -ms.assetid: 800e9c5a-57a6-4d61-a38a-4cb972d833e1 -ms.reviewer: -manager: dansimp -ms.prod: ie11 -ms.mktglfcycl: deploy -ms.pagetype: appcompat -ms.sitesec: library -author: lomayor -ms.author: lomayor -ms.date: 08/14/2017 -ms.localizationpriority: medium - - - - - ---- - - -# Turn on Enterprise Mode and use a site list - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Before you can use a site list with Enterprise Mode, you need to turn the functionality on and set up the system for centralized control. By allowing centralized control, you can create one global list of websites that render using Enterprise Mode. Approximately 65 seconds after Internet Explorer 11 starts, it looks for a properly formatted site list. If a new site list if found, with a different version number than the active list, IE11 loads and uses the newer version. After the initial check, IE11 won’t look for an updated list again until you restart the browser. - ->[!NOTE] ->We recommend that you store and download your website list from a secure web server (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employees' computers so if the centralized file location is unavailable, they can still use Enterprise Mode. - - **To turn on Enterprise Mode using Group Policy** - -1. Open your Group Policy editor and go to the `Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list` setting.

          - Turning this setting on also requires you to create and store a site list. For more information about creating your site list, see the [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics. - - ![local group policy editor for using a site list](images/ie-emie-grouppolicysitelist.png) - -2. Click **Enabled**, and then in the **Options** area, type the location to your site list. - - **To turn on Enterprise Mode using the registry** - -3. **For only the local user:** Open a registry editor, like regedit.exe and go to `HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode`. -

          -OR-

          - For all users on the device: Open a registry editor, like regedit.exe and go to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode. - -4. Edit the `SiteList` registry key to point to where you want to keep your Enterprise Mode site list file. For example: - - ![enterprise mode with site list in the registry](images/ie-emie-registrysitelist.png) - - - **HTTPS location**: `"SiteList"="https://localhost:8080/sites.xml"` - - - **Local network:** `"SiteList"="\\network\shares\sites.xml"` - - - **Local file:** `"SiteList"="file:///c:\\Users\\\\Documents\\testList.xml"` - - All of your managed devices must have access to this location if you want them to be able to access and use Enterprise Mode and your site list. For information about how to create and use an Enterprise Mode site list, see [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md). - -## Related topics -- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) -- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) - - - - - - +--- +title: Turn on Enterprise Mode and use a site list (Internet Explorer 11 for IT Pros) +description: How to turn on Enterprise Mode and specify a site list. +ms.assetid: 800e9c5a-57a6-4d61-a38a-4cb972d833e1 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: ie11 +ms.mktglfcycl: deploy +ms.pagetype: appcompat +ms.sitesec: library +author: lomayor +ms.author: lomayor +ms.date: 08/14/2017 +ms.localizationpriority: medium + + + + + +--- + + +# Turn on Enterprise Mode and use a site list + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Before you can use a site list with Enterprise Mode, you need to turn the functionality on and set up the system for centralized control. By allowing centralized control, you can create one global list of websites that render using Enterprise Mode. Approximately 65 seconds after Internet Explorer 11 starts, it looks for a properly formatted site list. If a new site list if found, with a different version number than the active list, IE11 loads and uses the newer version. After the initial check, IE11 won’t look for an updated list again until you restart the browser. + +>[!NOTE] +>We recommend that you store and download your website list from a secure web server (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employees' computers so if the centralized file location is unavailable, they can still use Enterprise Mode. + + **To turn on Enterprise Mode using Group Policy** + +1. Open your Group Policy editor and go to the `Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list` setting.

          + Turning this setting on also requires you to create and store a site list. For more information about creating your site list, see the [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics. + + ![local group policy editor for using a site list](images/ie-emie-grouppolicysitelist.png) + +2. Click **Enabled**, and then in the **Options** area, type the location to your site list. + + **To turn on Enterprise Mode using the registry** + +3. **For only the local user:** Open a registry editor, like regedit.exe and go to `HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode`. +

          -OR-

          + For all users on the device: Open a registry editor, like regedit.exe and go to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode. + +4. Edit the `SiteList` registry key to point to where you want to keep your Enterprise Mode site list file. For example: + + ![enterprise mode with site list in the registry](images/ie-emie-registrysitelist.png) + + - **HTTPS location**: `"SiteList"="https://localhost:8080/sites.xml"` + + - **Local network:** `"SiteList"="\\network\shares\sites.xml"` + + - **Local file:** `"SiteList"="file:///c:\\Users\\\\Documents\\testList.xml"` + + All of your managed devices must have access to this location if you want them to be able to access and use Enterprise Mode and your site list. For information about how to create and use an Enterprise Mode site list, see [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md). + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) +- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md index 830bb995d5..2f52fdfba2 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md @@ -1,64 +1,64 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Turn on local user control and logging for Enterprise Mode. -author: lomayor -ms.prod: ie11 -ms.assetid: 6622ecce-24b1-497e-894a-e1fd5a8a66d1 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Turn on local control and logging for Enterprise Mode (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Turn on local control and logging for Enterprise Mode - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -You can turn on local control of Enterprise Mode so that your users can turn Enterprise Mode on from the **Tools** menu. Turning on this feature also adds the **Enterprise** browser profile to the **Emulation** tab of the F12 developer tools. - -Besides turning on this feature, you also have the option to provide a URL for Enterprise Mode logging. If you turn logging on, Internet Explorer initiates a simple POST back to the supplied address, including the URL and a specification that **EnterpriseMode** was turned on or off through the **Tools** menu. - - **To turn on local control of Enterprise Mode using Group Policy** - -1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Internet Explorer\\Let users turn on and use Enterprise Mode from the Tools menu** setting. - - ![group policy editor with emie setting](images/ie-emie-editpolicy.png) - -2. Click **Enabled**, and then in the **Options** area, type the location for where to receive reports about when your employees use this functionality to turn Enterprise Mode on or off from the **Tools** menu. - - **To turn on local control of Enterprise Mode using the registry** - -3. Open a registry editor, like regedit.exe and go to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode`. - -4. In the right pane, right-click and click **New**, click **String Value**, and then name the new value **Enable**. - -5. Right-click the **Enable** key, click **Modify**, and then type a **Value data** to point to a server that you can listen to for updates. - - ![edit registry string for data collection location](images/ie-emie-editregistrystring.png) - -Your **Value data** location can be any of the following types: - -- **URL location (like, https://www.emieposturl.com/api/records or https://localhost:13000)**. IE sends a POST message to the URL every time a change is made to Enterprise Mode from the **Tools** menu.

          **Important**
          - The `https://www.emieposturl.com/api/records` example will only work if you’ve downloaded the sample discussed in the [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) topic. If you don’t have the sample, you won’t have the web API. -- **Local network location (like, https://emieposturl/)**. IE sends a POST message to your specified local network location every time a change is made to Enterprise Mode from the **Tools** menu. -- **Empty string**. If you leave the **Value data** box blank; your employees will be able to turn Enterprise Mode on and off from the **Tools** menu, but you won’t collect any logging data. - -For information about how to collect the data provided when your employees turn Enterprise Mode on or off from the **Tools** menu, see [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md). - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Turn on local user control and logging for Enterprise Mode. +author: lomayor +ms.prod: ie11 +ms.assetid: 6622ecce-24b1-497e-894a-e1fd5a8a66d1 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Turn on local control and logging for Enterprise Mode (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Turn on local control and logging for Enterprise Mode + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +You can turn on local control of Enterprise Mode so that your users can turn Enterprise Mode on from the **Tools** menu. Turning on this feature also adds the **Enterprise** browser profile to the **Emulation** tab of the F12 developer tools. + +Besides turning on this feature, you also have the option to provide a URL for Enterprise Mode logging. If you turn logging on, Internet Explorer initiates a simple POST back to the supplied address, including the URL and a specification that **EnterpriseMode** was turned on or off through the **Tools** menu. + + **To turn on local control of Enterprise Mode using Group Policy** + +1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Internet Explorer\\Let users turn on and use Enterprise Mode from the Tools menu** setting. + + ![group policy editor with emie setting](images/ie-emie-editpolicy.png) + +2. Click **Enabled**, and then in the **Options** area, type the location for where to receive reports about when your employees use this functionality to turn Enterprise Mode on or off from the **Tools** menu. + + **To turn on local control of Enterprise Mode using the registry** + +3. Open a registry editor, like regedit.exe and go to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode`. + +4. In the right pane, right-click and click **New**, click **String Value**, and then name the new value **Enable**. + +5. Right-click the **Enable** key, click **Modify**, and then type a **Value data** to point to a server that you can listen to for updates. + + ![edit registry string for data collection location](images/ie-emie-editregistrystring.png) + +Your **Value data** location can be any of the following types: + +- **URL location (like, https://www.emieposturl.com/api/records or https://localhost:13000)**. IE sends a POST message to the URL every time a change is made to Enterprise Mode from the **Tools** menu.

          **Important**
          + The `https://www.emieposturl.com/api/records` example will only work if you’ve downloaded the sample discussed in the [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) topic. If you don’t have the sample, you won’t have the web API. +- **Local network location (like, https://emieposturl/)**. IE sends a POST message to your specified local network location every time a change is made to Enterprise Mode from the **Tools** menu. +- **Empty string**. If you leave the **Value data** box blank; your employees will be able to turn Enterprise Mode on and off from the **Tools** menu, but you won’t collect any logging data. + +For information about how to collect the data provided when your employees turn Enterprise Mode on or off from the **Tools** menu, see [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md). + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md index 7a9a2bf652..a4121ee693 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md @@ -1,50 +1,50 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: High-level info about some of the new and updated features for Internet Explorer 11. -author: lomayor -ms.prod: ie11 -ms.assetid: f53c6f04-7c60-40e7-9fc5-312220f08156 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: List of updated features and tools - Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# List of updated features and tools - Internet Explorer 11 (IE11) - -**Applies to:** - -- Windows 10 -- Windows 8.1 Update -- Windows 7 with Service Pack 1 (SP1) -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Internet Explorer 11 includes several new features and tools. This topic includes high-level info about the each of them. - -## Updated features and tools -- **Updated web standards.** WebGL, Canvas 2D L2 extensions, fullscreen API, encrypted media extensions, media source extensions, CSS flexible box layout module, mutation observers, like DOM4 and 5.3. - -- **Enhanced Protected Mode.** Extends Protected Mode to further restrict the ability of an attacker to access sensitive or personal information in personal and corporate environments. This feature is turned off by default. For more info, see [Enhanced Protected Mode problems with Internet Explorer](enhanced-protected-mode-problems-with-ie11.md). - -- **Enterprise Mode.** Enterprise Mode, a compatibility mode that runs on IE11 on Windows 8.1 Update and Windows 7 devices, lets websites render using a modified browser configuration that’s designed to emulate Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. For more info, see [What is Enterprise Mode?](what-is-enterprise-mode.md) - -- **Out-of-date ActiveX control blocking**. Helps to keep your ActiveX controls up-to-date, because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. For more info, see [Out-of-date ActiveX control blocking](out-of-date-activex-control-blocking.md). - -- **Do Not Track (DNT) exceptions.** IE11 lets websites ask whether to track users as they browse a website. If the user approves the request, IE records an exception to the "Do Not Track" rule and sends headers to the website that allow tracking. By respecting these headers and requesting exceptions to the default privacy settings, website owners can develop a trusted relationship with their users about privacy. For more info, see [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md). - -- **IE Administration Kit (IEAK).** Lets you create custom, branded versions of IE11. For more info and to download the tool, see [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md). - -- **Unattend Settings.** Lets you update the Unattend.xml file, to customize the home page, favorites, search providers, feeds, Accelerators, Web Slices, and settings for top result searches. For more info, see the [Unattend Settings: Microsoft-Windows-IE-InternetExplorer](https://go.microsoft.com/fwlink/p/?LinkId=263709). - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: High-level info about some of the new and updated features for Internet Explorer 11. +author: lomayor +ms.prod: ie11 +ms.assetid: f53c6f04-7c60-40e7-9fc5-312220f08156 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: List of updated features and tools - Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# List of updated features and tools - Internet Explorer 11 (IE11) + +**Applies to:** + +- Windows 10 +- Windows 8.1 Update +- Windows 7 with Service Pack 1 (SP1) +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Internet Explorer 11 includes several new features and tools. This topic includes high-level info about the each of them. + +## Updated features and tools +- **Updated web standards.** WebGL, Canvas 2D L2 extensions, fullscreen API, encrypted media extensions, media source extensions, CSS flexible box layout module, mutation observers, like DOM4 and 5.3. + +- **Enhanced Protected Mode.** Extends Protected Mode to further restrict the ability of an attacker to access sensitive or personal information in personal and corporate environments. This feature is turned off by default. For more info, see [Enhanced Protected Mode problems with Internet Explorer](enhanced-protected-mode-problems-with-ie11.md). + +- **Enterprise Mode.** Enterprise Mode, a compatibility mode that runs on IE11 on Windows 8.1 Update and Windows 7 devices, lets websites render using a modified browser configuration that’s designed to emulate Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. For more info, see [What is Enterprise Mode?](what-is-enterprise-mode.md) + +- **Out-of-date ActiveX control blocking**. Helps to keep your ActiveX controls up-to-date, because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. For more info, see [Out-of-date ActiveX control blocking](out-of-date-activex-control-blocking.md). + +- **Do Not Track (DNT) exceptions.** IE11 lets websites ask whether to track users as they browse a website. If the user approves the request, IE records an exception to the "Do Not Track" rule and sends headers to the website that allow tracking. By respecting these headers and requesting exceptions to the default privacy settings, website owners can develop a trusted relationship with their users about privacy. For more info, see [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md). + +- **IE Administration Kit (IEAK).** Lets you create custom, branded versions of IE11. For more info and to download the tool, see [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md). + +- **Unattend Settings.** Lets you update the Unattend.xml file, to customize the home page, favorites, search providers, feeds, Accelerators, Web Slices, and settings for top result searches. For more info, see the [Unattend Settings: Microsoft-Windows-IE-InternetExplorer](https://go.microsoft.com/fwlink/p/?LinkId=263709). + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md index b7fde38f3a..ad67aa915b 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md @@ -1,84 +1,84 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Portal. -ms.prod: ie11 -title: Use the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp -ms.author: lomayor -author: lomayor ---- - -# Use the Enterprise Mode Site List Portal - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. - -The Enterprise Mode Site List Portal is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management. Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later. - -You can use IE11 and the Enterprise Mode Site List Portal to manage your Enterprise Mode Site List, hosted by the app, with multiple users. - -## Minimum system requirements for portal and test machines -Some of the components in this table might also need additional system resources. Check the component's documentation for more information. - -|Item |Description | -|-----|------------| -|Operating system |Windows 7 or later | -|Memory |16 GB RAM | -|Hard drive space |At least 8 GB of free space, formatted using the NTFS file system for better security | -|Active Directory (AD) |Devices must be domain-joined | -|SQL Server |Microsoft SQL Server Enterprise Edition 2012 or later | -|Visual Studio |Visual Studio 2015 or later | -|Node.js® package manager |npm Developer version or higher | -|Additional server infrastructure |Internet Information Service (IIS) 6.0 or later | - -## Role assignments and available actions -Admins can assign roles to employees for the Enterprise Mode Site List Portal, allowing the employees to perform specific actions, as described in this table. - -|Role assignment |Available actions | -|----------------|------------------| -|Requester |

          • Create a change request


          • Validate changes in the pre-production environment


          • Rollback pre-production and production changes in case of failure


          • Send approval requests


          • View own requests


          • Sign off and close own requests
          | -|Approver

          (includes the App Manager and Group Head roles) |
          • All of the Requester actions, plus:


          • Approve requests
          | -|Administrator |
          • All of the Requester and Approver actions, plus:


          • Add employees to the portal


          • Assign employee roles


          • Approve registrations to the portal


          • Configure portal settings (for example, determine the freeze schedule, determine the pre-production and production XML paths, and determine the attachment upload location)


          • Use the standalone Enterprise Mode Site List Manager page


          • View reports
          | - -## Enterprise Mode Site List Portal workflow by employee role -The following workflow describes how to use the Enterprise Mode Site List Portal. - -1. [The Requester submits a change request for an app](create-change-request-enterprise-mode-portal.md) - -2. [The Requester tests the change request info, verifying its accuracy](verify-changes-preprod-enterprise-mode-portal.md) - -3. [The Approver(s) group accepts the change request](approve-change-request-enterprise-mode-portal.md) - -4. [The Requester schedules the change for the production environment](schedule-production-change-enterprise-mode-portal.md) - -5. [The change is verified against the production site list and signed off](verify-changes-production-enterprise-mode-portal.md) - - -## Related topics -- [Set up the Enterprise Mode Site List Portal](set-up-enterprise-mode-portal.md) - -- [Workflow-based processes for employees using the Enterprise Mode Site List Portal](workflow-processes-enterprise-mode-portal.md) - -- [How to use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md) - -- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) - -- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md) -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Portal. +ms.prod: ie11 +title: Use the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +author: lomayor +--- + +# Use the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. + +The Enterprise Mode Site List Portal is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management. Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later. + +You can use IE11 and the Enterprise Mode Site List Portal to manage your Enterprise Mode Site List, hosted by the app, with multiple users. + +## Minimum system requirements for portal and test machines +Some of the components in this table might also need additional system resources. Check the component's documentation for more information. + +|Item |Description | +|-----|------------| +|Operating system |Windows 7 or later | +|Memory |16 GB RAM | +|Hard drive space |At least 8 GB of free space, formatted using the NTFS file system for better security | +|Active Directory (AD) |Devices must be domain-joined | +|SQL Server |Microsoft SQL Server Enterprise Edition 2012 or later | +|Visual Studio |Visual Studio 2015 or later | +|Node.js® package manager |npm Developer version or higher | +|Additional server infrastructure |Internet Information Service (IIS) 6.0 or later | + +## Role assignments and available actions +Admins can assign roles to employees for the Enterprise Mode Site List Portal, allowing the employees to perform specific actions, as described in this table. + +|Role assignment |Available actions | +|----------------|------------------| +|Requester |
          • Create a change request


          • Validate changes in the pre-production environment


          • Rollback pre-production and production changes in case of failure


          • Send approval requests


          • View own requests


          • Sign off and close own requests
          | +|Approver

          (includes the App Manager and Group Head roles) |
          • All of the Requester actions, plus:


          • Approve requests
          | +|Administrator |
          • All of the Requester and Approver actions, plus:


          • Add employees to the portal


          • Assign employee roles


          • Approve registrations to the portal


          • Configure portal settings (for example, determine the freeze schedule, determine the pre-production and production XML paths, and determine the attachment upload location)


          • Use the standalone Enterprise Mode Site List Manager page


          • View reports
          | + +## Enterprise Mode Site List Portal workflow by employee role +The following workflow describes how to use the Enterprise Mode Site List Portal. + +1. [The Requester submits a change request for an app](create-change-request-enterprise-mode-portal.md) + +2. [The Requester tests the change request info, verifying its accuracy](verify-changes-preprod-enterprise-mode-portal.md) + +3. [The Approver(s) group accepts the change request](approve-change-request-enterprise-mode-portal.md) + +4. [The Requester schedules the change for the production environment](schedule-production-change-enterprise-mode-portal.md) + +5. [The change is verified against the production site list and signed off](verify-changes-production-enterprise-mode-portal.md) + + +## Related topics +- [Set up the Enterprise Mode Site List Portal](set-up-enterprise-mode-portal.md) + +- [Workflow-based processes for employees using the Enterprise Mode Site List Portal](workflow-processes-enterprise-mode-portal.md) + +- [How to use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md) + +- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) + +- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md) +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md index ae87b553de..34f58b78f4 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md @@ -1,70 +1,70 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Manager. -author: lomayor -ms.prod: ie11 -ms.assetid: f4dbed4c-08ff-40b1-ab3f-60d3b6e8ec9b -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 12/04/2017 ---- - - -# Use the Enterprise Mode Site List Manager - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. - -You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode. - -## Enterprise Mode Site List Manager versions -There are currently two versions of the Enterprise Site List Manager, both based on your schema and operating system. Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) or the [Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) tool, based on your operating system. - -|Schema version |Operating system |Enterprise Site List Manager version | -|-----------------|---------------|------------------------------------| -|Enterprise Mode schema, version 2 (v.2) |Windows 10
          -OR-
          Windows 8.1
          -OR-
          Windows 7|Uses the Enterprise Mode Site List Manager (schema v.2) and the v.2 version of the schema. If you import a v.1 version schema into the Enterprise Mode Site List Manager (schema v.2), the XML is saved into the v.2 version of the schema.

          For more info about the v.2 version of the schema, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md).| -|Enterprise Mode schema, version 1 (v.1) |Windows 10
          -OR-
          Windows 8.1
          -OR-
          Windows 7|Uses the Enterprise Mode Site List Manager (schema v.1) and the v.1 version of the schema.

          For more info about the v.1 version of the schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md)| - -## Using the Enterprise Mode Site List Manager -The following topics give you more information about the things that you can do with the Enterprise Mode Site List Manager. - -|Topic |Description | -|------|------------| -|[Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md) |How to add websites to your site list using the Enterprise Mode Site List Manager (schema v.2). | -|[Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md) |How to add websites to your site list using the Enterprise Mode Site List Manager (schema v.1). | -|[Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) |How to add several websites to your site list at the same time, using a text or XML file and the Enterprise Mode Site List Manager (schema v.2). | -|[Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) |How to add several websites to your site list at the same time, using a text or XML file and the WEnterprise Mode Site List Manager (schema v.1). | -|[Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager](edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md) |How to edit the compatibility mode for specific websites.

          This topic applies to both versions of the Enterprise Mode Site List Manager. | -|[Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md) |How to fix common site list validation errors.

          This topic applies to both versions of the Enterprise Mode Site List Manager. | -|[Search your Enterprise Mode site list in the Enterprise Mode Site List Manager](search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to look to see if a site is already in your global Enterprise Mode site list.

          This topic applies to both versions of the Enterprise Mode Site List Manager. | -|[Save your site list to XML in the Enterprise Mode Site List Manager](save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md) |How to save a site list as XML, so you can deploy and use it with your managed systems.

          This topic applies to both versions of the Enterprise Mode Site List Manager. | -|[Export your Enterprise Mode site list from the Enterprise Mode Site List Manager](export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md) |How to export your site list so you can transfer your data and contents to someone else.

          This topic applies to both versions of the Enterprise Mode Site List Manager. | -|[Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](import-into-the-enterprise-mode-site-list-manager.md) |How to import your site list to replace a corrupted or out-of-date list.

          This topic applies to both versions of the Enterprise Mode Site List Manager. | -|[Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to delete a website from your site list.

          This topic applies to both versions of the Enterprise Mode Site List Manager. | -|[Remove all sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to delete all of the websites in a site list.

          This topic applies to both versions of the Enterprise Mode Site List Manager. | - -## Related topics - - -- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) -- [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Manager. +author: lomayor +ms.prod: ie11 +ms.assetid: f4dbed4c-08ff-40b1-ab3f-60d3b6e8ec9b +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 12/04/2017 +--- + + +# Use the Enterprise Mode Site List Manager + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. + +You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode. + +## Enterprise Mode Site List Manager versions +There are currently two versions of the Enterprise Site List Manager, both based on your schema and operating system. Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) or the [Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) tool, based on your operating system. + +|Schema version |Operating system |Enterprise Site List Manager version | +|-----------------|---------------|------------------------------------| +|Enterprise Mode schema, version 2 (v.2) |Windows 10
          -OR-
          Windows 8.1
          -OR-
          Windows 7|Uses the Enterprise Mode Site List Manager (schema v.2) and the v.2 version of the schema. If you import a v.1 version schema into the Enterprise Mode Site List Manager (schema v.2), the XML is saved into the v.2 version of the schema.

          For more info about the v.2 version of the schema, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md).| +|Enterprise Mode schema, version 1 (v.1) |Windows 10
          -OR-
          Windows 8.1
          -OR-
          Windows 7|Uses the Enterprise Mode Site List Manager (schema v.1) and the v.1 version of the schema.

          For more info about the v.1 version of the schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md)| + +## Using the Enterprise Mode Site List Manager +The following topics give you more information about the things that you can do with the Enterprise Mode Site List Manager. + +|Topic |Description | +|------|------------| +|[Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md) |How to add websites to your site list using the Enterprise Mode Site List Manager (schema v.2). | +|[Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md) |How to add websites to your site list using the Enterprise Mode Site List Manager (schema v.1). | +|[Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) |How to add several websites to your site list at the same time, using a text or XML file and the Enterprise Mode Site List Manager (schema v.2). | +|[Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) |How to add several websites to your site list at the same time, using a text or XML file and the WEnterprise Mode Site List Manager (schema v.1). | +|[Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager](edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md) |How to edit the compatibility mode for specific websites.

          This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md) |How to fix common site list validation errors.

          This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Search your Enterprise Mode site list in the Enterprise Mode Site List Manager](search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to look to see if a site is already in your global Enterprise Mode site list.

          This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Save your site list to XML in the Enterprise Mode Site List Manager](save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md) |How to save a site list as XML, so you can deploy and use it with your managed systems.

          This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Export your Enterprise Mode site list from the Enterprise Mode Site List Manager](export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md) |How to export your site list so you can transfer your data and contents to someone else.

          This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](import-into-the-enterprise-mode-site-list-manager.md) |How to import your site list to replace a corrupted or out-of-date list.

          This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to delete a website from your site list.

          This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Remove all sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to delete all of the websites in a site list.

          This topic applies to both versions of the Enterprise Mode Site List Manager. | + +## Related topics + + +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) +- [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md index 41c083dc6e..992abebb63 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md @@ -1,58 +1,58 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: support -description: Info about where features went in the IEAK11, where the Favorites, Command, and Status bars went, and where the search bar went. -author: lomayor -ms.prod: ie11 -ms.assetid: 7324faff-ccb6-4e14-ad91-af12dbca575e -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: User interface problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# User interface problems with Internet Explorer 11 -Some of the features in both Internet Explorer 11 and IEAK 11 have moved around. Here are some of the more common changes. - -## Where did features go in the Internet Explorer Customization Wizard 11? -Various installation or set up choices can prevent you from seeing certain pages in the Internet Explorer Customization Wizard 11. If, after going through the entire Wizard you still haven't found the screen you were looking for, try: - -- Making sure you picked the right version of IEAK 11 during installation. Most administrators should pick the **Internal** version, which has more screens and options available. - -- Making sure you picked all of the features you wanted from the **Feature Selection** page of the IE Customization Wizard 11. If you don't pick a feature, the associated page won't appear. - -## Where are the security zone settings? -You can see your security zone settings by opening Internet Explorer for the desktop, clicking **Internet Options** from the **Tools** menu, and then clicking **Security**. - -## Where did the Favorites, Command, and Status bars go? -For IE11, the UI has been changed to provide just the controls needed to support essential functionality, hiding anything considered non-essential, such as the **Favorites Bar**, **Command Bar**, **Menu Bar**, and **Status Bar**. This is intended to help focus users on the content of the page, rather than the browser itself. However, if you want these bars to appear, you can turn them back on using Group Policy settings. - - **To turn the toolbars back on** - -- Right click in the IE toolbar heading and choose to turn on the **Command bar**, **Favorites bar**, and **Status bar** from the menu. -

          -OR-

          - In IE, press ALT+V to show the View menu, press T to enter the Toolbars menu, and then press: - - - **C** to turn on the **Command Bar** - - - **F** to turn on the **Favorites Bar** - - - **S** to turn on the **Status Bar** - -## Where did the search box go? -IE11 uses the **One Box** feature, which lets users type search terms directly into the **Address bar**. Any text entered into the **Address bar** that doesn't appear to be a URL is automatically sent to the currently selected search provider. - ->[!NOTE] ->Depending on how you've set up your intranet search, the text entry might resolve to an intranet site. For more information about this, see [Intranet problems with Internet Explorer 11](intranet-problems-and-ie11.md). - - - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: support +description: Info about where features went in the IEAK11, where the Favorites, Command, and Status bars went, and where the search bar went. +author: lomayor +ms.prod: ie11 +ms.assetid: 7324faff-ccb6-4e14-ad91-af12dbca575e +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: User interface problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# User interface problems with Internet Explorer 11 +Some of the features in both Internet Explorer 11 and IEAK 11 have moved around. Here are some of the more common changes. + +## Where did features go in the Internet Explorer Customization Wizard 11? +Various installation or set up choices can prevent you from seeing certain pages in the Internet Explorer Customization Wizard 11. If, after going through the entire Wizard you still haven't found the screen you were looking for, try: + +- Making sure you picked the right version of IEAK 11 during installation. Most administrators should pick the **Internal** version, which has more screens and options available. + +- Making sure you picked all of the features you wanted from the **Feature Selection** page of the IE Customization Wizard 11. If you don't pick a feature, the associated page won't appear. + +## Where are the security zone settings? +You can see your security zone settings by opening Internet Explorer for the desktop, clicking **Internet Options** from the **Tools** menu, and then clicking **Security**. + +## Where did the Favorites, Command, and Status bars go? +For IE11, the UI has been changed to provide just the controls needed to support essential functionality, hiding anything considered non-essential, such as the **Favorites Bar**, **Command Bar**, **Menu Bar**, and **Status Bar**. This is intended to help focus users on the content of the page, rather than the browser itself. However, if you want these bars to appear, you can turn them back on using Group Policy settings. + + **To turn the toolbars back on** + +- Right click in the IE toolbar heading and choose to turn on the **Command bar**, **Favorites bar**, and **Status bar** from the menu. +

          -OR-

          + In IE, press ALT+V to show the View menu, press T to enter the Toolbars menu, and then press: + + - **C** to turn on the **Command Bar** + + - **F** to turn on the **Favorites Bar** + + - **S** to turn on the **Status Bar** + +## Where did the search box go? +IE11 uses the **One Box** feature, which lets users type search terms directly into the **Address bar**. Any text entered into the **Address bar** that doesn't appear to be a URL is automatically sent to the currently selected search provider. + +>[!NOTE] +>Depending on how you've set up your intranet search, the text entry might resolve to an intranet site. For more information about this, see [Intranet problems with Internet Explorer 11](intranet-problems-and-ie11.md). + + + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md index f003c50e45..2368c10f34 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md +++ b/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md @@ -1,60 +1,60 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: Use this section to learn about how to turn on and use IE7 Enterprise Mode or IE8 Enterprise Mode. -author: lomayor -ms.prod: ie11 -ms.assetid: 238ead3d-8920-429a-ac23-02f089c4384a -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Using IE7 Enterprise Mode or IE8 Enterprise Mode (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Using IE7 Enterprise Mode or IE8 Enterprise Mode - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Enterprise Mode gives you a way for your legacy websites and apps to run using emulated versions of Windows Internet Explorer 7 or Windows Internet Explorer 8, while your new sites and apps run using Internet Explorer 11, including modern standards and features. - -Although it’s called IE7 Enterprise Mode, it actually turns on Enterprise Mode along with Internet Explorer 7 or Microsoft Internet Explorer 5 Compatibility View. Compatibility View chooses which document mode to use based on whether there’s a `DOCTYPE` tag in your code: - -- **DOCTYPE tag found.** Webpages render using the Internet Explorer 7 document mode. -- **No DOCTYPE tag found.** Webpages render using the Internet Explorer 5 document mode. - -**Important**
          -Because we’ve added the IE7 Enterprise Mode option, we’ve had to rename the original functionality of Enterprise Mode to be IE8 Enterprise Mode. We’ve also replaced Edge Mode with IE11 Document Mode, so you can explicitly use IE11 on Windows 10. - -## Turning on and using IE7 Enterprise Mode or IE8 Enterprise Mode -For instructions about how to add IE7 Enterprise Mode or IE8 Enterprise Mode to your webpages and apps, see: - -- [Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md) - -- [Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md) - -- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) - -- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) - -For instructions and more info about how to fix your compatibility issues using Enterprise Mode, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). - -## Related topics -- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: Use this section to learn about how to turn on and use IE7 Enterprise Mode or IE8 Enterprise Mode. +author: lomayor +ms.prod: ie11 +ms.assetid: 238ead3d-8920-429a-ac23-02f089c4384a +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Using IE7 Enterprise Mode or IE8 Enterprise Mode (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Using IE7 Enterprise Mode or IE8 Enterprise Mode + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Enterprise Mode gives you a way for your legacy websites and apps to run using emulated versions of Windows Internet Explorer 7 or Windows Internet Explorer 8, while your new sites and apps run using Internet Explorer 11, including modern standards and features. + +Although it’s called IE7 Enterprise Mode, it actually turns on Enterprise Mode along with Internet Explorer 7 or Microsoft Internet Explorer 5 Compatibility View. Compatibility View chooses which document mode to use based on whether there’s a `DOCTYPE` tag in your code: + +- **DOCTYPE tag found.** Webpages render using the Internet Explorer 7 document mode. +- **No DOCTYPE tag found.** Webpages render using the Internet Explorer 5 document mode. + +**Important**
          +Because we’ve added the IE7 Enterprise Mode option, we’ve had to rename the original functionality of Enterprise Mode to be IE8 Enterprise Mode. We’ve also replaced Edge Mode with IE11 Document Mode, so you can explicitly use IE11 on Windows 10. + +## Turning on and using IE7 Enterprise Mode or IE8 Enterprise Mode +For instructions about how to add IE7 Enterprise Mode or IE8 Enterprise Mode to your webpages and apps, see: + +- [Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md) + +- [Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md) + +- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) + +- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) + +For instructions and more info about how to fix your compatibility issues using Enterprise Mode, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md index b2f95cad98..d744070926 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md +++ b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md @@ -1,66 +1,66 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use IEAK 11 while planning, customizing, and building the custom installation package. -author: lomayor -ms.prod: ie11 -ms.assetid: af93742f-f955-44ab-bfa2-7bf0c99045d3 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Using Internet Explorer Administration Kit 11 (IEAK 11) to create packages (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Using Internet Explorer Administration Kit 11 (IEAK 11) to create packages -Internet Explorer Administration Kit 11 (IEAK 11) helps you set up, deploy, and maintain Internet Explorer 11. - -**Note**
          IEAK 11 works in network environments, with or without Microsoft Active Directory. - -  - -## Plan, Customize, and Build with the IEAK 11 -Consider these activities while planning, customizing, and building the custom installation package. - -### Plan -Before you begin, you should: - -- **Check the operating system requirements.** Check that the requirements for the computer you're building your installation package from, and the computers you're installing IE11 to, all meet the system requirements for IEAK 11 and IE11. For Internet Explorer requirements, see [System requirements and language support for Internet Explorer 11 (IE11)](system-requirements-and-language-support-for-ie11.md). For IEAK 11 requirements, see [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md). - -- **Decide on your distribution method.** Decide how to distribute your custom installation package: Windows Update, System Center System Center 2012 R2 Configuration Manager, or your network. - -- **Gather URLs and branding and custom graphics.** Collect the URLs for your company's own **Home**, **Search**, and **Support** pages, plus any custom branding and graphic files for the browser toolbar button and the **Favorites** list icons. - -- **Identify trusted network servers.** Decide which servers your employees should use to install the custom IE package. These servers need to be listed as trusted sites. - -- **Set up automatic detection and configuration settings.** Decide whether to automatically customize IE11 the first time it's started. - -- **Identify custom components for uninstallation.** Decide whether to include any custom uninstallation programs. Uninstallation programs let your employees remove your custom components through **Uninstall or change a program** in the Control Panel. - -- **Identify ActiveX controls.** Decide if you'll use ActiveX controls in your company. If you already use ActiveX, you should get an inventory of your active controls. - -### Customize and build -After installing IE11 and the IEAK 11, you should: - -- **Prepare your build computer.** Create your build environment on the computer you're using to build the custom package. - -- **Create your branding and custom graphics.** If you don't have any, create custom branding and graphic files for the browser toolbar button and icons in your **Favorites** list. - -- **Specify your servers as trusted sites.** Identify your installation servers as trusted sites, in the **Trusted sites zone** of the **Internet Options** box. - -- **Turn on automatic detection and configuration settings (Optional).** Set up your network so that IE is automatically customized the first time it's started. - -- **Set up custom components for uninstallation.** Create the custom .inf file you'll use to register your custom uninstallation programs. - -- **Set up ActiveX controls.** Add any new ActiveX controls to the Axaa.adm file, using a text editor. - -- **Create a custom browser package.** Create your custom installation package, using IE Customization Wizard 11. For more information about using the wizard, see [Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options](../ie11-ieak/ieak11-wizard-custom-options.md). - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use IEAK 11 while planning, customizing, and building the custom installation package. +author: lomayor +ms.prod: ie11 +ms.assetid: af93742f-f955-44ab-bfa2-7bf0c99045d3 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Using Internet Explorer Administration Kit 11 (IEAK 11) to create packages (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Using Internet Explorer Administration Kit 11 (IEAK 11) to create packages +Internet Explorer Administration Kit 11 (IEAK 11) helps you set up, deploy, and maintain Internet Explorer 11. + +**Note**
          IEAK 11 works in network environments, with or without Microsoft Active Directory. + +  + +## Plan, Customize, and Build with the IEAK 11 +Consider these activities while planning, customizing, and building the custom installation package. + +### Plan +Before you begin, you should: + +- **Check the operating system requirements.** Check that the requirements for the computer you're building your installation package from, and the computers you're installing IE11 to, all meet the system requirements for IEAK 11 and IE11. For Internet Explorer requirements, see [System requirements and language support for Internet Explorer 11 (IE11)](system-requirements-and-language-support-for-ie11.md). For IEAK 11 requirements, see [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md). + +- **Decide on your distribution method.** Decide how to distribute your custom installation package: Windows Update, System Center System Center 2012 R2 Configuration Manager, or your network. + +- **Gather URLs and branding and custom graphics.** Collect the URLs for your company's own **Home**, **Search**, and **Support** pages, plus any custom branding and graphic files for the browser toolbar button and the **Favorites** list icons. + +- **Identify trusted network servers.** Decide which servers your employees should use to install the custom IE package. These servers need to be listed as trusted sites. + +- **Set up automatic detection and configuration settings.** Decide whether to automatically customize IE11 the first time it's started. + +- **Identify custom components for uninstallation.** Decide whether to include any custom uninstallation programs. Uninstallation programs let your employees remove your custom components through **Uninstall or change a program** in the Control Panel. + +- **Identify ActiveX controls.** Decide if you'll use ActiveX controls in your company. If you already use ActiveX, you should get an inventory of your active controls. + +### Customize and build +After installing IE11 and the IEAK 11, you should: + +- **Prepare your build computer.** Create your build environment on the computer you're using to build the custom package. + +- **Create your branding and custom graphics.** If you don't have any, create custom branding and graphic files for the browser toolbar button and icons in your **Favorites** list. + +- **Specify your servers as trusted sites.** Identify your installation servers as trusted sites, in the **Trusted sites zone** of the **Internet Options** box. + +- **Turn on automatic detection and configuration settings (Optional).** Set up your network so that IE is automatically customized the first time it's started. + +- **Set up custom components for uninstallation.** Create the custom .inf file you'll use to register your custom uninstallation programs. + +- **Set up ActiveX controls.** Add any new ActiveX controls to the Axaa.adm file, using a text editor. + +- **Create a custom browser package.** Create your custom installation package, using IE Customization Wizard 11. For more information about using the wizard, see [Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options](../ie11-ieak/ieak11-wizard-custom-options.md). + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md index 6c1dd0c421..a49bf820ae 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md +++ b/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md @@ -1,45 +1,45 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use Setup Information (.inf) files to create installation packages. -author: lomayor -ms.prod: ie11 -ms.assetid: 04fa2ba8-8d84-4af6-ab99-77e4f1961b0e -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Using Setup Information (.inf) files to create packages (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Using Setup Information (.inf) files to create install packages -IEAK 11 uses Setup information (.inf) files to provide uninstallation instructions. Uninstallation instructions let your employees remove components, like files, registry entries, or shortcuts, through the **Uninstall or change a program** box. For details about .inf files, see [INF File Sections and Directives](https://go.microsoft.com/fwlink/p/?LinkId=327959). - - **To add uninstallation instructions to the .inf files** - -- Open the Registry Editor (regedit.exe) and add these registry keys: - ``` - HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\app-name,"DisplayName",,"description" - HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\app-name,"UninstallString",,"command-line" - ``` - Where **"description"** is the name that shows up in the **Uninstall or change a program** box and **"command-line"** is the command that runs after the component is picked. -

          Note
          - Make sure your script removes the uninstallation registry key, too. Otherwise, the component name will continue to show up in the Uninstall or change a program. - -## Limitations -.Inf files have limitations: - -- You can't delete directories. - -- You can't use **RenFiles** to move a file to a different location, it only lets you rename a file in its existing location. For detailed information, see [INF RenFiles Directive](https://go.microsoft.com/fwlink/p/?LinkId=298508). - -- You can't use **CopyFiles** to copy a file to another place on your hard drive, it can only copy files from the source disk to the destination directory. For information, see [INF CopyFiles Directive](https://go.microsoft.com/fwlink/p/?LinkId=298510). - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use Setup Information (.inf) files to create installation packages. +author: lomayor +ms.prod: ie11 +ms.assetid: 04fa2ba8-8d84-4af6-ab99-77e4f1961b0e +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Using Setup Information (.inf) files to create packages (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Using Setup Information (.inf) files to create install packages +IEAK 11 uses Setup information (.inf) files to provide uninstallation instructions. Uninstallation instructions let your employees remove components, like files, registry entries, or shortcuts, through the **Uninstall or change a program** box. For details about .inf files, see [INF File Sections and Directives](https://go.microsoft.com/fwlink/p/?LinkId=327959). + + **To add uninstallation instructions to the .inf files** + +- Open the Registry Editor (regedit.exe) and add these registry keys: + ``` + HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\app-name,"DisplayName",,"description" + HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\app-name,"UninstallString",,"command-line" + ``` + Where **"description"** is the name that shows up in the **Uninstall or change a program** box and **"command-line"** is the command that runs after the component is picked. +

          Note
          + Make sure your script removes the uninstallation registry key, too. Otherwise, the component name will continue to show up in the Uninstall or change a program. + +## Limitations +.Inf files have limitations: + +- You can't delete directories. + +- You can't use **RenFiles** to move a file to a different location, it only lets you rename a file in its existing location. For detailed information, see [INF RenFiles Directive](https://go.microsoft.com/fwlink/p/?LinkId=298508). + +- You can't use **CopyFiles** to copy a file to another place on your hard drive, it can only copy files from the source disk to the destination directory. For information, see [INF CopyFiles Directive](https://go.microsoft.com/fwlink/p/?LinkId=298510). + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md index b0c9ec8690..5c7c0a3d23 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md @@ -1,70 +1,70 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Details about how to make sure your change request info is accurate within the pre-production environment of the Enterprise Mode Site List Portal. -author: lomayor -ms.prod: ie11 -title: Verify your changes using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp -ms.author: lomayor ---- - -# Verify your changes using the Enterprise Mode Site List Portal - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - ->[!Important] ->This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct. - -The Requester successfully submits a change request to the Enterprise Mode Site List Portal and then gets an email, including: - -- **EMIE_RegKey**. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List. - -- **Test steps**. The suggested steps about how to test the change request details to make sure they're accurate in the pre-production environment. - -- **EMIE_Reset**. A batch file that when run, reverts the changes made to the pre-production registry. - -## Verify and send the change request to Approvers -The Requester tests the changes and then goes back into the Enterprise Mode Site List Portal, **Pre-production verification** page to verify whether the testing was successful. - -**To verify changes and send to the Approver(s)** -1. On the **Pre-production verification** page, the Requester clicks **Successful** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the change request and testing results. - -2. The Requester reviews the pre-defined Approver(s), and then clicks **Send for approval**. - - The Requester, the Approver group, and the Administrator group all get an email, stating that the change request is waiting for approval. - - -**To rollback your pre-production changes** -1. On the **Pre-production verification** page, the Requester clicks **Failed** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the change request and testing results. - -2. Add a description about the issue into the **Issue description** box, and then click **Send failure details**. - - The change request and issue info are sent to the Administrators. - -3. The Requester clicks **Roll back** to roll back the changes in the pre-production environment. - - After the Requester rolls back the changes, the request can be updated and re-submitted. - - -## View rolled back change requests -The original Requester and the Administrator(s) group can view the rolled back change requests. - -**To view the rolled back change request** - -- In the Enterprise Mode Site List Portal, click **Rolled back** from the left pane. - - All rolled back change requests appear, with role assignment determining which ones are visible. - -## Next steps -If the change request is certified as successful, the Requester must next send it to the Approvers for approval. For the Approver-related steps, see the [Approve a change request using the Enterprise Mode Site List Portal](approve-change-request-enterprise-mode-portal.md) topic. +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how to make sure your change request info is accurate within the pre-production environment of the Enterprise Mode Site List Portal. +author: lomayor +ms.prod: ie11 +title: Verify your changes using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +--- + +# Verify your changes using the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +>[!Important] +>This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct. + +The Requester successfully submits a change request to the Enterprise Mode Site List Portal and then gets an email, including: + +- **EMIE_RegKey**. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List. + +- **Test steps**. The suggested steps about how to test the change request details to make sure they're accurate in the pre-production environment. + +- **EMIE_Reset**. A batch file that when run, reverts the changes made to the pre-production registry. + +## Verify and send the change request to Approvers +The Requester tests the changes and then goes back into the Enterprise Mode Site List Portal, **Pre-production verification** page to verify whether the testing was successful. + +**To verify changes and send to the Approver(s)** +1. On the **Pre-production verification** page, the Requester clicks **Successful** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the change request and testing results. + +2. The Requester reviews the pre-defined Approver(s), and then clicks **Send for approval**. + + The Requester, the Approver group, and the Administrator group all get an email, stating that the change request is waiting for approval. + + +**To rollback your pre-production changes** +1. On the **Pre-production verification** page, the Requester clicks **Failed** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the change request and testing results. + +2. Add a description about the issue into the **Issue description** box, and then click **Send failure details**. + + The change request and issue info are sent to the Administrators. + +3. The Requester clicks **Roll back** to roll back the changes in the pre-production environment. + + After the Requester rolls back the changes, the request can be updated and re-submitted. + + +## View rolled back change requests +The original Requester and the Administrator(s) group can view the rolled back change requests. + +**To view the rolled back change request** + +- In the Enterprise Mode Site List Portal, click **Rolled back** from the left pane. + + All rolled back change requests appear, with role assignment determining which ones are visible. + +## Next steps +If the change request is certified as successful, the Requester must next send it to the Approvers for approval. For the Approver-related steps, see the [Approve a change request using the Enterprise Mode Site List Portal](approve-change-request-enterprise-mode-portal.md) topic. diff --git a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md index ec478a69f7..5678e10583 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md @@ -1,45 +1,45 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Details about how the Requester makes sure that the change request update is accurate within the production environment using the Enterprise Mode Site List Portal. -author: lomayor -ms.prod: ie11 -title: Verify the change request update in the production environment using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp -ms.author: lomayor ---- - -# Verify the change request update in the production environment using the Enterprise Mode Site List Portal - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -## Verify and sign off on the update in the production environment -The Requester tests the changes in the production environment and then goes back into the Enterprise Mode Site List Portal, **Production verification** page to verify whether the testing was successful. - -**To verify the changes and sign off** -- On the **Production verification** page, the Requester clicks **Successful**, optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the testing results, optionally includes a description of the change, and then clicks **Sign off**. - - The Requester, Approver group, and Administrator group all get an email, stating that the change request has been signed off. - - -**To rollback production changes** -1. On the **Production verification** page, the Requester clicks **Failed** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the testing results. - -2. Add a description about the issue into the **Change description** box, and then click **Send failure details**. - - The info is sent to the Administrators. - -3. The Requester clicks **Roll back** to roll back the changes in the production environment. - - After the Requester rolls back the changes, the request is automatically handled in the production and pre-production environment site lists. - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how the Requester makes sure that the change request update is accurate within the production environment using the Enterprise Mode Site List Portal. +author: lomayor +ms.prod: ie11 +title: Verify the change request update in the production environment using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +--- + +# Verify the change request update in the production environment using the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +## Verify and sign off on the update in the production environment +The Requester tests the changes in the production environment and then goes back into the Enterprise Mode Site List Portal, **Production verification** page to verify whether the testing was successful. + +**To verify the changes and sign off** +- On the **Production verification** page, the Requester clicks **Successful**, optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the testing results, optionally includes a description of the change, and then clicks **Sign off**. + + The Requester, Approver group, and Administrator group all get an email, stating that the change request has been signed off. + + +**To rollback production changes** +1. On the **Production verification** page, the Requester clicks **Failed** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the testing results. + +2. Add a description about the issue into the **Change description** box, and then click **Send failure details**. + + The info is sent to the Administrators. + +3. The Requester clicks **Roll back** to roll back the changes in the production environment. + + After the Requester rolls back the changes, the request is automatically handled in the production and pre-production environment site lists. + diff --git a/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md index 491687cebc..3c60851368 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md +++ b/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md @@ -1,41 +1,41 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Details about how to view the active Enterprise Mode Site List from the Enterprise Mode Site List Portal. -author: lomayor -ms.prod: ie11 -title: View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp -ms.author: lomayor ---- - -# View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Any employee with access to the Enterprise Mode Site List Portal can view the apps included in the current Enterprise Mode Site List. - -**To view the active Enterprise Mode Site List** -1. Open the Enterprise Mode Site List Portal and click the **Production sites list** icon in the upper-right area of the page. - - The **Production sites list** page appears, with each app showing its URL, the compatibility mode to use, and the assigned browser to open the site. - -2. Click any URL to view the actual site, using the compatibility mode and opening in the correct browser. - - -**To export the active Enterprise Mode Site List** -1. On the **Production sites list** page, click **Export**. - -2. Save the ProductionSiteList.xlsx file. - - The Excel file includes all apps in the current Enterprise Mode Site List, including URL, compatibility mode, and assigned browser. +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how to view the active Enterprise Mode Site List from the Enterprise Mode Site List Portal. +author: lomayor +ms.prod: ie11 +title: View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +--- + +# View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Any employee with access to the Enterprise Mode Site List Portal can view the apps included in the current Enterprise Mode Site List. + +**To view the active Enterprise Mode Site List** +1. Open the Enterprise Mode Site List Portal and click the **Production sites list** icon in the upper-right area of the page. + + The **Production sites list** page appears, with each app showing its URL, the compatibility mode to use, and the assigned browser to open the site. + +2. Click any URL to view the actual site, using the compatibility mode and opening in the correct browser. + + +**To export the active Enterprise Mode Site List** +1. On the **Production sites list** page, click **Export**. + +2. Save the ProductionSiteList.xlsx file. + + The Excel file includes all apps in the current Enterprise Mode Site List, including URL, compatibility mode, and assigned browser. diff --git a/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md b/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md index f39f6b42eb..30db2d2faa 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md @@ -1,53 +1,53 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Details about how an Administrator can view the available Enterprise Mode reports from the Enterprise Mode Site List Portal. -author: lomayor -ms.prod: ie11 -title: View the available Enterprise Mode reports from the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp -ms.author: lomayor ---- - -# View the available Enterprise Mode reports from the Enterprise Mode Site List Portal - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Administrators can view the Microsoft-provided Enterprise Mode reports from the Enterprise Mode Site List Portal. - -**To view the reports** -1. Open the Enterprise Mode Site List Portal and click the **Enterprise Mode reports** icon in the upper-right area of the page. - - The **Enterprise Mode reports** page appears, with each app showing its URL, the compatibility mode to use, and the assigned browser to open the site. - -2. Use the calendars to provide the **From date** and **To date**, determining the span of time the report covers. - -3. Click **Apply**. - - The reports all change to reflect the appropriate timeframe and group, including: - - - **Total number of websites in the site list.** A box at the top of the reports page that tells you the total number of websites included in the Enterprise Mode Sit List. - - - **All websites by docmode.** Shows how many change requests exist, based on the different doc modes included in the **App best viewed in** field. - - - **All websites by browser.** Shows how many apps require which browser, including **IE11**, **MSEdge**, or **None**. - - - **All requests by status.** Shows how many change requests exist, based on each status. - - - **All requests by change type.** Shows how many change requests exist, based on the **Requested change** field. - - - **Request status by group.** Shows how many change requests exist, based on both group and status. - - - **Reasons for request.** Shows how many change request reasons exist, based on the **Reason for request** field. - - - **Requested changes by app name.** Shows what specific apps were **Added to site list**, **Deleted from site list**, or **Updated from site list**. +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how an Administrator can view the available Enterprise Mode reports from the Enterprise Mode Site List Portal. +author: lomayor +ms.prod: ie11 +title: View the available Enterprise Mode reports from the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +--- + +# View the available Enterprise Mode reports from the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Administrators can view the Microsoft-provided Enterprise Mode reports from the Enterprise Mode Site List Portal. + +**To view the reports** +1. Open the Enterprise Mode Site List Portal and click the **Enterprise Mode reports** icon in the upper-right area of the page. + + The **Enterprise Mode reports** page appears, with each app showing its URL, the compatibility mode to use, and the assigned browser to open the site. + +2. Use the calendars to provide the **From date** and **To date**, determining the span of time the report covers. + +3. Click **Apply**. + + The reports all change to reflect the appropriate timeframe and group, including: + + - **Total number of websites in the site list.** A box at the top of the reports page that tells you the total number of websites included in the Enterprise Mode Sit List. + + - **All websites by docmode.** Shows how many change requests exist, based on the different doc modes included in the **App best viewed in** field. + + - **All websites by browser.** Shows how many apps require which browser, including **IE11**, **MSEdge**, or **None**. + + - **All requests by status.** Shows how many change requests exist, based on each status. + + - **All requests by change type.** Shows how many change requests exist, based on the **Requested change** field. + + - **Request status by group.** Shows how many change requests exist, based on both group and status. + + - **Reasons for request.** Shows how many change request reasons exist, based on the **Reason for request** field. + + - **Requested changes by app name.** Shows what specific apps were **Added to site list**, **Deleted from site list**, or **Updated from site list**. diff --git a/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md index 30b5c76f3c..e83c91bf67 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md @@ -1,36 +1,36 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: virtualization -description: Virtualization and compatibility with Internet Explorer 11 -author: lomayor -ms.prod: ie11 -ms.assetid: b0388c04-2584-4b6d-a7a8-4e0476773a80 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Virtualization and compatibility with Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Virtualization and compatibility with Internet Explorer 11 -If your company is considering upgrading to the latest version of Internet Explorer, but is hesitant because of a large number of web apps that need to be tested and moved, we recommend that you consider virtualization. Virtualization lets you set up a virtual environment where you can run earlier versions of IE. - -**Important**
          -We strongly suggest that while you're using virtualization, you also update your web apps so they run natively in the newer version of IE. For more information about how to update your code, see the [Internet Explorer 11 Compatibility Cookbook (Windows)](https://go.microsoft.com/fwlink/p/?LinkId=279707) to learn about the developer features that have been changed or deprecated since Internet Explorer 10. - -The Microsoft-supported options for virtualizing web apps are: - -- **Microsoft Enterprise Desktop Virtualization (MED-V).** Uses Microsoft Virtual PC to provide an enterprise solution for desktop virtualization. With MED-V, you can easily create, deliver, and manage corporate Virtual PC images on any Windows®-based desktop. For more information, see [MED-V](https://go.microsoft.com/fwlink/p/?LinkId=271653). - -- **Client Hyper-V.** Uses the same virtualization technology previously available in Windows Server, but now installed for Windows 8.1. For more information, see [Client Hyper-V](https://go.microsoft.com/fwlink/p/?LinkId=271654).

          -For more information about virtualization options, see [Microsoft Desktop Virtualization](https://go.microsoft.com/fwlink/p/?LinkId=271662). - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: virtualization +description: Virtualization and compatibility with Internet Explorer 11 +author: lomayor +ms.prod: ie11 +ms.assetid: b0388c04-2584-4b6d-a7a8-4e0476773a80 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Virtualization and compatibility with Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Virtualization and compatibility with Internet Explorer 11 +If your company is considering upgrading to the latest version of Internet Explorer, but is hesitant because of a large number of web apps that need to be tested and moved, we recommend that you consider virtualization. Virtualization lets you set up a virtual environment where you can run earlier versions of IE. + +**Important**
          +We strongly suggest that while you're using virtualization, you also update your web apps so they run natively in the newer version of IE. For more information about how to update your code, see the [Internet Explorer 11 Compatibility Cookbook (Windows)](https://go.microsoft.com/fwlink/p/?LinkId=279707) to learn about the developer features that have been changed or deprecated since Internet Explorer 10. + +The Microsoft-supported options for virtualizing web apps are: + +- **Microsoft Enterprise Desktop Virtualization (MED-V).** Uses Microsoft Virtual PC to provide an enterprise solution for desktop virtualization. With MED-V, you can easily create, deliver, and manage corporate Virtual PC images on any Windows®-based desktop. For more information, see [MED-V](https://go.microsoft.com/fwlink/p/?LinkId=271653). + +- **Client Hyper-V.** Uses the same virtualization technology previously available in Windows Server, but now installed for Windows 8.1. For more information, see [Client Hyper-V](https://go.microsoft.com/fwlink/p/?LinkId=271654).

          +For more information about virtualization options, see [Microsoft Desktop Virtualization](https://go.microsoft.com/fwlink/p/?LinkId=271662). + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md index b9089a1624..0212685d25 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md +++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md @@ -1,168 +1,168 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Info about the features included in Enterprise Mode with Internet Explorer 11. -author: lomayor -ms.prod: ie11 -ms.assetid: 3c77e9f3-eb21-46d9-b5aa-f9b2341cfefa -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Enterprise Mode and the Enterprise Mode Site List (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 10/25/2018 ---- - - -# Enterprise Mode and the Enterprise Mode Site List - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Internet Explorer and Microsoft Edge can work together to support your legacy web apps, while still defaulting to the higher bar for security and modern experiences enabled by Microsoft Edge. Working with multiple browsers can be difficult, particularly if you have a substantial number of internal sites. To help manage this dual-browser experience, we are introducing a new web tool specifically targeted towards larger organizations: the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal). - -## Available dual-browser experiences -If you have specific websites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the websites automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work correctly with Microsoft Edge, you can set all intranet sites to open using IE11 automatically. - -Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. - ->[!TIP] -> If you are running an earlier version of Internet Explorer, we recommend upgrading to IE11, so that any legacy apps continue to work correctly. - -For Windows 10 and Windows 10 Mobile, Microsoft Edge is the default browser experience. However, Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List. - - -## What is Enterprise Mode? -Enterprise Mode, a compatibility mode that runs on Internet Explorer 11 on Windows 10, Windows 8.1, and Windows 7 devices, lets websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8. Running in this mode helps to avoid many of the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. - -Many customers identify web app compatibility as a significant cost to upgrading because web apps need to be tested and upgraded before adopting a new browser. The improved compatibility provided by Enterprise Mode can help give customers confidence to upgrade to IE11, letting customers benefit from modern web standards, increased performance, improved security, and better reliability. - -### Enterprise Mode features -Enterprise Mode includes the following features: - -- **Improved web app and website compatibility.** Through improved emulation, Enterprise Mode lets many legacy web apps run unmodified on IE11, supporting several site patterns that aren’t currently supported by existing document modes. - -- **Tool-based management for website lists.** Use the Enterprise Mode Site List Manager to add website domains and domain paths and to specify whether a site renders using Enterprise Mode. -Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) or the [Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378), based on your operating system and schema. - -- **Centralized control.** You can specify the websites or web apps to interpret using Enterprise Mode, through an XML file on a website or stored locally. Domains and paths within those domains can be treated differently, allowing granular control. Use Group Policy to let users turn Enterprise Mode on or off from the Tools menu and to decide whether the Enterprise browser profile appears on the Emulation tab of the F12 developer tools. - - >[!Important] - >All centrally-made decisions override any locally-made choices. - -- **Integrated browsing.** When Enterprise Mode is set up, users can browse the web normally, letting the browser change modes automatically to accommodate Enterprise Mode sites. - -- **Data gathering.** You can configure Enterprise Mode to collect local override data, posting back to a named server. This lets you "crowd source" compatibility testing from key users; gathering their findings to add to your central site list. - -## Enterprise Mode and the Enterprise Mode Site List XML file -The Enterprise Mode Site List is an XML document that specifies a list of sites, their compat mode, and their intended browser. Using [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853), you can automatically start a webpage using a specific browser. In the case of IE11, the webpage can also be launched in a specific compat mode, so it always renders correctly. Your employees can easily view this site list by typing _about:compat_ in either Microsoft Edge or IE11. - -Starting with Windows 10, version 1511 (also known as the Anniversary Update), you can also [restrict IE11 to only the legacy web apps that need it](https://blogs.windows.com/msedgedev/2016/05/19/edge14-ie11-better-together/), automatically sending sites not included in the Enterprise Mode Site List to Microsoft Edge. - -### Site list xml file -This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](turn-on-enterprise-mode-and-use-a-site-list.md). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compat mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location. - -```xml - - - - EnterpriseSiteListManager - 10586 - 20150728.135021 - - - - IE8Enterprise - IE11 - - - default - IE11 - - - IE7Enterprise - IE11 - - - - - IE8Enterprise" - IE11 - - - IE7 - IE11 - - - IE7 - IE11 - - - -``` - -## Enterprise Mode Site List Manager and the Enterprise Mode Site List Portal tools -You can build and manage your Enterprise Mode Site List is by using any generic text editor. However, we’ve also provided a couple tools that can make that process even easier. - -### Enterprise Mode Site List Manager -This tool helps you create error-free XML documents with simple n+1 versioning and URL verification. We recommend using this tool if your site list is relatively small. For more info about this tool, see the Use the [Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics. - -There are 2 versions of this tool, both supported on Windows 7, Windows 8.1, and Windows 10: - -- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501). This is an older version of the schema that you must use if you want to create and update your Enterprise Mode Site List for devices running the v.1 version of the schema. - - We strongly recommend moving to the new schema, v.2. For more info, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md). - -- [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974). The updated version of the schema, including new functionality. You can use this version of the schema to create and update your Enterprise Mode Site List for devices running the v.2 version of the schema. - - If you open a v.1 version of your Enterprise Mode Site List using this version, it will update the schema to v.2, automatically. For more info, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). - -If your list is too large to add individual sites, or if you have more than one person managing the site list, we recommend using the Enterprise Site List Portal. - -### Enterprise Mode Site List Portal -The [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management. - -In addition to all the functionality of the Enterprise Mode Site List Manager tool, the Enterprise Mode Site List Portal helps you: - -- Manage site lists from any device supporting Windows 7 or greater. - -- Submit change requests. - -- Operate offline through an on-premise solution. - -- Provide role-based governance. - -- Test configuration settings before releasing to a live environment. - -Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later. - -Because the tool is open-source, the source code is readily available for examination and experimentation. We encourage you to [fork the code, submit pull requests, and send us your feedback](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)! For more info about the Enterprise Mode Site List Portal, see the [Use the Enterprise Mode Site List Portal](use-the-enterprise-mode-portal.md) topics. - -## Related topics - -- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) - -- [Technical guidance, tools, and resources on Enterprise browsing](https://technet.microsoft.com/ie) - -- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501) - -- [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974) - -- [Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) - -- [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md) - -- [Web Application Compatibility Lab Kit](https://technet.microsoft.com/microsoft-edge/mt612809.aspx) - -- [Microsoft Services Support](https://www.microsoft.com/en-us/microsoftservices/support.aspx) - -- [Find a Microsoft partner on Pinpoint](https://partnercenter.microsoft.com/pcv/search) +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Info about the features included in Enterprise Mode with Internet Explorer 11. +author: lomayor +ms.prod: ie11 +ms.assetid: 3c77e9f3-eb21-46d9-b5aa-f9b2341cfefa +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Enterprise Mode and the Enterprise Mode Site List (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 10/25/2018 +--- + + +# Enterprise Mode and the Enterprise Mode Site List + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Internet Explorer and Microsoft Edge can work together to support your legacy web apps, while still defaulting to the higher bar for security and modern experiences enabled by Microsoft Edge. Working with multiple browsers can be difficult, particularly if you have a substantial number of internal sites. To help manage this dual-browser experience, we are introducing a new web tool specifically targeted towards larger organizations: the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal). + +## Available dual-browser experiences +If you have specific websites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the websites automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work correctly with Microsoft Edge, you can set all intranet sites to open using IE11 automatically. + +Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. + +>[!TIP] +> If you are running an earlier version of Internet Explorer, we recommend upgrading to IE11, so that any legacy apps continue to work correctly. + +For Windows 10 and Windows 10 Mobile, Microsoft Edge is the default browser experience. However, Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List. + + +## What is Enterprise Mode? +Enterprise Mode, a compatibility mode that runs on Internet Explorer 11 on Windows 10, Windows 8.1, and Windows 7 devices, lets websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8. Running in this mode helps to avoid many of the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. + +Many customers identify web app compatibility as a significant cost to upgrading because web apps need to be tested and upgraded before adopting a new browser. The improved compatibility provided by Enterprise Mode can help give customers confidence to upgrade to IE11, letting customers benefit from modern web standards, increased performance, improved security, and better reliability. + +### Enterprise Mode features +Enterprise Mode includes the following features: + +- **Improved web app and website compatibility.** Through improved emulation, Enterprise Mode lets many legacy web apps run unmodified on IE11, supporting several site patterns that aren’t currently supported by existing document modes. + +- **Tool-based management for website lists.** Use the Enterprise Mode Site List Manager to add website domains and domain paths and to specify whether a site renders using Enterprise Mode. +Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) or the [Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378), based on your operating system and schema. + +- **Centralized control.** You can specify the websites or web apps to interpret using Enterprise Mode, through an XML file on a website or stored locally. Domains and paths within those domains can be treated differently, allowing granular control. Use Group Policy to let users turn Enterprise Mode on or off from the Tools menu and to decide whether the Enterprise browser profile appears on the Emulation tab of the F12 developer tools. + + >[!Important] + >All centrally-made decisions override any locally-made choices. + +- **Integrated browsing.** When Enterprise Mode is set up, users can browse the web normally, letting the browser change modes automatically to accommodate Enterprise Mode sites. + +- **Data gathering.** You can configure Enterprise Mode to collect local override data, posting back to a named server. This lets you "crowd source" compatibility testing from key users; gathering their findings to add to your central site list. + +## Enterprise Mode and the Enterprise Mode Site List XML file +The Enterprise Mode Site List is an XML document that specifies a list of sites, their compat mode, and their intended browser. Using [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853), you can automatically start a webpage using a specific browser. In the case of IE11, the webpage can also be launched in a specific compat mode, so it always renders correctly. Your employees can easily view this site list by typing _about:compat_ in either Microsoft Edge or IE11. + +Starting with Windows 10, version 1511 (also known as the Anniversary Update), you can also [restrict IE11 to only the legacy web apps that need it](https://blogs.windows.com/msedgedev/2016/05/19/edge14-ie11-better-together/), automatically sending sites not included in the Enterprise Mode Site List to Microsoft Edge. + +### Site list xml file +This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](turn-on-enterprise-mode-and-use-a-site-list.md). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compat mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location. + +```xml + + + + EnterpriseSiteListManager + 10586 + 20150728.135021 + + + + IE8Enterprise + IE11 + + + default + IE11 + + + IE7Enterprise + IE11 + + + + + IE8Enterprise" + IE11 + + + IE7 + IE11 + + + IE7 + IE11 + + + +``` + +## Enterprise Mode Site List Manager and the Enterprise Mode Site List Portal tools +You can build and manage your Enterprise Mode Site List is by using any generic text editor. However, we’ve also provided a couple tools that can make that process even easier. + +### Enterprise Mode Site List Manager +This tool helps you create error-free XML documents with simple n+1 versioning and URL verification. We recommend using this tool if your site list is relatively small. For more info about this tool, see the Use the [Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics. + +There are 2 versions of this tool, both supported on Windows 7, Windows 8.1, and Windows 10: + +- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501). This is an older version of the schema that you must use if you want to create and update your Enterprise Mode Site List for devices running the v.1 version of the schema. + + We strongly recommend moving to the new schema, v.2. For more info, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md). + +- [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974). The updated version of the schema, including new functionality. You can use this version of the schema to create and update your Enterprise Mode Site List for devices running the v.2 version of the schema. + + If you open a v.1 version of your Enterprise Mode Site List using this version, it will update the schema to v.2, automatically. For more info, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). + +If your list is too large to add individual sites, or if you have more than one person managing the site list, we recommend using the Enterprise Site List Portal. + +### Enterprise Mode Site List Portal +The [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management. + +In addition to all the functionality of the Enterprise Mode Site List Manager tool, the Enterprise Mode Site List Portal helps you: + +- Manage site lists from any device supporting Windows 7 or greater. + +- Submit change requests. + +- Operate offline through an on-premise solution. + +- Provide role-based governance. + +- Test configuration settings before releasing to a live environment. + +Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later. + +Because the tool is open-source, the source code is readily available for examination and experimentation. We encourage you to [fork the code, submit pull requests, and send us your feedback](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)! For more info about the Enterprise Mode Site List Portal, see the [Use the Enterprise Mode Site List Portal](use-the-enterprise-mode-portal.md) topics. + +## Related topics + +- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) + +- [Technical guidance, tools, and resources on Enterprise browsing](https://technet.microsoft.com/ie) + +- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501) + +- [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974) + +- [Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) + +- [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md) + +- [Web Application Compatibility Lab Kit](https://technet.microsoft.com/microsoft-edge/mt612809.aspx) + +- [Microsoft Services Support](https://www.microsoft.com/en-us/microsoftservices/support.aspx) + +- [Find a Microsoft partner on Pinpoint](https://partnercenter.microsoft.com/pcv/search) diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md index f1e454751b..2343973365 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md +++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md @@ -1,152 +1,152 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: support -ms.pagetype: security -description: How to download and use the Internet Explorer 11 Blocker Toolkit to turn off the automatic delivery of IE11 through the Automatic Updates feature of Windows Update. -author: lomayor -ms.author: lomayor -ms.manager: elizapo -ms.prod: ie11 -ms.assetid: fafeaaee-171c-4450-99f7-5cc7f8d7ba91 -ms.reviewer: -manager: dansimp -title: What is the Internet Explorer 11 Blocker Toolkit? (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 05/10/2018 ---- - - -# What is the Internet Explorer 11 Blocker Toolkit? - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -The Internet Explorer 11 Blocker Toolkit lets you turn off the automatic delivery of IE11 through the **Automatic Updates** feature of Windows Update. - ->[!IMPORTANT] ->The IE11 Blocker Toolkit does not stop users from manually installing IE11 from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?linkid=327753). Also, even if you have installed previous versions of the toolkit before, like for Internet Explorer 10, you still need to install this version to prevent the installation of IE11. - -## Install the toolkit - -1. Download the IE11 Blocker Toolkit from [Toolkit to Disable Automatic Delivery of Internet Explorer 11](https://go.microsoft.com/fwlink/p/?LinkId=327745). - -2. Accept the license agreement and store the included four files on your local computer. - -3. Start an elevated Command Prompt by going to **Start**>**All Programs**>**Accessories**> right-clicking on **Command Prompt**, and then choosing **Run as Administrator**. - -4. In the Command Prompt, change to the location where you put the 4 files. - -5. In the Command Prompt, type `ie11_blocker.cmd /B` and press Enter.

          -Wait for the message, **Blocking deployment of IE11 on the local machine. The operation completed successfully.** - -6. Close the Command Prompt. - -For answers to frequently asked questions, see [Internet Explorer 11 Blocker Toolkit: Frequently Asked Questions](https://go.microsoft.com/fwlink/p/?LinkId=314063). - -## Automatic updates -Internet Explorer 11 makes browsing the web faster, easier, safer, and more reliable than ever. To help customers become more secure and up-to-date, Microsoft will distribute Internet Explorer 11 through Automatic Updates and the Windows Update and Microsoft Update sites. Internet Explorer 11 will be available for users of the 32-bit and 64-bit versions of Windows 7 Service Pack 1 (SP1), and 64-bit version of Windows Server 2008 R2 SP1. This article provides an overview of the delivery process and options available for IT administrators to control how and when Internet Explorer 11 is deployed to their organization through Automatic Updates. - -### Automatic delivery process -Internet Explorer 11 only downloads and installs if it’s available for delivery through Automatic Updates; and Automatic Updates only offer Internet Explorer 11 to users with local administrator accounts. User’s without local administrator accounts won’t be prompted to install the update and will continue using their current version of Internet Explorer. - -Internet Explorer 11 replaces Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10. If you decide you don’t want Internet Explorer 11, and you’re running Windows 7 SP1 or Windows Server 2008 R2 with SP1, you can uninstall it from the **View installed updates** section of the **Uninstall an update** page of the Control Panel.  - -### Internet Explorer 11 automatic upgrades - -Internet Explorer 11 is offered through Automatic Updates and Windows Update as an Important update. Users running Windows 7 SP1, who have chosen to download and install updates automatically through Windows Update, are automatically upgraded to Internet Explorer 11. - -Users who were automatically upgraded to Internet Explorer 11 can decide to uninstall Internet Explorer 11. However, Internet Explorer 11 will still appear as an optional update through Windows Update. - -### Options for blocking automatic delivery - -If you use Automatic Updates in your company, but want to stop your users from automatically getting Internet Explorer 11, do one of the following: - -- **Download and use the Internet Explorer 11 Blocker Toolkit.** Includes a Group Policy template and a script that permanently blocks Internet Explorer 11 from being offered by Windows Update or Microsoft Update as a high-priority update. You can download this kit from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722). - - >[!NOTE] - >The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11). - -- **Use an update management solution to control update deployment.** If you already use an update management solution, like [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [System Center 2012 Configuration Manager](https://go.microsoft.com/fwlink/?LinkID=276664), you should use that instead of the Internet Explorer Blocker Toolkit. - ->[!NOTE] ->If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. - - -### Prevent automatic installation of Internet Explorer 11 with WSUS - -Internet Explorer 11 will be released to WSUS as an Update Rollup package. Therefore, if you’ve configured WSUS to “auto-approve” Update Rollup packages, it’ll be automatically approved and installed. To stop Internet Explorer 11 from being automatically approved for installation, you need to: - -1. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**. - -2. Expand *ComputerName*, and then click **Options**. - -3. Click **Automatic Approvals**. - -4. Click the rule that automatically approves an update that is classified as Update Rollup, and then click **Edit.** - - >[!NOTE] - >If you don’t see a rule like this, you most likely haven’t configured WSUS to automatically approve Update Rollups for installation. In this situation, you don’t have to do anything else. - -5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section. - - >[!NOTE] - >The properties for this rule will resemble the following:

          • When an update is in Update Rollups
          • Approve the update for all computers
          - -6. Clear the **Update Rollup** check box, and then click **OK**. - -7. Click **OK** to close the **Automatic Approvals** dialog box. - -After the new Internet Explorer 11 package is available for download, you should manually synchronize the new package to your WSUS server, so that when you re-enable auto-approval it won’t be automatically installed. - -1. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**. - -2. Expand *ComputerName*, and then click **Synchronizations**. - -3. Click **Synchronize Now**. - -4. Expand *ComputerName*, expand **Updates**, and then click **All Updates**. - -5. Choose **Unapproved** in the **Approval**drop down box. - -6. Check to make sure that Microsoft Internet Explorer 11 is listed as an unapproved update. - ->[!NOTE] ->There may be multiple updates, depending on the imported language and operating system updates. - -### Optional - Reset update rollups packages to auto-approve - -1. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**. - -2. Expand *ComputerName*, and then click **Options**. - -3. Click **Automatic Approvals**. - -4. Click the rule that automatically approves updates of different classifications, and then click **Edit**. - -5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section. - -6. Check the **Update Rollups** check box, and then click **OK**. - -7. Click **OK** to close the **Automatic Approvals** dialog box. - ->[!NOTE] ->Because auto-approval rules are only evaluated when an update is first imported into WSUS, turning this rule back on after the Internet Explorer 11 update has been imported and synchronized to the server won’t cause this update to be auto-approved. - - - -## Additional resources - -- [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722) - -- [Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions](../ie11-faq/faq-ie11-blocker-toolkit.md) - -- [Internet Explorer 11 FAQ for IT pros](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11) - -- [Internet Explorer 11 delivery through automatic updates](ie11-delivery-through-automatic-updates.md) - -- [Internet Explorer 11 deployment guide](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/index) +--- +ms.localizationpriority: medium +ms.mktglfcycl: support +ms.pagetype: security +description: How to download and use the Internet Explorer 11 Blocker Toolkit to turn off the automatic delivery of IE11 through the Automatic Updates feature of Windows Update. +author: lomayor +ms.author: lomayor +ms.manager: elizapo +ms.prod: ie11 +ms.assetid: fafeaaee-171c-4450-99f7-5cc7f8d7ba91 +ms.reviewer: +audience: itpro manager: dansimp +title: What is the Internet Explorer 11 Blocker Toolkit? (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 05/10/2018 +--- + + +# What is the Internet Explorer 11 Blocker Toolkit? + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +The Internet Explorer 11 Blocker Toolkit lets you turn off the automatic delivery of IE11 through the **Automatic Updates** feature of Windows Update. + +>[!IMPORTANT] +>The IE11 Blocker Toolkit does not stop users from manually installing IE11 from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?linkid=327753). Also, even if you have installed previous versions of the toolkit before, like for Internet Explorer 10, you still need to install this version to prevent the installation of IE11. + +## Install the toolkit + +1. Download the IE11 Blocker Toolkit from [Toolkit to Disable Automatic Delivery of Internet Explorer 11](https://go.microsoft.com/fwlink/p/?LinkId=327745). + +2. Accept the license agreement and store the included four files on your local computer. + +3. Start an elevated Command Prompt by going to **Start**>**All Programs**>**Accessories**> right-clicking on **Command Prompt**, and then choosing **Run as Administrator**. + +4. In the Command Prompt, change to the location where you put the 4 files. + +5. In the Command Prompt, type `ie11_blocker.cmd /B` and press Enter.

          +Wait for the message, **Blocking deployment of IE11 on the local machine. The operation completed successfully.** + +6. Close the Command Prompt. + +For answers to frequently asked questions, see [Internet Explorer 11 Blocker Toolkit: Frequently Asked Questions](https://go.microsoft.com/fwlink/p/?LinkId=314063). + +## Automatic updates +Internet Explorer 11 makes browsing the web faster, easier, safer, and more reliable than ever. To help customers become more secure and up-to-date, Microsoft will distribute Internet Explorer 11 through Automatic Updates and the Windows Update and Microsoft Update sites. Internet Explorer 11 will be available for users of the 32-bit and 64-bit versions of Windows 7 Service Pack 1 (SP1), and 64-bit version of Windows Server 2008 R2 SP1. This article provides an overview of the delivery process and options available for IT administrators to control how and when Internet Explorer 11 is deployed to their organization through Automatic Updates. + +### Automatic delivery process +Internet Explorer 11 only downloads and installs if it’s available for delivery through Automatic Updates; and Automatic Updates only offer Internet Explorer 11 to users with local administrator accounts. User’s without local administrator accounts won’t be prompted to install the update and will continue using their current version of Internet Explorer. + +Internet Explorer 11 replaces Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10. If you decide you don’t want Internet Explorer 11, and you’re running Windows 7 SP1 or Windows Server 2008 R2 with SP1, you can uninstall it from the **View installed updates** section of the **Uninstall an update** page of the Control Panel.  + +### Internet Explorer 11 automatic upgrades + +Internet Explorer 11 is offered through Automatic Updates and Windows Update as an Important update. Users running Windows 7 SP1, who have chosen to download and install updates automatically through Windows Update, are automatically upgraded to Internet Explorer 11. + +Users who were automatically upgraded to Internet Explorer 11 can decide to uninstall Internet Explorer 11. However, Internet Explorer 11 will still appear as an optional update through Windows Update. + +### Options for blocking automatic delivery + +If you use Automatic Updates in your company, but want to stop your users from automatically getting Internet Explorer 11, do one of the following: + +- **Download and use the Internet Explorer 11 Blocker Toolkit.** Includes a Group Policy template and a script that permanently blocks Internet Explorer 11 from being offered by Windows Update or Microsoft Update as a high-priority update. You can download this kit from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722). + + >[!NOTE] + >The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11). + +- **Use an update management solution to control update deployment.** If you already use an update management solution, like [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [System Center 2012 Configuration Manager](https://go.microsoft.com/fwlink/?LinkID=276664), you should use that instead of the Internet Explorer Blocker Toolkit. + +>[!NOTE] +>If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. + + +### Prevent automatic installation of Internet Explorer 11 with WSUS + +Internet Explorer 11 will be released to WSUS as an Update Rollup package. Therefore, if you’ve configured WSUS to “auto-approve” Update Rollup packages, it’ll be automatically approved and installed. To stop Internet Explorer 11 from being automatically approved for installation, you need to: + +1. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**. + +2. Expand *ComputerName*, and then click **Options**. + +3. Click **Automatic Approvals**. + +4. Click the rule that automatically approves an update that is classified as Update Rollup, and then click **Edit.** + + >[!NOTE] + >If you don’t see a rule like this, you most likely haven’t configured WSUS to automatically approve Update Rollups for installation. In this situation, you don’t have to do anything else. + +5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section. + + >[!NOTE] + >The properties for this rule will resemble the following:

          • When an update is in Update Rollups
          • Approve the update for all computers
          + +6. Clear the **Update Rollup** check box, and then click **OK**. + +7. Click **OK** to close the **Automatic Approvals** dialog box. + +After the new Internet Explorer 11 package is available for download, you should manually synchronize the new package to your WSUS server, so that when you re-enable auto-approval it won’t be automatically installed. + +1. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**. + +2. Expand *ComputerName*, and then click **Synchronizations**. + +3. Click **Synchronize Now**. + +4. Expand *ComputerName*, expand **Updates**, and then click **All Updates**. + +5. Choose **Unapproved** in the **Approval**drop down box. + +6. Check to make sure that Microsoft Internet Explorer 11 is listed as an unapproved update. + +>[!NOTE] +>There may be multiple updates, depending on the imported language and operating system updates. + +### Optional - Reset update rollups packages to auto-approve + +1. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**. + +2. Expand *ComputerName*, and then click **Options**. + +3. Click **Automatic Approvals**. + +4. Click the rule that automatically approves updates of different classifications, and then click **Edit**. + +5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section. + +6. Check the **Update Rollups** check box, and then click **OK**. + +7. Click **OK** to close the **Automatic Approvals** dialog box. + +>[!NOTE] +>Because auto-approval rules are only evaluated when an update is first imported into WSUS, turning this rule back on after the Internet Explorer 11 update has been imported and synchronized to the server won’t cause this update to be auto-approved. + + + +## Additional resources + +- [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722) + +- [Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions](../ie11-faq/faq-ie11-blocker-toolkit.md) + +- [Internet Explorer 11 FAQ for IT pros](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11) + +- [Internet Explorer 11 delivery through automatic updates](ie11-delivery-through-automatic-updates.md) + +- [Internet Explorer 11 deployment guide](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/index) diff --git a/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md index 86d1ead8ce..e9ee67796d 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md @@ -1,46 +1,46 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Use the topics in this section to learn how to perform all of the workflow-related processes in the Enterprise Mode Site List Portal. -author: lomayor -ms.prod: ie11 -title: Workflow-based processes for employees using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp -ms.author: lomayor ---- - - -# Workflow-based processes for employees using the Enterprise Mode Site List Portal - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Use the topics in this section to learn how to perform the available Enterprise Mode Site List Portal processes, based on workflow. - -## In this section -|Topic |Description | -|---------------------------------------------------------------|-----------------------------------------------------------------------------------| -|[Create a change request using the Enterprise Mode Site List Portal](create-change-request-enterprise-mode-portal.md)|Details about how the Requester creates a change request in the Enterprise Mode Site List Portal.| -|[Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md)|Details about how the Requester tests a change request in the pre-production environment of the Enterprise Mode Site List Portal.| -|[Approve a change request using the Enterprise Mode Site List Portal](approve-change-request-enterprise-mode-portal.md)|Details about how the Approver(s) approve a change request in the Enterprise Mode Site List Portal.| -|[Schedule approved change requests for production using the Enterprise Mode Site List Portal](schedule-production-change-enterprise-mode-portal.md)|Details about how the Requester schedules the approved change request update in the Enterprise Mode Site List Portal.| -|[Verify the change request update in the production environment using the Enterprise Mode Site List Portal](verify-changes-production-enterprise-mode-portal.md)|Details about how the Requester tests an update in the production environment of the Enterprise Mode Site List Portal.| -|[View the apps currently on the Enterprise Mode Site List](view-apps-enterprise-mode-site-list.md)|Details about how anyone with access to the portal can review the apps already on the active Enterprise Mode Site List.| -|[View the available Enterprise Mode reports from the Enterprise Mode Site List Portal](view-enterprise-mode-reports-for-portal.md) |Details about how the Administrator can view the view the Microsoft-provided Enterprise Mode reports from the Enterprise Mode Site List Portal. | - - -## Related topics -- [Set up the Enterprise Mode Site List Portal](set-up-enterprise-mode-portal.md) - -- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) - -- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md) +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Use the topics in this section to learn how to perform all of the workflow-related processes in the Enterprise Mode Site List Portal. +author: lomayor +ms.prod: ie11 +title: Workflow-based processes for employees using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +--- + + +# Workflow-based processes for employees using the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Use the topics in this section to learn how to perform the available Enterprise Mode Site List Portal processes, based on workflow. + +## In this section +|Topic |Description | +|---------------------------------------------------------------|-----------------------------------------------------------------------------------| +|[Create a change request using the Enterprise Mode Site List Portal](create-change-request-enterprise-mode-portal.md)|Details about how the Requester creates a change request in the Enterprise Mode Site List Portal.| +|[Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md)|Details about how the Requester tests a change request in the pre-production environment of the Enterprise Mode Site List Portal.| +|[Approve a change request using the Enterprise Mode Site List Portal](approve-change-request-enterprise-mode-portal.md)|Details about how the Approver(s) approve a change request in the Enterprise Mode Site List Portal.| +|[Schedule approved change requests for production using the Enterprise Mode Site List Portal](schedule-production-change-enterprise-mode-portal.md)|Details about how the Requester schedules the approved change request update in the Enterprise Mode Site List Portal.| +|[Verify the change request update in the production environment using the Enterprise Mode Site List Portal](verify-changes-production-enterprise-mode-portal.md)|Details about how the Requester tests an update in the production environment of the Enterprise Mode Site List Portal.| +|[View the apps currently on the Enterprise Mode Site List](view-apps-enterprise-mode-site-list.md)|Details about how anyone with access to the portal can review the apps already on the active Enterprise Mode Site List.| +|[View the available Enterprise Mode reports from the Enterprise Mode Site List Portal](view-enterprise-mode-reports-for-portal.md) |Details about how the Administrator can view the view the Microsoft-provided Enterprise Mode reports from the Enterprise Mode Site List Portal. | + + +## Related topics +- [Set up the Enterprise Mode Site List Portal](set-up-enterprise-mode-portal.md) + +- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) + +- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md) diff --git a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md index 0eb0c067b3..9230c868d0 100644 --- a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md +++ b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md @@ -1,203 +1,203 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: explore -description: Frequently asked questions about Internet Explorer 11 for IT Pros -author: lomayor -ms.prod: ie11 -ms.assetid: 140e7d33-584a-44da-8c68-6c1d568e1de3 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Internet Explorer 11 - FAQ for IT Pros (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 10/16/2017 ---- - - -# Internet Explorer 11 - FAQ for IT Pros -Answering frequently asked questions about Internet Explorer 11 (IE11) features, operating system support, integration with the Windows operating system, Group Policy, and general configuration. - -## Frequently Asked Questions - -**Q: What operating system does IE11 run on?** - -- Windows 10 - -- Windows 8.1 - -- Windows Server 2012 R2 - -- Windows 7 with Service Pack 1 (SP1) - -- Windows Server 2008 R2 with Service Pack 1 (SP1) - - -**Q: How do I install IE11 on Windows 10, Windows 8.1, or Windows Server 2012 R2?**
          -IE11 is preinstalled with Windows 8.1 and Windows Server 2012 R2. No additional action is required. - -**Q: How do I install IE11 on Windows 7 with SP1 or Windows Server 2008 R2 with SP1?**
          -You can install IE11 on computers running either Windows 7 with SP1 or Windows Server 2008 R2 with SP1. To download IE11, see the IE11 [home page](https://go.microsoft.com/fwlink/p/?LinkId=290956). - -**Q: How does IE11 integrate with Windows 8.1?**
          -IE11 is the default handler for the HTTP and HTTPS protocols and the default browser for Windows 8.1. There are two experiences in Windows 8.1: Internet Explorer and Internet Explorer for the desktop. IE is the default browser for touch-first, immersive experiences. Internet Explorer for the desktop provides a more traditional window and tab management experience. The underlying platform of IE11 is fully interoperable across both IE and the familiar Internet Explorer for the desktop, letting developers write the same markup for both experiences. - -**Q: What are the new or improved security features?**
          -IE11 offers improvements to Enhanced Protected Mode, password manager, and other security features. IE11 also turns on Transport Layer Security (TLS) 1.2 by default. - -**Q: How is Microsoft supporting modern web standards, such as WebGL?**
          -Microsoft is committed to providing an interoperable web by supporting modern web standards. Doing this lets developers use the same markup across web browsers, helping to reduce development and support costs.

          -Supported web standards include: - -- Web Graphics Library (WebGL) - -- Canvas 2D L2 extensions, including image smoothing using the nearest neighbor, dashed lines, and fill rules - -- Fullscreen API - -- Encrypted media extensions - -- Media source extensions - -- CSS flexible box layout module - -- And mutation observers like DOM4 and 5.3 - -For more information about specific changes and additions, see the [IE11 guide for developers](https://go.microsoft.com/fwlink/p/?LinkId=313188). - -**Q: What test tools exist to test for potential application compatibility issues?**
          -The Compat Inspector tool supports Windows Internet Explorer 9 through IE11. For more information, see [Compat Inspector User Guide](https://go.microsoft.com/fwlink/p/?LinkId=313189). In addition, you can use the new [F12 Developer Tools](https://go.microsoft.com/fwlink/p/?LinkId=313190) that are included with IE11, or the [modern.ie](https://go.microsoft.com/fwlink/p/?linkid=308902) website for Microsoft Edge. - -**Q: Why am I having problems launching my legacy apps with Internet Explorer 11**?
          -It’s most likely because IE no longer starts apps that use managed browser hosting controls, like in the .NET Framework 1.1 and 2.0. You can get IE11 to use managed browser hosting controls again, by: - -- **For x86 systems or for 32-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**. - -- **For x64 systems or for 64-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\.NETFramework` registry key and change the **EnableIEHosting** value to **1**. - -For more information, see the [Web Applications](https://go.microsoft.com/fwlink/p/?LinkId=308903) section of the Application Compatibility in the .NET Framework 4.5 page. - -**Q: Is there a compatibility list for IE?**
          -Yes. You can review the XML-based [compatibility version list](https://go.microsoft.com/fwlink/p/?LinkId=403864). - -**Q: What is Enterprise Mode?**
          -Enterprise Mode is a compatibility mode designed for Enterprises. This mode lets websites render using a modified browser configuration that’s designed to avoid the common compatibility problems associated with web apps written and tested on older versions of IE, like Windows Internet Explorer 7 or Windows Internet Explorer 8.

          -For more information, see [Turn on Enterprise Mode and use a site list](../ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md). - -**Q: What is the Enterprise Mode Site List Manager tool?**
          -Enterprise Mode Site List Manager tool gives you a way to add websites to your Enterprise Mode site list, without having to manually code XML.

          -For more information, see all of the topics in [Use the Enterprise Mode Site List Manager](../ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md). - -**Q: Are browser plug-ins supported in IE11?**
          -The immersive version of IE11 provides an add-on–free experience, so browser plugins won't load and dependent content won't be displayed. This doesn't apply to Internet Explorer for the desktop. For more information, see [Browsing Without Plug-ins](https://go.microsoft.com/fwlink/p/?LinkId=242587). However, Internet Explorer for the desktop and IE11 on Windows 7 with SP1 do support browser plugins, including ActiveX controls such as Adobe Flash and Microsoft Silverlight. - -**Q: Is Adobe Flash supported on IE11?**
          -Adobe Flash is included as a platform feature and is available out of the box for Windows 8.1, running on both IE and Internet Explorer for the desktop. Users can turn this feature on or off using the **Manage Add-ons** dialog box, while administrators can turn this feature on or off using the Group Policy setting, **Turn off Adobe Flash in IE and prevent applications from using IE technology to instantiate Flash objects**.

          -**Important**
          -The preinstalled version of Adobe Flash isn't supported on IE11 running on either Windows 7 with SP1 or Windows Server 2008 R2 with SP1. However, you can still download and install the separate Adobe Flash plug-in. - -**Q: Can I replace IE11 on Windows 8.1 with an earlier version?**
          -No. Windows 8.1 doesn't support any of the previous versions of IE. - -**Q: Are there any new Group Policy settings in IE11?**
          -IE11 includes all of the previous Group Policy settings you've used to manage and control web browser configuration since Internet Explorer 9. It also includes the following new Group Policy settings, supporting new features: - -- Turn off Page Prediction - -- Turn on the swiping motion for Internet Explorer for the desktop - -- Allow Microsoft services to provide more relevant and personalized search results - -- Turn off phone number detection - -- Allow IE to use the SPDY/3 network protocol - -- Let users turn on and use Enterprise Mode from the **Tools** menu - -- Use the Enterprise Mode IE website list - -For more information, see [New group policy settings for IE11](../ie11-deploy-guide/new-group-policy-settings-for-ie11.md). - - -**Q: Where can I get more information about IE11 for IT pros?**
          -Visit the [Springboard Series for Microsoft Browsers](https://go.microsoft.com/fwlink/p/?LinkId=313191) webpage on TechNet. - - - -**Q: Can I customize settings for IE on Windows 8.1?**
          -Settings can be customized in the following ways: - -- IE11 **Settings** charm. - -- IE11-related Group Policy settings. - -- IEAK 11 for settings shared by both IE and Internet Explorer for the desktop. - -**Q: Can I make Internet Explorer for the desktop my default browsing experience?**
          -Group Policy settings can be set to open either IE or Internet Explorer for the desktop as the default browser experience. Individual users can configure their own settings in the **Programs** tab of **Internet Options**. The following table shows the settings and results:

          - -|Setting |Result | -|--------|-------| -|Let IE decide |Links open in the same type of experience from where they're launched. For example, clicking a link from a Microsoft Store app, opens IE. However, clicking a link from a desktop app, opens Internet Explorer for the desktop. | -|Always in IE11 |Links always open in IE. | -|Always in Internet Explorer for the desktop |Links always open in Internet Explorer for the desktop. | - - -**Q. Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?** -Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard. - -IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. Select a language below and download IEAK 11 from the download center: - -| | | | -|---------|---------|---------| -|[English](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) | -|[Arabic](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi) |[Chinese (Simplified)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi) |[Chinese(Traditional)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi) | -|[Czech](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi) |[Danish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi) |[Dutch](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi) | -|[Finnish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi) |[German](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi) |[Greek](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi) | -|[Hebrew](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi) |[Hungarian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi) |[Italian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi) | -|[Japanese](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi) |[Korean](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi) |[Polish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi) | -|[Portuguese (Brazil)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi) |[Portuguese (Portugal)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi) |[Russian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi) | -|[Spanish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi) |[Swedish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi) |[Turkish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi) | - - - - -**Q. What are the different modes available for the Internet Explorer Customization Wizard?** -The IEAK Customization Wizard displays pages based on your licensing mode selection, either **Internal** or **External**. For more information on IEAK Customization Wizard modes, see [Determine the licensing version and features to use in IEAK 11](../ie11-ieak/licensing-version-and-features-ieak11.md). - -The following table displays which pages are available in IEAK 11, based on the licensing mode: - -| **Wizard Pages** | **External** | **Internal** | -|-------------------------------------------|--------------|--------------| -| Welcome to the IEAK | Yes | Yes | -| File Locations | Yes | Yes | -| Platform Selection | Yes | Yes | -| Language Selection | Yes | Yes | -| Package Type Selection | Yes | Yes | -| Feature Selection | Yes | Yes | -| Automatic Version Synchronization | Yes | Yes | -| Custom Components | Yes | Yes | -| Corporate Install | No | Yes | -| User Experience | No | Yes | -| Browser User Interface | Yes | Yes | -| Search Providers | Yes | Yes | -| Important URLs - Home page and Support | Yes | Yes | -| Accelerators | Yes | Yes | -| Favorites, Favorites Bar, and Feeds | Yes | Yes | -| Browsing Options | No | Yes | -| First Run Wizard and Welcome Page Options | Yes | Yes | -| Compatibility View | Yes | Yes | -| Connection Manager | Yes | Yes | -| Connection Settings | Yes | Yes | -| Automatic Configuration | No | Yes | -| Proxy Settings | Yes | Yes | -| Security and Privacy Settings | No | Yes | -| Add a Root Certificate | Yes | No | -| Programs | Yes | Yes | -| Additional Settings | No | Yes | -| Wizard Complete | Yes | Yes | - - -## Related topics -- [Microsoft Edge - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760643) -- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md) -- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md) +--- +ms.localizationpriority: medium +ms.mktglfcycl: explore +description: Frequently asked questions about Internet Explorer 11 for IT Pros +author: lomayor +ms.prod: ie11 +ms.assetid: 140e7d33-584a-44da-8c68-6c1d568e1de3 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Internet Explorer 11 - FAQ for IT Pros (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 10/16/2017 +--- + + +# Internet Explorer 11 - FAQ for IT Pros +Answering frequently asked questions about Internet Explorer 11 (IE11) features, operating system support, integration with the Windows operating system, Group Policy, and general configuration. + +## Frequently Asked Questions + +**Q: What operating system does IE11 run on?** + +- Windows 10 + +- Windows 8.1 + +- Windows Server 2012 R2 + +- Windows 7 with Service Pack 1 (SP1) + +- Windows Server 2008 R2 with Service Pack 1 (SP1) + + +**Q: How do I install IE11 on Windows 10, Windows 8.1, or Windows Server 2012 R2?**
          +IE11 is preinstalled with Windows 8.1 and Windows Server 2012 R2. No additional action is required. + +**Q: How do I install IE11 on Windows 7 with SP1 or Windows Server 2008 R2 with SP1?**
          +You can install IE11 on computers running either Windows 7 with SP1 or Windows Server 2008 R2 with SP1. To download IE11, see the IE11 [home page](https://go.microsoft.com/fwlink/p/?LinkId=290956). + +**Q: How does IE11 integrate with Windows 8.1?**
          +IE11 is the default handler for the HTTP and HTTPS protocols and the default browser for Windows 8.1. There are two experiences in Windows 8.1: Internet Explorer and Internet Explorer for the desktop. IE is the default browser for touch-first, immersive experiences. Internet Explorer for the desktop provides a more traditional window and tab management experience. The underlying platform of IE11 is fully interoperable across both IE and the familiar Internet Explorer for the desktop, letting developers write the same markup for both experiences. + +**Q: What are the new or improved security features?**
          +IE11 offers improvements to Enhanced Protected Mode, password manager, and other security features. IE11 also turns on Transport Layer Security (TLS) 1.2 by default. + +**Q: How is Microsoft supporting modern web standards, such as WebGL?**
          +Microsoft is committed to providing an interoperable web by supporting modern web standards. Doing this lets developers use the same markup across web browsers, helping to reduce development and support costs.

          +Supported web standards include: + +- Web Graphics Library (WebGL) + +- Canvas 2D L2 extensions, including image smoothing using the nearest neighbor, dashed lines, and fill rules + +- Fullscreen API + +- Encrypted media extensions + +- Media source extensions + +- CSS flexible box layout module + +- And mutation observers like DOM4 and 5.3 + +For more information about specific changes and additions, see the [IE11 guide for developers](https://go.microsoft.com/fwlink/p/?LinkId=313188). + +**Q: What test tools exist to test for potential application compatibility issues?**
          +The Compat Inspector tool supports Windows Internet Explorer 9 through IE11. For more information, see [Compat Inspector User Guide](https://go.microsoft.com/fwlink/p/?LinkId=313189). In addition, you can use the new [F12 Developer Tools](https://go.microsoft.com/fwlink/p/?LinkId=313190) that are included with IE11, or the [modern.ie](https://go.microsoft.com/fwlink/p/?linkid=308902) website for Microsoft Edge. + +**Q: Why am I having problems launching my legacy apps with Internet Explorer 11**?
          +It’s most likely because IE no longer starts apps that use managed browser hosting controls, like in the .NET Framework 1.1 and 2.0. You can get IE11 to use managed browser hosting controls again, by: + +- **For x86 systems or for 32-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**. + +- **For x64 systems or for 64-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\.NETFramework` registry key and change the **EnableIEHosting** value to **1**. + +For more information, see the [Web Applications](https://go.microsoft.com/fwlink/p/?LinkId=308903) section of the Application Compatibility in the .NET Framework 4.5 page. + +**Q: Is there a compatibility list for IE?**
          +Yes. You can review the XML-based [compatibility version list](https://go.microsoft.com/fwlink/p/?LinkId=403864). + +**Q: What is Enterprise Mode?**
          +Enterprise Mode is a compatibility mode designed for Enterprises. This mode lets websites render using a modified browser configuration that’s designed to avoid the common compatibility problems associated with web apps written and tested on older versions of IE, like Windows Internet Explorer 7 or Windows Internet Explorer 8.

          +For more information, see [Turn on Enterprise Mode and use a site list](../ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md). + +**Q: What is the Enterprise Mode Site List Manager tool?**
          +Enterprise Mode Site List Manager tool gives you a way to add websites to your Enterprise Mode site list, without having to manually code XML.

          +For more information, see all of the topics in [Use the Enterprise Mode Site List Manager](../ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md). + +**Q: Are browser plug-ins supported in IE11?**
          +The immersive version of IE11 provides an add-on–free experience, so browser plugins won't load and dependent content won't be displayed. This doesn't apply to Internet Explorer for the desktop. For more information, see [Browsing Without Plug-ins](https://go.microsoft.com/fwlink/p/?LinkId=242587). However, Internet Explorer for the desktop and IE11 on Windows 7 with SP1 do support browser plugins, including ActiveX controls such as Adobe Flash and Microsoft Silverlight. + +**Q: Is Adobe Flash supported on IE11?**
          +Adobe Flash is included as a platform feature and is available out of the box for Windows 8.1, running on both IE and Internet Explorer for the desktop. Users can turn this feature on or off using the **Manage Add-ons** dialog box, while administrators can turn this feature on or off using the Group Policy setting, **Turn off Adobe Flash in IE and prevent applications from using IE technology to instantiate Flash objects**.

          +**Important**
          +The preinstalled version of Adobe Flash isn't supported on IE11 running on either Windows 7 with SP1 or Windows Server 2008 R2 with SP1. However, you can still download and install the separate Adobe Flash plug-in. + +**Q: Can I replace IE11 on Windows 8.1 with an earlier version?**
          +No. Windows 8.1 doesn't support any of the previous versions of IE. + +**Q: Are there any new Group Policy settings in IE11?**
          +IE11 includes all of the previous Group Policy settings you've used to manage and control web browser configuration since Internet Explorer 9. It also includes the following new Group Policy settings, supporting new features: + +- Turn off Page Prediction + +- Turn on the swiping motion for Internet Explorer for the desktop + +- Allow Microsoft services to provide more relevant and personalized search results + +- Turn off phone number detection + +- Allow IE to use the SPDY/3 network protocol + +- Let users turn on and use Enterprise Mode from the **Tools** menu + +- Use the Enterprise Mode IE website list + +For more information, see [New group policy settings for IE11](../ie11-deploy-guide/new-group-policy-settings-for-ie11.md). + + +**Q: Where can I get more information about IE11 for IT pros?**
          +Visit the [Springboard Series for Microsoft Browsers](https://go.microsoft.com/fwlink/p/?LinkId=313191) webpage on TechNet. + + + +**Q: Can I customize settings for IE on Windows 8.1?**
          +Settings can be customized in the following ways: + +- IE11 **Settings** charm. + +- IE11-related Group Policy settings. + +- IEAK 11 for settings shared by both IE and Internet Explorer for the desktop. + +**Q: Can I make Internet Explorer for the desktop my default browsing experience?**
          +Group Policy settings can be set to open either IE or Internet Explorer for the desktop as the default browser experience. Individual users can configure their own settings in the **Programs** tab of **Internet Options**. The following table shows the settings and results:

          + +|Setting |Result | +|--------|-------| +|Let IE decide |Links open in the same type of experience from where they're launched. For example, clicking a link from a Microsoft Store app, opens IE. However, clicking a link from a desktop app, opens Internet Explorer for the desktop. | +|Always in IE11 |Links always open in IE. | +|Always in Internet Explorer for the desktop |Links always open in Internet Explorer for the desktop. | + + +**Q. Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?** +Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard. + +IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. Select a language below and download IEAK 11 from the download center: + +| | | | +|---------|---------|---------| +|[English](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) | +|[Arabic](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi) |[Chinese (Simplified)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi) |[Chinese(Traditional)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi) | +|[Czech](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi) |[Danish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi) |[Dutch](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi) | +|[Finnish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi) |[German](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi) |[Greek](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi) | +|[Hebrew](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi) |[Hungarian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi) |[Italian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi) | +|[Japanese](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi) |[Korean](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi) |[Polish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi) | +|[Portuguese (Brazil)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi) |[Portuguese (Portugal)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi) |[Russian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi) | +|[Spanish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi) |[Swedish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi) |[Turkish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi) | + + + + +**Q. What are the different modes available for the Internet Explorer Customization Wizard?** +The IEAK Customization Wizard displays pages based on your licensing mode selection, either **Internal** or **External**. For more information on IEAK Customization Wizard modes, see [Determine the licensing version and features to use in IEAK 11](../ie11-ieak/licensing-version-and-features-ieak11.md). + +The following table displays which pages are available in IEAK 11, based on the licensing mode: + +| **Wizard Pages** | **External** | **Internal** | +|-------------------------------------------|--------------|--------------| +| Welcome to the IEAK | Yes | Yes | +| File Locations | Yes | Yes | +| Platform Selection | Yes | Yes | +| Language Selection | Yes | Yes | +| Package Type Selection | Yes | Yes | +| Feature Selection | Yes | Yes | +| Automatic Version Synchronization | Yes | Yes | +| Custom Components | Yes | Yes | +| Corporate Install | No | Yes | +| User Experience | No | Yes | +| Browser User Interface | Yes | Yes | +| Search Providers | Yes | Yes | +| Important URLs - Home page and Support | Yes | Yes | +| Accelerators | Yes | Yes | +| Favorites, Favorites Bar, and Feeds | Yes | Yes | +| Browsing Options | No | Yes | +| First Run Wizard and Welcome Page Options | Yes | Yes | +| Compatibility View | Yes | Yes | +| Connection Manager | Yes | Yes | +| Connection Settings | Yes | Yes | +| Automatic Configuration | No | Yes | +| Proxy Settings | Yes | Yes | +| Security and Privacy Settings | No | Yes | +| Add a Root Certificate | Yes | No | +| Programs | Yes | Yes | +| Additional Settings | No | Yes | +| Wizard Complete | Yes | Yes | + + +## Related topics +- [Microsoft Edge - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760643) +- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md) +- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md) diff --git a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md index 67093919f3..392e7cc26e 100644 --- a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md +++ b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md @@ -1,120 +1,120 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: explore -description: Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit. -author: lomayor -ms.author: lomayor -ms.prod: ie11 -ms.assetid: -ms.reviewer: -manager: dansimp -title: Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions -ms.sitesec: library -ms.date: 05/10/2018 ---- - -# Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions - -Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit. - ->[!Important] ->If you administer your company’s environment using an update management solution, such as Windows Server Update Services (WSUS) or System Center 2012 Configuration Manager, you don’t need to use the Internet Explorer 11 Blocker Toolkit. Update management solutions let you completely manage your Windows Updates and Microsoft Updates, including your Internet Explorer 11 deployment. - -- [Automatic updates delivery process](#automatic-updates-delivery-process) - -- [How the Internet Explorer 11 Blocker Toolkit works](#how-the-internet-explorer-11-blocker-toolkit-works) - -- [Internet Explorer 11 Blocker Toolkit and other update services](#internet-explorer-11-blocker-toolkit-and-other-update-services) - -## Automatic Updates delivery process - - -**Q. Which users will receive Internet Explorer 11 as an important update?** -A. Users running either Windows 7 with Service Pack 1 (SP1) or the 64-bit version of Windows Server 2008 R2 with Service Pack 1 (SP1) will receive Internet Explorer 11 as an important update, if Automatic Updates are turned on. Windows Update is manually run. Automatic Updates will automatically download and install the Internet Explorer 11 files if it’s turned on. For more information about how Internet Explorer works with Automatic Updates and information about other deployment blocking options, see [Internet Explorer 11 Delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md). - -**Q. When is the Blocker Toolkit available?** -A. The Blocker Toolkit is currently available from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722). - -**Q. What tools can I use to manage Windows Updates and Microsoft Updates in my company?** -A. We encourage anyone who wants full control over their company’s deployment of Windows Updates and Microsoft Updates, to use [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), a free tool for users of Windows Server. You can also use the more advanced configuration management tool, [System Center 2012 Configuration Manager](https://technet.microsoft.com/library/gg682041.aspx). - -**Q. How long does the blocker mechanism work?** -A. The Internet Explorer 11 Blocker Toolkit uses a registry key value to permanently turn off the automatic delivery of Internet Explorer 11. This behavior lasts as long as the registry key value isn’t removed or changed. - -**Q. Why should I use the Internet Explorer 11 Blocker Toolkit to stop delivery of Internet Explorer 11? Why can’t I just disable all of Automatic Updates?** -A. Automatic Updates provide you with ongoing critical security and reliability updates. Turning this feature off can leave your computers more vulnerable. Instead, we suggest that you use an update management solution, such as WSUS, to fully control your environment while leaving this feature running, managing how and when the updates get to your user’s computers. - -The Internet Explorer 11 Blocker Toolkit safely allows Internet Explorer 11 to download and install in companies that can’t use WSUS, Configuration Manager, or -other update management solution. - -**Q. Why don’t we just block URL access to Windows Update or Microsoft Update?** -A. Blocking the Windows Update or Microsoft Update URLs also stops delivery of critical security and reliability updates for all of the supported versions of the Windows operating system; leaving your computers more vulnerable. - -## How the Internet Explorer 11 Blocker Toolkit works - -**Q. How should I test the Internet Explorer 11 Blocker Toolkit in my company?** -A. Because the toolkit only sets a registry key to turn on and off the delivery of Internet Explorer 11, there should be no additional impact or side effects to your environment. No additional testing should be necessary. - -**Q. What’s the registry key used to block delivery of Internet Explorer 11?** -A. HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Setup\\11.0 - -**Q. What’s the registry key name and values?** -The registry key name is **DoNotAllowIE11**, where: - -- A value of **1** turns off the automatic delivery of Internet Explorer 11 using Automatic Updates and turns off the Express install option. - -- Not providing a registry key, or using a value of anything other than **1**, lets the user install Internet Explorer 11 through Automatic Updates or a - manual update. - -**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from manually installing Internet Explorer 11?** -A. No. The Internet Explorer 11 Blocker Toolkit only stops computers from automatically installing Internet Explorer 11 through Automatic Updates. Users can still download and install Internet Explorer 11 from the Microsoft Download Center or from external media. - -**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from automatically upgrading to Internet Explorer 11?** -A. Yes. The Internet Explorer 11 Blocker Toolkit also prevents Automatic Updates from automatically upgrading a computer from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. - -**Q. How does the provided script work?** -A. The script accepts one of two command line options: - -- **Block:** Creates the registry key that stops Internet Explorer 11 from installing through Automatic Updates. - -- **Unblock:** Removes the registry key that stops Internet Explorer 11 from installing through Automatic Updates. - -**Q. What’s the ADM template file used for?** -A. The Administrative Template (.adm file) lets you import the new Group Policy environment and use Group Policy Objects to centrally manage all of the computers in your company. - -**Q. Is the tool localized?** -A. No. The tool isn’t localized, it’s only available in English (en-us). However, it does work, without any modifications, on any language edition of the supported operating systems. - -## Internet Explorer 11 Blocker Toolkit and other update services - -**Q: Is there a version of the Internet Explorer Blocker Toolkit that will prevent automatic installation of IE11?**
          -Yes. The IE11 Blocker Toolkit is available for download. For more information, see [Toolkit to Disable Automatic Delivery of IE11](https://go.microsoft.com/fwlink/p/?LinkId=328195) on the Microsoft Download Center. - -**Q. Does the Internet Explorer 11 blocking mechanism also block delivery of Internet Explorer 11 through update management solutions, like WSUS?** -A. No. You can still deploy Internet Explorer 11 using one of the upgrade management solutions, even if the blocking mechanism is activated. The Internet Explorer 11 Blocker Toolkit is only intended for companies that don’t use upgrade management solutions. - -**Q. If WSUS is set to 'auto-approve' Update Rollup packages (this is not the default configuration), how do I stop Internet Explorer 11 from automatically installing throughout my company?** -A. You only need to change your settings if: - -- You use WSUS to manage updates and allow auto-approvals for Update Rollup installation. - - -and- - -- You have computers running either Windows 7 SP1 or Windows Server 2008 R2 (SP1) with Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 installed. - - -and- - -- You don’t want to upgrade your older versions of Internet Explorer to Internet Explorer 11 right now. - -If these scenarios apply to your company, see [Internet Explorer 11 delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md) for more information on how to prevent automatic installation. - - -## Additional resources - -- [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722) - -- [Internet Explorer 11 FAQ for IT pros](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11) - -- [Internet Explorer 11 delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md) - -- [Internet Explorer 11 deployment guide](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/index) +--- +ms.localizationpriority: medium +ms.mktglfcycl: explore +description: Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit. +author: lomayor +ms.author: lomayor +ms.prod: ie11 +ms.assetid: +ms.reviewer: +audience: itpro manager: dansimp +title: Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions +ms.sitesec: library +ms.date: 05/10/2018 +--- + +# Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions + +Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit. + +>[!Important] +>If you administer your company’s environment using an update management solution, such as Windows Server Update Services (WSUS) or System Center 2012 Configuration Manager, you don’t need to use the Internet Explorer 11 Blocker Toolkit. Update management solutions let you completely manage your Windows Updates and Microsoft Updates, including your Internet Explorer 11 deployment. + +- [Automatic updates delivery process](#automatic-updates-delivery-process) + +- [How the Internet Explorer 11 Blocker Toolkit works](#how-the-internet-explorer-11-blocker-toolkit-works) + +- [Internet Explorer 11 Blocker Toolkit and other update services](#internet-explorer-11-blocker-toolkit-and-other-update-services) + +## Automatic Updates delivery process + + +**Q. Which users will receive Internet Explorer 11 as an important update?** +A. Users running either Windows 7 with Service Pack 1 (SP1) or the 64-bit version of Windows Server 2008 R2 with Service Pack 1 (SP1) will receive Internet Explorer 11 as an important update, if Automatic Updates are turned on. Windows Update is manually run. Automatic Updates will automatically download and install the Internet Explorer 11 files if it’s turned on. For more information about how Internet Explorer works with Automatic Updates and information about other deployment blocking options, see [Internet Explorer 11 Delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md). + +**Q. When is the Blocker Toolkit available?** +A. The Blocker Toolkit is currently available from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722). + +**Q. What tools can I use to manage Windows Updates and Microsoft Updates in my company?** +A. We encourage anyone who wants full control over their company’s deployment of Windows Updates and Microsoft Updates, to use [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), a free tool for users of Windows Server. You can also use the more advanced configuration management tool, [System Center 2012 Configuration Manager](https://technet.microsoft.com/library/gg682041.aspx). + +**Q. How long does the blocker mechanism work?** +A. The Internet Explorer 11 Blocker Toolkit uses a registry key value to permanently turn off the automatic delivery of Internet Explorer 11. This behavior lasts as long as the registry key value isn’t removed or changed. + +**Q. Why should I use the Internet Explorer 11 Blocker Toolkit to stop delivery of Internet Explorer 11? Why can’t I just disable all of Automatic Updates?** +A. Automatic Updates provide you with ongoing critical security and reliability updates. Turning this feature off can leave your computers more vulnerable. Instead, we suggest that you use an update management solution, such as WSUS, to fully control your environment while leaving this feature running, managing how and when the updates get to your user’s computers. + +The Internet Explorer 11 Blocker Toolkit safely allows Internet Explorer 11 to download and install in companies that can’t use WSUS, Configuration Manager, or +other update management solution. + +**Q. Why don’t we just block URL access to Windows Update or Microsoft Update?** +A. Blocking the Windows Update or Microsoft Update URLs also stops delivery of critical security and reliability updates for all of the supported versions of the Windows operating system; leaving your computers more vulnerable. + +## How the Internet Explorer 11 Blocker Toolkit works + +**Q. How should I test the Internet Explorer 11 Blocker Toolkit in my company?** +A. Because the toolkit only sets a registry key to turn on and off the delivery of Internet Explorer 11, there should be no additional impact or side effects to your environment. No additional testing should be necessary. + +**Q. What’s the registry key used to block delivery of Internet Explorer 11?** +A. HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Setup\\11.0 + +**Q. What’s the registry key name and values?** +The registry key name is **DoNotAllowIE11**, where: + +- A value of **1** turns off the automatic delivery of Internet Explorer 11 using Automatic Updates and turns off the Express install option. + +- Not providing a registry key, or using a value of anything other than **1**, lets the user install Internet Explorer 11 through Automatic Updates or a + manual update. + +**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from manually installing Internet Explorer 11?** +A. No. The Internet Explorer 11 Blocker Toolkit only stops computers from automatically installing Internet Explorer 11 through Automatic Updates. Users can still download and install Internet Explorer 11 from the Microsoft Download Center or from external media. + +**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from automatically upgrading to Internet Explorer 11?** +A. Yes. The Internet Explorer 11 Blocker Toolkit also prevents Automatic Updates from automatically upgrading a computer from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. + +**Q. How does the provided script work?** +A. The script accepts one of two command line options: + +- **Block:** Creates the registry key that stops Internet Explorer 11 from installing through Automatic Updates. + +- **Unblock:** Removes the registry key that stops Internet Explorer 11 from installing through Automatic Updates. + +**Q. What’s the ADM template file used for?** +A. The Administrative Template (.adm file) lets you import the new Group Policy environment and use Group Policy Objects to centrally manage all of the computers in your company. + +**Q. Is the tool localized?** +A. No. The tool isn’t localized, it’s only available in English (en-us). However, it does work, without any modifications, on any language edition of the supported operating systems. + +## Internet Explorer 11 Blocker Toolkit and other update services + +**Q: Is there a version of the Internet Explorer Blocker Toolkit that will prevent automatic installation of IE11?**
          +Yes. The IE11 Blocker Toolkit is available for download. For more information, see [Toolkit to Disable Automatic Delivery of IE11](https://go.microsoft.com/fwlink/p/?LinkId=328195) on the Microsoft Download Center. + +**Q. Does the Internet Explorer 11 blocking mechanism also block delivery of Internet Explorer 11 through update management solutions, like WSUS?** +A. No. You can still deploy Internet Explorer 11 using one of the upgrade management solutions, even if the blocking mechanism is activated. The Internet Explorer 11 Blocker Toolkit is only intended for companies that don’t use upgrade management solutions. + +**Q. If WSUS is set to 'auto-approve' Update Rollup packages (this is not the default configuration), how do I stop Internet Explorer 11 from automatically installing throughout my company?** +A. You only need to change your settings if: + +- You use WSUS to manage updates and allow auto-approvals for Update Rollup installation. + + -and- + +- You have computers running either Windows 7 SP1 or Windows Server 2008 R2 (SP1) with Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 installed. + + -and- + +- You don’t want to upgrade your older versions of Internet Explorer to Internet Explorer 11 right now. + +If these scenarios apply to your company, see [Internet Explorer 11 delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md) for more information on how to prevent automatic installation. + + +## Additional resources + +- [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722) + +- [Internet Explorer 11 FAQ for IT pros](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11) + +- [Internet Explorer 11 delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md) + +- [Internet Explorer 11 deployment guide](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/index) diff --git a/browsers/internet-explorer/ie11-faq/faq-ieak11.md b/browsers/internet-explorer/ie11-faq/faq-ieak11.md index da2478e9e8..3af0ec2d32 100644 --- a/browsers/internet-explorer/ie11-faq/faq-ieak11.md +++ b/browsers/internet-explorer/ie11-faq/faq-ieak11.md @@ -1,120 +1,120 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: support -ms.pagetype: security -description: Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions. -author: lomayor -ms.author: lomayor -ms.manager: elizapo -ms.prod: ie11 -ms.assetid: -ms.reviewer: -manager: dansimp -title: IEAK 11 - Frequently Asked Questions -ms.sitesec: library -ms.date: 05/10/2018 ---- - -# IEAK 11 - Frequently Asked Questions - -Get answers to commonly asked questions about the Internet Explorer Administration Kit 11 (IEAK 11), and find links to additional material you might find helpful. - -**What is IEAK 11?** - -IEAK 11 enables you to customize, brand, and distribute customized Internet Explorer 11 browser packages across an organization. Download the kit from the [Internet Explorer Administration Kit (IEAK) information and downloads](../ie11-ieak/ieak-information-and-downloads.md). - -**What are the supported operating systems?** - -You can customize and install IEAK 11 on the following supported operating systems: - -- Windows 8 - -- Windows Server 2012 - -- Windows 7 Service Pack 1 (SP1) - -- Windows Server 2008 R2 Service Pack 1 (SP1) - ->[!Note] ->IEAK 11 does not support building custom packages for Windows RT. - - -**What can I customize with IEAK 11?** - -The IEAK 11 enables you to customize branding and settings for Internet Explorer 11. For PCs running Windows 7, the custom package also includes the Internet Explorer executable. - ->[!Note] ->Internet Explorer 11 is preinstalled on PCs running Windows 8. Therefore, the executable is not included in the customized package. - -**Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?** -Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard. - ->[!Note] ->IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. To download IEAK 11, see [Internet Explorer Administration Kit (IEAK) information and downloads](../ie11-ieak/ieak-information-and-downloads.md). - -**Q: Is there a version of the Internet Explorer Administration Kit (IEAK) supporting IE11?**
          -Yes. The Internet Explorer Administration Kit 11 (IEAK 11) is available for download. IEAK 11 lets you create custom versions of IE11 for use in your organization. For more information, see the following resources: - -- [Internet Explorer Administration Kit Information and Downloads](https://go.microsoft.com/fwlink/p/?LinkId=214250) on the Internet Explorer TechCenter. - -- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md) - -**What are the different modes available for the Internet Explorer Customization Wizard?** -The IEAK Customization Wizard displays pages based on your licensing mode selection, either **Internal** or **External**. For more information on IEAK Customization Wizard modes, see [What IEAK can do for you](../ie11-ieak/what-ieak-can-do-for-you.md). - -The following table displays which pages are available in IEAK 11, based on the licensing mode: - -| **Wizard Pages** | **External** | **Internal** | -|-------------------------------------------|--------------|--------------| -| Welcome to the IEAK | Yes | Yes | -| File Locations | Yes | Yes | -| Platform Selection | Yes | Yes | -| Language Selection | Yes | Yes | -| Package Type Selection | Yes | Yes | -| Feature Selection | Yes | Yes | -| Automatic Version Synchronization | Yes | Yes | -| Custom Components | Yes | Yes | -| Corporate Install | No | Yes | -| User Experience | No | Yes | -| Browser User Interface | Yes | Yes | -| Search Providers | Yes | Yes | -| Important URLs - Home page and Support | Yes | Yes | -| Accelerators | Yes | Yes | -| Favorites, Favorites Bar, and Feeds | Yes | Yes | -| Browsing Options | No | Yes | -| First Run Wizard and Welcome Page Options | Yes | Yes | -| Compatibility View | Yes | Yes | -| Connection Manager | Yes | Yes | -| Connection Settings | Yes | Yes | -| Automatic Configuration | No | Yes | -| Proxy Settings | Yes | Yes | -| Security and Privacy Settings | No | Yes | -| Add a Root Certificate | Yes | No | -| Programs | Yes | Yes | -| Additional Settings | No | Yes | -| Wizard Complete | Yes | Yes | - - -**Q. Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?** -Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard. - -IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. Select a language below and download IEAK 11 from the download center: - -| | | | -|---------|---------|---------| -|[English](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) | -|[Arabic](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi) |[Chinese (Simplified)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi) |[Chinese(Traditional)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi) | -|[Czech](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi) |[Danish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi) |[Dutch](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi) | -|[Finnish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi) |[German](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi) |[Greek](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi) | -|[Hebrew](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi) |[Hungarian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi) |[Italian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi) | -|[Japanese](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi) |[Korean](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi) |[Polish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi) | -|[Portuguese (Brazil)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi) |[Portuguese (Portugal)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi) |[Russian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi) | -|[Spanish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi) |[Swedish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi) |[Turkish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi) | - - -## Additional resources - -[Download IEAK 11](https://technet.microsoft.com/microsoft-edge/bb219517) -[IEAK 11 overview](https://technet.microsoft.com/microsoft-edge/dn532244) -[IEAK 11 product documentation](https://docs.microsoft.com/internet-explorer/ie11-ieak/index) -[IEAK 11 licensing guidelines](../ie11-ieak/licensing-version-and-features-ieak11.md) +--- +ms.localizationpriority: medium +ms.mktglfcycl: support +ms.pagetype: security +description: Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions. +author: lomayor +ms.author: lomayor +ms.manager: elizapo +ms.prod: ie11 +ms.assetid: +ms.reviewer: +audience: itpro manager: dansimp +title: IEAK 11 - Frequently Asked Questions +ms.sitesec: library +ms.date: 05/10/2018 +--- + +# IEAK 11 - Frequently Asked Questions + +Get answers to commonly asked questions about the Internet Explorer Administration Kit 11 (IEAK 11), and find links to additional material you might find helpful. + +**What is IEAK 11?** + +IEAK 11 enables you to customize, brand, and distribute customized Internet Explorer 11 browser packages across an organization. Download the kit from the [Internet Explorer Administration Kit (IEAK) information and downloads](../ie11-ieak/ieak-information-and-downloads.md). + +**What are the supported operating systems?** + +You can customize and install IEAK 11 on the following supported operating systems: + +- Windows 8 + +- Windows Server 2012 + +- Windows 7 Service Pack 1 (SP1) + +- Windows Server 2008 R2 Service Pack 1 (SP1) + +>[!Note] +>IEAK 11 does not support building custom packages for Windows RT. + + +**What can I customize with IEAK 11?** + +The IEAK 11 enables you to customize branding and settings for Internet Explorer 11. For PCs running Windows 7, the custom package also includes the Internet Explorer executable. + +>[!Note] +>Internet Explorer 11 is preinstalled on PCs running Windows 8. Therefore, the executable is not included in the customized package. + +**Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?** +Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard. + +>[!Note] +>IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. To download IEAK 11, see [Internet Explorer Administration Kit (IEAK) information and downloads](../ie11-ieak/ieak-information-and-downloads.md). + +**Q: Is there a version of the Internet Explorer Administration Kit (IEAK) supporting IE11?**
          +Yes. The Internet Explorer Administration Kit 11 (IEAK 11) is available for download. IEAK 11 lets you create custom versions of IE11 for use in your organization. For more information, see the following resources: + +- [Internet Explorer Administration Kit Information and Downloads](https://go.microsoft.com/fwlink/p/?LinkId=214250) on the Internet Explorer TechCenter. + +- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md) + +**What are the different modes available for the Internet Explorer Customization Wizard?** +The IEAK Customization Wizard displays pages based on your licensing mode selection, either **Internal** or **External**. For more information on IEAK Customization Wizard modes, see [What IEAK can do for you](../ie11-ieak/what-ieak-can-do-for-you.md). + +The following table displays which pages are available in IEAK 11, based on the licensing mode: + +| **Wizard Pages** | **External** | **Internal** | +|-------------------------------------------|--------------|--------------| +| Welcome to the IEAK | Yes | Yes | +| File Locations | Yes | Yes | +| Platform Selection | Yes | Yes | +| Language Selection | Yes | Yes | +| Package Type Selection | Yes | Yes | +| Feature Selection | Yes | Yes | +| Automatic Version Synchronization | Yes | Yes | +| Custom Components | Yes | Yes | +| Corporate Install | No | Yes | +| User Experience | No | Yes | +| Browser User Interface | Yes | Yes | +| Search Providers | Yes | Yes | +| Important URLs - Home page and Support | Yes | Yes | +| Accelerators | Yes | Yes | +| Favorites, Favorites Bar, and Feeds | Yes | Yes | +| Browsing Options | No | Yes | +| First Run Wizard and Welcome Page Options | Yes | Yes | +| Compatibility View | Yes | Yes | +| Connection Manager | Yes | Yes | +| Connection Settings | Yes | Yes | +| Automatic Configuration | No | Yes | +| Proxy Settings | Yes | Yes | +| Security and Privacy Settings | No | Yes | +| Add a Root Certificate | Yes | No | +| Programs | Yes | Yes | +| Additional Settings | No | Yes | +| Wizard Complete | Yes | Yes | + + +**Q. Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?** +Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard. + +IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. Select a language below and download IEAK 11 from the download center: + +| | | | +|---------|---------|---------| +|[English](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) | +|[Arabic](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi) |[Chinese (Simplified)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi) |[Chinese(Traditional)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi) | +|[Czech](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi) |[Danish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi) |[Dutch](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi) | +|[Finnish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi) |[German](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi) |[Greek](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi) | +|[Hebrew](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi) |[Hungarian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi) |[Italian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi) | +|[Japanese](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi) |[Korean](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi) |[Polish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi) | +|[Portuguese (Brazil)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi) |[Portuguese (Portugal)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi) |[Russian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi) | +|[Spanish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi) |[Swedish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi) |[Turkish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi) | + + +## Additional resources + +[Download IEAK 11](https://technet.microsoft.com/microsoft-edge/bb219517) +[IEAK 11 overview](https://technet.microsoft.com/microsoft-edge/dn532244) +[IEAK 11 product documentation](https://docs.microsoft.com/internet-explorer/ie11-ieak/index) +[IEAK 11 licensing guidelines](../ie11-ieak/licensing-version-and-features-ieak11.md) diff --git a/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md index e20d675e6d..2927489c83 100644 --- a/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md @@ -1,45 +1,45 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Accelerators page in the IEAK 11 Customization Wizard to add accelerators to employee devices. -author: lomayor -ms.prod: ie11 -ms.assetid: 208305ad-1bcd-42f3-aca3-0ad1dda7048b -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Accelerators page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Accelerators page in the IEAK 11 Wizard -The **Accelerators** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you add accelerators to your employee computers. Accelerators are contextual menu options that can quickly get to a web service from any webpage. For example, an accelerator can look up a highlighted word in the dictionary or a selected location on a map. - -**Note**
          -The customizations you make on this page apply only to Internet Explorer for the desktop. - - **To use the Accelerators page** - -1. Click **Import** to automatically import your existing accelerators from your current version of IE into this list. - -2. Click **Add** to add more accelerators.

          -The **Add Accelerator** box appears. - -3. Use the **Browse** button to go to your custom accelerator XML file. - -4. Check the **Set this Accelerator as the default for the category** box if you want this accelerator to be the default value that shows up for the category. - -5. Click **Edit** to change your accelerator information, click **Set Default** to make an accelerator the default value for a category, or **Remove** to delete an accelerator. - -6. Click **Next** to go to the [Favorites, Favorites Bar, and Feeds](favorites-favoritesbar-and-feeds-ieak11-wizard.md) page or **Back** to go to the [Important URLs - Home Page and Support](important-urls-home-page-and-support-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Accelerators page in the IEAK 11 Customization Wizard to add accelerators to employee devices. +author: lomayor +ms.prod: ie11 +ms.assetid: 208305ad-1bcd-42f3-aca3-0ad1dda7048b +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Accelerators page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Accelerators page in the IEAK 11 Wizard +The **Accelerators** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you add accelerators to your employee computers. Accelerators are contextual menu options that can quickly get to a web service from any webpage. For example, an accelerator can look up a highlighted word in the dictionary or a selected location on a map. + +**Note**
          +The customizations you make on this page apply only to Internet Explorer for the desktop. + + **To use the Accelerators page** + +1. Click **Import** to automatically import your existing accelerators from your current version of IE into this list. + +2. Click **Add** to add more accelerators.

          +The **Add Accelerator** box appears. + +3. Use the **Browse** button to go to your custom accelerator XML file. + +4. Check the **Set this Accelerator as the default for the category** box if you want this accelerator to be the default value that shows up for the category. + +5. Click **Edit** to change your accelerator information, click **Set Default** to make an accelerator the default value for a category, or **Remove** to delete an accelerator. + +6. Click **Next** to go to the [Favorites, Favorites Bar, and Feeds](favorites-favoritesbar-and-feeds-ieak11-wizard.md) page or **Back** to go to the [Important URLs - Home Page and Support](important-urls-home-page-and-support-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md b/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md index 1e9bb4b8b3..a0d56ae1d9 100644 --- a/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md @@ -1,52 +1,52 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use IEAK 11 to add and approve ActiveX controls for your organization. -author: lomayor -ms.prod: ie11 -ms.assetid: 33040bd1-f0e4-4541-9fbb-16e0c76752ab -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Add and approve ActiveX controls using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Add and approve ActiveX controls using IEAK 11 -There are two main approaches to how you can control the use of ActiveX controls in your company. For more info about ActiveX controls, including how to manage the controls using Group Policy, see [Group Policy and ActiveX installation](../ie11-deploy-guide/activex-installation-using-group-policy.md) in the [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md). - -**Note**
          -ActiveX controls are supported in Internet Explorer for the desktop for Windows 7 and Windows 8.1. They are not supported on the immersive version of Internet Explorer for Windows 8.1. - -## Scenario 1: Limited Internet-only use of ActiveX controls -While you might not care about your employees using ActiveX controls while on your intranet sites, you probably do want to limit ActiveX usage while your employee is on the Internet. By specifying and pre-approving a set of generic controls for use on the Internet, you’re able to let your employees use the Internet, but you can still limit your company’s exposure to potentially hazardous, non-approved ActiveX controls. - -For example, your employees need to access an important Internet site, such as for a business partner or service provider, but there are ActiveX controls on their page. To make sure the site is accessible and functions the way it should, you can visit the site to review the controls, adding them as new entries to your `\Windows\Downloaded Program Files` folder. Then, as part of your browser package, you can enable and approve these ActiveX controls to run on this specific site; while all additional controls are blocked. - -**To add and approve ActiveX controls** - -1. In IE, click **Tools**, and then **Internet Options**. - -2. On the **Security** tab, click the zone that needs to change, and click **Custom Level**. - -3. Go to **Run ActiveX controls and plug-ins**, and then click **Administrator approved**. - -4. Repeat the last two steps until you have configured all the zones you want. - -5. When you run the IEAK 11 Customization Wizard to create a custom package, you'll use the [Additional Settings](additional-settings-ieak11-wizard.md) page, clicking each folder to expand its contents. Then select the check boxes for the controls you want to approve. - -## Scenario 2: Restricted use of ActiveX controls -You can get a higher degree of management over ActiveX controls by listing each of them out and then allowing the browser to use only that set of controls. The biggest challenge to using this method is the extra effort you need to put into figuring out all of the controls, and then actually listing them out. Because of that, we only recommend this approach if your complete set of controls is relatively small. - -After you decide which controls you want to allow, you can specify them as approved by zone, using the process described in the first scenario. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use IEAK 11 to add and approve ActiveX controls for your organization. +author: lomayor +ms.prod: ie11 +ms.assetid: 33040bd1-f0e4-4541-9fbb-16e0c76752ab +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Add and approve ActiveX controls using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Add and approve ActiveX controls using IEAK 11 +There are two main approaches to how you can control the use of ActiveX controls in your company. For more info about ActiveX controls, including how to manage the controls using Group Policy, see [Group Policy and ActiveX installation](../ie11-deploy-guide/activex-installation-using-group-policy.md) in the [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md). + +**Note**
          +ActiveX controls are supported in Internet Explorer for the desktop for Windows 7 and Windows 8.1. They are not supported on the immersive version of Internet Explorer for Windows 8.1. + +## Scenario 1: Limited Internet-only use of ActiveX controls +While you might not care about your employees using ActiveX controls while on your intranet sites, you probably do want to limit ActiveX usage while your employee is on the Internet. By specifying and pre-approving a set of generic controls for use on the Internet, you’re able to let your employees use the Internet, but you can still limit your company’s exposure to potentially hazardous, non-approved ActiveX controls. + +For example, your employees need to access an important Internet site, such as for a business partner or service provider, but there are ActiveX controls on their page. To make sure the site is accessible and functions the way it should, you can visit the site to review the controls, adding them as new entries to your `\Windows\Downloaded Program Files` folder. Then, as part of your browser package, you can enable and approve these ActiveX controls to run on this specific site; while all additional controls are blocked. + +**To add and approve ActiveX controls** + +1. In IE, click **Tools**, and then **Internet Options**. + +2. On the **Security** tab, click the zone that needs to change, and click **Custom Level**. + +3. Go to **Run ActiveX controls and plug-ins**, and then click **Administrator approved**. + +4. Repeat the last two steps until you have configured all the zones you want. + +5. When you run the IEAK 11 Customization Wizard to create a custom package, you'll use the [Additional Settings](additional-settings-ieak11-wizard.md) page, clicking each folder to expand its contents. Then select the check boxes for the controls you want to approve. + +## Scenario 2: Restricted use of ActiveX controls +You can get a higher degree of management over ActiveX controls by listing each of them out and then allowing the browser to use only that set of controls. The biggest challenge to using this method is the extra effort you need to put into figuring out all of the controls, and then actually listing them out. Because of that, we only recommend this approach if your complete set of controls is relatively small. + +After you decide which controls you want to allow, you can specify them as approved by zone, using the process described in the first scenario. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md index 000c0238e4..72e79f106f 100644 --- a/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md @@ -1,29 +1,29 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: We’re sorry. While we continue to recommend that you digitally sign your package, we’ve removed all of the functionality that allowed you to add a root certificate using the Internet Explorer Customization Wizard 11. The wizard page itself will be removed in a future version of the IEAK. -author: lomayor -ms.prod: ie11 -ms.assetid: 7ae4e747-49d2-4551-8790-46a61b5fe838 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Add a Root Certificate page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Add a Root Certificate page in the IEAK 11 Wizard -We’re sorry. While we continue to recommend that you digitally sign your package, we’ve removed all of the functionality that allowed you to add a root certificate using the Internet Explorer Customization Wizard 11. The wizard page itself will be removed in a future version of the IEAK. - -Click **Next** to go to the [Programs](programs-ieak11-wizard.md) page or **Back** to go to the [Security and Privacy Settings](security-and-privacy-settings-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: We’re sorry. While we continue to recommend that you digitally sign your package, we’ve removed all of the functionality that allowed you to add a root certificate using the Internet Explorer Customization Wizard 11. The wizard page itself will be removed in a future version of the IEAK. +author: lomayor +ms.prod: ie11 +ms.assetid: 7ae4e747-49d2-4551-8790-46a61b5fe838 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Add a Root Certificate page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Add a Root Certificate page in the IEAK 11 Wizard +We’re sorry. While we continue to recommend that you digitally sign your package, we’ve removed all of the functionality that allowed you to add a root certificate using the Internet Explorer Customization Wizard 11. The wizard page itself will be removed in a future version of the IEAK. + +Click **Next** to go to the [Programs](programs-ieak11-wizard.md) page or **Back** to go to the [Security and Privacy Settings](security-and-privacy-settings-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md index 59d96545ea..2a15fe18e9 100644 --- a/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md @@ -1,41 +1,41 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Additional Settings page in IEAK 11 Customization Wizard for additional settings that relate to your employee’s desktop, operating system, and security. -author: lomayor -ms.prod: ie11 -ms.assetid: c90054af-7b7f-4b00-b55b-5e5569f65f25 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Additional Settings page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Additional Settings page in the IEAK 11 Wizard -The **Additional Settings** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you pick additional custom, corporate, and Internet settings that relate to your employee’s desktop, operating system, and security. If you don’t change a setting, it’ll be ignored. - -The additional settings appear in administration (.adm) files that are stored in your `:\Program Files\Windows IEAK 11\policies` folder. You can also create your own .adm files with options that can be configured using the wizard. Any edits you make to your own .adm file are stored as .ins files, which are used to build the .inf files for your custom install package. - -You can store your user settings in a central location so your employees that log on from computer to computer can use them. For example if you have an employee that requires low security using a computer that’s typically operated by someone that needs more restrictive permissions. - -You’ll only see this page if you are running the **Internal** version of the IE Customization Wizard 11. - -**To use the Additional Settings page** - -1. Double-click **Custom Settings**, **Corporate Settings**, or **Internet Settings**, and review the included policy or restriction settings. - -2. Pick the setting you want to change, and then update its details. - -3. Click **Next** to go to the [Wizard Complete-Next Steps](wizard-complete-ieak11-wizard.md) page or **Back** to go to the [Programs](programs-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Additional Settings page in IEAK 11 Customization Wizard for additional settings that relate to your employee’s desktop, operating system, and security. +author: lomayor +ms.prod: ie11 +ms.assetid: c90054af-7b7f-4b00-b55b-5e5569f65f25 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Additional Settings page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Additional Settings page in the IEAK 11 Wizard +The **Additional Settings** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you pick additional custom, corporate, and Internet settings that relate to your employee’s desktop, operating system, and security. If you don’t change a setting, it’ll be ignored. + +The additional settings appear in administration (.adm) files that are stored in your `:\Program Files\Windows IEAK 11\policies` folder. You can also create your own .adm files with options that can be configured using the wizard. Any edits you make to your own .adm file are stored as .ins files, which are used to build the .inf files for your custom install package. + +You can store your user settings in a central location so your employees that log on from computer to computer can use them. For example if you have an employee that requires low security using a computer that’s typically operated by someone that needs more restrictive permissions. + +You’ll only see this page if you are running the **Internal** version of the IE Customization Wizard 11. + +**To use the Additional Settings page** + +1. Double-click **Custom Settings**, **Corporate Settings**, or **Internet Settings**, and review the included policy or restriction settings. + +2. Pick the setting you want to change, and then update its details. + +3. Click **Next** to go to the [Wizard Complete-Next Steps](wizard-complete-ieak11-wizard.md) page or **Back** to go to the [Programs](programs-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md index 24d7df97b1..5c77b9bc67 100644 --- a/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md @@ -1,59 +1,59 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Automatic Configuration page in the IEAK 11 Customization Wizard to add URLs to auto-configure IE. -author: lomayor -ms.prod: ie11 -ms.assetid: de5b1dbf-6e4d-4f86-ae08-932f14e606b0 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Automatic Configuration page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Automatic Configuration page in the IEAK 11 Wizard -The **Automatic Configuration** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you provide URLs to the files that’ll automatically configure Internet Explorer 11 for a group of employees or devices. - -**Note**
          -This page only appears if you’re using the **Internal** version of the wizard. - -You can set your proxy settings using Internet setting (.ins) files. You can also configure and maintain your advanced proxy settings using JScript (.js), JavaScript (.jvs), or proxy auto-configuration (.pac) script files. When you provide an auto-proxy script, IE dynamically determines whether to connect directly to a host or to use a proxy server. - -You can use the Domain Name System (DNS) and the Dynamic Host Configuration Protocol (DHCP) naming systems to detect and change a browser’s settings automatically when the employee first starts IE on the network. For more info, see [Set up auto detection for DHCP or DNS servers using IEAK 11](auto-detection-dhcp-or-dns-servers-ieak11.md), or refer to the product documentation for your DNS and DHCP software packages. - -**To check the existing settings on your employee’s devices** - -1. Open IE, click **Tools**, click **Internet Options**, and then click the **Connections** tab. - -2. Click **LAN Settings** and make sure that the **Use automatic configuration script** box is selected, confirming the path and name of the file in the **Address** box. - -**To use the Automatic Configuration page** - -1. Check the **Automatically detect configuration settings** box to automatically detect browser settings. - -2. Check the **Enable Automatic Configuration** box if you plan to automatically change your IE settings after deployment, using configuration files. You can then: - - - Type the length of time (in minutes) for how often settings are to be applied in your company. Putting zero (**0**), or nothing, in this box will cause automatic configuration to only happen when the computer’s restarted. - - - Type the location to your .ins file. You can edit this file directly to make any necessary changes. - - The updates will take effect the next time your employee starts IE, or during your next scheduled update. - - - Type the location to your automatic proxy script file. - - **Note**
          - If you specify URLs for both auto-config and auto-proxy, the auto-proxy URL will be incorporated into the .ins file. The correct form for the URL is `https://share/test.ins`. - -3. Click **Next** to go to the [Proxy Settings](proxy-settings-ieak11-wizard.md) page or **Back** to go to the [Connection Settings](connection-settings-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Automatic Configuration page in the IEAK 11 Customization Wizard to add URLs to auto-configure IE. +author: lomayor +ms.prod: ie11 +ms.assetid: de5b1dbf-6e4d-4f86-ae08-932f14e606b0 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Automatic Configuration page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Automatic Configuration page in the IEAK 11 Wizard +The **Automatic Configuration** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you provide URLs to the files that’ll automatically configure Internet Explorer 11 for a group of employees or devices. + +**Note**
          +This page only appears if you’re using the **Internal** version of the wizard. + +You can set your proxy settings using Internet setting (.ins) files. You can also configure and maintain your advanced proxy settings using JScript (.js), JavaScript (.jvs), or proxy auto-configuration (.pac) script files. When you provide an auto-proxy script, IE dynamically determines whether to connect directly to a host or to use a proxy server. + +You can use the Domain Name System (DNS) and the Dynamic Host Configuration Protocol (DHCP) naming systems to detect and change a browser’s settings automatically when the employee first starts IE on the network. For more info, see [Set up auto detection for DHCP or DNS servers using IEAK 11](auto-detection-dhcp-or-dns-servers-ieak11.md), or refer to the product documentation for your DNS and DHCP software packages. + +**To check the existing settings on your employee’s devices** + +1. Open IE, click **Tools**, click **Internet Options**, and then click the **Connections** tab. + +2. Click **LAN Settings** and make sure that the **Use automatic configuration script** box is selected, confirming the path and name of the file in the **Address** box. + +**To use the Automatic Configuration page** + +1. Check the **Automatically detect configuration settings** box to automatically detect browser settings. + +2. Check the **Enable Automatic Configuration** box if you plan to automatically change your IE settings after deployment, using configuration files. You can then: + + - Type the length of time (in minutes) for how often settings are to be applied in your company. Putting zero (**0**), or nothing, in this box will cause automatic configuration to only happen when the computer’s restarted. + + - Type the location to your .ins file. You can edit this file directly to make any necessary changes. + + The updates will take effect the next time your employee starts IE, or during your next scheduled update. + + - Type the location to your automatic proxy script file. + + **Note**
          + If you specify URLs for both auto-config and auto-proxy, the auto-proxy URL will be incorporated into the .ins file. The correct form for the URL is `https://share/test.ins`. + +3. Click **Next** to go to the [Proxy Settings](proxy-settings-ieak11-wizard.md) page or **Back** to go to the [Connection Settings](connection-settings-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md index 3c1997587f..e858e5228b 100644 --- a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md @@ -1,62 +1,62 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to set up automatic detection for DHCP or DNS servers using IEAK 11 in your organization. -author: lomayor -ms.prod: ie11 -ms.assetid: c6bfe7c4-f452-406f-b47e-b7f0d8c44ae1 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Set up auto detection for DHCP or DNS servers using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Set up auto detection for DHCP or DNS servers using IEAK 11 -Set up your network to automatically detect and customize Internet Explorer 11 when it’s first started. Automatic detection is supported on both Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS), letting your servers detect and set up your employee’s browser settings from a central location, using a configuration URL (.ins file) or a JavaScript proxy configuration file (.js, .jvs, or .pac). - -Before you can set up your environment to use automatic detection, you need to turn the feature on. - -**To turn on the automatic detection feature** - -- Open Internet Explorer Administration Kit 11 (IEAK 11), run the IE Customization Wizard 11 and on the **Automatic Configuration** page, check **Automatically detect configuration settings**. For more information, see [Use the Automatic Configuration page in the IEAK 11 Wizard](auto-config-ieak11-wizard.md). - -## Automatic detection on DHCP and DNS servers -Automatic detection works even if the browser wasn't originally set up or installed by the administrator. - -- **Using DHCP servers:** For local area network (LAN)-based users. This server type lets you specify your global and subnet TCP/IP parameters centrally, defining your users' parameters by using reserved addresses. By doing it this way, a computer can move between subnets, automatically reconfiguring for TCP/IP when it starts. -

          Note
          - Your DHCP servers must support the DHCPINFORM message, to obtain the DHCP options. - -- **Using DNS servers:** For users on dial-up connections. This server type uses a set of protocols and services on a TCP/IP network, which lets users search for other computers by using hierarchical, user-friendly names (hosts), instead of numeric IP addresses. To use this, you have to set up either the host record or the CNAME alias record in the DNS database file. -

          Note
          - DHCP has a higher priority than DNS for automatic configuration. If DHCP provides the URL to a .pac, .jvs, .js, or .ins configuration file, the process stops and the DNS lookup doesn't happen. - -**To set up automatic detection for DHCP servers** - -- Open the [DHCP Administrative Tool](https://go.microsoft.com/fwlink/p/?LinkId=302212), create a new option type, using the code number 252, and then associate it with the URL to your configuration file. For detailed instructions about how to do this, see [Create an option 252 entry in DHCP](https://go.microsoft.com/fwlink/p/?LinkId=294649). - - **Examples:**
          - `https://www.microsoft.com/webproxy.pac`
          - `https://marketing/config.ins`
          - `https://123.4.567.8/account.pac`

          - For more detailed info about how to set up your DHCP server, see your server documentation. - -**To set up automatic detection for DNS servers** - -1. In your DNS database file, the file that’s used to associate your host (computer) names to static IP addresses in a zone, you need to create a host record named, **WPAD**. This record contains entries for all of the hosts that require static mappings, such as workstations, name servers, and mail servers. It also has the IP address to the web server storing your automatic configuration (.js, .jvs, .pac, or .ins) file.

          The syntax is:
          - ` IN A `
          - `corserv IN A 192.55.200.143`
          - `nameserver2 IN A 192.55.200.2`
          - `mailserver1 IN A 192.55.200.51` -

          -OR-

          - Create a canonical name (CNAME) alias record, named WPAD. This record lets you use more than one name to point to a single host, letting you host both an FTP server and a web server on the same computer. It also includes the resolved name (not the IP address) of the server storing your automatic configuration (.pac) file.

          - Note
          For more info about creating a WPAD entry, see Creating a WPAD entry in DNS. - -2. After the database file propagates to the server, the DNS name, `wpad..com` resolves to the server name that includes your automatic configuration file. - -**Note**
          -IE11 creates a default URL template based on the host name,**wpad**. For example, `https://wpad..com/wpad.dat`. Because of this, you need to set up a file or redirection point in your web server **WPAD** record, named **wpad.dat**. The **wpad.dat** record delivers the contents of your automatic configuration file. - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to set up automatic detection for DHCP or DNS servers using IEAK 11 in your organization. +author: lomayor +ms.prod: ie11 +ms.assetid: c6bfe7c4-f452-406f-b47e-b7f0d8c44ae1 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Set up auto detection for DHCP or DNS servers using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Set up auto detection for DHCP or DNS servers using IEAK 11 +Set up your network to automatically detect and customize Internet Explorer 11 when it’s first started. Automatic detection is supported on both Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS), letting your servers detect and set up your employee’s browser settings from a central location, using a configuration URL (.ins file) or a JavaScript proxy configuration file (.js, .jvs, or .pac). + +Before you can set up your environment to use automatic detection, you need to turn the feature on. + +**To turn on the automatic detection feature** + +- Open Internet Explorer Administration Kit 11 (IEAK 11), run the IE Customization Wizard 11 and on the **Automatic Configuration** page, check **Automatically detect configuration settings**. For more information, see [Use the Automatic Configuration page in the IEAK 11 Wizard](auto-config-ieak11-wizard.md). + +## Automatic detection on DHCP and DNS servers +Automatic detection works even if the browser wasn't originally set up or installed by the administrator. + +- **Using DHCP servers:** For local area network (LAN)-based users. This server type lets you specify your global and subnet TCP/IP parameters centrally, defining your users' parameters by using reserved addresses. By doing it this way, a computer can move between subnets, automatically reconfiguring for TCP/IP when it starts. +

          Note
          + Your DHCP servers must support the DHCPINFORM message, to obtain the DHCP options. + +- **Using DNS servers:** For users on dial-up connections. This server type uses a set of protocols and services on a TCP/IP network, which lets users search for other computers by using hierarchical, user-friendly names (hosts), instead of numeric IP addresses. To use this, you have to set up either the host record or the CNAME alias record in the DNS database file. +

          Note
          + DHCP has a higher priority than DNS for automatic configuration. If DHCP provides the URL to a .pac, .jvs, .js, or .ins configuration file, the process stops and the DNS lookup doesn't happen. + +**To set up automatic detection for DHCP servers** + +- Open the [DHCP Administrative Tool](https://go.microsoft.com/fwlink/p/?LinkId=302212), create a new option type, using the code number 252, and then associate it with the URL to your configuration file. For detailed instructions about how to do this, see [Create an option 252 entry in DHCP](https://go.microsoft.com/fwlink/p/?LinkId=294649). + + **Examples:**
          + `https://www.microsoft.com/webproxy.pac`
          + `https://marketing/config.ins`
          + `https://123.4.567.8/account.pac`

          + For more detailed info about how to set up your DHCP server, see your server documentation. + +**To set up automatic detection for DNS servers** + +1. In your DNS database file, the file that’s used to associate your host (computer) names to static IP addresses in a zone, you need to create a host record named, **WPAD**. This record contains entries for all of the hosts that require static mappings, such as workstations, name servers, and mail servers. It also has the IP address to the web server storing your automatic configuration (.js, .jvs, .pac, or .ins) file.

          The syntax is:
          + ` IN A `
          + `corserv IN A 192.55.200.143`
          + `nameserver2 IN A 192.55.200.2`
          + `mailserver1 IN A 192.55.200.51` +

          -OR-

          + Create a canonical name (CNAME) alias record, named WPAD. This record lets you use more than one name to point to a single host, letting you host both an FTP server and a web server on the same computer. It also includes the resolved name (not the IP address) of the server storing your automatic configuration (.pac) file.

          + Note
          For more info about creating a WPAD entry, see Creating a WPAD entry in DNS. + +2. After the database file propagates to the server, the DNS name, `wpad..com` resolves to the server name that includes your automatic configuration file. + +**Note**
          +IE11 creates a default URL template based on the host name,**wpad**. For example, `https://wpad..com/wpad.dat`. Because of this, you need to set up a file or redirection point in your web server **WPAD** record, named **wpad.dat**. The **wpad.dat** record delivers the contents of your automatic configuration file. + diff --git a/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md index 336b704352..9a3f704cf0 100644 --- a/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md @@ -1,48 +1,48 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Automatic Version Synchronization page in the IEAK 11 Customization Wizard to download the IE11 Setup file each time you run the Wizard. -author: lomayor -ms.prod: ie11 -ms.assetid: bfc7685f-843b-49c3-8b9b-07e69705840c -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Automatic Version Synchronization page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Automatic Version Synchronization page in the IEAK 11 Wizard -The **Automatic Version Synchronization** page of the Internet Explorer Customization Wizard 11 runs the synchronization process every time you run the wizard, downloading the Internet Explorer 11 Setup file to your computer. The Setup file includes the required full and express packages. - -**Important**
          -You must run the **Automatic Version Synchronization** page once for each operating system and language combination of IE. - -The **Automatic Version Synchronization** page tells you: - -- **Version available on your machine**. The version of IE11 that’s running on the computer that’s also running the IE Customization Wizard 11. - -- **Latest version available on web**. The most recently released version of the IE Customization Wizard 11. To get this value, the wizard compares the version of IE on your computer to the latest version of IE on the **Downloads** site. If the versions are different, you’ll be asked to update your version of IE. - -- **Disk space required**. The amount of space on your hard drive needed to update the browser. - -- **Disk space available**. The amount of hard drive space available on the computer that’s running the IE Customization Wizard 11. - - -**To use the Automatic Version Synchronization page** - -1. Click **Synchronize**.

          -You might receive a security warning before downloading your Setup file, asking if you want to continue. Click **Run** to continue. - -2. Click **Next** to go to the [Custom Components](custom-components-ieak11-wizard.md) page or **Back** to go to the [Feature Selection](feature-selection-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Automatic Version Synchronization page in the IEAK 11 Customization Wizard to download the IE11 Setup file each time you run the Wizard. +author: lomayor +ms.prod: ie11 +ms.assetid: bfc7685f-843b-49c3-8b9b-07e69705840c +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Automatic Version Synchronization page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Automatic Version Synchronization page in the IEAK 11 Wizard +The **Automatic Version Synchronization** page of the Internet Explorer Customization Wizard 11 runs the synchronization process every time you run the wizard, downloading the Internet Explorer 11 Setup file to your computer. The Setup file includes the required full and express packages. + +**Important**
          +You must run the **Automatic Version Synchronization** page once for each operating system and language combination of IE. + +The **Automatic Version Synchronization** page tells you: + +- **Version available on your machine**. The version of IE11 that’s running on the computer that’s also running the IE Customization Wizard 11. + +- **Latest version available on web**. The most recently released version of the IE Customization Wizard 11. To get this value, the wizard compares the version of IE on your computer to the latest version of IE on the **Downloads** site. If the versions are different, you’ll be asked to update your version of IE. + +- **Disk space required**. The amount of space on your hard drive needed to update the browser. + +- **Disk space available**. The amount of hard drive space available on the computer that’s running the IE Customization Wizard 11. + + +**To use the Automatic Version Synchronization page** + +1. Click **Synchronize**.

          +You might receive a security warning before downloading your Setup file, asking if you want to continue. Click **Run** to continue. + +2. Click **Next** to go to the [Custom Components](custom-components-ieak11-wizard.md) page or **Back** to go to the [Feature Selection](feature-selection-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md b/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md index 4558426d56..9bea8f5c1c 100644 --- a/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md @@ -1,39 +1,39 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: plan -description: A list of steps to follow before you start to create your custom browser installation packages. -author: lomayor -ms.author: lomayor -ms.manager: elizapo -ms.prod: ie11 -ms.assetid: 6ed182b0-46cb-4865-9563-70825be9a5e4 -ms.reviewer: -manager: dansimp -title: Before you start using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 04/24/2018 ---- - - -# Before you start using IEAK 11 - -Before you run IEAK 11 and the Customization Wizard, make sure you have met the following requirements: - -- Have you determined which licensing version of the Internet Explorer Administration Kit 11 to install? For info, see [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md). - -- Do you meet the necessary hardware and software requirements? See [Hardware and software requirements for IEAK 11](hardware-and-software-reqs-ieak11.md). - -- Have you gotten all of the URLs needed to customize your **Home**, **Search**, and **Support** pages? See [Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard](important-urls-home-page-and-support-ieak11-wizard.md). - -- Have you reviewed the security features to determine how to set up and manage them? See [Security features and IEAK 11](security-and-ieak11.md). - -- Have you created a test lab, where you can run the test version of your browser package to make sure it runs properly? - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: plan +description: A list of steps to follow before you start to create your custom browser installation packages. +author: lomayor +ms.author: lomayor +ms.manager: elizapo +ms.prod: ie11 +ms.assetid: 6ed182b0-46cb-4865-9563-70825be9a5e4 +ms.reviewer: +audience: itpro manager: dansimp +title: Before you start using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 04/24/2018 +--- + + +# Before you start using IEAK 11 + +Before you run IEAK 11 and the Customization Wizard, make sure you have met the following requirements: + +- Have you determined which licensing version of the Internet Explorer Administration Kit 11 to install? For info, see [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md). + +- Do you meet the necessary hardware and software requirements? See [Hardware and software requirements for IEAK 11](hardware-and-software-reqs-ieak11.md). + +- Have you gotten all of the URLs needed to customize your **Home**, **Search**, and **Support** pages? See [Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard](important-urls-home-page-and-support-ieak11-wizard.md). + +- Have you reviewed the security features to determine how to set up and manage them? See [Security features and IEAK 11](security-and-ieak11.md). + +- Have you created a test lab, where you can run the test version of your browser package to make sure it runs properly? + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md index 9fa48060a5..7f9c6d989e 100644 --- a/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md @@ -1,54 +1,54 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Use the \[Branding\] .INS file setting to set up your custom branding and setup info in your browser install package. -author: lomayor -ms.prod: ie11 -ms.assetid: cde600c6-29cf-4bd3-afd1-21563d2642df -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Branding .INS file to create custom branding and setup info (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Branding .INS file to create custom branding and setup info -Info about the custom branding and setup information in your browser package. - -|Name |Value | Description | -|-----------|--------------------------------|--------------------------------------------------------------| -|Add on URL | `` |The add-on URL for the product updates command in the browser.| -|BrowserDefault|

          • **0.** Locks down Internet Explorer as the default browser.
          • **1.** Preserves the existing default browser.
          • **2.** Lets the employee decide the default browser.
          | Determines the default browser behavior. | -|CMBitmapName | `` | The file name for the Connection Manager custom bitmap. | -|CMBitmapPath | `` | The full file path to the Connection Manager custom bitmap file. | -|CMProfileName| `` | The name of the Connection Manager profile. | -|CMProfilePath| `` | The full file path to the Connection Manager profile. | -|CMUseCustom |
          • **0.** Don’t use a custom Connection Manager profile.
          • **1.** Use a custom Connection Manager profile.
          | Determines whether to use a custom Connection Manager profile. | -|CompanyName |`` |The name of the company with a valid IEAK 11 license, building this .ins file. | -|EncodeFavs |
          • **0.** Don’t encode the section.
          • **1.** Encode the section.
          |Determines whether to encode the **[Favorites]** section for versions of IE earlier than 5.0. | -|FavoritesDelete |*hexadecimal:* `0x89` |Lets you remove all existing Favorites and Quick Links. | -|FavoritesOnTop |
          • **0.** Don’t put the new item at the top of the **Favorites** menu.
          • **1.** Put the new item at the top of the **Favorites** menu.
          |Determines whether to put new favorite items at the top of the menu. | -|IE4 Welcome Msg |
          • **0.** Don’t go to a **Welcome** page the first time the browser is opened.
          • **1.** Go to a **Welcome** page the first time the browser is opened.
          |Determines whether a **Welcome** page appears. | -|Language ID |`` |Code value for the language used. | -|Language Locale |`` |The locale of the version of IE being customized, as denoted by a four-letter string — for example, EN-us for English. | -|NoIELite |
          • **0.** Don’t optimize the Active Setup Wizard.
          • **1.** Optimize the Active Setup Wizard for download, using existing files, as possible.
          |Determines whether to optimize the Active Setup Wizard for download. | -|SilentInstall |
          • **0.** Run Windows Update Setup interactively.
          • **1.** Run Windows Update Setup non-interactively, but show progress and error messages to the employee.
          |Determines whether Windows Update Setup runs interactively on the employee’s computer.

          **Note**
          This only appears for the **Internal** version of the IEAK 11. | -|StealthInstall |

          • **0.** Run Windows Update Setup showing progress and error messages to the employee.
          • **1.** Run Windows Update Setup without showing error messages to the employee.
          |Determines whether Windows Update Setup shows error messages and dialog boxes.

          **Note**
          This only appears for the **Internal** version of the IEAK 11. | -|Toolbar Bitmap |`` |Full path to the icon bitmap that appears on the browser toolbar. | -|Type |

          • **1.** Internal version. For use on a corporate intranet or network.
          • **2.** External version. For use by ISPs, ICPs, or Developers.
          |The version of IEAK 11 being used. | -|User Agent |`` |String to be appended to the default User Agent string. | -|Version |`` |Version number of the browser. For example, `6,0,0,1`. | -|WebIntegrated |
          • **0.** Don’t include the 4.x integrated shell in your custom package.
          • **1.** Include the 4.x integrated shell in your custom package.
          |Determines whether the IE 4.x integrated shell is included in this package. | -|Win32DownloadSite |`` |URL from where your employees will download the IEsetup.exe file. | -|Window_Title |`` |Customized window title for IE. | -|Window_Title_CN |`` |Company name to be appended to the window title. | -|WizardVersion |`` |Version of the IEAK that created the .ins file. For example, `6.00.0707.2800`. | - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Use the \[Branding\] .INS file setting to set up your custom branding and setup info in your browser install package. +author: lomayor +ms.prod: ie11 +ms.assetid: cde600c6-29cf-4bd3-afd1-21563d2642df +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Branding .INS file to create custom branding and setup info (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Branding .INS file to create custom branding and setup info +Info about the custom branding and setup information in your browser package. + +|Name |Value | Description | +|-----------|--------------------------------|--------------------------------------------------------------| +|Add on URL | `` |The add-on URL for the product updates command in the browser.| +|BrowserDefault|
          • **0.** Locks down Internet Explorer as the default browser.
          • **1.** Preserves the existing default browser.
          • **2.** Lets the employee decide the default browser.
          | Determines the default browser behavior. | +|CMBitmapName | `` | The file name for the Connection Manager custom bitmap. | +|CMBitmapPath | `` | The full file path to the Connection Manager custom bitmap file. | +|CMProfileName| `` | The name of the Connection Manager profile. | +|CMProfilePath| `` | The full file path to the Connection Manager profile. | +|CMUseCustom |
          • **0.** Don’t use a custom Connection Manager profile.
          • **1.** Use a custom Connection Manager profile.
          | Determines whether to use a custom Connection Manager profile. | +|CompanyName |`` |The name of the company with a valid IEAK 11 license, building this .ins file. | +|EncodeFavs |
          • **0.** Don’t encode the section.
          • **1.** Encode the section.
          |Determines whether to encode the **[Favorites]** section for versions of IE earlier than 5.0. | +|FavoritesDelete |*hexadecimal:* `0x89` |Lets you remove all existing Favorites and Quick Links. | +|FavoritesOnTop |
          • **0.** Don’t put the new item at the top of the **Favorites** menu.
          • **1.** Put the new item at the top of the **Favorites** menu.
          |Determines whether to put new favorite items at the top of the menu. | +|IE4 Welcome Msg |
          • **0.** Don’t go to a **Welcome** page the first time the browser is opened.
          • **1.** Go to a **Welcome** page the first time the browser is opened.
          |Determines whether a **Welcome** page appears. | +|Language ID |`` |Code value for the language used. | +|Language Locale |`` |The locale of the version of IE being customized, as denoted by a four-letter string — for example, EN-us for English. | +|NoIELite |
          • **0.** Don’t optimize the Active Setup Wizard.
          • **1.** Optimize the Active Setup Wizard for download, using existing files, as possible.
          |Determines whether to optimize the Active Setup Wizard for download. | +|SilentInstall |
          • **0.** Run Windows Update Setup interactively.
          • **1.** Run Windows Update Setup non-interactively, but show progress and error messages to the employee.
          |Determines whether Windows Update Setup runs interactively on the employee’s computer.

          **Note**
          This only appears for the **Internal** version of the IEAK 11. | +|StealthInstall |

          • **0.** Run Windows Update Setup showing progress and error messages to the employee.
          • **1.** Run Windows Update Setup without showing error messages to the employee.
          |Determines whether Windows Update Setup shows error messages and dialog boxes.

          **Note**
          This only appears for the **Internal** version of the IEAK 11. | +|Toolbar Bitmap |`` |Full path to the icon bitmap that appears on the browser toolbar. | +|Type |

          • **1.** Internal version. For use on a corporate intranet or network.
          • **2.** External version. For use by ISPs, ICPs, or Developers.
          |The version of IEAK 11 being used. | +|User Agent |`` |String to be appended to the default User Agent string. | +|Version |`` |Version number of the browser. For example, `6,0,0,1`. | +|WebIntegrated |
          • **0.** Don’t include the 4.x integrated shell in your custom package.
          • **1.** Include the 4.x integrated shell in your custom package.
          |Determines whether the IE 4.x integrated shell is included in this package. | +|Win32DownloadSite |`` |URL from where your employees will download the IEsetup.exe file. | +|Window_Title |`` |Customized window title for IE. | +|Window_Title_CN |`` |Company name to be appended to the window title. | +|WizardVersion |`` |Version of the IEAK that created the .ins file. For example, `6.00.0707.2800`. | + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md index 5b332edf14..ab8937ec4a 100644 --- a/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md @@ -1,56 +1,56 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Browser User Interface page in the IEAK 11 Customization Wizard to change the toolbar buttons and the title bar. -author: lomayor -ms.prod: ie11 -ms.assetid: c4a18dcd-2e9c-4b5b-bcc5-9b9361a79f0d -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Browser User Interface page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Browser User Interface page in the IEAK 11 Wizard -The **Browser User Interface** page of the Internet Explorer Customization Wizard 11 lets you change the toolbar buttons and the title bar text in IE. - -**Note**
          The customizations you make on this page apply only to Internet Explorer for the desktop. - - **To use the Browser User Interface page** - -1. Check the **Customize Title Bars** box so you can add your custom text to the **Title Bar Text** box.

          -The text shows up in the title bar as **IE provided by** <*your_custom_text*>. - -2. Check the **Delete existing toolbar buttons, if present** box so you can delete all of the toolbar buttons in your employee’s browser, except for the standard buttons installed with IE (which can’t be removed). - -**Note**
          Only Administrators can use this option. - -3. Click **Add** to add new toolbar buttons.

          - The **Browser Toolbar Button Information** box appears. - -4. In the **Toolbar caption** box, type the text that shows up when an employee hovers over your custom button. We recommend no more than 10 characters. - -5. In the **Toolbar action** box, browse to your script or executable file that runs when an employee clicks your custom button. - -6. In the **Toolbar icon** box, browse to the icon file that represents your button while active. This icon must be 20x20 pixels. - -7. Check the **This button should be shown on the toolbar by default** box so your custom button shows by default.

          - This box should be cleared if you want to offer a custom set of buttons, but want your employees to choose whether or not to use them. In this situation, your buttons will show up in the **Customize Toolbars** dialog box, under **Available toolbar buttons**. Your employees can get to this dialog box in IE by clicking **Tools** from the **Command Bar**, clicking **Toolbars**, and then clicking **Customize**. - -8. Click **OK.** - -9. Click **Edit** to change your custom toolbar button or **Remove** to delete the button. The removed button will disappear from your employee’s computer after you apply the updated customization. Only custom toolbar buttons can be removed. - -10. Click **Next** to go to the [Search Providers](search-providers-ieak11-wizard.md) page or **Back** to go to the [User Experience](user-experience-ieak11-wizard.md) page. - - - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Browser User Interface page in the IEAK 11 Customization Wizard to change the toolbar buttons and the title bar. +author: lomayor +ms.prod: ie11 +ms.assetid: c4a18dcd-2e9c-4b5b-bcc5-9b9361a79f0d +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Browser User Interface page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Browser User Interface page in the IEAK 11 Wizard +The **Browser User Interface** page of the Internet Explorer Customization Wizard 11 lets you change the toolbar buttons and the title bar text in IE. + +**Note**
          The customizations you make on this page apply only to Internet Explorer for the desktop. + + **To use the Browser User Interface page** + +1. Check the **Customize Title Bars** box so you can add your custom text to the **Title Bar Text** box.

          +The text shows up in the title bar as **IE provided by** <*your_custom_text*>. + +2. Check the **Delete existing toolbar buttons, if present** box so you can delete all of the toolbar buttons in your employee’s browser, except for the standard buttons installed with IE (which can’t be removed). + +**Note**
          Only Administrators can use this option. + +3. Click **Add** to add new toolbar buttons.

          + The **Browser Toolbar Button Information** box appears. + +4. In the **Toolbar caption** box, type the text that shows up when an employee hovers over your custom button. We recommend no more than 10 characters. + +5. In the **Toolbar action** box, browse to your script or executable file that runs when an employee clicks your custom button. + +6. In the **Toolbar icon** box, browse to the icon file that represents your button while active. This icon must be 20x20 pixels. + +7. Check the **This button should be shown on the toolbar by default** box so your custom button shows by default.

          + This box should be cleared if you want to offer a custom set of buttons, but want your employees to choose whether or not to use them. In this situation, your buttons will show up in the **Customize Toolbars** dialog box, under **Available toolbar buttons**. Your employees can get to this dialog box in IE by clicking **Tools** from the **Command Bar**, clicking **Toolbars**, and then clicking **Customize**. + +8. Click **OK.** + +9. Click **Edit** to change your custom toolbar button or **Remove** to delete the button. The removed button will disappear from your employee’s computer after you apply the updated customization. Only custom toolbar buttons can be removed. + +10. Click **Next** to go to the [Search Providers](search-providers-ieak11-wizard.md) page or **Back** to go to the [User Experience](user-experience-ieak11-wizard.md) page. + + + + + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md index d6404a8966..56922b0838 100644 --- a/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md @@ -1,39 +1,39 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: plan -description: Use the \[BrowserToolbars\] .INS file setting to customize your Internet Explorer toolbar and buttons. -author: lomayor -ms.prod: ie11 -ms.assetid: 83af0558-9df3-4c2e-9350-44f7788efa6d -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the BrowserToolbars .INS file to customize the Internet Explorer toolbar and buttons (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the BrowserToolbars .INS file to customize the Internet Explorer toolbar and buttons -Info about how to customize the Internet Explorer toolbar. - -|Name |Value |Description | -|-----------|---------------------------|-------------| -|Action0 |`` |Path and file name for the executable (.exe) file that's associated with your custom toolbar button. | -|Caption0 |`` |Text that appears as the caption for your custom toolbar button. | -|DeleteButtons |

          • **0.** Don’t delete the existing custom toolbar buttons.
          • **1.** Delete the existing custom toolbar buttons.
          |Determines whether to delete the existing custom toolbar buttons. | -|HotIcon0 |`` |An icon (.ico) file that appears highlighted on the button when the pointer is moved over it. | -|Icon0 |`` |An icon (.ico) file that appears dimmed on the button when the pointer isn’t moved over it. | -|Show0 |
          • **0.** Don’t show the button by default.
          • **1.** Show the button by default.
          |Determines whether to show the new button on the toolbar by default. | -|ToolTipText0 |`` |Tooltip text for the custom toolbar button. | - -  - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: plan +description: Use the \[BrowserToolbars\] .INS file setting to customize your Internet Explorer toolbar and buttons. +author: lomayor +ms.prod: ie11 +ms.assetid: 83af0558-9df3-4c2e-9350-44f7788efa6d +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the BrowserToolbars .INS file to customize the Internet Explorer toolbar and buttons (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the BrowserToolbars .INS file to customize the Internet Explorer toolbar and buttons +Info about how to customize the Internet Explorer toolbar. + +|Name |Value |Description | +|-----------|---------------------------|-------------| +|Action0 |`` |Path and file name for the executable (.exe) file that's associated with your custom toolbar button. | +|Caption0 |`` |Text that appears as the caption for your custom toolbar button. | +|DeleteButtons |
          • **0.** Don’t delete the existing custom toolbar buttons.
          • **1.** Delete the existing custom toolbar buttons.
          |Determines whether to delete the existing custom toolbar buttons. | +|HotIcon0 |`` |An icon (.ico) file that appears highlighted on the button when the pointer is moved over it. | +|Icon0 |`` |An icon (.ico) file that appears dimmed on the button when the pointer isn’t moved over it. | +|Show0 |
          • **0.** Don’t show the button by default.
          • **1.** Show the button by default.
          |Determines whether to show the new button on the toolbar by default. | +|ToolTipText0 |`` |Tooltip text for the custom toolbar button. | + +  + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md index 1b78bbee1d..c1f405ec66 100644 --- a/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md @@ -1,51 +1,51 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Browsing Options page in the IEAK 11 Customization Wizard to manage items in the Favorites, Favorites Bar, and Feeds section. -author: lomayor -ms.prod: ie111 -ms.assetid: d6bd71ba-5df3-4b8c-8bb5-dcbc50fd974e -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Browsing Options page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Browsing Options page in the IEAK 11 Wizard -The **Browsing Options** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you decide how you want to manage items in the **Favorites, Favorites Bar, and Feeds** section, including the Microsoft-provided default items. - -The choices that you make on this page affect only the items shown on the **Favorites, Favorites Bar, and Feeds** page. - -**To use the Browsing Options page** - -1. Decide how you want to manage links that are already installed on your employee’s computer: - - - **Delete all existing items under Favorites, Favorites Bar and Feeds.** Removes all of the links, Web Slices, feeds, and Accelerators on the computer. This includes links and favorites added by you or the employee. Because this removes everything, we recommend that you use this option with caution. - - - **Only delete the items created by the administrator.** Removes only the items that you added for your employees on the **Favorites, Favorites Bar and Feeds** page. - - - **Don’t delete any items.** Doesn’t remove anything. Links Web Slices, feeds, and Accelerators are added to your employee computers at the top of the list, in the order you picked on the **Favorites, Favorites Bar and Feeds** page. - -2. Decide if you don’t want to add the Microsoft-default items: - - - **Favorites.** Checking this box won’t add the Microsoft-defined links. - - - **Web Slices and Links.** Checking this box won’t add the Microsoft-defined Web Slices or links. - - - **Feeds.** Checking this box won’t add the Microsoft-defined RSS feeds. - - - **Accelerators.** Checking this box won’t add the Microsoft-defined Accelerators. - -3. Click **Next** to go to the [First Run Wizard and Welcome Page Options](first-run-and-welcome-page-ieak11-wizard.md) page or **Back** to go to the [Favorites, Favorites Bar, and Feeds](favorites-favoritesbar-and-feeds-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Browsing Options page in the IEAK 11 Customization Wizard to manage items in the Favorites, Favorites Bar, and Feeds section. +author: lomayor +ms.prod: ie111 +ms.assetid: d6bd71ba-5df3-4b8c-8bb5-dcbc50fd974e +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Browsing Options page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Browsing Options page in the IEAK 11 Wizard +The **Browsing Options** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you decide how you want to manage items in the **Favorites, Favorites Bar, and Feeds** section, including the Microsoft-provided default items. + +The choices that you make on this page affect only the items shown on the **Favorites, Favorites Bar, and Feeds** page. + +**To use the Browsing Options page** + +1. Decide how you want to manage links that are already installed on your employee’s computer: + + - **Delete all existing items under Favorites, Favorites Bar and Feeds.** Removes all of the links, Web Slices, feeds, and Accelerators on the computer. This includes links and favorites added by you or the employee. Because this removes everything, we recommend that you use this option with caution. + + - **Only delete the items created by the administrator.** Removes only the items that you added for your employees on the **Favorites, Favorites Bar and Feeds** page. + + - **Don’t delete any items.** Doesn’t remove anything. Links Web Slices, feeds, and Accelerators are added to your employee computers at the top of the list, in the order you picked on the **Favorites, Favorites Bar and Feeds** page. + +2. Decide if you don’t want to add the Microsoft-default items: + + - **Favorites.** Checking this box won’t add the Microsoft-defined links. + + - **Web Slices and Links.** Checking this box won’t add the Microsoft-defined Web Slices or links. + + - **Feeds.** Checking this box won’t add the Microsoft-defined RSS feeds. + + - **Accelerators.** Checking this box won’t add the Microsoft-defined Accelerators. + +3. Click **Next** to go to the [First Run Wizard and Welcome Page Options](first-run-and-welcome-page-ieak11-wizard.md) page or **Back** to go to the [Favorites, Favorites Bar, and Feeds](favorites-favoritesbar-and-feeds-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md index ec0d11f73c..0d0a0bde19 100644 --- a/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md @@ -1,26 +1,26 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Use the \[CabSigning\] .INS file setting to customize the digital signature info for your apps. -author: lomayor -ms.prod: ie11 -ms.assetid: 098707e9-d712-4297-ac68-7d910ca8f43b -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the CabSigning .INS file to customize the digital signature info for your apps (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the CabSigning .INS file to customize the digital signature info for your apps -Info about how to customize the digital signature info for your apps. - -|Name |Value |Description | -|-----------|---------------------------|-------------| -|InfoURL |`` |URL that appears on the **Certificate** dialog box. | -|Name |`` |Company name associated with the certificate. | -|pvkFile |`` |File path to the privacy key file. | -|spcFile |`` |File path to the certificate file.| - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Use the \[CabSigning\] .INS file setting to customize the digital signature info for your apps. +author: lomayor +ms.prod: ie11 +ms.assetid: 098707e9-d712-4297-ac68-7d910ca8f43b +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the CabSigning .INS file to customize the digital signature info for your apps (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the CabSigning .INS file to customize the digital signature info for your apps +Info about how to customize the digital signature info for your apps. + +|Name |Value |Description | +|-----------|---------------------------|-------------| +|InfoURL |`` |URL that appears on the **Certificate** dialog box. | +|Name |`` |Company name associated with the certificate. | +|pvkFile |`` |File path to the privacy key file. | +|spcFile |`` |File path to the certificate file.| + diff --git a/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md index 843f8a478c..7e05be2556 100644 --- a/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md @@ -1,22 +1,22 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: We’re sorry. We’ve removed all of the functionality included on the **Compatibility View** page of the Internet Explorer Customization Wizard 11. -author: lomayor -ms.prod: ie11 -ms.assetid: 51d8f80e-93a5-41e4-9478-b8321458bc30 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Compatibility View page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Compatibility View page in the IEAK 11 Wizard -We’re sorry. We’ve changed the way Compatibility View works in Internet Explorer 11 and have removed all of the functionality included on the **Compatibility View** page of the Internet Explorer Customization Wizard 11. For more info about the changes we’ve made to the Compatibility View functionality, see [Missing the Compatibility View Button](../ie11-deploy-guide/missing-the-compatibility-view-button.md). - -Click **Next** to go to the [Programs](programs-ieak11-wizard.md) page or **Back** to go to the [Security and Privacy Settings](security-and-privacy-settings-ieak11-wizard.md) page. - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: We’re sorry. We’ve removed all of the functionality included on the **Compatibility View** page of the Internet Explorer Customization Wizard 11. +author: lomayor +ms.prod: ie11 +ms.assetid: 51d8f80e-93a5-41e4-9478-b8321458bc30 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Compatibility View page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Compatibility View page in the IEAK 11 Wizard +We’re sorry. We’ve changed the way Compatibility View works in Internet Explorer 11 and have removed all of the functionality included on the **Compatibility View** page of the Internet Explorer Customization Wizard 11. For more info about the changes we’ve made to the Compatibility View functionality, see [Missing the Compatibility View Button](../ie11-deploy-guide/missing-the-compatibility-view-button.md). + +Click **Next** to go to the [Programs](programs-ieak11-wizard.md) page or **Back** to go to the [Security and Privacy Settings](security-and-privacy-settings-ieak11-wizard.md) page. + diff --git a/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md index 80fc96491a..3fbf4b4276 100644 --- a/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md @@ -1,21 +1,21 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: We’re sorry. We’ve removed all of the functionality included on the **Connection Manager** page of the Internet Explorer Customization Wizard 11. -author: lomayor -ms.prod: ie11 -ms.assetid: 1edaa7db-cf6b-4f94-b65f-0feff3d4081a -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Connection Manager page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Connection Manager page in the IEAK 11 Wizard -We're sorry. We've removed all of the functionality included on the Connection Manager page of the Internet Explorer Customization Wizard 11. - -Click **Next** to go to the [Connection Settings](connection-settings-ieak11-wizard.md) page or **Back** to go to the [Compatibility View](compat-view-ieak11-wizard.md) page. - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: We’re sorry. We’ve removed all of the functionality included on the **Connection Manager** page of the Internet Explorer Customization Wizard 11. +author: lomayor +ms.prod: ie11 +ms.assetid: 1edaa7db-cf6b-4f94-b65f-0feff3d4081a +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Connection Manager page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Connection Manager page in the IEAK 11 Wizard +We're sorry. We've removed all of the functionality included on the Connection Manager page of the Internet Explorer Customization Wizard 11. + +Click **Next** to go to the [Connection Settings](connection-settings-ieak11-wizard.md) page or **Back** to go to the [Compatibility View](compat-view-ieak11-wizard.md) page. + diff --git a/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md index 4ef7b729f2..1d7f645f31 100644 --- a/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md @@ -1,41 +1,41 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Connection Settings page in IEAK 11 Customization Wizard to import and preset connection settings on your employee’s computers. -author: lomayor -ms.prod: ie11 -ms.assetid: dc93ebf7-37dc-47c7-adc3-067d07de8b78 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Connection Settings page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Connection Settings page in the IEAK 11 Wizard -The **Connection Settings** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you import the connection settings from your computer, to preset the connection settings on your employee’s computers. - -**Note**
          Using the options on the **Additional Settings** page of the wizard, you can let your employees change their connection settings. For more information see the [Additional Settings](additional-settings-ieak11-wizard.md) page. You can also customize additional connection settings using the **Automatic Configuration** page in the wizard. For more information see the [Automatic Configuration](auto-config-ieak11-wizard.md) page. - -**To view your current connection settings** - -1. Open IE, click the **Tools** menu, click **Internet Options**, and then click the **Connections** tab. - -2. Click **Settings** to view your dial-up settings and click **LAN Settings** to view your network settings. - -**To use the Connection Settings page** - -1. Decide if you want to customize your connection settings. You can pick: - - - **Do not customize Connection Settings.** Pick this option if you don’t want to preset your employee’s connection settings. - - - **Import the current Connection Settings from this machine.** Pick this option to import your connection settings from your computer and use them as the preset for your employee’s connection settings. - - **Note**
          If you want to change any of your settings later, you can click **Modify Settings** to open the **Internet Properties** box, click the **Connection Settings** tab, and make your changes. - -2. Check the **Delete existing Dial-up Connection Settings** box to clear any existing settings on your employee’s computers. - -3. Click **Next** to go to the [Automatic Configuration](auto-config-ieak11-wizard.md) page or **Back** to go to the [Connection Manager](connection-mgr-ieak11-wizard.md) page. - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Connection Settings page in IEAK 11 Customization Wizard to import and preset connection settings on your employee’s computers. +author: lomayor +ms.prod: ie11 +ms.assetid: dc93ebf7-37dc-47c7-adc3-067d07de8b78 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Connection Settings page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Connection Settings page in the IEAK 11 Wizard +The **Connection Settings** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you import the connection settings from your computer, to preset the connection settings on your employee’s computers. + +**Note**
          Using the options on the **Additional Settings** page of the wizard, you can let your employees change their connection settings. For more information see the [Additional Settings](additional-settings-ieak11-wizard.md) page. You can also customize additional connection settings using the **Automatic Configuration** page in the wizard. For more information see the [Automatic Configuration](auto-config-ieak11-wizard.md) page. + +**To view your current connection settings** + +1. Open IE, click the **Tools** menu, click **Internet Options**, and then click the **Connections** tab. + +2. Click **Settings** to view your dial-up settings and click **LAN Settings** to view your network settings. + +**To use the Connection Settings page** + +1. Decide if you want to customize your connection settings. You can pick: + + - **Do not customize Connection Settings.** Pick this option if you don’t want to preset your employee’s connection settings. + + - **Import the current Connection Settings from this machine.** Pick this option to import your connection settings from your computer and use them as the preset for your employee’s connection settings. + + **Note**
          If you want to change any of your settings later, you can click **Modify Settings** to open the **Internet Properties** box, click the **Connection Settings** tab, and make your changes. + +2. Check the **Delete existing Dial-up Connection Settings** box to clear any existing settings on your employee’s computers. + +3. Click **Next** to go to the [Automatic Configuration](auto-config-ieak11-wizard.md) page or **Back** to go to the [Connection Manager](connection-mgr-ieak11-wizard.md) page. + diff --git a/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md index bd63234840..2f510429c0 100644 --- a/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md @@ -1,26 +1,26 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: plan -description: Use the \[ConnectionSettings\] .INS file setting to specify the network connection settings needed to install your custom package. -author: lomayor -ms.prod: ie11 -ms.assetid: 41410300-6ddd-43b2-b9e2-0108a2221355 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the ConnectionSettings .INS file to review the network connections for install (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the ConnectionSettings .INS file to review the network connections for install -Info about the network connection settings used to install your custom package. This section creates a common configuration on all of your employee’s computers. - -|Name |Value |Description | -|-----------|---------------------------|-------------| -|ConnectName0 |`` |Name for the connection. | -|ConnectName1 |`` |Secondary name for the connection. | -|DeleteConnectionSettings |
          • **0.** Don’t remove the connection settings during installation.
          • **1.** Remove the connection settings during installation.

            **Note**
            This only appears for the **Internal** version of the IEAK 11.

          |Determines whether to remove the existing connection settings during installation of your custom package. | -|Option |
          • **0.** Don’t let employees import connection settings.
          • **1.** Let employees import connection settings.
          |Determines whether an employee can import connection settings into the Internet Explorer Customization Wizard. | - +--- +ms.localizationpriority: medium +ms.mktglfcycl: plan +description: Use the \[ConnectionSettings\] .INS file setting to specify the network connection settings needed to install your custom package. +author: lomayor +ms.prod: ie11 +ms.assetid: 41410300-6ddd-43b2-b9e2-0108a2221355 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the ConnectionSettings .INS file to review the network connections for install (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the ConnectionSettings .INS file to review the network connections for install +Info about the network connection settings used to install your custom package. This section creates a common configuration on all of your employee’s computers. + +|Name |Value |Description | +|-----------|---------------------------|-------------| +|ConnectName0 |`` |Name for the connection. | +|ConnectName1 |`` |Secondary name for the connection. | +|DeleteConnectionSettings |
          • **0.** Don’t remove the connection settings during installation.
          • **1.** Remove the connection settings during installation.

            **Note**
            This only appears for the **Internal** version of the IEAK 11.

          |Determines whether to remove the existing connection settings during installation of your custom package. | +|Option |
          • **0.** Don’t let employees import connection settings.
          • **1.** Let employees import connection settings.
          |Determines whether an employee can import connection settings into the Internet Explorer Customization Wizard. | + diff --git a/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md index 21c49dc308..5dab4acabf 100644 --- a/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md @@ -1,24 +1,24 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: plan -description: How to create your folder structure on the computer that you’ll use to build your custom browser package. -author: lomayor -ms.prod: ie11 -ms.assetid: e0d05a4c-099f-4f79-a069-4aa1c28a1080 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Create the build computer folder structure using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Create the build computer folder structure using IEAK 11 -Create your build environment on the computer that you’ll use to build your custom browser package. Your license agreement determines your folder structure and which version of Internet Explorer Administration Kit 11 (IEAK 11) you’ll use: **Internal** or **External**. - -|Name |Version |Description | -|-----------------|----------------------|---------------------------------------------------------| -|`\` |Internal and External |The main, placeholder folder used for all files built by IEAK or that you referenced in your custom package.| -|`\\Dist` |Internal only |Destination directory for your files. You’ll only need this folder if you’re creating your browser package on a network drive. | - +--- +ms.localizationpriority: medium +ms.mktglfcycl: plan +description: How to create your folder structure on the computer that you’ll use to build your custom browser package. +author: lomayor +ms.prod: ie11 +ms.assetid: e0d05a4c-099f-4f79-a069-4aa1c28a1080 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Create the build computer folder structure using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Create the build computer folder structure using IEAK 11 +Create your build environment on the computer that you’ll use to build your custom browser package. Your license agreement determines your folder structure and which version of Internet Explorer Administration Kit 11 (IEAK 11) you’ll use: **Internal** or **External**. + +|Name |Version |Description | +|-----------------|----------------------|---------------------------------------------------------| +|`\` |Internal and External |The main, placeholder folder used for all files built by IEAK or that you referenced in your custom package.| +|`\\Dist` |Internal only |Destination directory for your files. You’ll only need this folder if you’re creating your browser package on a network drive. | + diff --git a/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md index 6931f6e77d..ee5455e665 100644 --- a/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md @@ -1,27 +1,27 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: plan -description: Review this list of tasks and references before you create and deploy your Internet Explorer 11 custom install packages. -author: lomayor -ms.prod: ie11 -ms.assetid: fe71c603-bf07-41e1-a477-ade5b28c9fb3 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Tasks and references to consider before creating and deploying custom packages using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Tasks and references to consider before creating and deploying custom packages using IEAK 11 -Review this list of tasks and references to help you use the Internet Explorer Administration Kit 11 (IEAK 11) to set up, deploy, and manage Internet Explorer 11 in your company. - -|Task |References | -|----------------------------------------|--------------------------------------------------------------| -|Review concepts and requirements, including info about the version and features you'll use. |
          • [Hardware and software requirements for IEAK 11](hardware-and-software-reqs-ieak11.md)
          • [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md)
          • [Before you start using IEAK 11](before-you-create-custom-pkgs-ieak11.md)
          | -|Prep your environment and get all of the info you'll need for running IEAK 11 |
          • [Create the build computer folder structure using IEAK 11](create-build-folder-structure-ieak11.md)
          • [Customize the Toolbar button and Favorites List icons using IEAK 11](guidelines-toolbar-and-favorites-list-ieak11.md)
          • [Before you install your package over your network using IEAK 11](prep-network-install-with-ieak11.md)
          • [Set up auto detection for DHCP or DNS servers using IEAK 11](auto-detection-dhcp-or-dns-servers-ieak11.md)
          • [Register an uninstall app for custom components using IEAK 11](register-uninstall-app-ieak11.md)
          • [Add and approve ActiveX controls using the IEAK 11](add-and-approve-activex-controls-ieak11.md)
          • [Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options](ieak11-wizard-custom-options.md)
          • [Security features and IEAK 11](security-and-ieak11.md)
          | -|Run the Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard |
          • [Use the File Locations page in the IEAK 11 Wizard](file-locations-ieak11-wizard.md)
          • [Use the Platform Selection page in the IEAK 11 Wizard](platform-selection-ieak11-wizard.md)
          • [Use the Language Selection page in the IEAK 11 Wizard](language-selection-ieak11-wizard.md)
          • [Use the Package Type Selection page in the IEAK 11 Wizard](pkg-type-selection-ieak11-wizard.md)
          • [Use the Feature Selection page in the IEAK 11 Wizard](feature-selection-ieak11-wizard.md)
          • [Use the Automatic Version Synchronization page in the IEAK 11 Wizard](auto-version-sync-ieak11-wizard.md)
          • [Use the Custom Components page in the IEAK 11 Wizard](custom-components-ieak11-wizard.md)
          • [Use the Internal Install page in the IEAK 11 Wizard](internal-install-ieak11-wizard.md)
          • [Use the User Experience page in the IEAK 11 Wizard](user-experience-ieak11-wizard.md)
          • [Use the Browser User Interface page in the IEAK 11 Wizard](browser-ui-ieak11-wizard.md)
          • [Use the Search Providers page in the IEAK 11 Wizard](search-providers-ieak11-wizard.md)
          • [Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard](important-urls-home-page-and-support-ieak11-wizard.md)
          • [Use the Accelerators page in the IEAK 11 Wizard](accelerators-ieak11-wizard.md)
          • [Use the Favorites, Favorites Bar, and Feeds page in the IEAK 11 Wizard](favorites-favoritesbar-and-feeds-ieak11-wizard.md)
          • [Use the Browsing Options page in the IEAK 11 Wizard](browsing-options-ieak11-wizard.md)
          • [Use the First Run Wizard and Welcome Page Options page in the IEAK 11 Wizard](first-run-and-welcome-page-ieak11-wizard.md)
          • [Use the Compatibility View page in the IEAK 11 Wizard](compat-view-ieak11-wizard.md)
          • [Use the Connection Manager page in the IEAK 11 Wizard](connection-mgr-ieak11-wizard.md)
          • [Use the Connection Settings page in the IEAK 11 Wizard](connection-settings-ieak11-wizard.md)
          • [Use the Automatic Configuration page in the IEAK 11 Wizard](auto-config-ieak11-wizard.md)
          • [Use the Proxy Settings page in the IEAK 11 Wizard](proxy-settings-ieak11-wizard.md)
          • [Use the Security and Privacy Settings page in the IEAK 11 Wizard](security-and-privacy-settings-ieak11-wizard.md)
          • [Use the Add a Root Certificate page in the IEAK 11 Wizard](add-root-certificate-ieak11-wizard.md)
          • [Use the Programs page in the IEAK 11 Wizard](programs-ieak11-wizard.md)
          • [Use the Additional Settings page in the IEAK 11 Wizard](additional-settings-ieak11-wizard.md)
          • [Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard](wizard-complete-ieak11-wizard.md)
          | -|Review your policy settings and create multiple versions of your install package. |
          • [Create multiple versions of your custom package using IEAK 11](create-multiple-browser-packages-ieak11.md)
          • [Use the RSoP snap-in to review policy settings](rsop-snapin-for-policy-settings-ieak11.md)

            **Note**
            For deployment instructions, additional troubleshooting, and post-installation management, see the [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md)

          | -|Review the general IEAK Customization Wizard 11 information, which applies throughout the process. |
          • [Troubleshoot custom package and IEAK 11 problems](troubleshooting-custom-browser-pkg-ieak11.md)
          • [File types used or created by IEAK 11](file-types-ieak11.md)
          • [Customize Automatic Search using IEAK 11](customize-automatic-search-for-ie.md)
          • [Use the uninstallation .INF files to uninstall custom components](create-uninstall-inf-files-for-custom-components.md)
          • [Using Internet Settings (.INS) files with IEAK 11](using-internet-settings-ins-files.md)
          • [Use proxy auto-configuration (.pac) files with IEAK 11](proxy-auto-config-examples.md)
          • [IExpress Wizard for Windows Server 2008 R2 with SP1](iexpress-wizard-for-win-server.md)
          | - +--- +ms.localizationpriority: medium +ms.mktglfcycl: plan +description: Review this list of tasks and references before you create and deploy your Internet Explorer 11 custom install packages. +author: lomayor +ms.prod: ie11 +ms.assetid: fe71c603-bf07-41e1-a477-ade5b28c9fb3 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Tasks and references to consider before creating and deploying custom packages using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Tasks and references to consider before creating and deploying custom packages using IEAK 11 +Review this list of tasks and references to help you use the Internet Explorer Administration Kit 11 (IEAK 11) to set up, deploy, and manage Internet Explorer 11 in your company. + +|Task |References | +|----------------------------------------|--------------------------------------------------------------| +|Review concepts and requirements, including info about the version and features you'll use. |
          • [Hardware and software requirements for IEAK 11](hardware-and-software-reqs-ieak11.md)
          • [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md)
          • [Before you start using IEAK 11](before-you-create-custom-pkgs-ieak11.md)
          | +|Prep your environment and get all of the info you'll need for running IEAK 11 |
          • [Create the build computer folder structure using IEAK 11](create-build-folder-structure-ieak11.md)
          • [Customize the Toolbar button and Favorites List icons using IEAK 11](guidelines-toolbar-and-favorites-list-ieak11.md)
          • [Before you install your package over your network using IEAK 11](prep-network-install-with-ieak11.md)
          • [Set up auto detection for DHCP or DNS servers using IEAK 11](auto-detection-dhcp-or-dns-servers-ieak11.md)
          • [Register an uninstall app for custom components using IEAK 11](register-uninstall-app-ieak11.md)
          • [Add and approve ActiveX controls using the IEAK 11](add-and-approve-activex-controls-ieak11.md)
          • [Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options](ieak11-wizard-custom-options.md)
          • [Security features and IEAK 11](security-and-ieak11.md)
          | +|Run the Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard |
          • [Use the File Locations page in the IEAK 11 Wizard](file-locations-ieak11-wizard.md)
          • [Use the Platform Selection page in the IEAK 11 Wizard](platform-selection-ieak11-wizard.md)
          • [Use the Language Selection page in the IEAK 11 Wizard](language-selection-ieak11-wizard.md)
          • [Use the Package Type Selection page in the IEAK 11 Wizard](pkg-type-selection-ieak11-wizard.md)
          • [Use the Feature Selection page in the IEAK 11 Wizard](feature-selection-ieak11-wizard.md)
          • [Use the Automatic Version Synchronization page in the IEAK 11 Wizard](auto-version-sync-ieak11-wizard.md)
          • [Use the Custom Components page in the IEAK 11 Wizard](custom-components-ieak11-wizard.md)
          • [Use the Internal Install page in the IEAK 11 Wizard](internal-install-ieak11-wizard.md)
          • [Use the User Experience page in the IEAK 11 Wizard](user-experience-ieak11-wizard.md)
          • [Use the Browser User Interface page in the IEAK 11 Wizard](browser-ui-ieak11-wizard.md)
          • [Use the Search Providers page in the IEAK 11 Wizard](search-providers-ieak11-wizard.md)
          • [Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard](important-urls-home-page-and-support-ieak11-wizard.md)
          • [Use the Accelerators page in the IEAK 11 Wizard](accelerators-ieak11-wizard.md)
          • [Use the Favorites, Favorites Bar, and Feeds page in the IEAK 11 Wizard](favorites-favoritesbar-and-feeds-ieak11-wizard.md)
          • [Use the Browsing Options page in the IEAK 11 Wizard](browsing-options-ieak11-wizard.md)
          • [Use the First Run Wizard and Welcome Page Options page in the IEAK 11 Wizard](first-run-and-welcome-page-ieak11-wizard.md)
          • [Use the Compatibility View page in the IEAK 11 Wizard](compat-view-ieak11-wizard.md)
          • [Use the Connection Manager page in the IEAK 11 Wizard](connection-mgr-ieak11-wizard.md)
          • [Use the Connection Settings page in the IEAK 11 Wizard](connection-settings-ieak11-wizard.md)
          • [Use the Automatic Configuration page in the IEAK 11 Wizard](auto-config-ieak11-wizard.md)
          • [Use the Proxy Settings page in the IEAK 11 Wizard](proxy-settings-ieak11-wizard.md)
          • [Use the Security and Privacy Settings page in the IEAK 11 Wizard](security-and-privacy-settings-ieak11-wizard.md)
          • [Use the Add a Root Certificate page in the IEAK 11 Wizard](add-root-certificate-ieak11-wizard.md)
          • [Use the Programs page in the IEAK 11 Wizard](programs-ieak11-wizard.md)
          • [Use the Additional Settings page in the IEAK 11 Wizard](additional-settings-ieak11-wizard.md)
          • [Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard](wizard-complete-ieak11-wizard.md)
          | +|Review your policy settings and create multiple versions of your install package. |
          • [Create multiple versions of your custom package using IEAK 11](create-multiple-browser-packages-ieak11.md)
          • [Use the RSoP snap-in to review policy settings](rsop-snapin-for-policy-settings-ieak11.md)

            **Note**
            For deployment instructions, additional troubleshooting, and post-installation management, see the [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md)

          | +|Review the general IEAK Customization Wizard 11 information, which applies throughout the process. |
          • [Troubleshoot custom package and IEAK 11 problems](troubleshooting-custom-browser-pkg-ieak11.md)
          • [File types used or created by IEAK 11](file-types-ieak11.md)
          • [Customize Automatic Search using IEAK 11](customize-automatic-search-for-ie.md)
          • [Use the uninstallation .INF files to uninstall custom components](create-uninstall-inf-files-for-custom-components.md)
          • [Using Internet Settings (.INS) files with IEAK 11](using-internet-settings-ins-files.md)
          • [Use proxy auto-configuration (.pac) files with IEAK 11](proxy-auto-config-examples.md)
          • [IExpress Wizard for Windows Server 2008 R2 with SP1](iexpress-wizard-for-win-server.md)
          | + diff --git a/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md index 205ced6016..896d25732d 100644 --- a/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md @@ -1,38 +1,38 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Steps to create multiple versions of your custom browser if you support more than 1 version of Windows, more than 1 language, or have different features in each package. -author: lomayor -ms.prod: ie11 -ms.assetid: 4c5f3503-8c69-4691-ae97-1523091ab333 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Create multiple versions of your custom package using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Create multiple versions of your custom package using IEAK 11 -You'll need to create multiple versions of your custom browser package if: - -- You support more than 1 version of the Windows operating system. - -- You support more than 1 language. - -- You have custom installation packages with only minor differences. For example, having a different phone number or a different set of URLs in the **Favorites** folder. - -The Internet Explorer Customization Wizard 11 stores your original settings in the Install.ins file and will show them each time you re-open the wizard. For more info about .ins files, see [Using Internet Settings (.INS) files with IEAK 11](using-internet-settings-ins-files.md). - -**To create multiple versions of your browser package** - -1. Use the Internet Explorer Customization Wizard 11 to create a custom browser package. For more info about how to run the wizard, start with the [Use the File Locations page in the IEAK 11 Wizard](file-locations-ieak11-wizard.md) topic. - -2. Go to the Cie\Custom folder and rename the Install.ins file to a name that reflects the version. Like, if you need a version for your employees in Texas, you could name the file Texas.ins. - -3. Run the wizard again, choosing the newly renamed folder as the destination directory for your output files.

          -**Important**
          Except for the **Title bar** text, **Favorites**, **Links bar**, **Home** page, and **Search bar**, we recommend that you keep all of your wizard settings the same for all of your build computers. - -4. Repeat this process until you’ve created a package for each version of your custom installation package. - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Steps to create multiple versions of your custom browser if you support more than 1 version of Windows, more than 1 language, or have different features in each package. +author: lomayor +ms.prod: ie11 +ms.assetid: 4c5f3503-8c69-4691-ae97-1523091ab333 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Create multiple versions of your custom package using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Create multiple versions of your custom package using IEAK 11 +You'll need to create multiple versions of your custom browser package if: + +- You support more than 1 version of the Windows operating system. + +- You support more than 1 language. + +- You have custom installation packages with only minor differences. For example, having a different phone number or a different set of URLs in the **Favorites** folder. + +The Internet Explorer Customization Wizard 11 stores your original settings in the Install.ins file and will show them each time you re-open the wizard. For more info about .ins files, see [Using Internet Settings (.INS) files with IEAK 11](using-internet-settings-ins-files.md). + +**To create multiple versions of your browser package** + +1. Use the Internet Explorer Customization Wizard 11 to create a custom browser package. For more info about how to run the wizard, start with the [Use the File Locations page in the IEAK 11 Wizard](file-locations-ieak11-wizard.md) topic. + +2. Go to the Cie\Custom folder and rename the Install.ins file to a name that reflects the version. Like, if you need a version for your employees in Texas, you could name the file Texas.ins. + +3. Run the wizard again, choosing the newly renamed folder as the destination directory for your output files.

          +**Important**
          Except for the **Title bar** text, **Favorites**, **Links bar**, **Home** page, and **Search bar**, we recommend that you keep all of your wizard settings the same for all of your build computers. + +4. Repeat this process until you’ve created a package for each version of your custom installation package. + diff --git a/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md b/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md index 70feb9ac8a..a74479dce6 100644 --- a/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md +++ b/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md @@ -1,29 +1,29 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Use Setup information (.inf) files to uninstall custom components from your custom browser packages. -author: lomayor -ms.prod: ie11 -ms.assetid: 8257aa41-58de-4339-81dd-9f2ffcc10a08 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use Setup information (.inf) files to uninstall custom components (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use uninstallation .INF files to uninstall custom components -The Internet Explorer Administration Kit 11 (IEAK 11) uses Setup information (.inf) files to provide installation instructions for your custom browser packages. You can also use this file to uninstall your custom components by removing the files, registry entries, and shortcuts, and adding your custom component to the list of programs that can be uninstalled from **Uninstall or change a program**. - -**To uninstall your custom components** - -1. Open the Registry Editor and add a new key and value to:
          `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\app-name,"DisplayName",,"description"`

          -Where *description* is the string that’s shown in the **Uninstall or change a program** box. - -2. Add another new key and value to:
          `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\app-name,"UninstallString”",,"command-line"`

          -Where *command-line* is the command that’s run when the component is picked from the **Uninstall or change a program** box. - -Your uninstall script must also remove your key from under the **Uninstall** registry key, so that your component no longer appears in the **Uninstall or change a program** after uninstallation. You can also run just a section of an .inf file by using the Setupx.dll InstallHinfSection entry point. To make this work, your installation script must copy the .inf file to the Windows\Inf folder for your custom component. - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Use Setup information (.inf) files to uninstall custom components from your custom browser packages. +author: lomayor +ms.prod: ie11 +ms.assetid: 8257aa41-58de-4339-81dd-9f2ffcc10a08 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use Setup information (.inf) files to uninstall custom components (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use uninstallation .INF files to uninstall custom components +The Internet Explorer Administration Kit 11 (IEAK 11) uses Setup information (.inf) files to provide installation instructions for your custom browser packages. You can also use this file to uninstall your custom components by removing the files, registry entries, and shortcuts, and adding your custom component to the list of programs that can be uninstalled from **Uninstall or change a program**. + +**To uninstall your custom components** + +1. Open the Registry Editor and add a new key and value to:
          `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\app-name,"DisplayName",,"description"`

          +Where *description* is the string that’s shown in the **Uninstall or change a program** box. + +2. Add another new key and value to:
          `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\app-name,"UninstallString”",,"command-line"`

          +Where *command-line* is the command that’s run when the component is picked from the **Uninstall or change a program** box. + +Your uninstall script must also remove your key from under the **Uninstall** registry key, so that your component no longer appears in the **Uninstall or change a program** after uninstallation. You can also run just a section of an .inf file by using the Setupx.dll InstallHinfSection entry point. To make this work, your installation script must copy the .inf file to the Windows\Inf folder for your custom component. + diff --git a/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md index 515a597c8f..faf527ba94 100644 --- a/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md @@ -1,60 +1,60 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Custom Components page in the IEAK 11 Customization Wizard to add additional components for your employees to install with IE. -author: lomayor -ms.prod: ie11 -ms.assetid: 38a2b90f-c324-4dc8-ad30-8cd3e3e901d7 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Custom Components page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Custom Components page in the IEAK 11 Wizard -The **Custom Components** page of the Internet Explorer Customization Wizard 11 lets you add up to 10 additional components that your employees can install at the same time they install IE. These components can be created by Microsoft or your organization as either compressed cabinet (.cab) or self-extracting executable (.exe) files. If you’re using Microsoft components, make sure you have the latest version and software patches from the [Microsoft Support](https://go.microsoft.com/fwlink/p/?LinkId=258658) site. To include Microsoft Update components, you must bundle the associated files into a custom component. - -**Important**
          You should sign any custom code that’s being downloaded over the Internet. The default settings of Internet Explorer 11 will automatically reject any unsigned code. For more info about digitally signing custom components, see [Security features and IEAK 11](security-and-ieak11.md). - -**To use the Custom Component page** - -1. Click **Add**.

          -The **Add a Custom Component** box appears. - -2. Type in the name of your component and then browse to the location of your file (either .cab or .exe). - -3. Pick when to install the component. This can be before IE, after IE, or after the computer restarts.

          -**Important**
          You should install your component before IE if you need to run a batch file to configure your employee settings. You should install your component after IE if you plan to install software updates.  - -4. Check the **Only install if IE is installed successfully** box if your component should only install if IE installs successfully. For example, if you’re installing a security update that requires IE. - -5. If your component is a .cab file, you must provide the extraction command into the **Command** box. - -6. If your component has its own globally unique identifier (GUID), replace the value in the **GUID** box. Otherwise, keep the automatically generated GUID. - -7. Describe your component using up to 511 characters in the **Description** box. - -8. Type any command-line options that need to run while installing your component into the **Parameters** box. For example, if you want your component to install silently, without prompts. For more info about using options, see [IExpress command-line options](iexpress-command-line-options.md). - -9. Type the value that Microsoft Update Setup uses to check that the component installed successfully into the **Uninstall Key** box. This check is done by comparing your value to the value in the `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ApplicationName` key. - -10. Type a numeric serial number for your component into the **Version** box, using this format: *xxxx*, *xxxxxx*, *xxxx*, *xxxx*. - -11. Click **Add**.

          -The boxes clear and you can add another component. Click **Cancel** to go back to the **Custom Components** page. - -12. Click **Edit** to change your custom component information, **Verify** to make sure the component is digitally signed, or **Remove** to delete the component from your custom installation package. - -13. Click **Next** to go to the [Internal Install](internal-install-ieak11-wizard.md) page or **Back** to go to the [Automatic Version Synchronization](auto-version-sync-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Custom Components page in the IEAK 11 Customization Wizard to add additional components for your employees to install with IE. +author: lomayor +ms.prod: ie11 +ms.assetid: 38a2b90f-c324-4dc8-ad30-8cd3e3e901d7 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Custom Components page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Custom Components page in the IEAK 11 Wizard +The **Custom Components** page of the Internet Explorer Customization Wizard 11 lets you add up to 10 additional components that your employees can install at the same time they install IE. These components can be created by Microsoft or your organization as either compressed cabinet (.cab) or self-extracting executable (.exe) files. If you’re using Microsoft components, make sure you have the latest version and software patches from the [Microsoft Support](https://go.microsoft.com/fwlink/p/?LinkId=258658) site. To include Microsoft Update components, you must bundle the associated files into a custom component. + +**Important**
          You should sign any custom code that’s being downloaded over the Internet. The default settings of Internet Explorer 11 will automatically reject any unsigned code. For more info about digitally signing custom components, see [Security features and IEAK 11](security-and-ieak11.md). + +**To use the Custom Component page** + +1. Click **Add**.

          +The **Add a Custom Component** box appears. + +2. Type in the name of your component and then browse to the location of your file (either .cab or .exe). + +3. Pick when to install the component. This can be before IE, after IE, or after the computer restarts.

          +**Important**
          You should install your component before IE if you need to run a batch file to configure your employee settings. You should install your component after IE if you plan to install software updates.  + +4. Check the **Only install if IE is installed successfully** box if your component should only install if IE installs successfully. For example, if you’re installing a security update that requires IE. + +5. If your component is a .cab file, you must provide the extraction command into the **Command** box. + +6. If your component has its own globally unique identifier (GUID), replace the value in the **GUID** box. Otherwise, keep the automatically generated GUID. + +7. Describe your component using up to 511 characters in the **Description** box. + +8. Type any command-line options that need to run while installing your component into the **Parameters** box. For example, if you want your component to install silently, without prompts. For more info about using options, see [IExpress command-line options](iexpress-command-line-options.md). + +9. Type the value that Microsoft Update Setup uses to check that the component installed successfully into the **Uninstall Key** box. This check is done by comparing your value to the value in the `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ApplicationName` key. + +10. Type a numeric serial number for your component into the **Version** box, using this format: *xxxx*, *xxxxxx*, *xxxx*, *xxxx*. + +11. Click **Add**.

          +The boxes clear and you can add another component. Click **Cancel** to go back to the **Custom Components** page. + +12. Click **Edit** to change your custom component information, **Verify** to make sure the component is digitally signed, or **Remove** to delete the component from your custom installation package. + +13. Click **Next** to go to the [Internal Install](internal-install-ieak11-wizard.md) page or **Back** to go to the [Automatic Version Synchronization](auto-version-sync-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md index ecca772d78..b40640dffa 100644 --- a/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md @@ -1,24 +1,24 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: plan -description: Use the \[CustomBranding\] .INS file setting to specify the location of your branding cabinet (.cab) file. -author: lomayor -ms.prod: ie11 -ms.assetid: 9c74e239-65c5-4aa5-812f-e0ed80c5c2b0 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the CustomBranding .INS file to create custom branding and setup info (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the CustomBranding .INS file to create custom branding and setup info -Provide the URL to your branding cabinet (.cab) file. - - -| Name | Value | Description | -|----------|------------------|------------------------------------------------------------------------------------------------------------------------| -| Branding | `` | The location of your branding cabinet (.cab) file. For example, https://www.<your_server>.net/cabs/branding.cab. | - +--- +ms.localizationpriority: medium +ms.mktglfcycl: plan +description: Use the \[CustomBranding\] .INS file setting to specify the location of your branding cabinet (.cab) file. +author: lomayor +ms.prod: ie11 +ms.assetid: 9c74e239-65c5-4aa5-812f-e0ed80c5c2b0 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the CustomBranding .INS file to create custom branding and setup info (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the CustomBranding .INS file to create custom branding and setup info +Provide the URL to your branding cabinet (.cab) file. + + +| Name | Value | Description | +|----------|------------------|------------------------------------------------------------------------------------------------------------------------| +| Branding | `` | The location of your branding cabinet (.cab) file. For example, https://www.<your_server>.net/cabs/branding.cab. | + diff --git a/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md b/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md index 20a747a5db..5f3eac4aaa 100644 --- a/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md +++ b/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md @@ -1,103 +1,103 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: manage -description: Customize Automatic Search in Internet Explorer so that your employees can type a single word into the Address box to search for frequently used pages. -author: lomayor -ms.prod: ie11 -ms.assetid: 694e2f92-5e08-49dc-b83f-677d61fa918a -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Customize Automatic Search using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Customize Automatic Search for Internet Explorer using IEAK 11 -Internet Explorer lets websites advertise any search provider that uses the open search standard described at the A9 website ( [OpenSearch 1.1 Draft 5](https://go.microsoft.com/fwlink/p/?LinkId=208582)). When IE detects new search providers, the **Search** box becomes active and adds the new providers to the drop-down list of providers. - -Using the **Administrative Templates** section of Group Policy, you can prevent the search box from appearing, you can add a list of acceptable search providers, or you can restrict your employee’s ability to add or remove search providers. - -## Automatic Search Configuration -You can customize Automatic Search so that your employees can type a single word into the **Address** box to search for frequently used pages. For example, you can let a commonly used webpage about invoices appear if an employee types *invoice* into the **Address** box, even if the URL doesn’t include the term. If a website can’t be associated with the term, or if there are multiple matches, a webpage appears showing the top search results. - -**To set up Automatic Search** - -1. Create a script (.asp) file that conditionally looks for search terms, and post it to an intranet server here: https://ieautosearch/response.asp?MT=%1&srch=%2.

          - For info about the acceptable values for the *%1* and *%2* parameters, see the [Automatic Search parameters](#automatic-search-parameters). For an example of the script file, see the [Sample Automatic Search script](#sample-automatic-search-script).

          - **Important**
          If you aren’t using IIS in your company, you’ll need to remap this URL to your script file’s location. - -2. On the **Additional Settings** page of the IEAK 11, click **Internet Settings**, and then click **Advanced Settings**. - -3. Go to the section labeled **Searching** and type *intranet* into the **Search Provider Keyword** box. - -**To redirect to a different site than the one provided by the search results** - -- In the **Advanced Settings** section, go to the section labeled **Searching** and change the **When searching from the address bar** setting to **Just go to the most likely site**. - -**To disable Automatic Search** - -- In the **Advanced Settings** section, go to the section labeled **Searching** and change the **When searching from the address bar** setting to **Do not search from the address bar**. - -### Automatic Search parameters -You must replace the Automatic Search script file parameters, *%1* and *%2* so they’re part of the actual URL. - -|Parameter |Value | -|----------|--------------------------------------------------------| -|1% |The text string typed by an employee into the **Address** bar. | -|2% |The type of search chosen by an employee. This can include:

          • **3.** Display the results and go to the most likely site.
          • **2.** Go to the most likely site.
          • **1.** Display the results in the main window.
          • **0.** Don't search from the **Address** box.
          | - -### Sample Automatic Search script -This is a VBScript-based sample of an .asp Automatic Search script. - -``` -<%@ Language=VBScript %> -<% -' search holds the words typed in the Address bar -' by the user, without the "go" or -' "find" or any delimiters like -' "+" for spaces. -' If the user typed -' "Apple pie," search = "Apple pie." -' If the user typed -' "find Apple pie," search = "Apple pie." - -search = Request.QueryString("MT") -search = UCase(search) -searchOption = Request.QueryString("srch") - -' This is a simple if/then/else -' to redirect the browser to the site -' of your choice based on what the -' user typed. -' Example: expense report is an intranet page -' about filling out an expense report - -if (search = "NEW HIRE") then -Response.Redirect("https://admin/hr/newhireforms.htm") -elseif (search = "LIBRARY CATALOG") then -Response.Redirect("https://library/catalog") -elseif (search = "EXPENSE REPORT") then -Response.Redirect("https://expense") -elseif (search = "LUNCH MENU") then -Response.Redirect("https://cafe/menu/") -else - -' If there is not a match, use the -' default IE autosearch server -Response.Redirect("https://auto.search.msn.com/response.asp?MT=" -+ search + "&srch=" + searchOption + -"&prov=&utf8") -end if -%> -``` - - - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: manage +description: Customize Automatic Search in Internet Explorer so that your employees can type a single word into the Address box to search for frequently used pages. +author: lomayor +ms.prod: ie11 +ms.assetid: 694e2f92-5e08-49dc-b83f-677d61fa918a +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Customize Automatic Search using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Customize Automatic Search for Internet Explorer using IEAK 11 +Internet Explorer lets websites advertise any search provider that uses the open search standard described at the A9 website ( [OpenSearch 1.1 Draft 5](https://go.microsoft.com/fwlink/p/?LinkId=208582)). When IE detects new search providers, the **Search** box becomes active and adds the new providers to the drop-down list of providers. + +Using the **Administrative Templates** section of Group Policy, you can prevent the search box from appearing, you can add a list of acceptable search providers, or you can restrict your employee’s ability to add or remove search providers. + +## Automatic Search Configuration +You can customize Automatic Search so that your employees can type a single word into the **Address** box to search for frequently used pages. For example, you can let a commonly used webpage about invoices appear if an employee types *invoice* into the **Address** box, even if the URL doesn’t include the term. If a website can’t be associated with the term, or if there are multiple matches, a webpage appears showing the top search results. + +**To set up Automatic Search** + +1. Create a script (.asp) file that conditionally looks for search terms, and post it to an intranet server here: https://ieautosearch/response.asp?MT=%1&srch=%2.

          + For info about the acceptable values for the *%1* and *%2* parameters, see the [Automatic Search parameters](#automatic-search-parameters). For an example of the script file, see the [Sample Automatic Search script](#sample-automatic-search-script).

          + **Important**
          If you aren’t using IIS in your company, you’ll need to remap this URL to your script file’s location. + +2. On the **Additional Settings** page of the IEAK 11, click **Internet Settings**, and then click **Advanced Settings**. + +3. Go to the section labeled **Searching** and type *intranet* into the **Search Provider Keyword** box. + +**To redirect to a different site than the one provided by the search results** + +- In the **Advanced Settings** section, go to the section labeled **Searching** and change the **When searching from the address bar** setting to **Just go to the most likely site**. + +**To disable Automatic Search** + +- In the **Advanced Settings** section, go to the section labeled **Searching** and change the **When searching from the address bar** setting to **Do not search from the address bar**. + +### Automatic Search parameters +You must replace the Automatic Search script file parameters, *%1* and *%2* so they’re part of the actual URL. + +|Parameter |Value | +|----------|--------------------------------------------------------| +|1% |The text string typed by an employee into the **Address** bar. | +|2% |The type of search chosen by an employee. This can include:

          • **3.** Display the results and go to the most likely site.
          • **2.** Go to the most likely site.
          • **1.** Display the results in the main window.
          • **0.** Don't search from the **Address** box.
          | + +### Sample Automatic Search script +This is a VBScript-based sample of an .asp Automatic Search script. + +``` +<%@ Language=VBScript %> +<% +' search holds the words typed in the Address bar +' by the user, without the "go" or +' "find" or any delimiters like +' "+" for spaces. +' If the user typed +' "Apple pie," search = "Apple pie." +' If the user typed +' "find Apple pie," search = "Apple pie." + +search = Request.QueryString("MT") +search = UCase(search) +searchOption = Request.QueryString("srch") + +' This is a simple if/then/else +' to redirect the browser to the site +' of your choice based on what the +' user typed. +' Example: expense report is an intranet page +' about filling out an expense report + +if (search = "NEW HIRE") then +Response.Redirect("https://admin/hr/newhireforms.htm") +elseif (search = "LIBRARY CATALOG") then +Response.Redirect("https://library/catalog") +elseif (search = "EXPENSE REPORT") then +Response.Redirect("https://expense") +elseif (search = "LUNCH MENU") then +Response.Redirect("https://cafe/menu/") +else + +' If there is not a match, use the +' default IE autosearch server +Response.Redirect("https://auto.search.msn.com/response.asp?MT=" ++ search + "&srch=" + searchOption + +"&prov=&utf8") +end if +%> +``` + + + + + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md index c1eb4899a4..d3bee115a5 100644 --- a/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md @@ -1,28 +1,28 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Use the \[ExtRegInf\] .INS file setting to specify your Setup information (.inf) files and the installation mode for your custom components. -author: lomayor -ms.prod: ie11 -ms.assetid: 53148422-d784-44dc-811d-ef814b86a4c6 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the ExtRegInf .INS file to specify your installation files and mode (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the ExtRegInf .INS file to specify installation files and mode -Info about how to specify your Setup information (.inf) files and the installation mode for your custom components. - -|Name |Value |Description | -|-----------|---------|------------------------------------------------------------------------------------------------------------------| -|Chat |*string* |The name of the .inf file and the install mode for components. For example, *,chat.inf,DefaultInstall. | -|Conf |*string* |The name of the .inf file and the install mode for components. For example, *,conf.inf,DefaultInstall. | -|Inetres |*string* |The name of the .inf file and the install mode for components. For example, *,inetres.inf,DefaultInstall. | -|Inetset |*string* |The name of the .inf file and the install mode for components. For example, *,inetset.inf,DefaultInstall. | -|Subs |*string* |The name of the .inf file and the install mode for components. For example, *,subs.inf,DefaultInstall. | -|ConnectionSettings |*string* |The name of the .inf file and the install mode for components. For example, *,connect.inf,DefaultInstall. | - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Use the \[ExtRegInf\] .INS file setting to specify your Setup information (.inf) files and the installation mode for your custom components. +author: lomayor +ms.prod: ie11 +ms.assetid: 53148422-d784-44dc-811d-ef814b86a4c6 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the ExtRegInf .INS file to specify your installation files and mode (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the ExtRegInf .INS file to specify installation files and mode +Info about how to specify your Setup information (.inf) files and the installation mode for your custom components. + +|Name |Value |Description | +|-----------|---------|------------------------------------------------------------------------------------------------------------------| +|Chat |*string* |The name of the .inf file and the install mode for components. For example, *,chat.inf,DefaultInstall. | +|Conf |*string* |The name of the .inf file and the install mode for components. For example, *,conf.inf,DefaultInstall. | +|Inetres |*string* |The name of the .inf file and the install mode for components. For example, *,inetres.inf,DefaultInstall. | +|Inetset |*string* |The name of the .inf file and the install mode for components. For example, *,inetset.inf,DefaultInstall. | +|Subs |*string* |The name of the .inf file and the install mode for components. For example, *,subs.inf,DefaultInstall. | +|ConnectionSettings |*string* |The name of the .inf file and the install mode for components. For example, *,connect.inf,DefaultInstall. | + diff --git a/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md index eb28e056bb..e077a6fbed 100644 --- a/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md @@ -1,109 +1,109 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Favorites, Favorites Bar, and Feeds page in IEAK 11 Customization Wizard to add links, web slices, and feeds to your custom browser package. -author: lomayor -ms.prod: ie11 -ms.assetid: 84afa831-5642-4b8f-b7df-212a53ec8fc7 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Favorites, Favorites Bar, and Feeds page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Favorites, Favorites Bar, and Feeds page in the IEAK 11 Wizard -The **Favorites, Favorites Bar, and Feeds** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you add: - -- **Links.** Used so your employees can quickly connect with your important websites. These links can appear in the **Links** folder or on the **Favorites Bar**. - -- **Web Slices.** Used so your employees can subscribe to a section of a webpage, tracking information as it changes, such as for weather reports, stock prices, or the progress of an auction item. - -- **Feeds.** Used so your employees can quickly access your recommended RSS feeds. While you can’t import a folder of RSS feeds, you can add new links. - -Although we provide default items in the **Favorites, Favorites Bar, and Feeds** area, you can remove any of the items, add more items, or add new folders and links as part of your custom package. The customizations you make on this page only apply to Internet Explorer for the desktop. - -**To work with Favorites** - -1. To import your existing folder of links, pick **Favorites**, and then click **Import**. - -2. Go to your existing link folder, most likely in the `\Users\\Favorites` folder, and then click **OK**.

          -The links are imported and added to the **Favorites, Favorites Bar, and Feeds** page, beneath the **Favorites** folder. - -3. To add a new favorite link, pick **Favorites**, and then click **Add URL**.

          -The **Details** box appears. - -4. Type the new link name in the **Name** box. - -5. Type the new URL in the **URL** box. - -6. Optionally, you can add a 16x16 pixel icon to your link by adding the location in the **Icon** box. - -7. Click **OK**. - -8. To add a new **Favorites** folder, pick **Favorites**, and then click **Add Folder**.

          -The **Details** box appears. - -9. Type the folder name into the **Name** box, and then click **OK**. - -10. Click **Edit** to change any of your new information, **Test URL** to test each of your links to make sure they go to the right place, or **Remove** to delete a **Favorites** item. - -11. If you have multiple **Favorites** links, you can update their order in the list. Check the **Add to the top of the list** box, click the link you want to move, and then click **Move Up** or **Move Down**. - -12. Check the **Disable IE Suggested Sites** box to disable the Suggested Sites feature. By turning this on, your employees won’t receive suggested sites based on the sites that they visit. - -13. Continue with the next procedures in this topic to add additional **Favorites Bar** or **RSS Feeds** links, or you can click **Next** to go to the [Browsing Options](browsing-options-ieak11-wizard.md) page or **Back** to go to the [Accelerators](accelerators-ieak11-wizard.md) page. - -**To work with the Favorites Bar** - -1. To import your existing folder of links, pick **Favorites Bar**, and then click **Import**. - -2. Go to your existing link folder, most likely in the `\Users\\Favorites\Favorites Bar` folder, and then click **OK**.

          -The links are imported and added to the **Favorites, Favorites Bar, and Feeds** page, beneath the **Favorites Bar** folder. - -3. To add a new link to the **Favorites Bar**, pick **Favorites Bar**, and then click **Add URL**.

          -The **Details** box appears. - -4. Type the new quick link name in the **Name** box. - -5. Type the new URL in the **URL** box. - -6. Optionally, you can add a 16x16 pixel icon to your link by adding the location in the **Icon** box. - -7. Pick whether your link is a simple **Link**, a **Feed**, or a **Web Slice**, and then click **OK**. - -8. Click **Edit** to change any of your new information, **Test URL** to test each of your links to make sure they go to the right place, or **Remove** to delete a **Favorites Bar** item. - -9. If you have multiple **Favorites Bar** links, you can update their order in the list. Check the **Add to the top of the list** box, click the link you want to move, and then click **Move Up** or **Move Down**. - -10. Check the **Disable IE Suggested Sites** box to disable the Suggested Sites feature. By turning this on, your employees won’t receive suggested sites based on the sites that they visit. - -11. Continue with the next procedures in this topic to add additional **Favorites** or **RSS Feeds** links, or you can click **Next** to go to the [Browsing Options](browsing-options-ieak11-wizard.md) page or **Back** to go to the [Accelerators](accelerators-ieak11-wizard.md) page. - -**To work with RSS Feeds** - -1. To add a new link to the **RSS Feeds**, pick **Favorites Bar**, and then click **Add URL**.

          -The **Details** box appears. - -2. Type the new link name in the **Name** box. - -3. Type the new URL in the **URL** box, and then click **OK**. - -4. Click **Edit** to change any of your new information, **Test URL** to test each of your links to make sure they go to the right place, or **Remove** to delete a **RSS Feeds** item. - -5. If you have multiple **RSS Feeds** links, you can update their order in the list. Check the **Add to the top of the list** box, click the link you want to move, and then click **Move Up** or **Move Down**. - -6. Check the **Disable IE Suggested Sites** box to disable the Suggested Sites feature. By turning this on, your employees won’t receive suggested sites based on the sites that they visit. - -7. Continue with the next procedures in this topic to add additional **Favorites** or **Favorites Bar** links, or you can click **Next** to go to the [Browsing Options](browsing-options-ieak11-wizard.md) page or **Back** to go to the [Accelerators](accelerators-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Favorites, Favorites Bar, and Feeds page in IEAK 11 Customization Wizard to add links, web slices, and feeds to your custom browser package. +author: lomayor +ms.prod: ie11 +ms.assetid: 84afa831-5642-4b8f-b7df-212a53ec8fc7 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Favorites, Favorites Bar, and Feeds page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Favorites, Favorites Bar, and Feeds page in the IEAK 11 Wizard +The **Favorites, Favorites Bar, and Feeds** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you add: + +- **Links.** Used so your employees can quickly connect with your important websites. These links can appear in the **Links** folder or on the **Favorites Bar**. + +- **Web Slices.** Used so your employees can subscribe to a section of a webpage, tracking information as it changes, such as for weather reports, stock prices, or the progress of an auction item. + +- **Feeds.** Used so your employees can quickly access your recommended RSS feeds. While you can’t import a folder of RSS feeds, you can add new links. + +Although we provide default items in the **Favorites, Favorites Bar, and Feeds** area, you can remove any of the items, add more items, or add new folders and links as part of your custom package. The customizations you make on this page only apply to Internet Explorer for the desktop. + +**To work with Favorites** + +1. To import your existing folder of links, pick **Favorites**, and then click **Import**. + +2. Go to your existing link folder, most likely in the `\Users\\Favorites` folder, and then click **OK**.

          +The links are imported and added to the **Favorites, Favorites Bar, and Feeds** page, beneath the **Favorites** folder. + +3. To add a new favorite link, pick **Favorites**, and then click **Add URL**.

          +The **Details** box appears. + +4. Type the new link name in the **Name** box. + +5. Type the new URL in the **URL** box. + +6. Optionally, you can add a 16x16 pixel icon to your link by adding the location in the **Icon** box. + +7. Click **OK**. + +8. To add a new **Favorites** folder, pick **Favorites**, and then click **Add Folder**.

          +The **Details** box appears. + +9. Type the folder name into the **Name** box, and then click **OK**. + +10. Click **Edit** to change any of your new information, **Test URL** to test each of your links to make sure they go to the right place, or **Remove** to delete a **Favorites** item. + +11. If you have multiple **Favorites** links, you can update their order in the list. Check the **Add to the top of the list** box, click the link you want to move, and then click **Move Up** or **Move Down**. + +12. Check the **Disable IE Suggested Sites** box to disable the Suggested Sites feature. By turning this on, your employees won’t receive suggested sites based on the sites that they visit. + +13. Continue with the next procedures in this topic to add additional **Favorites Bar** or **RSS Feeds** links, or you can click **Next** to go to the [Browsing Options](browsing-options-ieak11-wizard.md) page or **Back** to go to the [Accelerators](accelerators-ieak11-wizard.md) page. + +**To work with the Favorites Bar** + +1. To import your existing folder of links, pick **Favorites Bar**, and then click **Import**. + +2. Go to your existing link folder, most likely in the `\Users\\Favorites\Favorites Bar` folder, and then click **OK**.

          +The links are imported and added to the **Favorites, Favorites Bar, and Feeds** page, beneath the **Favorites Bar** folder. + +3. To add a new link to the **Favorites Bar**, pick **Favorites Bar**, and then click **Add URL**.

          +The **Details** box appears. + +4. Type the new quick link name in the **Name** box. + +5. Type the new URL in the **URL** box. + +6. Optionally, you can add a 16x16 pixel icon to your link by adding the location in the **Icon** box. + +7. Pick whether your link is a simple **Link**, a **Feed**, or a **Web Slice**, and then click **OK**. + +8. Click **Edit** to change any of your new information, **Test URL** to test each of your links to make sure they go to the right place, or **Remove** to delete a **Favorites Bar** item. + +9. If you have multiple **Favorites Bar** links, you can update their order in the list. Check the **Add to the top of the list** box, click the link you want to move, and then click **Move Up** or **Move Down**. + +10. Check the **Disable IE Suggested Sites** box to disable the Suggested Sites feature. By turning this on, your employees won’t receive suggested sites based on the sites that they visit. + +11. Continue with the next procedures in this topic to add additional **Favorites** or **RSS Feeds** links, or you can click **Next** to go to the [Browsing Options](browsing-options-ieak11-wizard.md) page or **Back** to go to the [Accelerators](accelerators-ieak11-wizard.md) page. + +**To work with RSS Feeds** + +1. To add a new link to the **RSS Feeds**, pick **Favorites Bar**, and then click **Add URL**.

          +The **Details** box appears. + +2. Type the new link name in the **Name** box. + +3. Type the new URL in the **URL** box, and then click **OK**. + +4. Click **Edit** to change any of your new information, **Test URL** to test each of your links to make sure they go to the right place, or **Remove** to delete a **RSS Feeds** item. + +5. If you have multiple **RSS Feeds** links, you can update their order in the list. Check the **Add to the top of the list** box, click the link you want to move, and then click **Move Up** or **Move Down**. + +6. Check the **Disable IE Suggested Sites** box to disable the Suggested Sites feature. By turning this on, your employees won’t receive suggested sites based on the sites that they visit. + +7. Continue with the next procedures in this topic to add additional **Favorites** or **Favorites Bar** links, or you can click **Next** to go to the [Browsing Options](browsing-options-ieak11-wizard.md) page or **Back** to go to the [Accelerators](accelerators-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md index 634f7bef2e..cd9cbf7a91 100644 --- a/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md @@ -1,26 +1,26 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Use the \[FavoritesEx\] .INS file setting to specify your Favorites icon file, whether Favorites is available offline, and your Favorites URLs. -author: lomayor -ms.prod: ie11 -ms.assetid: 55de376a-d442-478e-8978-3b064407b631 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the FavoritesEx .INS file for your Favorites icon and URLs (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the FavoritesEx .INS file for your Favorites icon and URLs -Info about where you store your **Favorites** icon file, whether your **Favorites** are available offline, and the URLs for each **Favorites** site. - -|Name |Value |Description | -|----------------|-----------------------|--------------------------------------------------------------------------| -|IconFile1 |`` |An icon (.ico file) that represents the **Favorites** item you’re adding. | -|Offline1 |

          • **0.** Makes the **Favorites** item unavailable for offline browsing.
          • **1.** Makes the **Favorites** item available for offline browsing.
          |Determines if the **Favorites** item is available for offline browsing. | -|Title1 |`` |Title for the **Favorites** item. | -|Url1 |`` |URL to the **Favorites** item. | - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Use the \[FavoritesEx\] .INS file setting to specify your Favorites icon file, whether Favorites is available offline, and your Favorites URLs. +author: lomayor +ms.prod: ie11 +ms.assetid: 55de376a-d442-478e-8978-3b064407b631 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the FavoritesEx .INS file for your Favorites icon and URLs (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the FavoritesEx .INS file for your Favorites icon and URLs +Info about where you store your **Favorites** icon file, whether your **Favorites** are available offline, and the URLs for each **Favorites** site. + +|Name |Value |Description | +|----------------|-----------------------|--------------------------------------------------------------------------| +|IconFile1 |`` |An icon (.ico file) that represents the **Favorites** item you’re adding. | +|Offline1 |
          • **0.** Makes the **Favorites** item unavailable for offline browsing.
          • **1.** Makes the **Favorites** item available for offline browsing.
          |Determines if the **Favorites** item is available for offline browsing. | +|Title1 |`` |Title for the **Favorites** item. | +|Url1 |`` |URL to the **Favorites** item. | + diff --git a/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md index 226ffcfaad..78294cd509 100644 --- a/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md @@ -1,64 +1,64 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Feature Selection page in the IEAK 11 Customization Wizard to choose which parts of the setup processes and Internet Explorer 11 to change for your company. -author: lomayor -ms.prod: ie11 -ms.assetid: 9cb8324e-d73b-41ba-ade9-3acc796e21d8 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Feature Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Feature Selection page in the IEAK 11 Wizard -The **Feature Selection** page of the Internet Explorer Customization Wizard 11 lets you choose which parts of the setup processes and Internet Explorer 11 to change for your company, including: - -- **Setup Customizations.** Lets you add custom components, decide which components to install, provide your download site information, and modify the Setup title bar and graphics. - -- **Internal Install.** Lets you decide to install the latest updates, run the malicious Software Removal Tool, and set IE11 as the default browser. - -- **Connection Manager.** Lets you import your Connection Manager Profiles, created by the Connection Manager Administration Kit (CMAK). - -- **Browser User Interface.** Lets you change the toolbar buttons, the title bar, and the general look of the browser. - -- **Search Providers.** Lets you add, remove, and pick a new default search provider for IE11. - -- **Important URLs – Home Page and Support.** Lets you choose multiple **Home** pages that open in different tabs in IE. You can also use this page to change the **Welcome** and **Online Support** pages. - -- **Accelerators.** Lets you import, add, edit, or remove Accelerators, the contextual services that give you quick access to external services from any webpage. - -- **Favorites, Favorites Bar, and Feeds.** Lets you pick which favorites, web slices, and feeds are installed with your custom installation package. - -- **Browsing Options.** Lets you pick how you delete items in the Favorites, Favorites Bar, and Feeds folders, and whether to add the Microsoft default items. - -- **Compatibility View.** Lets you decide whether IE renders content using compatibility mode or standards mode. - -- **Connections Customization.** Lets you set up and deploy custom connections. - -- **Security Zones and Content Ratings.** Lets you control what your employees can view and what’s downloaded to their computer. - -- **Programs.** Lets you pick the default program that’s used automatically by email, HTML, newsgroups, Internet calls, calendars, and contact lists. - -- **Additional Settings.** Lets you pre-set and lockdown specific functionality on your employee’s computer. - -**Note**
          Your choices on this page determine what wizard pages appear. - -**To use the Feature Selection page** - -1. Check the box next to each feature you want to include in your custom installation package.

          -You can also click **Select All** to add, or **Clear All** to remove, all of the features. - -2. Click **Next** to go to the [Automatic Version Synchronization](auto-version-sync-ieak11-wizard.md) page or **Back** to go to the [Package Type Selection](pkg-type-selection-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Feature Selection page in the IEAK 11 Customization Wizard to choose which parts of the setup processes and Internet Explorer 11 to change for your company. +author: lomayor +ms.prod: ie11 +ms.assetid: 9cb8324e-d73b-41ba-ade9-3acc796e21d8 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Feature Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Feature Selection page in the IEAK 11 Wizard +The **Feature Selection** page of the Internet Explorer Customization Wizard 11 lets you choose which parts of the setup processes and Internet Explorer 11 to change for your company, including: + +- **Setup Customizations.** Lets you add custom components, decide which components to install, provide your download site information, and modify the Setup title bar and graphics. + +- **Internal Install.** Lets you decide to install the latest updates, run the malicious Software Removal Tool, and set IE11 as the default browser. + +- **Connection Manager.** Lets you import your Connection Manager Profiles, created by the Connection Manager Administration Kit (CMAK). + +- **Browser User Interface.** Lets you change the toolbar buttons, the title bar, and the general look of the browser. + +- **Search Providers.** Lets you add, remove, and pick a new default search provider for IE11. + +- **Important URLs – Home Page and Support.** Lets you choose multiple **Home** pages that open in different tabs in IE. You can also use this page to change the **Welcome** and **Online Support** pages. + +- **Accelerators.** Lets you import, add, edit, or remove Accelerators, the contextual services that give you quick access to external services from any webpage. + +- **Favorites, Favorites Bar, and Feeds.** Lets you pick which favorites, web slices, and feeds are installed with your custom installation package. + +- **Browsing Options.** Lets you pick how you delete items in the Favorites, Favorites Bar, and Feeds folders, and whether to add the Microsoft default items. + +- **Compatibility View.** Lets you decide whether IE renders content using compatibility mode or standards mode. + +- **Connections Customization.** Lets you set up and deploy custom connections. + +- **Security Zones and Content Ratings.** Lets you control what your employees can view and what’s downloaded to their computer. + +- **Programs.** Lets you pick the default program that’s used automatically by email, HTML, newsgroups, Internet calls, calendars, and contact lists. + +- **Additional Settings.** Lets you pre-set and lockdown specific functionality on your employee’s computer. + +**Note**
          Your choices on this page determine what wizard pages appear. + +**To use the Feature Selection page** + +1. Check the box next to each feature you want to include in your custom installation package.

          +You can also click **Select All** to add, or **Clear All** to remove, all of the features. + +2. Click **Next** to go to the [Automatic Version Synchronization](auto-version-sync-ieak11-wizard.md) page or **Back** to go to the [Package Type Selection](pkg-type-selection-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md index 028e5960f1..2fa0b58cc8 100644 --- a/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md @@ -1,55 +1,55 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the File Locations page in the IEAK 11 Customization Wizard to change the location of your install package and IE11 folders. -author: lomayor -ms.prod: ie11 -ms.assetid: bd0620e1-0e07-4560-95ac-11888c2c389e -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the File Locations page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the File Locations page in the IEAK 11 Wizard -The **File Locations** page of the Internet Explorer Customization Wizard 11 lets you change the location of your folders, including: - -- Where you’ll create and store your custom installation package. - -- Where you’ll download and store Internet Explorer 11. - -**Important**
          -You can create a custom installation package on your hard drive and move it to an Internet or intranet server, or you can create it directly on a server. If you create the package on a web server that’s running from your hard drive, use the path to the web server as the destination folder location. Whatever location you choose, it must be protected by appropriate access control lists (ACLs). If the location is not protected, the custom package may be tampered with. - -**To use the File Locations page** - -1. Browse to the location where you’ll store your finished custom IE installation package and the related subfolders.

          -**Note**
          Subfolders are created for each language version, based on operating system and media type. For example, if your destination folder is `C:\Inetpub\Wwwroot\Cie\Dist`, then the English-language version is created as `C:\Inetpub\Wwwroot\Cie\Dist\Flat\Win32\En` subfolders. - -2. Click **Advanced Options**.

          -The **Advanced Options** box opens and lets you change how the wizard downloads and gets files, and how it imports settings from your .ins file. - -3. Check the box letting IE Customization Wizard 11 look for the latest components, using Automatic Version Synchronization.

          -This option lets the wizard connect to the IE **Downloads** page to look for updated versions of IE since you last ran the wizard.

          -**Important**
          -You must run Automatic Version Synchronization at least once to check for updated components. - -4. Browse to your .ins file location, and then click **Open**.

          -By importing settings from an .ins file, you can re-use existing configurations. This saves you time if your packages have the same or similar settings. - -5. Browse to your component download folder.

          -Automatic Version Synchronization automatically checks the component download folder to see if you have the latest version of IE. To keep this folder up-to-date, you shouldn’t change its location. However, if you want to keep both a previous version of IE and the latest version, we recommend you download the components to a different location. - -6. Click **OK** to close the **Advanced Options** box, and then click **Next** to go to the [Platform Selection](platform-selection-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the File Locations page in the IEAK 11 Customization Wizard to change the location of your install package and IE11 folders. +author: lomayor +ms.prod: ie11 +ms.assetid: bd0620e1-0e07-4560-95ac-11888c2c389e +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the File Locations page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the File Locations page in the IEAK 11 Wizard +The **File Locations** page of the Internet Explorer Customization Wizard 11 lets you change the location of your folders, including: + +- Where you’ll create and store your custom installation package. + +- Where you’ll download and store Internet Explorer 11. + +**Important**
          +You can create a custom installation package on your hard drive and move it to an Internet or intranet server, or you can create it directly on a server. If you create the package on a web server that’s running from your hard drive, use the path to the web server as the destination folder location. Whatever location you choose, it must be protected by appropriate access control lists (ACLs). If the location is not protected, the custom package may be tampered with. + +**To use the File Locations page** + +1. Browse to the location where you’ll store your finished custom IE installation package and the related subfolders.

          +**Note**
          Subfolders are created for each language version, based on operating system and media type. For example, if your destination folder is `C:\Inetpub\Wwwroot\Cie\Dist`, then the English-language version is created as `C:\Inetpub\Wwwroot\Cie\Dist\Flat\Win32\En` subfolders. + +2. Click **Advanced Options**.

          +The **Advanced Options** box opens and lets you change how the wizard downloads and gets files, and how it imports settings from your .ins file. + +3. Check the box letting IE Customization Wizard 11 look for the latest components, using Automatic Version Synchronization.

          +This option lets the wizard connect to the IE **Downloads** page to look for updated versions of IE since you last ran the wizard.

          +**Important**
          +You must run Automatic Version Synchronization at least once to check for updated components. + +4. Browse to your .ins file location, and then click **Open**.

          +By importing settings from an .ins file, you can re-use existing configurations. This saves you time if your packages have the same or similar settings. + +5. Browse to your component download folder.

          +Automatic Version Synchronization automatically checks the component download folder to see if you have the latest version of IE. To keep this folder up-to-date, you shouldn’t change its location. However, if you want to keep both a previous version of IE and the latest version, we recommend you download the components to a different location. + +6. Click **OK** to close the **Advanced Options** box, and then click **Next** to go to the [Platform Selection](platform-selection-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md b/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md index ff726343d3..5dd8eff9da 100644 --- a/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md @@ -1,37 +1,37 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: plan -description: Review the file types that are created and used by tools in the Internet Explorer Administration Kit 11 (IEAK 11). -author: lomayor -ms.prod: ie11 -ms.assetid: e5735074-3e9b-4a00-b1a7-b8fd8baca327 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: File types used or created by IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# File types used or created by IEAK 11 -A list of the file types used or created by tools in IEAK 11: - -|File type |Description | -|----------|-------------------------| -|.adm | An admin file (located at `:\Program Files\Windows IEAK 11\policies`), used by Group Policy to define the system policies and restrictions for Windows. You can use the IEAK 11 to change these settings. | -|.bat |An ASCII text file that contains a sequence of operating system commands, including the parameters and operators supported by the batch command language. When you run the batch file from a command prompt, the computer processes each command sequentially. | -|.bmp, .gif, .jpeg, and .jpg |Image files you can use to customize your toolbar button and favorites list icons. For info, see the [Customize the Toolbar button and Favorites List icons using IEAK 11](guidelines-toolbar-and-favorites-list-ieak11.md) page. | -|.cab |A compressed cabinet (.cab) file, created by the Internet Explorer Customization Wizard 11 to store your custom component files. We highly recommend that your .cab files be signed for security purposes. For more info, see the [Security features and IEAK 11](security-and-ieak11.md) page. | -|.cif |A component info file (IESetup.cif), identifying the new or updated components you're going to install with Internet Explorer. Each component file has an associated *ComponentID* that's used by Windows Update Setup to determine whether a new component or an update exists. | -|.cmp |Connection profile files that are created by the Connection Manager Administration Kit (CMAK). | -|.cms |Service provider files, created by the CMAK tool to specify the configuration of the phone book and many of the other functions of your service profiles. | -|.exe |Executable files that control the setup process, by installing the .cab files that install the custom browser package on your employee's devices. | -|.inf |Setup information files that provide installation instructions for your custom browser packages. For more info, see the [Use the uninstallation .INF files to uninstall custom components](create-uninstall-inf-files-for-custom-components.md) page. | -|.ins |Internet Settings files that specify how to configure your custom browser and its components. You can create multiple versions of your custom package by customizing copies of this file. For more info, see the [Using Internet Settings (.INS) files with IEAK 11](using-internet-settings-ins-files.md) page. | -|.pac |Proxy auto-configuration script files that determine whether to connect directly to a host or to use a proxy server. For more info, see the [Use the Automatic Configuration page in the IEAK 11 Wizard](auto-config-ieak11-wizard.md) page. | -|.js and .jvs |JScript and JavaScript files that let you configure and maintain your advanced proxy settings. For more info, see the [Use the Automatic Configuration page in the IEAK 11 Wizard](auto-config-ieak11-wizard.md) page. | -|.pvk |A file format used by some certification authorities to store the private key of the digital certificate. The public part of the digital certificate is stored in an SPC file, while the private part is stored in the PVK file. For more info, see the **Understanding certificates** section of the [Security features and IEAK 11](security-and-ieak11.md) page. | -|.sed |Connection profile files, created by the CMAK tool, including the instructions for building the self-extracting executable (.exe) file for your service profiles.

          **Important**
          You must never edit a .sed file. | -|.spc |The software publishing certificate file, which includes:

          • The name and other identifying information of the owner of the certificate.
          • The public key associated with the certificate.
          • The serial number.
          • The length of time the certificate is valid.
          • The digital signature of the certification authority that issued the certificate.
          | - +--- +ms.localizationpriority: medium +ms.mktglfcycl: plan +description: Review the file types that are created and used by tools in the Internet Explorer Administration Kit 11 (IEAK 11). +author: lomayor +ms.prod: ie11 +ms.assetid: e5735074-3e9b-4a00-b1a7-b8fd8baca327 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: File types used or created by IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# File types used or created by IEAK 11 +A list of the file types used or created by tools in IEAK 11: + +|File type |Description | +|----------|-------------------------| +|.adm | An admin file (located at `:\Program Files\Windows IEAK 11\policies`), used by Group Policy to define the system policies and restrictions for Windows. You can use the IEAK 11 to change these settings. | +|.bat |An ASCII text file that contains a sequence of operating system commands, including the parameters and operators supported by the batch command language. When you run the batch file from a command prompt, the computer processes each command sequentially. | +|.bmp, .gif, .jpeg, and .jpg |Image files you can use to customize your toolbar button and favorites list icons. For info, see the [Customize the Toolbar button and Favorites List icons using IEAK 11](guidelines-toolbar-and-favorites-list-ieak11.md) page. | +|.cab |A compressed cabinet (.cab) file, created by the Internet Explorer Customization Wizard 11 to store your custom component files. We highly recommend that your .cab files be signed for security purposes. For more info, see the [Security features and IEAK 11](security-and-ieak11.md) page. | +|.cif |A component info file (IESetup.cif), identifying the new or updated components you're going to install with Internet Explorer. Each component file has an associated *ComponentID* that's used by Windows Update Setup to determine whether a new component or an update exists. | +|.cmp |Connection profile files that are created by the Connection Manager Administration Kit (CMAK). | +|.cms |Service provider files, created by the CMAK tool to specify the configuration of the phone book and many of the other functions of your service profiles. | +|.exe |Executable files that control the setup process, by installing the .cab files that install the custom browser package on your employee's devices. | +|.inf |Setup information files that provide installation instructions for your custom browser packages. For more info, see the [Use the uninstallation .INF files to uninstall custom components](create-uninstall-inf-files-for-custom-components.md) page. | +|.ins |Internet Settings files that specify how to configure your custom browser and its components. You can create multiple versions of your custom package by customizing copies of this file. For more info, see the [Using Internet Settings (.INS) files with IEAK 11](using-internet-settings-ins-files.md) page. | +|.pac |Proxy auto-configuration script files that determine whether to connect directly to a host or to use a proxy server. For more info, see the [Use the Automatic Configuration page in the IEAK 11 Wizard](auto-config-ieak11-wizard.md) page. | +|.js and .jvs |JScript and JavaScript files that let you configure and maintain your advanced proxy settings. For more info, see the [Use the Automatic Configuration page in the IEAK 11 Wizard](auto-config-ieak11-wizard.md) page. | +|.pvk |A file format used by some certification authorities to store the private key of the digital certificate. The public part of the digital certificate is stored in an SPC file, while the private part is stored in the PVK file. For more info, see the **Understanding certificates** section of the [Security features and IEAK 11](security-and-ieak11.md) page. | +|.sed |Connection profile files, created by the CMAK tool, including the instructions for building the self-extracting executable (.exe) file for your service profiles.

          **Important**
          You must never edit a .sed file. | +|.spc |The software publishing certificate file, which includes:

          • The name and other identifying information of the owner of the certificate.
          • The public key associated with the certificate.
          • The serial number.
          • The length of time the certificate is valid.
          • The digital signature of the certification authority that issued the certificate.
          | + diff --git a/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md index 292da104da..68b255a273 100644 --- a/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md @@ -1,44 +1,44 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the First Run Wizard and Welcome Page Options page in the IEAK 11 Customization Wizard to set what your employee’s see the first time they log on to IE, based on their operating system. -author: lomayor -ms.prod: ie11 -ms.assetid: 85f856a6-b707-48a9-ba99-3a6e898276a9 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the First Run Wizard and Welcome Page Options page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the First Run Wizard and Welcome Page Options page in the IEAK 11 Wizard -The **First Run Wizard and Welcome Page Options** page of the Internet Explorer Customization Wizard 11 lets you decide what your employee’s see the first time they log on to IE, based on their operating system. - -- **Windows 8.1 Update and newer.** No longer includes a **Welcome** page, so if you pick the **Use Internet Explorer 11 Welcome Page** or the **Use a custom Welcome page** option, IEAK creates an initial **Home** page that loads before all other **Home** pages, as the first tab. This only applies to the Internet Explorer for the desktop. - -- **Windows 7 SP1.** You can disable the first run page for Windows 7 SP1 and then pick a custom **Welcome** page to show instead. If you don’t customize the settings on this page, your employees will see the default IE **Welcome** page. - -**To use the First Run Wizard and Welcome Page Options page** - -1. Check the **Use IE11 First Run wizard (recommended)** box to use the default First Run wizard in IE.

          -Clearing this box lets you use the IE11 **Welcome** page or your custom **Welcome** page. - -2. If you cleared the First Run wizard box, you can decide which **Welcome** page to use: - - - **Use IE11 Welcome Page.** Check this box if you want to use the default IE11 **Welcome** page. - - - **Use a custom Welcome Page.** Check this box if you want to use a custom **Welcome** page. If you choose this option, you need to add the URL to your custom page. - -3. Click **Next** to go to the [Compatibility View](compat-view-ieak11-wizard.md) page or **Back** to go to the [Browsing Options](browsing-options-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the First Run Wizard and Welcome Page Options page in the IEAK 11 Customization Wizard to set what your employee’s see the first time they log on to IE, based on their operating system. +author: lomayor +ms.prod: ie11 +ms.assetid: 85f856a6-b707-48a9-ba99-3a6e898276a9 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the First Run Wizard and Welcome Page Options page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the First Run Wizard and Welcome Page Options page in the IEAK 11 Wizard +The **First Run Wizard and Welcome Page Options** page of the Internet Explorer Customization Wizard 11 lets you decide what your employee’s see the first time they log on to IE, based on their operating system. + +- **Windows 8.1 Update and newer.** No longer includes a **Welcome** page, so if you pick the **Use Internet Explorer 11 Welcome Page** or the **Use a custom Welcome page** option, IEAK creates an initial **Home** page that loads before all other **Home** pages, as the first tab. This only applies to the Internet Explorer for the desktop. + +- **Windows 7 SP1.** You can disable the first run page for Windows 7 SP1 and then pick a custom **Welcome** page to show instead. If you don’t customize the settings on this page, your employees will see the default IE **Welcome** page. + +**To use the First Run Wizard and Welcome Page Options page** + +1. Check the **Use IE11 First Run wizard (recommended)** box to use the default First Run wizard in IE.

          +Clearing this box lets you use the IE11 **Welcome** page or your custom **Welcome** page. + +2. If you cleared the First Run wizard box, you can decide which **Welcome** page to use: + + - **Use IE11 Welcome Page.** Check this box if you want to use the default IE11 **Welcome** page. + + - **Use a custom Welcome Page.** Check this box if you want to use a custom **Welcome** page. If you choose this option, you need to add the URL to your custom page. + +3. Click **Next** to go to the [Compatibility View](compat-view-ieak11-wizard.md) page or **Back** to go to the [Browsing Options](browsing-options-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md b/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md index 10181210d7..d811730cee 100644 --- a/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md @@ -1,28 +1,28 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: plan -description: Customization guidelines for your Internet Explorer toolbar button and Favorites List icons. -author: lomayor -ms.prod: ie11 -ms.assetid: bddc8f23-9ac1-449d-ad71-f77f43ae3b5c -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Customize the toolbar button and Favorites List icons using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Customize the Toolbar button and Favorites List icons using IEAK 11 -Use these customization guidelines to change the browser toolbar button and the **Favorites List** icons, using your own branding and graphics. - -**Important**
          Check your license agreement to make sure this customization is available. - -|Graphic |Type and description | -|-----------------------|----------------------------------------------------------------------| -|Browser toolbar button |2 icon (.ico) files with color images for active and inactive states. | -|Favorites List icons |1 icon (.ico) file for each new URL. | - -Your icons must use the .ico file extension, no other image file extension works. - +--- +ms.localizationpriority: medium +ms.mktglfcycl: plan +description: Customization guidelines for your Internet Explorer toolbar button and Favorites List icons. +author: lomayor +ms.prod: ie11 +ms.assetid: bddc8f23-9ac1-449d-ad71-f77f43ae3b5c +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Customize the toolbar button and Favorites List icons using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Customize the Toolbar button and Favorites List icons using IEAK 11 +Use these customization guidelines to change the browser toolbar button and the **Favorites List** icons, using your own branding and graphics. + +**Important**
          Check your license agreement to make sure this customization is available. + +|Graphic |Type and description | +|-----------------------|----------------------------------------------------------------------| +|Browser toolbar button |2 icon (.ico) files with color images for active and inactive states. | +|Favorites List icons |1 icon (.ico) file for each new URL. | + +Your icons must use the .ico file extension, no other image file extension works. + diff --git a/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md b/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md index 1572c07bcb..59cb1d693e 100644 --- a/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md @@ -1,52 +1,52 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: plan -description: List of supported hardware and software requirements for Internet Explorer 11 and the Internet Explorer Administration Kit 11. -author: lomayor -ms.prod: ie11 -ms.assetid: c50b86dc-7184-43d1-8daf-e750eb88dabb -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Hardware and software requirements for Internet Explorer 11 and the IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Hardware and software requirements for Internet Explorer 11 and the IEAK 11 -Before you can use the Internet Explorer Administration Kit 11 and the Internet Explorer Customization Wizard 11, you must first install Internet Explorer 11. For more info about installing IE11, see the [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md) page. - -## Hardware requirements -Before you start the Internet Explorer Customization Wizard 11, you must check to see how much disk space you have on the drive you're going to use to build the IE11 install package. This drive can be on the same device as the one running the wizard; it just needs to have a secure destination folder. - -Before you start to create your install package, you must meet all of the [Internet Explorer 11 requirements](../ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md), plus: - -- Up to 100 megabytes (MB) of disk space, depending on how many components you include in the installation package. - -- An additional 100 MB of disk space for each custom installation package built. Different media types are considered separate packages. - -## Software requirements -The device you're going to use to build your install packages must be running Internet Explorer 11, on one of these operating systems: - -- Windows 10

          However, you must use the Windows 8.1 target platform and only the "Configuration-only package" is available. - -- Windows 8.1 - -- Windows Server 2012 R2 - -- Windows® 7 Service Pack 1 (SP1) - -- Windows Server 2008 R2 (SP1) - -**Important**
          -The device you're going to use to run IEAK 11 must be running the same version of the operating system as the device where you'll build your install packages. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: plan +description: List of supported hardware and software requirements for Internet Explorer 11 and the Internet Explorer Administration Kit 11. +author: lomayor +ms.prod: ie11 +ms.assetid: c50b86dc-7184-43d1-8daf-e750eb88dabb +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Hardware and software requirements for Internet Explorer 11 and the IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Hardware and software requirements for Internet Explorer 11 and the IEAK 11 +Before you can use the Internet Explorer Administration Kit 11 and the Internet Explorer Customization Wizard 11, you must first install Internet Explorer 11. For more info about installing IE11, see the [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md) page. + +## Hardware requirements +Before you start the Internet Explorer Customization Wizard 11, you must check to see how much disk space you have on the drive you're going to use to build the IE11 install package. This drive can be on the same device as the one running the wizard; it just needs to have a secure destination folder. + +Before you start to create your install package, you must meet all of the [Internet Explorer 11 requirements](../ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md), plus: + +- Up to 100 megabytes (MB) of disk space, depending on how many components you include in the installation package. + +- An additional 100 MB of disk space for each custom installation package built. Different media types are considered separate packages. + +## Software requirements +The device you're going to use to build your install packages must be running Internet Explorer 11, on one of these operating systems: + +- Windows 10

          However, you must use the Windows 8.1 target platform and only the "Configuration-only package" is available. + +- Windows 8.1 + +- Windows Server 2012 R2 + +- Windows® 7 Service Pack 1 (SP1) + +- Windows Server 2008 R2 (SP1) + +**Important**
          +The device you're going to use to run IEAK 11 must be running the same version of the operating system as the device where you'll build your install packages. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md index 705f4822e4..26d3c2806d 100644 --- a/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md @@ -1,32 +1,32 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Use the \[HideCustom\] .INS file setting to decide whether to hide the GUID for each custom component. -author: lomayor -ms.prod: ie11 -ms.assetid: e673f7b1-c3aa-4072-92b0-20c6dc3d9277 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the HideCustom .INS file to hide the GUID for each custom component (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the HideCustom .INS file to hide the GUID for each custom component -Info about whether to hide the globally unique identifier (GUID) for each of your custom components. - -|Name |Value |Description | -|------|-------------------------------------------------------------------------------------|-----------------------------------------------| -|GUID |

          • **0.** Component isn't hidden.
          • **1.** Component is hidden.
          |Determines whether this is a hidden component. | - - - - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Use the \[HideCustom\] .INS file setting to decide whether to hide the GUID for each custom component. +author: lomayor +ms.prod: ie11 +ms.assetid: e673f7b1-c3aa-4072-92b0-20c6dc3d9277 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the HideCustom .INS file to hide the GUID for each custom component (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the HideCustom .INS file to hide the GUID for each custom component +Info about whether to hide the globally unique identifier (GUID) for each of your custom components. + +|Name |Value |Description | +|------|-------------------------------------------------------------------------------------|-----------------------------------------------| +|GUID |
          • **0.** Component isn't hidden.
          • **1.** Component is hidden.
          |Determines whether this is a hidden component. | + + + + + + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md b/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md index 2e6aff92eb..66973a3a25 100644 --- a/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md +++ b/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md @@ -1,68 +1,68 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Reference about the command-line options and return codes for Internet Explorer Setup. -author: lomayor -ms.prod: ie11 -ms.assetid: 40c23024-cb5d-4902-ad1b-6e8a189a699f -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Internet Explorer Setup command-line options and return codes (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Internet Explorer Setup command-line options and return codes -You can use command-line options along with a tool like IExpress to package your custom version of Internet Explorer and to perform a batch installation across your organization. - -## IE Setup command-line options -These command-line options work with IE Setup: - -`[/help] [/passive | /quiet] [/update-no] [/no-default] [/nobackup] [/ieak-full: | /ieak-branding: ] [/norestart | /forcerestart] [/log: ` - -|Parameter (Setup modes) |Description | -|------------------------|-------------------------------------------------------------------------------------------------| -|`/passive` |Runs the install without requiring input from the employee, showing progress and error messages. | -|`/quiet` |Identical to `/passive`, but doesn't show any of the progress or error messages to the employee. | -

          - -|Parameter (Setup options) |Description | -|--------------------------|-------------------------------------------------------------------------------------------------| -|`/update-no` |Doesn't look for Internet Explorer updates. | -|`/no-default` |Doesn't make Internet Explorer the default browser. | -|`/no-backup` |Doesn't back up the files necessary to uninstall IE. | -|`/ieak-full` |Reserved for use by the IEAK 11. | -|`/ieak-branding` |Reserved for use by the IEAK 11. | -

          - -|Parameter (Restart options) |Description | -|----------------------------|--------------------------------------------| -|`/norestart` |Doesn't restart after installation. | -|`/forcerestart` |Restarts after installation. | -

          - -|Parameter (miscellaneous options) |Description | -|----------------------------------|--------------------------------------------| -|`/help` |Provides help info. Can't be used with any other option. | -|`/log ` |Creates a log file about the installation process, at the specified location. | - - -## Windows Setup return and status codes -Windows Setup needs to tell you whether IE successfully installed. However, because IE11wzd.exe is packaged inside your IE11setup.exe file, the return codes can’t be sent directly back to you. Instead, Setup needs to return the information (both success and failure) to the `HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\InstallInfo` registry branch. - -|Subkey |Data type |Value | -|---------|----------|---------------------------------------| -|Complete |String |0 = Success | -|Complete |String |0x80100003 = Files are missing for the requested installation. | -|Complete |String |0x80100001 = Setup partially succeeded. One or more components weren’t downloaded or installed. Check the **FailedComponents** subkey for the list of components. | -|Complete |String |0x80100002 = Setup partially succeeded, but the employee cancelled Setup. One or more components weren’t downloaded or installed. Check the **FailedComponents** subkey for the list of components. | -|FailedComponents |MultiSZ |``Null``Component1 | -|InstallStatus |Binary |0 = Install completed successfully. | -|InstallStatus |Binary |1 = Suspend Setup.
          The employee cancelled Setup and is then asked to confirm:

          • 2 = No, don’t cancel. Resume Setup.
          • 3 = Yes, cancel confirmed. Quit Setup as soon as possible.

          **Important**
          If the cancellation is confirmed, Setup will quit as soon as all of the in-progress tasks are done, like copying or extracting files. | - -## Related topics -- [IExpress Wizard for Windows Server 2008 R2 with SP1](iexpress-wizard-for-win-server.md) -- [Express Wizard command-line options](iexpress-command-line-options.md) - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Reference about the command-line options and return codes for Internet Explorer Setup. +author: lomayor +ms.prod: ie11 +ms.assetid: 40c23024-cb5d-4902-ad1b-6e8a189a699f +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Internet Explorer Setup command-line options and return codes (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Internet Explorer Setup command-line options and return codes +You can use command-line options along with a tool like IExpress to package your custom version of Internet Explorer and to perform a batch installation across your organization. + +## IE Setup command-line options +These command-line options work with IE Setup: + +`[/help] [/passive | /quiet] [/update-no] [/no-default] [/nobackup] [/ieak-full: | /ieak-branding: ] [/norestart | /forcerestart] [/log: ` + +|Parameter (Setup modes) |Description | +|------------------------|-------------------------------------------------------------------------------------------------| +|`/passive` |Runs the install without requiring input from the employee, showing progress and error messages. | +|`/quiet` |Identical to `/passive`, but doesn't show any of the progress or error messages to the employee. | +

          + +|Parameter (Setup options) |Description | +|--------------------------|-------------------------------------------------------------------------------------------------| +|`/update-no` |Doesn't look for Internet Explorer updates. | +|`/no-default` |Doesn't make Internet Explorer the default browser. | +|`/no-backup` |Doesn't back up the files necessary to uninstall IE. | +|`/ieak-full` |Reserved for use by the IEAK 11. | +|`/ieak-branding` |Reserved for use by the IEAK 11. | +

          + +|Parameter (Restart options) |Description | +|----------------------------|--------------------------------------------| +|`/norestart` |Doesn't restart after installation. | +|`/forcerestart` |Restarts after installation. | +

          + +|Parameter (miscellaneous options) |Description | +|----------------------------------|--------------------------------------------| +|`/help` |Provides help info. Can't be used with any other option. | +|`/log ` |Creates a log file about the installation process, at the specified location. | + + +## Windows Setup return and status codes +Windows Setup needs to tell you whether IE successfully installed. However, because IE11wzd.exe is packaged inside your IE11setup.exe file, the return codes can’t be sent directly back to you. Instead, Setup needs to return the information (both success and failure) to the `HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\InstallInfo` registry branch. + +|Subkey |Data type |Value | +|---------|----------|---------------------------------------| +|Complete |String |0 = Success | +|Complete |String |0x80100003 = Files are missing for the requested installation. | +|Complete |String |0x80100001 = Setup partially succeeded. One or more components weren’t downloaded or installed. Check the **FailedComponents** subkey for the list of components. | +|Complete |String |0x80100002 = Setup partially succeeded, but the employee cancelled Setup. One or more components weren’t downloaded or installed. Check the **FailedComponents** subkey for the list of components. | +|FailedComponents |MultiSZ |``Null``Component1 | +|InstallStatus |Binary |0 = Install completed successfully. | +|InstallStatus |Binary |1 = Suspend Setup.
          The employee cancelled Setup and is then asked to confirm:

          • 2 = No, don’t cancel. Resume Setup.
          • 3 = Yes, cancel confirmed. Quit Setup as soon as possible.

          **Important**
          If the cancellation is confirmed, Setup will quit as soon as all of the in-progress tasks are done, like copying or extracting files. | + +## Related topics +- [IExpress Wizard for Windows Server 2008 R2 with SP1](iexpress-wizard-for-win-server.md) +- [Express Wizard command-line options](iexpress-command-line-options.md) + diff --git a/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md b/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md index c876d926bb..956404de2f 100644 --- a/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md +++ b/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md @@ -1,51 +1,51 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: support -ms.pagetype: security -description: The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. Use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment. -author: lomayor -ms.author: lomayor -ms.manager: dougkim -ms.prod: ie11 -ms.assetid: -ms.reviewer: -manager: dansimp -title: Internet Explorer Administration Kit (IEAK) information and downloads -ms.sitesec: library -ms.date: 05/10/2018 ---- - -# Internet Explorer Administration Kit (IEAK) information and downloads - ->Applies to: Windows 10 - -The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment. To find more information on the IEAK, see [What IEAK can do for you](what-ieak-can-do-for-you.md). - - -## Internet Explorer Administration Kit 11 (IEAK 11) - -[IEAK 11 documentation](index.md) - -[IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md) - -[IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.md) - -[Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](before-you-create-custom-pkgs-ieak11.md) - -## Download IEAK - -To download, choose to **Open** the download or **Save** it to your hard drive first. - - -| | | | -|---------|---------|---------| -|[English](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) | -|[Arabic](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi) |[German](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi) |[Polish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi) | -|[Chinese (Simplified)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi) |[Greek](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi) |[Portuguese (Brazil)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi) | -|[Chinese (Traditional)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi) |[Hebrew](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi) |[Portuguese (Portugal)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi) | -|[Czech](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi) |[Hungarian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi) |[Russian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi) | -|[Danish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi) |[Italian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi) |[Spanish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi) | -|[Dutch](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi) |[Japanese](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi) |[Swedish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi) | -|[Finnish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi) |[Korean](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi) |[Turkish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi) | - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: support +ms.pagetype: security +description: The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. Use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment. +author: lomayor +ms.author: lomayor +ms.manager: dougkim +ms.prod: ie11 +ms.assetid: +ms.reviewer: +audience: itpro manager: dansimp +title: Internet Explorer Administration Kit (IEAK) information and downloads +ms.sitesec: library +ms.date: 05/10/2018 +--- + +# Internet Explorer Administration Kit (IEAK) information and downloads + +>Applies to: Windows 10 + +The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment. To find more information on the IEAK, see [What IEAK can do for you](what-ieak-can-do-for-you.md). + + +## Internet Explorer Administration Kit 11 (IEAK 11) + +[IEAK 11 documentation](index.md) + +[IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md) + +[IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.md) + +[Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](before-you-create-custom-pkgs-ieak11.md) + +## Download IEAK + +To download, choose to **Open** the download or **Save** it to your hard drive first. + + +| | | | +|---------|---------|---------| +|[English](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) | +|[Arabic](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi) |[German](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi) |[Polish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi) | +|[Chinese (Simplified)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi) |[Greek](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi) |[Portuguese (Brazil)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi) | +|[Chinese (Traditional)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi) |[Hebrew](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi) |[Portuguese (Portugal)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi) | +|[Czech](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi) |[Hungarian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi) |[Russian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi) | +|[Danish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi) |[Italian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi) |[Spanish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi) | +|[Dutch](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi) |[Japanese](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi) |[Swedish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi) | +|[Finnish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi) |[Korean](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi) |[Turkish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi) | + + diff --git a/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md b/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md index 16275db551..8890f6d65b 100644 --- a/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md +++ b/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md @@ -1,44 +1,44 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: plan -description: Review the options available to help you customize your browser install packages for deployment to your employee's devices. -author: lomayor -ms.prod: ie11 -ms.assetid: 4b804da3-c3ac-4b60-ab1c-99536ff6e31b -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options -Use the Internet Explorer Administration Kit 11 (IEAK 11) and the Internet Explorer Customization Wizard 11 to customize your browser install packages for deployment to your employee's devices. - -## IE Customization Wizard 11 options -IEAK 11 lets you customize a lot of Internet Explorer 11, including the IE and Internet Explorer for the desktop experiences. For more info about the experiences, see [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md). For info about which pages appear in the **Internal** or **External** version of IE Customization Wizard 11, see [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md). - -|Internet Explorer Customization Wizard 11 page |Browser experience |Description | -|-----------------------------------------------|------------------------------------|-----------------------------| -|[Custom Components](custom-components-ieak11-wizard.md) |Internet Explorer for the desktop |Add up to 10 additional components that your employees can install at the same time they install IE. | -|[Internal install](internal-install-ieak11-wizard.md) |Internet Explorer for the desktop |Choose to set IE11 as the default browser.

          **Note**
          This only applies to IE11 on Windows 7 SP1 | -|[User Experience](user-experience-ieak11-wizard.md) |Internet Explorer for the desktop |Control the installation and restart experience for your employees.

          This only applies to IE11 on Windows 7 SP1 | -|[Browser user interface](browser-ui-ieak11-wizard.md) |Internet Explorer for the desktop |Customize your title bars and toolbar buttons. | -|[Search Providers](search-providers-ieak11-wizard.md) |Both |Import and add Search providers. | -|[Important URLs – Home page and Support](important-urls-home-page-and-support-ieak11-wizard.md) |The **Support** page is supported by both experiences. The **Home** page is only supported on Internet Explorer for the desktop. |Add URLs for your **Home** and **Support** pages. | -|[Accelerators](accelerators-ieak11-wizard.md) |Internet Explorer for the desktop |Import and add default accelerators. | -|[Favorites, Favorites Bar and Feeds](favorites-favoritesbar-and-feeds-ieak11-wizard.md) |Internet Explorer for the desktop |Import and add items to the **Favorites** folder, the **Favorites Bar**, and the **Feeds** folder.

          **Note**
          You can turn off the entire **Suggested Sites** feature from this page. | -|[Browsing Options](browsing-options-ieak11-wizard.md) |Doesn't apply. The choices that you make on this page affect only the items shown on the **Favorites, Favorites Bar, and Feeds** page. |Choose how to manage items in the **Favorites** folder, the **Favorites Bar**, and the **Feeds** folder. You can also turn off the Microsoft-default Favorites, Web slices, links, feeds, and accelerators. | -|[First Run Wizard and Welcome Page Options](first-run-and-welcome-page-ieak11-wizard.md) |Internet Explorer for the desktop |Decide if the First Run wizard appears the first time an employee starts IE. You can also use the IE11 **Welcome** page, or link to a custom **Welcome** page. | -|[Compatibility View](compat-view-ieak11-wizard.md) |No longer supported |This functionality has been removed for IE11. For more information, see [Missing the Compatibility View Button](../ie11-deploy-guide/missing-the-compatibility-view-button.md). | -|[Connection Manager](connection-mgr-ieak11-wizard.md) |No longer supported |This functionality has been removed for IE11. | -|[Connection Settings](connection-settings-ieak11-wizard.md) |Both |Choose whether to customize your connection settings. You can also choose to delete old dial-up connection settings. | -|[Automatic Configuration](auto-config-ieak11-wizard.md) |Both |Choose whether to automatically detect configuration settings and whether to turn on and customize automatic configuration. | -|[Proxy Settings](proxy-settings-ieak11-wizard.md) |Both |Turn on and set up your proxy servers.

          **Note**
          We don't support Gopher Server anymore. | -|[Add a Root Certification](add-root-certificate-ieak11-wizard.md) |No longer supported |This functionality has been removed for IE11. | -|[Security and Privacy Settings](security-and-privacy-settings-ieak11-wizard.md) |The **Security Zones and Privacy** settings are supported by both experiences. The **Content Ratings** are only supported on Internet Explorer for the desktop. |Decide if you want to:

          • Customize your security zones and privacy settings

            • -OR-

          • Import your current security zones and privacy settings

            • -AND-

          • Customize your content ratings settings

            • -OR-

          • Import your current content ratings settings
          | -|[Programs](programs-ieak11-wizard.md) |Internet Explorer for the desktop |Decide your default programs or import your current settings. | -|[Additional Settings](additional-settings-ieak11-wizard.md) |Both |Decide how to set up multiple IE settings that appear in the **Internet Options** box. | - +--- +ms.localizationpriority: medium +ms.mktglfcycl: plan +description: Review the options available to help you customize your browser install packages for deployment to your employee's devices. +author: lomayor +ms.prod: ie11 +ms.assetid: 4b804da3-c3ac-4b60-ab1c-99536ff6e31b +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options +Use the Internet Explorer Administration Kit 11 (IEAK 11) and the Internet Explorer Customization Wizard 11 to customize your browser install packages for deployment to your employee's devices. + +## IE Customization Wizard 11 options +IEAK 11 lets you customize a lot of Internet Explorer 11, including the IE and Internet Explorer for the desktop experiences. For more info about the experiences, see [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md). For info about which pages appear in the **Internal** or **External** version of IE Customization Wizard 11, see [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md). + +|Internet Explorer Customization Wizard 11 page |Browser experience |Description | +|-----------------------------------------------|------------------------------------|-----------------------------| +|[Custom Components](custom-components-ieak11-wizard.md) |Internet Explorer for the desktop |Add up to 10 additional components that your employees can install at the same time they install IE. | +|[Internal install](internal-install-ieak11-wizard.md) |Internet Explorer for the desktop |Choose to set IE11 as the default browser.

          **Note**
          This only applies to IE11 on Windows 7 SP1 | +|[User Experience](user-experience-ieak11-wizard.md) |Internet Explorer for the desktop |Control the installation and restart experience for your employees.

          This only applies to IE11 on Windows 7 SP1 | +|[Browser user interface](browser-ui-ieak11-wizard.md) |Internet Explorer for the desktop |Customize your title bars and toolbar buttons. | +|[Search Providers](search-providers-ieak11-wizard.md) |Both |Import and add Search providers. | +|[Important URLs – Home page and Support](important-urls-home-page-and-support-ieak11-wizard.md) |The **Support** page is supported by both experiences. The **Home** page is only supported on Internet Explorer for the desktop. |Add URLs for your **Home** and **Support** pages. | +|[Accelerators](accelerators-ieak11-wizard.md) |Internet Explorer for the desktop |Import and add default accelerators. | +|[Favorites, Favorites Bar and Feeds](favorites-favoritesbar-and-feeds-ieak11-wizard.md) |Internet Explorer for the desktop |Import and add items to the **Favorites** folder, the **Favorites Bar**, and the **Feeds** folder.

          **Note**
          You can turn off the entire **Suggested Sites** feature from this page. | +|[Browsing Options](browsing-options-ieak11-wizard.md) |Doesn't apply. The choices that you make on this page affect only the items shown on the **Favorites, Favorites Bar, and Feeds** page. |Choose how to manage items in the **Favorites** folder, the **Favorites Bar**, and the **Feeds** folder. You can also turn off the Microsoft-default Favorites, Web slices, links, feeds, and accelerators. | +|[First Run Wizard and Welcome Page Options](first-run-and-welcome-page-ieak11-wizard.md) |Internet Explorer for the desktop |Decide if the First Run wizard appears the first time an employee starts IE. You can also use the IE11 **Welcome** page, or link to a custom **Welcome** page. | +|[Compatibility View](compat-view-ieak11-wizard.md) |No longer supported |This functionality has been removed for IE11. For more information, see [Missing the Compatibility View Button](../ie11-deploy-guide/missing-the-compatibility-view-button.md). | +|[Connection Manager](connection-mgr-ieak11-wizard.md) |No longer supported |This functionality has been removed for IE11. | +|[Connection Settings](connection-settings-ieak11-wizard.md) |Both |Choose whether to customize your connection settings. You can also choose to delete old dial-up connection settings. | +|[Automatic Configuration](auto-config-ieak11-wizard.md) |Both |Choose whether to automatically detect configuration settings and whether to turn on and customize automatic configuration. | +|[Proxy Settings](proxy-settings-ieak11-wizard.md) |Both |Turn on and set up your proxy servers.

          **Note**
          We don't support Gopher Server anymore. | +|[Add a Root Certification](add-root-certificate-ieak11-wizard.md) |No longer supported |This functionality has been removed for IE11. | +|[Security and Privacy Settings](security-and-privacy-settings-ieak11-wizard.md) |The **Security Zones and Privacy** settings are supported by both experiences. The **Content Ratings** are only supported on Internet Explorer for the desktop. |Decide if you want to:

          • Customize your security zones and privacy settings

            • -OR-

          • Import your current security zones and privacy settings

            • -AND-

          • Customize your content ratings settings

            • -OR-

          • Import your current content ratings settings
          | +|[Programs](programs-ieak11-wizard.md) |Internet Explorer for the desktop |Decide your default programs or import your current settings. | +|[Additional Settings](additional-settings-ieak11-wizard.md) |Both |Decide how to set up multiple IE settings that appear in the **Internet Options** box. | + diff --git a/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md b/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md index 00e0667eb1..d36ca26c63 100644 --- a/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md +++ b/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md @@ -1,43 +1,43 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Reference about the command-line options for the IExpress Wizard. -author: lomayor -ms.prod: ie11 -ms.assetid: aa16d738-1067-403c-88b3-bada12cf9752 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: IExpress Wizard command-line options (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -**Applies to:** -- Windows Server 2008 R2 with SP1 - -# IExpress Wizard command-line options -Use command-line options with the IExpress Wizard (IExpress.exe) to control your Internet Explorer custom browser package extraction process. - -These command-line options work with IExpress:
          -`Ie11setup /c:"ie11wzd "` - -|Parameter |Action | -|----------|--------------------------------------------------------------------------------------------| -|`/q` |Specifies quiet mode, hiding all of the prompts, while files are being extracted. This option won’t suppress prompts during Setup. | -|`/q:u` |Specifies user-quiet mode, letting some of the progress and error messages appear to the employee. | -|`/q:a` |Specifies administrator-quiet mode, hiding all of the progress and error messages from the employee. | -|`/t:` |Specifies where to store your extracted files. | -|`/c:` |Extracts all of the files without installing them. If `t:/` isn’t used, you’ll be prompted for a storage folder. | -|`/c:` |Specifies the UNC path and name of the Setup .inf or .exe file. | -|`/r:n` |Never restarts the computer after installation. | -|`/r:a` |Always restarts the computer after installation. | -|`/r:s` |Restarts the computer after installation without prompting the employee. | - -For more information, see [Command-line switches for IExpress software update packages](https://go.microsoft.com/fwlink/p/?LinkId=317973). - -## Related topics -- [IExpress Wizard for Windows Server 2008 R2 with SP1](iexpress-wizard-for-win-server.md) -- [Internet Explorer Setup command-line options and return codes](ie-setup-command-line-options-and-return-codes.md) - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Reference about the command-line options for the IExpress Wizard. +author: lomayor +ms.prod: ie11 +ms.assetid: aa16d738-1067-403c-88b3-bada12cf9752 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: IExpress Wizard command-line options (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +**Applies to:** +- Windows Server 2008 R2 with SP1 + +# IExpress Wizard command-line options +Use command-line options with the IExpress Wizard (IExpress.exe) to control your Internet Explorer custom browser package extraction process. + +These command-line options work with IExpress:
          +`Ie11setup /c:"ie11wzd "` + +|Parameter |Action | +|----------|--------------------------------------------------------------------------------------------| +|`/q` |Specifies quiet mode, hiding all of the prompts, while files are being extracted. This option won’t suppress prompts during Setup. | +|`/q:u` |Specifies user-quiet mode, letting some of the progress and error messages appear to the employee. | +|`/q:a` |Specifies administrator-quiet mode, hiding all of the progress and error messages from the employee. | +|`/t:` |Specifies where to store your extracted files. | +|`/c:` |Extracts all of the files without installing them. If `t:/` isn’t used, you’ll be prompted for a storage folder. | +|`/c:` |Specifies the UNC path and name of the Setup .inf or .exe file. | +|`/r:n` |Never restarts the computer after installation. | +|`/r:a` |Always restarts the computer after installation. | +|`/r:s` |Restarts the computer after installation without prompting the employee. | + +For more information, see [Command-line switches for IExpress software update packages](https://go.microsoft.com/fwlink/p/?LinkId=317973). + +## Related topics +- [IExpress Wizard for Windows Server 2008 R2 with SP1](iexpress-wizard-for-win-server.md) +- [Internet Explorer Setup command-line options and return codes](ie-setup-command-line-options-and-return-codes.md) + diff --git a/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md b/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md index 8590dc3ff7..ced5d1a708 100644 --- a/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md +++ b/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md @@ -1,72 +1,72 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Use the IExpress Wizard on Windows Server 2008 R2 with SP1 to create self-extracting files to run your custom Internet Explorer Setup program. -author: lomayor -ms.prod: ie11 -ms.assetid: 5100886d-ec88-4c1c-8cd7-be00da874c57 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: IExpress Wizard for Windows Server 2008 R2 with SP1 (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# IExpress Wizard for Windows Server 2008 R2 with SP1 -Use the IExpress Wizard and its associated command-line options to create self-extracting files that automatically run your custom Internet Explorer Setup (.inf or .exe file) program that’s contained inside. - -## IExpress Wizard location -The IExpress Wizard (Iexpress.exe) is included as part of Windows Server 2008 R2 with Service Pack 1 (SP1), in the `:\Windows\System32` folder. The wizard uses a self-extraction directive (.sed) file to store your package’s information. When you run the wizard, you have the option to start with an existing .sed file or to create a new one. - -## IExpress Wizard features -The IExpress Wizard: - -- Performs silent, unattended installations of your custom IE packages. - -- Supports upgrading IE without removing previous installations. - -- Supports repeated updating or performing clean installations of the same IE build. - -## IExpress Wizard settings -The IExpress Wizard lets you: - -- Decide whether the self-installing package is for administrators or for general employees. - -- Set multiple ways to run the installation command, such as in normal or silent mode. - -- Determine whether the IExpress dynamic-link libraries (.dll files) are updated on an employee’s computer. - -- Determine the compatibility of the installation package, based on the operating system version range, the browser version range, or any application version range. - -- Update and add files to the IExpress package, using the UPDFILE tool, without having to rebuild the package. - -- Replace Runonce with RunOnceEx (if the newer version of Iernonce.dll exists); giving you control over the job run order and status display. - -- Let corporate administrators set up support for roaming employees. - -- Let Internet Content Providers (ICPs) and Internet Service Providers (ISPs) generate packages for preconfigured desktops with custom, current content. - -- Save disk space by cleaning up the hard drive when running in Setup, uninstallation, and maintenance modes. - -- Provide support for multiple download sites. - -- Provide support for internal and external development, customization, expandability, and enhanced debugging. - -- Provide support for the extended character set, beyond single-byte characters (SBCS). - -- Provide support for using the .inf file format to download Internet components. For more information, see [Use the uninstallation .INF files to uninstall custom components](create-uninstall-inf-files-for-custom-components.md). - -## Related topics -- [IExpress command-line options](iexpress-command-line-options.md) -- [Internet Explorer Setup command-line options and return codes](ie-setup-command-line-options-and-return-codes.md) - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Use the IExpress Wizard on Windows Server 2008 R2 with SP1 to create self-extracting files to run your custom Internet Explorer Setup program. +author: lomayor +ms.prod: ie11 +ms.assetid: 5100886d-ec88-4c1c-8cd7-be00da874c57 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: IExpress Wizard for Windows Server 2008 R2 with SP1 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# IExpress Wizard for Windows Server 2008 R2 with SP1 +Use the IExpress Wizard and its associated command-line options to create self-extracting files that automatically run your custom Internet Explorer Setup (.inf or .exe file) program that’s contained inside. + +## IExpress Wizard location +The IExpress Wizard (Iexpress.exe) is included as part of Windows Server 2008 R2 with Service Pack 1 (SP1), in the `:\Windows\System32` folder. The wizard uses a self-extraction directive (.sed) file to store your package’s information. When you run the wizard, you have the option to start with an existing .sed file or to create a new one. + +## IExpress Wizard features +The IExpress Wizard: + +- Performs silent, unattended installations of your custom IE packages. + +- Supports upgrading IE without removing previous installations. + +- Supports repeated updating or performing clean installations of the same IE build. + +## IExpress Wizard settings +The IExpress Wizard lets you: + +- Decide whether the self-installing package is for administrators or for general employees. + +- Set multiple ways to run the installation command, such as in normal or silent mode. + +- Determine whether the IExpress dynamic-link libraries (.dll files) are updated on an employee’s computer. + +- Determine the compatibility of the installation package, based on the operating system version range, the browser version range, or any application version range. + +- Update and add files to the IExpress package, using the UPDFILE tool, without having to rebuild the package. + +- Replace Runonce with RunOnceEx (if the newer version of Iernonce.dll exists); giving you control over the job run order and status display. + +- Let corporate administrators set up support for roaming employees. + +- Let Internet Content Providers (ICPs) and Internet Service Providers (ISPs) generate packages for preconfigured desktops with custom, current content. + +- Save disk space by cleaning up the hard drive when running in Setup, uninstallation, and maintenance modes. + +- Provide support for multiple download sites. + +- Provide support for internal and external development, customization, expandability, and enhanced debugging. + +- Provide support for the extended character set, beyond single-byte characters (SBCS). + +- Provide support for using the .inf file format to download Internet components. For more information, see [Use the uninstallation .INF files to uninstall custom components](create-uninstall-inf-files-for-custom-components.md). + +## Related topics +- [IExpress command-line options](iexpress-command-line-options.md) +- [Internet Explorer Setup command-line options and return codes](ie-setup-command-line-options-and-return-codes.md) + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md index 0ecb9dcb7f..6e1ac8e67a 100644 --- a/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md @@ -1,39 +1,39 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Important URLs - Home Page and Support page in the IEAK 11 Customization Wizard to choose one or more **Home** pages and an online support page for your customized version of IE. -author: lomayor -ms.prod: ie11 -ms.assetid: 19e34879-ba9d-41bf-806a-3b9b9b752fc1 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard -The **Important URLS – Home Page and Support** page of the Internet Explorer Customization Wizard 11 lets you choose one or more **Home** pages and an online support page for your customized version of IE. - -**To use the Important URLS – Home Page and Support page** - -1. In the **Add a homepage URL** box, type the URL to the page your employees go to when they click the **Home** button, and then click **Add**.

          -If you add multiple **Home** pages, each page appears on a separate tab in the browser. If you don’t add a custom **Home** page, IE uses https://www.msn.com by default. If you want to delete an existing page, click the URL and then click **Remove**. - -2. Check the **Retain previous Home Page (Upgrade)** box if you have employees with previous versions of IE, who need to keep their **Home** page settings when the browser is updated. - -3. Check the **Online support page URL** box to type in the URL to your own support page. Customizing the support page is only supported in Internet Explorer for the desktop. - -4. Click **Next** to go to the [Accelerators](accelerators-ieak11-wizard.md) page or **Back** to go to the [Search Providers](search-providers-ieak11-wizard.md) page. - - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Important URLs - Home Page and Support page in the IEAK 11 Customization Wizard to choose one or more **Home** pages and an online support page for your customized version of IE. +author: lomayor +ms.prod: ie11 +ms.assetid: 19e34879-ba9d-41bf-806a-3b9b9b752fc1 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard +The **Important URLS – Home Page and Support** page of the Internet Explorer Customization Wizard 11 lets you choose one or more **Home** pages and an online support page for your customized version of IE. + +**To use the Important URLS – Home Page and Support page** + +1. In the **Add a homepage URL** box, type the URL to the page your employees go to when they click the **Home** button, and then click **Add**.

          +If you add multiple **Home** pages, each page appears on a separate tab in the browser. If you don’t add a custom **Home** page, IE uses https://www.msn.com by default. If you want to delete an existing page, click the URL and then click **Remove**. + +2. Check the **Retain previous Home Page (Upgrade)** box if you have employees with previous versions of IE, who need to keep their **Home** page settings when the browser is updated. + +3. Check the **Online support page URL** box to type in the URL to your own support page. Customizing the support page is only supported in Internet Explorer for the desktop. + +4. Click **Next** to go to the [Accelerators](accelerators-ieak11-wizard.md) page or **Back** to go to the [Search Providers](search-providers-ieak11-wizard.md) page. + + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/index.md b/browsers/internet-explorer/ie11-ieak/index.md index 74c0cbdb1c..ea51efa9dc 100644 --- a/browsers/internet-explorer/ie11-ieak/index.md +++ b/browsers/internet-explorer/ie11-ieak/index.md @@ -45,4 +45,4 @@ IE11 and IEAK 11 offers differing experiences between Windows 7 and Windows 8.1 - [IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md) - [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md) - [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md) -- [Microsoft Edge - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760643) \ No newline at end of file +- [Microsoft Edge - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760643) diff --git a/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md index d6ec147ebd..59969fe56f 100644 --- a/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md @@ -1,39 +1,39 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Internal Install page in the IEAK 11 Customization Wizard to customize Setup for the default browser and the latest browser updates. -author: lomayor -ms.prod: ie11 -ms.assetid: 33d078e3-75b8-455b-9126-f0d272ed676f -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Internal Install page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Internal Install page in the IEAK 11 Wizard -The **Internal Install** page of the Internet Explorer Customization Wizard 11 lets you customize Setup for the default browser and the latest browser updates, based on your company’s guidelines. - -**Note**
          The customizations made on this page only apply to Internet Explorer for the desktop on Windows 7. - -**To use the Internal Install page** - -1. Pick either: - - - **Allow user to choose.** Lets your employees pick their own default browser.

          -OR-

          - - - **Do not set IE as the default browser.** Won’t set IE as the default browser. However, your employees can still make IE the default. - -2. Click **Next** to go to the [User Experience](user-experience-ieak11-wizard.md) page or **Back** to go to the [Custom Components](custom-components-ieak11-wizard.md). - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Internal Install page in the IEAK 11 Customization Wizard to customize Setup for the default browser and the latest browser updates. +author: lomayor +ms.prod: ie11 +ms.assetid: 33d078e3-75b8-455b-9126-f0d272ed676f +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Internal Install page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Internal Install page in the IEAK 11 Wizard +The **Internal Install** page of the Internet Explorer Customization Wizard 11 lets you customize Setup for the default browser and the latest browser updates, based on your company’s guidelines. + +**Note**
          The customizations made on this page only apply to Internet Explorer for the desktop on Windows 7. + +**To use the Internal Install page** + +1. Pick either: + + - **Allow user to choose.** Lets your employees pick their own default browser.

          -OR-

          + + - **Do not set IE as the default browser.** Won’t set IE as the default browser. However, your employees can still make IE the default. + +2. Click **Next** to go to the [User Experience](user-experience-ieak11-wizard.md) page or **Back** to go to the [Custom Components](custom-components-ieak11-wizard.md). + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md index 5b910085bb..58fd70a9aa 100644 --- a/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md @@ -1,23 +1,23 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Use the \[ISP_Security\] .INS file setting to add the root certificate for your custom Internet Explorer package. -author: lomayor -ms.prod: ie11 -ms.assetid: 4eca2de5-7071-45a2-9c99-75115be00d06 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the ISP_Security .INS file to add your root certificate (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the ISP_Security .INS file to add your root certificate -Info about where you store the root certificate you’re adding to your custom package. - -|Name |Value |Description | -|---------------|-----------------------|------------------------------------------------------------------------------------------| -|RootCertPath |`` |Location and name of the root certificate you want to add to your custom install package. | - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Use the \[ISP_Security\] .INS file setting to add the root certificate for your custom Internet Explorer package. +author: lomayor +ms.prod: ie11 +ms.assetid: 4eca2de5-7071-45a2-9c99-75115be00d06 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the ISP_Security .INS file to add your root certificate (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the ISP_Security .INS file to add your root certificate +Info about where you store the root certificate you’re adding to your custom package. + +|Name |Value |Description | +|---------------|-----------------------|------------------------------------------------------------------------------------------| +|RootCertPath |`` |Location and name of the root certificate you want to add to your custom install package. | + diff --git a/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md index 3132ba6558..a266fcba98 100644 --- a/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md @@ -1,37 +1,37 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Language Selection page in the IEAK 11 Customization Wizard to choose the language for your IEAK 11 custom package. -author: lomayor -ms.prod: ie11 -ms.assetid: f9d4ab57-9b1d-4cbc-9398-63f4938df1f6 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Language Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Language Selection page in the IEAK 11 Wizard -The **Language Selection** page of the Internet Explorer Customization Wizard 11 lets you choose the language for your Internet Explorer Administration Kit 11 (IEAK 11) custom package. You can create custom Internet Explorer 11 packages in any of the languages your operating system version is available in. - -**Important**
          Make sure that the language of your IEAK 11 installation matches the language of your custom IE11 package. If the languages don’t match, IEAK 11 won’t work properly. - -**To use the Language Selection page** - -1. Pick the language you want your custom IE11 installation package to use.

          -You can support as many languages as you want, but each localized version must be in its own install package.

          -**Note**
          To keep your settings across multiple versions of the package, you can pick the same destination folder for all versions. The different language versions are then saved in separate subfolders within that destination folder. Like, for an English version, `C:\Cie\Build1\Flat\Win32_WIN8\en-US\` and for a German version, `C:\Cie\Build1\Flat\Win32_WIN8\de-DE\`. - -2. Click **Next** to go to the [Package Type Selection](pkg-type-selection-ieak11-wizard.md) page or **Back** to go to the [Platform Selection](platform-selection-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Language Selection page in the IEAK 11 Customization Wizard to choose the language for your IEAK 11 custom package. +author: lomayor +ms.prod: ie11 +ms.assetid: f9d4ab57-9b1d-4cbc-9398-63f4938df1f6 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Language Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Language Selection page in the IEAK 11 Wizard +The **Language Selection** page of the Internet Explorer Customization Wizard 11 lets you choose the language for your Internet Explorer Administration Kit 11 (IEAK 11) custom package. You can create custom Internet Explorer 11 packages in any of the languages your operating system version is available in. + +**Important**
          Make sure that the language of your IEAK 11 installation matches the language of your custom IE11 package. If the languages don’t match, IEAK 11 won’t work properly. + +**To use the Language Selection page** + +1. Pick the language you want your custom IE11 installation package to use.

          +You can support as many languages as you want, but each localized version must be in its own install package.

          +**Note**
          To keep your settings across multiple versions of the package, you can pick the same destination folder for all versions. The different language versions are then saved in separate subfolders within that destination folder. Like, for an English version, `C:\Cie\Build1\Flat\Win32_WIN8\en-US\` and for a German version, `C:\Cie\Build1\Flat\Win32_WIN8\de-DE\`. + +2. Click **Next** to go to the [Package Type Selection](pkg-type-selection-ieak11-wizard.md) page or **Back** to go to the [Platform Selection](platform-selection-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md index 2631d361e7..6cc535e14f 100644 --- a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md @@ -1,106 +1,106 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: plan -description: Learn about the version of the IEAK 11 you should run, based on your license agreement. -author: lomayor -ms.author: lomayor -ms.prod: ie11, ieak11 -ms.assetid: 69d25451-08af-4db0-9daa-44ab272acc15 -ms.reviewer: -manager: dansimp -title: Determine the licensing version and features to use in IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 10/23/2018 ---- - - -# Determine the licensing version and features to use in IEAK 11 -In addition to the Software License Terms for the Internet Explorer Administration Kit 11 (IEAK 11, referred to as the "software"), these Guidelines further define how you may and may not use the software to create versions of Internet Explorer 11 with optional customizations (referred to as the "customized browser") for internal use and distribution in accordance with the IEAK 11 Software License Terms. IEAK 11 is for testing purposes only and is not intended to be used in a production environment. - -During installation, you must pick a version of IEAK 11, either **External** or **Internal**, based on your license agreement. Your version selection decides the options you can chose, the steps you follow to deploy your Internet Explorer 11 package, and how you manage the browser after deployment. - -- **External Distribution as an Internet Service Provider (ISP), Internet Content Provider (ICP), or Developer.** If you are an ISP or an ICP, your license agreement also states that you must show the Internet Explorer logo on your packaging and promotional goods, as well as on your website. - >[!IMPORTANT] - >Original Equipment Manufacturers (OEMs) that install IEAK 11 as part of a Windows product, under an OEM license agreement with Microsoft, must use their appropriate Windows OEM Preinstallation document (OPD) as the guide for allowable customizations. - -- **Internal Distribution via a Corporate Intranet.** This version is for network admins that plan to directly deploy IE11 into a corporate environment. - -## Available features by version - -| Feature | Internal | External | -|-------------------------------------------|:--------------------------------------------------------------------------------:|:------------------------------------------------------------------------------------:| -| Welcome screen | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -| File locations | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -| Platform selection | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -| Language selection | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -| Package type selection | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -| Feature selection | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -| Automatic Version Synchronization (AVS) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -| Custom components | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -| Internal install | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | -| User experience | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | -| Browser user interface | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -| Search providers | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -| Important URLs – Home page and support | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -| Accelerators | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -| Favorites, Favorites bar, and feeds | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -| Browsing options | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | -| First Run wizard and Welcome page options | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -| Connection manager | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -| Connection settings | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -| Automatic configuration | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | -| Proxy settings | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -| Security and privacy settings | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | -| Add a root certificate | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | -| Programs | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -| Additional settings | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | -| Wizard complete | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | - ---- - - -## Customization guidelines - -Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software. - -- **External Distribution** - This mode is available to anyone who wants to create a customized browser for distribution outside their company (for example, websites, magazines, retailers, non-profit organizations, independent hardware vendors, independent software vendors, Internet service providers, Internet content providers, software developers, and marketers). - -- **Internal Distribution** - This mode is available to companies for the creation and distribution of a customized browser only to their employees over a corporate intranet. - -The table below identifies which customizations you may or may not perform based on the mode you selected. - -| **Feature Name** | **External Distribution** | **Internal Distribution** | -|---------------------------------|:--------------------:|:-------------------:| -| **Custom Components** | Yes | Yes | -| **Title Bar** | Yes | Yes | -| **Favorites** | One folder, containing any number of links. | Any number of folders/links. | -| **Search Provider URLs** | Yes | Yes | -| **Search Guide URL** | No | Yes | -| **Online Support URL** | Yes | Yes | -| **Web Slice** | Suggested maximum five Web Slices. | Any number of Web Slices. | -| **Accelerator** | Search provider Accelerator must be the same as the search provider set for the Search Toolbox. We recommend that Any number of Accelerators/Accelerator Categories. Feature Name External Internal Accelerator category not exceed seven total categories, and each Accelerator category must be unique. We recommend each Accelerator category not have more than two Accelerators. The Accelerator display name should follow the syntax of verb + noun, such as "Map with Bing." | Any number of Accelerators/Accelerator Categories. | -| **Homepage URLs** | Can add a maximum of three. | Unlimited. | -| **First Run Wizard and Welcome Page Options** | Cannot remove Internet Explorer 11 First Run wizard. Can customize **Welcome** page. | Customizable. | -| **RSS Feeds** | One folder, containing any number of links. | Any number of folders/links. | -| **Browsing Options** | No | Yes | -| **Security and Privacy Settings** | No | Can add any number of sites. | -| **Corporate Options** (Latest Updates, Default Browser, Uninstall Info, Additional Settings) | No | Yes | -| **User Experience** (Setup/Restart) | No | Yes | -| **User Agent String** | Yes | Yes | -| **Compatibility View** | Yes | Yes | -| **Connection Settings and Manage** | Yes | Yes | - - -Support for some of the Internet Explorer settings on the wizard pages varies depending on your target operating system. For more information, see [Internet Explorer Customization Wizard 11 options](https://docs.microsoft.com/internet-explorer/ie11-ieak/ieak11-wizard-custom-options). - -## Distribution guidelines - -Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software. - -- **External Distribution** - You shall use commercially reasonable efforts to maintain the quality of (i) any non-Microsoft software distributed with Internet Explorer 11, and (ii) any media used for distribution (for example, optical media, flash drives), at a level that meets or exceeds the highest industry standards. If you distribute add-ons with Internet Explorer 11, those add-ons must comply with the [Microsoft browser extension policy](https://docs.microsoft.com/legal/windows/agreements/microsoft-browser-extension-policy). - -- **Internal Distribution - corporate intranet** - The software is solely for use by your employees within your company's organization and affiliated companies through your corporate intranet. Neither you nor any of your employees may permit redistribution of the software to or for use by third parties other than for third parties such as consultants, contractors, and temporary staff accessing your corporate intranet. +--- +ms.localizationpriority: medium +ms.mktglfcycl: plan +description: Learn about the version of the IEAK 11 you should run, based on your license agreement. +author: lomayor +ms.author: lomayor +ms.prod: ie11, ieak11 +ms.assetid: 69d25451-08af-4db0-9daa-44ab272acc15 +ms.reviewer: +audience: itpro manager: dansimp +title: Determine the licensing version and features to use in IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 10/23/2018 +--- + + +# Determine the licensing version and features to use in IEAK 11 +In addition to the Software License Terms for the Internet Explorer Administration Kit 11 (IEAK 11, referred to as the "software"), these Guidelines further define how you may and may not use the software to create versions of Internet Explorer 11 with optional customizations (referred to as the "customized browser") for internal use and distribution in accordance with the IEAK 11 Software License Terms. IEAK 11 is for testing purposes only and is not intended to be used in a production environment. + +During installation, you must pick a version of IEAK 11, either **External** or **Internal**, based on your license agreement. Your version selection decides the options you can chose, the steps you follow to deploy your Internet Explorer 11 package, and how you manage the browser after deployment. + +- **External Distribution as an Internet Service Provider (ISP), Internet Content Provider (ICP), or Developer.** If you are an ISP or an ICP, your license agreement also states that you must show the Internet Explorer logo on your packaging and promotional goods, as well as on your website. + >[!IMPORTANT] + >Original Equipment Manufacturers (OEMs) that install IEAK 11 as part of a Windows product, under an OEM license agreement with Microsoft, must use their appropriate Windows OEM Preinstallation document (OPD) as the guide for allowable customizations. + +- **Internal Distribution via a Corporate Intranet.** This version is for network admins that plan to directly deploy IE11 into a corporate environment. + +## Available features by version + +| Feature | Internal | External | +|-------------------------------------------|:--------------------------------------------------------------------------------:|:------------------------------------------------------------------------------------:| +| Welcome screen | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| File locations | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Platform selection | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Language selection | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Package type selection | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Feature selection | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Automatic Version Synchronization (AVS) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Custom components | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Internal install | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | +| User experience | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | +| Browser user interface | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Search providers | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Important URLs – Home page and support | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Accelerators | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Favorites, Favorites bar, and feeds | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Browsing options | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | +| First Run wizard and Welcome page options | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Connection manager | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Connection settings | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Automatic configuration | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | +| Proxy settings | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Security and privacy settings | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | +| Add a root certificate | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | +| Programs | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Additional settings | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | +| Wizard complete | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | + +--- + + +## Customization guidelines + +Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software. + +- **External Distribution** + This mode is available to anyone who wants to create a customized browser for distribution outside their company (for example, websites, magazines, retailers, non-profit organizations, independent hardware vendors, independent software vendors, Internet service providers, Internet content providers, software developers, and marketers). + +- **Internal Distribution** + This mode is available to companies for the creation and distribution of a customized browser only to their employees over a corporate intranet. + +The table below identifies which customizations you may or may not perform based on the mode you selected. + +| **Feature Name** | **External Distribution** | **Internal Distribution** | +|---------------------------------|:--------------------:|:-------------------:| +| **Custom Components** | Yes | Yes | +| **Title Bar** | Yes | Yes | +| **Favorites** | One folder, containing any number of links. | Any number of folders/links. | +| **Search Provider URLs** | Yes | Yes | +| **Search Guide URL** | No | Yes | +| **Online Support URL** | Yes | Yes | +| **Web Slice** | Suggested maximum five Web Slices. | Any number of Web Slices. | +| **Accelerator** | Search provider Accelerator must be the same as the search provider set for the Search Toolbox. We recommend that Any number of Accelerators/Accelerator Categories. Feature Name External Internal Accelerator category not exceed seven total categories, and each Accelerator category must be unique. We recommend each Accelerator category not have more than two Accelerators. The Accelerator display name should follow the syntax of verb + noun, such as "Map with Bing." | Any number of Accelerators/Accelerator Categories. | +| **Homepage URLs** | Can add a maximum of three. | Unlimited. | +| **First Run Wizard and Welcome Page Options** | Cannot remove Internet Explorer 11 First Run wizard. Can customize **Welcome** page. | Customizable. | +| **RSS Feeds** | One folder, containing any number of links. | Any number of folders/links. | +| **Browsing Options** | No | Yes | +| **Security and Privacy Settings** | No | Can add any number of sites. | +| **Corporate Options** (Latest Updates, Default Browser, Uninstall Info, Additional Settings) | No | Yes | +| **User Experience** (Setup/Restart) | No | Yes | +| **User Agent String** | Yes | Yes | +| **Compatibility View** | Yes | Yes | +| **Connection Settings and Manage** | Yes | Yes | + + +Support for some of the Internet Explorer settings on the wizard pages varies depending on your target operating system. For more information, see [Internet Explorer Customization Wizard 11 options](https://docs.microsoft.com/internet-explorer/ie11-ieak/ieak11-wizard-custom-options). + +## Distribution guidelines + +Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software. + +- **External Distribution** + You shall use commercially reasonable efforts to maintain the quality of (i) any non-Microsoft software distributed with Internet Explorer 11, and (ii) any media used for distribution (for example, optical media, flash drives), at a level that meets or exceeds the highest industry standards. If you distribute add-ons with Internet Explorer 11, those add-ons must comply with the [Microsoft browser extension policy](https://docs.microsoft.com/legal/windows/agreements/microsoft-browser-extension-policy). + +- **Internal Distribution - corporate intranet** + The software is solely for use by your employees within your company's organization and affiliated companies through your corporate intranet. Neither you nor any of your employees may permit redistribution of the software to or for use by third parties other than for third parties such as consultants, contractors, and temporary staff accessing your corporate intranet. diff --git a/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md index 1d64dec04f..2aa91f6753 100644 --- a/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md @@ -1,23 +1,23 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Use the \[Media\] .INS file setting to specify the types of media on which your custom install package is available. -author: lomayor -ms.prod: ie11 -ms.assetid: c57bae60-d520-49a9-a77d-da43f7ebe5b8 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Media .INS file to specify your install media (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Media .INS file to specify your install media -The types of media on which your custom install package is available. - -|Name |Value |Description | -|-----|------|-----------------| -|Build_LAN |

          • **0.** Don’t create the LAN-based installation package.
          • **1.** Create the LAN-based installation package.
          |Determines whether you want to create a LAN-based installation package. | - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Use the \[Media\] .INS file setting to specify the types of media on which your custom install package is available. +author: lomayor +ms.prod: ie11 +ms.assetid: c57bae60-d520-49a9-a77d-da43f7ebe5b8 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Media .INS file to specify your install media (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Media .INS file to specify your install media +The types of media on which your custom install package is available. + +|Name |Value |Description | +|-----|------|-----------------| +|Build_LAN |
          • **0.** Don’t create the LAN-based installation package.
          • **1.** Create the LAN-based installation package.
          |Determines whether you want to create a LAN-based installation package. | + diff --git a/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md index eb1096749e..6cd52f789f 100644 --- a/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md @@ -1,39 +1,39 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Package Type Selection page in the IEAK 11 Customization Wizard to pick the media type you’ll use to distribute your custom package. -author: lomayor -ms.prod: ie11 -ms.assetid: dd91f788-d05e-4f45-9fd5-d951abf04f2c -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Package Type Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Package Type Selection page in the IEAK 11 Wizard -The **Package Type Selection** page of the Internet Explorer Customization Wizard 11 lets you pick which type of media you’ll use to distribute your custom installation package. You can pick more than one type, if you need it. - -**Important**
          You can't create a full installation package for deployment to Windows 10 computers. That option only works for computers running Windows 7 or Windows 8.1. - -**To use the File Locations page** - -1. Check the **Full Installation Package** box if you’re going to build your package on, or move your package to, a local area network (LAN). This media package includes the Internet Explorer 11 installation files, and is named **IE11-Setup-Full.exe**, in the `\\FLAT\\` folder.

          -OR-

            - -2. Check the **Configuration-only package** box if you want to update an existing installation of IE11. This media package is named **IE11- Setup-Branding.exe**, in the `\\BrndOnly\\` folder.

          -You can distribute this file on any media format or server. It customizes the IE11 features without re-installing IE.

          -**Important**
          You can’t include custom components in a configuration-only package. - -3. Click **Next** to go to the [Feature Selection](feature-selection-ieak11-wizard.md) page or **Back** to go to the [Language Selection](language-selection-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Package Type Selection page in the IEAK 11 Customization Wizard to pick the media type you’ll use to distribute your custom package. +author: lomayor +ms.prod: ie11 +ms.assetid: dd91f788-d05e-4f45-9fd5-d951abf04f2c +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Package Type Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Package Type Selection page in the IEAK 11 Wizard +The **Package Type Selection** page of the Internet Explorer Customization Wizard 11 lets you pick which type of media you’ll use to distribute your custom installation package. You can pick more than one type, if you need it. + +**Important**
          You can't create a full installation package for deployment to Windows 10 computers. That option only works for computers running Windows 7 or Windows 8.1. + +**To use the File Locations page** + +1. Check the **Full Installation Package** box if you’re going to build your package on, or move your package to, a local area network (LAN). This media package includes the Internet Explorer 11 installation files, and is named **IE11-Setup-Full.exe**, in the `\\FLAT\\` folder.

          -OR-

            + +2. Check the **Configuration-only package** box if you want to update an existing installation of IE11. This media package is named **IE11- Setup-Branding.exe**, in the `\\BrndOnly\\` folder.

          +You can distribute this file on any media format or server. It customizes the IE11 features without re-installing IE.

          +**Important**
          You can’t include custom components in a configuration-only package. + +3. Click **Next** to go to the [Feature Selection](feature-selection-ieak11-wizard.md) page or **Back** to go to the [Language Selection](language-selection-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md index 3cb96c9aa2..efbae636fc 100644 --- a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md @@ -1,35 +1,35 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Platform Selection page in the IEAK 11 Customization Wizard to pick the specs for your employee devices that will get the install package. -author: lomayor -ms.prod: ie11 -ms.assetid: 9cbf5abd-86f7-42b6-9810-0b606bbe8218 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Platform Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Platform Selection page in the IEAK 11 Wizard -The **Platform Selection** page of the Internet Explorer Customization Wizard 11 lets you pick the operating system and architecture (32-bit or 64-bit) for the devices on which you’re going to install the custom installation package. - -**To use the Platform Selection page** - -1. Pick the operating system and architecture for the devices on which you’re going to install the custom package.

          -You must create individual packages for each supported operating system.

          -**Note**
          To keep your settings across several operating system packages, you can specify the same destination folder. Then, after running the wizard, you can reuse the resulting .ins file. Any additional changes to the .ins file are saved. For more info about using .ins files, see [Using Internet Settings (.INS) files with IEAK 11](using-internet-settings-ins-files.md). For more info about adding in your .ins file, see [Use the File Locations page in the IEAK 11 Wizard](file-locations-ieak11-wizard.md). - -2. Click **Next** to go to the [Language Selection](language-selection-ieak11-wizard.md) page or **Back** to go to the [File Locations](file-locations-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Platform Selection page in the IEAK 11 Customization Wizard to pick the specs for your employee devices that will get the install package. +author: lomayor +ms.prod: ie11 +ms.assetid: 9cbf5abd-86f7-42b6-9810-0b606bbe8218 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Platform Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Platform Selection page in the IEAK 11 Wizard +The **Platform Selection** page of the Internet Explorer Customization Wizard 11 lets you pick the operating system and architecture (32-bit or 64-bit) for the devices on which you’re going to install the custom installation package. + +**To use the Platform Selection page** + +1. Pick the operating system and architecture for the devices on which you’re going to install the custom package.

          +You must create individual packages for each supported operating system.

          +**Note**
          To keep your settings across several operating system packages, you can specify the same destination folder. Then, after running the wizard, you can reuse the resulting .ins file. Any additional changes to the .ins file are saved. For more info about using .ins files, see [Using Internet Settings (.INS) files with IEAK 11](using-internet-settings-ins-files.md). For more info about adding in your .ins file, see [Use the File Locations page in the IEAK 11 Wizard](file-locations-ieak11-wizard.md). + +2. Click **Next** to go to the [Language Selection](language-selection-ieak11-wizard.md) page or **Back** to go to the [File Locations](file-locations-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md b/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md index 4579a356b2..56252cfd10 100644 --- a/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md @@ -1,35 +1,35 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: plan -description: Learn about what you need to do before you deploy your custom browser package using IEAK 11 over your network. -author: lomayor -ms.prod: ie11 -ms.assetid: 2c66d22a-4a94-47cc-82ab-7274abe1dfd6 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Before you install your package over your network using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Before you install your package over your network using IEAK 11 -Employees can install the custom browser package using a network server. However, you must either lower the intranet security level or make the server a trusted site. - -**To lower your intranet security** - -1. In Internet Explorer 11, click **Tools**, **Internet Options**, and then the **Security** tab. - -2. Click **Local intranet**, and then **Sites**. - -3. Uncheck **Automatically detect intranet network**, uncheck **Include all network paths (UNC)**, and then click **OK**. - -**To make your server a trusted site** - -1. From the **Security** tab, click **Trusted sites**, and then **Sites**. - -2. Type the location of the server with the downloadable custom browser package, and then click **Add**. - -3. Repeat this step for every server that will include the custom browser package for download. - +--- +ms.localizationpriority: medium +ms.mktglfcycl: plan +description: Learn about what you need to do before you deploy your custom browser package using IEAK 11 over your network. +author: lomayor +ms.prod: ie11 +ms.assetid: 2c66d22a-4a94-47cc-82ab-7274abe1dfd6 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Before you install your package over your network using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Before you install your package over your network using IEAK 11 +Employees can install the custom browser package using a network server. However, you must either lower the intranet security level or make the server a trusted site. + +**To lower your intranet security** + +1. In Internet Explorer 11, click **Tools**, **Internet Options**, and then the **Security** tab. + +2. Click **Local intranet**, and then **Sites**. + +3. Uncheck **Automatically detect intranet network**, uncheck **Include all network paths (UNC)**, and then click **OK**. + +**To make your server a trusted site** + +1. From the **Security** tab, click **Trusted sites**, and then **Sites**. + +2. Type the location of the server with the downloadable custom browser package, and then click **Add**. + +3. Repeat this step for every server that will include the custom browser package for download. + diff --git a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md index f3e5a30959..a4d2c384bb 100644 --- a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md @@ -1,39 +1,39 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Programs page in the IEAK 11 Customization Wizard to pick the default programs to use for Internet services. -author: lomayor -ms.prod: ie11 -ms.assetid: f715668f-a50d-4db0-b578-e6526fbfa1fc -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Programs page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Programs page in the IEAK 11 Wizard -The **Programs** page of the Internet Explorer Customization Wizard 11 lets you pick the default programs to use for Internet services, like email, contact lists, and newsgroups, by importing settings from your computer. - -**Important**
          The customizations you make on this page only apply to Internet Explorer for the desktop. - -**To use the Programs page** - -1. Determine whether you want to customize your connection settings. You can pick: - - - **Do not customize Program Settings.** Pick this option if you don’t want to set program associations for your employee’s devices.

          -OR-

          - - - **Import the current Program Settings.** Pick this option to import the program associations from your device and use them as the preset for your employee’s program settings.

          **Note**
          If you want to change any of your settings, you can click **Modify Settings** to open the **Internet Properties** box, click **Set associations**, and make your changes. - -2. Click **Next** to go to the [Additional Settings](additional-settings-ieak11-wizard.md) page or **Back** to go to the [Add a Root Certificate](add-root-certificate-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Programs page in the IEAK 11 Customization Wizard to pick the default programs to use for Internet services. +author: lomayor +ms.prod: ie11 +ms.assetid: f715668f-a50d-4db0-b578-e6526fbfa1fc +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Programs page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Programs page in the IEAK 11 Wizard +The **Programs** page of the Internet Explorer Customization Wizard 11 lets you pick the default programs to use for Internet services, like email, contact lists, and newsgroups, by importing settings from your computer. + +**Important**
          The customizations you make on this page only apply to Internet Explorer for the desktop. + +**To use the Programs page** + +1. Determine whether you want to customize your connection settings. You can pick: + + - **Do not customize Program Settings.** Pick this option if you don’t want to set program associations for your employee’s devices.

          -OR-

          + + - **Import the current Program Settings.** Pick this option to import the program associations from your device and use them as the preset for your employee’s program settings.

          **Note**
          If you want to change any of your settings, you can click **Modify Settings** to open the **Internet Properties** box, click **Set associations**, and make your changes. + +2. Click **Next** to go to the [Additional Settings](additional-settings-ieak11-wizard.md) page or **Back** to go to the [Add a Root Certificate](add-root-certificate-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md b/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md index 03b4bfee50..347e753856 100644 --- a/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md +++ b/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md @@ -1,181 +1,181 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Learn about how to use a proxy auto-configuration (.pac) file to specify an automatic proxy URL. -author: lomayor -ms.prod: ie11 -ms.assetid: 6c94708d-71bd-44bd-a445-7e6763b374ae -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use proxy auto-configuration (.pac) files with IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use proxy auto-configuration (.pac) files with IEAK 11 -These are various ways you can use a proxy auto-configuration (.pac) file to specify an automatic proxy URL. We've included some examples here to help guide you, but you'll need to change the proxy names, port numbers, and IP addresses to match your organization's info. - -Included examples: -- [Example 1: Connect directly if the host is local](#example-1-connect-directly-if-the-host-is-local) -- [Example 2: Connect directly if the host is inside the firewall](#example-2-connect-directly-if-the-host-is-inside-the-firewall) -- [Example 3: Connect directly if the host name is resolvable](#example-3-connect-directly-if-the-host-name-is-resolvable) -- [Example 4: Connect directly if the host is in specified subnet](#example-4-connect-directly-if-the-host-is-in-specified-subnet) -- [Example 5: Determine the connection type based on the host domain](#example-5-determine-the-connection-type-based-on-the-host-domain) -- [Example 6: Determine the connection type based on the protocol](#example-6-determine-the-connection-type-based-on-the-protocol) -- [Example 7: Determine the proxy server based on the host name matching the IP address](#example-7-determine-the-proxy-server-based-on-the-host-name-matching-the-ip-address) -- [Example 8: Connect using a proxy server if the host IP address matches the specified IP address](#example-8-connect-using-a-proxy-server-if-the-host-ip-address-matches-the-specified-ip-address) -- [Example 9: Connect using a proxy server if there are periods in the host name](#example-9-connect-using-a-proxy-server-if-there-are-periods-in-the-host-name) -- [Example 10: Connect using a proxy server based on specific days of the week](#example-10-connect-using-a-proxy-server-based-on-specific-days-of-the-week) - - -## Example 1: Connect directly if the host is local -In this example, if the host is local, it can connect directly. However, if the server isn't local, it must connect through a proxy server. Specifically, the `isPlainHostName` function looks to see if there are any periods (.) in the host name. If the function finds periods, it means the host isn’t local and it returns false. Otherwise, the function returns true. - -``` javascript -function FindProxyForURL(url, host) - { - if (isPlainHostName(host)) - return "DIRECT"; - else - return "PROXY proxy:80"; - } -``` -## Example 2: Connect directly if the host is inside the firewall -In this example, if the host is inside the firewall, it can connect directly. However, if the server is outside the firewall, it must connect through a proxy server. Specifically, the `localHostOrDomainIs` function only runs for URLs in the local domain. If the host domain name matches the provided domain information, the `dnsDomainIs` function returns true. - -``` javascript -function FindProxyForURL(url, host) - { - if ((isPlainHostName(host) || - dnsDomainIs(host, ".company.com")) && - !localHostOrDomainIs(host, "www.company.com") && - !localHostOrDoaminIs(host, "home.company.com")) - return "DIRECT"; - else - return "PROXY proxy:80"; -} -``` -## Example 3: Connect directly if the host name is resolvable -In this example, if the host name can be resolved, it can connect directly. However, if the name can’t be resolved, the server must connect through a proxy server. Specifically, this function requests the DNS server to resolve the host name it's passed. If the name can be resolved, a direct connection is made. If it can't, the connection is made using a proxy. This is particularly useful when an internal DNS server is used to resolve all internal host names. - -**Important**
          The `isResolvable` function queries a Domain Name System (DNS) server. References to Object Model objects, properties, or methods cause the proxy auto-configuration file to fail silently. For example, the references `window.open(...)`, `alert(...)`, and `password(...)` all cause the proxy auto-configuration file to fail. - -``` javascript -function FindProxyForURL(url, host) - { - if (isResolvable(host)) - return "DIRECT"; - else - return "PROXY proxy:80"; - } -``` - -## Example 4: Connect directly if the host is in specified subnet -In this example, if the host is in a specified subnet, it can connect directly. However, if the server is outside of the specified subnet, it must connect through a proxy server. Specifically, the `isInNet` (host, pattern, mask) function returns true if the host IP address matches the specified pattern. The mask indicates which part of the IP address to match (255=match, 0=ignore). - -**Important**
          The `isInNet` function queries a DNS server. References to Object Model objects, properties, or methods cause the proxy auto-configuration file to fail silently. For example, the references `window.open(...)`, `alert(...)`, and `password(...)` all cause the proxy auto-configuration file to fail. - -``` javascript -function FindProxyForURL(url, host) - { - if (isInNet(host, "999.99.9.9", "255.0.255.0")) - return "DIRECT"; - else - return "PROXY proxy:80"; - } -``` -## Example 5: Determine the connection type based on the host domain -In this example, if the host is local, the server can connect directly. However, if the host isn’t local, this function determines which proxy to use based on the host domain. Specifically, the `shExpMatch(str, shexp)` function returns true if `str` matches the `shexp` using shell expression patterns. This is particularly useful when the host domain name is one of the criteria for proxy selection. - -``` javascript -function FindProxyForURL(url, host) - { - if (isPlainHostName(host)) - return "DIRECT"; - else if (shExpMatch(host, "*.com")) - return "PROXY comproxy:80"; - else if (shExpMatch(host, "*.edu")) - return "PROXY eduproxy:80"; - else - return "PROXY proxy"; - } -``` -## Example 6: Determine the connection type based on the protocol -In this example, the in-use protocol is extracted from the server and used to make a proxy selection. If no protocol match occurs, the server is directly connected. Specifically the `substring` function extracts the specified number of characters from a string. This is particularly useful when protocol is one of the criteria for proxy selection. - -``` javascript -function FindProxyForURL(url, host) - { - if (url.substring(0, 5) == "http:") { - return "PROXY proxy:80"; - } - else if (url.substring(0, 4) == "ftp:") { - return "PROXY fproxy:80"; - } - else if (url.substring(0, 6) == "https:") { - return "PROXY secproxy:8080"; - } - else { - return "DIRECT"; - } - } -``` -## Example 7: Determine the proxy server based on the host name matching the IP address -In this example, the proxy server is selected by translating the host name into an IP address and then comparing the address to a specified string. - -**Important** 
          The `dnsResolve` function queries a DNS server. References to Object Model objects, properties, or methods cause the proxy auto-configuration file to fail silently. For example, the references `window.open(...)`, `alert(...)`, and `password(...)` all cause the proxy auto-configuration file to fail. - -``` javascript -function FindProxyForURL(url, host) - { - if (dnsResolve(host) == "999.99.99.999") { // = https://secproxy - return "PROXY secproxy:8080"; - } - else { - return "PROXY proxy:80"; - } - } -``` -## Example 8: Connect using a proxy server if the host IP address matches the specified IP address -In this example, the proxy server is selected by explicitly getting the IP address and then comparing it to a specified string. If no protocol match occurs, the server makes a direct connection. Specifically, the `myIpAddress` function returns the IP address (in integer-period format) for the host that the browser is running on. - -``` javascript -function FindProxyForURL(url, host) - { - if (myIpAddress() == "999.99.999.99") { - return "PROXY proxy:80"; - } - else { - return "DIRECT"; - } - } -``` -## Example 9: Connect using a proxy server if there are periods in the host name -In this example, the function looks to see if there are periods (.) in the host name. If there are any periods, the connection occurs using a proxy server. If there are no periods, a direct connection occurs. Specifically, the `dnsDomainLevels` function returns an integer equal to the number of periods in the host name. - -**Note**
          This is another way to determine connection types based on host name characteristics. - -``` javascript -function FindProxyForURL(url, host) - { - if (dnsDomainLevels(host) > 0) { // if the number of periods in host > 0 - return "PROXY proxy:80"; - } - return "DIRECT"; - } -``` -## Example 10: Connect using a proxy server based on specific days of the week -In this example, the function decides whether to connect to a proxy server, based on the days of the week. Connecting on days that don’t fall between the specified date parameters let the server make a direct connection. Specifically the `weekdayRange(day1 [,day2] [,GMT] )` function returns whether the current system time falls within the range specified by the parameters `day1`, `day2`, and `GMT`. Only the first parameter is required. The GMT parameter presumes time values are in Greenwich Mean Time rather than the local time zone. This function is particularly useful for situations where you want to use a proxy server for heavy traffic times, but allow a direct connection when traffic is light. - -``` javascript -function FindProxyForURL(url, host) - { - if(weekdayRange("WED", "SAT", "GMT")) - return "PROXY proxy:80"; - else - return "DIRECT"; - } -``` - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Learn about how to use a proxy auto-configuration (.pac) file to specify an automatic proxy URL. +author: lomayor +ms.prod: ie11 +ms.assetid: 6c94708d-71bd-44bd-a445-7e6763b374ae +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use proxy auto-configuration (.pac) files with IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use proxy auto-configuration (.pac) files with IEAK 11 +These are various ways you can use a proxy auto-configuration (.pac) file to specify an automatic proxy URL. We've included some examples here to help guide you, but you'll need to change the proxy names, port numbers, and IP addresses to match your organization's info. + +Included examples: +- [Example 1: Connect directly if the host is local](#example-1-connect-directly-if-the-host-is-local) +- [Example 2: Connect directly if the host is inside the firewall](#example-2-connect-directly-if-the-host-is-inside-the-firewall) +- [Example 3: Connect directly if the host name is resolvable](#example-3-connect-directly-if-the-host-name-is-resolvable) +- [Example 4: Connect directly if the host is in specified subnet](#example-4-connect-directly-if-the-host-is-in-specified-subnet) +- [Example 5: Determine the connection type based on the host domain](#example-5-determine-the-connection-type-based-on-the-host-domain) +- [Example 6: Determine the connection type based on the protocol](#example-6-determine-the-connection-type-based-on-the-protocol) +- [Example 7: Determine the proxy server based on the host name matching the IP address](#example-7-determine-the-proxy-server-based-on-the-host-name-matching-the-ip-address) +- [Example 8: Connect using a proxy server if the host IP address matches the specified IP address](#example-8-connect-using-a-proxy-server-if-the-host-ip-address-matches-the-specified-ip-address) +- [Example 9: Connect using a proxy server if there are periods in the host name](#example-9-connect-using-a-proxy-server-if-there-are-periods-in-the-host-name) +- [Example 10: Connect using a proxy server based on specific days of the week](#example-10-connect-using-a-proxy-server-based-on-specific-days-of-the-week) + + +## Example 1: Connect directly if the host is local +In this example, if the host is local, it can connect directly. However, if the server isn't local, it must connect through a proxy server. Specifically, the `isPlainHostName` function looks to see if there are any periods (.) in the host name. If the function finds periods, it means the host isn’t local and it returns false. Otherwise, the function returns true. + +``` javascript +function FindProxyForURL(url, host) + { + if (isPlainHostName(host)) + return "DIRECT"; + else + return "PROXY proxy:80"; + } +``` +## Example 2: Connect directly if the host is inside the firewall +In this example, if the host is inside the firewall, it can connect directly. However, if the server is outside the firewall, it must connect through a proxy server. Specifically, the `localHostOrDomainIs` function only runs for URLs in the local domain. If the host domain name matches the provided domain information, the `dnsDomainIs` function returns true. + +``` javascript +function FindProxyForURL(url, host) + { + if ((isPlainHostName(host) || + dnsDomainIs(host, ".company.com")) && + !localHostOrDomainIs(host, "www.company.com") && + !localHostOrDoaminIs(host, "home.company.com")) + return "DIRECT"; + else + return "PROXY proxy:80"; +} +``` +## Example 3: Connect directly if the host name is resolvable +In this example, if the host name can be resolved, it can connect directly. However, if the name can’t be resolved, the server must connect through a proxy server. Specifically, this function requests the DNS server to resolve the host name it's passed. If the name can be resolved, a direct connection is made. If it can't, the connection is made using a proxy. This is particularly useful when an internal DNS server is used to resolve all internal host names. + +**Important**
          The `isResolvable` function queries a Domain Name System (DNS) server. References to Object Model objects, properties, or methods cause the proxy auto-configuration file to fail silently. For example, the references `window.open(...)`, `alert(...)`, and `password(...)` all cause the proxy auto-configuration file to fail. + +``` javascript +function FindProxyForURL(url, host) + { + if (isResolvable(host)) + return "DIRECT"; + else + return "PROXY proxy:80"; + } +``` + +## Example 4: Connect directly if the host is in specified subnet +In this example, if the host is in a specified subnet, it can connect directly. However, if the server is outside of the specified subnet, it must connect through a proxy server. Specifically, the `isInNet` (host, pattern, mask) function returns true if the host IP address matches the specified pattern. The mask indicates which part of the IP address to match (255=match, 0=ignore). + +**Important**
          The `isInNet` function queries a DNS server. References to Object Model objects, properties, or methods cause the proxy auto-configuration file to fail silently. For example, the references `window.open(...)`, `alert(...)`, and `password(...)` all cause the proxy auto-configuration file to fail. + +``` javascript +function FindProxyForURL(url, host) + { + if (isInNet(host, "999.99.9.9", "255.0.255.0")) + return "DIRECT"; + else + return "PROXY proxy:80"; + } +``` +## Example 5: Determine the connection type based on the host domain +In this example, if the host is local, the server can connect directly. However, if the host isn’t local, this function determines which proxy to use based on the host domain. Specifically, the `shExpMatch(str, shexp)` function returns true if `str` matches the `shexp` using shell expression patterns. This is particularly useful when the host domain name is one of the criteria for proxy selection. + +``` javascript +function FindProxyForURL(url, host) + { + if (isPlainHostName(host)) + return "DIRECT"; + else if (shExpMatch(host, "*.com")) + return "PROXY comproxy:80"; + else if (shExpMatch(host, "*.edu")) + return "PROXY eduproxy:80"; + else + return "PROXY proxy"; + } +``` +## Example 6: Determine the connection type based on the protocol +In this example, the in-use protocol is extracted from the server and used to make a proxy selection. If no protocol match occurs, the server is directly connected. Specifically the `substring` function extracts the specified number of characters from a string. This is particularly useful when protocol is one of the criteria for proxy selection. + +``` javascript +function FindProxyForURL(url, host) + { + if (url.substring(0, 5) == "http:") { + return "PROXY proxy:80"; + } + else if (url.substring(0, 4) == "ftp:") { + return "PROXY fproxy:80"; + } + else if (url.substring(0, 6) == "https:") { + return "PROXY secproxy:8080"; + } + else { + return "DIRECT"; + } + } +``` +## Example 7: Determine the proxy server based on the host name matching the IP address +In this example, the proxy server is selected by translating the host name into an IP address and then comparing the address to a specified string. + +**Important** 
          The `dnsResolve` function queries a DNS server. References to Object Model objects, properties, or methods cause the proxy auto-configuration file to fail silently. For example, the references `window.open(...)`, `alert(...)`, and `password(...)` all cause the proxy auto-configuration file to fail. + +``` javascript +function FindProxyForURL(url, host) + { + if (dnsResolve(host) == "999.99.99.999") { // = https://secproxy + return "PROXY secproxy:8080"; + } + else { + return "PROXY proxy:80"; + } + } +``` +## Example 8: Connect using a proxy server if the host IP address matches the specified IP address +In this example, the proxy server is selected by explicitly getting the IP address and then comparing it to a specified string. If no protocol match occurs, the server makes a direct connection. Specifically, the `myIpAddress` function returns the IP address (in integer-period format) for the host that the browser is running on. + +``` javascript +function FindProxyForURL(url, host) + { + if (myIpAddress() == "999.99.999.99") { + return "PROXY proxy:80"; + } + else { + return "DIRECT"; + } + } +``` +## Example 9: Connect using a proxy server if there are periods in the host name +In this example, the function looks to see if there are periods (.) in the host name. If there are any periods, the connection occurs using a proxy server. If there are no periods, a direct connection occurs. Specifically, the `dnsDomainLevels` function returns an integer equal to the number of periods in the host name. + +**Note**
          This is another way to determine connection types based on host name characteristics. + +``` javascript +function FindProxyForURL(url, host) + { + if (dnsDomainLevels(host) > 0) { // if the number of periods in host > 0 + return "PROXY proxy:80"; + } + return "DIRECT"; + } +``` +## Example 10: Connect using a proxy server based on specific days of the week +In this example, the function decides whether to connect to a proxy server, based on the days of the week. Connecting on days that don’t fall between the specified date parameters let the server make a direct connection. Specifically the `weekdayRange(day1 [,day2] [,GMT] )` function returns whether the current system time falls within the range specified by the parameters `day1`, `day2`, and `GMT`. Only the first parameter is required. The GMT parameter presumes time values are in Greenwich Mean Time rather than the local time zone. This function is particularly useful for situations where you want to use a proxy server for heavy traffic times, but allow a direct connection when traffic is light. + +``` javascript +function FindProxyForURL(url, host) + { + if(weekdayRange("WED", "SAT", "GMT")) + return "PROXY proxy:80"; + else + return "DIRECT"; + } +``` + diff --git a/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md index 8210cccc8e..5b10604a11 100644 --- a/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md @@ -1,30 +1,30 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Use the \[Proxy\] .INS file setting to define whether to use a proxy server. -author: lomayor -ms.prod: ie11 -ms.assetid: 30b03c2f-e3e5-48d2-9007-e3fd632f3c18 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Proxy .INS file to specify a proxy server (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Proxy .INS file to specify a proxy server -Info about whether to use a proxy server. If yes, this also includes the host names for the proxy server. - -|Name |Value |Description | -|-----|------|------------| -|FTP_Proxy_Server |`` |The host name for the FTP proxy server. | -|Gopher_Proxy_Server |`` |We no longer support Gopher Server. | -|HTTP_Proxy_Server |`` |The host name for the HTTP proxy server. | -|Proxy_Enable |

          • **0.** Don’t use a proxy server.
          • **1.** Use a proxy server.
          |Determines whether to use a proxy server. | -|Proxy_Override |`` |The host name for the proxy server. For example, ``. | -|Secure_Proxy_Server |`` |The host name for the secure proxy server. | -|Socks_Proxy_Server |`` |The host name for the SOCKS proxy server. | -|Use_Same_Proxy |
          • **0.** Don’t use the same proxy server for all services.
          • **1.** Use the same proxy server for all services.
          |Determines whether to use a single proxy server for all services. | - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Use the \[Proxy\] .INS file setting to define whether to use a proxy server. +author: lomayor +ms.prod: ie11 +ms.assetid: 30b03c2f-e3e5-48d2-9007-e3fd632f3c18 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Proxy .INS file to specify a proxy server (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Proxy .INS file to specify a proxy server +Info about whether to use a proxy server. If yes, this also includes the host names for the proxy server. + +|Name |Value |Description | +|-----|------|------------| +|FTP_Proxy_Server |`` |The host name for the FTP proxy server. | +|Gopher_Proxy_Server |`` |We no longer support Gopher Server. | +|HTTP_Proxy_Server |`` |The host name for the HTTP proxy server. | +|Proxy_Enable |
          • **0.** Don’t use a proxy server.
          • **1.** Use a proxy server.
          |Determines whether to use a proxy server. | +|Proxy_Override |`` |The host name for the proxy server. For example, ``. | +|Secure_Proxy_Server |`` |The host name for the secure proxy server. | +|Socks_Proxy_Server |`` |The host name for the SOCKS proxy server. | +|Use_Same_Proxy |
          • **0.** Don’t use the same proxy server for all services.
          • **1.** Use the same proxy server for all services.
          |Determines whether to use a single proxy server for all services. | + diff --git a/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md index 76a1a40aac..8ee40e8323 100644 --- a/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md @@ -1,55 +1,55 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Proxy Settings page in the IEAK 11 Customization Wizard to pick the proxy servers used to connect to required services. -author: lomayor -ms.prod: ie11 -ms.assetid: 1fa1eee3-e97d-41fa-a48c-4a6e0dc8b544 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Proxy Settings page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Proxy Settings page in the IEAK 11 Wizard -The **Proxy Settings** page of the Internet Explorer Customization Wizard 11 lets you pick the proxy servers used by your employees to connect for services required by the custom install package. - -Using a proxy server lets you limit access to the Internet. You can also use the **Additional Settings** page of the wizard to further restrict your employees from changing the proxy settings. - -**To use the Proxy Settings page** - -1. Check the **Enable proxy settings** box if you want to use proxy servers for any of your services. - -2. Type the address of the proxy server you want to use for your services into the **Address of proxy** box. In most cases, a single proxy server is used for all of your services.

          -Proxy locations that don’t begin with a protocol (like, https:// or ftp://) are assumed to be a CERN-type HTTP proxy. For example, the entry *proxy* is treated the same as the entry `https://proxy`. - -3. Type the port for each service. The default value is *80*. - -4. Check the **Use the same proxy server for all addresses** box to use the same proxy server settings for all of your services. - -5. Type any services that shouldn’t use a proxy server into the **Do not use proxy server for addresses beginning with** box.

          -When filling out your exceptions, keep in mind: - - - Proxy bypass entries can begin with a protocol type, such as https://, https://, or ftp://. However, if a protocol type is used, the exception entry applies only to requests for that protocol. - - - Protocol values are not case sensitive and you can use a wildcard character (*) in place of zero or more characters. - - - You must use a semicolon between your entries. - - - This list is limited to **2064** characters. - -6. Check the **Do not use proxy server for local (intranet) addresses** to bypass your proxy servers for all addresses on your intranet. - -7. Click **Next** to go to the [Security and Privacy Settings](security-and-privacy-settings-ieak11-wizard.md) page or **Back** to go to the [Automatic Configuration](auto-config-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Proxy Settings page in the IEAK 11 Customization Wizard to pick the proxy servers used to connect to required services. +author: lomayor +ms.prod: ie11 +ms.assetid: 1fa1eee3-e97d-41fa-a48c-4a6e0dc8b544 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Proxy Settings page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Proxy Settings page in the IEAK 11 Wizard +The **Proxy Settings** page of the Internet Explorer Customization Wizard 11 lets you pick the proxy servers used by your employees to connect for services required by the custom install package. + +Using a proxy server lets you limit access to the Internet. You can also use the **Additional Settings** page of the wizard to further restrict your employees from changing the proxy settings. + +**To use the Proxy Settings page** + +1. Check the **Enable proxy settings** box if you want to use proxy servers for any of your services. + +2. Type the address of the proxy server you want to use for your services into the **Address of proxy** box. In most cases, a single proxy server is used for all of your services.

          +Proxy locations that don’t begin with a protocol (like, https:// or ftp://) are assumed to be a CERN-type HTTP proxy. For example, the entry *proxy* is treated the same as the entry `https://proxy`. + +3. Type the port for each service. The default value is *80*. + +4. Check the **Use the same proxy server for all addresses** box to use the same proxy server settings for all of your services. + +5. Type any services that shouldn’t use a proxy server into the **Do not use proxy server for addresses beginning with** box.

          +When filling out your exceptions, keep in mind: + + - Proxy bypass entries can begin with a protocol type, such as https://, https://, or ftp://. However, if a protocol type is used, the exception entry applies only to requests for that protocol. + + - Protocol values are not case sensitive and you can use a wildcard character (*) in place of zero or more characters. + + - You must use a semicolon between your entries. + + - This list is limited to **2064** characters. + +6. Check the **Do not use proxy server for local (intranet) addresses** to bypass your proxy servers for all addresses on your intranet. + +7. Click **Next** to go to the [Security and Privacy Settings](security-and-privacy-settings-ieak11-wizard.md) page or **Back** to go to the [Automatic Configuration](auto-config-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md b/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md index a58ac249bf..0a26a051db 100644 --- a/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md @@ -1,28 +1,28 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Learn how to register an uninstall app for your custom components, using IEAK 11. -author: lomayor -ms.prod: ie11 -ms.assetid: 4da1d408-af4a-4c89-a491-d6f005fd5005 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Register an uninstall app for custom components using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) -ms.date: 07/27/2017 ---- - - -# Register an uninstall app for custom components using IEAK 11 -Register the uninstall apps for any custom components you’ve included in your Internet Explorer 11 package. Registering these apps lets your employees remove the components later, using **Uninstall or change a program** in the Control Panel. - -## Register your uninstallation program -While you’re running your custom component setup process, your app can add information to the subkeys in the `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ApplicationName` registry key, registering your uninstallation program. - -**Note**
          IE11 also uses this registry key to verify that the component installed successfully during setup. - -|Subkey |Data type |Value | -|-------|----------|-----------| -|DisplayName |*string* |Friendly name for your uninstall app. This name must match your **Uninstall Key** in the **Add a Custom Component** page of the Internet Explorer Customization Wizard 11. For more info, see the [Custom Components](custom-components-ieak11-wizard.md) page. | -|UninstallString |*string* |Full command-line text, including the path, to uninstall your component. You must not use a batch file or a sub-process. | - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Learn how to register an uninstall app for your custom components, using IEAK 11. +author: lomayor +ms.prod: ie11 +ms.assetid: 4da1d408-af4a-4c89-a491-d6f005fd5005 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Register an uninstall app for custom components using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.date: 07/27/2017 +--- + + +# Register an uninstall app for custom components using IEAK 11 +Register the uninstall apps for any custom components you’ve included in your Internet Explorer 11 package. Registering these apps lets your employees remove the components later, using **Uninstall or change a program** in the Control Panel. + +## Register your uninstallation program +While you’re running your custom component setup process, your app can add information to the subkeys in the `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ApplicationName` registry key, registering your uninstallation program. + +**Note**
          IE11 also uses this registry key to verify that the component installed successfully during setup. + +|Subkey |Data type |Value | +|-------|----------|-----------| +|DisplayName |*string* |Friendly name for your uninstall app. This name must match your **Uninstall Key** in the **Add a Custom Component** page of the Internet Explorer Customization Wizard 11. For more info, see the [Custom Components](custom-components-ieak11-wizard.md) page. | +|UninstallString |*string* |Full command-line text, including the path, to uninstall your component. You must not use a batch file or a sub-process. | + diff --git a/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md b/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md index c740428fd7..db2bad72cd 100644 --- a/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md @@ -1,46 +1,46 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: manage -description: Learn how to use the Resultant Set of Policy (RSoP) snap-in to view your policy settings. -author: lomayor -ms.prod: ie11 -ms.assetid: 0f21b320-e879-4a06-8589-aae6fc264666 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the RSoP snap-in to review policy settings (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Using the Resultant Set of Policy (RSoP) snap-in to review policy settings -After you’ve deployed your custom Internet Explorer package to your employees, you can use the Resultant Set of Policy (RSoP) snap-in to view your created policy settings. The RSoP snap-in is a two-step process. First, you run the RSoP wizard to determine what information should be viewed. Second, you open the specific items in the console window to view the settings. For complete instructions about how to use RSoP, see [Resultant Set of Policy](https://go.microsoft.com/fwlink/p/?LinkId=259479). - -**To add the RSoP snap-in** - -1. On the **Start** screen, type *MMC*.

          -The Microsoft Management Console opens. - -2. Click **File**, and then click **Add/Remove Snap-in**. - -3. In the **Available snap-ins** window, go down to the **Resultant Set of Policy** snap-in option, click **Add**, and then click **OK**.

          -You’re now ready to use the RSoP snap-in from the console. - -**To use the RSoP snap-in** - -1. Right-click **Resultant Set of Policy** and then click **Generate RSoP Data**.

          -You’ll only need to go through the resulting RSoP Wizard first time you run the snap-in. - -2. Click **Next** on the **Welcome** screen. - -3. Under **Computer Configuration**, click **Administrative Templates**, click **Windows Components**, click **IE**, and then click the feature you want to review the policy settings for. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: manage +description: Learn how to use the Resultant Set of Policy (RSoP) snap-in to view your policy settings. +author: lomayor +ms.prod: ie11 +ms.assetid: 0f21b320-e879-4a06-8589-aae6fc264666 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the RSoP snap-in to review policy settings (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Using the Resultant Set of Policy (RSoP) snap-in to review policy settings +After you’ve deployed your custom Internet Explorer package to your employees, you can use the Resultant Set of Policy (RSoP) snap-in to view your created policy settings. The RSoP snap-in is a two-step process. First, you run the RSoP wizard to determine what information should be viewed. Second, you open the specific items in the console window to view the settings. For complete instructions about how to use RSoP, see [Resultant Set of Policy](https://go.microsoft.com/fwlink/p/?LinkId=259479). + +**To add the RSoP snap-in** + +1. On the **Start** screen, type *MMC*.

          +The Microsoft Management Console opens. + +2. Click **File**, and then click **Add/Remove Snap-in**. + +3. In the **Available snap-ins** window, go down to the **Resultant Set of Policy** snap-in option, click **Add**, and then click **OK**.

          +You’re now ready to use the RSoP snap-in from the console. + +**To use the RSoP snap-in** + +1. Right-click **Resultant Set of Policy** and then click **Generate RSoP Data**.

          +You’ll only need to go through the resulting RSoP Wizard first time you run the snap-in. + +2. Click **Next** on the **Welcome** screen. + +3. Under **Computer Configuration**, click **Administrative Templates**, click **Windows Components**, click **IE**, and then click the feature you want to review the policy settings for. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md index 24fb8137bc..2f2c8052cf 100644 --- a/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md @@ -1,56 +1,56 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Search Providers page in the IEAK 11 Customization Wizard to add additional providers and set the default. -author: lomayor -ms.prod: ie11 -ms.assetid: 48cfaba5-f4c0-493c-b656-445311b7bc52 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Search Providers page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Search Providers page in the IEAK 11 Wizard -The **Search Providers** page of the Internet Explorer Customization Wizard 11 lets you add a default search provider (typically, Bing®) and additional providers to your custom version of IE. - -**Note**
          The Internet Explorer Customization Wizard 11 offers improved and extended search settings. However, you can still optionally include support for Search Suggestions and Favicons, as well as Accelerator previews by using an .ins file from a previous version of IEAK. - -**To use the Search Providers page** - -1. Click **Import** to automatically import your existing search providers from your current version of IE into this list. - -2. Click **Add** to add more providers.

          -The **Search Provider** box appears. - -3. In the **Display Name** box, type the text that appears in the **Search Options** menu for the search provider. - -4. In the **URL** box, type the full URL to the search provider, including the https:// prefix. - -5. In the **Favicon URL** box, type the full URL to any icon to associate with your provider. - -6. In the **Suggestions URL (XML)** box, type the associated search suggestions in XML format. - -7. In the **Suggestions URL (JSON)** box, type the associated search suggestions in JavaScript Object Notation format. - -8. In the **Accelerator Preview URL** box, type the associated Accelerator preview URL for each provider, if it’s necessary. - -9. Check the **Display Search Suggestions for this provider** box to turn on search suggestions for the provider, and then click **OK**. - -10. Check the **Search Guide URL Customization** box if you’re going to add your search providers to a custom webpage for your employees. Then, type the URL to the custom webpage in the text box. - -11. Click **Edit** to change your search provider information, click **Set Default** to make a search provider the default for your employees, or **Remove** to delete a search provider. - -12. Click **Next** to go to the [Important URLs - Home Page and Support](important-urls-home-page-and-support-ieak11-wizard.md) page or **Back** to go to the [Browser User Interface](browser-ui-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Search Providers page in the IEAK 11 Customization Wizard to add additional providers and set the default. +author: lomayor +ms.prod: ie11 +ms.assetid: 48cfaba5-f4c0-493c-b656-445311b7bc52 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Search Providers page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Search Providers page in the IEAK 11 Wizard +The **Search Providers** page of the Internet Explorer Customization Wizard 11 lets you add a default search provider (typically, Bing®) and additional providers to your custom version of IE. + +**Note**
          The Internet Explorer Customization Wizard 11 offers improved and extended search settings. However, you can still optionally include support for Search Suggestions and Favicons, as well as Accelerator previews by using an .ins file from a previous version of IEAK. + +**To use the Search Providers page** + +1. Click **Import** to automatically import your existing search providers from your current version of IE into this list. + +2. Click **Add** to add more providers.

          +The **Search Provider** box appears. + +3. In the **Display Name** box, type the text that appears in the **Search Options** menu for the search provider. + +4. In the **URL** box, type the full URL to the search provider, including the https:// prefix. + +5. In the **Favicon URL** box, type the full URL to any icon to associate with your provider. + +6. In the **Suggestions URL (XML)** box, type the associated search suggestions in XML format. + +7. In the **Suggestions URL (JSON)** box, type the associated search suggestions in JavaScript Object Notation format. + +8. In the **Accelerator Preview URL** box, type the associated Accelerator preview URL for each provider, if it’s necessary. + +9. Check the **Display Search Suggestions for this provider** box to turn on search suggestions for the provider, and then click **OK**. + +10. Check the **Search Guide URL Customization** box if you’re going to add your search providers to a custom webpage for your employees. Then, type the URL to the custom webpage in the text box. + +11. Click **Edit** to change your search provider information, click **Set Default** to make a search provider the default for your employees, or **Remove** to delete a search provider. + +12. Click **Next** to go to the [Important URLs - Home Page and Support](important-urls-home-page-and-support-ieak11-wizard.md) page or **Back** to go to the [Browser User Interface](browser-ui-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md b/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md index 8a9dc3eaf9..9db3006a23 100644 --- a/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md @@ -1,65 +1,65 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: plan -description: Learn about the security features available in Internet Explorer 11 and IEAK 11. -author: lomayor -ms.prod: ie11 -ms.assetid: 5b64c9cb-f8da-411a-88e4-fa69dea473e2 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Security features and IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Security features and IEAK 11 -Use Internet Explorer in conjunction with your new and existing security measures, to make sure the computers in your company aren’t compromised while on the Internet. - -## Enhanced Protection Mode -Extends Protected Mode to further restrict the ability of an attacker to access sensitive or personal information in personal and corporate environments, including: - -- Restricting access to higher-level processes in the AppContainer. - -- Improving security against memory safety exploits in 64-bit tab processes. - -This feature is turned off by default. For more info, see [Enhanced Protected Mode problems with Internet Explorer](../ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md). - -## Certificates and Digital Signatures -Web browsers have security features that help protect users from downloading harmful programs. Depending on the security level and the platform that you are using, the user may be prevented from, or warned against, downloading programs that are not digitally signed. Digital signatures show users where programs come from, verify that the programs have not been altered, and ensure that users do not receive unnecessary warnings when installing the custom browser. - -Because of this, the custom .cab files created by the Internet Explorer Customization Wizard should be signed, unless you pre-configure the Local intranet zone with a Low security setting. Any custom components you distribute with your browser package for these platforms should also be signed. - -### Understanding digital certificates -To sign your package and custom programs digitally, you must first obtain a digital certificate. You can obtain a certificate from a certification authority or a privately-controlled certificate server. For more info about obtaining certificates or setting up a certificate server, see the following: - -- Microsoft-trusted certification authorities ([Windows root certificate program requirements](https://go.microsoft.com/fwlink/p/?LinkId=759697)). - -- Certificates overview documentation ([Certificates](https://go.microsoft.com/fwlink/p/?LinkId=759698)). - -- Microsoft Active Directory Certificate Services ( [Active Directory Certificate Services](https://go.microsoft.com/fwlink/p/?LinkId=259521)). - -- Enterprise public key infrastructure (PKI) snap-in documentation ([Enterprise PKI](https://go.microsoft.com/fwlink/p/?LinkId=259526)). - -After you get a certificate, you should note the public and private keys, which are a matched set of keys that are created by the software publisher for encryption and decryption. They are generated on your device at the time the certificate is requested, and your private key is never sent to the certification authority or any other party. - -### Understanding code signing -Code signing varies, depening on how you plan to distribute your custom install package. - -- **If you plan to distribute custom packages over the Internet**, you must sign all custom components and the CMAK profile package (if used). Before you start the Internet Explorer Customization Wizard, make sure that both are signed. Typically, their respective manufacturers will have signed them. Otherwise, you can sign these using the Sign Tool (SignTool.exe) ( [SignTool.exe (Sign Tool)](https://go.microsoft.com/fwlink/p/?LinkId=71298)) or use the File Signing Tool (Signcode.exe) ([Signcode.exe (File Signing Tool)](https://go.microsoft.com/fwlink/p/?LinkId=71299)). You should read the documentation included with these tools for more info about all of the signing options.

          -In addition, after you run the Internet Explorer Customization Wizard, we highly recommend that you sign the IEAK package and the branding.cab file (if you are using it separately from the package). You can do this also using the tools mentioned above. For more information, download Code-Signing Best Practices ([Code-Signing Best Practices](https://go.microsoft.com/fwlink/p/?LinkId=71300)). - -- **If you plan to distribute your custom packages over an intranet**, sign the custom files or preconfigure the Local intranet zone with a Low security setting, because the default security setting does not allow users to download unsigned programs or code. - -### Understanding your private key -Your device creates two keys during the enrollment process of your digital certificate. One is a public key, which is sent to anyone you want to communicate with, and one is a private key, which is stored on your local device and must be kept secret. You use the private key to encrypt your data and the corresponding public key to decrypt it. - -You must keep your private key, private. To do this, we recommend: - -- **Separate test and release signing.** Set up a parallel code signing infrastructure, using test certificates created by an internal test root certificate authority. This helps to ensure that your certificates aren’t stored on an insecure build system, reducing the likelihood that they will be compromised. - -- **Tamper-proof storage.** Save your private keys on secure, tamper-proof hardware devices. - -- **Security.** Protect your private keys using physical security measures, such as cameras and card readers. - +--- +ms.localizationpriority: medium +ms.mktglfcycl: plan +description: Learn about the security features available in Internet Explorer 11 and IEAK 11. +author: lomayor +ms.prod: ie11 +ms.assetid: 5b64c9cb-f8da-411a-88e4-fa69dea473e2 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Security features and IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Security features and IEAK 11 +Use Internet Explorer in conjunction with your new and existing security measures, to make sure the computers in your company aren’t compromised while on the Internet. + +## Enhanced Protection Mode +Extends Protected Mode to further restrict the ability of an attacker to access sensitive or personal information in personal and corporate environments, including: + +- Restricting access to higher-level processes in the AppContainer. + +- Improving security against memory safety exploits in 64-bit tab processes. + +This feature is turned off by default. For more info, see [Enhanced Protected Mode problems with Internet Explorer](../ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md). + +## Certificates and Digital Signatures +Web browsers have security features that help protect users from downloading harmful programs. Depending on the security level and the platform that you are using, the user may be prevented from, or warned against, downloading programs that are not digitally signed. Digital signatures show users where programs come from, verify that the programs have not been altered, and ensure that users do not receive unnecessary warnings when installing the custom browser. + +Because of this, the custom .cab files created by the Internet Explorer Customization Wizard should be signed, unless you pre-configure the Local intranet zone with a Low security setting. Any custom components you distribute with your browser package for these platforms should also be signed. + +### Understanding digital certificates +To sign your package and custom programs digitally, you must first obtain a digital certificate. You can obtain a certificate from a certification authority or a privately-controlled certificate server. For more info about obtaining certificates or setting up a certificate server, see the following: + +- Microsoft-trusted certification authorities ([Windows root certificate program requirements](https://go.microsoft.com/fwlink/p/?LinkId=759697)). + +- Certificates overview documentation ([Certificates](https://go.microsoft.com/fwlink/p/?LinkId=759698)). + +- Microsoft Active Directory Certificate Services ( [Active Directory Certificate Services](https://go.microsoft.com/fwlink/p/?LinkId=259521)). + +- Enterprise public key infrastructure (PKI) snap-in documentation ([Enterprise PKI](https://go.microsoft.com/fwlink/p/?LinkId=259526)). + +After you get a certificate, you should note the public and private keys, which are a matched set of keys that are created by the software publisher for encryption and decryption. They are generated on your device at the time the certificate is requested, and your private key is never sent to the certification authority or any other party. + +### Understanding code signing +Code signing varies, depening on how you plan to distribute your custom install package. + +- **If you plan to distribute custom packages over the Internet**, you must sign all custom components and the CMAK profile package (if used). Before you start the Internet Explorer Customization Wizard, make sure that both are signed. Typically, their respective manufacturers will have signed them. Otherwise, you can sign these using the Sign Tool (SignTool.exe) ( [SignTool.exe (Sign Tool)](https://go.microsoft.com/fwlink/p/?LinkId=71298)) or use the File Signing Tool (Signcode.exe) ([Signcode.exe (File Signing Tool)](https://go.microsoft.com/fwlink/p/?LinkId=71299)). You should read the documentation included with these tools for more info about all of the signing options.

          +In addition, after you run the Internet Explorer Customization Wizard, we highly recommend that you sign the IEAK package and the branding.cab file (if you are using it separately from the package). You can do this also using the tools mentioned above. For more information, download Code-Signing Best Practices ([Code-Signing Best Practices](https://go.microsoft.com/fwlink/p/?LinkId=71300)). + +- **If you plan to distribute your custom packages over an intranet**, sign the custom files or preconfigure the Local intranet zone with a Low security setting, because the default security setting does not allow users to download unsigned programs or code. + +### Understanding your private key +Your device creates two keys during the enrollment process of your digital certificate. One is a public key, which is sent to anyone you want to communicate with, and one is a private key, which is stored on your local device and must be kept secret. You use the private key to encrypt your data and the corresponding public key to decrypt it. + +You must keep your private key, private. To do this, we recommend: + +- **Separate test and release signing.** Set up a parallel code signing infrastructure, using test certificates created by an internal test root certificate authority. This helps to ensure that your certificates aren’t stored on an insecure build system, reducing the likelihood that they will be compromised. + +- **Tamper-proof storage.** Save your private keys on secure, tamper-proof hardware devices. + +- **Security.** Protect your private keys using physical security measures, such as cameras and card readers. + diff --git a/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md index 8dd5b81f5a..007b61208d 100644 --- a/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md @@ -1,43 +1,43 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Security and Privacy Settings page in the IEAK 11 Customization Wizard to manage your security zones, privacy settings, and content ratings. -author: lomayor -ms.prod: ie11 -ms.assetid: cb7cd1df-6a79-42f6-b3a1-8ae467053f82 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Security and Privacy Settings page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Security and Privacy Settings page in the IEAK 11 Wizard -The **Security and Privacy Settings** page of the Internet Explorer Customization Wizard 11 lets you manage your security zones, privacy settings, and content ratings. These settings help restrict the types of content your employees can access from the Internet, including any content that might be considered offensive or otherwise inappropriate in a corporate setting. - -**To use the Security and Privacy Settings page** - -1. Decide if you want to customize your security zones and privacy settings. You can pick: - - - **Do not customize security zones and privacy.** Pick this option if you don’t want to customize your security zones and privacy settings. - - - **Import the current security zones and privacy.** Pick this option to import your security zone and privacy settings from your computer and use them as the preset for your employee’s settings.

          **Note**
          To change your settings, click **Modify Settings** to open the **Internet Properties** box, and then click the **Security** and **Privacy** tabs to make your changes. - -2. Decide if you want to customize your content ratings. You can pick: - - - **Do not customize content ratings.** Pick this option if you don’t want to customize content ratings. - - - **Import the current content ratings settings.** Pick this option to import your content rating settings from your computer and use them as the preset for your employee’s settings.

          **Note**
          Not all Internet content is rated. If you choose to allow users to view unrated sites, some of those sites could contain inappropriate material. To change your settings, click **Modify Settings** to open the **Content Advisor** box, where you can make your changes. - -3. Click **Next** to go to the [Add a Root Certificate](add-root-certificate-ieak11-wizard.md) page or **Back** to go to the [Proxy Settings](proxy-settings-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Security and Privacy Settings page in the IEAK 11 Customization Wizard to manage your security zones, privacy settings, and content ratings. +author: lomayor +ms.prod: ie11 +ms.assetid: cb7cd1df-6a79-42f6-b3a1-8ae467053f82 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Security and Privacy Settings page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Security and Privacy Settings page in the IEAK 11 Wizard +The **Security and Privacy Settings** page of the Internet Explorer Customization Wizard 11 lets you manage your security zones, privacy settings, and content ratings. These settings help restrict the types of content your employees can access from the Internet, including any content that might be considered offensive or otherwise inappropriate in a corporate setting. + +**To use the Security and Privacy Settings page** + +1. Decide if you want to customize your security zones and privacy settings. You can pick: + + - **Do not customize security zones and privacy.** Pick this option if you don’t want to customize your security zones and privacy settings. + + - **Import the current security zones and privacy.** Pick this option to import your security zone and privacy settings from your computer and use them as the preset for your employee’s settings.

          **Note**
          To change your settings, click **Modify Settings** to open the **Internet Properties** box, and then click the **Security** and **Privacy** tabs to make your changes. + +2. Decide if you want to customize your content ratings. You can pick: + + - **Do not customize content ratings.** Pick this option if you don’t want to customize content ratings. + + - **Import the current content ratings settings.** Pick this option to import your content rating settings from your computer and use them as the preset for your employee’s settings.

          **Note**
          Not all Internet content is rated. If you choose to allow users to view unrated sites, some of those sites could contain inappropriate material. To change your settings, click **Modify Settings** to open the **Content Advisor** box, where you can make your changes. + +3. Click **Next** to go to the [Add a Root Certificate](add-root-certificate-ieak11-wizard.md) page or **Back** to go to the [Proxy Settings](proxy-settings-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md index c81c6b6a9d..74e61ad2bb 100644 --- a/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md @@ -1,27 +1,27 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Use the \[Security Imports\] .INS file setting to decide whether to import security info to your custom package. -author: lomayor -ms.prod: ie11 -ms.assetid: 19791c44-aaa7-4f37-9faa-85cbdf29f68e -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Security Imports .INS file to import security info (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Security Imports .INS file to import security info -Info about how to import security information from your local device to your custom package. - -|Name |Value |Description | -|-----|------|------------| -|ImportAuthCode |

          • **0.** Don’t import the existing settings.
          • **1.** Import the existing settings.
          |Whether to import the existing Authenticode settings. | -|ImportRatings |
          • **0.** Don’t import the existing settings.
          • **1.** Import the existing settings.
          |Whether to import the existing Content Ratings settings. | -|ImportSecZones |
          • **0.** Don’t import the existing settings.
          • **1.** Import the existing settings.
          |Whether to import the existing Security Zone settings. | -|ImportSiteCert |
          • **0.** Don’t import the existing authorities.
          • **1.** Import the existing authorities.
          |Whether to import the existing site certification authorities. | -|Win16SiteCerts |
          • **0.** Don’t use the site certificates.
          • **1.** Use the site certificates.
          |Whether to use site certificates for computers running 16-bit versions of Windows. | - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Use the \[Security Imports\] .INS file setting to decide whether to import security info to your custom package. +author: lomayor +ms.prod: ie11 +ms.assetid: 19791c44-aaa7-4f37-9faa-85cbdf29f68e +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Security Imports .INS file to import security info (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Security Imports .INS file to import security info +Info about how to import security information from your local device to your custom package. + +|Name |Value |Description | +|-----|------|------------| +|ImportAuthCode |
          • **0.** Don’t import the existing settings.
          • **1.** Import the existing settings.
          |Whether to import the existing Authenticode settings. | +|ImportRatings |
          • **0.** Don’t import the existing settings.
          • **1.** Import the existing settings.
          |Whether to import the existing Content Ratings settings. | +|ImportSecZones |
          • **0.** Don’t import the existing settings.
          • **1.** Import the existing settings.
          |Whether to import the existing Security Zone settings. | +|ImportSiteCert |
          • **0.** Don’t import the existing authorities.
          • **1.** Import the existing authorities.
          |Whether to import the existing site certification authorities. | +|Win16SiteCerts |
          • **0.** Don’t use the site certificates.
          • **1.** Use the site certificates.
          |Whether to use site certificates for computers running 16-bit versions of Windows. | + diff --git a/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md b/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md index ca25c64f0e..228805f528 100644 --- a/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md @@ -1,123 +1,123 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: support -description: Info about some of the known issues using the Internet Exporer Customization Wizard and a custom Internet Explorer install package. -author: lomayor -ms.author: lomayor -ms.prod: ie11 -ms.assetid: 9e22cc61-6c63-4cab-bfdf-6fe49db945e4 -ms.reviewer: -manager: dansimp -title: Troubleshoot custom package and IEAK 11 problems (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Troubleshoot custom package and IEAK 11 problems -While the Internet Explorer Customization Wizard has been around for quite a while, there are still some known issues that you might encounter while deploying or managing your custom IE install package. - -## I am unable to locate some of the wizard pages -The most common reasons you will not see certain pages is because: - -- **Your licensing agreement with Microsoft.** Your licensing agreement determines whether you install the **Internal** or **External** version of the Internet Explorer Customization Wizard, and there are different features available for each version. For info about which features are available for each version, see [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md). - -- **Your choice of operating system.** Depending on the operating system you picked from the **Platform Selection** page of the wizard, you might not see all of the pages. Some features aren’t available for all operating systems. For more information, see [Use the Platform Selection page in the IEAK 11 Wizard](platform-selection-ieak11-wizard.md). - -- **Your choice of features.** Depending on what you selected from the **Feature Selection** page of the wizard, you might not see all of the pages. You need to make sure that the features you want to customize are all checked. For more information, see [Use the Feature Selection page in the IEAK 11 Wizard](feature-selection-ieak11-wizard.md). - -## Internet Explorer Setup fails on user's devices -Various issues can cause problems during Setup, including missing files, trust issues, or URL monikers. You can troubleshoot these issues by reviewing the Setup log file, located at `IE11\_main.log` from the **Windows** folder (typically, `C:\Windows`). The log file covers the entire Setup process from the moment IE11Setup.exe starts until the last .cab file finishes, providing error codes that you can use to help determine the cause of the failure. - -### Main.log file codes - -|Code |Description | -|-----|------------| -|0 |Initializing, making a temporary folder, and checking disk space. | -|1 |Checking for all dependencies. | -|2 |Downloading files from the server. | -|3 |Copying files from download location to the temporary installation folder. | -|4 |Restarting download and retrying Setup, because of a time-out error or other download error. | -|5 |Checking trust and checking permissions. | -|6 |Extracting files. | -|7 |Running Setup program (an .inf or .exe file). | -|8 |Installation is finished. | -|9 |Download finished, and all files are downloaded. | - -### Main.log error codes - -|Code |Description | -|-----|------------| -|80100003 |Files are missing from the download folder during installation. | -|800bxxxx |An error code starting with 800b is a trust failure. | -|800Cxxxx |An error code starting with 800C is a Urlmon.dll failure. | - - -## Internet Explorer Setup connection times out -Internet Explorer Setup can switch servers during the installation process to maintain maximum throughput or to recover from a non-responsive download site (you receive less than 1 byte in 2 minutes). If the connection times out, but Setup is able to connect to the next download site on the list, your download starts over. If however the connection times out and Setup can’t connect to a different server, it’ll ask if you want to stop the installation or try again. - -To address connection issues (for example, as a result of server problems) where Setup can’t locate another download site by default, we recommend you overwrite your first download server using this workaround: - -``` syntax -\ie11setup.exe /C:"ie11wzd.exe /S:""\ie11setup.exe"" /L:""https://your_Web_server/your_Web_site/ie11sites.dat""" -``` - -Where `` represents the folder location where you stored IE11setup.exe. - -## Users cannot uninstall IE -If you cannot uninstall IE using **Uninstall or change a program** in the Control Panel, it could be because the uninstall information is not on the computer. To fix this issue, you should: - -1. Review the uninstall log file, IE11Uninst.log, located in the `C:\Windows` folder. This log file covers the entire uninstallation process, including every file change, every registry change, and any dialog boxes that are shown. - -2. Try to manually uninstall IE. Go to the backup folder, `:\Windows\$ie11$`, and run the uninstall file, `Spunist.exe`. - -  -## The Internet Explorer Customization Wizard 11 does not work with user names that user double-byte character sets -The customization wizard does not work with user names that use double-byte character sets, such as Chinese or Japanese. To fix this, set the **TEMP** and **TMP** environmental variables to a path that does not use these characters (for example, C:\temp). - -1. Open **System Properties**, click the **Advanced** tab, and then click **Environmental Variables**. -2. Click Edit, and then modify the **TEMP** and **TMP** environmental variables to a non-user profile directory. - -  -## Unicode characters are not supported in IEAK 11 path names -While Unicode characters, such as Emoji, are supported for organization names and other branding items, you must not use Unicode characters in any paths associated with running the Internet Explorer Customization Wizard 11. This includes paths to your IEAK 11 installation and to the storage location for your custom packages after they're built. - -## Internet Explorer branding conflicts when using both Unattend and IEAK 11 to customize Internet Explorer settings -Using both Unattend settings and an IEAK custom package to modify a user's version of Internet Explorer 11 might cause a user to lose personalized settings during an upgrade. For example, many manufacturers configure Internet Explorer using Unattend settings. If a user purchases a laptop, and then signs up for Internet service, their Internet Service Provider (ISP) might provide a version of Internet Explorer that has been branded (for example, with a custom homepage for that ISP) using Internet Explorer Customization Wizard 11. If that user later upgrades to a new version of Internet Explorer, the Unattend settings from the laptop manufacturer will be reapplied, overwriting any settings that the user configured for themselves (such as their homepage). - - -## IEAK 11 does not correctly apply the Delete all existing items under Favorites, Favorites Bar and Feeds option -The Internet Explorer Customization Wizard 11 does not correctly apply the **Delete all existing items under Favorites**, **Favorites Bar and Feeds** option, available on the **Browsing Options** page. - -Selecting to include this feature in your customized Internet Explorer package enables the deletion of existing items in the **Favorites** and **Favorites Bar** areas, but it doesn't enable deletion in the **Feeds** area. In addition, this setting adds a new favorite, titled “Web Slice Gallery” to the **Favorites Bar**. - -## F1 does not activate Help on Automatic Version Synchronization page -Pressing the **F1** button on the **Automatic Version Synchronization** page of the Internet Explorer Customization Wizard 11 does not display the **Help** page. Clicking the **Help** button enables you to open the Help system and view information about this page. - -## Certificate installation does not work on IEAK 11 -IEAK 11 doesn't install certificates added using the Add a Root Certificate page of the Internet Explorer Customization Wizard 11. Administrators can manually install certificates using the Certificates Microsoft Management Console snap-in (Certmgr.msc) or using the command-line tool, Certificate Manager (Certmgr.exe). - ->[!NOTE] ->This applies only when using the External licensing mode of IEAK 11. - -## The Additional Settings page appears in the wrong language when using a localized version of IEAK 11 -When using IEAK 11 in other languages, the settings on the Additional Settings page appear in the language of the target platform, regardless of the IEAK 11 language. - ->[!NOTE] ->This applies only when using the Internal licensing mode of IEAK 11. - -To work around this issue, run the customization wizard following these steps: -1. On the **Language Selection** page, select the language that matches the language of your installed IEAK 11. -2. Click **Next**, and then click **Synchronize** on the Automatic Version Synchronization page. -3. After synchronization is complete, cancel the wizard. -4. Repeat these steps for each platform on the Platform Selection page. - -After performing these steps, you must still do the following each time you synchronize a new language and platform: -1. Open File Explorer to the Program Files\Windows IEAK 11 or Program Files (x86)\Windows IEAK 11 folder. -2. Open the **Policies** folder, and then open the appropriate platform folder. -3. Copy the contents of the matching-language folder into the new language folder. - -After completing these steps, the Additional Settings page matches your wizard’s language. - -## Unable to access feeds stored in a subfolder -Adding feeds using the **Favorites**, **Favorites Bar**, and **Feeds** page of the Internet Explorer 11 Customization Wizard requires that the feeds be stored in a single folder. Creating two levels of folders, and creating the feed in the subfolder, causes the feed to fail. +--- +ms.localizationpriority: medium +ms.mktglfcycl: support +description: Info about some of the known issues using the Internet Exporer Customization Wizard and a custom Internet Explorer install package. +author: lomayor +ms.author: lomayor +ms.prod: ie11 +ms.assetid: 9e22cc61-6c63-4cab-bfdf-6fe49db945e4 +ms.reviewer: +audience: itpro manager: dansimp +title: Troubleshoot custom package and IEAK 11 problems (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Troubleshoot custom package and IEAK 11 problems +While the Internet Explorer Customization Wizard has been around for quite a while, there are still some known issues that you might encounter while deploying or managing your custom IE install package. + +## I am unable to locate some of the wizard pages +The most common reasons you will not see certain pages is because: + +- **Your licensing agreement with Microsoft.** Your licensing agreement determines whether you install the **Internal** or **External** version of the Internet Explorer Customization Wizard, and there are different features available for each version. For info about which features are available for each version, see [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md). + +- **Your choice of operating system.** Depending on the operating system you picked from the **Platform Selection** page of the wizard, you might not see all of the pages. Some features aren’t available for all operating systems. For more information, see [Use the Platform Selection page in the IEAK 11 Wizard](platform-selection-ieak11-wizard.md). + +- **Your choice of features.** Depending on what you selected from the **Feature Selection** page of the wizard, you might not see all of the pages. You need to make sure that the features you want to customize are all checked. For more information, see [Use the Feature Selection page in the IEAK 11 Wizard](feature-selection-ieak11-wizard.md). + +## Internet Explorer Setup fails on user's devices +Various issues can cause problems during Setup, including missing files, trust issues, or URL monikers. You can troubleshoot these issues by reviewing the Setup log file, located at `IE11\_main.log` from the **Windows** folder (typically, `C:\Windows`). The log file covers the entire Setup process from the moment IE11Setup.exe starts until the last .cab file finishes, providing error codes that you can use to help determine the cause of the failure. + +### Main.log file codes + +|Code |Description | +|-----|------------| +|0 |Initializing, making a temporary folder, and checking disk space. | +|1 |Checking for all dependencies. | +|2 |Downloading files from the server. | +|3 |Copying files from download location to the temporary installation folder. | +|4 |Restarting download and retrying Setup, because of a time-out error or other download error. | +|5 |Checking trust and checking permissions. | +|6 |Extracting files. | +|7 |Running Setup program (an .inf or .exe file). | +|8 |Installation is finished. | +|9 |Download finished, and all files are downloaded. | + +### Main.log error codes + +|Code |Description | +|-----|------------| +|80100003 |Files are missing from the download folder during installation. | +|800bxxxx |An error code starting with 800b is a trust failure. | +|800Cxxxx |An error code starting with 800C is a Urlmon.dll failure. | + + +## Internet Explorer Setup connection times out +Internet Explorer Setup can switch servers during the installation process to maintain maximum throughput or to recover from a non-responsive download site (you receive less than 1 byte in 2 minutes). If the connection times out, but Setup is able to connect to the next download site on the list, your download starts over. If however the connection times out and Setup can’t connect to a different server, it’ll ask if you want to stop the installation or try again. + +To address connection issues (for example, as a result of server problems) where Setup can’t locate another download site by default, we recommend you overwrite your first download server using this workaround: + +``` syntax +\ie11setup.exe /C:"ie11wzd.exe /S:""\ie11setup.exe"" /L:""https://your_Web_server/your_Web_site/ie11sites.dat""" +``` + +Where `` represents the folder location where you stored IE11setup.exe. + +## Users cannot uninstall IE +If you cannot uninstall IE using **Uninstall or change a program** in the Control Panel, it could be because the uninstall information is not on the computer. To fix this issue, you should: + +1. Review the uninstall log file, IE11Uninst.log, located in the `C:\Windows` folder. This log file covers the entire uninstallation process, including every file change, every registry change, and any dialog boxes that are shown. + +2. Try to manually uninstall IE. Go to the backup folder, `:\Windows\$ie11$`, and run the uninstall file, `Spunist.exe`. + +  +## The Internet Explorer Customization Wizard 11 does not work with user names that user double-byte character sets +The customization wizard does not work with user names that use double-byte character sets, such as Chinese or Japanese. To fix this, set the **TEMP** and **TMP** environmental variables to a path that does not use these characters (for example, C:\temp). + +1. Open **System Properties**, click the **Advanced** tab, and then click **Environmental Variables**. +2. Click Edit, and then modify the **TEMP** and **TMP** environmental variables to a non-user profile directory. + +  +## Unicode characters are not supported in IEAK 11 path names +While Unicode characters, such as Emoji, are supported for organization names and other branding items, you must not use Unicode characters in any paths associated with running the Internet Explorer Customization Wizard 11. This includes paths to your IEAK 11 installation and to the storage location for your custom packages after they're built. + +## Internet Explorer branding conflicts when using both Unattend and IEAK 11 to customize Internet Explorer settings +Using both Unattend settings and an IEAK custom package to modify a user's version of Internet Explorer 11 might cause a user to lose personalized settings during an upgrade. For example, many manufacturers configure Internet Explorer using Unattend settings. If a user purchases a laptop, and then signs up for Internet service, their Internet Service Provider (ISP) might provide a version of Internet Explorer that has been branded (for example, with a custom homepage for that ISP) using Internet Explorer Customization Wizard 11. If that user later upgrades to a new version of Internet Explorer, the Unattend settings from the laptop manufacturer will be reapplied, overwriting any settings that the user configured for themselves (such as their homepage). + + +## IEAK 11 does not correctly apply the Delete all existing items under Favorites, Favorites Bar and Feeds option +The Internet Explorer Customization Wizard 11 does not correctly apply the **Delete all existing items under Favorites**, **Favorites Bar and Feeds** option, available on the **Browsing Options** page. + +Selecting to include this feature in your customized Internet Explorer package enables the deletion of existing items in the **Favorites** and **Favorites Bar** areas, but it doesn't enable deletion in the **Feeds** area. In addition, this setting adds a new favorite, titled “Web Slice Gallery” to the **Favorites Bar**. + +## F1 does not activate Help on Automatic Version Synchronization page +Pressing the **F1** button on the **Automatic Version Synchronization** page of the Internet Explorer Customization Wizard 11 does not display the **Help** page. Clicking the **Help** button enables you to open the Help system and view information about this page. + +## Certificate installation does not work on IEAK 11 +IEAK 11 doesn't install certificates added using the Add a Root Certificate page of the Internet Explorer Customization Wizard 11. Administrators can manually install certificates using the Certificates Microsoft Management Console snap-in (Certmgr.msc) or using the command-line tool, Certificate Manager (Certmgr.exe). + +>[!NOTE] +>This applies only when using the External licensing mode of IEAK 11. + +## The Additional Settings page appears in the wrong language when using a localized version of IEAK 11 +When using IEAK 11 in other languages, the settings on the Additional Settings page appear in the language of the target platform, regardless of the IEAK 11 language. + +>[!NOTE] +>This applies only when using the Internal licensing mode of IEAK 11. + +To work around this issue, run the customization wizard following these steps: +1. On the **Language Selection** page, select the language that matches the language of your installed IEAK 11. +2. Click **Next**, and then click **Synchronize** on the Automatic Version Synchronization page. +3. After synchronization is complete, cancel the wizard. +4. Repeat these steps for each platform on the Platform Selection page. + +After performing these steps, you must still do the following each time you synchronize a new language and platform: +1. Open File Explorer to the Program Files\Windows IEAK 11 or Program Files (x86)\Windows IEAK 11 folder. +2. Open the **Policies** folder, and then open the appropriate platform folder. +3. Copy the contents of the matching-language folder into the new language folder. + +After completing these steps, the Additional Settings page matches your wizard’s language. + +## Unable to access feeds stored in a subfolder +Adding feeds using the **Favorites**, **Favorites Bar**, and **Feeds** page of the Internet Explorer 11 Customization Wizard requires that the feeds be stored in a single folder. Creating two levels of folders, and creating the feed in the subfolder, causes the feed to fail. diff --git a/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md index 1aec2abb8a..965fda174e 100644 --- a/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md @@ -1,40 +1,40 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Use the \[URL\] .INS file setting to decide whether to use an auto-configured proxy server. -author: dansimp -ms.prod: ie11 -ms.assetid: 05b09dfa-cf11-408d-92c2-b4ae434a59a7 -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Use the URL .INS file to use an auto-configured proxy server (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the URL .INS file to use an auto-configured proxy server -Info about whether to use an auto-configured proxy server. If yes, this also includes the URLs to the pages that appear when your employees first connect to that server. - -|Name |Value |Description | -|-----|------|------------| -|AutoConfig |
          • **0.** Don’t automatically configure the browser.
          • **1.** Automatically configure the browser.
          |Determines whether to automatically configure the customized browser on your employee’s device. | -|AutoConfigJSURL |`` |The URL for the proxy auto-config file (.js or .jvs) | -|AutoConfigTime |*integer* |Automatically configures the browser on your employee’s device after its run for a specified length of time. | -|AutoConfigURL |`` |The URL for the proxy auto-config (.pac) file. | -|FirstHomePage |`` |The page (URL) that appears the first time the custom browser is opened on the employee’s device. | -|Help_Page |`` |The URL to your internal technical support site. | -|Home_Page |`` |The URL to your default **Home** page. | -|NoWelcome |
          • **0.** Display the **Welcome** page.
          • **1.** Don’t display the **Welcome** page.
          |Determines whether to show the **Welcome** page the first time the browser’s used on an employee’s device. | -|Quick_Link_1 |`` |The URL to your first Quick Link. | -|Quick_Link_1_Name |`` |The name of the site associated with Quick_Link_1. | -|Quick_Link_2 |`` |The URL to your second Quick Link. | -|Quick_Link_2_Name |`` |The name of the site associated with Quick_Link_2. | -|Quick_Link_X |`` |The URL to another Quick Link. | -|Quick_Link_X_Icon |`` |A Quick Links icon (.ico) file. | -|Quick_Link_X_Name |`` |The name of the site associated with another Quick Link. | -|Quick_Link_X_Offline |
          • **0.** Don’t make the Quick Links available offline.
          • **1.** Make the Quick Links available offline.
          |Determines whether to make the Quick Links available for offline browsing. | -|Search_Page |`` |The URL to the default search page. | -|UseLocalIns |
          • **0.** Don’t use a local .ins file.
          • **1.** Use a local .ins file.
          |Determines whether to use a local Internet Settings (.ins) file | - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Use the \[URL\] .INS file setting to decide whether to use an auto-configured proxy server. +author: dansimp +ms.prod: ie11 +ms.assetid: 05b09dfa-cf11-408d-92c2-b4ae434a59a7 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: Use the URL .INS file to use an auto-configured proxy server (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the URL .INS file to use an auto-configured proxy server +Info about whether to use an auto-configured proxy server. If yes, this also includes the URLs to the pages that appear when your employees first connect to that server. + +|Name |Value |Description | +|-----|------|------------| +|AutoConfig |
          • **0.** Don’t automatically configure the browser.
          • **1.** Automatically configure the browser.
          |Determines whether to automatically configure the customized browser on your employee’s device. | +|AutoConfigJSURL |`` |The URL for the proxy auto-config file (.js or .jvs) | +|AutoConfigTime |*integer* |Automatically configures the browser on your employee’s device after its run for a specified length of time. | +|AutoConfigURL |`` |The URL for the proxy auto-config (.pac) file. | +|FirstHomePage |`` |The page (URL) that appears the first time the custom browser is opened on the employee’s device. | +|Help_Page |`` |The URL to your internal technical support site. | +|Home_Page |`` |The URL to your default **Home** page. | +|NoWelcome |
          • **0.** Display the **Welcome** page.
          • **1.** Don’t display the **Welcome** page.
          |Determines whether to show the **Welcome** page the first time the browser’s used on an employee’s device. | +|Quick_Link_1 |`` |The URL to your first Quick Link. | +|Quick_Link_1_Name |`` |The name of the site associated with Quick_Link_1. | +|Quick_Link_2 |`` |The URL to your second Quick Link. | +|Quick_Link_2_Name |`` |The name of the site associated with Quick_Link_2. | +|Quick_Link_X |`` |The URL to another Quick Link. | +|Quick_Link_X_Icon |`` |A Quick Links icon (.ico) file. | +|Quick_Link_X_Name |`` |The name of the site associated with another Quick Link. | +|Quick_Link_X_Offline |
          • **0.** Don’t make the Quick Links available offline.
          • **1.** Make the Quick Links available offline.
          |Determines whether to make the Quick Links available for offline browsing. | +|Search_Page |`` |The URL to the default search page. | +|UseLocalIns |
          • **0.** Don’t use a local .ins file.
          • **1.** Use a local .ins file.
          |Determines whether to use a local Internet Settings (.ins) file | + diff --git a/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md index b9d51e17e5..ed8f2be8f1 100644 --- a/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md @@ -1,60 +1,60 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the User Experience page in the IEAK 11 Customization Wizard to decide user interaction with the Setup process. -author: dansimp -ms.prod: ie11 -ms.assetid: d3378058-e4f0-4a11-a888-b550af994bfa -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Use the User Experience page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the User Experience page in the IEAK 11 Wizard -The **User Experience** page of the Internet Explorer Customization Wizard 11 lets you decide how much you want your employees to interact with the custom package’s Setup process. - -**Note**
          You’ll only see this page if you are running the **Internal** version of the Internet Explorer Customization Wizard 11.

          The customizations you make on this page only apply to Internet Explorer for the desktop on Windows 7. - -**To use the User Experience page** - -1. Choose how your employee should interact with Setup, including: - - - **Interactive installation**. Lets your employees change installation options while installing your custom package. This experience shows all of the progress and error messages throughout the process. - - - **Hands-free installation**. Lets you make all of the decisions for your employees. However, they’ll still see all of the progress and error messages throughout the process. - - - **Completely silent installation**. Lets you make all of the decisions for your employees and hides all of the progress and error messages. Because this mode is completely silent, if the installation fails, your employees won’t know and they won’t be able to run the installation package again. -

          Both the hands-free and completely silent installation options will: - - - Answer prompts so Setup can continue. - - - Accept the license agreement. - - - Determine that Internet Explorer 11 is installed and not just downloaded. - - - Perform your specific installation type. - - - Install IE in the default location, unless it is already installed. In that case, the new version of the browser is installed in the same location as the previous version. - -2. Choose if your employee’s device will restart at the end of Setup. - - - **Default**. Prompts your employees to restart after installing IE. - - - **No restart**. Doesn’t restart the computer after installing IE. The employee will have to manually restart later. - - - **Force restart**. Automatically restarts the computer after installing IE. - -3. Click **Next** to go to the [Browser User Interface](browser-ui-ieak11-wizard.md) page or **Back** to go to the [Internal Install](internal-install-ieak11-wizard.md) page. - - - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the User Experience page in the IEAK 11 Customization Wizard to decide user interaction with the Setup process. +author: dansimp +ms.prod: ie11 +ms.assetid: d3378058-e4f0-4a11-a888-b550af994bfa +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: Use the User Experience page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the User Experience page in the IEAK 11 Wizard +The **User Experience** page of the Internet Explorer Customization Wizard 11 lets you decide how much you want your employees to interact with the custom package’s Setup process. + +**Note**
          You’ll only see this page if you are running the **Internal** version of the Internet Explorer Customization Wizard 11.

          The customizations you make on this page only apply to Internet Explorer for the desktop on Windows 7. + +**To use the User Experience page** + +1. Choose how your employee should interact with Setup, including: + + - **Interactive installation**. Lets your employees change installation options while installing your custom package. This experience shows all of the progress and error messages throughout the process. + + - **Hands-free installation**. Lets you make all of the decisions for your employees. However, they’ll still see all of the progress and error messages throughout the process. + + - **Completely silent installation**. Lets you make all of the decisions for your employees and hides all of the progress and error messages. Because this mode is completely silent, if the installation fails, your employees won’t know and they won’t be able to run the installation package again. +

          Both the hands-free and completely silent installation options will: + + - Answer prompts so Setup can continue. + + - Accept the license agreement. + + - Determine that Internet Explorer 11 is installed and not just downloaded. + + - Perform your specific installation type. + + - Install IE in the default location, unless it is already installed. In that case, the new version of the browser is installed in the same location as the previous version. + +2. Choose if your employee’s device will restart at the end of Setup. + + - **Default**. Prompts your employees to restart after installing IE. + + - **No restart**. Doesn’t restart the computer after installing IE. The employee will have to manually restart later. + + - **Force restart**. Automatically restarts the computer after installing IE. + +3. Click **Next** to go to the [Browser User Interface](browser-ui-ieak11-wizard.md) page or **Back** to go to the [Internal Install](internal-install-ieak11-wizard.md) page. + + + + + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md b/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md index f17c6d7844..3efd12ffa8 100644 --- a/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md +++ b/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md @@ -1,37 +1,37 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Info about how to use Internet Settings (.ins) files and the IEAK 11 to configure your custom browser package. -author: dansimp -ms.prod: ie11 -ms.assetid: a24a7cdb-681e-4f34-a53c-6d8383c5f977 -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Using Internet Settings (.INS) files with IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Using Internet Settings (.INS) files with IEAK 11 -Use the Internet Settings (.ins) files and the Internet Explorer Administration Kit 11 (IEAK 11) to configure your custom browser and its components. You can create multiple versions of your custom package by customizing copies of this file. - -Here's a list of the available .INS file settings: - -|Setting |Description | -|-----------------------------------------|------------------------------------------------------------------------------| -|[Branding](branding-ins-file-setting.md) |Customize the branding and setup information in your browser package. | -|[BrowserToolbars](browsertoolbars-ins-file-setting.md) |Customize the appearance of the IE toolbar. | -|[CabSigning](cabsigning-ins-file-setting.md) |Digital signature information for your programs. | -|[ConnectionSettings](connectionsettings-ins-file-setting.md) |Info about the networking connection settings used to install your custom package. | -|[CustomBranding](custombranding-ins-file-setting.md) |URL location to your branding cabinet (.cab) file. | -|[ExtRegInf](extreginf-ins-file-setting.md) |Names of your Setup information (.inf) files and the installation mode for components. | -|[FavoritesEx](favoritesex-ins-file-setting.md) |Add a path to your icon file for **Favorites**, decide whether **Favorites** are available offline, and add URLs to each**Favorites** site. | -|[HideCustom](hidecustom-ins-file-setting.md) |Whether to hide the globally unique identifier (GUID) for each custom component. | -|[ISP_Security](isp-security-ins-file-setting.md) |The root certificate you’re adding to your custom package. | -|[Media](media-ins-file-setting.md) |Types of media in which your custom installation package is available. | -|[Proxy](proxy-ins-file-setting.md) |Whether to use a proxy server. | -|[Security Imports](security-imports-ins-file-setting.md) |Whether to import security information for your custom package. | -|[URL](url-ins-file-setting.md) |Whether to use an auto-configured proxy server. | - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Info about how to use Internet Settings (.ins) files and the IEAK 11 to configure your custom browser package. +author: dansimp +ms.prod: ie11 +ms.assetid: a24a7cdb-681e-4f34-a53c-6d8383c5f977 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: Using Internet Settings (.INS) files with IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Using Internet Settings (.INS) files with IEAK 11 +Use the Internet Settings (.ins) files and the Internet Explorer Administration Kit 11 (IEAK 11) to configure your custom browser and its components. You can create multiple versions of your custom package by customizing copies of this file. + +Here's a list of the available .INS file settings: + +|Setting |Description | +|-----------------------------------------|------------------------------------------------------------------------------| +|[Branding](branding-ins-file-setting.md) |Customize the branding and setup information in your browser package. | +|[BrowserToolbars](browsertoolbars-ins-file-setting.md) |Customize the appearance of the IE toolbar. | +|[CabSigning](cabsigning-ins-file-setting.md) |Digital signature information for your programs. | +|[ConnectionSettings](connectionsettings-ins-file-setting.md) |Info about the networking connection settings used to install your custom package. | +|[CustomBranding](custombranding-ins-file-setting.md) |URL location to your branding cabinet (.cab) file. | +|[ExtRegInf](extreginf-ins-file-setting.md) |Names of your Setup information (.inf) files and the installation mode for components. | +|[FavoritesEx](favoritesex-ins-file-setting.md) |Add a path to your icon file for **Favorites**, decide whether **Favorites** are available offline, and add URLs to each**Favorites** site. | +|[HideCustom](hidecustom-ins-file-setting.md) |Whether to hide the globally unique identifier (GUID) for each custom component. | +|[ISP_Security](isp-security-ins-file-setting.md) |The root certificate you’re adding to your custom package. | +|[Media](media-ins-file-setting.md) |Types of media in which your custom installation package is available. | +|[Proxy](proxy-ins-file-setting.md) |Whether to use a proxy server. | +|[Security Imports](security-imports-ins-file-setting.md) |Whether to import security information for your custom package. | +|[URL](url-ins-file-setting.md) |Whether to use an auto-configured proxy server. | + diff --git a/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md b/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md index 221f4896ab..5e8b4e979e 100644 --- a/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md +++ b/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md @@ -1,68 +1,68 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: support -ms.pagetype: security -description: Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions. -author: dansimp -ms.author: dansimp -ms.manager: elizapo -ms.prod: ie11 -ms.assetid: -ms.reviewer: -manager: dansimp -title: What IEAK can do for you -ms.sitesec: library -ms.date: 05/10/2018 ---- - -# What IEAK can do for you - -Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions. - -IEAK 10 and newer includes the ability to install using one of the following installation modes: - -- Internal - -- External - -## IEAK 11 users -Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions. - -IEAK 10 and newer includes the ability to install using one of the following installation modes: -- Internal -- External - ->[!NOTE] ->IEAK 11 works in network environments, with or without Microsoft Active Directory service. - - -### Corporations -IEAK helps corporate administrators establish version control, centrally distribute and manage browser installation, configure automatic connection profiles, and customize large portions of Internet Explorer, including features, security, communications settings, and other important functionality. - -Corporate administrators install IEAK using Internal mode (for Internet Explorer 10 or newer) or Corporate mode (for Internet Explorer 9 or older). - -### Internet service providers -IEAK helps ISPs customize, deploy and distribute, add third-party add-ons, search providers, and custom components, as well as include web slices and accelerators all as part of a custom Internet Explorer installation package. - -ISPs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Service Provider (ISP) mode (for Internet Explorer 9 or older). - -### Internet content providers -IEAK helps ICPs customize the appearance of Internet Explorer and its Setup program, including letting you add your company name or specific wording to the Title bar, set up a customer support webpage, set up the user home page and search providers, add links to the Favorites and the Explorer bars, add optional components, web slices and accelerators, and determine which compatibility mode Internet Explorer should use. - -ICPs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Content Provider (ICP) mode (for Internet Explorer 9 or older) - -### Independent software vendors -IEAK helps ISVs distribute (and redistribute) a custom version of Internet Explorer that can include custom components, programs, and controls (like the web browser control) that you create for your users. ISVs can also determine home pages, search providers, and add websites to the Favorites bar. - -ISVs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Content Provider (ICP) mode (for Internet Explorer 9 or older). - -## Additional resources - -- [IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.md) -- [Download IEAK 11](ieak-information-and-downloads.md) -- [IEAK 11 overview](index.md) -- [IEAK 11 administrators guide](https://docs.microsoft.com/internet-explorer/ie11-ieak/index) -- [IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md) -- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md) -- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md) -- [Microsoft Edge - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760643) +--- +ms.localizationpriority: medium +ms.mktglfcycl: support +ms.pagetype: security +description: Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions. +author: dansimp +ms.author: dansimp +ms.manager: elizapo +ms.prod: ie11 +ms.assetid: +ms.reviewer: +audience: itpro manager: dansimp +title: What IEAK can do for you +ms.sitesec: library +ms.date: 05/10/2018 +--- + +# What IEAK can do for you + +Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions. + +IEAK 10 and newer includes the ability to install using one of the following installation modes: + +- Internal + +- External + +## IEAK 11 users +Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions. + +IEAK 10 and newer includes the ability to install using one of the following installation modes: +- Internal +- External + +>[!NOTE] +>IEAK 11 works in network environments, with or without Microsoft Active Directory service. + + +### Corporations +IEAK helps corporate administrators establish version control, centrally distribute and manage browser installation, configure automatic connection profiles, and customize large portions of Internet Explorer, including features, security, communications settings, and other important functionality. + +Corporate administrators install IEAK using Internal mode (for Internet Explorer 10 or newer) or Corporate mode (for Internet Explorer 9 or older). + +### Internet service providers +IEAK helps ISPs customize, deploy and distribute, add third-party add-ons, search providers, and custom components, as well as include web slices and accelerators all as part of a custom Internet Explorer installation package. + +ISPs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Service Provider (ISP) mode (for Internet Explorer 9 or older). + +### Internet content providers +IEAK helps ICPs customize the appearance of Internet Explorer and its Setup program, including letting you add your company name or specific wording to the Title bar, set up a customer support webpage, set up the user home page and search providers, add links to the Favorites and the Explorer bars, add optional components, web slices and accelerators, and determine which compatibility mode Internet Explorer should use. + +ICPs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Content Provider (ICP) mode (for Internet Explorer 9 or older) + +### Independent software vendors +IEAK helps ISVs distribute (and redistribute) a custom version of Internet Explorer that can include custom components, programs, and controls (like the web browser control) that you create for your users. ISVs can also determine home pages, search providers, and add websites to the Favorites bar. + +ISVs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Content Provider (ICP) mode (for Internet Explorer 9 or older). + +## Additional resources + +- [IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.md) +- [Download IEAK 11](ieak-information-and-downloads.md) +- [IEAK 11 overview](index.md) +- [IEAK 11 administrators guide](https://docs.microsoft.com/internet-explorer/ie11-ieak/index) +- [IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md) +- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md) +- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md) +- [Microsoft Edge - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760643) diff --git a/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md index e32fa2b1da..e81b0eedea 100644 --- a/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md @@ -1,31 +1,31 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Wizard Complete - Next Steps page in the IEAK 11 Customization Wizard to build your custom Internet Explorer install package. -author: dansimp -ms.prod: ie11 -ms.assetid: aaaac88a-2022-4d0b-893c-b2404b45cabc -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard -The **Wizard Complete – Next Steps** page of the Internet Explorer Customization Wizard 11 lets you build your custom installation package, after you click **Finish**. - -In most cases, your next steps will be to prepare your files for installation from your network or from another distribution method. If you haven’t already done it, you’ll need to digitally sign any program or .cab files that are going to be distributed over the Internet or over an intranet that isn’t configured to allow downloads. - -After that, the steps you’ll use to distribute your customized browser will vary, depending on your version of IEAK (Internal or External) and the media you’re using to distribute the package. For more information, see the [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md). - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Wizard Complete - Next Steps page in the IEAK 11 Customization Wizard to build your custom Internet Explorer install package. +author: dansimp +ms.prod: ie11 +ms.assetid: aaaac88a-2022-4d0b-893c-b2404b45cabc +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard +The **Wizard Complete – Next Steps** page of the Internet Explorer Customization Wizard 11 lets you build your custom installation package, after you click **Finish**. + +In most cases, your next steps will be to prepare your files for installation from your network or from another distribution method. If you haven’t already done it, you’ll need to digitally sign any program or .cab files that are going to be distributed over the Internet or over an intranet that isn’t configured to allow downloads. + +After that, the steps you’ll use to distribute your customized browser will vary, depending on your version of IEAK (Internal or External) and the media you’re using to distribute the package. For more information, see the [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md). + +  + +  + + + + + diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index d50c95d74f..36cbb30a09 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md @@ -1,13 +1,15 @@ # [Microsoft HoloLens](index.md) # [What's new in HoloLens](hololens-whats-new.md) -# [HoloLens in the enterprise: requirements and FAQ](hololens-requirements.md) # [Set up HoloLens](hololens-setup.md) +# Deploy HoloLens in a commercial environment +## [Overview and deployment planning](hololens-requirements.md) +## [Configure HoloLens using a provisioning package](hololens-provisioning.md) +## [Enroll HoloLens in MDM](hololens-enroll-mdm.md) + # Device Management ## [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md) ## [Install localized version of HoloLens](hololens-install-localized.md) -## [Configure HoloLens using a provisioning package](hololens-provisioning.md) -## [Enroll HoloLens in MDM](hololens-enroll-mdm.md) ## [Manage updates to HoloLens](hololens-updates.md) ## [Restore HoloLens 2 using Advanced Recovery Companion](hololens-recovery.md) ## [Use the HoloLens Clicker](hololens-clicker.md) diff --git a/devices/hololens/images/hololens2-side-render-medium.png b/devices/hololens/images/hololens2-side-render-medium.png new file mode 100644 index 0000000000..d4650c05e2 Binary files /dev/null and b/devices/hololens/images/hololens2-side-render-medium.png differ diff --git a/devices/hololens/images/hololens2-side-render-small.png b/devices/hololens/images/hololens2-side-render-small.png new file mode 100644 index 0000000000..a1a612e05a Binary files /dev/null and b/devices/hololens/images/hololens2-side-render-small.png differ diff --git a/devices/hololens/images/hololens2-side-render-xs.png b/devices/hololens/images/hololens2-side-render-xs.png new file mode 100644 index 0000000000..08d5f966cd Binary files /dev/null and b/devices/hololens/images/hololens2-side-render-xs.png differ diff --git a/devices/hololens/index.md b/devices/hololens/index.md index abb50c076e..5aee70afdb 100644 --- a/devices/hololens/index.md +++ b/devices/hololens/index.md @@ -3,6 +3,7 @@ title: Microsoft HoloLens (HoloLens) description: Landing page for HoloLens commercial and enterprise management. ms.prod: hololens ms.sitesec: library +ms.assetid: 0947f5b3-8f0f-42f0-aa27-6d2cad51d040 author: scooley ms.author: scooley ms.topic: article @@ -18,7 +19,9 @@ ms.date: 07/14/2019

          Now, with the introduction of HoloLens 2, every device provides commercial ready management enhanced by the reliability, security, and scalability of cloud and AI services from Microsoft.

          -HoloLens 2 side view +

          To learn more about HoloLens 2 for developers, check out the mixed reality developer documentation.

          + +HoloLens 2 side view ## Guides in this section @@ -26,7 +29,7 @@ ms.date: 07/14/2019 | Guide | Description | | --- | --- | | [Get started with HoloLens](hololens-setup.md) | Set up HoloLens for the first time. | -| [Set up HoloLens in the enterprise](hololens-requirements.md) | Configure HoloLens for scale enterprise deployment and ongoing device management. | +| [Deploy HoloLens in a commercial environment](hololens-requirements.md) | Configure HoloLens for scale enterprise deployment and ongoing device management. | | [Install and manage applications on HoloLens](hololens-install-apps.md) |Install and manage important applications on HoloLens at scale. | | [Recover and troubleshoot HoloLens issues](https://support.microsoft.com/products/hololens) | Learn how to gather logs from HoloLens, recover a misbehaving device, or reset HoloLens when necessary. | | [Get support](https://support.microsoft.com/products/hololens) |Connect with Microsoft support resources for HoloLens in enterprise. | diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md index 3383f10f91..d9a7bc204f 100644 --- a/devices/surface-hub/index.md +++ b/devices/surface-hub/index.md @@ -9,6 +9,7 @@ ms.tgt_pltfrm: na ms.devlang: na ms.topic: landing-page description: "Get started with Microsoft Surface Hub." +localization_priority: High --- # Get started with Surface Hub diff --git a/devices/surface-hub/surface-hub-2s-account.md b/devices/surface-hub/surface-hub-2s-account.md index cb0a6f3943..025b2b8320 100644 --- a/devices/surface-hub/surface-hub-2s-account.md +++ b/devices/surface-hub/surface-hub-2s-account.md @@ -10,7 +10,7 @@ manager: laurawi audience: Admin ms.topic: article ms.date: 06/20/2019 -ms.localizationpriority: Normal +ms.localizationpriority: Medium --- # Create Surface Hub 2S device account diff --git a/devices/surface-hub/surface-hub-2s-adoption-kit.md b/devices/surface-hub/surface-hub-2s-adoption-kit.md index d2d06415f6..119b93ff02 100644 --- a/devices/surface-hub/surface-hub-2s-adoption-kit.md +++ b/devices/surface-hub/surface-hub-2s-adoption-kit.md @@ -10,7 +10,7 @@ manager: laurawi audience: Admin ms.topic: article ms.date: 07/18/2019 -ms.localizationpriority: Normal +ms.localizationpriority: Medium --- # Surface Hub 2S adoption toolkit diff --git a/devices/surface-hub/surface-hub-2s-change-history.md b/devices/surface-hub/surface-hub-2s-change-history.md index 19151f0d9a..a24c8c12e4 100644 --- a/devices/surface-hub/surface-hub-2s-change-history.md +++ b/devices/surface-hub/surface-hub-2s-change-history.md @@ -10,7 +10,7 @@ audience: Admin ms.manager: laurawi ms.topic: article ms.date: 06/20/2019 -ms.localizationpriority: Normal +ms.localizationpriority: Medium --- # Change history for Surface Hub 2S diff --git a/devices/surface-hub/surface-hub-2s-connect.md b/devices/surface-hub/surface-hub-2s-connect.md index 9422e7facc..d3a17d2848 100644 --- a/devices/surface-hub/surface-hub-2s-connect.md +++ b/devices/surface-hub/surface-hub-2s-connect.md @@ -10,7 +10,7 @@ manager: laurawi audience: Admin ms.topic: article ms.date: 06/20/2019 -ms.localizationpriority: Normal +ms.localizationpriority: Medium --- # Connect devices to Surface Hub 2S diff --git a/devices/surface-hub/surface-hub-2s-custom-install.md b/devices/surface-hub/surface-hub-2s-custom-install.md index f42757dc00..020256c627 100644 --- a/devices/surface-hub/surface-hub-2s-custom-install.md +++ b/devices/surface-hub/surface-hub-2s-custom-install.md @@ -10,7 +10,7 @@ manager: laurawi audience: Admin ms.topic: article ms.date: 06/20/2019 -ms.localizationpriority: Normal +ms.localizationpriority: Medium --- # Customize wall mount of Surface Hub 2S diff --git a/devices/surface-hub/surface-hub-2s-deploy-apps-intune.md b/devices/surface-hub/surface-hub-2s-deploy-apps-intune.md index 9aa6e13da6..b52bdc6532 100644 --- a/devices/surface-hub/surface-hub-2s-deploy-apps-intune.md +++ b/devices/surface-hub/surface-hub-2s-deploy-apps-intune.md @@ -10,7 +10,7 @@ manager: laurawi audience: Admin ms.topic: article ms.date: 06/20/2019 -ms.localizationpriority: Normal +ms.localizationpriority: Medium --- # Deploy apps to Surface Hub 2S using Intune diff --git a/devices/surface-hub/surface-hub-2s-deploy-checklist.md b/devices/surface-hub/surface-hub-2s-deploy-checklist.md index 311323fc8f..10fe718f75 100644 --- a/devices/surface-hub/surface-hub-2s-deploy-checklist.md +++ b/devices/surface-hub/surface-hub-2s-deploy-checklist.md @@ -10,7 +10,7 @@ manager: laurawi audience: Admin ms.topic: article ms.date: 06/20/2019 -ms.localizationpriority: Normal +ms.localizationpriority: Medium --- # Surface Hub 2S deployment checklists diff --git a/devices/surface-hub/surface-hub-2s-deploy.md b/devices/surface-hub/surface-hub-2s-deploy.md index 34bea793f6..cd99172ad3 100644 --- a/devices/surface-hub/surface-hub-2s-deploy.md +++ b/devices/surface-hub/surface-hub-2s-deploy.md @@ -10,7 +10,7 @@ manager: laurawi audience: Admin ms.topic: article ms.date: 06/20/2019 -ms.localizationpriority: Normal +ms.localizationpriority: Medium --- # Create provisioning packages for Surface Hub 2S diff --git a/devices/surface-hub/surface-hub-2s-install-mount.md b/devices/surface-hub/surface-hub-2s-install-mount.md index 53a75568d1..7b4e3e3e00 100644 --- a/devices/surface-hub/surface-hub-2s-install-mount.md +++ b/devices/surface-hub/surface-hub-2s-install-mount.md @@ -10,7 +10,7 @@ manager: laurawi audience: Admin ms.topic: article ms.date: 06/20/2019 -ms.localizationpriority: Normal +ms.localizationpriority: Medium --- # Install and mount Surface Hub 2S diff --git a/devices/surface-hub/surface-hub-2s-manage-intune.md b/devices/surface-hub/surface-hub-2s-manage-intune.md index d42810f20f..1749e6cafd 100644 --- a/devices/surface-hub/surface-hub-2s-manage-intune.md +++ b/devices/surface-hub/surface-hub-2s-manage-intune.md @@ -10,7 +10,7 @@ manager: laurawi audience: Admin ms.topic: article ms.date: 06/20/2019 -ms.localizationpriority: Normal +ms.localizationpriority: Medium --- # Manage Surface Hub 2S with Intune diff --git a/devices/surface-hub/surface-hub-2s-manage-passwords.md b/devices/surface-hub/surface-hub-2s-manage-passwords.md index a3bbfababd..3de1d293aa 100644 --- a/devices/surface-hub/surface-hub-2s-manage-passwords.md +++ b/devices/surface-hub/surface-hub-2s-manage-passwords.md @@ -10,7 +10,7 @@ manager: laurawi audience: Admin ms.topic: article ms.date: 06/20/2019 -ms.localizationpriority: Normal +ms.localizationpriority: Medium --- # Manage device account password rotation diff --git a/devices/surface-hub/surface-hub-2s-onprem-powershell.md b/devices/surface-hub/surface-hub-2s-onprem-powershell.md index 7a0d250e73..0d51997eda 100644 --- a/devices/surface-hub/surface-hub-2s-onprem-powershell.md +++ b/devices/surface-hub/surface-hub-2s-onprem-powershell.md @@ -10,7 +10,7 @@ manager: laurawi audience: Admin ms.topic: article ms.date: 06/20/2019 -ms.localizationpriority: Normal +ms.localizationpriority: Medium --- # Configure Surface Hub 2S on-premises accounts with PowerShell diff --git a/devices/surface-hub/surface-hub-2s-onscreen-display.md b/devices/surface-hub/surface-hub-2s-onscreen-display.md index 7a2664bf01..0f5679cd37 100644 --- a/devices/surface-hub/surface-hub-2s-onscreen-display.md +++ b/devices/surface-hub/surface-hub-2s-onscreen-display.md @@ -10,7 +10,7 @@ manager: laurawi audience: Admin ms.topic: article ms.date: 07/09/2019 -ms.localizationpriority: Normal +ms.localizationpriority: Medium --- # Adjust Surface Hub 2S brightness, volume, and input diff --git a/devices/surface-hub/surface-hub-2s-pack-components.md b/devices/surface-hub/surface-hub-2s-pack-components.md index 1ae13b7b75..692f4ee02d 100644 --- a/devices/surface-hub/surface-hub-2s-pack-components.md +++ b/devices/surface-hub/surface-hub-2s-pack-components.md @@ -10,7 +10,7 @@ manager: laurawi audience: Admin ms.topic: article ms.date: 07/1/2019 -ms.localizationpriority: Normal +ms.localizationpriority: Medium --- # How to pack and ship your Surface Hub 2S for service diff --git a/devices/surface-hub/surface-hub-2s-phone-authenticate.md b/devices/surface-hub/surface-hub-2s-phone-authenticate.md index 9773d4a735..ae82ccdf36 100644 --- a/devices/surface-hub/surface-hub-2s-phone-authenticate.md +++ b/devices/surface-hub/surface-hub-2s-phone-authenticate.md @@ -10,7 +10,7 @@ manager: laurawi audience: Admin ms.topic: article ms.date: 06/20/2019 -ms.localizationpriority: Normal +ms.localizationpriority: Medium --- # Configure password-less phone sign-in for Surface Hub 2S diff --git a/devices/surface-hub/surface-hub-2s-port-keypad-overview.md b/devices/surface-hub/surface-hub-2s-port-keypad-overview.md index 92555790c3..05c3c4b37a 100644 --- a/devices/surface-hub/surface-hub-2s-port-keypad-overview.md +++ b/devices/surface-hub/surface-hub-2s-port-keypad-overview.md @@ -10,7 +10,7 @@ manager: laurawi audience: Admin ms.topic: article ms.date: 06/20/2019 -ms.localizationpriority: Normal +ms.localizationpriority: Medium --- # Surface Hub 2S ports and keypad overview diff --git a/devices/surface-hub/surface-hub-2s-prepare-environment.md b/devices/surface-hub/surface-hub-2s-prepare-environment.md index 10b5238246..2b28cab313 100644 --- a/devices/surface-hub/surface-hub-2s-prepare-environment.md +++ b/devices/surface-hub/surface-hub-2s-prepare-environment.md @@ -10,7 +10,7 @@ manager: laurawi audience: Admin ms.topic: article ms.date: 06/20/2019 -ms.localizationpriority: Normal +ms.localizationpriority: Medium --- # Prepare your environment for Surface Hub 2S diff --git a/devices/surface-hub/surface-hub-2s-quick-start.md b/devices/surface-hub/surface-hub-2s-quick-start.md index 518e43405c..d1d20bc7c8 100644 --- a/devices/surface-hub/surface-hub-2s-quick-start.md +++ b/devices/surface-hub/surface-hub-2s-quick-start.md @@ -10,7 +10,7 @@ manager: laurawi audience: Admin ms.topic: article ms.date: 06/20/2019 -ms.localizationpriority: Normal +ms.localizationpriority: Medium --- # Surface Hub 2S quick start diff --git a/devices/surface-hub/surface-hub-2s-recover-reset.md b/devices/surface-hub/surface-hub-2s-recover-reset.md index 263228238b..d055e724cd 100644 --- a/devices/surface-hub/surface-hub-2s-recover-reset.md +++ b/devices/surface-hub/surface-hub-2s-recover-reset.md @@ -10,7 +10,7 @@ manager: laurawi audience: Admin ms.topic: article ms.date: 06/20/2019 -ms.localizationpriority: Normal +ms.localizationpriority: Medium --- # Reset and recovery for Surface Hub 2S diff --git a/devices/surface-hub/surface-hub-2s-secure-with-uefi-semm.md b/devices/surface-hub/surface-hub-2s-secure-with-uefi-semm.md index 49be99e66b..cf7b561dca 100644 --- a/devices/surface-hub/surface-hub-2s-secure-with-uefi-semm.md +++ b/devices/surface-hub/surface-hub-2s-secure-with-uefi-semm.md @@ -10,7 +10,7 @@ manager: laurawi audience: Admin ms.topic: article ms.date: 06/20/2019 -ms.localizationpriority: Normal +ms.localizationpriority: Medium --- # Secure and manage Surface Hub 2S with SEMM and UEFI diff --git a/devices/surface-hub/surface-hub-2s-setup.md b/devices/surface-hub/surface-hub-2s-setup.md index a987a80d26..76e5ac1055 100644 --- a/devices/surface-hub/surface-hub-2s-setup.md +++ b/devices/surface-hub/surface-hub-2s-setup.md @@ -10,7 +10,7 @@ manager: laurawi audience: Admin ms.topic: article ms.date: 07/03/2019 -ms.localizationpriority: Normal +ms.localizationpriority: Medium --- # First time Setup for Surface Hub 2S diff --git a/devices/surface-hub/surface-hub-2s-site-planning.md b/devices/surface-hub/surface-hub-2s-site-planning.md index 09b2344a12..683d732f9a 100644 --- a/devices/surface-hub/surface-hub-2s-site-planning.md +++ b/devices/surface-hub/surface-hub-2s-site-planning.md @@ -10,7 +10,7 @@ manager: laurawi audience: Admin ms.topic: article ms.date: 06/20/2019 -ms.localizationpriority: Normal +ms.localizationpriority: Medium --- # Surface Hub 2S site planning diff --git a/devices/surface-hub/surface-hub-2s-site-readiness-guide.md b/devices/surface-hub/surface-hub-2s-site-readiness-guide.md index db16db4225..e765207b4c 100644 --- a/devices/surface-hub/surface-hub-2s-site-readiness-guide.md +++ b/devices/surface-hub/surface-hub-2s-site-readiness-guide.md @@ -10,7 +10,7 @@ manager: laurawi audience: Admin ms.topic: article ms.date: 06/20/2019 -ms.localizationpriority: Normal +ms.localizationpriority: Medium --- # Surface Hub 2S site readiness guide diff --git a/devices/surface-hub/surface-hub-2s-techspecs.md b/devices/surface-hub/surface-hub-2s-techspecs.md index 89a4871fbb..12955c3afb 100644 --- a/devices/surface-hub/surface-hub-2s-techspecs.md +++ b/devices/surface-hub/surface-hub-2s-techspecs.md @@ -10,7 +10,7 @@ ms.author: robmazz audience: Admin ms.topic: article ms.date: 06/20/2019 -ms.localizationpriority: Normal +ms.localizationpriority: Medium --- # Surface Hub 2S tech specs diff --git a/devices/surface-hub/surface-hub-2s-unpack.md b/devices/surface-hub/surface-hub-2s-unpack.md index f6955de609..474bec14da 100644 --- a/devices/surface-hub/surface-hub-2s-unpack.md +++ b/devices/surface-hub/surface-hub-2s-unpack.md @@ -10,7 +10,7 @@ manager: laurawi audience: Admin ms.topic: article ms.date: 06/20/2019 -ms.localizationpriority: Normal +ms.localizationpriority: Medium --- # Unpack Surface Hub 2S diff --git a/devices/surface-hub/surface-hub-2s-whats-new.md b/devices/surface-hub/surface-hub-2s-whats-new.md index b4c40fddde..2f0dad2a22 100644 --- a/devices/surface-hub/surface-hub-2s-whats-new.md +++ b/devices/surface-hub/surface-hub-2s-whats-new.md @@ -10,7 +10,7 @@ manager: laurawi audience: Admin ms.topic: article ms.date: 06/20/2019 -ms.localizationpriority: Normal +ms.localizationpriority: Medium --- # What's new in Surface Hub 2S for IT admins diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md index 15a51ed349..e74076b642 100644 --- a/devices/surface/TOC.md +++ b/devices/surface/TOC.md @@ -1,6 +1,6 @@ # [Surface](index.md) -## Get started +## [Get started](get-started.md) ## Overview ### [Surface Pro Tech specs](https://www.microsoft.com/surface/devices/surface-pro/tech-specs) diff --git a/devices/surface/get-started.md b/devices/surface/get-started.md index 9294a400bc..07342f0005 100644 --- a/devices/surface/get-started.md +++ b/devices/surface/get-started.md @@ -9,6 +9,7 @@ ms.tgt_pltfrm: na ms.devlang: na ms.topic: landing-page description: "Get started with Microsoft Surface devices" +localization_priority: High --- # Get started with Surface devices diff --git a/devices/surface/index.md b/devices/surface/index.md index b6709b00f1..33fbe6bf0c 100644 --- a/devices/surface/index.md +++ b/devices/surface/index.md @@ -8,7 +8,7 @@ ms.author: robmazz manager: laurawi ms.topic: hub-page keywords: Microsoft Surface, Microsoft Surface Hub, Surface documentation -localization_priority: Normal +localization_priority: High audience: ITPro ms.prod: Surface description: Learn about Microsoft Surface and Surface Hub devices. diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md index dc75df4d5f..cc903e11ec 100644 --- a/windows/deployment/TOC.md +++ b/windows/deployment/TOC.md @@ -295,4 +295,4 @@ #### [Get started with Device Health](update/device-health-get-started.md) #### [Using Device Health](update/device-health-using.md) ### [Enrolling devices in Windows Analytics](update/windows-analytics-get-started.md) -### [Troubleshooting Windows Analytics and FAQ](update/windows-analytics-FAQ-troubleshooting.md) \ No newline at end of file +### [Troubleshooting Windows Analytics and FAQ](update/windows-analytics-FAQ-troubleshooting.md) diff --git a/windows/deployment/Windows-AutoPilot-EULA-note.md b/windows/deployment/Windows-AutoPilot-EULA-note.md index d53ddd69ca..ae15ebea5c 100644 --- a/windows/deployment/Windows-AutoPilot-EULA-note.md +++ b/windows/deployment/Windows-AutoPilot-EULA-note.md @@ -1,24 +1,24 @@ ---- -title: Windows Autopilot EULA dismissal – important information -description: A notice about EULA dismissal through Windows Autopilot -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -ms.localizationpriority: medium -ms.author: greg-lindsay -ms.date: 08/22/2017 -ms.reviewer: -manager: laurawi -author: greg-lindsay -ROBOTS: noindex,nofollow -ms.topic: article ---- -# Windows Autopilot EULA dismissal – important information - ->[!IMPORTANT] ->The information below isn't the EULA. It is a notice of awareness to the administrator that's configuring to skip End User License Agreement (EULA) during the OOBE (Out-of-Box Experience). - -Using this tool allows you to configure individual installations of Windows on devices managed by your organization. You may choose to suppress or hide certain set-up screens that are normally presented to users when setting up Windows, including the EULA acceptance screen. - -By using this function, you agree that suppressing or hiding any screens that are designed to provide users with notice or acceptance of terms means that you, on behalf of your organization or the individual user as the case may be, have consented to the notices and accepted the applicable terms. This includes your agreement to the terms and conditions of the license or notice that would be presented to the user if you did not suppress or hide it using this tool. You and your users may not use the Windows software on those devices if you have not validly acquired a license for the software from Microsoft or its licensed distributors. +--- +title: Windows Autopilot EULA dismissal – important information +description: A notice about EULA dismissal through Windows Autopilot +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.date: 08/22/2017 +ms.reviewer: +manager: laurawi +audience: itpro author: greg-lindsay +ROBOTS: noindex,nofollow +ms.topic: article +--- +# Windows Autopilot EULA dismissal – important information + +>[!IMPORTANT] +>The information below isn't the EULA. It is a notice of awareness to the administrator that's configuring to skip End User License Agreement (EULA) during the OOBE (Out-of-Box Experience). + +Using this tool allows you to configure individual installations of Windows on devices managed by your organization. You may choose to suppress or hide certain set-up screens that are normally presented to users when setting up Windows, including the EULA acceptance screen. + +By using this function, you agree that suppressing or hiding any screens that are designed to provide users with notice or acceptance of terms means that you, on behalf of your organization or the individual user as the case may be, have consented to the notices and accepted the applicable terms. This includes your agreement to the terms and conditions of the license or notice that would be presented to the user if you did not suppress or hide it using this tool. You and your users may not use the Windows software on those devices if you have not validly acquired a license for the software from Microsoft or its licensed distributors. diff --git a/windows/deployment/add-store-apps-to-image.md b/windows/deployment/add-store-apps-to-image.md index dfeaba4ae4..a6b6ad9da6 100644 --- a/windows/deployment/add-store-apps-to-image.md +++ b/windows/deployment/add-store-apps-to-image.md @@ -1,85 +1,85 @@ ---- -title: Add Microsoft Store for Business applications to a Windows 10 image -description: This topic describes how to add Microsoft Store for Business applications to a Windows 10 image. -keywords: upgrade, update, windows, windows 10, deploy, store, image, wim -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Add Microsoft Store for Business applications to a Windows 10 image - -**Applies to** - -- Windows 10 - -This topic describes the correct way to add Microsoft Store for Business applications to a Windows 10 image. This will enable you to deploy Windows 10 with pre-installed Microsoft Store for Business apps. - ->[!IMPORTANT] ->In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment. - -## Prerequisites - -* [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md) for the tools required to mount and edit Windows images. - -* Download an offline signed app package and license of the application you would like to add through [Microsoft Store for Business](/store-for-business/distribute-offline-apps#download-an-offline-licensed-app). - -* A Windows Image. For instructions on image creation, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) or [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). - ->[!NOTE] -> If you'd like to add an internal LOB Microsoft Store application, please follow the instructions on **[Sideload LOB apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)**. - -## Adding a Store application to your image - -On a machine where your image file is accessible: -1. Open Windows PowerShell with administrator privileges. -2. Mount the image. At the Windows PowerShell prompt, type: -`Mount-WindowsImage -ImagePath c:\images\myimage.wim -Index 1 -Path C:\test` -3. Use the Add-AppxProvisionedPackage cmdlet in Windows PowerShell to preinstall the app. Use the /PackagePath option to specify the location of the Store package and /LicensePath to specify the location of the license .xml file. In Windows PowerShell, type: -`Add-AppxProvisionedPackage -Path C:\test -PackagePath C:\downloads\appxpackage -LicensePath C:\downloads\appxpackage\license.xml` - ->[!NOTE] ->Paths and file names are examples. Use your paths and file names where appropriate. -> ->Do not dismount the image, as you will return to it later. - -## Editing the Start Layout - -In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment. - -On a test machine: -1. **Install the Microsoft Store for Business application you previously added** to your image. -2. **Pin these apps to the Start screen**, by typing the name of the app, right-clicking and selecting **Pin to Start**. -3. Open Windows PowerShell with administrator privileges. -4. Use `Export-StartLayout -path .xml` where *\\* is the path and name of the xml file your will later import into your Windows Image. -5. Copy the XML file you created to a location accessible by the machine you previously used to add Store applications to your image. - -Now, on the machine where your image file is accessible: -1. Import the Start layout. At the Windows PowerShell prompt, type: -`Import-StartLayout -LayoutPath ".xml" -MountPath "C:\test\"` -2. Save changes and dismount the image. At the Windows PowerShell prompt, type: -`Dismount-WindowsImage -Path c:\test -Save` - ->[!NOTE] ->Paths and file names are examples. Use your paths and file names where appropriate. -> ->For more information on Start customization see [Windows 10 Start Layout Customization](https://blogs.technet.microsoft.com/deploymentguys/2016/03/07/windows-10-start-layout-customization/) - - -## Related topics -* [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout) -* [Export-StartLayout](https://technet.microsoft.com/itpro/powershell/windows/startlayout/export-startlayout) -* [Import-StartLayout](https://technet.microsoft.com/itpro/powershell/windows/startlayout/import-startlayout) -* [Sideload LOB apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10) -* [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) -* [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) -* [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md) - - +--- +title: Add Microsoft Store for Business applications to a Windows 10 image +description: This topic describes how to add Microsoft Store for Business applications to a Windows 10 image. +keywords: upgrade, update, windows, windows 10, deploy, store, image, wim +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Add Microsoft Store for Business applications to a Windows 10 image + +**Applies to** + +- Windows 10 + +This topic describes the correct way to add Microsoft Store for Business applications to a Windows 10 image. This will enable you to deploy Windows 10 with pre-installed Microsoft Store for Business apps. + +>[!IMPORTANT] +>In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment. + +## Prerequisites + +* [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md) for the tools required to mount and edit Windows images. + +* Download an offline signed app package and license of the application you would like to add through [Microsoft Store for Business](/store-for-business/distribute-offline-apps#download-an-offline-licensed-app). + +* A Windows Image. For instructions on image creation, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) or [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +>[!NOTE] +> If you'd like to add an internal LOB Microsoft Store application, please follow the instructions on **[Sideload LOB apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)**. + +## Adding a Store application to your image + +On a machine where your image file is accessible: +1. Open Windows PowerShell with administrator privileges. +2. Mount the image. At the Windows PowerShell prompt, type: +`Mount-WindowsImage -ImagePath c:\images\myimage.wim -Index 1 -Path C:\test` +3. Use the Add-AppxProvisionedPackage cmdlet in Windows PowerShell to preinstall the app. Use the /PackagePath option to specify the location of the Store package and /LicensePath to specify the location of the license .xml file. In Windows PowerShell, type: +`Add-AppxProvisionedPackage -Path C:\test -PackagePath C:\downloads\appxpackage -LicensePath C:\downloads\appxpackage\license.xml` + +>[!NOTE] +>Paths and file names are examples. Use your paths and file names where appropriate. +> +>Do not dismount the image, as you will return to it later. + +## Editing the Start Layout + +In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment. + +On a test machine: +1. **Install the Microsoft Store for Business application you previously added** to your image. +2. **Pin these apps to the Start screen**, by typing the name of the app, right-clicking and selecting **Pin to Start**. +3. Open Windows PowerShell with administrator privileges. +4. Use `Export-StartLayout -path .xml` where *\\* is the path and name of the xml file your will later import into your Windows Image. +5. Copy the XML file you created to a location accessible by the machine you previously used to add Store applications to your image. + +Now, on the machine where your image file is accessible: +1. Import the Start layout. At the Windows PowerShell prompt, type: +`Import-StartLayout -LayoutPath ".xml" -MountPath "C:\test\"` +2. Save changes and dismount the image. At the Windows PowerShell prompt, type: +`Dismount-WindowsImage -Path c:\test -Save` + +>[!NOTE] +>Paths and file names are examples. Use your paths and file names where appropriate. +> +>For more information on Start customization see [Windows 10 Start Layout Customization](https://blogs.technet.microsoft.com/deploymentguys/2016/03/07/windows-10-start-layout-customization/) + + +## Related topics +* [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout) +* [Export-StartLayout](https://technet.microsoft.com/itpro/powershell/windows/startlayout/export-startlayout) +* [Import-StartLayout](https://technet.microsoft.com/itpro/powershell/windows/startlayout/import-startlayout) +* [Sideload LOB apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10) +* [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) +* [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) +* [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md) + + diff --git a/windows/deployment/change-history-for-deploy-windows-10.md b/windows/deployment/change-history-for-deploy-windows-10.md index 7f95f18d4c..e6a2e1664a 100644 --- a/windows/deployment/change-history-for-deploy-windows-10.md +++ b/windows/deployment/change-history-for-deploy-windows-10.md @@ -1,160 +1,160 @@ ---- -title: Change history for Deploy Windows 10 (Windows 10) -description: This topic lists new and updated topics in the Deploy Windows 10 documentation for Windows 10 and Windows 10 Mobile. -ms.assetid: 19C50373-6B25-4F5C-A6EF-643D36904349 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.topic: article ---- - -# Change history for Deploy Windows 10 -This topic lists new and updated topics in the [Deploy Windows 10](https://docs.microsoft.com/windows/deployment) documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10). - -## April 2018 - -New or changed topic | Description ---- | --- -[Install VAMT](volume-activation/install-vamt.md) | Updated the instructions and link for SQL Server Express. - -## November 2017 - -New or changed topic | Description --- | --- - [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) | Added warning that you should not use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml. - -## RELEASE: Windows 10, version 1709 -| New or changed topic | Description | -|----------------------|-------------| -| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | Updated the edition upgrade table to include all other Windows 10 editions previously not on the list and the supported upgrade methods for upgrade path. | -| [Fonts missing after upgrading to Windows 10](windows-10-missing-fonts.md)| New article about the set of fonts that have moved from being included in the default installation image to being included in Optional Features. This article includes the steps for adding these optional font features.| - -## July 2017 -| New or changed topic | Description | -|----------------------|-------------| -| The table of contents for deployment topics was reorganized. - -## June 2017 -| New or changed topic | Description | -|----------------------|-------------| -| [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) | New | - -## April 2017 -| New or changed topic | Description | -|----------------------|-------------| -| [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) | Updated: The "refresh" and "replace" procedures were swapped in order so that it would not be necessary to save and restore VMs. Also a missing step was added to include the State migration point role. | -| [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)| Updated with minor fixes. | -| [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md)| Updated child topics under this node to include new feature and user interface changes. | -| [Get started with Upgrade Readiness](upgrade/upgrade-readiness-get-started.md)| Added a table summarizing connection scenarios under the Enable data sharing topic. | - - -## RELEASE: Windows 10, version 1703 -The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The provisioning topics have been moved to [Configure Windows 10](/windows/configuration/index). - - -## March 2017 -| New or changed topic | Description | -|----------------------|-------------| -| [What's new in Windows 10 deployment](deploy-whats-new.md) | New | -| [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) | Topic moved under [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) in the table of contents and title adjusted to clarify in-place upgrade. | -| [Upgrade to Windows 10 with System Center Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md) | Topic moved under [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) in the table of contents and title adjusted to clarify in-place upgrade. | -| [Convert MBR partition to GPT](mbr-to-gpt.md) | New | - -## February 2017 -| New or changed topic | Description | -|----------------------|-------------| -| [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) | Multiple topics updated, name changed from Upgrade Analytics to Upgrade Readiness, and other content updates. | -| [USMT Requirements](usmt/usmt-requirements.md) | Updated: Vista support removed and other minor changes | -| [Get started with Upgrade Analytics](upgrade/upgrade-readiness-get-started.md) | Updated structure and content | -| [Upgrade Analytics deployment script](upgrade/upgrade-readiness-deployment-script.md) | Added as a separate page from get started | -| [Use Upgrade Analytics to manage Windows upgrades](upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) | Updated with links to new content and information about the target OS setting | -| [Upgrade Analytics - Upgrade overview](upgrade/upgrade-readiness-upgrade-overview.md) | New | -| [Upgrade Analytics - Step 1: Identify important apps](upgrade/upgrade-readiness-identify-apps.md) | Updated topic title and content | -| [Upgrade Analytics - Step 2: Resolve app and driver issues](upgrade/upgrade-readiness-resolve-issues.md) | New | -| [Upgrade Analytics - Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md) | New | -| [Upgrade Analytics - Additional insights](upgrade/upgrade-readiness-additional-insights.md) | New | - - -## January 2017 -| New or changed topic | Description | -|----------------------|-------------| -| [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) | New | -| [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) | New | -| [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) | New | -| [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) | New (previously published in other topics) | -| [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package) | New (previously published in Hardware Dev Center on MSDN) | -| [Create a provisioning package with multivariant settings](/windows/configuration/provisioning-packages/provisioning-multivariant) | New (previously published in Hardware Dev Center on MSDN) | -| [How provisioning works in Windows 10](/windows/configuration/provisioning-packages/provisioning-how-it-works) | New (previously published in Hardware Dev Center on MSDN) | -| [Install Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) | New (previously published in Hardware Dev Center on MSDN) | -| [NFC-based device provisioning](/windows/configuration/mobile-devices/provisioning-nfc) | New (previously published in Hardware Dev Center on MSDN) | -| [Settings changed when you uninstall a provisioning package](/windows/configuration/provisioning-packages/provisioning-uninstall-package) | New (previously published in Hardware Dev Center on MSDN) | -| [Use a script to install a desktop app in provisioning packages](/windows/configuration/provisioning-packages/provisioning-script-to-install-app) | New (previously published in Hardware Dev Center on MSDN) | -| [Windows ICD command-line interface (reference)](/windows/configuration/provisioning-packages/provisioning-command-line) | New (previously published in Hardware Dev Center on MSDN) | -| [Get started with Upgrade Analytics](upgrade/upgrade-readiness-get-started.md) | Updated exit code table with suggested fixes, and added link to the Upgrade Analytics blog | -| [Provision PCs with common settings for initial deployment (simple provisioning)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment) | Instructions for applying the provisioning package moved to [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) | -| [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates) | Instructions for applying the provisioning package moved to [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) | - - -## October 2016 -| New or changed topic | Description | -|----------------------|-------------| -| [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) | New | - -## September 2016 -| New or changed topic | Description | -|----------------------|-------------| -| [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md) | New | -| [Get started with Upgrade Analytics](upgrade/upgrade-readiness-get-started.md) | Updated with prerequisites for site discovery | -| [Resolve application and driver issues](upgrade/upgrade-readiness-resolve-issues.md) | Updated with app status info for Ready For Windows | -| [Review site discovery](upgrade/upgrade-readiness-additional-insights.md) | New | - -## RELEASE: Windows 10, version 1607 - -The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added: - -- [Provisioning packages for Windows 10](/windows/configuration/provisioning-packages/provisioning-packages.md) -- [Provision PCs with apps and certificates for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md) -- [Provision PCs with common settings for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md) - -## August 2016 -| New or changed topic | Description | -|----------------------|-------------| -| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | Updated with reboot requirements | - -## July 2016 -| New or changed topic | Description | -|----------------------|-------------| -| [Manage Windows upgrades with Upgrade Analytics](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) | New | - -## June 2016 -| New or changed topic | Description | -|----------------------|-------------| -| [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) | New | -| [User State Migration Tool Technical Reference](usmt/usmt-technical-reference.md) | Updated support statement for Office 2016 | -| [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) | New | - -## May 2016 -| New or changed topic | Description | -|----------------------|-------------| -| [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md) | New | - -## December 2015 -| New or changed topic | Description | -|----------------------|-------------| -| [Activate using Key Management Service](volume-activation/activate-using-key-management-service-vamt.md) | Updated | -| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | Updated | - -## November 2015 -| New or changed topic | Description | -|----------------------|-------------| -| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | New | - -## Related topics -- [Change history for Plan for Windows 10 deployment](/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment) -- [Change history for Access Protection](/windows/access-protection/change-history-for-access-protection) -- [Change history for Device Security](/windows/device-security/change-history-for-device-security) -- [Change history for Threat Protection](/windows/threat-protection/change-history-for-threat-protection) +--- +title: Change history for Deploy Windows 10 (Windows 10) +description: This topic lists new and updated topics in the Deploy Windows 10 documentation for Windows 10 and Windows 10 Mobile. +ms.assetid: 19C50373-6B25-4F5C-A6EF-643D36904349 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Change history for Deploy Windows 10 +This topic lists new and updated topics in the [Deploy Windows 10](https://docs.microsoft.com/windows/deployment) documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10). + +## April 2018 + +New or changed topic | Description +--- | --- +[Install VAMT](volume-activation/install-vamt.md) | Updated the instructions and link for SQL Server Express. + +## November 2017 + +New or changed topic | Description +-- | --- + [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) | Added warning that you should not use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml. + +## RELEASE: Windows 10, version 1709 +| New or changed topic | Description | +|----------------------|-------------| +| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | Updated the edition upgrade table to include all other Windows 10 editions previously not on the list and the supported upgrade methods for upgrade path. | +| [Fonts missing after upgrading to Windows 10](windows-10-missing-fonts.md)| New article about the set of fonts that have moved from being included in the default installation image to being included in Optional Features. This article includes the steps for adding these optional font features.| + +## July 2017 +| New or changed topic | Description | +|----------------------|-------------| +| The table of contents for deployment topics was reorganized. + +## June 2017 +| New or changed topic | Description | +|----------------------|-------------| +| [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) | New | + +## April 2017 +| New or changed topic | Description | +|----------------------|-------------| +| [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) | Updated: The "refresh" and "replace" procedures were swapped in order so that it would not be necessary to save and restore VMs. Also a missing step was added to include the State migration point role. | +| [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)| Updated with minor fixes. | +| [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md)| Updated child topics under this node to include new feature and user interface changes. | +| [Get started with Upgrade Readiness](upgrade/upgrade-readiness-get-started.md)| Added a table summarizing connection scenarios under the Enable data sharing topic. | + + +## RELEASE: Windows 10, version 1703 +The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The provisioning topics have been moved to [Configure Windows 10](/windows/configuration/index). + + +## March 2017 +| New or changed topic | Description | +|----------------------|-------------| +| [What's new in Windows 10 deployment](deploy-whats-new.md) | New | +| [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) | Topic moved under [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) in the table of contents and title adjusted to clarify in-place upgrade. | +| [Upgrade to Windows 10 with System Center Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md) | Topic moved under [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) in the table of contents and title adjusted to clarify in-place upgrade. | +| [Convert MBR partition to GPT](mbr-to-gpt.md) | New | + +## February 2017 +| New or changed topic | Description | +|----------------------|-------------| +| [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) | Multiple topics updated, name changed from Upgrade Analytics to Upgrade Readiness, and other content updates. | +| [USMT Requirements](usmt/usmt-requirements.md) | Updated: Vista support removed and other minor changes | +| [Get started with Upgrade Analytics](upgrade/upgrade-readiness-get-started.md) | Updated structure and content | +| [Upgrade Analytics deployment script](upgrade/upgrade-readiness-deployment-script.md) | Added as a separate page from get started | +| [Use Upgrade Analytics to manage Windows upgrades](upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) | Updated with links to new content and information about the target OS setting | +| [Upgrade Analytics - Upgrade overview](upgrade/upgrade-readiness-upgrade-overview.md) | New | +| [Upgrade Analytics - Step 1: Identify important apps](upgrade/upgrade-readiness-identify-apps.md) | Updated topic title and content | +| [Upgrade Analytics - Step 2: Resolve app and driver issues](upgrade/upgrade-readiness-resolve-issues.md) | New | +| [Upgrade Analytics - Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md) | New | +| [Upgrade Analytics - Additional insights](upgrade/upgrade-readiness-additional-insights.md) | New | + + +## January 2017 +| New or changed topic | Description | +|----------------------|-------------| +| [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) | New | +| [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) | New | +| [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) | New | +| [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) | New (previously published in other topics) | +| [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package) | New (previously published in Hardware Dev Center on MSDN) | +| [Create a provisioning package with multivariant settings](/windows/configuration/provisioning-packages/provisioning-multivariant) | New (previously published in Hardware Dev Center on MSDN) | +| [How provisioning works in Windows 10](/windows/configuration/provisioning-packages/provisioning-how-it-works) | New (previously published in Hardware Dev Center on MSDN) | +| [Install Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) | New (previously published in Hardware Dev Center on MSDN) | +| [NFC-based device provisioning](/windows/configuration/mobile-devices/provisioning-nfc) | New (previously published in Hardware Dev Center on MSDN) | +| [Settings changed when you uninstall a provisioning package](/windows/configuration/provisioning-packages/provisioning-uninstall-package) | New (previously published in Hardware Dev Center on MSDN) | +| [Use a script to install a desktop app in provisioning packages](/windows/configuration/provisioning-packages/provisioning-script-to-install-app) | New (previously published in Hardware Dev Center on MSDN) | +| [Windows ICD command-line interface (reference)](/windows/configuration/provisioning-packages/provisioning-command-line) | New (previously published in Hardware Dev Center on MSDN) | +| [Get started with Upgrade Analytics](upgrade/upgrade-readiness-get-started.md) | Updated exit code table with suggested fixes, and added link to the Upgrade Analytics blog | +| [Provision PCs with common settings for initial deployment (simple provisioning)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment) | Instructions for applying the provisioning package moved to [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) | +| [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates) | Instructions for applying the provisioning package moved to [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) | + + +## October 2016 +| New or changed topic | Description | +|----------------------|-------------| +| [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) | New | + +## September 2016 +| New or changed topic | Description | +|----------------------|-------------| +| [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md) | New | +| [Get started with Upgrade Analytics](upgrade/upgrade-readiness-get-started.md) | Updated with prerequisites for site discovery | +| [Resolve application and driver issues](upgrade/upgrade-readiness-resolve-issues.md) | Updated with app status info for Ready For Windows | +| [Review site discovery](upgrade/upgrade-readiness-additional-insights.md) | New | + +## RELEASE: Windows 10, version 1607 + +The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added: + +- [Provisioning packages for Windows 10](/windows/configuration/provisioning-packages/provisioning-packages.md) +- [Provision PCs with apps and certificates for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md) +- [Provision PCs with common settings for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md) + +## August 2016 +| New or changed topic | Description | +|----------------------|-------------| +| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | Updated with reboot requirements | + +## July 2016 +| New or changed topic | Description | +|----------------------|-------------| +| [Manage Windows upgrades with Upgrade Analytics](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) | New | + +## June 2016 +| New or changed topic | Description | +|----------------------|-------------| +| [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) | New | +| [User State Migration Tool Technical Reference](usmt/usmt-technical-reference.md) | Updated support statement for Office 2016 | +| [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) | New | + +## May 2016 +| New or changed topic | Description | +|----------------------|-------------| +| [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md) | New | + +## December 2015 +| New or changed topic | Description | +|----------------------|-------------| +| [Activate using Key Management Service](volume-activation/activate-using-key-management-service-vamt.md) | Updated | +| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | Updated | + +## November 2015 +| New or changed topic | Description | +|----------------------|-------------| +| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | New | + +## Related topics +- [Change history for Plan for Windows 10 deployment](/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment) +- [Change history for Access Protection](/windows/access-protection/change-history-for-access-protection) +- [Change history for Device Security](/windows/device-security/change-history-for-device-security) +- [Change history for Threat Protection](/windows/threat-protection/change-history-for-threat-protection) diff --git a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md index 839fa8a974..784c5a13fd 100644 --- a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md +++ b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md @@ -1,193 +1,193 @@ ---- -title: Configure a PXE server to load Windows PE (Windows 10) -description: This topic describes how to configure a PXE server to load Windows PE so that it can be used with an image file to install Windows 10 from the network. -keywords: upgrade, update, windows, windows 10, pxe, WinPE, image, wim -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.reviewer: -manager: laurawi -author: greg-lindsay -ms.author: greglin -ms.topic: article ---- - -# Configure a PXE server to load Windows PE - -**Applies to** - -- Windows 10 - -## Summary - -This walkthrough describes how to configure a PXE server to load Windows PE by booting a client computer from the network. Using the Windows PE tools and a Windows 10 image file, you can install Windows 10 from the network. - -## Prerequisites - -- A deployment computer: A computer with the [Windows Assessment and Deployment Kit](https://go.microsoft.com/fwlink/p/?LinkId=526803) (Windows ADK) installed. -- A DHCP server: A DHCP server or DHCP proxy configured to respond to PXE client requests is required. -- A PXE server: A server running the TFTP service that can host Windows PE boot files that the client will download. -- A file server: A server hosting a network file share. - -All four of the roles specified above can be hosted on the same computer or each can be on a separate computer. - -## Step 1: Copy Windows PE source files - -1. On the deployment computer, click **Start**, and type **deployment**. - -2. Right-click **Deployment and Imaging Tools Environment** and then click **Run as administrator**. The Deployment and Imaging Tools Environment shortcut opens a Command Prompt window and automatically sets environment variables to point to all the necessary tools. - -3. Run the following command to copy the base Windows PE files into a new folder. The script requires two arguments: hardware architecture and destination location. The value of **<architecture>** can be **x86**, **amd64**, or **arm** and **<destination>** is a path to a local directory. If the directory does not already exist, it will be created. - - ``` - copype.cmd - ``` - - For example, the following command copies **amd64** architecture files to the **C:\winpe_amd64** directory: - - ``` - copype.cmd amd64 C:\winpe_amd64 - ``` - - The script creates the destination directory structure and copies all the necessary files for that architecture. In the previous example, the following directories are created: - - ``` - C:\winpe_amd64 - C:\winpe_amd64\fwfiles - C:\winpe_amd64\media - C:\winpe_amd64\mount - ``` -4. Mount the base Windows PE image (winpe.wim) to the \mount directory using the DISM tool. Mounting an image file unpacks the file contents into a folder so that you can make changes directly or by using tools such as DISM. See the following example. - - ``` - Dism /mount-image /imagefile:c:\winpe_amd64\media\sources\boot.wim /index:1 /mountdir:C:\winpe_amd64\mount - ``` - Verify that "The operation completed successfully" is displayed. Note: To view currently mounted images, type **dism /get-MountedWiminfo**. - -5. Map a network share to the root TFTP directory on the PXE/TFTP server and create a \Boot folder. Consult your TFTP server documentation to determine the root TFTP server directory, then enable sharing for this directory, and verify it can be accessed on the network. In the following example, the PXE server name is PXE-1 and the TFTP root directory is shared using a network path of **\\\PXE-1\TFTPRoot**: - - ``` - net use y: \\PXE-1\TFTPRoot - y: - md boot - ``` -6. Copy the PXE boot files from the mounted directory to the \boot folder. For example: - - ``` - copy c:\winpe_amd64\mount\windows\boot\pxe\*.* y:\boot - ``` -7. Copy the boot.sdi file to the PXE/TFTP server. - - ``` - copy C:\winpe_amd64\media\boot\boot.sdi y:\boot - ``` -8. Copy the bootable Windows PE image (boot.wim) to the \boot folder. - - ``` - copy C:\winpe_amd64\media\sources\boot.wim y:\boot - ``` -9. (Optional) Copy true type fonts to the \boot folder - - ``` - copy C:\winpe_amd64\media\Boot\Fonts y:\boot\Fonts - ``` - -## Step 2: Configure boot settings and copy the BCD file - -1. Create a BCD store using bcdedit.exe: - - ``` - bcdedit /createstore c:\BCD - ``` -2. Configure RAMDISK settings: - - ``` - bcdedit /store c:\BCD /create {ramdiskoptions} /d "Ramdisk options" - bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdidevice boot - bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdipath \boot\boot.sdi - bcdedit /store c:\BCD /create /d "winpe boot image" /application osloader - ``` - The last command will return a GUID, for example: - ``` - The entry {a4f89c62-2142-11e6-80b6-00155da04110} was successfully created. - ``` - Copy this GUID for use in the next set of commands. In each command shown, replace "GUID1" with your GUID. - -3. Create a new boot application entry for the Windows PE image: - - ``` - bcdedit /store c:\BCD /set {GUID1} device ramdisk=[boot]\boot\boot.wim,{ramdiskoptions} - bcdedit /store c:\BCD /set {GUID1} path \windows\system32\winload.exe - bcdedit /store c:\BCD /set {GUID1} osdevice ramdisk=[boot]\boot\boot.wim,{ramdiskoptions} - bcdedit /store c:\BCD /set {GUID1} systemroot \windows - bcdedit /store c:\BCD /set {GUID1} detecthal Yes - bcdedit /store c:\BCD /set {GUID1} winpe Yes - ``` -4. Configure BOOTMGR settings (remember to replace GUID1 in the third command with your GUID): - - ``` - bcdedit /store c:\BCD /create {bootmgr} /d "boot manager" - bcdedit /store c:\BCD /set {bootmgr} timeout 30 - bcdedit /store c:\BCD -displayorder {GUID1} -addlast - ``` -5. Copy the BCD file to your TFTP server: - - ``` - copy c:\BCD \\PXE-1\TFTPRoot\boot\BCD - ``` - -Your PXE/TFTP server is now configured. You can view the BCD settings that have been configured using the command bcdedit /store <BCD file location> /enum all. See the following example. Note: Your GUID will be different than the one shown below. - -``` -C:\>bcdedit /store C:\BCD /enum all -Windows Boot Manager --------------------- -identifier {bootmgr} -description boot manager -displayorder {a4f89c62-2142-11e6-80b6-00155da04110} -timeout 30 - -Windows Boot Loader -------------------- -identifier {a4f89c62-2142-11e6-80b6-00155da04110} -device ramdisk=[boot]\boot\boot.wim,{ramdiskoptions} -description winpe boot image -osdevice ramdisk=[boot]\boot\boot.wim,{ramdiskoptions} -systemroot \Windows -detecthal Yes -winpe Yes - -Setup Ramdisk Options ---------------------- -identifier {ramdiskoptions} -description ramdisk options -ramdisksdidevice boot -ramdisksdipath \boot\boot.sdi -``` - ->[!TIP] ->If you start the PXE boot process, but receive the error that "The boot configuration data for your PC is missing or contains errors" then verify that \\boot directory is installed under the correct TFTP server root directory. In the example used here the name of this directory is TFTPRoot, but your TFTP server might be different. - -## PXE boot process summary - -The following summarizes the PXE client boot process. - ->The following assumes that you have configured DHCP option 67 (Bootfile Name) to "boot\PXEboot.n12" which enables direct boot to PXE with no user interaction. For more information about DHCP options for network boot, see [Managing Network Boot Programs](https://technet.microsoft.com/library/cc732351.aspx). - -1. A client is directed by DHCP options 066 and 067 to download boot\\PXEboot.n12 from the TFTP server. -2. PXEboot.n12 immediately begins a network boot. -3. The client downloads boot\\bootmgr.exe and the boot\\BCD file from the TFTP server. Note: The BCD store must reside in the \\boot directory on the TFTP server and must be named BCD. -5. Bootmgr.exe reads the BCD operating system entries and downloads boot\\boot.sdi and the Windows PE image (boot\\boot.wim). Optional files that can also be downloaded include true type fonts (boot\\Fonts\\wgl4\_boot.ttf) and the hibernation state file (\\hiberfil.sys) if these files are present. -6. Bootmgr.exe starts Windows PE by calling winload.exe within the Windows PE image. -7. Windows PE loads, a command prompt opens and wpeinit.exe is run to initialize Windows PE. -8. The Windows PE client provides access to tools like imagex, diskpart, and bcdboot using the Windows PE command prompt. Using these tools together with a Windows 10 image file, the destination computer can be formatted properly to load a full Windows 10 operating system. - -See Also ---------- - -#### Concepts - -[Windows PE Walkthroughs](https://technet.microsoft.com/library/cc748899.aspx) +--- +title: Configure a PXE server to load Windows PE (Windows 10) +description: This topic describes how to configure a PXE server to load Windows PE so that it can be used with an image file to install Windows 10 from the network. +keywords: upgrade, update, windows, windows 10, pxe, WinPE, image, wim +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.reviewer: +manager: laurawi +audience: itpro author: greg-lindsay +ms.author: greglin +ms.topic: article +--- + +# Configure a PXE server to load Windows PE + +**Applies to** + +- Windows 10 + +## Summary + +This walkthrough describes how to configure a PXE server to load Windows PE by booting a client computer from the network. Using the Windows PE tools and a Windows 10 image file, you can install Windows 10 from the network. + +## Prerequisites + +- A deployment computer: A computer with the [Windows Assessment and Deployment Kit](https://go.microsoft.com/fwlink/p/?LinkId=526803) (Windows ADK) installed. +- A DHCP server: A DHCP server or DHCP proxy configured to respond to PXE client requests is required. +- A PXE server: A server running the TFTP service that can host Windows PE boot files that the client will download. +- A file server: A server hosting a network file share. + +All four of the roles specified above can be hosted on the same computer or each can be on a separate computer. + +## Step 1: Copy Windows PE source files + +1. On the deployment computer, click **Start**, and type **deployment**. + +2. Right-click **Deployment and Imaging Tools Environment** and then click **Run as administrator**. The Deployment and Imaging Tools Environment shortcut opens a Command Prompt window and automatically sets environment variables to point to all the necessary tools. + +3. Run the following command to copy the base Windows PE files into a new folder. The script requires two arguments: hardware architecture and destination location. The value of **<architecture>** can be **x86**, **amd64**, or **arm** and **<destination>** is a path to a local directory. If the directory does not already exist, it will be created. + + ``` + copype.cmd + ``` + + For example, the following command copies **amd64** architecture files to the **C:\winpe_amd64** directory: + + ``` + copype.cmd amd64 C:\winpe_amd64 + ``` + + The script creates the destination directory structure and copies all the necessary files for that architecture. In the previous example, the following directories are created: + + ``` + C:\winpe_amd64 + C:\winpe_amd64\fwfiles + C:\winpe_amd64\media + C:\winpe_amd64\mount + ``` +4. Mount the base Windows PE image (winpe.wim) to the \mount directory using the DISM tool. Mounting an image file unpacks the file contents into a folder so that you can make changes directly or by using tools such as DISM. See the following example. + + ``` + Dism /mount-image /imagefile:c:\winpe_amd64\media\sources\boot.wim /index:1 /mountdir:C:\winpe_amd64\mount + ``` + Verify that "The operation completed successfully" is displayed. Note: To view currently mounted images, type **dism /get-MountedWiminfo**. + +5. Map a network share to the root TFTP directory on the PXE/TFTP server and create a \Boot folder. Consult your TFTP server documentation to determine the root TFTP server directory, then enable sharing for this directory, and verify it can be accessed on the network. In the following example, the PXE server name is PXE-1 and the TFTP root directory is shared using a network path of **\\\PXE-1\TFTPRoot**: + + ``` + net use y: \\PXE-1\TFTPRoot + y: + md boot + ``` +6. Copy the PXE boot files from the mounted directory to the \boot folder. For example: + + ``` + copy c:\winpe_amd64\mount\windows\boot\pxe\*.* y:\boot + ``` +7. Copy the boot.sdi file to the PXE/TFTP server. + + ``` + copy C:\winpe_amd64\media\boot\boot.sdi y:\boot + ``` +8. Copy the bootable Windows PE image (boot.wim) to the \boot folder. + + ``` + copy C:\winpe_amd64\media\sources\boot.wim y:\boot + ``` +9. (Optional) Copy true type fonts to the \boot folder + + ``` + copy C:\winpe_amd64\media\Boot\Fonts y:\boot\Fonts + ``` + +## Step 2: Configure boot settings and copy the BCD file + +1. Create a BCD store using bcdedit.exe: + + ``` + bcdedit /createstore c:\BCD + ``` +2. Configure RAMDISK settings: + + ``` + bcdedit /store c:\BCD /create {ramdiskoptions} /d "Ramdisk options" + bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdidevice boot + bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdipath \boot\boot.sdi + bcdedit /store c:\BCD /create /d "winpe boot image" /application osloader + ``` + The last command will return a GUID, for example: + ``` + The entry {a4f89c62-2142-11e6-80b6-00155da04110} was successfully created. + ``` + Copy this GUID for use in the next set of commands. In each command shown, replace "GUID1" with your GUID. + +3. Create a new boot application entry for the Windows PE image: + + ``` + bcdedit /store c:\BCD /set {GUID1} device ramdisk=[boot]\boot\boot.wim,{ramdiskoptions} + bcdedit /store c:\BCD /set {GUID1} path \windows\system32\winload.exe + bcdedit /store c:\BCD /set {GUID1} osdevice ramdisk=[boot]\boot\boot.wim,{ramdiskoptions} + bcdedit /store c:\BCD /set {GUID1} systemroot \windows + bcdedit /store c:\BCD /set {GUID1} detecthal Yes + bcdedit /store c:\BCD /set {GUID1} winpe Yes + ``` +4. Configure BOOTMGR settings (remember to replace GUID1 in the third command with your GUID): + + ``` + bcdedit /store c:\BCD /create {bootmgr} /d "boot manager" + bcdedit /store c:\BCD /set {bootmgr} timeout 30 + bcdedit /store c:\BCD -displayorder {GUID1} -addlast + ``` +5. Copy the BCD file to your TFTP server: + + ``` + copy c:\BCD \\PXE-1\TFTPRoot\boot\BCD + ``` + +Your PXE/TFTP server is now configured. You can view the BCD settings that have been configured using the command bcdedit /store <BCD file location> /enum all. See the following example. Note: Your GUID will be different than the one shown below. + +``` +C:\>bcdedit /store C:\BCD /enum all +Windows Boot Manager +-------------------- +identifier {bootmgr} +description boot manager +displayorder {a4f89c62-2142-11e6-80b6-00155da04110} +timeout 30 + +Windows Boot Loader +------------------- +identifier {a4f89c62-2142-11e6-80b6-00155da04110} +device ramdisk=[boot]\boot\boot.wim,{ramdiskoptions} +description winpe boot image +osdevice ramdisk=[boot]\boot\boot.wim,{ramdiskoptions} +systemroot \Windows +detecthal Yes +winpe Yes + +Setup Ramdisk Options +--------------------- +identifier {ramdiskoptions} +description ramdisk options +ramdisksdidevice boot +ramdisksdipath \boot\boot.sdi +``` + +>[!TIP] +>If you start the PXE boot process, but receive the error that "The boot configuration data for your PC is missing or contains errors" then verify that \\boot directory is installed under the correct TFTP server root directory. In the example used here the name of this directory is TFTPRoot, but your TFTP server might be different. + +## PXE boot process summary + +The following summarizes the PXE client boot process. + +>The following assumes that you have configured DHCP option 67 (Bootfile Name) to "boot\PXEboot.n12" which enables direct boot to PXE with no user interaction. For more information about DHCP options for network boot, see [Managing Network Boot Programs](https://technet.microsoft.com/library/cc732351.aspx). + +1. A client is directed by DHCP options 066 and 067 to download boot\\PXEboot.n12 from the TFTP server. +2. PXEboot.n12 immediately begins a network boot. +3. The client downloads boot\\bootmgr.exe and the boot\\BCD file from the TFTP server. Note: The BCD store must reside in the \\boot directory on the TFTP server and must be named BCD. +5. Bootmgr.exe reads the BCD operating system entries and downloads boot\\boot.sdi and the Windows PE image (boot\\boot.wim). Optional files that can also be downloaded include true type fonts (boot\\Fonts\\wgl4\_boot.ttf) and the hibernation state file (\\hiberfil.sys) if these files are present. +6. Bootmgr.exe starts Windows PE by calling winload.exe within the Windows PE image. +7. Windows PE loads, a command prompt opens and wpeinit.exe is run to initialize Windows PE. +8. The Windows PE client provides access to tools like imagex, diskpart, and bcdboot using the Windows PE command prompt. Using these tools together with a Windows 10 image file, the destination computer can be formatted properly to load a full Windows 10 operating system. + +See Also +--------- + +#### Concepts + +[Windows PE Walkthroughs](https://technet.microsoft.com/library/cc748899.aspx) diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index c2e812f355..55c9e3dfac 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -1,252 +1,252 @@ ---- -title: Deploy Windows 10 Enterprise licenses -ms.reviewer: -manager: laurawi -ms.author: greg-lindsay -description: Steps to deploy Windows 10 Enterprise licenses for Windows 10 Enterprise E3 or E5 Subscription Activation, or for Windows 10 Enterprise E3 in CSP -keywords: upgrade, update, task sequence, deploy -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -author: greg-lindsay -ms.topic: article ---- - -# Deploy Windows 10 Enterprise licenses - -This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with [Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md) or [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD). - ->[!NOTE] ->* Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later. ->* Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later. ->* Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key. - -## Firmware-embedded activation key - -To determine if the computer has a firmware-embedded activation key, type the following command at an elevated Windows PowerShell prompt - -``` -(Get-WmiObject -query ‘select * from SoftwareLicensingService’).OA3xOriginalProductKey -``` - -If the device has a firmware-embedded activation key, it will be displayed in the output. If the output is blank, the device does not have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key. - -## Enabling Subscription Activation with an existing EA - -If you are an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant: - -1. Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license: -2. **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3 -3. **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5 -4. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant. -5. The admin can now assign subscription licenses to users. - ->Use the following process if you need to update contact information and retrigger activation in order to resend the activation email: - -1. Sign in to the [Microsoft Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). -2. Click on **Subscriptions**. -3. Click on **Online Services Agreement List**. -4. Enter your agreement number, and then click **Search**. -5. Click the **Service Name**. -6. In the **Subscription Contact** section, click the name listed under **Last Name**. -7. Update the contact information, then click **Update Contact Details**. This will trigger a new email. - -Also in this article: -- [Explore the upgrade experience](#explore-the-upgrade-experience): How to upgrade devices using the deployed licenses. -- [Troubleshoot the user experience](#troubleshoot-the-user-experience): Examples of some license activation issues that can be encountered, and how to resolve them. - -## Active Directory synchronization with Azure AD - -You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises ADDS domain with Azure AD. - -You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Enterprise E3 or E5). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. - -**Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](https://www.microsoft.com/en-us/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure. - -![Illustration of Azure Active Directory Connect](images/enterprise-e3-ad-connect.png) - -**Figure 1. On-premises AD DS integrated with Azure AD** - -For more information about integrating on-premises AD DS domains with Azure AD, see the following resources: - -- [Integrating your on-premises identities with Azure Active Directory](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect/) -- [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/) - ->[!NOTE] ->If you are implementing Azure AD, and you already have an on-premises domain, you don't need to integrate with Azure AD, since your main authentication method is your internal AD. If you want to manage all your infrastructure in the cloud, you can safely configure your domain controller remotely to integrate your computers with Azure AD, but you won't be able to apply fine controls using GPO. Azure AD is best suited for the global administration of devices when you don't have any on-premises servers. - -## Preparing for deployment: reviewing requirements - -Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic. - -## Assigning licenses to users - -Upon acquisition of Windows 10 subscription has been completed (Windows 10 Business, E3 or E5), customers will receive an email that will provide guidance on how to use Windows as an online service: - -![profile](images/al01.png) - -The following methods are available to assign licenses: - -1. When you have the required Azure AD subscription, [group-based licensing](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users. -2. You can sign in to portal.office.com and manually assign licenses: - - ![portal](images/al02.png) - -3. You can assign licenses by uploading a spreadsheet. -4. A per-user [PowerShell scripted method](https://social.technet.microsoft.com/wiki/contents/articles/15905.how-to-use-powershell-to-automatically-assign-licenses-to-your-office-365-users.aspx) of assigning licenses is available. -5. Organizations can use synchronized [AD groups](https://ronnydejong.com/2015/03/04/assign-ems-licenses-based-on-local-active-directory-group-membership/) to automatically assign licenses. - -## Explore the upgrade experience - -Now that your subscription has been established and Windows 10 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, (version 1703 or later) to Windows 10 Enterprise. What will the users experience? How will they upgrade their devices? - -### Step 1: Join Windows 10 Pro devices to Azure AD - -Users can join a Windows 10 Pro device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703. - -**To join a device to Azure AD the first time the device is started** - -1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 2**. - - Who owns this PC? page in Windows 10 setup - - **Figure 2. The “Who owns this PC?” page in initial Windows 10 setup** - -2. On the **Choose how you’ll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 3**. - - Choose how you'll connect - page in Windows 10 setup - - **Figure 3. The “Choose how you’ll connect” page in initial Windows 10 setup** - -3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 4**. - - Let's get you signed in - page in Windows 10 setup - - **Figure 4. The “Let’s get you signed in” page in initial Windows 10 setup** - -Now the device is Azure AD joined to the company’s subscription. - -**To join a device to Azure AD when the device already has Windows 10 Pro, version 1703 installed and set up** - ->[!IMPORTANT] ->Make sure that the user you're signing in with is **not** a BUILTIN/Administrator. That user cannot use the `+ Connect` button to join a work or school account. - -1. Go to **Settings > Accounts > Access work or school**, as illustrated in **Figure 5**. - - Connect to work or school configuration - - **Figure 5. Connect to work or school configuration in Settings** - -2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 6**. - - Set up a work or school account - - **Figure 6. Set up a work or school account** - -3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 7**. - - Let's get you signed in - dialog box - - **Figure 7. The “Let’s get you signed in” dialog box** - -Now the device is Azure AD joined to the company’s subscription. - -### Step 2: Pro edition activation - ->[!IMPORTANT] ->If your device is running Windows 10, version 1803 or later, this step is not needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key. ->If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**. - - -Windows 10 Pro activated -Figure 7a - Windows 10 Pro activation in Settings - -Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only). - - -### Step 3: Sign in using Azure AD account - -Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device. - -Sign in, Windows 10 - -**Figure 8. Sign in by using Azure AD account** - -### Step 4: Verify that Enterprise edition is enabled - -You can verify the Windows 10 Enterprise E3 or E5 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**. - - -Windows 10 activated and subscription active - -**Figure 9 - Windows 10 Enterprise subscription in Settings** - - -If there are any problems with the Windows 10 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process. - ->[!NOTE] ->If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following: ->Name: Windows(R), Professional edition ->Description: Windows(R) Operating System, RETAIL channel ->Partial Product Key: 3V66T - -## Virtual Desktop Access (VDA) - -Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx). - -Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Enterprise Subscription Activation](vda-subscription-activation.md). - -## Troubleshoot the user experience - -In some instances, users may experience problems with the Windows 10 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows: - -- The existing Windows 10 Pro, version 1703 or 1709 operating system is not activated. This problem does not apply to Windows 10, version 1803 or later. - -- The Windows 10 Enterprise E3 or E5 subscription has lapsed or has been removed. - -Use the following figures to help you troubleshoot when users experience these common problems: - -- [Figure 9](#win-10-activated-subscription-active) (above) illustrates a device in a healthy state, where Windows 10 Pro is activated and the Windows 10 Enterprise subscription is active. - -- [Figure 10](#win-10-not-activated) (below) illustrates a device on which Windows 10 Pro is not activated, but the Windows 10 Enterprise subscription is active. - -- [Figure 11](#subscription-not-active) (below) illustrates a device on which Windows 10 Pro is activated, but the Windows 10 Enterprise subscription is lapsed or removed. - -- [Figure 12](#win-10-not-activated-subscription-not-active) (below) illustrates a device on which Windows 10 Pro license is not activated and the Windows 10 Enterprise subscription is lapsed or removed. - - - -Windows 10 not activated and subscription active -Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings - - - -Windows 10 activated and subscription not active -Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings - - - -Windows 10 not activated and subscription not active -Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings - - -### Review requirements on devices - -Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements. - -**To determine if a device is Azure Active Directory joined:** - -1. Open a command prompt and type **dsregcmd /status**. - -2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory joined. - -**To determine the version of Windows 10:** - -- At a command prompt, type: - **winver** - - A popup window will display the Windows 10 version number and detailed OS build information. - - If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal. +--- +title: Deploy Windows 10 Enterprise licenses +ms.reviewer: +manager: laurawi +ms.audience: itpro author: greg-lindsay +description: Steps to deploy Windows 10 Enterprise licenses for Windows 10 Enterprise E3 or E5 Subscription Activation, or for Windows 10 Enterprise E3 in CSP +keywords: upgrade, update, task sequence, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: mdt +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Deploy Windows 10 Enterprise licenses + +This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with [Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md) or [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD). + +>[!NOTE] +>* Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later. +>* Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later. +>* Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key. + +## Firmware-embedded activation key + +To determine if the computer has a firmware-embedded activation key, type the following command at an elevated Windows PowerShell prompt + +``` +(Get-WmiObject -query ‘select * from SoftwareLicensingService’).OA3xOriginalProductKey +``` + +If the device has a firmware-embedded activation key, it will be displayed in the output. If the output is blank, the device does not have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key. + +## Enabling Subscription Activation with an existing EA + +If you are an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant: + +1. Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license: +2. **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3 +3. **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5 +4. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant. +5. The admin can now assign subscription licenses to users. + +>Use the following process if you need to update contact information and retrigger activation in order to resend the activation email: + +1. Sign in to the [Microsoft Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). +2. Click on **Subscriptions**. +3. Click on **Online Services Agreement List**. +4. Enter your agreement number, and then click **Search**. +5. Click the **Service Name**. +6. In the **Subscription Contact** section, click the name listed under **Last Name**. +7. Update the contact information, then click **Update Contact Details**. This will trigger a new email. + +Also in this article: +- [Explore the upgrade experience](#explore-the-upgrade-experience): How to upgrade devices using the deployed licenses. +- [Troubleshoot the user experience](#troubleshoot-the-user-experience): Examples of some license activation issues that can be encountered, and how to resolve them. + +## Active Directory synchronization with Azure AD + +You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises ADDS domain with Azure AD. + +You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Enterprise E3 or E5). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. + +**Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](https://www.microsoft.com/en-us/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure. + +![Illustration of Azure Active Directory Connect](images/enterprise-e3-ad-connect.png) + +**Figure 1. On-premises AD DS integrated with Azure AD** + +For more information about integrating on-premises AD DS domains with Azure AD, see the following resources: + +- [Integrating your on-premises identities with Azure Active Directory](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect/) +- [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/) + +>[!NOTE] +>If you are implementing Azure AD, and you already have an on-premises domain, you don't need to integrate with Azure AD, since your main authentication method is your internal AD. If you want to manage all your infrastructure in the cloud, you can safely configure your domain controller remotely to integrate your computers with Azure AD, but you won't be able to apply fine controls using GPO. Azure AD is best suited for the global administration of devices when you don't have any on-premises servers. + +## Preparing for deployment: reviewing requirements + +Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic. + +## Assigning licenses to users + +Upon acquisition of Windows 10 subscription has been completed (Windows 10 Business, E3 or E5), customers will receive an email that will provide guidance on how to use Windows as an online service: + +![profile](images/al01.png) + +The following methods are available to assign licenses: + +1. When you have the required Azure AD subscription, [group-based licensing](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users. +2. You can sign in to portal.office.com and manually assign licenses: + + ![portal](images/al02.png) + +3. You can assign licenses by uploading a spreadsheet. +4. A per-user [PowerShell scripted method](https://social.technet.microsoft.com/wiki/contents/articles/15905.how-to-use-powershell-to-automatically-assign-licenses-to-your-office-365-users.aspx) of assigning licenses is available. +5. Organizations can use synchronized [AD groups](https://ronnydejong.com/2015/03/04/assign-ems-licenses-based-on-local-active-directory-group-membership/) to automatically assign licenses. + +## Explore the upgrade experience + +Now that your subscription has been established and Windows 10 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, (version 1703 or later) to Windows 10 Enterprise. What will the users experience? How will they upgrade their devices? + +### Step 1: Join Windows 10 Pro devices to Azure AD + +Users can join a Windows 10 Pro device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703. + +**To join a device to Azure AD the first time the device is started** + +1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 2**. + + Who owns this PC? page in Windows 10 setup + + **Figure 2. The “Who owns this PC?” page in initial Windows 10 setup** + +2. On the **Choose how you’ll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 3**. + + Choose how you'll connect - page in Windows 10 setup + + **Figure 3. The “Choose how you’ll connect” page in initial Windows 10 setup** + +3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 4**. + + Let's get you signed in - page in Windows 10 setup + + **Figure 4. The “Let’s get you signed in” page in initial Windows 10 setup** + +Now the device is Azure AD joined to the company’s subscription. + +**To join a device to Azure AD when the device already has Windows 10 Pro, version 1703 installed and set up** + +>[!IMPORTANT] +>Make sure that the user you're signing in with is **not** a BUILTIN/Administrator. That user cannot use the `+ Connect` button to join a work or school account. + +1. Go to **Settings > Accounts > Access work or school**, as illustrated in **Figure 5**. + + Connect to work or school configuration + + **Figure 5. Connect to work or school configuration in Settings** + +2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 6**. + + Set up a work or school account + + **Figure 6. Set up a work or school account** + +3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 7**. + + Let's get you signed in - dialog box + + **Figure 7. The “Let’s get you signed in” dialog box** + +Now the device is Azure AD joined to the company’s subscription. + +### Step 2: Pro edition activation + +>[!IMPORTANT] +>If your device is running Windows 10, version 1803 or later, this step is not needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key. +>If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**. + + +Windows 10 Pro activated +Figure 7a - Windows 10 Pro activation in Settings + +Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only). + + +### Step 3: Sign in using Azure AD account + +Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device. + +Sign in, Windows 10 + +**Figure 8. Sign in by using Azure AD account** + +### Step 4: Verify that Enterprise edition is enabled + +You can verify the Windows 10 Enterprise E3 or E5 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**. + + +Windows 10 activated and subscription active + +**Figure 9 - Windows 10 Enterprise subscription in Settings** + + +If there are any problems with the Windows 10 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process. + +>[!NOTE] +>If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following: +>Name: Windows(R), Professional edition +>Description: Windows(R) Operating System, RETAIL channel +>Partial Product Key: 3V66T + +## Virtual Desktop Access (VDA) + +Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx). + +Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Enterprise Subscription Activation](vda-subscription-activation.md). + +## Troubleshoot the user experience + +In some instances, users may experience problems with the Windows 10 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows: + +- The existing Windows 10 Pro, version 1703 or 1709 operating system is not activated. This problem does not apply to Windows 10, version 1803 or later. + +- The Windows 10 Enterprise E3 or E5 subscription has lapsed or has been removed. + +Use the following figures to help you troubleshoot when users experience these common problems: + +- [Figure 9](#win-10-activated-subscription-active) (above) illustrates a device in a healthy state, where Windows 10 Pro is activated and the Windows 10 Enterprise subscription is active. + +- [Figure 10](#win-10-not-activated) (below) illustrates a device on which Windows 10 Pro is not activated, but the Windows 10 Enterprise subscription is active. + +- [Figure 11](#subscription-not-active) (below) illustrates a device on which Windows 10 Pro is activated, but the Windows 10 Enterprise subscription is lapsed or removed. + +- [Figure 12](#win-10-not-activated-subscription-not-active) (below) illustrates a device on which Windows 10 Pro license is not activated and the Windows 10 Enterprise subscription is lapsed or removed. + + + +Windows 10 not activated and subscription active +Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings + + + +Windows 10 activated and subscription not active +Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings + + + +Windows 10 not activated and subscription not active +Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings + + +### Review requirements on devices + +Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements. + +**To determine if a device is Azure Active Directory joined:** + +1. Open a command prompt and type **dsregcmd /status**. + +2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory joined. + +**To determine the version of Windows 10:** + +- At a command prompt, type: + **winver** + + A popup window will display the Windows 10 version number and detailed OS build information. + + If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal. diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md index 45e5fb53df..1ec460b74e 100644 --- a/windows/deployment/deploy-m365.md +++ b/windows/deployment/deploy-m365.md @@ -1,78 +1,78 @@ ---- -title: Deploy Windows 10 with Microsoft 365 -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Concepts about deploying Windows 10 for M365 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -keywords: deployment, automate, tools, configure, mdt, sccm, M365 -ms.localizationpriority: medium -author: greg-lindsay -ms.topic: article -ms.collection: M365-modern-desktop ---- - -# Deploy Windows 10 with Microsoft 365 - -**Applies to** - -- Windows 10 - -This topic provides a brief overview of Microsoft 365 and describes how to use a free 90-day trial account to review some of the benefits of Microsoft 365. - -[Microsoft 365](https://www.microsoft.com/microsoft-365) is a new offering from Microsoft that combines [Windows 10](https://www.microsoft.com/windows/features) with [Office 365](https://products.office.com/business/explore-office-365-for-business), and [Enterprise Mobility and Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) (EMS). See the [M365 Enterprise poster](#m365-enterprise-poster) for an overview. - -For Windows 10 deployment, Microsoft 365 includes a fantastic deployment advisor that can walk you through the entire process of deploying Windows 10. The wizard supports multiple Windows 10 deployment methods, including: - -- Windows Autopilot -- In-place upgrade -- Deploying Windows 10 upgrade with Intune -- Deploying Windows 10 upgrade with System Center Configuration Manager -- Deploying a computer refresh with System Center Configuration Manager - -## Free trial account - -**If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center** - -From the [Microsoft 365 Admin Center](https://portal.office.com), go to Billing and then Purchase services. -In the Enterprise Suites section of the service offerings, you will find Microsoft 365 E3 and Microsoft 365 E5 tiles. -There are "Start Free Trial" options available for your selection by hovering your mouse over the tiles. - -**If you do not already have a Microsoft services subscription** - -You can check out the Microsoft 365 deployment advisor and other resources for free! Just follow the steps below. - ->[!NOTE] ->If you have not run a setup guide before, you will see the **Prepare your environment** guide first. This is to make sure you have basics covered like domain verification and a method for adding users. At the end of the "Prepare your environment" guide, there will be a **Ready to continue** button that sends you to the original guide that was selected. - -1. [Obtain a free M365 trial](https://docs.microsoft.com/office365/admin/try-or-buy-microsoft-365). -2. Check out the [Microsoft 365 deployment advisor](https://portal.office.com/onboarding/Microsoft365DeploymentAdvisor#/). -3. Also check out the [Windows Analytics deployment advisor](https://portal.office.com/onboarding/WindowsAnalyticsDeploymentAdvisor#/). This advisor will walk you through deploying [Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness), [Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), and [Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor). - -That's all there is to it! - -Examples of these two deployment advisors are shown below. - -- [Microsoft 365 deployment advisor example](#microsoft-365-deployment-advisor-example) -- [Windows Analytics deployment advisor example](#windows-analytics-deployment-advisor-example) - -## Microsoft 365 deployment advisor example -![Microsoft 365 deployment advisor](images/m365da.png) - -## Windows Analytics deployment advisor example - - -## M365 Enterprise poster - -[![M365 Enterprise poster](images/m365e.png)](https://aka.ms/m365eposter) - -## Related Topics - -[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
          -[Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) - - - +--- +title: Deploy Windows 10 with Microsoft 365 +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Concepts about deploying Windows 10 for M365 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +keywords: deployment, automate, tools, configure, mdt, sccm, M365 +ms.localizationpriority: medium +audience: itpro author: greg-lindsay +ms.topic: article +ms.collection: M365-modern-desktop +--- + +# Deploy Windows 10 with Microsoft 365 + +**Applies to** + +- Windows 10 + +This topic provides a brief overview of Microsoft 365 and describes how to use a free 90-day trial account to review some of the benefits of Microsoft 365. + +[Microsoft 365](https://www.microsoft.com/microsoft-365) is a new offering from Microsoft that combines [Windows 10](https://www.microsoft.com/windows/features) with [Office 365](https://products.office.com/business/explore-office-365-for-business), and [Enterprise Mobility and Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) (EMS). See the [M365 Enterprise poster](#m365-enterprise-poster) for an overview. + +For Windows 10 deployment, Microsoft 365 includes a fantastic deployment advisor that can walk you through the entire process of deploying Windows 10. The wizard supports multiple Windows 10 deployment methods, including: + +- Windows Autopilot +- In-place upgrade +- Deploying Windows 10 upgrade with Intune +- Deploying Windows 10 upgrade with System Center Configuration Manager +- Deploying a computer refresh with System Center Configuration Manager + +## Free trial account + +**If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center** + +From the [Microsoft 365 Admin Center](https://portal.office.com), go to Billing and then Purchase services. +In the Enterprise Suites section of the service offerings, you will find Microsoft 365 E3 and Microsoft 365 E5 tiles. +There are "Start Free Trial" options available for your selection by hovering your mouse over the tiles. + +**If you do not already have a Microsoft services subscription** + +You can check out the Microsoft 365 deployment advisor and other resources for free! Just follow the steps below. + +>[!NOTE] +>If you have not run a setup guide before, you will see the **Prepare your environment** guide first. This is to make sure you have basics covered like domain verification and a method for adding users. At the end of the "Prepare your environment" guide, there will be a **Ready to continue** button that sends you to the original guide that was selected. + +1. [Obtain a free M365 trial](https://docs.microsoft.com/office365/admin/try-or-buy-microsoft-365). +2. Check out the [Microsoft 365 deployment advisor](https://portal.office.com/onboarding/Microsoft365DeploymentAdvisor#/). +3. Also check out the [Windows Analytics deployment advisor](https://portal.office.com/onboarding/WindowsAnalyticsDeploymentAdvisor#/). This advisor will walk you through deploying [Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness), [Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), and [Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor). + +That's all there is to it! + +Examples of these two deployment advisors are shown below. + +- [Microsoft 365 deployment advisor example](#microsoft-365-deployment-advisor-example) +- [Windows Analytics deployment advisor example](#windows-analytics-deployment-advisor-example) + +## Microsoft 365 deployment advisor example +![Microsoft 365 deployment advisor](images/m365da.png) + +## Windows Analytics deployment advisor example + + +## M365 Enterprise poster + +[![M365 Enterprise poster](images/m365e.png)](https://aka.ms/m365eposter) + +## Related Topics + +[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
          +[Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) + + + diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index a26e40feb5..85ffed51b0 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -1,184 +1,184 @@ ---- -title: What's new in Windows 10 deployment -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Changes and new features related to Windows 10 deployment -keywords: deployment, automate, tools, configure, news -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.prod: w10 -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.topic: article ---- - -# What's new in Windows 10 deployment - -**Applies to** -- Windows 10 - -## In this topic - -This topic provides an overview of new solutions and online content related to deploying Windows 10 in your organization. - -- For an all-up overview of new features in Windows 10, see [What's new in Windows 10](https://docs.microsoft.com/windows/whats-new/index). -- For a detailed list of changes to Windows 10 ITPro TechNet library content, see [Online content change history](#online-content-change-history). - -## Recent additions to this page - -[SetupDiag](#setupdiag) 1.4.1 is released.
          -The [Windows ADK for Windows 10, version 1903](https://docs.microsoft.com/windows-hardware/get-started/adk-install) is available.
          -New [Windows Autopilot](#windows-autopilot) content is available.
          -[Windows 10 Subscription Activation](#windows-10-subscription-activation) now supports Windows 10 Education. - -## The Modern Desktop Deployment Center - -The [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) has launched with tons of content to help you with large-scale deployment of Windows 10 and Office 365 ProPlus. - -## Microsoft 365 - -Microsoft 365 is a new offering from Microsoft that combines -- Windows 10 -- Office 365 -- Enterprise Mobility and Security (EMS). - -See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, which now includes a link to download a nifty [M365 Enterprise poster](deploy-m365.md#m365-enterprise-poster). - -## Windows 10 servicing and support - -- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Office 365 ProPlus updates, and Intune content, with System Center Configuration Manager content coming soon! -- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. -- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. -- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. -- **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again. -- **Improved update notifications**: When there’s an update requiring you to restart your device, you’ll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar. -- **Intelligent active hours**: To further enhance active hours, users will now have the option to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns. -- **Improved update orchestration to improve system responsiveness**: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions. - -Microsoft previously announced that we are [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. This includes all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Office 365 ProPlus will continue to be supported for 18 months (there is no change for these editions). These support policies are summarized in the table below. - -![Support lifecycle](images/support-cycle.png) - -## Windows 10 Enterprise upgrade - -Windows 10 version 1703 includes a Windows 10 Enterprise E3 and E5 benefit to Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA). These customers can now subscribe users to Windows 10 Enterprise E3 or E5 and activate their subscriptions on up to five devices. Virtual machines can also be activated. For more information, see [Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md). - -Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. With Windows 10 Enterprise E3 in CSP, small and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features. - -For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) - - -## Deployment solutions and tools - -### Windows Autopilot - -[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose and recover devices. - -The following Windows Autopilot features are available in Windows 10, version 1903 and later: - -- [Windows Autopilot for white glove deployment](https://docs.microsoft.com/windows/deployment/windows-autopilot/white-glove) is new in Windows 10, version 1903. "White glove" deployment enables partners or IT staff to pre-provision devices so they are fully configured and business ready for your users. -- The Intune [enrollment status page](https://docs.microsoft.com/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions​. -- [Cortana voiceover](https://docs.microsoft.com/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs. -- Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE. -- Windows Autopilot will set the [diagnostics data](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE. - -### Windows 10 Subscription Activation - -Windows 10 Education support has been added to Windows 10 Subscription Activation. - -With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions – Windows 10 Education. For more information, see [Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation). - -### SetupDiag - -[SetupDiag](upgrade/setupdiag.md) is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful. - -SetupDiag version 1.4.1 was released on 5/17/2019. - -### Upgrade Readiness - -The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. - -Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. - -The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled. - -For more information about Upgrade Readiness, see the following topics: - -- [Windows Analytics blog](https://aka.ms/blog/WindowsAnalytics/) -- [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) - - -### Update Compliance - -Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date. - -Update Compliance is a solution built using OMS Logs and Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues. - -For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md). - -### Device Health - -Device Health is the newest Windows Analytics solution that complements the existing Upgrade Readiness and Update Compliance solutions by helping to identify devices crashes and the cause. Device drivers that are causing crashes are identified along with alternative drivers that might reduce the number of crashes. Windows Information Protection misconfigurations are also identified. For more information, see [Monitor the health of devices with Device Health](update/device-health-monitor.md) - -### MBR2GPT - -MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. Previously, it was necessary to image, then wipe and reload a disk to change from MBR format to GPT. - -There are many benefits to converting the partition style of a disk to GPT, including the use of larger disk partitions, added data reliability, and faster boot and shutdown speeds. The GPT format also enables you to use the Unified Extensible Firmware Interface (UEFI) which replaces the Basic Input/Output System (BIOS) firmware interface. Security features of Windows 10 that require UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock. - -For more information, see [MBR2GPT.EXE](mbr-to-gpt.md). - - -### Microsoft Deployment Toolkit (MDT) - -MDT build 8456 (12/19/2018) is available, including support for Windows 10, version 1809, and Windows Server 2019. - -For more information about MDT, see the [MDT resource page](https://docs.microsoft.com/sccm/mdt/). - - -### Windows Assessment and Deployment Kit (ADK) - -The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. See the following topics: - -- [What's new in ADK kits and tools](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools) -- [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) - - -## Testing and validation guidance - -### Windows 10 deployment proof of concept (PoC) - -The Windows 10 PoC guide enables you to test Windows 10 deployment in a virtual environment and become familiar with deployment tools such as MDT and Configuration Manager. The PoC guide provides step-by-step instructions for installing and using Hyper-V to create a virtual lab environment. The guide makes extensive use of Windows PowerShell to streamline each phase of the installation and setup. - -For more information, see the following guides: - -- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) -- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) -- [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) - - -## Troubleshooting guidance - -[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) was published in October of 2016 and will continue to be updated with new fixes. The topic provides a detailed explanation of the Windows 10 upgrade process and instructions on how to locate, interpret, and resolve specific errors that can be encountered during the upgrade process. - - -## Online content change history - -The following topics provide a change history for Windows 10 ITPro TechNet library content related to deploying and using Windows 10. - -[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) -
          [Change history for Access Protection](/windows/access-protection/change-history-for-access-protection) -
          [Change history for Device Security](/windows/device-security/change-history-for-device-security) -
          [Change history for Threat Protection](/windows/threat-protection/change-history-for-threat-protection) - - -## Related topics - -[Overview of Windows as a service](update/waas-overview.md) -
          [Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md) -
          [Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information) -
          [Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/en-us/windows/windows-10-specifications) -
          [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) -
          [Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md) +--- +title: What's new in Windows 10 deployment +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Changes and new features related to Windows 10 deployment +keywords: deployment, automate, tools, configure, news +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.prod: w10 +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# What's new in Windows 10 deployment + +**Applies to** +- Windows 10 + +## In this topic + +This topic provides an overview of new solutions and online content related to deploying Windows 10 in your organization. + +- For an all-up overview of new features in Windows 10, see [What's new in Windows 10](https://docs.microsoft.com/windows/whats-new/index). +- For a detailed list of changes to Windows 10 ITPro TechNet library content, see [Online content change history](#online-content-change-history). + +## Recent additions to this page + +[SetupDiag](#setupdiag) 1.4.1 is released.
          +The [Windows ADK for Windows 10, version 1903](https://docs.microsoft.com/windows-hardware/get-started/adk-install) is available.
          +New [Windows Autopilot](#windows-autopilot) content is available.
          +[Windows 10 Subscription Activation](#windows-10-subscription-activation) now supports Windows 10 Education. + +## The Modern Desktop Deployment Center + +The [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) has launched with tons of content to help you with large-scale deployment of Windows 10 and Office 365 ProPlus. + +## Microsoft 365 + +Microsoft 365 is a new offering from Microsoft that combines +- Windows 10 +- Office 365 +- Enterprise Mobility and Security (EMS). + +See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, which now includes a link to download a nifty [M365 Enterprise poster](deploy-m365.md#m365-enterprise-poster). + +## Windows 10 servicing and support + +- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Office 365 ProPlus updates, and Intune content, with System Center Configuration Manager content coming soon! +- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. +- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. +- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. +- **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again. +- **Improved update notifications**: When there’s an update requiring you to restart your device, you’ll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar. +- **Intelligent active hours**: To further enhance active hours, users will now have the option to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns. +- **Improved update orchestration to improve system responsiveness**: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions. + +Microsoft previously announced that we are [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. This includes all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Office 365 ProPlus will continue to be supported for 18 months (there is no change for these editions). These support policies are summarized in the table below. + +![Support lifecycle](images/support-cycle.png) + +## Windows 10 Enterprise upgrade + +Windows 10 version 1703 includes a Windows 10 Enterprise E3 and E5 benefit to Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA). These customers can now subscribe users to Windows 10 Enterprise E3 or E5 and activate their subscriptions on up to five devices. Virtual machines can also be activated. For more information, see [Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md). + +Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. With Windows 10 Enterprise E3 in CSP, small and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features. + +For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) + + +## Deployment solutions and tools + +### Windows Autopilot + +[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose and recover devices. + +The following Windows Autopilot features are available in Windows 10, version 1903 and later: + +- [Windows Autopilot for white glove deployment](https://docs.microsoft.com/windows/deployment/windows-autopilot/white-glove) is new in Windows 10, version 1903. "White glove" deployment enables partners or IT staff to pre-provision devices so they are fully configured and business ready for your users. +- The Intune [enrollment status page](https://docs.microsoft.com/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions​. +- [Cortana voiceover](https://docs.microsoft.com/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs. +- Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE. +- Windows Autopilot will set the [diagnostics data](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE. + +### Windows 10 Subscription Activation + +Windows 10 Education support has been added to Windows 10 Subscription Activation. + +With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions – Windows 10 Education. For more information, see [Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation). + +### SetupDiag + +[SetupDiag](upgrade/setupdiag.md) is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful. + +SetupDiag version 1.4.1 was released on 5/17/2019. + +### Upgrade Readiness + +The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. + +Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. + +The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled. + +For more information about Upgrade Readiness, see the following topics: + +- [Windows Analytics blog](https://aka.ms/blog/WindowsAnalytics/) +- [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) + + +### Update Compliance + +Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date. + +Update Compliance is a solution built using OMS Logs and Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues. + +For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md). + +### Device Health + +Device Health is the newest Windows Analytics solution that complements the existing Upgrade Readiness and Update Compliance solutions by helping to identify devices crashes and the cause. Device drivers that are causing crashes are identified along with alternative drivers that might reduce the number of crashes. Windows Information Protection misconfigurations are also identified. For more information, see [Monitor the health of devices with Device Health](update/device-health-monitor.md) + +### MBR2GPT + +MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. Previously, it was necessary to image, then wipe and reload a disk to change from MBR format to GPT. + +There are many benefits to converting the partition style of a disk to GPT, including the use of larger disk partitions, added data reliability, and faster boot and shutdown speeds. The GPT format also enables you to use the Unified Extensible Firmware Interface (UEFI) which replaces the Basic Input/Output System (BIOS) firmware interface. Security features of Windows 10 that require UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock. + +For more information, see [MBR2GPT.EXE](mbr-to-gpt.md). + + +### Microsoft Deployment Toolkit (MDT) + +MDT build 8456 (12/19/2018) is available, including support for Windows 10, version 1809, and Windows Server 2019. + +For more information about MDT, see the [MDT resource page](https://docs.microsoft.com/sccm/mdt/). + + +### Windows Assessment and Deployment Kit (ADK) + +The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. See the following topics: + +- [What's new in ADK kits and tools](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools) +- [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) + + +## Testing and validation guidance + +### Windows 10 deployment proof of concept (PoC) + +The Windows 10 PoC guide enables you to test Windows 10 deployment in a virtual environment and become familiar with deployment tools such as MDT and Configuration Manager. The PoC guide provides step-by-step instructions for installing and using Hyper-V to create a virtual lab environment. The guide makes extensive use of Windows PowerShell to streamline each phase of the installation and setup. + +For more information, see the following guides: + +- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) +- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) +- [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) + + +## Troubleshooting guidance + +[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) was published in October of 2016 and will continue to be updated with new fixes. The topic provides a detailed explanation of the Windows 10 upgrade process and instructions on how to locate, interpret, and resolve specific errors that can be encountered during the upgrade process. + + +## Online content change history + +The following topics provide a change history for Windows 10 ITPro TechNet library content related to deploying and using Windows 10. + +[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) +
          [Change history for Access Protection](/windows/access-protection/change-history-for-access-protection) +
          [Change history for Device Security](/windows/device-security/change-history-for-device-security) +
          [Change history for Threat Protection](/windows/threat-protection/change-history-for-threat-protection) + + +## Related topics + +[Overview of Windows as a service](update/waas-overview.md) +
          [Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md) +
          [Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information) +
          [Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/en-us/windows/windows-10-specifications) +
          [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) +
          [Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md) diff --git a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md index e667cefd3d..40992cf7a3 100644 --- a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md +++ b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md @@ -11,6 +11,7 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: mdt +audience: itpro author: greg-lindsay ms.topic: article --- @@ -48,7 +49,7 @@ When the database is populated, you can use the MDT simulation environment to si 1. On PC0001, log on as **CONTOSO\\MDT\_BA**. 2. Modify the C:\\MDT\\CustomSettings.ini file to look like the following: - ```ini + ``` [Settings] Priority=CSettings, CRoles, RApplications, Default [Default] @@ -113,7 +114,7 @@ When the database is populated, you can use the MDT simulation environment to si 3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press **Enter** after each command: - ```powershell + ``` powershell Set-Location C:\MDT .\Gather.ps1 diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md index 34e0cf7ef0..944c8ac8aa 100644 --- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md +++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md @@ -11,6 +11,7 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: mdt +audience: itpro author: greg-lindsay ms.topic: article --- @@ -87,7 +88,7 @@ Setting up DFS-R for replication is a quick and straightforward process. You pre When you have multiple deployment servers sharing the same content, you need to configure the Bootstrap.ini file with information about which server to connect to based on where the client is located. In MDT, that can be done by using the DefaultGateway property. 1. On MDT01, using Notepad, navigate to the **E:\\MDTProduction\\Control** folder and modify the Boostrap.ini file to look like this: - ```ini + ``` [Settings] Priority=DefaultGateway, Default [DefaultGateway] @@ -153,7 +154,7 @@ When you have multiple deployment servers sharing the same content, you need to 2. In the **Advanced** tab, set the quota to **8192 MB**. In this scenario the size of the deployment share is known, but you might need to change the values for your environment. A good rule of thumb is to get the size of the 16 largest files and make sure they fit in the staging area. Here is a Windows PowerShell example that calculates the size of the 16 largest files in the E:\\MDTProduction deployment share: - ```powershell + ``` powershell (Get-ChildItem E:\MDTProduction -Recurse | Sort-Object Length -Descending | Select-Object -First 16 | Measure-Object -Property Length -Sum).Sum /1GB ``` diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md index 3728c35d3e..3f8f818281 100644 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md +++ b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md @@ -11,6 +11,7 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: mdt +audience: itpro author: greg-lindsay ms.topic: article --- @@ -36,7 +37,7 @@ Before adding the more advanced components like scripts, databases, and web serv If you have a small test environment, or simply want to assign settings to a very limited number of machines, you can edit the rules to assign settings directly for a given MAC Address. If you have many machines, it makes sense to use the database instead. -```ini +``` [Settings] Priority=MacAddress, Default [Default] @@ -51,7 +52,7 @@ In the preceding sample, you set the PC00075 computer name for a machine with a Another way to assign a computer name is to identify the machine via its serial number. -```ini +``` [Settings] Priority=SerialNumber, Default [Default] @@ -66,7 +67,7 @@ In this sample, you set the PC00075 computer name for a machine with a serial nu You also can configure the rules engine to use a known property, like a serial number, to generate a computer name on the fly. -```ini +``` [Settings] Priority=Default [Default] @@ -83,7 +84,7 @@ Be careful when using the serial number to assign computer names. A serial numbe To avoid assigning a computer name longer than 15 characters, you can configure the rules in more detail by adding VBScript functions, as follows: -```ini +``` [Settings] Priority=Default [Default] @@ -97,7 +98,7 @@ In the preceding sample, you still configure the rules to set the computer name In the rules, you find built-in properties that use a Windows Management Instrumentation (WMI) query to determine whether the machine you are deploying is a laptop, desktop, or server. In this sample, we assume you want to add laptops to different OUs in Active Directory. Note that ByLaptopType is not a reserved word; rather, it is the name of the section to read. -```ini +``` [Settings] Priority=ByLaptopType, Default [Default] diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md b/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md index 23d1a3efae..115f42408d 100644 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md +++ b/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md @@ -11,6 +11,7 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: mdt +audience: itpro author: greg-lindsay ms.topic: article --- @@ -23,7 +24,7 @@ In this topic, you will learn how to configure the MDT rules engine to use a Use You can call a UserExit by referencing the script in your rules. Then you can configure a property to be set to the result of a function of the VBScript. In this example, we have a VBScript named Setname.vbs (provided in the book sample files, in the UserExit folder). -```ini +``` [Settings] Priority=Default [Default] @@ -38,7 +39,7 @@ The UserExit=Setname.vbs calls the script and then assigns the computer name to The Setname.vbs script takes the MAC Address passed from the rules. The script then does some string manipulation to add a prefix (PC) and remove the semicolons from the MAC Address. -```vb +``` Function UserExit(sType, sWhen, sDetail, bSkip) UserExit = Success End Function diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md index 3dc56ce385..4f3771b9d5 100644 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md +++ b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md @@ -1,50 +1,50 @@ ---- -title: Configure MDT settings (Windows 10) -description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. -ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: customize, customization, deploy, features, tools -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -author: greg-lindsay -ms.topic: article ---- - -# Configure MDT settings - -One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment. -For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). - -![figure 1](../images/mdt-09-fig01.png) - -Figure 1. The machines used in this topic. - -## In this section - -- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) -- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) -- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) -- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) -- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) -- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) -- [Use web services in MDT](use-web-services-in-mdt.md) -- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) - -## Related topics - -[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) - -[Create a Windows 10 reference image](create-a-windows-10-reference-image.md) - -[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) - -[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) - -[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) - -[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) +--- +title: Configure MDT settings (Windows 10) +description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. +ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: customize, customization, deploy, features, tools +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: mdt +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Configure MDT settings + +One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment. +For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). + +![figure 1](../images/mdt-09-fig01.png) + +Figure 1. The machines used in this topic. + +## In this section + +- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) +- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) +- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) +- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) +- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) +- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) +- [Use web services in MDT](use-web-services-in-mdt.md) +- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) + +## Related topics + +[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) + +[Create a Windows 10 reference image](create-a-windows-10-reference-image.md) + +[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) + +[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) + +[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) + +[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) diff --git a/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md index 63152fa7d1..a89f01eda9 100644 --- a/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md +++ b/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md @@ -1,190 +1,190 @@ ---- -title: Create a task sequence with Configuration Manager and MDT (Windows 10) -description: In this topic, you will learn how to create a Microsoft System Center 2012 R2 Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. -ms.assetid: 0b069bec-5be8-47c6-bf64-7a630f41ac98 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: deploy, upgrade, task sequence, install -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.pagetype: mdt -ms.sitesec: library -author: greg-lindsay -ms.topic: article ---- - -# Create a task sequence with Configuration Manager and MDT - - -**Applies to** - -- Windows 10 - -In this topic, you will learn how to create a Microsoft System Center 2012 R2 Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in System Center 2012 R2 Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages. - -For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard, both of which are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md). - -## Create a task sequence using the MDT Integration Wizard - - -This section walks you through the process of creating a System Center 2012 R2 Configuration Manager task sequence for production use. - -1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**. - -2. On the **Choose Template** page, select the **Client Task Sequence** template and click **Next**. - -3. On the **General** page, assign the following settings and then click **Next**: - - * Task sequence name: Windows 10 Enterprise x64 RTM - - * Task sequence comments: Production image with Office 2013 - -4. On the **Details** page, assign the following settings and then click **Next**: - - * Join a Domain - - * Domain: contoso.com - - * Account: CONTOSO\\CM\_JD - - * Password: Passw0rd! - - * Windows Settings - - * User name: Contoso - - * Organization name: Contoso - - * Product key: <blank> - -5. On the **Capture Settings** page, accept the default settings, and click **Next**. - -6. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**. - -7. On the **MDT Package** page, select **Create a new Microsoft Deployment Toolkit Files package**, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\MDT\\MDT**. Then click **Next**. - -8. On the **MDT Details** page, assign the name **MDT** and click **Next**. - -9. On the **OS Image** page, browse and select the **Windows 10 Enterprise x64 RTM** package. Then click **Next**. - -10. On the **Deployment Method** page, accept the default settings and click **Next**. - -11. On the **Client Package** page, browse and select the **OSD / Configuration Manager Client** package. Then click **Next**. - -12. On the **USMT Package** page, browse and select **the OSD / Microsoft Corporation User State Migration Tool for Windows 8 10.0.10240.16384** package. Then click **Next**. - -13. On the **Settings Package** page, select the **Create a new settings package** option, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Settings\\Windows 10 x64 Settings**. Then click **Next**. - -14. On the **Settings Details** page, assign the name **Windows 10 x64 Settings** and click **Next**. - -15. On the **Sysprep Package** page, click **Next** twice. - -16. On the **Confirmation** page, click **Finish**. - -## Edit the task sequence - - -After you create the task sequence, we recommend that you configure the task sequence for an optimal deployment experience. The configurations include enabling support for Unified Extensible Firmware Interface (UEFI), dynamic organizational unit (OU) allocation, computer replace scenarios, and more. - -1. On CM01, using the Configuration Manager Console, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM** task sequence, and select **Edit**. - -2. In the **Install** group, select the **Set Variable for Drive Letter** action and configure the following: - - * OSDPreserveDriveLetter: True - - >[!NOTE] - >If you don't change this value, your Windows installation will end up in E:\\Windows. - -3. In the **Post Install** group, select **Apply Network Settings**, and configure the Domain OU value to use the **Contoso / Workstations** OU (browse for values). - -4. In the **Post Install** group, disable the **Auto Apply Drivers** action. (Disabling is done by selecting the action and, in the **Options** tab, selecting the **Disable this step** check box.) - -5. After the disabled **Post Install / Auto Apply Drivers** action, add a new group name: **Drivers**. - -6. After the **Post Install / Drivers** group, add an **Apply Driver Package** action with the following settings: - - * Name: HP EliteBook 8560w - - * Driver Package: Windows 10 x64 - HP EliteBook 8560w - - * Options: Task Sequence Variable: Model equals HP EliteBook 8560w - - >[!NOTE] - >You also can add a Query WMI condition with the following query: SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%' - - ![Driver package options](../images/fig27-driverpackage.png "Driver package options") - - *Figure 24. The driver package options* - -7. In the **State Restore / Install Applications** group, select the **Install Application** action. - -8. Select the **Install the following applications** option, and add the OSD / Adobe Reader XI - OSD Install application to the list. - - ![Add an application to the task sequence](../images/fig28-addapp.png "Add an application to the task sequence") - - *Figure 25. Add an application to the Configuration Manager task sequence* - -9. In the **State Restore** group, after the **Set Status 5** action, add a **Request State Store** action with the following settings: - - * Restore state from another computer - - * If computer account fails to connect to state store, use the Network Access account - - * Options: Continue on error - - * Options / Condition: - - * Task Sequence Variable - - * USMTLOCAL not equals True - -10. In the **State Restore** group, after the **Restore User State** action, add a **Release State Store** action with the following settings: - - * Options: Continue on error - - * Options / Condition: - - * Task Sequence Variable - - * USMTLOCAL not equals True - -11. Click **OK**. - ->[!NOTE] ->The Request State Store and Release State Store actions need to be added for common computer replace scenarios. - - - -## Move the packages - - -While creating the task sequence with the MDT wizard, a few operating system deployment packages were created. To move these packages to the OSD folder, take the following steps. - -1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**, and then select **Packages**. - -2. Select the **MDT** and **Windows 10 x64 Settings** packages, right-click and select **Move**. - -3. In the **Move Selected Items** dialog box, select the **OSD** folder, and click **OK**. - -## Related topics - - -[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md) - -[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - -[Create a custom Windows PE boot image with Configuration Manager](../deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md) - -[Add a Windows 10 operating system image using Configuration Manager](../deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md) - -[Create an application to deploy with Windows 10 using Configuration Manager](../deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) - -[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](../deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) - -[Deploy Windows 10 using PXE and Configuration Manager](../deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md) - -[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](../deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) - -[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](../deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) +--- +title: Create a task sequence with Configuration Manager and MDT (Windows 10) +description: In this topic, you will learn how to create a Microsoft System Center 2012 R2 Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. +ms.assetid: 0b069bec-5be8-47c6-bf64-7a630f41ac98 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: deploy, upgrade, task sequence, install +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.pagetype: mdt +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Create a task sequence with Configuration Manager and MDT + + +**Applies to** + +- Windows 10 + +In this topic, you will learn how to create a Microsoft System Center 2012 R2 Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in System Center 2012 R2 Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages. + +For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard, both of which are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +## Create a task sequence using the MDT Integration Wizard + + +This section walks you through the process of creating a System Center 2012 R2 Configuration Manager task sequence for production use. + +1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**. + +2. On the **Choose Template** page, select the **Client Task Sequence** template and click **Next**. + +3. On the **General** page, assign the following settings and then click **Next**: + + * Task sequence name: Windows 10 Enterprise x64 RTM + + * Task sequence comments: Production image with Office 2013 + +4. On the **Details** page, assign the following settings and then click **Next**: + + * Join a Domain + + * Domain: contoso.com + + * Account: CONTOSO\\CM\_JD + + * Password: Passw0rd! + + * Windows Settings + + * User name: Contoso + + * Organization name: Contoso + + * Product key: <blank> + +5. On the **Capture Settings** page, accept the default settings, and click **Next**. + +6. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**. + +7. On the **MDT Package** page, select **Create a new Microsoft Deployment Toolkit Files package**, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\MDT\\MDT**. Then click **Next**. + +8. On the **MDT Details** page, assign the name **MDT** and click **Next**. + +9. On the **OS Image** page, browse and select the **Windows 10 Enterprise x64 RTM** package. Then click **Next**. + +10. On the **Deployment Method** page, accept the default settings and click **Next**. + +11. On the **Client Package** page, browse and select the **OSD / Configuration Manager Client** package. Then click **Next**. + +12. On the **USMT Package** page, browse and select **the OSD / Microsoft Corporation User State Migration Tool for Windows 8 10.0.10240.16384** package. Then click **Next**. + +13. On the **Settings Package** page, select the **Create a new settings package** option, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Settings\\Windows 10 x64 Settings**. Then click **Next**. + +14. On the **Settings Details** page, assign the name **Windows 10 x64 Settings** and click **Next**. + +15. On the **Sysprep Package** page, click **Next** twice. + +16. On the **Confirmation** page, click **Finish**. + +## Edit the task sequence + + +After you create the task sequence, we recommend that you configure the task sequence for an optimal deployment experience. The configurations include enabling support for Unified Extensible Firmware Interface (UEFI), dynamic organizational unit (OU) allocation, computer replace scenarios, and more. + +1. On CM01, using the Configuration Manager Console, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM** task sequence, and select **Edit**. + +2. In the **Install** group, select the **Set Variable for Drive Letter** action and configure the following: + + * OSDPreserveDriveLetter: True + + >[!NOTE] + >If you don't change this value, your Windows installation will end up in E:\\Windows. + +3. In the **Post Install** group, select **Apply Network Settings**, and configure the Domain OU value to use the **Contoso / Workstations** OU (browse for values). + +4. In the **Post Install** group, disable the **Auto Apply Drivers** action. (Disabling is done by selecting the action and, in the **Options** tab, selecting the **Disable this step** check box.) + +5. After the disabled **Post Install / Auto Apply Drivers** action, add a new group name: **Drivers**. + +6. After the **Post Install / Drivers** group, add an **Apply Driver Package** action with the following settings: + + * Name: HP EliteBook 8560w + + * Driver Package: Windows 10 x64 - HP EliteBook 8560w + + * Options: Task Sequence Variable: Model equals HP EliteBook 8560w + + >[!NOTE] + >You also can add a Query WMI condition with the following query: SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%' + + ![Driver package options](../images/fig27-driverpackage.png "Driver package options") + + *Figure 24. The driver package options* + +7. In the **State Restore / Install Applications** group, select the **Install Application** action. + +8. Select the **Install the following applications** option, and add the OSD / Adobe Reader XI - OSD Install application to the list. + + ![Add an application to the task sequence](../images/fig28-addapp.png "Add an application to the task sequence") + + *Figure 25. Add an application to the Configuration Manager task sequence* + +9. In the **State Restore** group, after the **Set Status 5** action, add a **Request State Store** action with the following settings: + + * Restore state from another computer + + * If computer account fails to connect to state store, use the Network Access account + + * Options: Continue on error + + * Options / Condition: + + * Task Sequence Variable + + * USMTLOCAL not equals True + +10. In the **State Restore** group, after the **Restore User State** action, add a **Release State Store** action with the following settings: + + * Options: Continue on error + + * Options / Condition: + + * Task Sequence Variable + + * USMTLOCAL not equals True + +11. Click **OK**. + +>[!NOTE] +>The Request State Store and Release State Store actions need to be added for common computer replace scenarios. + + + +## Move the packages + + +While creating the task sequence with the MDT wizard, a few operating system deployment packages were created. To move these packages to the OSD folder, take the following steps. + +1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**, and then select **Packages**. + +2. Select the **MDT** and **Windows 10 x64 Settings** packages, right-click and select **Move**. + +3. In the **Move Selected Items** dialog box, select the **OSD** folder, and click **OK**. + +## Related topics + + +[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md) + +[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + +[Create a custom Windows PE boot image with Configuration Manager](../deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md) + +[Add a Windows 10 operating system image using Configuration Manager](../deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md) + +[Create an application to deploy with Windows 10 using Configuration Manager](../deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) + +[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](../deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) + +[Deploy Windows 10 using PXE and Configuration Manager](../deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md) + +[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](../deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](../deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md index 1261cd6fbe..8e20ab78c8 100644 --- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md +++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md @@ -11,6 +11,7 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: mdt +audience: itpro author: greg-lindsay ms.topic: article --- @@ -63,7 +64,7 @@ In order to write the reference image back to the deployment share, you need to 1. On MDT01, log on as **CONTOSO\\Administrator**. 2. Modify the NTFS permissions for the **E:\\MDTBuildLab\\Captures** folder by running the following command in an elevated Windows PowerShell prompt: - ``` syntax + ``` icacls E:\MDTBuildLab\Captures /grant '"MDT_BA":(OI)(CI)(M)' ``` @@ -170,7 +171,7 @@ If you need to add many applications, you can take advantage of the PowerShell s 1. On MDT01, log on as **CONTOSO\\Administrator**. 2. Import the snap-in and create the PSDrive by running the following commands in an elevated PowerShell prompt: - ```powershell + ``` powershell Import-Module "C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1" New-PSDrive -Name "DS001" -PSProvider MDTProvider -Root "E:\MDTBuildLab" ``` @@ -182,7 +183,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2005 SP1 2. Create the application by running the following commands in an elevated PowerShell prompt: - ```powershell + ``` powershell $ApplicationName = "Install - Microsoft Visual C++ 2005 SP1 - x86" $CommandLine = "vcredist_x86.exe /Q" $ApplicationSourcePath = "E:\Downloads\VC++2005SP1x86" @@ -196,7 +197,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2005 SP1 1. On MDT01, log on as **CONTOSO\\Administrator**. 2. Create the application by running the following commands in an elevated PowerShell prompt: - ```powershell + ``` powershell $ApplicationName = "Install - Microsoft Visual C++ 2005 SP1 - x64" $CommandLine = "vcredist_x64.exe /Q" $ApplicationSourcePath = "E:\Downloads\VC++2005SP1x64" @@ -210,7 +211,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2008 SP1 1. On MDT01, log on as **CONTOSO\\Administrator**. 2. Create the application by running the following commands in an elevated PowerShell prompt: - ```powershell + ``` powershell $ApplicationName = "Install - Microsoft Visual C++ 2008 SP1 - x86" $CommandLine = "vcredist_x86.exe /Q" $ApplicationSourcePath = "E:\Downloads\VC++2008SP1x86" @@ -224,7 +225,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2008 SP1 1. On MDT01, log on as **CONTOSO\\Administrator**. 2. Create the application by running the following commands in an elevated PowerShell prompt: - ```powershell + ``` powershell $ApplicationName = "Install - Microsoft Visual C++ 2008 SP1 - x64" $CommandLine = "vcredist_x64.exe /Q" $ApplicationSourcePath = "E:\Downloads\VC++2008SP1x64" @@ -238,7 +239,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2010 SP1 1. On MDT01, log on as **CONTOSO\\Administrator**. 2. Create the application by running the following commands in an elevated PowerShell prompt: - ```powershell + ``` powershell $ApplicationName = "Install - Microsoft Visual C++ 2010 SP1 - x86" $CommandLine = "vcredist_x86.exe /Q" $ApplicationSourcePath = "E:\Downloads\VC++2010SP1x86" @@ -252,7 +253,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2010 SP1 1. On MDT01, log on as **CONTOSO\\Administrator**. 2. Create the application by running the following commands in an elevated PowerShell prompt: - ```powershell + ``` powershell $ApplicationName = "Install - Microsoft Visual C++ 2010 SP1 - x64" $CommandLine = "vcredist_x64.exe /Q" $ApplicationSourcePath = "E:\Downloads\VC++2010SP1x64" @@ -266,7 +267,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2012 Upda 1. On MDT01, log on as **CONTOSO\\Administrator**. 2. Create the application by running the following commands in an elevated PowerShell prompt: - ```powershell + ``` powershell $ApplicationName = "Install - Microsoft Visual C++ 2012 Update 4 - x86" $CommandLine = "vcredist_x86.exe /Q" $ApplicationSourcePath = "E:\Downloads\VC++2012Ux86" @@ -280,7 +281,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2012 Upda 1. On MDT01, log on as **CONTOSO\\Administrator**. 2. Create the application by running the following commands in an elevated PowerShell prompt: - ```powershell + ``` powershell $ApplicationName = "Install - Microsoft Visual C++ 2012 Update 4 - x64" $CommandLine = "vcredist_x64.exe /Q" $ApplicationSourcePath = "E:\Downloads\VC++2012Ux64" @@ -405,7 +406,7 @@ In MDT, there are always two rule files: the CustomSettings.ini file and the Boo For that reason, add only a minimal set of rules to Bootstrap.ini, such as which deployment server and share to connect to - the DEPLOYROOT value. Put the other rules in CustomSettings.ini because that file is updated immediately when you click OK. By taking the following steps, you will configure the rules for the MDT Build Lab deployment share: 1. Using the Deployment Workbench, right-click the **MDT Build Lab deployment share** and select **Properties**. 2. Select the **Rules** tab and modify using the following information: - ```ini + ``` [Settings] Priority=Default [Default] @@ -444,7 +445,7 @@ For that reason, add only a minimal set of rules to Bootstrap.ini, such as which 3. Click **Edit Bootstrap.ini** and modify using the following information: - ```ini + ``` [Settings] Priority=Default [Default] @@ -501,7 +502,7 @@ The CustomSettings.ini file is normally stored on the server, in the Deployment The Bootstrap.ini file is available via the deployment share's Properties dialog box, or via the E:\\MDTBuildLab\\Control folder on MDT01. -```ini +``` [Settings] Priority=Default [Default] @@ -529,7 +530,7 @@ So, what are these settings? The CustomSettings.ini file, whose content you see on the Rules tab of the deployment share Properties dialog box, contains most of the properties used in the configuration. -```ini +``` [Settings] Priority=Default [Default] diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index 4624a728aa..238fd0d31e 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -11,6 +11,7 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: mdt +audience: itpro author: greg-lindsay ms.topic: article --- @@ -175,11 +176,13 @@ When you import drivers to the MDT driver repository, MDT creates a single insta - Surface Pro 3 The preceding folder names are selected because they match the actual make and model values that MDT reads from the machines during deployment. You can find out the model values for your machines via the following command in Windows PowerShell: -```powershell + +``` powershell Get-WmiObject -Class:Win32_ComputerSystem ``` Or, you can use this command in a normal command prompt: -``` syntax + +``` wmic csproduct get name ``` @@ -312,7 +315,7 @@ In this section, you will learn how to configure the MDT Build Lab deployment sh 2. Right-click the **MDT Production** deployment share and select **Properties**. 3. Select the **Rules** tab and modify using the following information: - ```ini + ``` [Settings] Priority=Default [Default] @@ -349,7 +352,7 @@ In this section, you will learn how to configure the MDT Build Lab deployment sh ``` 4. Click **Edit Bootstrap.ini** and modify using the following information: - ```ini + ``` [Settings] Priority=Default [Default] @@ -393,7 +396,7 @@ The rules for the MDT Production deployment share are somewhat different from th ### The Bootstrap.ini file This is the MDT Production Bootstrap.ini without the user credentials (except domain information): -```ini +``` [Settings] Priority=Default [Default] @@ -405,7 +408,7 @@ SkipBDDWelcome=YES ### The CustomSettings.ini file This is the CustomSettings.ini file with the new join domain information: -```ini +``` [Settings] Priority=Default [Default] diff --git a/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md index e8646cd0cc..bc6f898741 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md +++ b/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md @@ -1,98 +1,98 @@ ---- -title: Deploy Windows 10 with the Microsoft Deployment Toolkit (Windows 10) -description: This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). -ms.assetid: 837f009c-617e-4b3f-9028-2246067ee0fb -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: deploy, tools, configure, script -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -author: greg-lindsay -ms.pagetype: mdt -ms.topic: article ---- - -# Deploy Windows 10 with the Microsoft Deployment Toolkit - -**Applies to** -- Windows 10 - -This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). - -The Microsoft Deployment Toolkit is a unified collection of tools, processes, and guidance for automating desktop and server deployment. In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the Windows Assessment and Deployment Kit (Windows ADK) with additional guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment. -MDT supports the deployment of Windows 10, as well as Windows 7, Windows 8, Windows 8.1, and Windows Server 2012 R2. It also includes support for zero-touch installation (ZTI) with Microsoft System Center 2012 R2 Configuration Manager. - -To download the latest version of MDT, visit the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117). - -## In this section - -- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) -- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) -- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) -- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) -- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) -- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) -- [Configure MDT settings](configure-mdt-settings.md) - -## Proof-of-concept environment - -For the purposes of this guide, and the topics discussed herein, we will use the following servers and client machines: DC01, MDT01, CM01, PC0001, and PC0002. - -![figure 1](../images/mdt-01-fig01.png) - -Figure 1. The servers and machines used for examples in this guide. - -DC01 is a domain controller; the other servers and client machines are members of the domain contoso.com for the fictitious Contoso Corporation. - -![figure 2](../images/mdt-01-fig02.jpg) - -Figure 2. The organizational unit (OU) structure used in this guide. - -### Server details - -- **DC01.** A Windows Server 2012 R2 Standard machine, fully patched with the latest security updates, and configured as Active Directory Domain Controller, DNS Server, and DHCP Server in the contoso.com domain. - - Server name: DC01 - - IP Address: 192.168.1.200 - - Roles: DNS, DHCP, and Domain Controller -- **MDT01.** A Windows Server 2012 R2 Standard machine, fully patched with the latest security updates, and configured as a member server in the contoso.com domain. - - Server name: MDT01 - - IP Address: 192.168.1.210 -- **CM01.** A Windows Server 2012 R2 Standard machine, fully patched with the latest security updates, and configured as a member server in the contoso.com domain. - - Server name: CM01 - - IP Address: 192.168.1.214 - -### Client machine details - -- **PC0001.** A Windows 10 Enterprise x64 machine, fully patched with the latest security updates, and configured as a member in the contoso.com domain. This machine is referenced as the admin workstation. - - Client name: PC0001 - - IP Address: DHCP -- **PC0002.** A Windows 7 SP1 Enterprise x64 machine, fully patched with the latest security updates, and configured as a member in the contoso.com domain. This machine is referenced during the migration scenarios. - - Client name: PC0002 - - IP Address: DHCP - -## Sample files - -The information in this guide is designed to help you deploy Windows 10. In order to help you put the information you learn into practice more quickly, we recommend that you download a small set of sample files for the fictitious Contoso Corporation: -- [Gather.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619361). This sample Windows PowerShell script performs the MDT Gather process in a simulated MDT environment. This allows you to test the MDT gather process and check to see if it is working correctly without performing a full Windows deployment. -- [Set-OUPermissions.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619362). This sample Windows PowerShell script creates a domain account and then configures OU permissions to allow the account to join machines to the domain in the specified OU. -- [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT. - -## Related topics - -[Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117) - -[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md) - -[Windows 10 deployment tools](../windows-deployment-scenarios-and-tools.md) - -[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) - -[Deploy Windows To Go in your organization](../deploy-windows-to-go.md) - -[Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10) - -[Volume Activation for Windows 10](../volume-activation/volume-activation-windows-10.md) - +--- +title: Deploy Windows 10 with the Microsoft Deployment Toolkit (Windows 10) +description: This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). +ms.assetid: 837f009c-617e-4b3f-9028-2246067ee0fb +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: deploy, tools, configure, script +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.pagetype: mdt +ms.topic: article +--- + +# Deploy Windows 10 with the Microsoft Deployment Toolkit + +**Applies to** +- Windows 10 + +This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). + +The Microsoft Deployment Toolkit is a unified collection of tools, processes, and guidance for automating desktop and server deployment. In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the Windows Assessment and Deployment Kit (Windows ADK) with additional guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment. +MDT supports the deployment of Windows 10, as well as Windows 7, Windows 8, Windows 8.1, and Windows Server 2012 R2. It also includes support for zero-touch installation (ZTI) with Microsoft System Center 2012 R2 Configuration Manager. + +To download the latest version of MDT, visit the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117). + +## In this section + +- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) +- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) +- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) +- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) +- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) +- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) +- [Configure MDT settings](configure-mdt-settings.md) + +## Proof-of-concept environment + +For the purposes of this guide, and the topics discussed herein, we will use the following servers and client machines: DC01, MDT01, CM01, PC0001, and PC0002. + +![figure 1](../images/mdt-01-fig01.png) + +Figure 1. The servers and machines used for examples in this guide. + +DC01 is a domain controller; the other servers and client machines are members of the domain contoso.com for the fictitious Contoso Corporation. + +![figure 2](../images/mdt-01-fig02.jpg) + +Figure 2. The organizational unit (OU) structure used in this guide. + +### Server details + +- **DC01.** A Windows Server 2012 R2 Standard machine, fully patched with the latest security updates, and configured as Active Directory Domain Controller, DNS Server, and DHCP Server in the contoso.com domain. + - Server name: DC01 + - IP Address: 192.168.1.200 + - Roles: DNS, DHCP, and Domain Controller +- **MDT01.** A Windows Server 2012 R2 Standard machine, fully patched with the latest security updates, and configured as a member server in the contoso.com domain. + - Server name: MDT01 + - IP Address: 192.168.1.210 +- **CM01.** A Windows Server 2012 R2 Standard machine, fully patched with the latest security updates, and configured as a member server in the contoso.com domain. + - Server name: CM01 + - IP Address: 192.168.1.214 + +### Client machine details + +- **PC0001.** A Windows 10 Enterprise x64 machine, fully patched with the latest security updates, and configured as a member in the contoso.com domain. This machine is referenced as the admin workstation. + - Client name: PC0001 + - IP Address: DHCP +- **PC0002.** A Windows 7 SP1 Enterprise x64 machine, fully patched with the latest security updates, and configured as a member in the contoso.com domain. This machine is referenced during the migration scenarios. + - Client name: PC0002 + - IP Address: DHCP + +## Sample files + +The information in this guide is designed to help you deploy Windows 10. In order to help you put the information you learn into practice more quickly, we recommend that you download a small set of sample files for the fictitious Contoso Corporation: +- [Gather.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619361). This sample Windows PowerShell script performs the MDT Gather process in a simulated MDT environment. This allows you to test the MDT gather process and check to see if it is working correctly without performing a full Windows deployment. +- [Set-OUPermissions.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619362). This sample Windows PowerShell script creates a domain account and then configures OU permissions to allow the account to join machines to the domain in the specified OU. +- [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT. + +## Related topics + +[Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117) + +[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md) + +[Windows 10 deployment tools](../windows-deployment-scenarios-and-tools.md) + +[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) + +[Deploy Windows To Go in your organization](../deploy-windows-to-go.md) + +[Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10) + +[Volume Activation for Windows 10](../volume-activation/volume-activation-windows-10.md) + diff --git a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md index f5c4077436..e7742fa773 100644 --- a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md +++ b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md @@ -1,54 +1,54 @@ ---- -title: Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10) -description: This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), as part of a Windows operating system deployment. -ms.assetid: a256442c-be47-4bb9-a105-c831f58ce3ee -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: deploy, image, feature, install, tools -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -author: greg-lindsay -ms.topic: article ---- - -# Get started with the Microsoft Deployment Toolkit (MDT) - -**Applies to** -- Windows 10 - -This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), as part of a Windows operating system deployment. MDT is one of the most important tools available to IT professionals today. You can use it to create reference images or as a complete deployment solution. MDT also can be used to extend the operating system deployment features available in Microsoft System Center 2012 R2 Configuration Manager. - -In addition to familiarizing you with the features and options available in MDT, this topic will walk you through the process of preparing for deploying Windows 10 using MDT by configuring Active Directory, creating an organizational unit (OU) structure, creating service accounts, configuring log files and folders, and installing the tools needed to view the logs and continue with the deployment process. - -For the purposes of this topic, we will use two machines: DC01 and MDT01. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. MDT01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see -[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). - -![figure 1](../images/mdt-05-fig01.png) - -Figure 1. The machines used in this topic. - -## In this section - -- [Key features in MDT](key-features-in-mdt.md) -- [MDT Lite Touch components](mdt-lite-touch-components.md) -- [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) - -## Related topics - -[Microsoft Deployment Toolkit downloads and documentation](https://go.microsoft.com/fwlink/p/?LinkId=618117) - -[Create a Windows 10 reference image](create-a-windows-10-reference-image.md) - -[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) - -[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) - -[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) - -[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) - -[Configure MDT settings](configure-mdt-settings.md) +--- +title: Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10) +description: This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), as part of a Windows operating system deployment. +ms.assetid: a256442c-be47-4bb9-a105-c831f58ce3ee +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: deploy, image, feature, install, tools +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: mdt +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Get started with the Microsoft Deployment Toolkit (MDT) + +**Applies to** +- Windows 10 + +This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), as part of a Windows operating system deployment. MDT is one of the most important tools available to IT professionals today. You can use it to create reference images or as a complete deployment solution. MDT also can be used to extend the operating system deployment features available in Microsoft System Center 2012 R2 Configuration Manager. + +In addition to familiarizing you with the features and options available in MDT, this topic will walk you through the process of preparing for deploying Windows 10 using MDT by configuring Active Directory, creating an organizational unit (OU) structure, creating service accounts, configuring log files and folders, and installing the tools needed to view the logs and continue with the deployment process. + +For the purposes of this topic, we will use two machines: DC01 and MDT01. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. MDT01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see +[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). + +![figure 1](../images/mdt-05-fig01.png) + +Figure 1. The machines used in this topic. + +## In this section + +- [Key features in MDT](key-features-in-mdt.md) +- [MDT Lite Touch components](mdt-lite-touch-components.md) +- [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) + +## Related topics + +[Microsoft Deployment Toolkit downloads and documentation](https://go.microsoft.com/fwlink/p/?LinkId=618117) + +[Create a Windows 10 reference image](create-a-windows-10-reference-image.md) + +[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) + +[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) + +[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) + +[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) + +[Configure MDT settings](configure-mdt-settings.md) diff --git a/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md b/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md index e03f6dbf21..6ebe0fe528 100644 --- a/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md @@ -11,6 +11,7 @@ ms.prod: w10 ms.localizationpriority: medium ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.topic: article --- @@ -27,7 +28,7 @@ MDT is a free, supported download from Microsoft that adds approximately 280 enh As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name does not reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT adds to Configuration Manager. -> [!Note] +> [!Note] > Microsoft Deployment Toolkit requires you to install [Windows PowerShell 2.0 Engine](https://docs.microsoft.com/powershell/scripting/install/installing-the-windows-powershell-2.0-engine) on your server. ### MDT enables dynamic deployment @@ -37,7 +38,7 @@ When MDT is integrated with Configuration Manager, the task sequence takes addit The task sequence uses instructions that allow you to reduce the number of task sequences in Configuration Manager and instead store settings outside the task sequence. Here are a few examples: - The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is a HP EliteBook 8570w. Note that you don't have to add the package to the task sequence. - ```ini + ``` syntax [Settings] Priority=Model [HP EliteBook 8570w] @@ -45,7 +46,7 @@ The task sequence uses instructions that allow you to reduce the number of task ``` - The following settings instruct the task sequence to put laptops and desktops in different organizational units (OUs) during deployment, assign different computer names, and finally have the task sequence install the Cisco VPN client, but only if the machine is a laptop. - ```ini + ``` syntax [Settings] Priority= ByLaptopType, ByDesktopType [ByLaptopType] diff --git a/windows/deployment/deploy-windows-mdt/key-features-in-mdt.md b/windows/deployment/deploy-windows-mdt/key-features-in-mdt.md index a4f74c153c..f0fe20a593 100644 --- a/windows/deployment/deploy-windows-mdt/key-features-in-mdt.md +++ b/windows/deployment/deploy-windows-mdt/key-features-in-mdt.md @@ -1,66 +1,66 @@ ---- -title: Key features in MDT (Windows 10) -description: The Microsoft Deployment Toolkit (MDT) has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. -ms.assetid: 858e384f-e9db-4a93-9a8b-101a503e4868 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: deploy, feature, tools, upgrade, migrate, provisioning -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -author: greg-lindsay -ms.topic: article ---- - -# Key features in MDT - -**Applies to** -- Windows 10 - -The Microsoft Deployment Toolkit (MDT) has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. The toolkit has evolved, both in functionality and popularity, and today it is considered fundamental to Windows operating system and enterprise application deployment. - -MDT has many useful features, the most important of which are: -- **Windows Client support.** Supports Windows 7, Windows 8, Windows 8.1, and Windows 10. -- **Windows Server support.** Supports Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. -- **Additional operating systems support.** Supports Windows Thin PC and Windows Embedded POSReady 7, as well as Windows 8.1 Embedded Industry. -- **UEFI support.** Supports deployment to machines using Unified Extensible Firmware Interface (UEFI) version 2.3.1. -- **GPT support.** Supports deployment to machines that require the new GUID (globally unique identifier) partition table (GPT) format. This is related to UEFI. -- **Enhanced Windows PowerShell support.** Provides support for running PowerShell scripts. - - ![figure 2](../images/mdt-05-fig02.png) - - Figure 2. The deployment share mounted as a standard PSDrive allows for administration using PowerShell. - -- **Add local administrator accounts.** Allows you to add multiple user accounts to the local Administrators group on the target computers, either via settings or the deployment wizard. -- **Automated participation in CEIP and WER.** Provides configuration for participation in Windows Customer Experience Improvement Program (CEIP) and Windows Error Reporting (WER). -- **Deploy Windows RE.** Enables deployment of a customized Windows Recovery Environment (Windows RE) as part of the task sequence. -- **Deploy to VHD.** Provides ready-made task sequence templates for deploying Windows into a virtual hard disk (VHD) file. -- **Improved deployment wizard.** Provides additional progress information and a cleaner UI for the Lite Touch Deployment Wizard. -- **Monitoring.** Allows you to see the status of currently running deployments. -- **Apply GPO Pack.** Allows you to deploy local group policy objects created by Microsoft Security Compliance Manager (SCM). -- **Partitioning routines.** Provides improved partitioning routines to ensure that deployments work regardless of the current hard drive structure. -- **Offline BitLocker.** Provides the capability to have BitLocker enabled during the Windows Preinstallation Environment (Windows PE) phase, thus saving hours of encryption time. -- **USMT offline user-state migration.** Provides support for running the User State Migration Tool (USMT) capture offline, during the Windows PE phase of the deployment. - - ![figure 3](../images/mdt-05-fig03.png) - - Figure 3. The offline USMT backup in action. - -- **Install or uninstall Windows roles or features.** Enables you to select roles and features as part of the deployment wizard. MDT also supports uninstall of roles and features. -- **Microsoft System Center 2012 Orchestrator integration.** Provides the capability to use Orchestrator runbooks as part of the task sequence. -- **Support for DaRT.** Supports optional integration of the DaRT components into the boot image. -- **Support for Office 2013.** Provides added support for deploying Microsoft Office Professional Plus 2013. -- **Support for Modern UI app package provisioning.** Provisions applications based on the new Windows app package standard, which is used in Windows 8 and later. -- **Extensibility.** Provides the capability to extend MDT far beyond the built-in features by adding custom scripts, web services, System Center Orchestrator runbooks, PowerShell scripts, and VBScripts. -- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, refer to the [Microsoft Deployment Toolkit resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117). - -## Related topics - -[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) - -[MDT Lite Touch components](mdt-lite-touch-components.md) -  -  +--- +title: Key features in MDT (Windows 10) +description: The Microsoft Deployment Toolkit (MDT) has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. +ms.assetid: 858e384f-e9db-4a93-9a8b-101a503e4868 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: deploy, feature, tools, upgrade, migrate, provisioning +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: mdt +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Key features in MDT + +**Applies to** +- Windows 10 + +The Microsoft Deployment Toolkit (MDT) has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. The toolkit has evolved, both in functionality and popularity, and today it is considered fundamental to Windows operating system and enterprise application deployment. + +MDT has many useful features, the most important of which are: +- **Windows Client support.** Supports Windows 7, Windows 8, Windows 8.1, and Windows 10. +- **Windows Server support.** Supports Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. +- **Additional operating systems support.** Supports Windows Thin PC and Windows Embedded POSReady 7, as well as Windows 8.1 Embedded Industry. +- **UEFI support.** Supports deployment to machines using Unified Extensible Firmware Interface (UEFI) version 2.3.1. +- **GPT support.** Supports deployment to machines that require the new GUID (globally unique identifier) partition table (GPT) format. This is related to UEFI. +- **Enhanced Windows PowerShell support.** Provides support for running PowerShell scripts. + + ![figure 2](../images/mdt-05-fig02.png) + + Figure 2. The deployment share mounted as a standard PSDrive allows for administration using PowerShell. + +- **Add local administrator accounts.** Allows you to add multiple user accounts to the local Administrators group on the target computers, either via settings or the deployment wizard. +- **Automated participation in CEIP and WER.** Provides configuration for participation in Windows Customer Experience Improvement Program (CEIP) and Windows Error Reporting (WER). +- **Deploy Windows RE.** Enables deployment of a customized Windows Recovery Environment (Windows RE) as part of the task sequence. +- **Deploy to VHD.** Provides ready-made task sequence templates for deploying Windows into a virtual hard disk (VHD) file. +- **Improved deployment wizard.** Provides additional progress information and a cleaner UI for the Lite Touch Deployment Wizard. +- **Monitoring.** Allows you to see the status of currently running deployments. +- **Apply GPO Pack.** Allows you to deploy local group policy objects created by Microsoft Security Compliance Manager (SCM). +- **Partitioning routines.** Provides improved partitioning routines to ensure that deployments work regardless of the current hard drive structure. +- **Offline BitLocker.** Provides the capability to have BitLocker enabled during the Windows Preinstallation Environment (Windows PE) phase, thus saving hours of encryption time. +- **USMT offline user-state migration.** Provides support for running the User State Migration Tool (USMT) capture offline, during the Windows PE phase of the deployment. + + ![figure 3](../images/mdt-05-fig03.png) + + Figure 3. The offline USMT backup in action. + +- **Install or uninstall Windows roles or features.** Enables you to select roles and features as part of the deployment wizard. MDT also supports uninstall of roles and features. +- **Microsoft System Center 2012 Orchestrator integration.** Provides the capability to use Orchestrator runbooks as part of the task sequence. +- **Support for DaRT.** Supports optional integration of the DaRT components into the boot image. +- **Support for Office 2013.** Provides added support for deploying Microsoft Office Professional Plus 2013. +- **Support for Modern UI app package provisioning.** Provisions applications based on the new Windows app package standard, which is used in Windows 8 and later. +- **Extensibility.** Provides the capability to extend MDT far beyond the built-in features by adding custom scripts, web services, System Center Orchestrator runbooks, PowerShell scripts, and VBScripts. +- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, refer to the [Microsoft Deployment Toolkit resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117). + +## Related topics + +[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) + +[MDT Lite Touch components](mdt-lite-touch-components.md) +  +  diff --git a/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md b/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md index 843e70ad0b..15f4f07658 100644 --- a/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md +++ b/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md @@ -1,121 +1,121 @@ ---- -title: MDT Lite Touch components (Windows 10) -description: This topic provides an overview of the features in the Microsoft Deployment Toolkit (MDT) that support Lite Touch Installation (LTI) for Windows 10. -ms.assetid: 7d6fc159-e338-439e-a2e6-1778d0da9089 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: deploy, install, deployment, boot, log, monitor -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -author: greg-lindsay -ms.topic: article ---- - -# MDT Lite Touch components - -**Applies to** -- Windows 10 - -This topic provides an overview of the features in the Microsoft Deployment Toolkit (MDT) that support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires very little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disc. -When deploying the Windows operating system using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, click View Script. That will give you the PowerShell command. - -![figure 4](../images/mdt-05-fig04.png) - -Figure 4. If you click **View Script** on the right side, you will get the PowerShell code that was used to perform the task. - -## Deployment shares - -A deployment share is essentially a folder on the server that is shared and contains all the setup files and scripts needed for the deployment solution. It also holds the configuration files (called rules) that are gathered when a machine is deployed. These configuration files can reach out to other sources, like a database, external script, or web server to get additional settings for the deployment. For Lite Touch deployments, it is common to have two deployment shares: one for creating the reference images and one for deployment. For Zero Touch, it is common to have only the deployment share for creating reference images because Microsoft System Center 2012 R2 Configuration Manager deploys the image in the production environment. - -## Rules - -The rules (CustomSettings.ini and Bootstrap.ini) make up the brain of MDT. The rules control the Windows Deployment Wizard on the client and, for example, can provide the following settings to the machine being deployed: -- Computer name -- Domain to join, and organizational unit (OU) in Active Directory to hold the computer object -- Whether to enable BitLocker -- Regional settings -You can manage hundreds of settings in the rules. For more information, see the [Microsoft Deployment Toolkit resource center](https://go.microsoft.com/fwlink/p/?LinkId=618117). - -![figure 5](../images/mdt-05-fig05.png) - -Figure 5. Example of a MDT rule. In this example, the new computer name is being calculated based on PC- plus the first seven (Left) characters from the serial number - -## Boot images - -Boot images are the Windows Preinstallation Environment (Windows PE) images that are used to start the deployment. They can be started from a CD or DVD, an ISO file, a USB device, or over the network using a Pre-Boot Execution Environment (PXE) server. The boot images connect to the deployment -share on the server and start the deployment. - -## Operating systems - -Using the Deployment Workbench, you import the operating systems you want to deploy. You can import either the full source (like the full Windows 10 DVD/ISO) or a custom image that you have created. The full-source operating systems are primarily used to create reference images; however, they also can be used for normal deployments. - -## Applications - -Using the Deployment Workbench, you also add the applications you want to deploy. MDT supports virtually every executable Windows file type. The file can be a standard .exe file with command-line switches for an unattended install, a Microsoft Windows Installer (MSI) package, a batch file, or a VBScript. In fact, it can be just about anything that can be executed unattended. MDT also supports the new Universal Windows apps. - -## Driver repository - -You also use the Deployment Workbench to import the drivers your hardware needs into a driver repository that lives on the server, not in the image. - -## Packages - -With the Deployment Workbench, you can add any Microsoft packages that you want to use. The most commonly added packages are language packs, and the Deployment Workbench Packages node works well for those. You also can add security and other updates this way. However, we generally recommend that you use Windows Server Update Services (WSUS) for operating system updates. The rare exceptions are critical hotfixes that are not available via WSUS, packages for the boot image, or any other package that needs to be deployed before the WSUS update process starts. - -## Task sequences - -Task sequences are the heart and soul of the deployment solution. When creating a task sequence, you need to select a template. The templates are located in the Templates folder in the MDT installation directory, and they determine which default actions are present in the sequence. - -You can think of a task sequence as a list of actions that need to be executed in a certain order. Each action can also have conditions. Some examples of actions are as follows: -- **Gather.** Reads configuration settings from the deployment server. -- **Format and Partition.** Creates the partition(s) and formats them. -- **Inject Drivers.** Finds out which drivers the machine needs and downloads them from the central driver repository. -- **Apply Operating System.** Uses ImageX to apply the image. -- **Windows Update.** Connects to a WSUS server and updates the machine. - -## Task sequence templates - -MDT comes with nine default task sequence templates. You can also create your own templates. As long as you store them in the Templates folder, they will be available when you create a new task sequence. -- **Sysprep and Capture task sequence.** Used to run the System Preparation (Sysprep) tool and capture an image of a reference computer. - - **Note**   - It is preferable to use a complete build and capture instead of the Sysprep and Capture task sequence. A complete build and capture can be automated, whereas Sysprep and Capture cannot. - -- **Standard Client task sequence.** The most frequently used task sequence. Used for creating reference images and for deploying clients in production. -- **Standard Client Replace task sequence.** Used to run User State Migration Tool (USMT) backup and the optional full Windows Imaging (WIM) backup action. Can also be used to do a secure wipe of a machine that is going to be decommissioned. -- **Custom task sequence.** As the name implies, a custom task sequence with only one default action (one Install Application action). -- **Standard Server task sequence.** The default task sequence for deploying operating system images to servers. The main difference between this template and the Standard Client task sequence template is that it does not contain any USMT actions because USMT is not supported on servers. -- **Lite Touch OEM task sequence.** Used to preload operating systems images on the computer hard drive. Typically used by computer original equipment manufacturers (OEMs) but some enterprise organizations also use this feature. -- **Post OS Installation task sequence.** A task sequence prepared to run actions after the operating system has been deployed. Very useful for server deployments but not often used for client deployments. -- **Deploy to VHD Client task sequence.** Similar to the Standard Client task sequence template but also creates a virtual hard disk (VHD) file on the target computer and deploys the image to the VHD file. -- **Deploy to VHD Server task sequence.** Same as the Deploy to VHD Client task sequence but for servers. -- **Standard Client Upgrade task sequence.** A simple task sequence template used to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 directly to Windows 10, automatically preserving existing data, settings, applications, and drivers. - -## Selection profiles - -Selection profiles, which are available in the Advanced Configuration node, provide a way to filter content in the Deployment Workbench. Selection profiles are used for several purposes in the Deployment Workbench and in Lite Touch deployments. For example, they can be used to: -- Control which drivers and packages are injected into the Lite Touch (and generic) boot images. -- Control which drivers are injected during the task sequence. -- Control what is included in any media that you create. -- Control what is replicated to other deployment shares. -- Filter which task sequences and applications are displayed in the Deployment Wizard. - -## Logging - -MDT uses many log files during operating system deployments. By default the logs are client side, but by configuring the deployment settings, you can have MDT store them on the server, as well. - -**Note**   -The easiest way to view log files is to use Configuration Manager Trace (CMTrace), which is included in the [System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). - -## Monitoring - -On the deployment share, you also can enable monitoring. After you enable monitoring, you will see all running deployments in the Monitor node in the Deployment Workbench. - -## Related topics - -[Key features in MDT](key-features-in-mdt.md) - -[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) +--- +title: MDT Lite Touch components (Windows 10) +description: This topic provides an overview of the features in the Microsoft Deployment Toolkit (MDT) that support Lite Touch Installation (LTI) for Windows 10. +ms.assetid: 7d6fc159-e338-439e-a2e6-1778d0da9089 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: deploy, install, deployment, boot, log, monitor +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: mdt +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# MDT Lite Touch components + +**Applies to** +- Windows 10 + +This topic provides an overview of the features in the Microsoft Deployment Toolkit (MDT) that support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires very little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disc. +When deploying the Windows operating system using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, click View Script. That will give you the PowerShell command. + +![figure 4](../images/mdt-05-fig04.png) + +Figure 4. If you click **View Script** on the right side, you will get the PowerShell code that was used to perform the task. + +## Deployment shares + +A deployment share is essentially a folder on the server that is shared and contains all the setup files and scripts needed for the deployment solution. It also holds the configuration files (called rules) that are gathered when a machine is deployed. These configuration files can reach out to other sources, like a database, external script, or web server to get additional settings for the deployment. For Lite Touch deployments, it is common to have two deployment shares: one for creating the reference images and one for deployment. For Zero Touch, it is common to have only the deployment share for creating reference images because Microsoft System Center 2012 R2 Configuration Manager deploys the image in the production environment. + +## Rules + +The rules (CustomSettings.ini and Bootstrap.ini) make up the brain of MDT. The rules control the Windows Deployment Wizard on the client and, for example, can provide the following settings to the machine being deployed: +- Computer name +- Domain to join, and organizational unit (OU) in Active Directory to hold the computer object +- Whether to enable BitLocker +- Regional settings +You can manage hundreds of settings in the rules. For more information, see the [Microsoft Deployment Toolkit resource center](https://go.microsoft.com/fwlink/p/?LinkId=618117). + +![figure 5](../images/mdt-05-fig05.png) + +Figure 5. Example of a MDT rule. In this example, the new computer name is being calculated based on PC- plus the first seven (Left) characters from the serial number + +## Boot images + +Boot images are the Windows Preinstallation Environment (Windows PE) images that are used to start the deployment. They can be started from a CD or DVD, an ISO file, a USB device, or over the network using a Pre-Boot Execution Environment (PXE) server. The boot images connect to the deployment +share on the server and start the deployment. + +## Operating systems + +Using the Deployment Workbench, you import the operating systems you want to deploy. You can import either the full source (like the full Windows 10 DVD/ISO) or a custom image that you have created. The full-source operating systems are primarily used to create reference images; however, they also can be used for normal deployments. + +## Applications + +Using the Deployment Workbench, you also add the applications you want to deploy. MDT supports virtually every executable Windows file type. The file can be a standard .exe file with command-line switches for an unattended install, a Microsoft Windows Installer (MSI) package, a batch file, or a VBScript. In fact, it can be just about anything that can be executed unattended. MDT also supports the new Universal Windows apps. + +## Driver repository + +You also use the Deployment Workbench to import the drivers your hardware needs into a driver repository that lives on the server, not in the image. + +## Packages + +With the Deployment Workbench, you can add any Microsoft packages that you want to use. The most commonly added packages are language packs, and the Deployment Workbench Packages node works well for those. You also can add security and other updates this way. However, we generally recommend that you use Windows Server Update Services (WSUS) for operating system updates. The rare exceptions are critical hotfixes that are not available via WSUS, packages for the boot image, or any other package that needs to be deployed before the WSUS update process starts. + +## Task sequences + +Task sequences are the heart and soul of the deployment solution. When creating a task sequence, you need to select a template. The templates are located in the Templates folder in the MDT installation directory, and they determine which default actions are present in the sequence. + +You can think of a task sequence as a list of actions that need to be executed in a certain order. Each action can also have conditions. Some examples of actions are as follows: +- **Gather.** Reads configuration settings from the deployment server. +- **Format and Partition.** Creates the partition(s) and formats them. +- **Inject Drivers.** Finds out which drivers the machine needs and downloads them from the central driver repository. +- **Apply Operating System.** Uses ImageX to apply the image. +- **Windows Update.** Connects to a WSUS server and updates the machine. + +## Task sequence templates + +MDT comes with nine default task sequence templates. You can also create your own templates. As long as you store them in the Templates folder, they will be available when you create a new task sequence. +- **Sysprep and Capture task sequence.** Used to run the System Preparation (Sysprep) tool and capture an image of a reference computer. + + **Note**   + It is preferable to use a complete build and capture instead of the Sysprep and Capture task sequence. A complete build and capture can be automated, whereas Sysprep and Capture cannot. + +- **Standard Client task sequence.** The most frequently used task sequence. Used for creating reference images and for deploying clients in production. +- **Standard Client Replace task sequence.** Used to run User State Migration Tool (USMT) backup and the optional full Windows Imaging (WIM) backup action. Can also be used to do a secure wipe of a machine that is going to be decommissioned. +- **Custom task sequence.** As the name implies, a custom task sequence with only one default action (one Install Application action). +- **Standard Server task sequence.** The default task sequence for deploying operating system images to servers. The main difference between this template and the Standard Client task sequence template is that it does not contain any USMT actions because USMT is not supported on servers. +- **Lite Touch OEM task sequence.** Used to preload operating systems images on the computer hard drive. Typically used by computer original equipment manufacturers (OEMs) but some enterprise organizations also use this feature. +- **Post OS Installation task sequence.** A task sequence prepared to run actions after the operating system has been deployed. Very useful for server deployments but not often used for client deployments. +- **Deploy to VHD Client task sequence.** Similar to the Standard Client task sequence template but also creates a virtual hard disk (VHD) file on the target computer and deploys the image to the VHD file. +- **Deploy to VHD Server task sequence.** Same as the Deploy to VHD Client task sequence but for servers. +- **Standard Client Upgrade task sequence.** A simple task sequence template used to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 directly to Windows 10, automatically preserving existing data, settings, applications, and drivers. + +## Selection profiles + +Selection profiles, which are available in the Advanced Configuration node, provide a way to filter content in the Deployment Workbench. Selection profiles are used for several purposes in the Deployment Workbench and in Lite Touch deployments. For example, they can be used to: +- Control which drivers and packages are injected into the Lite Touch (and generic) boot images. +- Control which drivers are injected during the task sequence. +- Control what is included in any media that you create. +- Control what is replicated to other deployment shares. +- Filter which task sequences and applications are displayed in the Deployment Wizard. + +## Logging + +MDT uses many log files during operating system deployments. By default the logs are client side, but by configuring the deployment settings, you can have MDT store them on the server, as well. + +**Note**   +The easiest way to view log files is to use Configuration Manager Trace (CMTrace), which is included in the [System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). + +## Monitoring + +On the deployment share, you also can enable monitoring. After you enable monitoring, you will see all running deployments in the Monitor node in the Deployment Workbench. + +## Related topics + +[Key features in MDT](key-features-in-mdt.md) + +[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md index 2cf003d4bb..2e1b06b5f4 100644 --- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md @@ -11,6 +11,7 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: mdt +audience: itpro author: greg-lindsay ms.topic: article --- @@ -100,7 +101,7 @@ By default MDT stores the log files locally on the client. In order to capture a 1. On MDT01, log on as **CONTOSO\\Administrator**. 2. Create and share the **E:\\Logs** folder by running the following commands in an elevated Windows PowerShell prompt: - ```powershell + ``` powershell New-Item -Path E:\Logs -ItemType directory New-SmbShare -Name Logs$ -Path E:\Logs -ChangeAccess EVERYONE icacls E:\Logs /grant '"MDT_BA":(OI)(CI)(M)' diff --git a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md index 77ad0897c7..6c0524658f 100644 --- a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md +++ b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md @@ -1,132 +1,132 @@ ---- -title: Refresh a Windows 7 computer with Windows 10 (Windows 10) -description: This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process. -ms.assetid: 2866fb3c-4909-4c25-b083-6fc1f7869f6f -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: reinstallation, customize, template, script, restore -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -author: greg-lindsay -ms.topic: article ---- - -# Refresh a Windows 7 computer with Windows 10 - -**Applies to** -- Windows 10 - -This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process. The refresh scenario, or computer refresh, is a reinstallation of an operating system on the same machine. You can refresh the machine to the same operating system as it is currently running, or to a later version. - -For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 Standard server. PC0001 is a machine with Windows 7 Service Pack 1 (SP1) that is going to be refreshed into a Windows 10 machine, with data and settings restored. MDT01 and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). - -![The machines used in this topic](../images/mdt-04-fig01.png "The machines used in this topic") - -Figure 1. The machines used in this topic. - -## The computer refresh process - -Even though a computer will appear, to the end user, to be upgraded, a computer refresh is not, technically, an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation. -For a computer refresh with MDT, you use the User State Migration Tool (USMT), which is part of the Windows Assessment and Deployment Kit (ADK) for Windows 10, to migrate user data and settings. To complete a computer refresh you will: - -1. Back up data and settings locally, in a backup folder. - -2. Wipe the partition, except for the backup folder. - -3. Apply the new operating system image. - -4. Install other applications. - -5. Restore data and settings. - -During the computer refresh, USMT uses a feature called Hard-Link Migration Store. When you use this feature, the files are simply linked in the file system, which allows for fast migration, even when there is a lot of data. - ->[!NOTE] ->In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file will contain the entire volume from the computer, and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire machine is not a supported scenario. - -### Multi-user migration - -By default, ScanState in USMT backs up all profiles on the machine, including local computer profiles. If you have a machine that has been in your environment for a while, it likely has several domain-based profiles on it, including those of former users. You can limit which profiles are backed up -by configuring command-line switches to ScanState (added as rules in MDT). - -As an example, the following line configures USMT to migrate only domain user profiles and not profiles from the local SAM account database: ScanStateArgs=/ue:\*\\\* /ui:CONTOSO\\\* - ->[!NOTE] ->You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days. - -### Support for additional settings - -In addition to the command-line switches that control which profiles to migrate, the XML templates control exactly what data is being migrated. You can control data within and outside the user profiles - -## Create a custom User State Migration Tool (USMT) template - -In this section, you learn to migrate additional data using a custom template. You configure the environment to use a custom USMT XML template that will: - -1. Back up the **C:\\Data** folder (including all files and folders). - -2. Scan the local disk for PDF documents (\*.pdf files) and restore them into the **C:\\Data\\PDF Documents** folder on the destination machine. - The custom USMT template is named MigContosoData.xml, and you can find it in the sample files for this documentation, which include: - - * [Gather script](https://go.microsoft.com/fwlink/p/?LinkId=619361) - * [Set-OUPermissions](https://go.microsoft.com/fwlink/p/?LinkId=619362) script - * [MDT Sample Web Service](https://go.microsoft.com/fwlink/p/?LinkId=619363) - -### Add the custom XML template - -In order to use the custom MigContosoData.xml USMT template, you need to copy it to the MDT Production deployment share and update the CustomSettings.ini file. In these steps, we assume you have downloaded the MigContosoData.xml file. -1. Using File Explorer, copy the MigContosoData.xml file to the **E:\\MDTProduction\\Tools\\x64\\USMT5** folder. -2. Using Notepad, edit the E:\\MDTProduction\\Control\\CustomSettings.ini file. After the USMTMigFiles002=MigUser.xml line add the following line: - - ``` syntax - USMTMigFiles003=MigContosoData.xml - ``` -3. Save the CustomSettings.ini file. - -## Refresh a Windows 7 SP1 client - -After adding the additional USMT template and configuring the CustomSettings.ini file to use it, you are now ready to refresh a Windows 7 SP1 client to Windows 10. In these steps, we assume you have a Windows 7 SP1 client named PC0001 in your environment that is ready for a refresh to Windows 10. - ->[!NOTE] ->MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property in the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117). - -### Upgrade (refresh) a Windows 7 SP1 client - -1. On PC0001, log on as **CONTOSO\\Administrator**. Start the Lite Touch Deploy Wizard by executing **\\\\MDT01\\MDTProduction$\\Scripts\\Litetouch.vbs**. Complete the deployment guide using the following settings: - - * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM - * Computer name: <default> - * Specify where to save a complete computer backup: Do not back up the existing computer - >[!NOTE] - >Skip this optional full WIM backup. The USMT backup will still run. - -2. Select one or more applications to install: Install - Adobe Reader XI - x86 - -3. The setup now starts and does the following: - - * Backs up user settings and data using USMT. - * Installs the Windows 10 Enterprise x64 operating system. - * Installs the added application(s). - * Updates the operating system via your local Windows Server Update Services (WSUS) server. - * Restores user settings and data using USMT. - -![Start the computer refresh from the running Windows 7 client](../images/fig2-taskseq.png "Start the computer refresh from the running Windows 7 client") - -Figure 2. Starting the computer refresh from the running Windows 7 SP1 client. - -## Related topics - -[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) - -[Create a Windows 10 reference image](create-a-windows-10-reference-image.md) - -[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) - -[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) - -[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) - -[Configure MDT settings](configure-mdt-settings.md) +--- +title: Refresh a Windows 7 computer with Windows 10 (Windows 10) +description: This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process. +ms.assetid: 2866fb3c-4909-4c25-b083-6fc1f7869f6f +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: reinstallation, customize, template, script, restore +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: mdt +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Refresh a Windows 7 computer with Windows 10 + +**Applies to** +- Windows 10 + +This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process. The refresh scenario, or computer refresh, is a reinstallation of an operating system on the same machine. You can refresh the machine to the same operating system as it is currently running, or to a later version. + +For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 Standard server. PC0001 is a machine with Windows 7 Service Pack 1 (SP1) that is going to be refreshed into a Windows 10 machine, with data and settings restored. MDT01 and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). + +![The machines used in this topic](../images/mdt-04-fig01.png "The machines used in this topic") + +Figure 1. The machines used in this topic. + +## The computer refresh process + +Even though a computer will appear, to the end user, to be upgraded, a computer refresh is not, technically, an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation. +For a computer refresh with MDT, you use the User State Migration Tool (USMT), which is part of the Windows Assessment and Deployment Kit (ADK) for Windows 10, to migrate user data and settings. To complete a computer refresh you will: + +1. Back up data and settings locally, in a backup folder. + +2. Wipe the partition, except for the backup folder. + +3. Apply the new operating system image. + +4. Install other applications. + +5. Restore data and settings. + +During the computer refresh, USMT uses a feature called Hard-Link Migration Store. When you use this feature, the files are simply linked in the file system, which allows for fast migration, even when there is a lot of data. + +>[!NOTE] +>In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file will contain the entire volume from the computer, and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire machine is not a supported scenario. + +### Multi-user migration + +By default, ScanState in USMT backs up all profiles on the machine, including local computer profiles. If you have a machine that has been in your environment for a while, it likely has several domain-based profiles on it, including those of former users. You can limit which profiles are backed up +by configuring command-line switches to ScanState (added as rules in MDT). + +As an example, the following line configures USMT to migrate only domain user profiles and not profiles from the local SAM account database: ScanStateArgs=/ue:\*\\\* /ui:CONTOSO\\\* + +>[!NOTE] +>You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days. + +### Support for additional settings + +In addition to the command-line switches that control which profiles to migrate, the XML templates control exactly what data is being migrated. You can control data within and outside the user profiles + +## Create a custom User State Migration Tool (USMT) template + +In this section, you learn to migrate additional data using a custom template. You configure the environment to use a custom USMT XML template that will: + +1. Back up the **C:\\Data** folder (including all files and folders). + +2. Scan the local disk for PDF documents (\*.pdf files) and restore them into the **C:\\Data\\PDF Documents** folder on the destination machine. + The custom USMT template is named MigContosoData.xml, and you can find it in the sample files for this documentation, which include: + + * [Gather script](https://go.microsoft.com/fwlink/p/?LinkId=619361) + * [Set-OUPermissions](https://go.microsoft.com/fwlink/p/?LinkId=619362) script + * [MDT Sample Web Service](https://go.microsoft.com/fwlink/p/?LinkId=619363) + +### Add the custom XML template + +In order to use the custom MigContosoData.xml USMT template, you need to copy it to the MDT Production deployment share and update the CustomSettings.ini file. In these steps, we assume you have downloaded the MigContosoData.xml file. +1. Using File Explorer, copy the MigContosoData.xml file to the **E:\\MDTProduction\\Tools\\x64\\USMT5** folder. +2. Using Notepad, edit the E:\\MDTProduction\\Control\\CustomSettings.ini file. After the USMTMigFiles002=MigUser.xml line add the following line: + + ``` syntax + USMTMigFiles003=MigContosoData.xml + ``` +3. Save the CustomSettings.ini file. + +## Refresh a Windows 7 SP1 client + +After adding the additional USMT template and configuring the CustomSettings.ini file to use it, you are now ready to refresh a Windows 7 SP1 client to Windows 10. In these steps, we assume you have a Windows 7 SP1 client named PC0001 in your environment that is ready for a refresh to Windows 10. + +>[!NOTE] +>MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property in the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117). + +### Upgrade (refresh) a Windows 7 SP1 client + +1. On PC0001, log on as **CONTOSO\\Administrator**. Start the Lite Touch Deploy Wizard by executing **\\\\MDT01\\MDTProduction$\\Scripts\\Litetouch.vbs**. Complete the deployment guide using the following settings: + + * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM + * Computer name: <default> + * Specify where to save a complete computer backup: Do not back up the existing computer + >[!NOTE] + >Skip this optional full WIM backup. The USMT backup will still run. + +2. Select one or more applications to install: Install - Adobe Reader XI - x86 + +3. The setup now starts and does the following: + + * Backs up user settings and data using USMT. + * Installs the Windows 10 Enterprise x64 operating system. + * Installs the added application(s). + * Updates the operating system via your local Windows Server Update Services (WSUS) server. + * Restores user settings and data using USMT. + +![Start the computer refresh from the running Windows 7 client](../images/fig2-taskseq.png "Start the computer refresh from the running Windows 7 client") + +Figure 2. Starting the computer refresh from the running Windows 7 SP1 client. + +## Related topics + +[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) + +[Create a Windows 10 reference image](create-a-windows-10-reference-image.md) + +[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) + +[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) + +[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) + +[Configure MDT settings](configure-mdt-settings.md) diff --git a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md index 40360c6fc3..dee4dd39d2 100644 --- a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md +++ b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md @@ -11,6 +11,7 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: mdt +audience: itpro author: greg-lindsay ms.topic: article --- @@ -42,7 +43,7 @@ When preparing for the computer replace, you need to create a folder in which to 1. On MDT01, log on as **CONTOSO\\Administrator**. 2. Create and share the **E:\\MigData** folder by running the following three commands in an elevated Windows PowerShell prompt: - ```powershell + ``` powershell New-Item -Path E:\MigData -ItemType directory New-SmbShare ?Name MigData$ ?Path E:\MigData -ChangeAccess EVERYONE diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md index 233354f110..70a3a46434 100644 --- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md +++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md @@ -11,6 +11,7 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: mdt +audience: itpro author: greg-lindsay ms.topic: article --- @@ -138,12 +139,12 @@ cscript.exe SetConfig.vbs SecurityChip Active When configuring a task sequence to run any BitLocker tool, either directly or using a custom script, it is helpful if you also add some logic to detect whether the BIOS is already configured on the machine. In the following task sequence, we are using a sample script (ZTICheckforTPM.wsf) from the Deployment Guys web page to check the status on the TPM chip. You can download this script from the Deployment Guys Blog post, [Check to see if the TPM is enabled](https://go.microsoft.com/fwlink/p/?LinkId=619549). -We have added these five actions to the task sequence: +In the following task sequence, we added five actions: - **Check TPM Status.** Runs the ZTICheckforTPM.wsf script to determine if TPM is enabled. Depending on the status, the script will set the TPMEnabled and TPMActivated properties to either true or false. - **Configure BIOS for TPM.** Runs the vendor tools (in this case, HP, Dell, and Lenovo). To ensure this action is run only when necessary, add a condition so the action is run only when the TPM chip is not already activated. Use the properties from the ZTICheckforTPM.wsf. - - > [!NOTE] - > It is common for organizations to wrap these tools in scripts to get additional logging and error handling. + **Note**   + It is common for organizations to wrap these tools in scripts to get additional logging and error handling. + - **Restart computer.** Self-explanatory, reboots the computer. - **Check TPM Status.** Runs the ZTICheckforTPM.wsf script one more time. - **Enable BitLocker.** Runs the built-in action to activate BitLocker. diff --git a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md index 8b2e2d3c82..6278b32fe5 100644 --- a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md +++ b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md @@ -11,6 +11,7 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: mdt +audience: itpro author: greg-lindsay ms.topic: article --- @@ -39,7 +40,7 @@ For the purposes of this topic, you already will have either downloaded and inst Figure 6. The C:\\MDT folder with the files added for the simulation environment. 10. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press Enter after each command: - ```powershell + ``` powershell Set-Location C:\MDT .\Gather.ps1 ``` diff --git a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md index 614153e319..234a716425 100644 --- a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md @@ -1,177 +1,177 @@ ---- -title: Use Orchestrator runbooks with MDT (Windows 10) -description: This topic will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions. -ms.assetid: 68302780-1f6f-4a9c-9407-b14371fdce3f -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: web services, database -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -author: greg-lindsay -ms.topic: article ---- - -# Use Orchestrator runbooks with MDT - -This topic will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions. -MDT can integrate with System Center 2012 R2 Orchestrator, which is a component that ties the Microsoft System Center products together, as well as other products from both Microsoft and third-party vendors. The difference between using Orchestrator and "normal" web services, is that with Orchestrator you have a rich drag-and-drop style interface when building the solution, and little or no coding is required. - -**Note**   -If you are licensed to use Orchestrator, we highly recommend that you start using it. To find out more about licensing options for System Center 2012 R2 and Orchestrator, visit the [System Center 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=619553) website. - -## Orchestrator terminology - -Before diving into the core details, here is a quick course in Orchestrator terminology: -- **Orchestrator Server.** This is a server that executes runbooks. -- **Runbooks.** A runbook is similar to a task sequence; it is a series of instructions based on conditions. Runbooks consist of workflow activities; an activity could be Copy File, Get User from Active Directory, or even Write to Database. -- **Orchestrator Designer.** This is where you build the runbooks. In brief, you do that by creating an empty runbook, dragging in the activities you need, and then connecting them in a workflow with conditions and subscriptions. -- **Subscriptions.** These are variables that come from an earlier activity in the runbook. So if you first execute an activity in which you type in a computer name, you can then subscribe to that value in the next activity. All these variables are accumulated during the execution of the runbook. -- **Orchestrator Console.** This is the Microsoft Silverlight-based web page you can use interactively to execute runbooks. The console listens to TCP port 81 by default. -- **Orchestrator web services.** These are the web services you use in the Microsoft Deployment Toolkit to execute runbooks during deployment. The web services listen to TCP port 82 by default. -- **Integration packs.** These provide additional workflow activities you can import to integrate with other products or solutions, like the rest of Active Directory, other System Center 2012 R2 products, or Microsoft Exchange Server, to name a few. - -**Note**   -To find and download additional integration packs, see [Integration Packs for System Center 2012 - Orchestrator](https://go.microsoft.com/fwlink/p/?LinkId=619554). - -## Create a sample runbook - -This section assumes you have Orchestrator 2012 R2 installed on a server named OR01. In this section, you create a sample runbook, which is used to log some of the MDT deployment information into a text file on OR01. - -1. On OR01, using File Explorer, create the **E:\\Logfile** folder, and grant Users modify permissions (NTFS). -2. In the **E:\\Logfile** folder, create the DeployLog.txt file. - **Note** - Make sure File Explorer is configured to show known file extensions so the file is not named DeployLog.txt.txt. - - ![figure 23](../images/mdt-09-fig23.png) - - Figure 23. The DeployLog.txt file. - -3. Using System Center 2012 R2 Orchestrator Runbook Designer, in the **Runbooks** node, create the **1.0 MDT** folder. - - ![figure 24](../images/mdt-09-fig24.png) - - Figure 24. Folder created in the Runbooks node. - -4. In the **Runbooks** node, right-click the **1.0 MDT** folder, and select **New / Runbook**. -5. On the ribbon bar, click **Check Out**. -6. Right-click the **New Runbook** label, select **Rename**, and assign the name **MDT Sample**. -7. Add (using a drag-and-drop operation) the following items from the **Activities** list to the middle pane: - 1. Runbook Control / Initialize Data - 2. Text File Management / Append Line -8. Connect **Initialize Data** to **Append Line**. - - ![figure 25](../images/mdt-09-fig25.png) - - Figure 25. Activities added and connected. - -9. Right-click the **Initialize Data** activity, and select **Properties** -10. On **the Initialize Data Properties** page, click **Add**, change **Parameter 1** to **OSDComputerName**, and then click **Finish**. - - ![figure 26](../images/mdt-09-fig26.png) - - Figure 26. The Initialize Data Properties window. - -11. Right-click the **Append Line** activity, and select **Properties**. -12. On the **Append Line Properties** page, in the **File** text box, type **E:\\Logfile\\DeployLog.txt**. -13. In the **File** encoding drop-down list, select **ASCII**. -14. In the **Append** area, right-click inside the **Text** text box and select **Expand**. - - ![figure 27](../images/mdt-09-fig27.png) - - Figure 27. Expanding the Text area. - -15. In the blank text box, right-click and select **Subscribe / Published Data**. - - ![figure 28](../images/mdt-09-fig28.png) - - Figure 28. Subscribing to data. - -16. In the **Published Data** window, select the **OSDComputerName** item, and click **OK**. -17. After the **{OSDComputerName from "Initialize Data"}** text, type in **has been deployed at** and, once again, right-click and select **Subscribe / Published Data**. -18. In the **Published Data** window, select the **Show common Published Data** check box, select the **Activity end time** item, and click **OK**. - - ![figure 29](../images/mdt-09-fig29.png) - - Figure 29. The expanded text box after all subscriptions have been added. - -19. On the **Append Line Properties** page, click **Finish**. - ## Test the demo MDT runbook - After the runbook is created, you are ready to test it. -20. On the ribbon bar, click **Runbook Tester**. -21. Click **Run**, and in the **Initialize Data Parameters** dialog box, use the following setting and then click **OK**: - - OSDComputerName: PC0010 -22. Verify that all activities are green (for additional information, see each target). -23. Close the **Runbook Tester**. -24. On the ribbon bar, click **Check In**. - -![figure 30](../images/mdt-09-fig30.png) - -Figure 30. All tests completed. - -## Use the MDT demo runbook from MDT - -1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, select the **Task Sequences** node, and create a folder named **Orchestrator**. -2. Right-click the **Orchestrator** node, and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - 1. Task sequence ID: OR001 - 2. Task sequence name: Orchestrator Sample - 3. Task sequence comments: <blank> - 4. Template: Custom Task Sequence -3. In the **Orchestrator** node, double-click the **Orchestrator Sample** task sequence, and then select the **Task Sequence** tab. -4. Remove the default **Application Install** action. -5. Add a **Gather** action and select the **Gather only local data (do not process rules)** option. -6. After the **Gather** action, add a **Set Task Sequence Variable** action with the following settings: - 1. Name: Set Task Sequence Variable - 2. Task Sequence Variable: OSDComputerName - 3. Value: %hostname% -7. After the **Set Task Sequence Variable** action, add a new **Execute Orchestrator Runbook** action with the following settings: - 1. Orchestrator Server: OR01.contoso.com - 2. Use Browse to select **1.0 MDT / MDT Sample**. -8. Click **OK**. - -![figure 31](../images/mdt-09-fig31.png) - -Figure 31. The ready-made task sequence. - -## Run the orchestrator sample task sequence - -Since this task sequence just starts a runbook, you can test this on the PC0001 client that you used for the MDT simulation environment. -**Note**   -Make sure the account you are using has permissions to run runbooks on the Orchestrator server. For more information about runbook permissions, see [Runbook Permissions](https://go.microsoft.com/fwlink/p/?LinkId=619555). - -1. On PC0001, log on as **CONTOSO\\MDT\_BA**. -2. Using an elevated command prompt (run as Administrator), type the following command: - - ``` syntax - cscript \\MDT01\MDTProduction$\Scripts\Litetouch.vbs - ``` -3. Complete the Windows Deployment Wizard using the following information: - 1. Task Sequence: Orchestrator Sample - 2. Credentials: - 1. User Name: MDT\_BA - 2. Password: P@ssw0rd - 3. Domain: CONTOSO -4. Wait until the task sequence is completed and then verify that the DeployLog.txt file in the E:\\Logfile folder on OR01 was updated. - -![figure 32](../images/mdt-09-fig32.png) - -Figure 32. The ready-made task sequence. - -## Related topics - -[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) - -[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) - -[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) - -[Simulate a Windows10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) - -[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) - -[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) - -[Use web services in MDT](use-web-services-in-mdt.md) +--- +title: Use Orchestrator runbooks with MDT (Windows 10) +description: This topic will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions. +ms.assetid: 68302780-1f6f-4a9c-9407-b14371fdce3f +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: web services, database +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: mdt +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Use Orchestrator runbooks with MDT + +This topic will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions. +MDT can integrate with System Center 2012 R2 Orchestrator, which is a component that ties the Microsoft System Center products together, as well as other products from both Microsoft and third-party vendors. The difference between using Orchestrator and "normal" web services, is that with Orchestrator you have a rich drag-and-drop style interface when building the solution, and little or no coding is required. + +**Note**   +If you are licensed to use Orchestrator, we highly recommend that you start using it. To find out more about licensing options for System Center 2012 R2 and Orchestrator, visit the [System Center 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=619553) website. + +## Orchestrator terminology + +Before diving into the core details, here is a quick course in Orchestrator terminology: +- **Orchestrator Server.** This is a server that executes runbooks. +- **Runbooks.** A runbook is similar to a task sequence; it is a series of instructions based on conditions. Runbooks consist of workflow activities; an activity could be Copy File, Get User from Active Directory, or even Write to Database. +- **Orchestrator Designer.** This is where you build the runbooks. In brief, you do that by creating an empty runbook, dragging in the activities you need, and then connecting them in a workflow with conditions and subscriptions. +- **Subscriptions.** These are variables that come from an earlier activity in the runbook. So if you first execute an activity in which you type in a computer name, you can then subscribe to that value in the next activity. All these variables are accumulated during the execution of the runbook. +- **Orchestrator Console.** This is the Microsoft Silverlight-based web page you can use interactively to execute runbooks. The console listens to TCP port 81 by default. +- **Orchestrator web services.** These are the web services you use in the Microsoft Deployment Toolkit to execute runbooks during deployment. The web services listen to TCP port 82 by default. +- **Integration packs.** These provide additional workflow activities you can import to integrate with other products or solutions, like the rest of Active Directory, other System Center 2012 R2 products, or Microsoft Exchange Server, to name a few. + +**Note**   +To find and download additional integration packs, see [Integration Packs for System Center 2012 - Orchestrator](https://go.microsoft.com/fwlink/p/?LinkId=619554). + +## Create a sample runbook + +This section assumes you have Orchestrator 2012 R2 installed on a server named OR01. In this section, you create a sample runbook, which is used to log some of the MDT deployment information into a text file on OR01. + +1. On OR01, using File Explorer, create the **E:\\Logfile** folder, and grant Users modify permissions (NTFS). +2. In the **E:\\Logfile** folder, create the DeployLog.txt file. + **Note** + Make sure File Explorer is configured to show known file extensions so the file is not named DeployLog.txt.txt. + + ![figure 23](../images/mdt-09-fig23.png) + + Figure 23. The DeployLog.txt file. + +3. Using System Center 2012 R2 Orchestrator Runbook Designer, in the **Runbooks** node, create the **1.0 MDT** folder. + + ![figure 24](../images/mdt-09-fig24.png) + + Figure 24. Folder created in the Runbooks node. + +4. In the **Runbooks** node, right-click the **1.0 MDT** folder, and select **New / Runbook**. +5. On the ribbon bar, click **Check Out**. +6. Right-click the **New Runbook** label, select **Rename**, and assign the name **MDT Sample**. +7. Add (using a drag-and-drop operation) the following items from the **Activities** list to the middle pane: + 1. Runbook Control / Initialize Data + 2. Text File Management / Append Line +8. Connect **Initialize Data** to **Append Line**. + + ![figure 25](../images/mdt-09-fig25.png) + + Figure 25. Activities added and connected. + +9. Right-click the **Initialize Data** activity, and select **Properties** +10. On **the Initialize Data Properties** page, click **Add**, change **Parameter 1** to **OSDComputerName**, and then click **Finish**. + + ![figure 26](../images/mdt-09-fig26.png) + + Figure 26. The Initialize Data Properties window. + +11. Right-click the **Append Line** activity, and select **Properties**. +12. On the **Append Line Properties** page, in the **File** text box, type **E:\\Logfile\\DeployLog.txt**. +13. In the **File** encoding drop-down list, select **ASCII**. +14. In the **Append** area, right-click inside the **Text** text box and select **Expand**. + + ![figure 27](../images/mdt-09-fig27.png) + + Figure 27. Expanding the Text area. + +15. In the blank text box, right-click and select **Subscribe / Published Data**. + + ![figure 28](../images/mdt-09-fig28.png) + + Figure 28. Subscribing to data. + +16. In the **Published Data** window, select the **OSDComputerName** item, and click **OK**. +17. After the **{OSDComputerName from "Initialize Data"}** text, type in **has been deployed at** and, once again, right-click and select **Subscribe / Published Data**. +18. In the **Published Data** window, select the **Show common Published Data** check box, select the **Activity end time** item, and click **OK**. + + ![figure 29](../images/mdt-09-fig29.png) + + Figure 29. The expanded text box after all subscriptions have been added. + +19. On the **Append Line Properties** page, click **Finish**. + ## Test the demo MDT runbook + After the runbook is created, you are ready to test it. +20. On the ribbon bar, click **Runbook Tester**. +21. Click **Run**, and in the **Initialize Data Parameters** dialog box, use the following setting and then click **OK**: + - OSDComputerName: PC0010 +22. Verify that all activities are green (for additional information, see each target). +23. Close the **Runbook Tester**. +24. On the ribbon bar, click **Check In**. + +![figure 30](../images/mdt-09-fig30.png) + +Figure 30. All tests completed. + +## Use the MDT demo runbook from MDT + +1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, select the **Task Sequences** node, and create a folder named **Orchestrator**. +2. Right-click the **Orchestrator** node, and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + 1. Task sequence ID: OR001 + 2. Task sequence name: Orchestrator Sample + 3. Task sequence comments: <blank> + 4. Template: Custom Task Sequence +3. In the **Orchestrator** node, double-click the **Orchestrator Sample** task sequence, and then select the **Task Sequence** tab. +4. Remove the default **Application Install** action. +5. Add a **Gather** action and select the **Gather only local data (do not process rules)** option. +6. After the **Gather** action, add a **Set Task Sequence Variable** action with the following settings: + 1. Name: Set Task Sequence Variable + 2. Task Sequence Variable: OSDComputerName + 3. Value: %hostname% +7. After the **Set Task Sequence Variable** action, add a new **Execute Orchestrator Runbook** action with the following settings: + 1. Orchestrator Server: OR01.contoso.com + 2. Use Browse to select **1.0 MDT / MDT Sample**. +8. Click **OK**. + +![figure 31](../images/mdt-09-fig31.png) + +Figure 31. The ready-made task sequence. + +## Run the orchestrator sample task sequence + +Since this task sequence just starts a runbook, you can test this on the PC0001 client that you used for the MDT simulation environment. +**Note**   +Make sure the account you are using has permissions to run runbooks on the Orchestrator server. For more information about runbook permissions, see [Runbook Permissions](https://go.microsoft.com/fwlink/p/?LinkId=619555). + +1. On PC0001, log on as **CONTOSO\\MDT\_BA**. +2. Using an elevated command prompt (run as Administrator), type the following command: + + ``` syntax + cscript \\MDT01\MDTProduction$\Scripts\Litetouch.vbs + ``` +3. Complete the Windows Deployment Wizard using the following information: + 1. Task Sequence: Orchestrator Sample + 2. Credentials: + 1. User Name: MDT\_BA + 2. Password: P@ssw0rd + 3. Domain: CONTOSO +4. Wait until the task sequence is completed and then verify that the DeployLog.txt file in the E:\\Logfile folder on OR01 was updated. + +![figure 32](../images/mdt-09-fig32.png) + +Figure 32. The ready-made task sequence. + +## Related topics + +[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) + +[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) + +[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) + +[Simulate a Windows10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) + +[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) + +[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) + +[Use web services in MDT](use-web-services-in-mdt.md) diff --git a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md index 0c2970d7dc..895381896b 100644 --- a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md +++ b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md @@ -1,96 +1,96 @@ ---- -title: Use the MDT database to stage Windows 10 deployment information (Windows 10) -description: This topic is designed to teach you how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database, rather than include the information in a text file (CustomSettings.ini). -ms.assetid: 8956ab54-90ba-45d3-a384-4fdec72c4d46 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.pagetype: mdt -keywords: database, permissions, settings, configure, deploy -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -author: greg-lindsay -ms.topic: article ---- - -# Use the MDT database to stage Windows 10 deployment information - -This topic is designed to teach you how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database, rather than include the information in a text file (CustomSettings.ini). You can use this process, for example, to add the client machines you want to deploy, specify their computer names and IP addresses, indicate applications to be deployed, and determine many additional settings for the machines. - -## Database prerequisites - -MDT can use either SQL Server Express or full SQL Server, but since the deployment database isn't big, even in large enterprise environments, we recommend using the free SQL Server 2012 SP1 Express database in your environment. - ->[!NOTE] ->Be sure to enable Named Pipes when configuring the SQL Server 2012 SP1 Express database. Although it is a legacy protocol, Named Pipes has proven to work well when connecting from Windows Preinstallation Environment (Windows PE) to the SQL Server database. -  -## Create the deployment database - -The MDT database is by default created and managed from the Deployment Workbench. In these steps, we assume you have installed SQL Server 2012 SP1 Express on MDT01. - ->[!NOTE] ->Since SQL Server 2012 SP1 Express runs by default on a separate instance (SQLEXPRESS), the SQL Server Browser service must be running, and the firewall configured to allow traffic to it. Port 1433 TCP and port 1434 UDP need to be opened for inbound traffic on MDT01. -  -1. On MDT01, using Deployment Workbench, expand the MDT Production deployment share, expand **Advanced Configuration**, right-click **Database**, and select **New Database**. -2. In the New DB Wizard, on the **SQL Server Details** page, enter the following settings and click **Next**: - 1. SQL Server Name: MDT01 - 2. Instance: SQLEXPRESS - 3. Port: <blank> - 4. Network Library: Named Pipes -3. On the **Database** page, select **Create a new database**; in the **Database** field, type **MDT** and click **Next**. -4. On the **SQL Share** page, in the **SQL Share** field, type **Logs$** and click **Next**. Click **Next** again and then click **Finish**. - -![figure 8](../images/mdt-09-fig08.png) - -Figure 8. The MDT database added to MDT01. - -## Configure database permissions - -After creating the database, you need to assign permissions to it. In MDT, the account you used to run the deployment is used to access the database. In this environment, the network access account is MDT\_BA. -1. On MDT01, start SQL Server Management Studio. -2. In the **Connect to Server** dialog box, in the **Server name** list, select **MDT01\\SQLEXPRESS** and click **Connect**. -3. In the **Object Explorer** pane, expand the top-level **Security** node, right-click **Logins**, and select **New Login**. - - ![figure 9](../images/mdt-09-fig09.png) - - Figure 9. The top-level Security node. - -4. On the **Login - New** page, next to the **Login** name field, click **Search**, and search for **CONTOSO\\MDT\_BA**. Then in the left pane, select **User Mapping**. Select the **MDT** database, and assign the following roles: - 1. db\_datareader - 2. public (default) -5. Click **OK**, and close SQL Server Management Studio. - -![figure 10](../images/mdt-09-fig10.png) - -Figure 10. Creating the login and settings permissions to the MDT database. - -## Create an entry in the database - -To start using the database, you add a computer entry and assign a description and computer name. Use the computer's MAC Address as the identifier. -1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, expand **Advanced Configuration**, and expand **Database**. -2. Right-click **Computers**, select **New**, and add a computer entry with the following settings: - 1. Description: New York Site - PC00075 - 2. MacAddress: <PC00075 MAC Address in the 00:00:00:00:00:00 format> - 3. Details Tab / OSDComputerName: PC00075 - -![figure 11](../images/mdt-09-fig11.png) - -Figure 11. Adding the PC00075 computer to the database. - -## Related topics - -[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) - -[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) - -[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) - -[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) - -[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) - -[Use web services in MDT](use-web-services-in-mdt.md) - -[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) +--- +title: Use the MDT database to stage Windows 10 deployment information (Windows 10) +description: This topic is designed to teach you how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database, rather than include the information in a text file (CustomSettings.ini). +ms.assetid: 8956ab54-90ba-45d3-a384-4fdec72c4d46 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.pagetype: mdt +keywords: database, permissions, settings, configure, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Use the MDT database to stage Windows 10 deployment information + +This topic is designed to teach you how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database, rather than include the information in a text file (CustomSettings.ini). You can use this process, for example, to add the client machines you want to deploy, specify their computer names and IP addresses, indicate applications to be deployed, and determine many additional settings for the machines. + +## Database prerequisites + +MDT can use either SQL Server Express or full SQL Server, but since the deployment database isn't big, even in large enterprise environments, we recommend using the free SQL Server 2012 SP1 Express database in your environment. + +>[!NOTE] +>Be sure to enable Named Pipes when configuring the SQL Server 2012 SP1 Express database. Although it is a legacy protocol, Named Pipes has proven to work well when connecting from Windows Preinstallation Environment (Windows PE) to the SQL Server database. +  +## Create the deployment database + +The MDT database is by default created and managed from the Deployment Workbench. In these steps, we assume you have installed SQL Server 2012 SP1 Express on MDT01. + +>[!NOTE] +>Since SQL Server 2012 SP1 Express runs by default on a separate instance (SQLEXPRESS), the SQL Server Browser service must be running, and the firewall configured to allow traffic to it. Port 1433 TCP and port 1434 UDP need to be opened for inbound traffic on MDT01. +  +1. On MDT01, using Deployment Workbench, expand the MDT Production deployment share, expand **Advanced Configuration**, right-click **Database**, and select **New Database**. +2. In the New DB Wizard, on the **SQL Server Details** page, enter the following settings and click **Next**: + 1. SQL Server Name: MDT01 + 2. Instance: SQLEXPRESS + 3. Port: <blank> + 4. Network Library: Named Pipes +3. On the **Database** page, select **Create a new database**; in the **Database** field, type **MDT** and click **Next**. +4. On the **SQL Share** page, in the **SQL Share** field, type **Logs$** and click **Next**. Click **Next** again and then click **Finish**. + +![figure 8](../images/mdt-09-fig08.png) + +Figure 8. The MDT database added to MDT01. + +## Configure database permissions + +After creating the database, you need to assign permissions to it. In MDT, the account you used to run the deployment is used to access the database. In this environment, the network access account is MDT\_BA. +1. On MDT01, start SQL Server Management Studio. +2. In the **Connect to Server** dialog box, in the **Server name** list, select **MDT01\\SQLEXPRESS** and click **Connect**. +3. In the **Object Explorer** pane, expand the top-level **Security** node, right-click **Logins**, and select **New Login**. + + ![figure 9](../images/mdt-09-fig09.png) + + Figure 9. The top-level Security node. + +4. On the **Login - New** page, next to the **Login** name field, click **Search**, and search for **CONTOSO\\MDT\_BA**. Then in the left pane, select **User Mapping**. Select the **MDT** database, and assign the following roles: + 1. db\_datareader + 2. public (default) +5. Click **OK**, and close SQL Server Management Studio. + +![figure 10](../images/mdt-09-fig10.png) + +Figure 10. Creating the login and settings permissions to the MDT database. + +## Create an entry in the database + +To start using the database, you add a computer entry and assign a description and computer name. Use the computer's MAC Address as the identifier. +1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, expand **Advanced Configuration**, and expand **Database**. +2. Right-click **Computers**, select **New**, and add a computer entry with the following settings: + 1. Description: New York Site - PC00075 + 2. MacAddress: <PC00075 MAC Address in the 00:00:00:00:00:00 format> + 3. Details Tab / OSDComputerName: PC00075 + +![figure 11](../images/mdt-09-fig11.png) + +Figure 11. Adding the PC00075 computer to the database. + +## Related topics + +[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) + +[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) + +[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) + +[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) + +[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) + +[Use web services in MDT](use-web-services-in-mdt.md) + +[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) diff --git a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md index 1b7bbba417..4f7de42969 100644 --- a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md +++ b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md @@ -11,6 +11,7 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.pagetype: mdt ms.sitesec: library +audience: itpro author: greg-lindsay ms.topic: article --- @@ -92,7 +93,7 @@ Figure 20. The result from the MDT Sample web service. After verifying the web service using Internet Explorer, you are ready to do the same test in the MDT simulation environment. 1. On PC0001, edit the CustomSettings.ini file in the **C:\\MDT** folder to look like the following: - ```ini + ``` [Settings] Priority=Default, GetComputerName [Default] @@ -108,7 +109,7 @@ After verifying the web service using Internet Explorer, you are ready to do the 2. Save the CustomSettings.ini file. 3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press **Enter** after each command: - ```powershell + ``` Set-Location C:\MDT .\Gather.ps1 ``` diff --git a/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md index aa97df75c5..cb8f13a66b 100644 --- a/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md @@ -1,75 +1,75 @@ ---- -title: Add a Windows 10 operating system image using Configuration Manager (Windows 10) -description: Operating system images are typically the production image used for deployment throughout the organization. -ms.assetid: 77f769cc-1a47-4f36-8082-201cd77b8d3b -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: image, deploy, distribute -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -author: greg-lindsay -ms.topic: article ---- - -# Add a Windows 10 operating system image using Configuration Manager - - -**Applies to** - -- Windows 10 versions 1507, 1511 - ->[!IMPORTANT] ->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). ->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). - -Operating system images are typically the production image used for deployment throughout the organization. This topic shows you how to add a Windows 10 operating system image created with Microsoft System Center 2012 R2 Configuration Manager, and how to distribute the image to a distribution point. - -For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard, as the distribution point. CM01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). Our image is named REFW10-X64-001.wim. For details on building this image, please see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md). - -1. Using File Explorer, in the **E:\\Sources\\OSD\\OS** folder, create a subfolder named **Windows 10 Enterprise x64 RTM**. - -2. Copy the REFW10-X64-001.wim file to the **E:\\Sources\\OSD\\OS\\Windows 10 Enterprise x64 RTM** folder. - - ![figure 17](../images/fig17-win10image.png) - - Figure 17. The Windows 10 image copied to the Sources folder structure. - -3. Using the Configuration Manager Console, in the Software Library workspace, right-click **Operating System Images**, and select **Add Operating System Image**. - -4. On the **Data Source** page, in the **Path:** text box, browse to \\\\CM01\\Sources$\\OSD\\OS\\Windows 10 Enterprise x64 RTM\\REFW10-X64-001.wim and click **Next**. - -5. On the **General** page, assign the name Windows 10 Enterprise x64 RTM and click **Next** twice, and then click **Close**. - -6. Distribute the operating system image to the CM01 distribution point by right-clicking the Windows 10 Enterprise x64 RTM operating system image and selecting **Distribute Content**. - -7. In the Distribute Content Wizard, add the CM01 distribution point. - -8. View the content status for the Windows 10 Enterprise x64 RTM package. Do not continue until the distribution is completed. You also can review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line. - - ![figure 18](../images/fig18-distwindows.png) - - Figure 18. The distributed Windows 10 Enterprise x64 RTM package. - -## Related topics - - -[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) - -[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - -[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) - -[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) - -[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) - -[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) - -[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) - -[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) - -[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) +--- +title: Add a Windows 10 operating system image using Configuration Manager (Windows 10) +description: Operating system images are typically the production image used for deployment throughout the organization. +ms.assetid: 77f769cc-1a47-4f36-8082-201cd77b8d3b +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: image, deploy, distribute +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Add a Windows 10 operating system image using Configuration Manager + + +**Applies to** + +- Windows 10 versions 1507, 1511 + +>[!IMPORTANT] +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). + +Operating system images are typically the production image used for deployment throughout the organization. This topic shows you how to add a Windows 10 operating system image created with Microsoft System Center 2012 R2 Configuration Manager, and how to distribute the image to a distribution point. + +For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard, as the distribution point. CM01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). Our image is named REFW10-X64-001.wim. For details on building this image, please see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md). + +1. Using File Explorer, in the **E:\\Sources\\OSD\\OS** folder, create a subfolder named **Windows 10 Enterprise x64 RTM**. + +2. Copy the REFW10-X64-001.wim file to the **E:\\Sources\\OSD\\OS\\Windows 10 Enterprise x64 RTM** folder. + + ![figure 17](../images/fig17-win10image.png) + + Figure 17. The Windows 10 image copied to the Sources folder structure. + +3. Using the Configuration Manager Console, in the Software Library workspace, right-click **Operating System Images**, and select **Add Operating System Image**. + +4. On the **Data Source** page, in the **Path:** text box, browse to \\\\CM01\\Sources$\\OSD\\OS\\Windows 10 Enterprise x64 RTM\\REFW10-X64-001.wim and click **Next**. + +5. On the **General** page, assign the name Windows 10 Enterprise x64 RTM and click **Next** twice, and then click **Close**. + +6. Distribute the operating system image to the CM01 distribution point by right-clicking the Windows 10 Enterprise x64 RTM operating system image and selecting **Distribute Content**. + +7. In the Distribute Content Wizard, add the CM01 distribution point. + +8. View the content status for the Windows 10 Enterprise x64 RTM package. Do not continue until the distribution is completed. You also can review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line. + + ![figure 18](../images/fig18-distwindows.png) + + Figure 18. The distributed Windows 10 Enterprise x64 RTM package. + +## Related topics + + +[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) + +[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + +[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) + +[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) + +[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) + +[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) + +[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) + +[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) diff --git a/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md index ef1532183f..ddc3a8a1da 100644 --- a/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md @@ -1,110 +1,110 @@ ---- -title: Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager (Windows 10) -description: In this topic, you will learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. -ms.assetid: 97b3ea46-28d9-407e-8c42-ded2e45e8d5c -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: deploy, task sequence -ms.prod: w10 -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 07/27/2017 -ms.topic: article ---- - -# Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager - - -**Applies to** - -- Windows 10 versions 1507, 1511 - ->[!IMPORTANT] ->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). ->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). - -In this topic, you will learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. Even though the Windows PE boot image and the Windows 10 operating system contain many out-of-the-box drivers, it is likely you will have to add new or updated drivers to support all your hardware. In this section, you import drivers for both Windows PE and the full Windows 10 operating system. - -For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). - -## Add drivers for Windows PE - - -This section will show you how to import some network and storage drivers for Windows PE. This section assumes you have downloaded some drivers to the E:\\Sources\\OSD\\DriverSources\\WinPE x64 folder on CM01. - -1. On CM01, using the Configuration Manager Console, in the Software Library workspace, right-click the **Drivers** node and select **Import Driver**. - -2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, below the Import all drivers in the following network path (UNC) option, browse to the **\\\\CM01\\Sources$\\OSD\\DriverSources\\WinPE x64** folder and click **Next**. - -3. On the **Specify the details for the imported driver** page, click **Categories**, create a category named **WinPE x64**, and then click **Next**. - -4. On the **Select the packages to add the imported driver** page, click **Next**. - -5. On the **Select drivers to include in the boot image** page, select the **Zero Touch WinPE x64** boot image. Also select the **Update distribution points when finished** check box, and click **Next** twice. - -![Add drivers to Windows PE](../images/fig21-add-drivers.png "Add drivers to Windows PE") - -*Figure 21. Add drivers to Windows PE* - ->[!NOTE] ->The Updating Boot Image part of the wizard will appear to hang when displaying Done. It will complete in a minute or two. - - -## Add drivers for Windows 10 - - -This section illustrates how to add drivers for Windows 10 through an example in which you want to import Windows 10 drivers for the HP EliteBook 8560w model. For the purposes of this section, we assume that you have downloaded the Windows 10 drivers for the HP EliteBook 8560w model and copied them to the E:\\Sources\\OSD\\DriverSources\\Windows 10 x64\\HP EliteBook 8560w folder on CM01. - -1. On CM01, using the Configuration Manager Console, right-click the **Drivers** folder and select **Import Driver**. - -2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, below the Import all drivers in the following network path (UNC) option, browse to the **\\\\CM01\\Sources$\\OSD\\DriverSources\\Windows 10 x64\\HP EliteBook 8560w** folder and click **Next**. - -3. On the **Specify the details for the imported driver** page, click **Categories**, create a category named Windows 10 x64 - HP EliteBook 8560w, and then click **Next**. - - ![Create driver categories](../images/fig22-createcategories.png "Create driver categories") - - *Figure 22. Create driver categories* - -4. On the **Select the packages to add the imported driver** page, click **New Package**, use the following settings for the package, and then click **Next**: - - * Name: Windows 10 x64 - HP EliteBook 8560w - - * Path: \\\\CM01\\Sources$\\OSD\\DriverPackages\\Windows 10 x64\\HP EliteBook 8560w - - >[!NOTE] - >The package path does not yet exist, so you have to type it in. The wizard will create the new package in that folder. - - -5. On the **Select drivers to include in the boot image** page, do not select anything, and click **Next** twice. After the package has been created, click **Close**. - - >[!NOTE] - >If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import. - - ![Drivers imported and a new driver package created](../images/mdt-06-fig26.png "Drivers imported and a new driver package created") - - *Figure 23. Drivers imported and a new driver package created* - -## Related topics - - -[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) - - -[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - -[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) - -[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) - -[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) - -[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) - -[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) - -[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) - -[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) +--- +title: Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager (Windows 10) +description: In this topic, you will learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. +ms.assetid: 97b3ea46-28d9-407e-8c42-ded2e45e8d5c +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: deploy, task sequence +ms.prod: w10 +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 07/27/2017 +ms.topic: article +--- + +# Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager + + +**Applies to** + +- Windows 10 versions 1507, 1511 + +>[!IMPORTANT] +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). + +In this topic, you will learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. Even though the Windows PE boot image and the Windows 10 operating system contain many out-of-the-box drivers, it is likely you will have to add new or updated drivers to support all your hardware. In this section, you import drivers for both Windows PE and the full Windows 10 operating system. + +For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +## Add drivers for Windows PE + + +This section will show you how to import some network and storage drivers for Windows PE. This section assumes you have downloaded some drivers to the E:\\Sources\\OSD\\DriverSources\\WinPE x64 folder on CM01. + +1. On CM01, using the Configuration Manager Console, in the Software Library workspace, right-click the **Drivers** node and select **Import Driver**. + +2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, below the Import all drivers in the following network path (UNC) option, browse to the **\\\\CM01\\Sources$\\OSD\\DriverSources\\WinPE x64** folder and click **Next**. + +3. On the **Specify the details for the imported driver** page, click **Categories**, create a category named **WinPE x64**, and then click **Next**. + +4. On the **Select the packages to add the imported driver** page, click **Next**. + +5. On the **Select drivers to include in the boot image** page, select the **Zero Touch WinPE x64** boot image. Also select the **Update distribution points when finished** check box, and click **Next** twice. + +![Add drivers to Windows PE](../images/fig21-add-drivers.png "Add drivers to Windows PE") + +*Figure 21. Add drivers to Windows PE* + +>[!NOTE] +>The Updating Boot Image part of the wizard will appear to hang when displaying Done. It will complete in a minute or two. + + +## Add drivers for Windows 10 + + +This section illustrates how to add drivers for Windows 10 through an example in which you want to import Windows 10 drivers for the HP EliteBook 8560w model. For the purposes of this section, we assume that you have downloaded the Windows 10 drivers for the HP EliteBook 8560w model and copied them to the E:\\Sources\\OSD\\DriverSources\\Windows 10 x64\\HP EliteBook 8560w folder on CM01. + +1. On CM01, using the Configuration Manager Console, right-click the **Drivers** folder and select **Import Driver**. + +2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, below the Import all drivers in the following network path (UNC) option, browse to the **\\\\CM01\\Sources$\\OSD\\DriverSources\\Windows 10 x64\\HP EliteBook 8560w** folder and click **Next**. + +3. On the **Specify the details for the imported driver** page, click **Categories**, create a category named Windows 10 x64 - HP EliteBook 8560w, and then click **Next**. + + ![Create driver categories](../images/fig22-createcategories.png "Create driver categories") + + *Figure 22. Create driver categories* + +4. On the **Select the packages to add the imported driver** page, click **New Package**, use the following settings for the package, and then click **Next**: + + * Name: Windows 10 x64 - HP EliteBook 8560w + + * Path: \\\\CM01\\Sources$\\OSD\\DriverPackages\\Windows 10 x64\\HP EliteBook 8560w + + >[!NOTE] + >The package path does not yet exist, so you have to type it in. The wizard will create the new package in that folder. + + +5. On the **Select drivers to include in the boot image** page, do not select anything, and click **Next** twice. After the package has been created, click **Close**. + + >[!NOTE] + >If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import. + + ![Drivers imported and a new driver package created](../images/mdt-06-fig26.png "Drivers imported and a new driver package created") + + *Figure 23. Drivers imported and a new driver package created* + +## Related topics + + +[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) + + +[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + +[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) + +[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) + +[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) + +[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) + +[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) + +[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) diff --git a/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md index 3da7e0fa95..34a005a021 100644 --- a/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md @@ -1,117 +1,117 @@ ---- -title: Create a custom Windows PE boot image with Configuration Manager (Windows 10) -description: In Microsoft System Center 2012 R2 Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. -ms.assetid: b9e96974-324d-4fa4-b0ce-33cfc49c4809 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: tool, customize, deploy, boot image -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -author: greg-lindsay -ms.topic: article ---- - -# Create a custom Windows PE boot image with Configuration Manager - - -**Applies to** - -- Windows 10 versions 1507, 1511 - ->[!IMPORTANT] ->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). ->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). - -In Microsoft System Center 2012 R2 Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process. - -For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. Both are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). - -## Add DaRT 10 files and prepare to brand the boot image - - -The steps below outline the process for adding DaRT 10 installation files to the MDT installation directory. You also copy a custom background image to be used later. We assume you have downloaded Microsoft Desktop Optimization Pack (MDOP) 2015 and copied the x64 version of MSDaRT10.msi to the C:\\Setup\\DaRT 10 folder. We also assume you have created a custom background image and saved it in C:\\Setup\\Branding on CM01. In this section, we use a custom background image named ContosoBackground.bmp. - -1. Install DaRT 10 (C:\\Setup\\DaRT 10\\MSDaRT10.msi) using the default settings. - -2. Using File Explorer, navigate to the **C:\\Program Files\\Microsoft DaRT\\v10** folder. - -3. Copy the Toolsx64.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x64** folder. - -4. Copy the Toolsx86.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x86** folder. - -5. Using File Explorer, navigate to the **C:\\Setup** folder. - -6. Copy the **Branding** folder to **E:\\Sources\\OSD**. - -## Create a boot image for Configuration Manager using the MDT wizard - - -By using the MDT wizard to create the boot image in Configuration Manager, you gain additional options for adding components and features to the boot image. In this section, you create a boot image for Configuration Manager using the MDT wizard. - -1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Boot Images**, and select **Create Boot Image using MDT**. - -2. On the **Package Source** page, in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Boot\\Zero Touch WinPE x64** and click **Next**. - - >[!NOTE] - >The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later by the wizard. - -3. On the **General Settings** page, assign the name **Zero Touch WinPE x64** and click **Next**. - -4. On the **Options** page, select the **x64** platform, and click **Next**. - -5. On the **Components** page, in addition to the default selected **Microsoft Data Access Components (MDAC/ADO)** support, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box. - - ![Add the DaRT component to the Configuration Manager boot image](../images/mdt-06-fig16.png "Add the DaRT component to the Configuration Manager boot image") - - Figure 15. Add the DaRT component to the Configuration Manager boot image. - -6. On the **Customization** page, select the **Use a custom background bitmap file** check box, and in the **UNC path:** text box, browse to **\\\\CM01\\Sources$\\OSD\\Branding\\ ContosoBackground.bmp**. Then click **Next** twice. - - >[!NOTE] - >It will take a few minutes to generate the boot image. - -7. Distribute the boot image to the CM01 distribution point by selecting the **Boot images** node, right-clicking the **Zero Touch WinPE x64** boot image, and selecting **Distribute Content**. - -8. In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard. - -9. Using Configuration Manager Trace, review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Do not continue until you can see that the boot image is distributed. Look for the line that reads STATMSG: ID=2301. You also can view Content Status in the Configuration Manager Console by selecting **the Zero Touch WinPE x86** boot image. - - ![Content status for the Zero Touch WinPE x64 boot image](../images/fig16-contentstatus.png "Content status for the Zero Touch WinPE x64 boot image") - - Figure 16. Content status for the Zero Touch WinPE x64 boot image - -10. Using the Configuration Manager Console, right-click the **Zero Touch WinPE x64** boot image and select **Properties**. - -11. In the **Data Source** tab, select the **Deploy this boot image from the PXE-enabled distribution point** check box, and click **OK**. - -12. Using Configuration Manager Trace, review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for this text: Expanding PS10000B to E:\\RemoteInstall\\SMSImages. - -13. Review the **E:\\RemoteInstall\\SMSImages** folder. You should see three folders containing boot images. Two are from the default boot images, and the third folder (PS10000B) is from your new boot image with DaRT. - -## Related topics - - -[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) - -[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - -[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) - -[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) - -[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) - -[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) - -[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) - -[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) - -[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) - -  - -  +--- +title: Create a custom Windows PE boot image with Configuration Manager (Windows 10) +description: In Microsoft System Center 2012 R2 Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. +ms.assetid: b9e96974-324d-4fa4-b0ce-33cfc49c4809 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: tool, customize, deploy, boot image +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Create a custom Windows PE boot image with Configuration Manager + + +**Applies to** + +- Windows 10 versions 1507, 1511 + +>[!IMPORTANT] +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). + +In Microsoft System Center 2012 R2 Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process. + +For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. Both are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +## Add DaRT 10 files and prepare to brand the boot image + + +The steps below outline the process for adding DaRT 10 installation files to the MDT installation directory. You also copy a custom background image to be used later. We assume you have downloaded Microsoft Desktop Optimization Pack (MDOP) 2015 and copied the x64 version of MSDaRT10.msi to the C:\\Setup\\DaRT 10 folder. We also assume you have created a custom background image and saved it in C:\\Setup\\Branding on CM01. In this section, we use a custom background image named ContosoBackground.bmp. + +1. Install DaRT 10 (C:\\Setup\\DaRT 10\\MSDaRT10.msi) using the default settings. + +2. Using File Explorer, navigate to the **C:\\Program Files\\Microsoft DaRT\\v10** folder. + +3. Copy the Toolsx64.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x64** folder. + +4. Copy the Toolsx86.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x86** folder. + +5. Using File Explorer, navigate to the **C:\\Setup** folder. + +6. Copy the **Branding** folder to **E:\\Sources\\OSD**. + +## Create a boot image for Configuration Manager using the MDT wizard + + +By using the MDT wizard to create the boot image in Configuration Manager, you gain additional options for adding components and features to the boot image. In this section, you create a boot image for Configuration Manager using the MDT wizard. + +1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Boot Images**, and select **Create Boot Image using MDT**. + +2. On the **Package Source** page, in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Boot\\Zero Touch WinPE x64** and click **Next**. + + >[!NOTE] + >The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later by the wizard. + +3. On the **General Settings** page, assign the name **Zero Touch WinPE x64** and click **Next**. + +4. On the **Options** page, select the **x64** platform, and click **Next**. + +5. On the **Components** page, in addition to the default selected **Microsoft Data Access Components (MDAC/ADO)** support, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box. + + ![Add the DaRT component to the Configuration Manager boot image](../images/mdt-06-fig16.png "Add the DaRT component to the Configuration Manager boot image") + + Figure 15. Add the DaRT component to the Configuration Manager boot image. + +6. On the **Customization** page, select the **Use a custom background bitmap file** check box, and in the **UNC path:** text box, browse to **\\\\CM01\\Sources$\\OSD\\Branding\\ ContosoBackground.bmp**. Then click **Next** twice. + + >[!NOTE] + >It will take a few minutes to generate the boot image. + +7. Distribute the boot image to the CM01 distribution point by selecting the **Boot images** node, right-clicking the **Zero Touch WinPE x64** boot image, and selecting **Distribute Content**. + +8. In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard. + +9. Using Configuration Manager Trace, review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Do not continue until you can see that the boot image is distributed. Look for the line that reads STATMSG: ID=2301. You also can view Content Status in the Configuration Manager Console by selecting **the Zero Touch WinPE x86** boot image. + + ![Content status for the Zero Touch WinPE x64 boot image](../images/fig16-contentstatus.png "Content status for the Zero Touch WinPE x64 boot image") + + Figure 16. Content status for the Zero Touch WinPE x64 boot image + +10. Using the Configuration Manager Console, right-click the **Zero Touch WinPE x64** boot image and select **Properties**. + +11. In the **Data Source** tab, select the **Deploy this boot image from the PXE-enabled distribution point** check box, and click **OK**. + +12. Using Configuration Manager Trace, review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for this text: Expanding PS10000B to E:\\RemoteInstall\\SMSImages. + +13. Review the **E:\\RemoteInstall\\SMSImages** folder. You should see three folders containing boot images. Two are from the default boot images, and the third folder (PS10000B) is from your new boot image with DaRT. + +## Related topics + + +[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) + +[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + +[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) + +[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) + +[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) + +[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) + +[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) + +[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +  + +  diff --git a/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md index 5b71404c87..e86096e831 100644 --- a/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md @@ -1,107 +1,107 @@ ---- -title: Create an application to deploy with Windows 10 using Configuration Manager (Windows 10) -description: Microsoft System Center 2012 R2 Configuration Manager supports deploying applications as part of the Windows 10 deployment process. -ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: deployment, task sequence, custom, customize -ms.prod: w10 -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.topic: article ---- - -# Create an application to deploy with Windows 10 using Configuration Manager - - -**Applies to** - -- Windows 10 versions 1507, 1511 - ->[!IMPORTANT] ->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). ->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). - -Microsoft System Center 2012 R2 Configuration Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in System Center 2012 R2 Configuration Manager that you later configure the task sequence to use. - -For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). - ->[!NOTE] ->Even though the new application model is fully supported to deploy via the task sequence, the most reliable way to deploy software via the task sequence is still the legacy packages, especially if you deploy many applications. - -## Example: Create the Adobe Reader XI application - - -The following steps show you how to create the Adobe Reader XI application. This section assumes that you have downloaded the MSI version of Adobe Reader XI to the C:\\Setup\\Adobe Reader XI folder on CM01. - -1. On CM01, using File Explorer, copy the **C:\\Setup\\Adobe Reader XI** folder to the **E:\\Sources\\Software\\Adobe** folder. - -2. Using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**. - -3. Right-click **Applications** and select **Folder / Create Folder**. Assign the name **OSD**. - -4. Right-click the **OSD** folder, and select **Create Application**. - -5. In the Create Application Wizard, on the **General** page, use the following settings: - - * Automatically detect information about this application from installation files - - * Type: Windows Installer (\*.msi file) - - * Location: \\\\CM01\\Sources$\\Software\\Adobe\\Adobe Reader XI - - * \\AdbeRdr11000\_en\_US.msi - - ![The Create Application Wizard](../images/mdt-06-fig20.png "The Create Application Wizard") - - *Figure 19. The Create Application Wizard* - -6. Click **Next**, and wait while Configuration Manager parses the MSI file. - -7. On the **Import Information** page, review the information and then click **Next**. - -8. On the **General Information** page, name the application Adobe Reader XI - OSD Install, click **Next** twice, and then click **Close**. - - >[!NOTE] - >Because it is not possible to reference an application deployment type in the task sequence, you should have a single deployment type for applications deployed by the task sequence. If you are deploying applications via both the task sequence and normal application deployment, and you have multiple deployment types, you should have two applications of the same software. In this section, you add the "OSD Install" suffix to applications that are deployed via the task sequence. If using packages, you can still reference both package and program in the task sequence. - - ![Add the OSD Install suffix to the application name](../images/mdt-06-fig21.png "Add the OSD Install suffix to the application name") - - *Figure 20. Add the "OSD Install" suffix to the application name* - -9. In the **Applications** node, select the Adobe Reader XI - OSD Install application, and click **Properties** on the ribbon bar. - -10. In the **General Information** tab, select the **Allow this application to be installed from the Install Application task sequence action without being deployed** check box, and click **OK**. - -## Related topics - - -[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) - -[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - -[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) - -[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) - -[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) - -[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) - -[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) - -[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) - -[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) - - - - - - - - - +--- +title: Create an application to deploy with Windows 10 using Configuration Manager (Windows 10) +description: Microsoft System Center 2012 R2 Configuration Manager supports deploying applications as part of the Windows 10 deployment process. +ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: deployment, task sequence, custom, customize +ms.prod: w10 +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Create an application to deploy with Windows 10 using Configuration Manager + + +**Applies to** + +- Windows 10 versions 1507, 1511 + +>[!IMPORTANT] +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). + +Microsoft System Center 2012 R2 Configuration Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in System Center 2012 R2 Configuration Manager that you later configure the task sequence to use. + +For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +>[!NOTE] +>Even though the new application model is fully supported to deploy via the task sequence, the most reliable way to deploy software via the task sequence is still the legacy packages, especially if you deploy many applications. + +## Example: Create the Adobe Reader XI application + + +The following steps show you how to create the Adobe Reader XI application. This section assumes that you have downloaded the MSI version of Adobe Reader XI to the C:\\Setup\\Adobe Reader XI folder on CM01. + +1. On CM01, using File Explorer, copy the **C:\\Setup\\Adobe Reader XI** folder to the **E:\\Sources\\Software\\Adobe** folder. + +2. Using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**. + +3. Right-click **Applications** and select **Folder / Create Folder**. Assign the name **OSD**. + +4. Right-click the **OSD** folder, and select **Create Application**. + +5. In the Create Application Wizard, on the **General** page, use the following settings: + + * Automatically detect information about this application from installation files + + * Type: Windows Installer (\*.msi file) + + * Location: \\\\CM01\\Sources$\\Software\\Adobe\\Adobe Reader XI + + * \\AdbeRdr11000\_en\_US.msi + + ![The Create Application Wizard](../images/mdt-06-fig20.png "The Create Application Wizard") + + *Figure 19. The Create Application Wizard* + +6. Click **Next**, and wait while Configuration Manager parses the MSI file. + +7. On the **Import Information** page, review the information and then click **Next**. + +8. On the **General Information** page, name the application Adobe Reader XI - OSD Install, click **Next** twice, and then click **Close**. + + >[!NOTE] + >Because it is not possible to reference an application deployment type in the task sequence, you should have a single deployment type for applications deployed by the task sequence. If you are deploying applications via both the task sequence and normal application deployment, and you have multiple deployment types, you should have two applications of the same software. In this section, you add the "OSD Install" suffix to applications that are deployed via the task sequence. If using packages, you can still reference both package and program in the task sequence. + + ![Add the OSD Install suffix to the application name](../images/mdt-06-fig21.png "Add the OSD Install suffix to the application name") + + *Figure 20. Add the "OSD Install" suffix to the application name* + +9. In the **Applications** node, select the Adobe Reader XI - OSD Install application, and click **Properties** on the ribbon bar. + +10. In the **General Information** tab, select the **Allow this application to be installed from the Install Application task sequence action without being deployed** check box, and click **OK**. + +## Related topics + + +[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) + +[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + +[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) + +[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) + +[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) + +[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) + +[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) + +[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) + + + + + + + + + diff --git a/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md index 0f7e602594..71be4f7e4b 100644 --- a/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md @@ -1,76 +1,76 @@ ---- -title: Deploy Windows 10 using PXE and Configuration Manager (Windows 10) -description: In this topic, you will learn how to deploy Windows 10 using Microsoft System Center 2012 R2 Configuration Manager deployment packages and task sequences. -ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: deployment, image, UEFI, task sequence -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -author: greg-lindsay -ms.topic: article ---- - -# Deploy Windows 10 using PXE and Configuration Manager - - -**Applies to** - -- Windows 10 versions 1507, 1511 - ->[!IMPORTANT] ->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). ->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). - -In this topic, you will learn how to deploy Windows 10 using Microsoft System Center 2012 R2 Configuration Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) machine named PC0001. - -For the purposes of this topic, we will use two additional machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. DC01, CM01, and PC0001 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). - -1. Start the PC0001 machine. At the Pre-Boot Execution Environment (PXE) boot menu, press **Enter** to allow it to PXE boot. - - ![figure 31](../images/mdt-06-fig36.png) - - Figure 31. PXE booting PC0001. - -2. On the **Welcome to the Task Sequence Wizard** page, type in the password **Passw0rd!** and click **Next**. - -3. On the **Select a task sequence to run** page, select **Windows 10 Enterprise x64 RTM** and click **Next**. - -4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, type **PC0001** and click **OK**. Then click **Next**. - -![figure 32](../images/mdt-06-fig37.png) - -Figure 32. Typing in the computer name. - -## Related topics - - -[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) - -[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - -[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) - -[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) - -[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) - -[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) - -[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) - -[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) - -[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) - -  - -  - - - - - +--- +title: Deploy Windows 10 using PXE and Configuration Manager (Windows 10) +description: In this topic, you will learn how to deploy Windows 10 using Microsoft System Center 2012 R2 Configuration Manager deployment packages and task sequences. +ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: deployment, image, UEFI, task sequence +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Deploy Windows 10 using PXE and Configuration Manager + + +**Applies to** + +- Windows 10 versions 1507, 1511 + +>[!IMPORTANT] +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). + +In this topic, you will learn how to deploy Windows 10 using Microsoft System Center 2012 R2 Configuration Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) machine named PC0001. + +For the purposes of this topic, we will use two additional machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. DC01, CM01, and PC0001 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +1. Start the PC0001 machine. At the Pre-Boot Execution Environment (PXE) boot menu, press **Enter** to allow it to PXE boot. + + ![figure 31](../images/mdt-06-fig36.png) + + Figure 31. PXE booting PC0001. + +2. On the **Welcome to the Task Sequence Wizard** page, type in the password **Passw0rd!** and click **Next**. + +3. On the **Select a task sequence to run** page, select **Windows 10 Enterprise x64 RTM** and click **Next**. + +4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, type **PC0001** and click **OK**. Then click **Next**. + +![figure 32](../images/mdt-06-fig37.png) + +Figure 32. Typing in the computer name. + +## Related topics + + +[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) + +[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + +[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) + +[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) + +[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) + +[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) + +[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) + +[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +  + +  + + + + + diff --git a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md index 697bd065c4..b933315e49 100644 --- a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md @@ -1,114 +1,114 @@ ---- -title: Deploy Windows 10 with System Center 2012 R2 Configuration Manager (Windows 10) -description: If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. -ms.assetid: eacd7b7b-dde0-423d-97cd-29bde9e8b363 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: deployment, custom, boot -ms.prod: w10 -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.topic: article ---- - -# Deploy Windows 10 with System Center 2012 R2 Configuration Manager - - -**Applies to** - -- Windows 10 versions 1507, 1511 - ->[!IMPORTANT] ->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). ->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). - -If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT). - -For the purposes of this topic, we will use four machines: DC01, CM01, PC0003, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 standard. PC0003 and PC0004 are machines with Windows 7 SP1, on which Windows 10 will be deployed via both refresh and replace scenarios. In addition to these four ready-made machines, you could also include a few blank virtual machines to be used for bare-metal deployments. DC01, CM01, PC003, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). - -![figure 1](../images/mdt-06-fig01.png) - -Figure 1. The machines used in this topic. - -## In this section - - -- [Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) - -- [Prepare for Zero Touch Installation of Windows with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - -- [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) - -- [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) - -- [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) - -- [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) - -- [Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) - -- [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md) - -- [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) - -- [Monitor the Windows 10 deployment with Configuration Manager](monitor-windows-10-deployment-with-configuration-manager.md) - -- [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) - -- [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) - -## Components of Configuration Manager operating system deployment - - -Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are additional components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which is not used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10. - -- **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios. - -- **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages. - -- **Software update point (SUP).** The software update point, which is normally used to deploy updates to existing machines, also can be used to update an operating system as part of the deployment process. You also can use offline servicing to update the image directly on the Configuration Manager server. - -- **Reporting services point.** The reporting services point can be used to monitor the operating system deployment process. - -- **Boot images.** Boot images are the Windows Preinstallation Environment (Windows PE) images Configuration Manager uses to start the deployment. - -- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This is typically the production deployment image. - -- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md). - -- **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers. - -- **Task sequences.** The task sequences in Configuration Manager look and feel pretty much like the sequences in MDT Lite Touch, and they are used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides additional task sequence templates to Configuration Manager. - - **Note**  Configuration Manager SP1 along with the Windows Assessment and Deployment Kit (ADK) for Windows 10 are required to support management and deployment of Windows 10. - -   - -## See also - - -- [Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117) - -- [Windows deployment tools](../windows-deployment-scenarios-and-tools.md) - -- [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) - -- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) - -- [Deploy Windows To Go in your organization](../deploy-windows-to-go.md) - -- [Sideload Windows Store apps](https://technet.microsoft.com/library/dn613831.aspx) - -- [Windows ADK for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526803) - -  - -  - - - - - +--- +title: Deploy Windows 10 with System Center 2012 R2 Configuration Manager (Windows 10) +description: If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. +ms.assetid: eacd7b7b-dde0-423d-97cd-29bde9e8b363 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: deployment, custom, boot +ms.prod: w10 +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Deploy Windows 10 with System Center 2012 R2 Configuration Manager + + +**Applies to** + +- Windows 10 versions 1507, 1511 + +>[!IMPORTANT] +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). + +If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT). + +For the purposes of this topic, we will use four machines: DC01, CM01, PC0003, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 standard. PC0003 and PC0004 are machines with Windows 7 SP1, on which Windows 10 will be deployed via both refresh and replace scenarios. In addition to these four ready-made machines, you could also include a few blank virtual machines to be used for bare-metal deployments. DC01, CM01, PC003, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +![figure 1](../images/mdt-06-fig01.png) + +Figure 1. The machines used in this topic. + +## In this section + + +- [Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) + +- [Prepare for Zero Touch Installation of Windows with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + +- [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) + +- [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) + +- [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) + +- [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) + +- [Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) + +- [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md) + +- [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) + +- [Monitor the Windows 10 deployment with Configuration Manager](monitor-windows-10-deployment-with-configuration-manager.md) + +- [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +- [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +## Components of Configuration Manager operating system deployment + + +Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are additional components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which is not used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10. + +- **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios. + +- **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages. + +- **Software update point (SUP).** The software update point, which is normally used to deploy updates to existing machines, also can be used to update an operating system as part of the deployment process. You also can use offline servicing to update the image directly on the Configuration Manager server. + +- **Reporting services point.** The reporting services point can be used to monitor the operating system deployment process. + +- **Boot images.** Boot images are the Windows Preinstallation Environment (Windows PE) images Configuration Manager uses to start the deployment. + +- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This is typically the production deployment image. + +- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md). + +- **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers. + +- **Task sequences.** The task sequences in Configuration Manager look and feel pretty much like the sequences in MDT Lite Touch, and they are used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides additional task sequence templates to Configuration Manager. + + **Note**  Configuration Manager SP1 along with the Windows Assessment and Deployment Kit (ADK) for Windows 10 are required to support management and deployment of Windows 10. + +   + +## See also + + +- [Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117) + +- [Windows deployment tools](../windows-deployment-scenarios-and-tools.md) + +- [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) + +- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) + +- [Deploy Windows To Go in your organization](../deploy-windows-to-go.md) + +- [Sideload Windows Store apps](https://technet.microsoft.com/library/dn613831.aspx) + +- [Windows ADK for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526803) + +  + +  + + + + + diff --git a/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md index 2aa2b4e657..097ab5c60f 100644 --- a/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md @@ -10,6 +10,7 @@ ms.prod: w10 ms.localizationpriority: medium ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.topic: article --- @@ -59,7 +60,7 @@ To support additional server-side logging in Configuration Manager, you create a 2. Type the following commands, pressing **Enter** after each one: - ```powershell + ``` New-Item -Path E:\Logs -ItemType directory New-SmbShare -Name Logs$ -Path E:\Logs -ChangeAccess EVERYONE icacls E:\Logs /grant '"CM_NAA":(OI)(CI)(M)' @@ -74,7 +75,7 @@ This section will show you how to configure the rules (the Windows 10 x64 Settin 2. Using Notepad, edit the CustomSetting.ini file with the following settings: - ```ini + ``` [Settings] Priority=Default Properties=OSDMigrateConfigFiles,OSDMigrateMode diff --git a/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md index 5b6ebe684b..c0e59fd398 100644 --- a/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md @@ -1,88 +1,88 @@ ---- -title: Monitor the Windows 10 deployment with Configuration Manager (Windows 10) -description: In this topic, you will learn how to monitor a Windows 10 deployment that was started previously using Microsoft System Center 2012 R2 Configuration Manager and the Microsoft Deployment Toolkit (MDT) Deployment Workbench. -ms.assetid: 4863c6aa-6369-4171-8e1a-b052ca195fce -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: deploy, upgrade -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -author: greg-lindsay -ms.topic: article ---- - -# Monitor the Windows 10 deployment with Configuration Manager - - -**Applies to** - -- Windows 10 versions 1507, 1511 - ->[!IMPORTANT] ->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). ->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). - -In this topic, you will learn how to monitor a Windows 10 deployment that was started previously using Microsoft System Center 2012 R2 Configuration Manager and the Microsoft Deployment Toolkit (MDT) Deployment Workbench. You will also use the Deployment Workbench to access the computer remotely via the Microsoft Diagnostics and Recovery Toolkit (DaRT) Remote Connection feature. - -For the purposes of this topic, we will use four machines: DC01, CM01, and PC0001. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0001 is a Unified Extensible Firmware Interface (UEFI) machine to which Windows 10 Enterprise has been deployed. DC01, CM01, and PC0001 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). - -To monitor an operating system deployment conducted through System Center 2012 R2 Configuration Manager, you will use the Deployment Workbench in MDT as follows: - -1. On CM01, using the Deployment Workbench, expand **MDT Production**, and use the **Monitoring** node to view the deployment process (press **F5** to refresh). - - >[!NOTE] - >It takes a little while for the task sequence to start reporting monitor information, so if PC0001 does not appear when you press F5 the first time, wait 20 seconds and try again. - - ![PC0001 being deployed by Configuration Manager](../images/mdt-06-fig39.png) - - *Figure 33. PC0001 being deployed by Configuration Manager* - -2. When you see the PC0001 entry, double-click **PC0001**, and then click **DaRT Remote Control** and review the **Remote Control** option. - -3. The task sequence will now run and do the following: - - * Install the Windows 10 operating system. - - * Install the Configuration Manager client and the client hotfix. - - * Join the machine to the domain. - - * Install the application added to the task sequence. - - >[!NOTE] - >You also can use the built-in reports to get information about ongoing deployments. For example, a task sequence report gives you a quick overview of the task sequence progress. -   -4. If time permits, allow the deployment of PC0001 to complete. Then log in as Administrator in the CONTOSO domain and verify that Adobe Reader XI was installed. - -## Related topics - - -[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) - -[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - -[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) - -[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) - -[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) - -[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) - -[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) - -[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) - -[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) - -  - -  - - - - - +--- +title: Monitor the Windows 10 deployment with Configuration Manager (Windows 10) +description: In this topic, you will learn how to monitor a Windows 10 deployment that was started previously using Microsoft System Center 2012 R2 Configuration Manager and the Microsoft Deployment Toolkit (MDT) Deployment Workbench. +ms.assetid: 4863c6aa-6369-4171-8e1a-b052ca195fce +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: deploy, upgrade +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Monitor the Windows 10 deployment with Configuration Manager + + +**Applies to** + +- Windows 10 versions 1507, 1511 + +>[!IMPORTANT] +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). + +In this topic, you will learn how to monitor a Windows 10 deployment that was started previously using Microsoft System Center 2012 R2 Configuration Manager and the Microsoft Deployment Toolkit (MDT) Deployment Workbench. You will also use the Deployment Workbench to access the computer remotely via the Microsoft Diagnostics and Recovery Toolkit (DaRT) Remote Connection feature. + +For the purposes of this topic, we will use four machines: DC01, CM01, and PC0001. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0001 is a Unified Extensible Firmware Interface (UEFI) machine to which Windows 10 Enterprise has been deployed. DC01, CM01, and PC0001 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +To monitor an operating system deployment conducted through System Center 2012 R2 Configuration Manager, you will use the Deployment Workbench in MDT as follows: + +1. On CM01, using the Deployment Workbench, expand **MDT Production**, and use the **Monitoring** node to view the deployment process (press **F5** to refresh). + + >[!NOTE] + >It takes a little while for the task sequence to start reporting monitor information, so if PC0001 does not appear when you press F5 the first time, wait 20 seconds and try again. + + ![PC0001 being deployed by Configuration Manager](../images/mdt-06-fig39.png) + + *Figure 33. PC0001 being deployed by Configuration Manager* + +2. When you see the PC0001 entry, double-click **PC0001**, and then click **DaRT Remote Control** and review the **Remote Control** option. + +3. The task sequence will now run and do the following: + + * Install the Windows 10 operating system. + + * Install the Configuration Manager client and the client hotfix. + + * Join the machine to the domain. + + * Install the application added to the task sequence. + + >[!NOTE] + >You also can use the built-in reports to get information about ongoing deployments. For example, a task sequence report gives you a quick overview of the task sequence progress. +   +4. If time permits, allow the deployment of PC0001 to complete. Then log in as Administrator in the CONTOSO domain and verify that Adobe Reader XI was installed. + +## Related topics + + +[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) + +[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + +[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) + +[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) + +[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) + +[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) + +[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) + +[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +  + +  + + + + + diff --git a/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md index 25b6cb7f73..d7435593a7 100644 --- a/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md @@ -10,6 +10,7 @@ ms.prod: w10 ms.localizationpriority: medium ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.topic: article --- @@ -90,7 +91,7 @@ In order for the Configuration Manager Join Domain Account (CM\_JD) to join mach 2. In an elevated Windows PowerShell prompt (run as Administrator), run the following commands, pressing **Enter** after each command: - ```powershell + ``` Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force Set-Location C:\Setup\Scripts diff --git a/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md index 7ad506f3c0..78e75ded51 100644 --- a/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -1,147 +1,147 @@ ---- -title: Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10) -description: This topic will show you how to use a previously created task sequence to refresh a Windows 7 SP1 client with Windows 10 using Microsoft System Center 2012 R2 Configuration Manager and Microsoft Deployment Toolkit (MDT) 2013 Update 2. -ms.assetid: 57c81667-1019-4711-b3de-15ae9c5387c7 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: upgrade, install, installation, computer refresh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -author: greg-lindsay -ms.topic: article ---- - -# Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager - - -**Applies to** - -- Windows 10 versions 1507, 1511 - ->[!IMPORTANT] ->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). ->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). - -This topic will show you how to use a previously created task sequence to refresh a Windows 7 SP1 client with Windows 10 using Microsoft System Center 2012 R2 Configuration Manager and Microsoft Deployment Toolkit (MDT) 2013 Update 2. When refreshing a machine to a later version, it appears as an upgrade to the end user, but technically it is not an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation. For more information, see [Refresh a Windows 7 computer with Windows 10](../deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md). - -A computer refresh with System Center 2012 R2 Configuration Manager works the same as it does with MDT Lite Touch installation. Configuration Manager also uses the User State Migration Tool (USMT) from the Windows Assessment and Deployment Kit (Windows ADK) 10 in the background. A computer refresh with Configuration Manager involves the following steps: - -1. Data and settings are backed up locally in a backup folder. - -2. The partition is wiped, except for the backup folder. - -3. The new operating system image is applied. - -4. Other applications are installed. - -5. Data and settings are restored. - -For the purposes of this topic, we will use three machines: DC01, CM01, and PC0003. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0003 is a machine with Windows 7 SP1, on which Windows 10 will be deployed. DC01, CM01, and PC003 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). - -In this topic, we assume that you have a Windows 7 SP1 client named PC0003 with the Configuration Manager client installed. - -## Create a device collection and add the PC0003 computer - - -1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: - - * General - - * Name: Install Windows 10 Enterprise x64 - - * Limited Collection: All Systems - - * Membership rules: - - * Direct rule - - * Resource Class: System Resource - - * Attribute Name: Name - - * Value: PC0003 - - * Select **Resources** - - * Select **PC0003** - -2. Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0003 machine in the collection. - - >[!NOTE] - >It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership. - - - -## Create a new deployment - - -Using the Configuration Manager console, in the Software Library workspace, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM**, and then select **Deploy**. Use the following settings: - -- General - - - Collection: Install Windows 10 Enterprise x64 - -- Deployment Settings - - - Purpose: Available - - - Make available to the following: Configuration Manager clients, media and PXE - - >[!NOTE] - >It is not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point. - - - -- Scheduling - - - <default> - -- User Experience - - - <default> - -- Alerts - - - <default> - -- Distribution Points - - - <default> - -## Initiate a computer refresh - - -Now you can start the computer refresh on PC0003. - -1. Using the Configuration Manager console, in the Asset and Compliance workspace, in the Install Windows 10 Enterprise x64 collection, right-click **PC0003** and select **Client Notification / Download Computer Policy**. Click **OK**. - - >[!NOTE] - >The Client Notification feature is new in Configuration Manager. - -2. On PC0003, using the Software Center (begin using the Start screen, or click the **New software is available** balloon in the system tray), select the **Windows 10 Enterprise x64 RTM** deployment and click **INSTALL**. - -3. In the **Software Center** warning dialog box, click **INSTALL OPERATING SYSTEM**. - -## Related topics - - -[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) - -[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - -[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) - -[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) - -[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) - -[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) - -[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) - -[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) - -[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) +--- +title: Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10) +description: This topic will show you how to use a previously created task sequence to refresh a Windows 7 SP1 client with Windows 10 using Microsoft System Center 2012 R2 Configuration Manager and Microsoft Deployment Toolkit (MDT) 2013 Update 2. +ms.assetid: 57c81667-1019-4711-b3de-15ae9c5387c7 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: upgrade, install, installation, computer refresh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager + + +**Applies to** + +- Windows 10 versions 1507, 1511 + +>[!IMPORTANT] +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). + +This topic will show you how to use a previously created task sequence to refresh a Windows 7 SP1 client with Windows 10 using Microsoft System Center 2012 R2 Configuration Manager and Microsoft Deployment Toolkit (MDT) 2013 Update 2. When refreshing a machine to a later version, it appears as an upgrade to the end user, but technically it is not an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation. For more information, see [Refresh a Windows 7 computer with Windows 10](../deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md). + +A computer refresh with System Center 2012 R2 Configuration Manager works the same as it does with MDT Lite Touch installation. Configuration Manager also uses the User State Migration Tool (USMT) from the Windows Assessment and Deployment Kit (Windows ADK) 10 in the background. A computer refresh with Configuration Manager involves the following steps: + +1. Data and settings are backed up locally in a backup folder. + +2. The partition is wiped, except for the backup folder. + +3. The new operating system image is applied. + +4. Other applications are installed. + +5. Data and settings are restored. + +For the purposes of this topic, we will use three machines: DC01, CM01, and PC0003. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0003 is a machine with Windows 7 SP1, on which Windows 10 will be deployed. DC01, CM01, and PC003 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +In this topic, we assume that you have a Windows 7 SP1 client named PC0003 with the Configuration Manager client installed. + +## Create a device collection and add the PC0003 computer + + +1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: + + * General + + * Name: Install Windows 10 Enterprise x64 + + * Limited Collection: All Systems + + * Membership rules: + + * Direct rule + + * Resource Class: System Resource + + * Attribute Name: Name + + * Value: PC0003 + + * Select **Resources** + + * Select **PC0003** + +2. Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0003 machine in the collection. + + >[!NOTE] + >It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership. + + + +## Create a new deployment + + +Using the Configuration Manager console, in the Software Library workspace, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM**, and then select **Deploy**. Use the following settings: + +- General + + - Collection: Install Windows 10 Enterprise x64 + +- Deployment Settings + + - Purpose: Available + + - Make available to the following: Configuration Manager clients, media and PXE + + >[!NOTE] + >It is not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point. + + + +- Scheduling + + - <default> + +- User Experience + + - <default> + +- Alerts + + - <default> + +- Distribution Points + + - <default> + +## Initiate a computer refresh + + +Now you can start the computer refresh on PC0003. + +1. Using the Configuration Manager console, in the Asset and Compliance workspace, in the Install Windows 10 Enterprise x64 collection, right-click **PC0003** and select **Client Notification / Download Computer Policy**. Click **OK**. + + >[!NOTE] + >The Client Notification feature is new in Configuration Manager. + +2. On PC0003, using the Software Center (begin using the Start screen, or click the **New software is available** balloon in the system tray), select the **Windows 10 Enterprise x64 RTM** deployment and click **INSTALL**. + +3. In the **Software Center** warning dialog box, click **INSTALL OPERATING SYSTEM**. + +## Related topics + + +[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) + +[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + +[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) + +[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) + +[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) + +[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) + +[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) + +[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) + +[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) diff --git a/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md index 49c73693ae..45d77e1fa1 100644 --- a/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -1,240 +1,240 @@ ---- -title: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10) -description: In this topic, you will learn how to replacing a Windows 7 SP1 computer using Microsoft System Center 2012 R2 Configuration Manager. -ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: upgrade, install, installation, replace computer, setup -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -author: greg-lindsay -ms.topic: article ---- - -# Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager - - -**Applies to** - -- Windows 10 versions 1507, 1511 - ->[!IMPORTANT] ->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). ->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). - -In this topic, you will learn how to replace a Windows 7 SP1 computer using Microsoft System Center 2012 R2 Configuration Manager. This process is similar to refreshing a computer, but since you are replacing the machine, you have to run the backup job separately from the deployment of Windows 10. - -For the purposes of this topic, we will use three machines: DC01, CM01, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0004 is a machine with Windows 7 SP1 that will be replaced with a new machine running Windows 10. DC01, CM01, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). - -In this topic, you will create a backup-only task sequence that you run on PC0004, the machine you are replacing. For more information, see [Replace a Windows 7 computer with a Windows 10 computer](../deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md). - -## Create a replace task sequence - - -1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**. - -2. On the **Choose Template** page, select the **Client Replace Task Sequence** template and click **Next**. - -3. On the **General** page, assign the following settings and click **Next**: - - * Task sequence name: Replace Task Sequence - - * Task sequence comments: USMT backup only - -4. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**. - -5. On the **MDT Package** page, browse and select the **OSD / MDT** package. Then click **Next**. - -6. On the **USMT Package** page, browse and select the O**SD / Microsoft Corporation User State Migration Tool for Windows 8 10.0.10240.16384** package. Then click **Next**. - -7. On the **Settings Package** page, browse and select the **OSD / Windows 10 x64 Settings** package. Then click **Next**. - -8. On the **Summary** page, review the details and then click **Next**. - -9. On the **Confirmation** page, click **Finish**. - -10. Review the Replace Task Sequence. - >[!NOTE] - >This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the Client Replace Task Sequence template when creating the task sequence. - -![The back-up only task sequence](../images/mdt-06-fig42.png "The back-up only task sequence") - -Figure 34. The backup-only task sequence (named Replace Task Sequence). - -## Associate the new machine with the old computer - - -This section walks you through the process of associating a blank machine, PC0006, with an old machine, PC0004, for the purpose of replacing PC0004 with PC0006. PC0006 can be either a physical or virtual machine. - -1. Make a note of the PC0006 machine's MAC Address. (If PC0006 is a virtual machine, you can see the MAC Address in the virtual machine settings.) In our example, the PC0006 MAC Address is 00:15:5D:0A:6A:96. - -2. Using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Devices**, and then select **Import Computer Information**. - -3. On the **Select Source** page, select **Import single computer** and click **Next**. - -4. On the **Single Computer** page, use the following settings and then click **Next**: - - * Computer Name: PC0006 - - * MAC Address: <the mac address from step 1> - - * Source Computer: PC0004 - - ![Create the computer association](../images/mdt-06-fig43.png "Create the computer association") - - Figure 35. Creating the computer association between PC0004 and PC0006. - -5. On the **User Accounts** page, select **Capture and restore all user accounts** and click **Next**. - -6. On the **Data Preview** page, click **Next**. - -7. On the **Choose Target Collection** page, select the **Install Windows 10 Enterprise x64** collection and click **Next**. - -8. On the **Summary** page, click **Next**, and then click **Close**. - -9. Select the **User State Migration** node and review the computer association in the right pane. - -10. Right-click the **PC0004/PC0006** association and select **View Recovery Information**. Note that a recovery key has been assigned already, but a user state store location has not. - -11. Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0006 machine in the collection. You might have to update and refresh the collection again. - -## Create a device collection and add the PC0004 computer - - -1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings. - - * General - - * Name: USMT Backup (Replace) - - * Limited Collection: All Systems - - * Membership rules: - - * Direct rule - - * Resource Class: System Resource - - * Attribute Name: Name - - * Value: PC0004 - - * Select **Resources** - - * Select **PC0004** - -2. Review the USMT Backup (Replace) collection. Do not continue until you see the PC0004 machine in the collection. - -## Create a new deployment - - -Using the Configuration Manager console, in the Software Library workspace, select **Task Sequences**, right-click **Replace Task Sequence**, and then select **Deploy**. Use the following settings: - -- General - - - Collection: USMT Backup (Replace) - -- Deployment Settings - - - Purpose: Available - - - Make available to the following: Only Configuration Manager Clients - -- Scheduling - - - <default> - -- User Experience - - - <default> - -- Alerts - - - <default> - -- Distribution Points - - - <default> - -## Verify the backup - - -This section assumes that you have a machine named PC0004 with the Configuration Manager 2012 client installed. - -1. Start the PC0004 machine, and using the Control Panel, start the Configuration Manager applet. - -2. In the **Actions** tab, select the **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and click **OK**. - - >[!NOTE] - >You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md). - -3. Using the Software Center, select the **Replace Task Sequence** deployment and click **INSTALL**. - -4. In the **Software Center** dialog box, click **INSTALL OPERATING SYSTEM**. - -5. Allow the Replace Task Sequence to complete. It should only take about five minutes. - -6. On CM01, in the **D:\\MigData** folder, verify that a folder was created containing the USMT backup. - -7. Using the Configuration Manager console, in the Asset and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. Note that the object now also has a user state store location. - - >[!NOTE] - >It may take a few minutes for the user state store location to be populated. - - - -## Deploy the new computer - - -1. Start the PC0006 virtual machine, press **F12** to Pre-Boot Execution Environment (PXE) boot when prompted. Allow it to boot Windows Preinstallation Environment (Windows PE), and then complete the deployment wizard using the following settings: - - * Password: P@ssw0rd - - * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 Custom Image - -2. The setup now starts and does the following: - - * Installs the Windows 10 operating system - - * Installs the Configuration Manager client - - * Joins it to the domain - - * Installs the applications - - * Restores the PC0004 backup - -When the process is complete, you will have a new Windows 10 machine in your domain with user data and settings restored. - -## Related topics - - -[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) - -[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - -[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) - -[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) - -[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) - -[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) - -[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) - -[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) - -[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) - - - - - - - - - +--- +title: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10) +description: In this topic, you will learn how to replacing a Windows 7 SP1 computer using Microsoft System Center 2012 R2 Configuration Manager. +ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: upgrade, install, installation, replace computer, setup +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager + + +**Applies to** + +- Windows 10 versions 1507, 1511 + +>[!IMPORTANT] +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). + +In this topic, you will learn how to replace a Windows 7 SP1 computer using Microsoft System Center 2012 R2 Configuration Manager. This process is similar to refreshing a computer, but since you are replacing the machine, you have to run the backup job separately from the deployment of Windows 10. + +For the purposes of this topic, we will use three machines: DC01, CM01, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0004 is a machine with Windows 7 SP1 that will be replaced with a new machine running Windows 10. DC01, CM01, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +In this topic, you will create a backup-only task sequence that you run on PC0004, the machine you are replacing. For more information, see [Replace a Windows 7 computer with a Windows 10 computer](../deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md). + +## Create a replace task sequence + + +1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**. + +2. On the **Choose Template** page, select the **Client Replace Task Sequence** template and click **Next**. + +3. On the **General** page, assign the following settings and click **Next**: + + * Task sequence name: Replace Task Sequence + + * Task sequence comments: USMT backup only + +4. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**. + +5. On the **MDT Package** page, browse and select the **OSD / MDT** package. Then click **Next**. + +6. On the **USMT Package** page, browse and select the O**SD / Microsoft Corporation User State Migration Tool for Windows 8 10.0.10240.16384** package. Then click **Next**. + +7. On the **Settings Package** page, browse and select the **OSD / Windows 10 x64 Settings** package. Then click **Next**. + +8. On the **Summary** page, review the details and then click **Next**. + +9. On the **Confirmation** page, click **Finish**. + +10. Review the Replace Task Sequence. + >[!NOTE] + >This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the Client Replace Task Sequence template when creating the task sequence. + +![The back-up only task sequence](../images/mdt-06-fig42.png "The back-up only task sequence") + +Figure 34. The backup-only task sequence (named Replace Task Sequence). + +## Associate the new machine with the old computer + + +This section walks you through the process of associating a blank machine, PC0006, with an old machine, PC0004, for the purpose of replacing PC0004 with PC0006. PC0006 can be either a physical or virtual machine. + +1. Make a note of the PC0006 machine's MAC Address. (If PC0006 is a virtual machine, you can see the MAC Address in the virtual machine settings.) In our example, the PC0006 MAC Address is 00:15:5D:0A:6A:96. + +2. Using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Devices**, and then select **Import Computer Information**. + +3. On the **Select Source** page, select **Import single computer** and click **Next**. + +4. On the **Single Computer** page, use the following settings and then click **Next**: + + * Computer Name: PC0006 + + * MAC Address: <the mac address from step 1> + + * Source Computer: PC0004 + + ![Create the computer association](../images/mdt-06-fig43.png "Create the computer association") + + Figure 35. Creating the computer association between PC0004 and PC0006. + +5. On the **User Accounts** page, select **Capture and restore all user accounts** and click **Next**. + +6. On the **Data Preview** page, click **Next**. + +7. On the **Choose Target Collection** page, select the **Install Windows 10 Enterprise x64** collection and click **Next**. + +8. On the **Summary** page, click **Next**, and then click **Close**. + +9. Select the **User State Migration** node and review the computer association in the right pane. + +10. Right-click the **PC0004/PC0006** association and select **View Recovery Information**. Note that a recovery key has been assigned already, but a user state store location has not. + +11. Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0006 machine in the collection. You might have to update and refresh the collection again. + +## Create a device collection and add the PC0004 computer + + +1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings. + + * General + + * Name: USMT Backup (Replace) + + * Limited Collection: All Systems + + * Membership rules: + + * Direct rule + + * Resource Class: System Resource + + * Attribute Name: Name + + * Value: PC0004 + + * Select **Resources** + + * Select **PC0004** + +2. Review the USMT Backup (Replace) collection. Do not continue until you see the PC0004 machine in the collection. + +## Create a new deployment + + +Using the Configuration Manager console, in the Software Library workspace, select **Task Sequences**, right-click **Replace Task Sequence**, and then select **Deploy**. Use the following settings: + +- General + + - Collection: USMT Backup (Replace) + +- Deployment Settings + + - Purpose: Available + + - Make available to the following: Only Configuration Manager Clients + +- Scheduling + + - <default> + +- User Experience + + - <default> + +- Alerts + + - <default> + +- Distribution Points + + - <default> + +## Verify the backup + + +This section assumes that you have a machine named PC0004 with the Configuration Manager 2012 client installed. + +1. Start the PC0004 machine, and using the Control Panel, start the Configuration Manager applet. + +2. In the **Actions** tab, select the **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and click **OK**. + + >[!NOTE] + >You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md). + +3. Using the Software Center, select the **Replace Task Sequence** deployment and click **INSTALL**. + +4. In the **Software Center** dialog box, click **INSTALL OPERATING SYSTEM**. + +5. Allow the Replace Task Sequence to complete. It should only take about five minutes. + +6. On CM01, in the **D:\\MigData** folder, verify that a folder was created containing the USMT backup. + +7. Using the Configuration Manager console, in the Asset and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. Note that the object now also has a user state store location. + + >[!NOTE] + >It may take a few minutes for the user state store location to be populated. + + + +## Deploy the new computer + + +1. Start the PC0006 virtual machine, press **F12** to Pre-Boot Execution Environment (PXE) boot when prompted. Allow it to boot Windows Preinstallation Environment (Windows PE), and then complete the deployment wizard using the following settings: + + * Password: P@ssw0rd + + * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 Custom Image + +2. The setup now starts and does the following: + + * Installs the Windows 10 operating system + + * Installs the Configuration Manager client + + * Joins it to the domain + + * Installs the applications + + * Restores the PC0004 backup + +When the process is complete, you will have a new Windows 10 machine in your domain with user data and settings restored. + +## Related topics + + +[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) + +[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + +[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) + +[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) + +[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) + +[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) + +[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) + +[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) + +[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) + + + + + + + + + diff --git a/windows/deployment/deploy-windows-to-go.md b/windows/deployment/deploy-windows-to-go.md index c2241531aa..b54532b820 100644 --- a/windows/deployment/deploy-windows-to-go.md +++ b/windows/deployment/deploy-windows-to-go.md @@ -4,12 +4,14 @@ description: This topic helps you to deploy Windows To Go in your organization. ms.assetid: cfe550be-ffbd-42d1-ab4d-80efae49b07f ms.reviewer: manager: laurawi -ms.author: greg-lindsay +ms.audience: itpro +author: greg-lindsay keywords: deployment, USB, device, BitLocker, workspace, security, data ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mobility +audience: itpro author: greg-lindsay ms.topic: article --- @@ -106,7 +108,7 @@ The following Windows PowerShell cmdlet or cmdlets perform the same function as 2. In the Windows PowerShell session type the following commands to partition a master boot record (MBR) disk for use with a FAT32 system partition and an NTFS-formatted operating system partition. This disk layout can support computers that use either UEFI or BIOS firmware: - ```powershell + ``` # The following command will set $Disk to all USB drives with >20 GB of storage $Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot } @@ -145,7 +147,7 @@ The following Windows PowerShell cmdlet or cmdlets perform the same function as >[!TIP] >The index number must be set correctly to a valid Enterprise image in the .WIM file. - ``` syntax + ``` #The WIM file must contain a sysprep generalized image. dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ ``` @@ -154,14 +156,14 @@ The following Windows PowerShell cmdlet or cmdlets perform the same function as ~~~ -``` syntax +``` W:\Windows\System32\bcdboot W:\Windows /f ALL /s S: ``` ~~~ 5. Apply SAN policy—OFFLINE\_INTERNAL - “4” to prevent the operating system from automatically bringing online any internally connected disk. This is done by creating and saving a **san\_policy.xml** file on the disk. The following example illustrates this step: - ```xml + ``` @@ -193,13 +195,13 @@ W:\Windows\System32\bcdboot W:\Windows /f ALL /s S: 6. Place the **san\_policy.xml** file created in the previous step into the root directory of the Windows partition on the Windows To Go drive (W: from the previous examples) and run the following command: - ``` syntax + ``` Dism.exe /Image:W:\ /Apply-Unattend:W:\san_policy.xml ``` 7. Create an answer file (unattend.xml) that disables the use of Windows Recovery Environment with Windows To Go. You can use the following code sample to create a new answer file or you can paste it into an existing answer file: - ```xml + ``` @@ -299,7 +301,7 @@ Making sure that Windows To Go workspaces are effective when used off premises i 1. Start the host computer and sign in using a user account with privileges to add workstations to the domain and then run the following command from an elevated command prompt replacing the example placeholder parameters (denoted by <>) with the ones applicable for your environment: - ``` syntax + ``` djoin /provision /domain /machine /certtemplate /policynames /savefile /reuse ``` @@ -312,7 +314,7 @@ Making sure that Windows To Go workspaces are effective when used off premises i 4. From the Windows PowerShell command prompt run: - ```powershell + ``` # The following command will set $Disk to all USB drives with >20 GB of storage $Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot } @@ -353,7 +355,7 @@ Making sure that Windows To Go workspaces are effective when used off premises i >[!TIP] >The index number must be set correctly to a valid Enterprise image in the .WIM file. -``` syntax +``` #The WIM file must contain a sysprep generalized image. dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ ``` @@ -361,13 +363,13 @@ dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /ind 6. After those commands have completed, run the following command: - ``` syntax + ``` djoin /requestodj /loadfile C:\example\path\domainmetadatafile /windowspath W:\Windows ``` 7. Next, we will need to edit the unattend.xml file to configure the first run (OOBE) settings. In this example we are hiding the Microsoft Software License Terms (EULA) page, configuring automatic updates to install important and recommended updates automatically, and identifying this workspace as part of a private office network. You can use other OOBE settings that you have configured for your organization if desired. For more information about the OOBE settings, see [OOBE](https://go.microsoft.com/fwlink/p/?LinkId=619172): - ```xml + ``` @@ -460,7 +462,7 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot >[!NOTE] >If you used the [manual method for creating a workspace](https://go.microsoft.com/fwlink/p/?LinkId=619174) you should have already provisioned the Windows To Go drive. If so, you can continue on to the next step. - ```powershell + ``` # The following command will set $Disk to all USB drives with >20 GB of storage $Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot } @@ -499,20 +501,20 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot >[!TIP] >The index number must be set correctly to a valid Enterprise image in the .WIM file. - ``` syntax + ``` #The WIM file must contain a sysprep generalized image. dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ ``` 5. In the same PowerShell session use the following cmdlet to add a recovery key to the drive: - ```powershell + ``` $BitlockerRecoveryProtector = Add-BitLockerKeyProtector W: -RecoveryPasswordProtector ``` 6. Next, use the following cmdlets to save the recovery key to a file: - ```powershell + ``` #The BitLocker Recovery key is essential if for some reason you forget the BitLocker password #This recovery key can also be backed up into Active Directory using manage-bde.exe or the #PowerShell cmdlet Backup-BitLockerKeyProtector. @@ -522,7 +524,7 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot 7. Then, use the following cmdlets to add the password as a secure string. If you omit the password the cmdlet will prompt you for the password before continuing the operation: - ```powershell + ``` # Create a variable to store the password $spwd = ConvertTo-SecureString -String -AsplainText –Force Enable-BitLocker W: -PasswordProtector $spwd @@ -586,7 +588,7 @@ The sample script creates an unattend file that streamlines the deployment proce 3. Configure the PowerShell execution policy. By default PowerShell’s execution policy is set to Restricted; that means that scripts won’t run until you have explicitly given them permission to. To configure PowerShell’s execution policy to allow the script to run, use the following command from an elevated PowerShell prompt: - ```powershell + ``` Set-ExecutionPolicy RemoteSigned ``` @@ -601,7 +603,7 @@ The sample script creates an unattend file that streamlines the deployment proce #### Windows To Go multiple drive provisioning sample script -```powershell +``` <# .SYNOPSIS Windows To Go multiple drive provisioning sample script. @@ -976,7 +978,7 @@ Before provisioning your Windows To Go drive you need to consider if your worksp In the PowerShell provisioning script, after the image has been applied, you can add the following commands that will correctly set the keyboard settings. The following example uses the Japanese keyboard layout: -``` syntax +``` reg load HKLM\WTG-Keyboard ${OSDriveLetter}:\Windows\System32\config\SYSTEM > info.log reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v LayerDriver /d JPN:kbd106dll /t REG_SZ /f reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardIdentifier /d PCAT_106KEY /t REG_SZ /f diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md index df56636175..90bcabb6d6 100644 --- a/windows/deployment/deploy.md +++ b/windows/deployment/deploy.md @@ -1,47 +1,47 @@ ---- -title: Deploy Windows 10 (Windows 10) -description: Deploying Windows 10 for IT professionals. -ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C -ms.reviewer: -manager: laurawi -ms.author: greg-lindsay -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: medium -ms.date: 11/06/2018 -author: greg-lindsay -ms.topic: article ---- - -# Deploy Windows 10 - -Windows 10 upgrade options are discussed and information is provided about planning, testing, and managing your production deployment. Procedures are provided to help you with a new deployment of the Windows 10 operating system, or to upgrade from a previous version of Windows to Windows 10. The following sections and topics are available. - - -|Topic |Description | -|------|------------| -|[Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) |This topic provides an overview of Windows Autopilot deployment, a new zero-touch method for deploying Windows 10 in the enterprise. | -|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. | -|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This topic provides information about support for upgrading from one edition of Windows 10 to another. | -|[Windows 10 volume license media](windows-10-media.md) |This topic provides information about updates to volume licensing media in the current version of Windows 10. | -|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. | -|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). | -|[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning. | -|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). | -|[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. | -|[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) |Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. | -|[How to install fonts that are missing after upgrading to Windows 10](windows-10-missing-fonts.md)|Windows 10 introduced changes to the fonts that are included in the image by default. Learn how to install additional fonts from **Optional features** after you install Windows 10 or upgrade from a previous version.| - -## Related topics - -[Modern Destop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) - -  - -  - - - - - +--- +title: Deploy Windows 10 (Windows 10) +description: Deploying Windows 10 for IT professionals. +ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C +ms.reviewer: +manager: laurawi +ms.audience: itpro author: greg-lindsay +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.localizationpriority: medium +ms.date: 11/06/2018 +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Deploy Windows 10 + +Windows 10 upgrade options are discussed and information is provided about planning, testing, and managing your production deployment. Procedures are provided to help you with a new deployment of the Windows 10 operating system, or to upgrade from a previous version of Windows to Windows 10. The following sections and topics are available. + + +|Topic |Description | +|------|------------| +|[Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) |This topic provides an overview of Windows Autopilot deployment, a new zero-touch method for deploying Windows 10 in the enterprise. | +|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. | +|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This topic provides information about support for upgrading from one edition of Windows 10 to another. | +|[Windows 10 volume license media](windows-10-media.md) |This topic provides information about updates to volume licensing media in the current version of Windows 10. | +|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. | +|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). | +|[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning. | +|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). | +|[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. | +|[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) |Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. | +|[How to install fonts that are missing after upgrading to Windows 10](windows-10-missing-fonts.md)|Windows 10 introduced changes to the fonts that are included in the image by default. Learn how to install additional fonts from **Optional features** after you install Windows 10 or upgrade from a previous version.| + +## Related topics + +[Modern Destop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) + +  + +  + + + + + diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index c6933b26b5..7f2c14085a 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md @@ -1,456 +1,456 @@ ---- -title: MBR2GPT -description: How to use the MBR2GPT tool to convert MBR partitions to GPT -keywords: deploy, troubleshoot, windows, 10, upgrade, partition, mbr, gpt -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.date: 02/13/2018 -ms.reviewer: -manager: laurawi -ms.author: greg-lindsay -ms.localizationpriority: medium -ms.topic: article ---- - -# MBR2GPT.EXE - -**Applies to** -- Windows 10 - -## Summary - -**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **/allowFullOS** option. - ->MBR2GPT.EXE is located in the **Windows\\System32** directory on a computer running Windows 10 version 1703 (also known as the Creator's Update) or later. ->The tool is available in both the full OS environment and Windows PE. To use this tool in a deployment task sequence with Configuration Manager or Microsoft Deployment Toolkit (MDT), you must first update the Windows PE image (winpe.wim, boot.wim) with the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) 1703, or a later version. - -See the following video for a detailed description and demonstration of MBR2GPT. - - - -You can use MBR2GPT to: - -- Convert any attached MBR-formatted system disk to the GPT partition format. You cannot use the tool to convert non-system disks from MBR to GPT. -- Convert an MBR disk with BitLocker-encrypted volumes as long as protection has been suspended. To resume BitLocker after conversion, you will need to delete the existing protectors and recreate them. -- Convert operating system disks that have earlier versions of Windows 10 installed, such as versions 1507, 1511, and 1607. However, you must run the tool while booted into Windows 10 version 1703 or later, and perform an offline conversion. -- Convert an operating system disk from MBR to GPT using Configuration Manager or MDT provided that your task sequence uses Windows PE version 1703 or later. - -Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 are not officially supported. The recommended method to convert these disks is to upgrade the operating system to Windows 10 first, then perform the MBR to GPT conversion. - ->[!IMPORTANT] ->After the disk has been converted to GPT partition style, the firmware must be reconfigured to boot in UEFI mode.
          Make sure that your device supports UEFI before attempting to convert the disk. - -## Disk Prerequisites - -Before any change to the disk is made, MBR2GPT validates the layout and geometry of the selected disk to ensure that: -- The disk is currently using MBR -- There is enough space not occupied by partitions to store the primary and secondary GPTs: - - 16KB + 2 sectors at the front of the disk - - 16KB + 1 sector at the end of the disk -- There are at most 3 primary partitions in the MBR partition table -- One of the partitions is set as active and is the system partition -- The disk does not have any extended/logical partition -- The BCD store on the system partition contains a default OS entry pointing to an OS partition -- The volume IDs can be retrieved for each volume which has a drive letter assigned -- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the /map command-line option - -If any of these checks fails, the conversion will not proceed and an error will be returned. - -## Syntax - - -
          MBR2GPT /validate|convert [/disk:<diskNumber>] [/logs:<logDirectory>] [/map:<source>=<destination>] [/allowFullOS] -
          - -### Options - -| Option | Description | -|----|-------------| -|/validate| Instructs MBR2GPT.exe to perform only the disk validation steps and report whether the disk is eligible for conversion. | -|/convert| Instructs MBR2GPT.exe to perform the disk validation and to proceed with the conversion if all validation tests pass. | -|/disk:\| Specifies the disk number of the disk to be converted to GPT. If not specified, the system disk is used. The mechanism used is the same as that used by the diskpart.exe tool **SELECT DISK SYSTEM** command.| -|/logs:\| Specifies the directory where MBR2GPT.exe logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it will not be automatically created or overwritten.| -|/map:\=\| Specifies additional partition type mappings between MBR and GPT. The MBR partition number is specified in decimal notation, not hexidecimal. The GPT GUID can contain brackets, for example: **/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**. Multiple /map options can be specified if multiple mappings are required. | -|/allowFullOS| By default, MBR2GPT.exe is blocked unless it is run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment.
          **Note**: Since the existing MBR system partition is in use while running the full Windows environment, it cannot be reused. In this case, a new ESP is created by shrinking the OS partition.| - -## Examples - -### Validation example - -In the following example, disk 0 is validated for conversion. Errors and warnings are logged to the default location, **%windir%**. - -``` -X:\>mbr2gpt /validate /disk:0 -MBR2GPT: Attempting to validate disk 0 -MBR2GPT: Retrieving layout of disk -MBR2GPT: Validating layout, disk sector size is: 512 -MBR2GPT: Validation completed successfully -``` - -### Conversion example - -In the following example: - -1. Using DiskPart, the current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0. -2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx) is **07** corresponding to the installable file system (IFS) type. -2. The MBR2GPT tool is used to convert disk 0. -3. The DiskPart tool displays that disk 0 is now using the GPT format. -4. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3). -5. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type. - ->As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly. - -``` -X:\>DiskPart - -Microsoft DiskPart version 10.0.15048.0 - -Copyright (C) Microsoft Corporation. -On computer: MININT-K71F13N - -DISKPART> list volume - - Volume ### Ltr Label Fs Type Size Status Info - ---------- --- ----------- ----- ---------- ------- --------- -------- - Volume 0 F CENA_X64FRE UDF DVD-ROM 4027 MB Healthy - Volume 1 C System Rese NTFS Partition 499 MB Healthy - Volume 2 D Windows NTFS Partition 58 GB Healthy - Volume 3 E Recovery NTFS Partition 612 MB Healthy Hidden - -DISKPART> select volume 2 - -Volume 2 is the selected volume. - -DISKPART> list partition - - Partition ### Type Size Offset - ------------- ---------------- ------- ------- - Partition 1 Primary 499 MB 1024 KB -* Partition 2 Primary 58 GB 500 MB - Partition 3 Recovery 612 MB 59 GB - -DISKPART> detail partition - -Partition 2 -Type : 07 -Hidden: No -Active: No -Offset in Bytes: 524288000 - - Volume ### Ltr Label Fs Type Size Status Info - ---------- --- ----------- ----- ---------- ------- --------- -------- -* Volume 2 D Windows NTFS Partition 58 GB Healthy - -DISKPART> exit - -Leaving DiskPart... - -X:\>mbr2gpt /convert /disk:0 - -MBR2GPT will now attempt to convert disk 0. -If conversion is successful the disk can only be booted in GPT mode. -These changes cannot be undone! - -MBR2GPT: Attempting to convert disk 0 -MBR2GPT: Retrieving layout of disk -MBR2GPT: Validating layout, disk sector size is: 512 bytes -MBR2GPT: Trying to shrink the system partition -MBR2GPT: Trying to shrink the OS partition -MBR2GPT: Creating the EFI system partition -MBR2GPT: Installing the new boot files -MBR2GPT: Performing the layout conversion -MBR2GPT: Migrating default boot entry -MBR2GPT: Adding recovery boot entry -MBR2GPT: Fixing drive letter mapping -MBR2GPT: Conversion completed successfully -MBR2GPT: Before the new system can boot properly you need to switch the firmware to boot to UEFI mode! - -X:\>DiskPart - -Microsoft DiskPart version 10.0.15048.0 - -Copyright (C) Microsoft Corporation. -On computer: MININT-K71F13N - -DISKPART> list disk - - Disk ### Status Size Free Dyn Gpt - -------- ------------- ------- ------- --- --- - Disk 0 Online 60 GB 0 B * - -DISKPART> select disk 0 - -Disk 0 is now the selected disk. - -DISKPART> list volume - - Volume ### Ltr Label Fs Type Size Status Info - ---------- --- ----------- ----- ---------- ------- --------- -------- - Volume 0 F CENA_X64FRE UDF DVD-ROM 4027 MB Healthy - Volume 1 D Windows NTFS Partition 58 GB Healthy - Volume 2 C System Rese NTFS Partition 499 MB Healthy Hidden - Volume 3 FAT32 Partition 100 MB Healthy Hidden - Volume 4 E Recovery NTFS Partition 612 MB Healthy Hidden - -DISKPART> select volume 1 - -Volume 1 is the selected volume. - -DISKPART> list partition - - Partition ### Type Size Offset - ------------- ---------------- ------- ------- - Partition 1 Recovery 499 MB 1024 KB -* Partition 2 Primary 58 GB 500 MB - Partition 4 System 100 MB 59 GB - Partition 3 Recovery 612 MB 59 GB - -DISKPART> detail partition - -Partition 2 -Type : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7 -Hidden : No -Required: No -Attrib : 0000000000000000 -Offset in Bytes: 524288000 - - Volume ### Ltr Label Fs Type Size Status Info - ---------- --- ----------- ----- ---------- ------- --------- -------- -* Volume 1 D Windows NTFS Partition 58 GB Healthy -``` - -## Specifications - -### Disk conversion workflow - -The following steps illustrate high-level phases of the MBR-to-GPT conversion process: - -1. Disk validation is performed. -2. The disk is repartitioned to create an EFI system partition (ESP) if one does not already exist. -3. UEFI boot files are installed to the ESP. -4. GPT metatdata and layout information is applied. -5. The boot configuration data (BCD) store is updated. -6. Drive letter assignments are restored. - -### Creating an EFI system partition - -For Windows to remain bootable after the conversion, an EFI system partition (ESP) must be in place. MBR2GPT creates the ESP using the following rules: - -1. The existing MBR system partition is reused if it meets these requirements:
          - a. It is not also the OS or Windows Recovery Environment partition.
          - b. It is at least 100MB (or 260MB for 4K sector size disks) in size.
          - c. It is less than or equal to 1GB in size. This is a safety precaution to ensure it is not a data partition.
          - d. The conversion is not being performed from the full OS. In this case, the existing MBR system partition is in use and cannot be repurposed. -2. If the existing MBR system partition cannot be reused, a new ESP is created by shrinking the OS partition. This new partition has a size of 100MB (or 260MB for 4K sector size disks) and is formatted FAT32. - -If the existing MBR system partition is not reused for the ESP, it is no longer used by the boot process after the conversion. Other partitions are not modified. - ->[!IMPORTANT] ->If the existing MBR system partition is not reused for the ESP, it might be assigned a drive letter. If you do not wish to use this small partition, you must manually hide the drive letter. - -### Partition type mapping and partition attributes - -Since GPT partitions use a different set of type IDs than MBR partitions, each partition on the converted disk must be assigned a new type ID. The partition type mapping follows these rules: - -1. The ESP is always set to partition type PARTITION_SYSTEM_GUID (c12a7328-f81f-11d2-ba4b-00a0c93ec93b). -2. If an MBR partition is of a type that matches one of the entries specified in the /map switch, the specified GPT partition type ID is used. -3. If the MBR partition is of type 0x27, the partition is converted to a GPT partition of type PARTITION_MSFT_RECOVERY_GUID (de94bba4-06d1-4d40-a16a-bfd50179d6ac). -4. All other MBR partitions recognized by Windows are converted to GPT partitions of type PARTITION_BASIC_DATA_GUID (ebd0a0a2-b9e5-4433-87c0-68b6b72699c7). - -In addition to applying the correct partition types, partitions of type PARTITION_MSFT_RECOVERY_GUID also have the following GPT attributes set: -- GPT_ATTRIBUTE_PLATFORM_REQUIRED (0x0000000000000001) -- GPT_BASIC_DATA_ATTRIBUTE_NO_DRIVE_LETTER (0x8000000000000000) - -For more information about partition types, see: -- [GPT partition types](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx) -- [MBR partition types](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx) - - -### Persisting drive letter assignments - -The conversion tool will attempt to remap all drive letter assignment information contained in the registry that correspond to the volumes of the converted disk. If a drive letter assignment cannot be restored, an error will be displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter. **Important**: this code runs after the layout conversion has taken place, so the operation cannot be undone at this stage. - -The conversion tool will obtain volume unique ID data before and after the layout conversion, organizing this information into a lookup table. It will then iterate through all the entries in **HKLM\SYSTEM\MountedDevices**, and for each entry do the following: - -1. Check if the unique ID corresponds to any of the unique IDs for any of the volumes that are part of the converted disk. -2. If found, set the value to be the new unique ID, obtained after the layout conversion. -3. If the new unique ID cannot be set and the value name starts with \DosDevices, issue a console and log warning about the need for manual intervention in properly restoring the drive letter assignment. - -## Troubleshooting - -The tool will display status information in its output. Both validation and conversion are clear if any errors are encountered. For example, if one or more partitions do not translate properly, this is displayed and the conversion not performed. To view more detail about any errors that are encountered, see the associated [log files](#logs). - -### Logs - -Four log files are created by the MBR2GPT tool: - -- diagerr.xml -- diagwrn.xml -- setupact.log -- setuperr.log - -These files contain errors and warnings encountered during disk validation and conversion. Information in these files can be helpful in diagnosing problems with the tool. The setupact.log and setuperr.log files will have the most detailed information about disk layouts, processes, and other information pertaining to disk validation and conversion. Note: The setupact*.log files are different than the Windows Setup files that are found in the %Windir%\Panther directory. - -The default location for all these log files in Windows PE is **%windir%**. - -### Interactive help - -To view a list of options available when using the tool, type **mbr2gpt /?** - -The following text is displayed: - -``` - -C:\> mbr2gpt /? - -Converts a disk from MBR to GPT partitioning without modifying or deleting data on the disk. - -MBR2GPT.exe /validate|convert [/disk:] [/logs:] [/map:=] [/allowFullOS] - -Where: - - /validate - - Validates that the selected disk can be converted - without performing the actual conversion. - - /convert - - Validates that the selected disk can be converted - and performs the actual conversion. - - /disk: - - Specifies the disk number of the disk to be processed. - If not specified, the system disk is processed. - - /logs: - - Specifies the directory for logging. By default logs - are created in the %windir% directory. - - /map:= - - Specifies the GPT partition type to be used for a - given MBR partition type not recognized by Windows. - Multiple /map switches are allowed. - - /allowFullOS - - Allows the tool to be used from the full Windows - environment. By default, this tool can only be used - from the Windows Preinstallation Environment. -``` - -### Return codes - -MBR2GPT has the following associated return codes: - -| Return code | Description | -|----|-------------| -|0| Conversion completed successfully.| -|1| Conversion was canceled by the user.| -|2| Conversion failed due to an internal error.| -|3| Conversion failed due to an initialization error.| -|4| Conversion failed due to invalid command-line parameters. | -|5| Conversion failed due to error reading the geometry and layout of the selected disk.| -|6| Conversion failed because one or more volumes on the disk is encrypted.| -|7| Conversion failed because the geometry and layout of the selected disk do not meet requirements.| -|8| Conversion failed due to error while creating the EFI system partition.| -|9| Conversion failed due to error installing boot files.| -|10| Conversion failed due to error while applying GPT layout.| -|100| Conversion to GPT layout succeeded, but some boot configuration data entries could not be restored.| - - -### Determining the partition type - -You can type the following command at a Windows PowerShell prompt to display the disk number and partition type. Example output is also shown: - - -``` -PS C:\> Get-Disk | ft -Auto - -Number Friendly Name Serial Number HealthStatus OperationalStatus Total Size Partition Style ------- ------------- ------------- ------------ ----------------- ---------- --------------- -0 MTFDDAK256MAM-1K1 13050928F47C Healthy Online 238.47 GB MBR -1 ST1000DM003-1ER162 Z4Y3GD8F Healthy Online 931.51 GB GPT -``` - -You can also view the partition type of a disk by opening the Disk Management tool, right-clicking the disk number, clicking **Properties**, and then clicking the **Volumes** tab. See the following example: - -![Volumes](images/mbr2gpt-volume.PNG) - - -If Windows PowerShell and Disk Management are not available, such as when you are using Windows PE, you can determine the partition type at a command prompt with the DiskPart tool. To determine the partition style from a command line, type **diskpart** and then type **list disk**. See the following example: - -``` -X:\>DiskPart - -Microsoft DiskPart version 10.0.15048.0 - -Copyright (C) Microsoft Corporation. -On computer: MININT-K71F13N - -DISKPART> list disk - - Disk ### Status Size Free Dyn Gpt - -------- ------------- ------- ------- --- --- - Disk 0 Online 238 GB 0 B - Disk 1 Online 931 GB 0 B * -``` - -In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is formatted using GPT. - - -## Known issue - -### MBR2GPT.exe cannot run in Windows PE - -When you start a Windows 10, version 1903-based computer in the Windows Preinstallation Environment (Windows PE), you encounter the following issues: - -**Issue 1** When you run the MBR2GPT.exe command, the process exits without converting the drive. - -**Issue 2** When you manually run the MBR2GPT.exe command in a Command Prompt window, there is no output from the tool. - -**Issue 3** When MBR2GPT.exe runs inside an imaging process such as a System Center Configuration Manager task sequence, an MDT task sequence, or by using a script, you receive the following exit code: 0xC0000135/3221225781. - -#### Cause - -This issue occurs because in Windows 10, version 1903 and later versions, MBR2GPT.exe requires access to the ReAgent.dll file. However, this dll file and its associated libraries are currently not included in the Windows PE boot image for Windows 10, version 1903 and later. - -#### Workaround - -To fix this issue, mount the Windows PE image (WIM), copy the missing file from the [Windows 10, version 1903 Assessment and Development Kit (ADK)](https://go.microsoft.com/fwlink/?linkid=2086042) source, and then commit the changes to the WIM. To do this, follow these steps: - -1. Mount the Windows PE WIM to a path (for example, C:\WinPE_Mount). For more information about how to mount WIM files, see [Mount an image](https://docs.microsoft.com/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#mount-an-image). - -2. Copy the ReAgent files and the ReAgent localization files from the Window 10, version 1903 ADK source folder to the mounted WIM. - - For example, if the ADK is installed to the default location of C:\Program Files (x86)\Windows Kits\10 and the Windows PE image is mounted to C:\WinPE_Mount, run the following commands from an elevated Command Prompt window: - - **Command 1:** - ```cmd - copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\ReAgent*.*" "C:\WinPE_Mount\Windows\System32" - ``` - This command copies three files: - - * ReAgent.admx - * ReAgent.dll - * ReAgent.xml - - **Command 2:** - ```cmd - copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\En-Us\ReAgent*.*" "C:\WinPE_Mount\Windows\System32\En-Us" - ``` - This command copies two files: - * ReAgent.adml - * ReAgent.dll.mui - - > [!NOTE] - > If you aren't using an English version of Windows, replace "En-Us" in the path with the appropriate string that represents the system language. - -3. After you copy all the files, commit the changes and unmount the Windows PE WIM. MBR2GPT.exe now functions as expected in Windows PE. For information about how to unmount WIM files while committing changes, see [Unmounting an image](https://docs.microsoft.com/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#unmounting-an-image). - - -## Related topics - -[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -
          [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) -
          [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) +--- +title: MBR2GPT +description: How to use the MBR2GPT tool to convert MBR partitions to GPT +keywords: deploy, troubleshoot, windows, 10, upgrade, partition, mbr, gpt +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.date: 02/13/2018 +ms.reviewer: +manager: laurawi +ms.audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.topic: article +--- + +# MBR2GPT.EXE + +**Applies to** +- Windows 10 + +## Summary + +**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **/allowFullOS** option. + +>MBR2GPT.EXE is located in the **Windows\\System32** directory on a computer running Windows 10 version 1703 (also known as the Creator's Update) or later. +>The tool is available in both the full OS environment and Windows PE. To use this tool in a deployment task sequence with Configuration Manager or Microsoft Deployment Toolkit (MDT), you must first update the Windows PE image (winpe.wim, boot.wim) with the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) 1703, or a later version. + +See the following video for a detailed description and demonstration of MBR2GPT. + + + +You can use MBR2GPT to: + +- Convert any attached MBR-formatted system disk to the GPT partition format. You cannot use the tool to convert non-system disks from MBR to GPT. +- Convert an MBR disk with BitLocker-encrypted volumes as long as protection has been suspended. To resume BitLocker after conversion, you will need to delete the existing protectors and recreate them. +- Convert operating system disks that have earlier versions of Windows 10 installed, such as versions 1507, 1511, and 1607. However, you must run the tool while booted into Windows 10 version 1703 or later, and perform an offline conversion. +- Convert an operating system disk from MBR to GPT using Configuration Manager or MDT provided that your task sequence uses Windows PE version 1703 or later. + +Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 are not officially supported. The recommended method to convert these disks is to upgrade the operating system to Windows 10 first, then perform the MBR to GPT conversion. + +>[!IMPORTANT] +>After the disk has been converted to GPT partition style, the firmware must be reconfigured to boot in UEFI mode.
          Make sure that your device supports UEFI before attempting to convert the disk. + +## Disk Prerequisites + +Before any change to the disk is made, MBR2GPT validates the layout and geometry of the selected disk to ensure that: +- The disk is currently using MBR +- There is enough space not occupied by partitions to store the primary and secondary GPTs: + - 16KB + 2 sectors at the front of the disk + - 16KB + 1 sector at the end of the disk +- There are at most 3 primary partitions in the MBR partition table +- One of the partitions is set as active and is the system partition +- The disk does not have any extended/logical partition +- The BCD store on the system partition contains a default OS entry pointing to an OS partition +- The volume IDs can be retrieved for each volume which has a drive letter assigned +- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the /map command-line option + +If any of these checks fails, the conversion will not proceed and an error will be returned. + +## Syntax + + +
          MBR2GPT /validate|convert [/disk:<diskNumber>] [/logs:<logDirectory>] [/map:<source>=<destination>] [/allowFullOS] +
          + +### Options + +| Option | Description | +|----|-------------| +|/validate| Instructs MBR2GPT.exe to perform only the disk validation steps and report whether the disk is eligible for conversion. | +|/convert| Instructs MBR2GPT.exe to perform the disk validation and to proceed with the conversion if all validation tests pass. | +|/disk:\| Specifies the disk number of the disk to be converted to GPT. If not specified, the system disk is used. The mechanism used is the same as that used by the diskpart.exe tool **SELECT DISK SYSTEM** command.| +|/logs:\| Specifies the directory where MBR2GPT.exe logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it will not be automatically created or overwritten.| +|/map:\=\| Specifies additional partition type mappings between MBR and GPT. The MBR partition number is specified in decimal notation, not hexidecimal. The GPT GUID can contain brackets, for example: **/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**. Multiple /map options can be specified if multiple mappings are required. | +|/allowFullOS| By default, MBR2GPT.exe is blocked unless it is run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment.
          **Note**: Since the existing MBR system partition is in use while running the full Windows environment, it cannot be reused. In this case, a new ESP is created by shrinking the OS partition.| + +## Examples + +### Validation example + +In the following example, disk 0 is validated for conversion. Errors and warnings are logged to the default location, **%windir%**. + +``` +X:\>mbr2gpt /validate /disk:0 +MBR2GPT: Attempting to validate disk 0 +MBR2GPT: Retrieving layout of disk +MBR2GPT: Validating layout, disk sector size is: 512 +MBR2GPT: Validation completed successfully +``` + +### Conversion example + +In the following example: + +1. Using DiskPart, the current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0. +2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx) is **07** corresponding to the installable file system (IFS) type. +2. The MBR2GPT tool is used to convert disk 0. +3. The DiskPart tool displays that disk 0 is now using the GPT format. +4. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3). +5. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type. + +>As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly. + +``` +X:\>DiskPart + +Microsoft DiskPart version 10.0.15048.0 + +Copyright (C) Microsoft Corporation. +On computer: MININT-K71F13N + +DISKPART> list volume + + Volume ### Ltr Label Fs Type Size Status Info + ---------- --- ----------- ----- ---------- ------- --------- -------- + Volume 0 F CENA_X64FRE UDF DVD-ROM 4027 MB Healthy + Volume 1 C System Rese NTFS Partition 499 MB Healthy + Volume 2 D Windows NTFS Partition 58 GB Healthy + Volume 3 E Recovery NTFS Partition 612 MB Healthy Hidden + +DISKPART> select volume 2 + +Volume 2 is the selected volume. + +DISKPART> list partition + + Partition ### Type Size Offset + ------------- ---------------- ------- ------- + Partition 1 Primary 499 MB 1024 KB +* Partition 2 Primary 58 GB 500 MB + Partition 3 Recovery 612 MB 59 GB + +DISKPART> detail partition + +Partition 2 +Type : 07 +Hidden: No +Active: No +Offset in Bytes: 524288000 + + Volume ### Ltr Label Fs Type Size Status Info + ---------- --- ----------- ----- ---------- ------- --------- -------- +* Volume 2 D Windows NTFS Partition 58 GB Healthy + +DISKPART> exit + +Leaving DiskPart... + +X:\>mbr2gpt /convert /disk:0 + +MBR2GPT will now attempt to convert disk 0. +If conversion is successful the disk can only be booted in GPT mode. +These changes cannot be undone! + +MBR2GPT: Attempting to convert disk 0 +MBR2GPT: Retrieving layout of disk +MBR2GPT: Validating layout, disk sector size is: 512 bytes +MBR2GPT: Trying to shrink the system partition +MBR2GPT: Trying to shrink the OS partition +MBR2GPT: Creating the EFI system partition +MBR2GPT: Installing the new boot files +MBR2GPT: Performing the layout conversion +MBR2GPT: Migrating default boot entry +MBR2GPT: Adding recovery boot entry +MBR2GPT: Fixing drive letter mapping +MBR2GPT: Conversion completed successfully +MBR2GPT: Before the new system can boot properly you need to switch the firmware to boot to UEFI mode! + +X:\>DiskPart + +Microsoft DiskPart version 10.0.15048.0 + +Copyright (C) Microsoft Corporation. +On computer: MININT-K71F13N + +DISKPART> list disk + + Disk ### Status Size Free Dyn Gpt + -------- ------------- ------- ------- --- --- + Disk 0 Online 60 GB 0 B * + +DISKPART> select disk 0 + +Disk 0 is now the selected disk. + +DISKPART> list volume + + Volume ### Ltr Label Fs Type Size Status Info + ---------- --- ----------- ----- ---------- ------- --------- -------- + Volume 0 F CENA_X64FRE UDF DVD-ROM 4027 MB Healthy + Volume 1 D Windows NTFS Partition 58 GB Healthy + Volume 2 C System Rese NTFS Partition 499 MB Healthy Hidden + Volume 3 FAT32 Partition 100 MB Healthy Hidden + Volume 4 E Recovery NTFS Partition 612 MB Healthy Hidden + +DISKPART> select volume 1 + +Volume 1 is the selected volume. + +DISKPART> list partition + + Partition ### Type Size Offset + ------------- ---------------- ------- ------- + Partition 1 Recovery 499 MB 1024 KB +* Partition 2 Primary 58 GB 500 MB + Partition 4 System 100 MB 59 GB + Partition 3 Recovery 612 MB 59 GB + +DISKPART> detail partition + +Partition 2 +Type : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7 +Hidden : No +Required: No +Attrib : 0000000000000000 +Offset in Bytes: 524288000 + + Volume ### Ltr Label Fs Type Size Status Info + ---------- --- ----------- ----- ---------- ------- --------- -------- +* Volume 1 D Windows NTFS Partition 58 GB Healthy +``` + +## Specifications + +### Disk conversion workflow + +The following steps illustrate high-level phases of the MBR-to-GPT conversion process: + +1. Disk validation is performed. +2. The disk is repartitioned to create an EFI system partition (ESP) if one does not already exist. +3. UEFI boot files are installed to the ESP. +4. GPT metatdata and layout information is applied. +5. The boot configuration data (BCD) store is updated. +6. Drive letter assignments are restored. + +### Creating an EFI system partition + +For Windows to remain bootable after the conversion, an EFI system partition (ESP) must be in place. MBR2GPT creates the ESP using the following rules: + +1. The existing MBR system partition is reused if it meets these requirements:
          + a. It is not also the OS or Windows Recovery Environment partition.
          + b. It is at least 100MB (or 260MB for 4K sector size disks) in size.
          + c. It is less than or equal to 1GB in size. This is a safety precaution to ensure it is not a data partition.
          + d. The conversion is not being performed from the full OS. In this case, the existing MBR system partition is in use and cannot be repurposed. +2. If the existing MBR system partition cannot be reused, a new ESP is created by shrinking the OS partition. This new partition has a size of 100MB (or 260MB for 4K sector size disks) and is formatted FAT32. + +If the existing MBR system partition is not reused for the ESP, it is no longer used by the boot process after the conversion. Other partitions are not modified. + +>[!IMPORTANT] +>If the existing MBR system partition is not reused for the ESP, it might be assigned a drive letter. If you do not wish to use this small partition, you must manually hide the drive letter. + +### Partition type mapping and partition attributes + +Since GPT partitions use a different set of type IDs than MBR partitions, each partition on the converted disk must be assigned a new type ID. The partition type mapping follows these rules: + +1. The ESP is always set to partition type PARTITION_SYSTEM_GUID (c12a7328-f81f-11d2-ba4b-00a0c93ec93b). +2. If an MBR partition is of a type that matches one of the entries specified in the /map switch, the specified GPT partition type ID is used. +3. If the MBR partition is of type 0x27, the partition is converted to a GPT partition of type PARTITION_MSFT_RECOVERY_GUID (de94bba4-06d1-4d40-a16a-bfd50179d6ac). +4. All other MBR partitions recognized by Windows are converted to GPT partitions of type PARTITION_BASIC_DATA_GUID (ebd0a0a2-b9e5-4433-87c0-68b6b72699c7). + +In addition to applying the correct partition types, partitions of type PARTITION_MSFT_RECOVERY_GUID also have the following GPT attributes set: +- GPT_ATTRIBUTE_PLATFORM_REQUIRED (0x0000000000000001) +- GPT_BASIC_DATA_ATTRIBUTE_NO_DRIVE_LETTER (0x8000000000000000) + +For more information about partition types, see: +- [GPT partition types](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx) +- [MBR partition types](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx) + + +### Persisting drive letter assignments + +The conversion tool will attempt to remap all drive letter assignment information contained in the registry that correspond to the volumes of the converted disk. If a drive letter assignment cannot be restored, an error will be displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter. **Important**: this code runs after the layout conversion has taken place, so the operation cannot be undone at this stage. + +The conversion tool will obtain volume unique ID data before and after the layout conversion, organizing this information into a lookup table. It will then iterate through all the entries in **HKLM\SYSTEM\MountedDevices**, and for each entry do the following: + +1. Check if the unique ID corresponds to any of the unique IDs for any of the volumes that are part of the converted disk. +2. If found, set the value to be the new unique ID, obtained after the layout conversion. +3. If the new unique ID cannot be set and the value name starts with \DosDevices, issue a console and log warning about the need for manual intervention in properly restoring the drive letter assignment. + +## Troubleshooting + +The tool will display status information in its output. Both validation and conversion are clear if any errors are encountered. For example, if one or more partitions do not translate properly, this is displayed and the conversion not performed. To view more detail about any errors that are encountered, see the associated [log files](#logs). + +### Logs + +Four log files are created by the MBR2GPT tool: + +- diagerr.xml +- diagwrn.xml +- setupact.log +- setuperr.log + +These files contain errors and warnings encountered during disk validation and conversion. Information in these files can be helpful in diagnosing problems with the tool. The setupact.log and setuperr.log files will have the most detailed information about disk layouts, processes, and other information pertaining to disk validation and conversion. Note: The setupact*.log files are different than the Windows Setup files that are found in the %Windir%\Panther directory. + +The default location for all these log files in Windows PE is **%windir%**. + +### Interactive help + +To view a list of options available when using the tool, type **mbr2gpt /?** + +The following text is displayed: + +``` + +C:\> mbr2gpt /? + +Converts a disk from MBR to GPT partitioning without modifying or deleting data on the disk. + +MBR2GPT.exe /validate|convert [/disk:] [/logs:] [/map:=] [/allowFullOS] + +Where: + + /validate + - Validates that the selected disk can be converted + without performing the actual conversion. + + /convert + - Validates that the selected disk can be converted + and performs the actual conversion. + + /disk: + - Specifies the disk number of the disk to be processed. + If not specified, the system disk is processed. + + /logs: + - Specifies the directory for logging. By default logs + are created in the %windir% directory. + + /map:= + - Specifies the GPT partition type to be used for a + given MBR partition type not recognized by Windows. + Multiple /map switches are allowed. + + /allowFullOS + - Allows the tool to be used from the full Windows + environment. By default, this tool can only be used + from the Windows Preinstallation Environment. +``` + +### Return codes + +MBR2GPT has the following associated return codes: + +| Return code | Description | +|----|-------------| +|0| Conversion completed successfully.| +|1| Conversion was canceled by the user.| +|2| Conversion failed due to an internal error.| +|3| Conversion failed due to an initialization error.| +|4| Conversion failed due to invalid command-line parameters. | +|5| Conversion failed due to error reading the geometry and layout of the selected disk.| +|6| Conversion failed because one or more volumes on the disk is encrypted.| +|7| Conversion failed because the geometry and layout of the selected disk do not meet requirements.| +|8| Conversion failed due to error while creating the EFI system partition.| +|9| Conversion failed due to error installing boot files.| +|10| Conversion failed due to error while applying GPT layout.| +|100| Conversion to GPT layout succeeded, but some boot configuration data entries could not be restored.| + + +### Determining the partition type + +You can type the following command at a Windows PowerShell prompt to display the disk number and partition type. Example output is also shown: + + +``` +PS C:\> Get-Disk | ft -Auto + +Number Friendly Name Serial Number HealthStatus OperationalStatus Total Size Partition Style +------ ------------- ------------- ------------ ----------------- ---------- --------------- +0 MTFDDAK256MAM-1K1 13050928F47C Healthy Online 238.47 GB MBR +1 ST1000DM003-1ER162 Z4Y3GD8F Healthy Online 931.51 GB GPT +``` + +You can also view the partition type of a disk by opening the Disk Management tool, right-clicking the disk number, clicking **Properties**, and then clicking the **Volumes** tab. See the following example: + +![Volumes](images/mbr2gpt-volume.PNG) + + +If Windows PowerShell and Disk Management are not available, such as when you are using Windows PE, you can determine the partition type at a command prompt with the DiskPart tool. To determine the partition style from a command line, type **diskpart** and then type **list disk**. See the following example: + +``` +X:\>DiskPart + +Microsoft DiskPart version 10.0.15048.0 + +Copyright (C) Microsoft Corporation. +On computer: MININT-K71F13N + +DISKPART> list disk + + Disk ### Status Size Free Dyn Gpt + -------- ------------- ------- ------- --- --- + Disk 0 Online 238 GB 0 B + Disk 1 Online 931 GB 0 B * +``` + +In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is formatted using GPT. + + +## Known issue + +### MBR2GPT.exe cannot run in Windows PE + +When you start a Windows 10, version 1903-based computer in the Windows Preinstallation Environment (Windows PE), you encounter the following issues: + +**Issue 1** When you run the MBR2GPT.exe command, the process exits without converting the drive. + +**Issue 2** When you manually run the MBR2GPT.exe command in a Command Prompt window, there is no output from the tool. + +**Issue 3** When MBR2GPT.exe runs inside an imaging process such as a System Center Configuration Manager task sequence, an MDT task sequence, or by using a script, you receive the following exit code: 0xC0000135/3221225781. + +#### Cause + +This issue occurs because in Windows 10, version 1903 and later versions, MBR2GPT.exe requires access to the ReAgent.dll file. However, this dll file and its associated libraries are currently not included in the Windows PE boot image for Windows 10, version 1903 and later. + +#### Workaround + +To fix this issue, mount the Windows PE image (WIM), copy the missing file from the [Windows 10, version 1903 Assessment and Development Kit (ADK)](https://go.microsoft.com/fwlink/?linkid=2086042) source, and then commit the changes to the WIM. To do this, follow these steps: + +1. Mount the Windows PE WIM to a path (for example, C:\WinPE_Mount). For more information about how to mount WIM files, see [Mount an image](https://docs.microsoft.com/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#mount-an-image). + +2. Copy the ReAgent files and the ReAgent localization files from the Window 10, version 1903 ADK source folder to the mounted WIM. + + For example, if the ADK is installed to the default location of C:\Program Files (x86)\Windows Kits\10 and the Windows PE image is mounted to C:\WinPE_Mount, run the following commands from an elevated Command Prompt window: + + **Command 1:** + ```cmd + copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\ReAgent*.*" "C:\WinPE_Mount\Windows\System32" + ``` + This command copies three files: + + * ReAgent.admx + * ReAgent.dll + * ReAgent.xml + + **Command 2:** + ```cmd + copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\En-Us\ReAgent*.*" "C:\WinPE_Mount\Windows\System32\En-Us" + ``` + This command copies two files: + * ReAgent.adml + * ReAgent.dll.mui + + > [!NOTE] + > If you aren't using an English version of Windows, replace "En-Us" in the path with the appropriate string that represents the system language. + +3. After you copy all the files, commit the changes and unmount the Windows PE WIM. MBR2GPT.exe now functions as expected in Windows PE. For information about how to unmount WIM files while committing changes, see [Unmounting an image](https://docs.microsoft.com/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#unmounting-an-image). + + +## Related topics + +[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) +
          [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) +
          [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) diff --git a/windows/deployment/planning/TOC.md b/windows/deployment/planning/TOC.md index 10bf286e0c..c9dd77d2d6 100644 --- a/windows/deployment/planning/TOC.md +++ b/windows/deployment/planning/TOC.md @@ -37,4 +37,4 @@ ##### [Compatibility Fix Database Management Strategies and Deployment](compatibility-fix-database-management-strategies-and-deployment.md) ##### [Testing Your Application Mitigation Packages](testing-your-application-mitigation-packages.md) #### [Using the Sdbinst.exe Command-Line Tool](using-the-sdbinstexe-command-line-tool.md) -### [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) \ No newline at end of file +### [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) diff --git a/windows/deployment/planning/act-technical-reference.md b/windows/deployment/planning/act-technical-reference.md index 09b9613ecd..b40be1932a 100644 --- a/windows/deployment/planning/act-technical-reference.md +++ b/windows/deployment/planning/act-technical-reference.md @@ -1,48 +1,48 @@ ---- -title: Application Compatibility Toolkit (ACT) Technical Reference (Windows 10) -description: The Microsoft® Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. -ms.assetid: d90d38b2-2718-4481-90eb-4480719627ba -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: greg-lindsay -ms.topic: article ---- - -# Application Compatibility Toolkit (ACT) Technical Reference - - -**Applies to** -- Windows 10, version 1607 - ->[!IMPORTANT] ->We've replaced the majority of functionality included in the Application Compatibility Toolkit (ACT) with [Windows Analytics](../update/windows-analytics-overview.md), a solution in the Microsoft Operations Management Suite. Windows Analytics gives enterprises the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released. - -Microsoft developed Windows Analytics in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Windows Analytics was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10. - -With Windows diagnostic data enabled, Windows Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. - -Use Windows Analytics to get: -- A visual workflow that guides you from pilot to production -- Detailed computer and application inventory -- Powerful computer level search and drill-downs -- Guidance and insights into application and driver compatibility issues, with suggested fixes -- Data driven application rationalization tools -- Application usage information, allowing targeted validation; workflow to track validation progress and decisions -- Data export to commonly used software deployment tools, including System Center Configuration Manager - -The Windows Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. - -At the same time, we've kept the Standard User Analyzer tool, which helps you test your apps and to monitor API calls for potential compatibility issues, and the Compatibility Administrator, which helps you to resolve potential compatibility issues. - -## In this section - -|Topic |Description | -|------|------------| -|[Standard User Analyzer (SUA) User's Guide](sua-users-guide.md) |The Standard User Analyzer (SUA) helps you test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows. | -|[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) |The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows to your organization. | -|[Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) |You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions. | +--- +title: Application Compatibility Toolkit (ACT) Technical Reference (Windows 10) +description: The Microsoft® Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. +ms.assetid: d90d38b2-2718-4481-90eb-4480719627ba +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Application Compatibility Toolkit (ACT) Technical Reference + + +**Applies to** +- Windows 10, version 1607 + +>[!IMPORTANT] +>We've replaced the majority of functionality included in the Application Compatibility Toolkit (ACT) with [Windows Analytics](../update/windows-analytics-overview.md), a solution in the Microsoft Operations Management Suite. Windows Analytics gives enterprises the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released. + +Microsoft developed Windows Analytics in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Windows Analytics was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10. + +With Windows diagnostic data enabled, Windows Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. + +Use Windows Analytics to get: +- A visual workflow that guides you from pilot to production +- Detailed computer and application inventory +- Powerful computer level search and drill-downs +- Guidance and insights into application and driver compatibility issues, with suggested fixes +- Data driven application rationalization tools +- Application usage information, allowing targeted validation; workflow to track validation progress and decisions +- Data export to commonly used software deployment tools, including System Center Configuration Manager + +The Windows Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. + +At the same time, we've kept the Standard User Analyzer tool, which helps you test your apps and to monitor API calls for potential compatibility issues, and the Compatibility Administrator, which helps you to resolve potential compatibility issues. + +## In this section + +|Topic |Description | +|------|------------| +|[Standard User Analyzer (SUA) User's Guide](sua-users-guide.md) |The Standard User Analyzer (SUA) helps you test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows. | +|[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) |The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows to your organization. | +|[Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) |You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions. | diff --git a/windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md b/windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md index 0c31595cdb..5222062842 100644 --- a/windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md +++ b/windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md @@ -1,100 +1,100 @@ ---- -title: Applying Filters to Data in the SUA Tool (Windows 10) -description: On the user interface for the Standard User Analyzer (SUA) tool, you can apply filters to the issues that the tool has found so that you can view only the information that interests you. -ms.assetid: 48c39919-3501-405d-bcf5-d2784cbb011f -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Applying Filters to Data in the SUA Tool - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -On the user interface for the Standard User Analyzer (SUA) tool, you can apply filters to the issues that the tool has found so that you can view only the information that interests you. - -**To apply filters to data in the SUA tool** - -1. Use the SUA tool to test an application. For more information, see [Using the SUA Tool](using-the-sua-tool.md). - -2. After you finish testing, in the SUA tool, click a tab that shows issues that the SUA tool has found. All tabs except the **App Info** tab can show issues. - -3. On the **Options** menu, click a command that corresponds to the filter that you want to apply. The following table describes the commands. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Options menu commandDescription

          Filter Noise

          Filters noise from the issues.

          -

          This command is selected by default.

          Load Noise Filter File

          Opens the Open Noise Filter File dialog box, in which you can load an existing noise filter (.xml) file.

          Export Noise Filter File

          Opens the Save Noise Filter File dialog box, in which you can save filter settings as a noise filter (.xml) file.

          Only Display Records with Application Name in StackTrace

          Filters out records that do not have the application name in the stack trace.

          -

          However, because the SUA tool captures only the first 32 stack frames, this command can also filter out real issues with the application where the call stack is deeper than 32 frames.

          Show More Details in StackTrace

          Shows additional stack frames that are related to the SUA tool, but not related to the diagnosed application.

          Warn Before Deleting AppVerifier Logs

          Displays a warning message before the SUA tool deletes all of the existing SUA-related log files on the computer.

          -

          This command is selected by default.

          Logging

          Provides the following logging-related options:

          -
            -

          • Show or hide log errors.

            • -

          • Show or hide log warnings.

            • -

          • Show or hide log information.

            • -
          -

          To maintain a manageable file size, we recommend that you do not select the option to show informational messages.

          - -   - -  - -  - - - - - +--- +title: Applying Filters to Data in the SUA Tool (Windows 10) +description: On the user interface for the Standard User Analyzer (SUA) tool, you can apply filters to the issues that the tool has found so that you can view only the information that interests you. +ms.assetid: 48c39919-3501-405d-bcf5-d2784cbb011f +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Applying Filters to Data in the SUA Tool + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +On the user interface for the Standard User Analyzer (SUA) tool, you can apply filters to the issues that the tool has found so that you can view only the information that interests you. + +**To apply filters to data in the SUA tool** + +1. Use the SUA tool to test an application. For more information, see [Using the SUA Tool](using-the-sua-tool.md). + +2. After you finish testing, in the SUA tool, click a tab that shows issues that the SUA tool has found. All tabs except the **App Info** tab can show issues. + +3. On the **Options** menu, click a command that corresponds to the filter that you want to apply. The following table describes the commands. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Options menu commandDescription

          Filter Noise

          Filters noise from the issues.

          +

          This command is selected by default.

          Load Noise Filter File

          Opens the Open Noise Filter File dialog box, in which you can load an existing noise filter (.xml) file.

          Export Noise Filter File

          Opens the Save Noise Filter File dialog box, in which you can save filter settings as a noise filter (.xml) file.

          Only Display Records with Application Name in StackTrace

          Filters out records that do not have the application name in the stack trace.

          +

          However, because the SUA tool captures only the first 32 stack frames, this command can also filter out real issues with the application where the call stack is deeper than 32 frames.

          Show More Details in StackTrace

          Shows additional stack frames that are related to the SUA tool, but not related to the diagnosed application.

          Warn Before Deleting AppVerifier Logs

          Displays a warning message before the SUA tool deletes all of the existing SUA-related log files on the computer.

          +

          This command is selected by default.

          Logging

          Provides the following logging-related options:

          +
            +

          • Show or hide log errors.

            • +

          • Show or hide log warnings.

            • +

          • Show or hide log information.

            • +
          +

          To maintain a manageable file size, we recommend that you do not select the option to show informational messages.

          + +   + +  + +  + + + + + diff --git a/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md b/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md index 95a3a6925a..a202b57844 100644 --- a/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md +++ b/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md @@ -1,238 +1,238 @@ ---- -title: Available Data Types and Operators in Compatibility Administrator (Windows 10) -description: The Compatibility Administrator tool provides a way to query your custom-compatibility databases. -ms.assetid: 67d9c03e-ab9d-4fda-8a55-8c5b90266d3b -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Available Data Types and Operators in Compatibility Administrator - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The Compatibility Administrator tool provides a way to query your custom-compatibility databases. - -## Available Data Types - - -Customized-compatibility databases in Compatibility Administrator contain the following data types. - -- **Integer**. A numerical value with no fractional part. All integers are unsigned because none of the attributes can have a negative value. - -- **String**. A series of alphanumeric characters manipulated as a group. - -- **Boolean**. A value of True or False. - -## Available Attributes - - -The following table shows the attributes you can use for querying your customized-compatibility databases in Compatibility Administrator. - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          AttributeDescriptionData type

          APP_NAME

          Name of the application.

          String

          DATABASE_GUID

          Unique ID for your compatibility database.

          String

          DATABASE_INSTALLED

          Specifies if you have installed the database.

          Boolean

          DATABASE_NAME

          Descriptive name of your database.

          String

          DATABASE_PATH

          Location of the database on your computer.

          String

          FIX_COUNT

          Number of compatibility fixes applied to a specific application.

          Integer

          FIX_NAME

          Name of your compatibility fix.

          String

          MATCH_COUNT

          Number of matching files for a specific, fixed application.

          Integer

          MATCHFILE_NAME

          Name of a matching file used to identify a specific, fixed application.

          String

          MODE_COUNT

          Number of compatibility modes applied to a specific, fixed application.

          Integer

          MODE_NAME

          Name of your compatibility mode.

          String

          PROGRAM_APPHELPTYPE

          Type of AppHelp message applied to an entry. The value can be 1 or 2, where 1 enables the program to run and 2 blocks the program.

          Integer

          PROGRAM_DISABLED

          Specifies if you disabled the compatibility fix for an application. If True, Compatibility Administrator does not apply the fixes to the application.

          Boolean

          PROGRAM_GUID

          Unique ID for an application.

          String

          PROGRAM_NAME

          Name of the application that you are fixing.

          String

          - - - -## Available Operators - - -The following table shows the operators that you can use for querying your customized-compatibility databases in the Compatibility Administrator. - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          SymbolDescriptionData typePrecedence

          >

          Greater than

          Integer or string

          1

          >=

          Greater than or equal to

          Integer or string

          1

          <

          Less than

          Integer or string

          1

          <=

          Less than or equal to

          Integer or string

          1

          <>

          Not equal to

          Integer or string

          1

          =

          Equal to

          Integer, string, or Boolean

          1

          HAS

          A special SQL operator used to check if the left-hand operand contains a substring specified by the right-hand operand.

          Left-hand operand. MATCHFILE_NAME, MODE_NAME, FIX_NAME

          -
          -Note

          Only the HAS operator can be applied to the MATCHFILE_NAME, MODE_NAME, and FIX_NAME attributes.

          -
          -
          - -
          -

          Right-hand operand. String

          1

          OR

          Logical OR operator

          Boolean

          2

          AND

          Logical AND operator

          Boolean

          2

          - - - -## Related topics -[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md) - - - - - - - - - +--- +title: Available Data Types and Operators in Compatibility Administrator (Windows 10) +description: The Compatibility Administrator tool provides a way to query your custom-compatibility databases. +ms.assetid: 67d9c03e-ab9d-4fda-8a55-8c5b90266d3b +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Available Data Types and Operators in Compatibility Administrator + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The Compatibility Administrator tool provides a way to query your custom-compatibility databases. + +## Available Data Types + + +Customized-compatibility databases in Compatibility Administrator contain the following data types. + +- **Integer**. A numerical value with no fractional part. All integers are unsigned because none of the attributes can have a negative value. + +- **String**. A series of alphanumeric characters manipulated as a group. + +- **Boolean**. A value of True or False. + +## Available Attributes + + +The following table shows the attributes you can use for querying your customized-compatibility databases in Compatibility Administrator. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          AttributeDescriptionData type

          APP_NAME

          Name of the application.

          String

          DATABASE_GUID

          Unique ID for your compatibility database.

          String

          DATABASE_INSTALLED

          Specifies if you have installed the database.

          Boolean

          DATABASE_NAME

          Descriptive name of your database.

          String

          DATABASE_PATH

          Location of the database on your computer.

          String

          FIX_COUNT

          Number of compatibility fixes applied to a specific application.

          Integer

          FIX_NAME

          Name of your compatibility fix.

          String

          MATCH_COUNT

          Number of matching files for a specific, fixed application.

          Integer

          MATCHFILE_NAME

          Name of a matching file used to identify a specific, fixed application.

          String

          MODE_COUNT

          Number of compatibility modes applied to a specific, fixed application.

          Integer

          MODE_NAME

          Name of your compatibility mode.

          String

          PROGRAM_APPHELPTYPE

          Type of AppHelp message applied to an entry. The value can be 1 or 2, where 1 enables the program to run and 2 blocks the program.

          Integer

          PROGRAM_DISABLED

          Specifies if you disabled the compatibility fix for an application. If True, Compatibility Administrator does not apply the fixes to the application.

          Boolean

          PROGRAM_GUID

          Unique ID for an application.

          String

          PROGRAM_NAME

          Name of the application that you are fixing.

          String

          + + + +## Available Operators + + +The following table shows the operators that you can use for querying your customized-compatibility databases in the Compatibility Administrator. + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          SymbolDescriptionData typePrecedence

          >

          Greater than

          Integer or string

          1

          >=

          Greater than or equal to

          Integer or string

          1

          <

          Less than

          Integer or string

          1

          <=

          Less than or equal to

          Integer or string

          1

          <>

          Not equal to

          Integer or string

          1

          =

          Equal to

          Integer, string, or Boolean

          1

          HAS

          A special SQL operator used to check if the left-hand operand contains a substring specified by the right-hand operand.

          Left-hand operand. MATCHFILE_NAME, MODE_NAME, FIX_NAME

          +
          +Note

          Only the HAS operator can be applied to the MATCHFILE_NAME, MODE_NAME, and FIX_NAME attributes.

          +
          +
          + +
          +

          Right-hand operand. String

          1

          OR

          Logical OR operator

          Boolean

          2

          AND

          Logical AND operator

          Boolean

          2

          + + + +## Related topics +[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md) + + + + + + + + + diff --git a/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md b/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md index 1e5afb9a80..0652569347 100644 --- a/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md +++ b/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md @@ -1,54 +1,54 @@ ---- -title: Best practice recommendations for Windows To Go (Windows 10) -description: Best practice recommendations for Windows To Go -ms.assetid: 05e6e0ab-94ed-4c0c-a195-0abd006f0a86 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: best practices, USB, device, boot -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: mobility -ms.sitesec: library -author: greg-lindsay -ms.topic: article ---- - -# Best practice recommendations for Windows To Go - - -**Applies to** - -- Windows 10 - ->[!IMPORTANT] ->Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. - -The following are the best practice recommendations for using Windows To Go: - -- Always shut down Windows and wait for shutdown to complete before removing the Windows To Go drive. -- Do not insert the Windows To Go drive into a running computer. -- Do not boot the Windows To Go drive from a USB hub. Always insert the Windows To Go drive directly into a port on the computer. -- If available, use a USB 3.0 port with Windows To Go. -- Do not install non-Microsoft core USB drivers on Windows To Go. -- Suspend BitLocker on Windows host computers before changing the BIOS settings to boot from USB and then resume BitLocker protection. - -Additionally, we recommend that when you plan your deployment you should also plan a standard operating procedure for answering questions about which USB drives can be used for Windows To Go and how to enable booting from USB to assist your IT department or help desk in supporting users and work groups that want to use Windows To Go. It may be very helpful for your organization to work with your hardware vendors to create an IT standard for USB drives for use with Windows To Go, so that if groups within your organization want to purchase drives they can quickly determine which ones they should obtain. - -## More information - - -[Windows To Go: feature overview](windows-to-go-overview.md)
          -[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
          -[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
          -[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
          -[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md)
          - -  - -  - - - - - +--- +title: Best practice recommendations for Windows To Go (Windows 10) +description: Best practice recommendations for Windows To Go +ms.assetid: 05e6e0ab-94ed-4c0c-a195-0abd006f0a86 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: best practices, USB, device, boot +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: mobility +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Best practice recommendations for Windows To Go + + +**Applies to** + +- Windows 10 + +>[!IMPORTANT] +>Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. + +The following are the best practice recommendations for using Windows To Go: + +- Always shut down Windows and wait for shutdown to complete before removing the Windows To Go drive. +- Do not insert the Windows To Go drive into a running computer. +- Do not boot the Windows To Go drive from a USB hub. Always insert the Windows To Go drive directly into a port on the computer. +- If available, use a USB 3.0 port with Windows To Go. +- Do not install non-Microsoft core USB drivers on Windows To Go. +- Suspend BitLocker on Windows host computers before changing the BIOS settings to boot from USB and then resume BitLocker protection. + +Additionally, we recommend that when you plan your deployment you should also plan a standard operating procedure for answering questions about which USB drives can be used for Windows To Go and how to enable booting from USB to assist your IT department or help desk in supporting users and work groups that want to use Windows To Go. It may be very helpful for your organization to work with your hardware vendors to create an IT standard for USB drives for use with Windows To Go, so that if groups within your organization want to purchase drives they can quickly determine which ones they should obtain. + +## More information + + +[Windows To Go: feature overview](windows-to-go-overview.md)
          +[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
          +[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
          +[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
          +[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md)
          + +  + +  + + + + + diff --git a/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md b/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md index 12e3ff8140..afb65c8724 100644 --- a/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md +++ b/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md @@ -1,96 +1,96 @@ ---- -title: Change history for Plan for Windows 10 deployment (Windows 10) -description: This topic lists new and updated topics in the Plan for Windows 10 deployment documentation for Windows 10 and Windows 10 Mobile. -ms.assetid: 70D9F4F8-F2A4-4FB4-9459-5B2BE7BCAC66 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.sitesec: library -author: greg-lindsay -ms.date: 07/19/2017 -ms.topic: article ---- - -# Change history for Plan for Windows 10 deployment - - -This topic lists new and updated topics in the [Plan for Windows 10 deployment](index.md) documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10). - - -## RELEASE: Windows 10, version 1703 - -The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following is a new topic: -- [Windows 10 Enterprise - FAQ for IT Professionals](windows-10-enterprise-faq-itpro.md) - -## January 2017 - -| New or changed topic | Description | -|----------------------|-------------| -| [Windows 10 Infrastructure Requirements](windows-10-infrastructure-requirements.md) | Added link for Windows Server 2008 R2 and Windows 7 activation and a link to Windows Server 2016 Volume Activation Tips | - -## September 2016 - -| New or changed topic | Description | -| --- | --- | -| Windows 10 servicing overview | New content replaced this topic; see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview) | -| Windows Update for Business

          Setup and deployment of Windows Update for Business

          Integration of Windows Update for Business with management solutions | New content replaced these topics; see [Manage updates using Windows Update for Business](https://technet.microsoft.com/itpro/windows/manage/waas-manage-updates-wufb) | - - -## RELEASE: Windows 10, version 1607 - -The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). - - -## July 2016 - - -| New or changed topic | Description | -|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------| -|[Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) (multiple topics) |Redirected deprecated content to the [Upgrade Analytics](../upgrade/manage-windows-upgrades-with-upgrade-readiness.md) content. Only Standard User Analyzer and Compatibility Administrator continue to be supported.| -| [Windows 10 servicing overview](../update/waas-overview.md) | Content on this page was summarized. Detailed content about servicing branches was moved to the [Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md) page. | - - -## May 2016 - - -| New or changed topic | Description | -|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------| -| [Deploy Windows 10 in a school](/education/windows/deploy-windows-10-in-a-school) | New| - -## December 2015 - - -| New or changed topic | Description | -|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------| -| [Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) (multiple topics) | New | - - -## November 2015 - - -| New or changed topic | Description | -|--------------------------------------------------------------------------------------------------|-------------| -| [Chromebook migration guide](/education/windows/chromebook-migration-guide) | New | -| [Windows Update for Business](../update/waas-manage-updates-wufb.md) (multiple topics) | New | -| [Windows To Go: feature overview](windows-to-go-overview.md) (multiple topics) | Updated | - - - -## Related topics - - -[Change history for What's new in Windows 10](/windows/whats-new/change-history-for-what-s-new-in-windows-10) - -[Change history for Deploy Windows 10](../change-history-for-deploy-windows-10.md) - - - - - - - - - - +--- +title: Change history for Plan for Windows 10 deployment (Windows 10) +description: This topic lists new and updated topics in the Plan for Windows 10 deployment documentation for Windows 10 and Windows 10 Mobile. +ms.assetid: 70D9F4F8-F2A4-4FB4-9459-5B2BE7BCAC66 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 07/19/2017 +ms.topic: article +--- + +# Change history for Plan for Windows 10 deployment + + +This topic lists new and updated topics in the [Plan for Windows 10 deployment](index.md) documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10). + + +## RELEASE: Windows 10, version 1703 + +The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following is a new topic: +- [Windows 10 Enterprise - FAQ for IT Professionals](windows-10-enterprise-faq-itpro.md) + +## January 2017 + +| New or changed topic | Description | +|----------------------|-------------| +| [Windows 10 Infrastructure Requirements](windows-10-infrastructure-requirements.md) | Added link for Windows Server 2008 R2 and Windows 7 activation and a link to Windows Server 2016 Volume Activation Tips | + +## September 2016 + +| New or changed topic | Description | +| --- | --- | +| Windows 10 servicing overview | New content replaced this topic; see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview) | +| Windows Update for Business

          Setup and deployment of Windows Update for Business

          Integration of Windows Update for Business with management solutions | New content replaced these topics; see [Manage updates using Windows Update for Business](https://technet.microsoft.com/itpro/windows/manage/waas-manage-updates-wufb) | + + +## RELEASE: Windows 10, version 1607 + +The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). + + +## July 2016 + + +| New or changed topic | Description | +|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------| +|[Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) (multiple topics) |Redirected deprecated content to the [Upgrade Analytics](../upgrade/manage-windows-upgrades-with-upgrade-readiness.md) content. Only Standard User Analyzer and Compatibility Administrator continue to be supported.| +| [Windows 10 servicing overview](../update/waas-overview.md) | Content on this page was summarized. Detailed content about servicing branches was moved to the [Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md) page. | + + +## May 2016 + + +| New or changed topic | Description | +|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------| +| [Deploy Windows 10 in a school](/education/windows/deploy-windows-10-in-a-school) | New| + +## December 2015 + + +| New or changed topic | Description | +|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------| +| [Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) (multiple topics) | New | + + +## November 2015 + + +| New or changed topic | Description | +|--------------------------------------------------------------------------------------------------|-------------| +| [Chromebook migration guide](/education/windows/chromebook-migration-guide) | New | +| [Windows Update for Business](../update/waas-manage-updates-wufb.md) (multiple topics) | New | +| [Windows To Go: feature overview](windows-to-go-overview.md) (multiple topics) | Updated | + + + +## Related topics + + +[Change history for What's new in Windows 10](/windows/whats-new/change-history-for-what-s-new-in-windows-10) + +[Change history for Deploy Windows 10](../change-history-for-deploy-windows-10.md) + + + + + + + + + + diff --git a/windows/deployment/planning/compatibility-administrator-users-guide.md b/windows/deployment/planning/compatibility-administrator-users-guide.md index 36cdd9af10..d19359cc40 100644 --- a/windows/deployment/planning/compatibility-administrator-users-guide.md +++ b/windows/deployment/planning/compatibility-administrator-users-guide.md @@ -1,85 +1,85 @@ ---- -title: Compatibility Administrator User's Guide (Windows 10) -ms.assetid: 0ce05f66-9009-4739-a789-60f3ce380e76 -ms.reviewer: -manager: laurawi -ms.author: greglin -description: -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Compatibility Administrator User's Guide - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows to your organization. Compatibility Administrator provides the following: - -- Compatibility fixes, compatibility modes, and AppHelp messages that you can use to resolve specific compatibility issues. - -- Tools for creating customized compatibility fixes, compatibility modes, AppHelp messages, and compatibility databases. - -- A query tool that you can use to search for installed compatibility fixes on your local computers. - -The following flowchart shows the steps for using the Compatibility Administrator tool to create your compatibility fixes, compatibility modes, and AppHelp messages. - -![act compatibility admin flowchart](images/dep-win8-l-act-compatadminflowchart.jpg) - -**Important**   -Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create and work with custom databases for 32-bit applications, and the 64-bit version to create and work with custom databases for 64-bit applications. - - - -## In this section - - - ---- - - - - - - - - - - - - - - - - - - - - -
          TopicDescription

          Using the Compatibility Administrator Tool

          This section provides information about using the Compatibility Administrator tool.

          Managing Application-Compatibility Fixes and Custom Fix Databases

          This section provides information about managing your application-compatibility fixes and custom-compatibility fix databases. This section explains the reasons for using compatibility fixes and how to deploy custom-compatibility fix databases.

          Using the Sdbinst.exe Command-Line Tool

          You must deploy your customized database (.sdb) files to other computers in your organization before your compatibility fixes, compatibility modes, and AppHelp messages are applied. You can deploy your customized database files in several ways, including by using a logon script, by using Group Policy, or by performing file copy operations.

          - - - - - - - - - - - +--- +title: Compatibility Administrator User's Guide (Windows 10) +ms.assetid: 0ce05f66-9009-4739-a789-60f3ce380e76 +ms.reviewer: +manager: laurawi +ms.author: greglin +description: +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Compatibility Administrator User's Guide + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows to your organization. Compatibility Administrator provides the following: + +- Compatibility fixes, compatibility modes, and AppHelp messages that you can use to resolve specific compatibility issues. + +- Tools for creating customized compatibility fixes, compatibility modes, AppHelp messages, and compatibility databases. + +- A query tool that you can use to search for installed compatibility fixes on your local computers. + +The following flowchart shows the steps for using the Compatibility Administrator tool to create your compatibility fixes, compatibility modes, and AppHelp messages. + +![act compatibility admin flowchart](images/dep-win8-l-act-compatadminflowchart.jpg) + +**Important**   +Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create and work with custom databases for 32-bit applications, and the 64-bit version to create and work with custom databases for 64-bit applications. + + + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + +
          TopicDescription

          Using the Compatibility Administrator Tool

          This section provides information about using the Compatibility Administrator tool.

          Managing Application-Compatibility Fixes and Custom Fix Databases

          This section provides information about managing your application-compatibility fixes and custom-compatibility fix databases. This section explains the reasons for using compatibility fixes and how to deploy custom-compatibility fix databases.

          Using the Sdbinst.exe Command-Line Tool

          You must deploy your customized database (.sdb) files to other computers in your organization before your compatibility fixes, compatibility modes, and AppHelp messages are applied. You can deploy your customized database files in several ways, including by using a logon script, by using Group Policy, or by performing file copy operations.

          + + + + + + + + + + + diff --git a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md index 14490cadb8..c7052c8a15 100644 --- a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md +++ b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md @@ -9,6 +9,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.pagetype: appcompat ms.sitesec: library +audience: itpro author: greg-lindsay ms.date: 04/19/2017 ms.topic: article @@ -128,7 +129,7 @@ In order to meet the two requirements above, we recommend that you use one of th ~~~ -``` syntax +``` msidbCustomActionTypeVBScript + msidbCustomActionTypeInScript + msidbCustomActionTypeNoImpersonate = 0x0006 + 0x0400 + 0x0800 = 0x0C06 = 3078 decimal) ``` ~~~ @@ -146,7 +147,7 @@ You must ensure that you call the script at a time when it will receive elevated The following examples show an installation of a custom compatibility-fix database based on an .msi file. -```vb +``` 'InstallSDB.vbs Function Install Dim WshShell diff --git a/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md b/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md index 368687b611..2ea1929b51 100644 --- a/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md +++ b/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md @@ -1,972 +1,972 @@ ---- -title: Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista (Windows 10) -description: You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions. -ms.assetid: cd51c824-557f-462a-83bb-54b0771b7dff -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions. - -**Important** -The Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator. You must use the 32-bit version for 32-bit applications and the 64-bit version to work for 64-bit applications. You will receive an error message if you try to use the wrong version. - -If you start the Compatibility Administrator as an Administrator (with elevated privileges), all repaired applications can run successfully; however, virtualization and redirection might not occur as expected. To verify that a compatibility fix addresses an issue, you must test the repaired application by running it under the destination user account. - - - -## Compatibility Fixes - - -The following table lists the known compatibility fixes for all Windows operating systems that have been released from Windows Vista through Windows 10. The fixes are listed in alphabetical order. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          FixFix Description

          8And16BitAggregateBlts

          Applications that are mitigated by 8/16-bit mitigation can exhibit performance issues. This layer aggregates all the blt operations and improves performance.

          8And16BitDXMaxWinMode

          Applications that use DX8/9 and are mitigated by the 8/16-bit mitigation are run in a maximized windowed mode. This layer mitigates applications that exhibit graphical corruption in full screen mode.

          8And16BitGDIRedraw

          This fix repairs applications that use GDI and that work in 8-bit color mode. The application is forced to repaint its window on RealizePalette.

          AccelGdipFlush

          This fix increases the speed of GdipFlush, which has perf issues in DWM.

          AoaMp4Converter

          This fix resolves a display issue for the AoA Mp4 Converter.

          BIOSRead

          This problem is indicated when an application cannot access the Device\PhysicalMemory object beyond the kernel-mode drivers, on any of the Windows Server® 2003 operating systems.

          -

          The fix enables OEM executable (.exe) files to use the GetSystemFirmwareTable function instead of the NtOpenSection function when the BIOS is queried for the \Device\Physical memory information..

          BlockRunasInteractiveUser

          This problem occurs when InstallShield creates installers and uninstallers that fail to complete and that generate error messages or warnings.

          -

          The fix blocks InstallShield from setting the value of RunAs registry keys to InteractiveUser Because InteractiveUser no longer has Administrator rights.

          -
          -Note

          For more detailed information about this application fix, see Using the BlockRunAsInteractiveUser Fix.

          -
          -
          - -

          ChangeFolderPathToXPStyle

          This fix is required when an application cannot return shell folder paths when it uses the SHGetFolder API.

          -

          The fix intercepts the SHGetFolder path request to the common appdata file path and returns the Windows® XP-style file path instead of the Windows Vista-style file path.

          ClearLastErrorStatusonIntializeCriticalSection

          This fix is indicated when an application fails to start.

          -

          The fix modifies the InitializeCriticalSection function call so that it checks the NTSTATUS error code, and then sets the last error to ERROR_SUCCESS.

          CopyHKCUSettingsFromOtherUsers

          This problem occurs when an application's installer must run in elevated mode and depends on the HKCU settings that are provided for other users.

          -

          The fix scans the existing user profiles and tries to copy the specified keys into the HKEY_CURRENT_USER registry area.

          -

          You can control this fix further by entering the relevant registry keys as parameters that are separated by the ^ Symbol; for example: Software\MyCompany\Key1^Software\MyCompany\Key2.

          -
          -Note

          For more detailed information about this application fix, see Using the CopyHKCUSettingsFromOtherUsers Fix.

          -
          -
          - -

          CorrectCreateBrushIndirectHatch

          The problem is indicated by an access violation error message that displays and when the application fails when you select or crop an image.

          -

          The fix corrects the brush style hatch value, which is passed to the CreateBrushIndirect() function and enables the information to be correctly interpreted.

          CorrectFilePaths

          The problem is indicated when an application tries to write files to the hard disk and is denied access or receives a file not found or path not found error message.

          -

          The fix modifies the file path names to point to a new location on the hard disk.

          -
          -Note

          For more detailed information about the CorrectFilePaths application fix, see Using the CorrectFilePaths Fix. We recommend that you use this fix together with the CorrectFilePathsUninstall fix if you are applying it to a setup installation file.

          -
          -
          - -

          CorrectFilePathsUninstall

          This problem occurs when an uninstalled application leaves behind files, directories, and links.

          -

          The fix corrects the file paths that are used by the uninstallation process of an application.

          -
          -Note

          For more detailed information about this fix, see Using the CorrectFilePathsUninstall Fix. We recommend that you use this fix together with the CorrectFilePaths fix if you are applying it to a setup installation file.

          -
          -
          - -

          CorrectShellExecuteHWND

          This problem occurs when you start an executable (.exe) and a taskbar item blinks instead of an elevation prompt being opened, or when the application does not provide a valid HWND value when it calls the ShellExecute(Ex) function.

          -

          The fix intercepts the ShellExecute(Ex) calls, and then inspects the HWND value. If the value is invalid, this fix enables the call to use the currently active HWND value.

          -
          -Note

          For more detailed information about the CorrectShellExecuteHWND application fix, see Using the CorrectShellExecuteHWND Fix.

          -
          -
          - -

          CustomNCRender

          This fix instructs DWM to not render the non-client area, thereby forcing the application to do its own NC rendering. This often gives windows an XP look.

          DelayApplyFlag

          This fix applies a KERNEL, USER, or PROCESS flag if the specified DLL is loaded.

          -

          You can control this fix further by typing the following command at the command prompt:

          -

          DLL_Name;Flag_Type;Hexidecimal_Value

          -

          Where the DLL_Name is the name of the specific DLL, including the file extension. Flag_Type is KERNEL, USER, or PROCESS, and a Hexidecimal_Value, starting with 0x and up to 64-bits long.

          -
          -Note

          The PROCESS flag type can have a 32-bit length only. You can separate multiple entries with a backslash ().

          -
          -
          - -

          DeprecatedServiceShim

          The problem is indicated when an application tries to install a service that has a dependency on a deprecated service. An error message displays.

          -

          The fix intercepts the CreateService function calls and removes the deprecated dependency service from the lpDependencies parameter.

          -

          You can control this fix further by typing the following command at the command prompt:

          -

          Deprecated_Service\App_Service/Deprecated_Service2 \App_Service2

          -

          Where Deprecated_Service is the name of the service that has been deprecated and App_Service is the name of the specific application service that is to be modified; for example, NtLmSsp\WMI.

          -
          -Note

          If you do not provide an App_Service name, the deprecated service will be removed from all newly created services.

          -
          -
          - -
          -
          -Note

          You can separate multiple entries with a forward slash (/).

          -
          -
          - -

          DirectXVersionLie

          This problem occurs when an application fails because it does not find the correct version number for DirectX®.

          -

          The fix modifies the DXDIAGN GetProp function call to return the correct DirectX version.

          -

          You can control this fix further by typing the following command at the command prompt:

          -

          MAJORVERSION.MINORVERSION.LETTER

          -

          For example, 9.0.c.

          DetectorDWM8And16Bit

          This fix offeres mitigation for applications that work in 8/16-bit display color mode because these legacy color modes are not supported in Windows 8 .

          Disable8And16BitD3D

          This fix improves performance of 8/16-bit color applications that render using D3D and do not mix directdraw.

          Disable8And16BitModes

          This fix disables 8/16-bit color mitigation and enumeration of 8/16-bit color modes.

          DisableDWM

          The problem occurs when some objects are not drawn or object artifacts remain on the screen in an application.

          -

          The fix temporarily disables the Windows Aero menu theme functionality for unsupported applications.

          -
          -Note

          For more detailed information about this application fix, see Using the DisableDWM Fix.

          -
          -
          - -

          DisableFadeAnimations

          The problem is indicated when an application fade animations, buttons, or other controls do not function properly.

          -

          The fix disables the fade animations functionality for unsupported applications.

          DisableThemeMenus

          The problem is indicated by an application that behaves unpredictably when it tries to detect and use the correct Windows settings.

          -

          The fix temporarily disables the Windows Aero menu theme functionality for unsupported applications.

          DisableWindowsDefender

          The fix disables Windows Defender for security applications that do not work with Windows Defender.

          DWM8And16BitMitigation

          The fix offers mitigation for applications that work in 8/16-bit display color mode because these legacy color modes are not supported in Windows 8.

          DXGICompat

          The fix allows application-specific compatibility instructions to be passed to the DirectX engine.

          DXMaximizedWindowedMode

          Applications that use DX8/9 are run in a maximized windowed mode. This is required for applications that use GDI/DirectDraw in addition to Direct3D.

          ElevateCreateProcess

          The problem is indicated when installations, de-installations, or updates fail because the host process calls the CreateProcess function and it returns an ERROR_ELEVATION_REQUIRED error message.

          -

          The fix handles the error code and attempts to recall the CreateProcess function together with requested elevation. If the fixed application already has a UAC manifest, the error code will be returned unchanged.

          -
          -Note

          For more detailed information about this application fix, see Using the ElevateCreateProcess Fix.

          -
          -
          - -

          EmulateOldPathIsUNC

          The problem occurs when an application fails because of an incorrect UNC path.

          -

          The fix changes the PathIsUNC function to return a value of True for UNC paths in Windows.

          EmulateGetDiskFreeSpace

          The problem is indicated when an application fails to install or to run, and it generates an error message that there is not enough free disk space to install or use the application, even though there is enough free disk space to meet the application requirements.

          -

          The fix determines the amount of free space, so that if the amount of free space is larger than 2 GB, the compatibility fix returns a value of 2 GB, but if the amount of free space is smaller than 2 GB, the compatibility fix returns the actual free space amount.

          -
          -Note

          For more detailed information about this application fix, see Using the EmulateGetDiskFreeSpace Fix.

          -
          -
          - -

          EmulateSorting

          The problem occurs when an application experiences search functionality issues.

          -

          The fix forces applications that use the CompareStringW/LCMapString sorting table to use an older version of the table.

          -
          -Note

          For more detailed information about this e application fix, see Using the EmulateSorting Fix.

          -
          -
          - -

          EmulateSortingWindows61

          The fix emulates the sorting order of Windows 7 and Windows Server 2008 R2 for various APIs.

          EnableRestarts

          The problem is indicated when an application and computer appear to hang because processes cannot end to allow the computer to complete its restart processes.

          -

          The fix enables the computer to restart and finish the installation process by verifying and enabling that the SeShutdownPrivilege service privilege exists.

          -
          -Note

          For more detailed information about this application fix, see Using the EnableRestarts Fix.

          -
          -
          - -

          ExtraAddRefDesktopFolder

          The problem occurs when an application invokes the Release() method too many times and causes an object to be prematurely destroyed.

          -

          The fix counteracts the application's tries to obtain the shell desktop folder by invoking the AddRef() method on the Desktop folder, which is returned by the SHGetDesktopFolder function.

          FailObsoleteShellAPIs

          The problem occurs when an application fails because it generated deprecated API calls.

          -

          The fix either fully implements the obsolete functions or implements the obsolete functions with stubs that fail.

          -
          -Note

          You can type FailAll=1 at the command prompt to suppress the function implementation and force all functions to fail.

          -
          -
          - -

          FailRemoveDirectory

          The problem occurs when an application uninstallation process does not remove all of the application files and folders.

          -

          This fix fails calls to RemoveDirectory() when called with a path matching the one specified in the shim command-line. Only a single path is supported. The path can contain environment variables, but must be an exact path – no partial paths are supported.

          -

          The fix can resolve an issue where an application expects RemoveDirectory() to delete a folder immediately even though a handle is open to it.

          FakeLunaTheme

          The problem occurs when a theme application does not properly display: the colors are washed out or the user interface is not detailed.

          -

          The fix intercepts the GetCurrentThemeName API and returns the value for the Windows XP default theme, (Luna).

          -
          -Note

          For more detailed information about the FakeLunaTheme application fix, see Using the FakeLunaTheme Fix.

          -
          -
          - -

          FlushFile

          This problem is indicated when a file is updated and changes do not immediately appear on the hard disk. Applications cannot see the file changes.

          -

          The fix enables the WriteFile function to call to the FlushFileBuffers APIs, which flush the file cache onto the hard disk.

          FontMigration

          The fix replaces an application-requested font with a better font selection, to avoid text truncation.

          ForceAdminAccess

          The problem occurs when an application fails to function during an explicit administrator check.

          -

          The fix allows the user to temporarily imitate being a part of the Administrators group by returning a value of True during the administrator check.

          -
          -Note

          For more detailed information about this application fix, see Using the ForceAdminAccess Fix.

          -
          -
          - -

          ForceInvalidateOnClose

          The fix invalidates any windows that exist under a closing or hiding window for applications that rely on the invalidation messages.

          ForceLoadMirrorDrvMitigation

          The fix loads the Windows 8 mirror driver mitigation for applications where the mitigation is not automatically applied.

          FreestyleBMX

          The fix resolves an application race condition that is related to window message order.

          GetDriveTypeWHook

          The application presents unusual behavior during installation; for example, the setup program states that it cannot install to a user-specified location.

          -

          The fix changes GetDriveType() so that only the root information appears for the file path. This is required when an application passes an incomplete or badly-formed file path when it tries to retrieve the drive type on which the file path exists.

          GlobalMemoryStatusLie

          The problem is indicated by a Computer memory full error message that displays when you start an application.

          -

          The fix modifies the memory status structure, so that it reports a swap file that is 400 MB, regardless of the true swap file size.

          HandleBadPtr

          The problem is indicated by an access violation error message that displays because an API is performing pointer validation before it uses a parameter.

          -

          The fix supports using lpBuffer validation from the InternetSetOptionA and InternetSetOptionW functions to perform the additional parameter validation.

          HandleMarkedContentNotIndexed

          The problem is indicated by an application that fails when it changes an attribute on a file or directory.

          -

          The fix intercepts any API calls that return file attributes and directories that are invoked from the %TEMP% directory, and resets the FILE_ATTRIBUTE_NOT_CONTENT_INDEXED attribute to its original state.

          HeapClearAllocation

          The problem is indicated when the allocation process shuts down unexpectedly.

          -

          The fix uses zeros to clear out the heap allocation for an application.

          IgnoreAltTab

          The problem occurs when an application fails to function when special key combinations are used.

          -

          The fix intercepts the RegisterRawInputDevices API and prevents the delivery of the WM_INPUT messages. This delivery failure forces the included hooks to be ignored and forces DInput to use Windows-specific hooks.

          -
          -Note

          For more detailed information about this application fix, see Using the IgnoreAltTab Fix.

          -
          -
          - -

          IgnoreChromeSandbox

          The fix allows Google Chrome to run on systems that have ntdll loaded above 4GB.

          IgnoreDirectoryJunction

          The problem is indicated by a read or access violation error message that displays when an application tries to find or open files.

          -

          The fix links the FindNextFileW, FindNextFileA, FindFirstFileExW, FindFirstFileExA, FindFirstFileW and FindFirstFileA APIs to prevent them from returning directory junctions.

          -
          -Note

          Symbolic links appear starting in Windows Vista.

          -
          -
          - -

          IgnoreException

          The problem is indicated when an application stops functioning immediately after it starts, or the application starts with only a cursor appearing on the screen.

          -

          The fix enables the application to ignore specified exceptions. By default, this fix ignores privileged-mode exceptions; however, it can be configured to ignore any exception.

          -

          You can control this fix further by typing the following command at the command prompt:

          -

          Exception1;Exception2

          -

          Where Exception1 and Exception2 are specific exceptions to be ignored. For example: ACCESS_VIOLATION_READ:1;ACCESS_VIOLATION_WRITE:1.

          -
          -Important

          You should use this compatibility fix only if you are certain that it is acceptable to ignore the exception. You might experience additional compatibility issues if you choose to incorrectly ignore an exception.

          -
          -
          - -
          -
          -Note

          For more detailed information about this application fix, see Using the IgnoreException Fix.

          -
          -
          - -

          IgnoreFloatingPointRoundingControl

          This fix enables an application to ignore the rounding control request and to behave as expected in previous versions of the application.

          -

          Before floating point SSE2 support in the C runtime library, the rounding control request was being ignored which would use round to nearest option by default. This shim ignores the rounding control request to support applications relying on old behavior.

          IgnoreFontQuality

          The problem occurs when application text appears to be distorted.

          -

          The fix enables color-keyed fonts to properly work with anti-aliasing.

          IgnoreMessageBox

          The problem is indicated by a message box that displays with debugging or extraneous content when the application runs on an unexpected operating system.

          -

          The fix intercepts the MessageBox* APIs and inspects them for specific message text. If matching text is found, the application continues without showing the message box.

          -
          -Note

          For more detailed information about this application fix, see Using the IgnoreMessageBox Fix.

          -
          -
          - -

          IgnoreMSOXMLMF

          The problem is indicated by an error message that states that the operating system cannot locate the MSVCR80D.DLL file.

          -

          The fix ignores the registered MSOXMLMF.DLL object, which Microsoft® Office 2007 loads into the operating system any time that you load an XML file, and then it fails the CoGetClassObject for its CLSID. This compatibility fix will just ignore the registered MSOXMLMF and fail the CoGetClassObject for its CLSID.

          IgnoreSetROP2

          The fix ignores read-modify-write operations on the desktop to avoid performance issues.

          InstallComponent

          The fix prompts the user to install.Net 3.5 or .Net 2.0 because .Net is not included with Windows 8.

          LoadLibraryRedirect

          The fix forces an application to load system versions of libraries instead of loading redistributable versions that shipped with the application.

          LocalMappedObject

          The problem occurs when an application unsuccessfully tries to create an object in the Global namespace.

          -

          The fix intercepts the function call to create the object and replaces the word Global with Local.

          -
          -Note

          For more detailed information about this application fix, see Using the LocalMappedObject Fix.

          -
          -
          - -

          MakeShortcutRunas

          The problem is indicated when an application fails to uninstall because of access-related errors.

          -

          The fix locates any RunDLL.exe-based uninstallers and forces them to run with different credentials during the application installation. After it applies this fix, the installer will create a shortcut that specifies a matching string to run during the application installation, thereby enabling the uninstallation to occur later.

          -
          -Note

          For more detailed information about this application fix, see Using the MakeShortcutRunas Fix

          -
          -
          - -

          ManageLinks

          The fix intercepts common APIs that are going to a directory or to an executable (.exe) file, and then converts any symbolic or directory junctions before passing it back to the original APIs.

          MirrorDriverWithComposition

          The fix allows mirror drivers to work properly with acceptable performance with desktop composition.

          MoveToCopyFileShim

          The problem occurs when an application experiences security access issues during setup.

          -

          The fix forces the CopyFile APIs to run instead of the MoveFile APIs. CopyFile APIs avoid moving the security descriptor, which enables the application files to get the default descriptor of the destination folder and prevents the security access issue.

          OpenDirectoryAcl

          The problem is indicated by an error message that states that you do not have the appropriate permissions to access the application.

          -

          The fix reduces the security privilege levels on a specified set of files and folders.

          -
          -Note

          For more detailed information about this application fix, see Using the OpenDirectoryACL Fix.

          -
          -
          - -

          PopCapGamesForceResPerf

          The fix resolves the performance issues in PopCap games like Bejeweled2. The performance issues are visible in certain low-end cards at certain resolutions where the 1024x768 buffer is scaled to fit the display resolution.

          PreInstallDriver

          The fix preinstalls drivers for applications that would otherwise try to install or start drivers during the initial start process.

          PreInstallSmarteSECURE

          The fix preinstalls computer-wide CLSIDs for applications that use SmartSECURE copy protection, which would otherwise try to install the CLSIDs during the initial start process.

          ProcessPerfData

          The problem is indicated by an Unhandled Exception error message because the application tried to read the process performance data registry value to determine if another instance of the application is running.

          -

          The fix handles the failure case by passing a fake process performance data registry key, so that the application perceives that it is the only instance running.

          -
          -Note

          This issue seems to occur most frequently with .NET applications.

          -
          -
          - -

          PromoteDAM

          The fix registers an application for power state change notifications.

          PropagateProcessHistory

          The problem occurs when an application incorrectly fails to apply an application fix.

          -

          The fix sets the _PROCESS_HISTORY environment variable so that child processes can look in the parent directory for matching information while searching for application fixes.

          ProtectedAdminCheck

          The problem occurs when an application fails to run because of incorrect Protected Administrator permissions.

          -

          The fix addresses the issues that occur when applications use non-standard Administrator checks, thereby generating false positives for user accounts that are being run as Protected Administrators. In this case, the associated SID exists, but it is set as deny-only.

          RedirectCRTTempFile

          The fix intercepts failing CRT calls that try to create a temporary file at the root of the volume, thereby redirecting the calls to a temporary file in the user's temporary directory.

          RedirectHKCUKeys

          The problem occurs when an application cannot be accessed because of User Account Control (UAC) restrictions.

          -

          The fix duplicates any newly created HKCU keys to other users' HKCU accounts. This fix is generic for UAC restrictions, whereby the HKCU keys are required, but are unavailable to an application at runtime.

          RedirectMP3Codec

          This problem occurs when you cannot play MP3 files.

          -

          The fix intercepts the CoCreateInstance call for the missing filter and then redirects it to a supported version.

          RedirectShortcut

          The problem occurs when an application cannot be accessed by its shortcut, or application shortcuts are not removed during the application uninstallation process.

          -

          The fix redirects all of the shortcuts created during the application setup to appear according to a specified path.

          -
            -

          • Start Menu shortcuts: Appear in the \ProgramData\Microsoft\Windows\Start Menu directory for all users.

            • -

          • Desktop or Quick Launch shortcuts:You must manually place the shortcuts on the individual user's desktop or Quick Launch bar.

            • -
          -

          This issue occurs because of UAC restrictions: specifically, when an application setup runs by using elevated privileges and stores the shortcuts according to the elevated user's context. In this situation, a restricted user cannot access the shortcuts.

          -

          You cannot apply this fix to an .exe file that includes a manifest and provides a runlevel.

          RelaunchElevated

          The problem occurs when installers, uninstallers, or updaters fail when they are started from a host application.

          -

          The fix enables a child .exe file to run with elevated privileges when it is difficult to determine the parent process with either the ElevateCreateProcess fix or by marking the .exe files to RunAsAdmin.

          -
          -Note

          For more detailed information about this application fix, see Using the RelaunchElevated Fix.

          -
          -
          - -

          RetryOpenSCManagerWithReadAccess

          The problem occurs when an application tries to open the Service Control Manager (SCM) and receives an Access Denied error message.

          -

          The fix retries the call and requests a more restricted set of rights that include the following:

          -

          RetryOpenServiceWithReadAccess

          The problem occurs when an Unable to open service due to your application using the OpenService() API to test for the existence of a particular service error message displays.

          -

          The fix retries the OpenService() API call and verifies that the user has Administrator rights, is not a Protected Administrator, and by using read-only access. Applications can test for the existence of a service by calling the OpenService() API but some applications ask for all access when making this check. This fix retries the call but only asking for read-only access. The user needs to be an administrator for this to work

          -
          -Note

          For more detailed information about this application fix, see Using the RetryOpenServiceWithReadAccess Fix.

          -
          -
          - -

          RunAsAdmin

          The problem occurs when an application fails to function by using the Standard User or Protected Administrator account.

          -

          The fix enables the application to run by using elevated privileges. The fix is the equivalent of specifying requireAdministrator in an application manifest.

          -
          -Note

          For more detailed information about this application fix, see Using the RunAsAdmin Fix.

          -
          -
          - -

          RunAsHighest

          The problem occurs when administrators cannot view the read/write version of an application that presents a read-only view to standard users.

          -

          The fix enables the application to run by using the highest available permissions. This is the equivalent of specifying highestAvailable in an application manifest.

          -
          -Note

          For more detailed information about this application fix, see Using the RunAsHighest Fix.

          -
          -
          - -

          RunAsInvoker

          The problem occurs when an application is not detected as requiring elevation.

          -

          The fix enables the application to run by using the privileges that are associated with the creation process, without requiring elevation. This is the equivalent of specifying asInvoker in an application manifest.

          -
          -Note

          For more detailed information about this application fix, see Using the RunAsInvoker Fix.

          -
          -
          - -

          SecuROM7

          The fix repairs applications by using SecuROM7 for copy protection.

          SessionShim

          The fix intercepts API calls from applications that are trying to interact with services that are running in another session, by using the terminal service name prefix (Global or Local) as the parameter.

          -

          At the command prompt, you can supply a list of objects to modify, separating the values by a double backslash (). Or, you can choose not to include any parameters, so that all of the objects are modified.

          -
          -Important

          Users cannot log in as Session 0 (Global Session) in Windows Vista and later. Therefore, applications that require access to Session 0 automatically fail.

          -
          -
          - -
          -
          -Note

          For more detailed information about this application fix, see Using the SessionShim Fix.

          -
          -
          - -

          SetProtocolHandler

          The fix registers an application as a protocol handler.

          -

          You can control this fix further by typing the following command at the command prompt:

          -

          Client;Protocol;App

          -

          Where the Client is the name of the email protocol, Protocol is mailto, and App is the name of the application.

          -
          -Note

          Only the mail client and the mailto protocol are supported. You can separate multiple clients by using a backslash ().

          -
          -
          - -

          SetupCommitFileQueueIgnoreWow

          The problem occurs when a 32-bit setup program fails to install because it requires 64-bit drivers.

          -

          The fix disables the Wow64 file system that is used by the 64-bit editions of Windows, to prevent 32-bit applications from accessing 64-bit file systems during the application setup.

          SharePointDesigner2007

          The fix resolves an application bug that severely slows the application when it runs in DWM.

          ShimViaEAT

          The problem occurs when an application fails, even after applying acompatibility fix that is known to fix an issue. Applications that use unicows.dll or copy protection often present this issue.

          -

          The fix applies the specified compatibility fixes by modifying the export table and by nullifying the use of module inclusion and exclusion.

          -
          -Note

          For more information about this application fix, see Using the ShimViaEAT Fix.

          -
          -
          - -

          ShowWindowIE

          The problem occurs when a web application experiences navigation and display issues because of the tabbing feature.

          -

          The fix intercepts the ShowWindow API call to address the issues that can occur when a web application determines that it is in a child window. This fix calls the real ShowWindow API on the top-level parent window.

          SierraWirelessHideCDROM

          The fix repairs the Sierra Wireless Driver installation, thereby preventing bugcheck.

          Sonique2

          The application uses an invalid window style, which breaks in DWM. This fix replaces the window style with a valid value.

          SpecificInstaller

          The problem occurs when an application installation file fails to be picked up by the GenericInstaller function.

          -

          The fix flags the application as being an installer file (for example, setup.exe), and then prompts for elevation.

          -
          -Note

          For more detailed information about this application fix, see Using the SpecificInstaller Fix.

          -
          -
          - -

          SpecificNonInstaller

          The problem occurs when an application that is not an installer (and has sufficient privileges) generates a false positive from the GenericInstaller function.

          -

          The fix flags the application to exclude it from detection by the GenericInstaller function.

          -
          -Note

          For more detailed information about this application fix, see Using the SpecificNonInstaller Fix.

          -
          -
          - -

          SystemMetricsLie

          The fix replaces SystemMetrics values and SystemParametersInfo values with the values of previous Windows versions.

          TextArt

          The application receives different mouse coordinates with DWM ON versus DWM OFF, which causes the application to hang. This fix resolves the issue.

          TrimDisplayDeviceNames

          The fix trims the names of the display devices that are returned by the EnumDisplayDevices API.

          UIPICompatLogging

          The fix enables the logging of Windows messages from Internet Explorer and other processes.

          UIPIEnableCustomMsgs

          The problem occurs when an application does not properly communicate with other processes because customized Windows messages are not delivered.

          -

          The fix enables customized Windows messages to pass through to the current process from a lower Desktop integrity level. This fix is the equivalent of calling the RegisterWindowMessage function, followed by the ChangeWindowMessageFilter function in the code.

          -

          You can control this fix further by typing the following command at the command prompt:

          -

          MessageString1 MessageString2

          -

          Where MessageString1 and MessageString2 reflect the message strings that can pass.

          -
          -Note

          Multiple message strings must be separated by spaces. For more detailed information about this application fix, see Using the UIPIEnableCustomMsgs Fix.

          -
          -
          - -

          UIPIEnableStandardMsgs

          The problem occurs when an application does not communicate properly with other processes because standard Windows messages are not delivered.

          -

          The fix enables standard Windows messages to pass through to the current process from a lower Desktop integrity level. This fix is the equivalent of calling the ChangeWindowMessageFilter function in the code.

          -

          You can control this fix further by typing the following command at the command prompt:

          -

          1055 1056 1069

          -

          Where 1055 reflects the first message ID, 1056 reflects the second message ID, and 1069 reflects the third message ID that can pass.

          -
          -Note

          Multiple messages can be separated by spaces. For more detailed information about this application fix, see Using the UIPIEnableStandardMsgs Fix [act].

          -
          -
          - -

          VirtualizeDeleteFileLayer

          The fix virtualizes DeleteFile operations for applications that try to delete protected files.

          VirtualizeDesktopPainting

          This fix improves the performance of a number of operations on the Desktop DC while using DWM.

          VirtualRegistry

          The problem is indicated when a Component failed to be located error message displays when an application is started.

          -

          The fix enables the registry functions to allow for virtualization, redirection, expansion values, version spoofing, the simulation of performance data counters, and so on.

          -

          For more detailed information about this application fix, see Using the VirtualRegistry Fix.

          VirtualizeDeleteFile

          The problem occurs when several error messages display and the application cannot delete files.

          -

          The fix makes the application's DeleteFile function call a virtual call in an effort to remedy the UAC and file virtualization issues that were introduced with Windows Vista. This fix also links other file APIs (for example, GetFileAttributes) to ensure that the virtualization of the file is deleted.

          -
          -Note

          For more detailed information about this application fix, see Using the VirtualizeDeleteFile Fix.

          -
          -
          - -

          VirtualizeHKCRLite

          The problem occurs when an application fails to register COM components at runtime.

          -

          The fix redirects the HKCR write calls (HKLM) to the HKCU hive for a per-user COM registration. This operates much like the VirtualRegistry fix when you use the VirtualizeHKCR parameter; however, VirtualizeHKCRLite provides better performance.

          -

          HKCR is a virtual merge of the HKCU\Software\Classes and HKLM\Software\Classes directories. The use of HKCU is preferred if an application is not elevated and is ignored if the application is elevated.

          -

          You typically will use this compatibility fix in conjunction with the VirtualizeRegisterTypeLib fix.

          -

          For more detailed information about this application fix, see Using the VirtualizeHKCRLite Fix.

          VirtualizeRegisterTypeLib

          The fix, when it is used with the VirtualizeHKCRLite fix, ensures that the type library and the COM class registration happen simultaneously. This functions much like the RegistryTypeLib fix when the RegisterTypeLibForUser parameter is used.

          -
          -Note

          For more detailed information about this application fix, see Using the VirtualizeRegisterTypelib Fix.

          -
          -
          - -

          WaveOutIgnoreBadFormat

          This problem is indicated by an error message that states: Unable to initialize sound device from your audio driver; the application then closes.

          -

          The fix enables the application to ignore the format error and continue to function properly.

          WerDisableReportException

          The fix turns off the silent reporting of exceptions to the Windows Error Reporting tool, including those that are reported by Object Linking and Embedding-Database (OLE DB). The fix intercepts the RtlReportException API and returns a STATUS_NOT_SUPPORTED error message.

          Win7RTM/Win8RTM

          The layer provides the application with Windows 7/Windows 8 compatibility mode.

          WinxxRTMVersionLie

          The problem occurs when an application fails because it does not find the correct version number for the required Windows operating system.

          -

          All version lie compatibility fixes address the issue whereby an application fails to function because it is checking for, but not finding, a specific version of the operating system. The version lie fix returns the appropriate operating system version information. For example, the VistaRTMVersionLie returns the Windows Vista version information to the application, regardless of the actual operating system version that is running on the computer.

          Wing32SystoSys32

          The problem is indicated by an error message that states that the WinG library was not properly installed.

          -

          The fix detects whether the WinG32 library exists in the correct directory. If the library is located in the wrong location, this fix copies the information (typically during the runtime of the application) into the %WINDIR% \system32 directory.

          -
          -Important

          The application must have Administrator privileges for this fix to work.

          -
          -
          - -

          WinSrv08R2RTM

          WinXPSP2VersionLie

          The problem occurs when an application experiences issues because of a VB runtime DLL.

          -

          The fix forces the application to follow these steps:

          -
            -

          1. Open the Compatibility Administrator, and then select None for Operating System Mode.

            2. -

          2. On the Compatibility Fixes page, click WinXPSP2VersionLie, and then click Parameters.

            -

            The Options for <fix_name> dialog box appears.

            3. -

          3. Type vbrun60.dll into the Module Name box, click Include, and then click Add.

            4. -

          4. Save the custom database.

            -
            -Note

            For more information about the WinXPSP2VersionLie application fix, see Using the WinXPSP2VersionLie Fix.

            -
            -
            - -
            5. -

          WRPDllRegister

          The application fails when it tries to register a COM component that is released together with Windows Vista and later.

          -

          The fix skips the processes of registering and unregistering WRP-protected COM components when calling the DLLRegisterServer and DLLUnregisterServer functions.

          -

          You can control this fix further by typing the following command at the command prompt:

          -

          Component1.dll;Component2.dll

          -

          Where Component1.dll and Component2.dll reflect the components to be skipped.

          -
          -Note

          For more detailed information about this application fix, see Using the WRPDllRegister Fix.

          -
          -
          - -

          WRPMitigation

          The problem is indicated when an access denied error message displays when the application tries to access a protected operating system resource by using more than read-only access.

          -

          The fix emulates the successful authentication and modification of file and registry APIs, so that the application can continue.

          -
          -Note

          For more detailed information about WRPMitigation, see Using the WRPMitigation Fix.

          -
          -
          - -

          WRPRegDeleteKey

          The problem is indicated by an access denied error message that displays when the application tries to delete a registry key.

          -

          The fix verifies whether the registry key is WRP-protected. If the key is protected, this fix emulates the deletion process.

          XPAfxIsValidAddress

          The fix emulates the behavior of Windows XP for MFC42!AfxIsValidAddress.

          - - - -## Compatibility Modes - - -The following table lists the known compatibility modes. - - ----- - - - - - - - - - - - - - - - - - - - -
          Compatibility Mode NameDescriptionIncluded Compatibility Fixes

          WinSrv03

          Emulates the Windows Server 2003 operating system.

            -

          • Win2k3RTMVersionLie

            • -

          • VirtualRegistry

            • -

          • ElevateCreateProcess

            • -

          • EmulateSorting

            • -

          • FailObsoleteShellAPIs

            • -

          • LoadLibraryCWD

            • -

          • HandleBadPtr

            • -

          • GlobalMemoryStatus2GB

            • -

          • RedirectMP3Codec

            • -

          • EnableLegacyExceptionHandlinginOLE

            • -

          • NoGhost

            • -

          • HardwareAudioMixer

            • -

          WinSrv03Sp1

          Emulates the Windows Server 2003 with Service Pack 1 (SP1) operating system.

            -

          • Win2K3SP1VersionLie

            • -

          • VirtualRegistry

            • -

          • ElevateCreateProcess

            • -

          • EmulateSorting

            • -

          • FailObsoleteShellAPIs

            • -

          • LoadLibraryCWD

            • -

          • HandleBadPtr

            • -

          • EnableLegacyExceptionHandlinginOLE

            • -

          • RedirectMP3Codec

            • -

          • HardwareAudioMixer

            • -
          +--- +title: Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista (Windows 10) +description: You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions. +ms.assetid: cd51c824-557f-462a-83bb-54b0771b7dff +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions. + +**Important** +The Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator. You must use the 32-bit version for 32-bit applications and the 64-bit version to work for 64-bit applications. You will receive an error message if you try to use the wrong version. + +If you start the Compatibility Administrator as an Administrator (with elevated privileges), all repaired applications can run successfully; however, virtualization and redirection might not occur as expected. To verify that a compatibility fix addresses an issue, you must test the repaired application by running it under the destination user account. + + + +## Compatibility Fixes + + +The following table lists the known compatibility fixes for all Windows operating systems that have been released from Windows Vista through Windows 10. The fixes are listed in alphabetical order. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          FixFix Description

          8And16BitAggregateBlts

          Applications that are mitigated by 8/16-bit mitigation can exhibit performance issues. This layer aggregates all the blt operations and improves performance.

          8And16BitDXMaxWinMode

          Applications that use DX8/9 and are mitigated by the 8/16-bit mitigation are run in a maximized windowed mode. This layer mitigates applications that exhibit graphical corruption in full screen mode.

          8And16BitGDIRedraw

          This fix repairs applications that use GDI and that work in 8-bit color mode. The application is forced to repaint its window on RealizePalette.

          AccelGdipFlush

          This fix increases the speed of GdipFlush, which has perf issues in DWM.

          AoaMp4Converter

          This fix resolves a display issue for the AoA Mp4 Converter.

          BIOSRead

          This problem is indicated when an application cannot access the Device\PhysicalMemory object beyond the kernel-mode drivers, on any of the Windows Server® 2003 operating systems.

          +

          The fix enables OEM executable (.exe) files to use the GetSystemFirmwareTable function instead of the NtOpenSection function when the BIOS is queried for the \Device\Physical memory information..

          BlockRunasInteractiveUser

          This problem occurs when InstallShield creates installers and uninstallers that fail to complete and that generate error messages or warnings.

          +

          The fix blocks InstallShield from setting the value of RunAs registry keys to InteractiveUser Because InteractiveUser no longer has Administrator rights.

          +
          +Note

          For more detailed information about this application fix, see Using the BlockRunAsInteractiveUser Fix.

          +
          +
          + +

          ChangeFolderPathToXPStyle

          This fix is required when an application cannot return shell folder paths when it uses the SHGetFolder API.

          +

          The fix intercepts the SHGetFolder path request to the common appdata file path and returns the Windows® XP-style file path instead of the Windows Vista-style file path.

          ClearLastErrorStatusonIntializeCriticalSection

          This fix is indicated when an application fails to start.

          +

          The fix modifies the InitializeCriticalSection function call so that it checks the NTSTATUS error code, and then sets the last error to ERROR_SUCCESS.

          CopyHKCUSettingsFromOtherUsers

          This problem occurs when an application's installer must run in elevated mode and depends on the HKCU settings that are provided for other users.

          +

          The fix scans the existing user profiles and tries to copy the specified keys into the HKEY_CURRENT_USER registry area.

          +

          You can control this fix further by entering the relevant registry keys as parameters that are separated by the ^ Symbol; for example: Software\MyCompany\Key1^Software\MyCompany\Key2.

          +
          +Note

          For more detailed information about this application fix, see Using the CopyHKCUSettingsFromOtherUsers Fix.

          +
          +
          + +

          CorrectCreateBrushIndirectHatch

          The problem is indicated by an access violation error message that displays and when the application fails when you select or crop an image.

          +

          The fix corrects the brush style hatch value, which is passed to the CreateBrushIndirect() function and enables the information to be correctly interpreted.

          CorrectFilePaths

          The problem is indicated when an application tries to write files to the hard disk and is denied access or receives a file not found or path not found error message.

          +

          The fix modifies the file path names to point to a new location on the hard disk.

          +
          +Note

          For more detailed information about the CorrectFilePaths application fix, see Using the CorrectFilePaths Fix. We recommend that you use this fix together with the CorrectFilePathsUninstall fix if you are applying it to a setup installation file.

          +
          +
          + +

          CorrectFilePathsUninstall

          This problem occurs when an uninstalled application leaves behind files, directories, and links.

          +

          The fix corrects the file paths that are used by the uninstallation process of an application.

          +
          +Note

          For more detailed information about this fix, see Using the CorrectFilePathsUninstall Fix. We recommend that you use this fix together with the CorrectFilePaths fix if you are applying it to a setup installation file.

          +
          +
          + +

          CorrectShellExecuteHWND

          This problem occurs when you start an executable (.exe) and a taskbar item blinks instead of an elevation prompt being opened, or when the application does not provide a valid HWND value when it calls the ShellExecute(Ex) function.

          +

          The fix intercepts the ShellExecute(Ex) calls, and then inspects the HWND value. If the value is invalid, this fix enables the call to use the currently active HWND value.

          +
          +Note

          For more detailed information about the CorrectShellExecuteHWND application fix, see Using the CorrectShellExecuteHWND Fix.

          +
          +
          + +

          CustomNCRender

          This fix instructs DWM to not render the non-client area, thereby forcing the application to do its own NC rendering. This often gives windows an XP look.

          DelayApplyFlag

          This fix applies a KERNEL, USER, or PROCESS flag if the specified DLL is loaded.

          +

          You can control this fix further by typing the following command at the command prompt:

          +

          DLL_Name;Flag_Type;Hexidecimal_Value

          +

          Where the DLL_Name is the name of the specific DLL, including the file extension. Flag_Type is KERNEL, USER, or PROCESS, and a Hexidecimal_Value, starting with 0x and up to 64-bits long.

          +
          +Note

          The PROCESS flag type can have a 32-bit length only. You can separate multiple entries with a backslash ().

          +
          +
          + +

          DeprecatedServiceShim

          The problem is indicated when an application tries to install a service that has a dependency on a deprecated service. An error message displays.

          +

          The fix intercepts the CreateService function calls and removes the deprecated dependency service from the lpDependencies parameter.

          +

          You can control this fix further by typing the following command at the command prompt:

          +

          Deprecated_Service\App_Service/Deprecated_Service2 \App_Service2

          +

          Where Deprecated_Service is the name of the service that has been deprecated and App_Service is the name of the specific application service that is to be modified; for example, NtLmSsp\WMI.

          +
          +Note

          If you do not provide an App_Service name, the deprecated service will be removed from all newly created services.

          +
          +
          + +
          +
          +Note

          You can separate multiple entries with a forward slash (/).

          +
          +
          + +

          DirectXVersionLie

          This problem occurs when an application fails because it does not find the correct version number for DirectX®.

          +

          The fix modifies the DXDIAGN GetProp function call to return the correct DirectX version.

          +

          You can control this fix further by typing the following command at the command prompt:

          +

          MAJORVERSION.MINORVERSION.LETTER

          +

          For example, 9.0.c.

          DetectorDWM8And16Bit

          This fix offeres mitigation for applications that work in 8/16-bit display color mode because these legacy color modes are not supported in Windows 8 .

          Disable8And16BitD3D

          This fix improves performance of 8/16-bit color applications that render using D3D and do not mix directdraw.

          Disable8And16BitModes

          This fix disables 8/16-bit color mitigation and enumeration of 8/16-bit color modes.

          DisableDWM

          The problem occurs when some objects are not drawn or object artifacts remain on the screen in an application.

          +

          The fix temporarily disables the Windows Aero menu theme functionality for unsupported applications.

          +
          +Note

          For more detailed information about this application fix, see Using the DisableDWM Fix.

          +
          +
          + +

          DisableFadeAnimations

          The problem is indicated when an application fade animations, buttons, or other controls do not function properly.

          +

          The fix disables the fade animations functionality for unsupported applications.

          DisableThemeMenus

          The problem is indicated by an application that behaves unpredictably when it tries to detect and use the correct Windows settings.

          +

          The fix temporarily disables the Windows Aero menu theme functionality for unsupported applications.

          DisableWindowsDefender

          The fix disables Windows Defender for security applications that do not work with Windows Defender.

          DWM8And16BitMitigation

          The fix offers mitigation for applications that work in 8/16-bit display color mode because these legacy color modes are not supported in Windows 8.

          DXGICompat

          The fix allows application-specific compatibility instructions to be passed to the DirectX engine.

          DXMaximizedWindowedMode

          Applications that use DX8/9 are run in a maximized windowed mode. This is required for applications that use GDI/DirectDraw in addition to Direct3D.

          ElevateCreateProcess

          The problem is indicated when installations, de-installations, or updates fail because the host process calls the CreateProcess function and it returns an ERROR_ELEVATION_REQUIRED error message.

          +

          The fix handles the error code and attempts to recall the CreateProcess function together with requested elevation. If the fixed application already has a UAC manifest, the error code will be returned unchanged.

          +
          +Note

          For more detailed information about this application fix, see Using the ElevateCreateProcess Fix.

          +
          +
          + +

          EmulateOldPathIsUNC

          The problem occurs when an application fails because of an incorrect UNC path.

          +

          The fix changes the PathIsUNC function to return a value of True for UNC paths in Windows.

          EmulateGetDiskFreeSpace

          The problem is indicated when an application fails to install or to run, and it generates an error message that there is not enough free disk space to install or use the application, even though there is enough free disk space to meet the application requirements.

          +

          The fix determines the amount of free space, so that if the amount of free space is larger than 2 GB, the compatibility fix returns a value of 2 GB, but if the amount of free space is smaller than 2 GB, the compatibility fix returns the actual free space amount.

          +
          +Note

          For more detailed information about this application fix, see Using the EmulateGetDiskFreeSpace Fix.

          +
          +
          + +

          EmulateSorting

          The problem occurs when an application experiences search functionality issues.

          +

          The fix forces applications that use the CompareStringW/LCMapString sorting table to use an older version of the table.

          +
          +Note

          For more detailed information about this e application fix, see Using the EmulateSorting Fix.

          +
          +
          + +

          EmulateSortingWindows61

          The fix emulates the sorting order of Windows 7 and Windows Server 2008 R2 for various APIs.

          EnableRestarts

          The problem is indicated when an application and computer appear to hang because processes cannot end to allow the computer to complete its restart processes.

          +

          The fix enables the computer to restart and finish the installation process by verifying and enabling that the SeShutdownPrivilege service privilege exists.

          +
          +Note

          For more detailed information about this application fix, see Using the EnableRestarts Fix.

          +
          +
          + +

          ExtraAddRefDesktopFolder

          The problem occurs when an application invokes the Release() method too many times and causes an object to be prematurely destroyed.

          +

          The fix counteracts the application's tries to obtain the shell desktop folder by invoking the AddRef() method on the Desktop folder, which is returned by the SHGetDesktopFolder function.

          FailObsoleteShellAPIs

          The problem occurs when an application fails because it generated deprecated API calls.

          +

          The fix either fully implements the obsolete functions or implements the obsolete functions with stubs that fail.

          +
          +Note

          You can type FailAll=1 at the command prompt to suppress the function implementation and force all functions to fail.

          +
          +
          + +

          FailRemoveDirectory

          The problem occurs when an application uninstallation process does not remove all of the application files and folders.

          +

          This fix fails calls to RemoveDirectory() when called with a path matching the one specified in the shim command-line. Only a single path is supported. The path can contain environment variables, but must be an exact path – no partial paths are supported.

          +

          The fix can resolve an issue where an application expects RemoveDirectory() to delete a folder immediately even though a handle is open to it.

          FakeLunaTheme

          The problem occurs when a theme application does not properly display: the colors are washed out or the user interface is not detailed.

          +

          The fix intercepts the GetCurrentThemeName API and returns the value for the Windows XP default theme, (Luna).

          +
          +Note

          For more detailed information about the FakeLunaTheme application fix, see Using the FakeLunaTheme Fix.

          +
          +
          + +

          FlushFile

          This problem is indicated when a file is updated and changes do not immediately appear on the hard disk. Applications cannot see the file changes.

          +

          The fix enables the WriteFile function to call to the FlushFileBuffers APIs, which flush the file cache onto the hard disk.

          FontMigration

          The fix replaces an application-requested font with a better font selection, to avoid text truncation.

          ForceAdminAccess

          The problem occurs when an application fails to function during an explicit administrator check.

          +

          The fix allows the user to temporarily imitate being a part of the Administrators group by returning a value of True during the administrator check.

          +
          +Note

          For more detailed information about this application fix, see Using the ForceAdminAccess Fix.

          +
          +
          + +

          ForceInvalidateOnClose

          The fix invalidates any windows that exist under a closing or hiding window for applications that rely on the invalidation messages.

          ForceLoadMirrorDrvMitigation

          The fix loads the Windows 8 mirror driver mitigation for applications where the mitigation is not automatically applied.

          FreestyleBMX

          The fix resolves an application race condition that is related to window message order.

          GetDriveTypeWHook

          The application presents unusual behavior during installation; for example, the setup program states that it cannot install to a user-specified location.

          +

          The fix changes GetDriveType() so that only the root information appears for the file path. This is required when an application passes an incomplete or badly-formed file path when it tries to retrieve the drive type on which the file path exists.

          GlobalMemoryStatusLie

          The problem is indicated by a Computer memory full error message that displays when you start an application.

          +

          The fix modifies the memory status structure, so that it reports a swap file that is 400 MB, regardless of the true swap file size.

          HandleBadPtr

          The problem is indicated by an access violation error message that displays because an API is performing pointer validation before it uses a parameter.

          +

          The fix supports using lpBuffer validation from the InternetSetOptionA and InternetSetOptionW functions to perform the additional parameter validation.

          HandleMarkedContentNotIndexed

          The problem is indicated by an application that fails when it changes an attribute on a file or directory.

          +

          The fix intercepts any API calls that return file attributes and directories that are invoked from the %TEMP% directory, and resets the FILE_ATTRIBUTE_NOT_CONTENT_INDEXED attribute to its original state.

          HeapClearAllocation

          The problem is indicated when the allocation process shuts down unexpectedly.

          +

          The fix uses zeros to clear out the heap allocation for an application.

          IgnoreAltTab

          The problem occurs when an application fails to function when special key combinations are used.

          +

          The fix intercepts the RegisterRawInputDevices API and prevents the delivery of the WM_INPUT messages. This delivery failure forces the included hooks to be ignored and forces DInput to use Windows-specific hooks.

          +
          +Note

          For more detailed information about this application fix, see Using the IgnoreAltTab Fix.

          +
          +
          + +

          IgnoreChromeSandbox

          The fix allows Google Chrome to run on systems that have ntdll loaded above 4GB.

          IgnoreDirectoryJunction

          The problem is indicated by a read or access violation error message that displays when an application tries to find or open files.

          +

          The fix links the FindNextFileW, FindNextFileA, FindFirstFileExW, FindFirstFileExA, FindFirstFileW and FindFirstFileA APIs to prevent them from returning directory junctions.

          +
          +Note

          Symbolic links appear starting in Windows Vista.

          +
          +
          + +

          IgnoreException

          The problem is indicated when an application stops functioning immediately after it starts, or the application starts with only a cursor appearing on the screen.

          +

          The fix enables the application to ignore specified exceptions. By default, this fix ignores privileged-mode exceptions; however, it can be configured to ignore any exception.

          +

          You can control this fix further by typing the following command at the command prompt:

          +

          Exception1;Exception2

          +

          Where Exception1 and Exception2 are specific exceptions to be ignored. For example: ACCESS_VIOLATION_READ:1;ACCESS_VIOLATION_WRITE:1.

          +
          +Important

          You should use this compatibility fix only if you are certain that it is acceptable to ignore the exception. You might experience additional compatibility issues if you choose to incorrectly ignore an exception.

          +
          +
          + +
          +
          +Note

          For more detailed information about this application fix, see Using the IgnoreException Fix.

          +
          +
          + +

          IgnoreFloatingPointRoundingControl

          This fix enables an application to ignore the rounding control request and to behave as expected in previous versions of the application.

          +

          Before floating point SSE2 support in the C runtime library, the rounding control request was being ignored which would use round to nearest option by default. This shim ignores the rounding control request to support applications relying on old behavior.

          IgnoreFontQuality

          The problem occurs when application text appears to be distorted.

          +

          The fix enables color-keyed fonts to properly work with anti-aliasing.

          IgnoreMessageBox

          The problem is indicated by a message box that displays with debugging or extraneous content when the application runs on an unexpected operating system.

          +

          The fix intercepts the MessageBox* APIs and inspects them for specific message text. If matching text is found, the application continues without showing the message box.

          +
          +Note

          For more detailed information about this application fix, see Using the IgnoreMessageBox Fix.

          +
          +
          + +

          IgnoreMSOXMLMF

          The problem is indicated by an error message that states that the operating system cannot locate the MSVCR80D.DLL file.

          +

          The fix ignores the registered MSOXMLMF.DLL object, which Microsoft® Office 2007 loads into the operating system any time that you load an XML file, and then it fails the CoGetClassObject for its CLSID. This compatibility fix will just ignore the registered MSOXMLMF and fail the CoGetClassObject for its CLSID.

          IgnoreSetROP2

          The fix ignores read-modify-write operations on the desktop to avoid performance issues.

          InstallComponent

          The fix prompts the user to install.Net 3.5 or .Net 2.0 because .Net is not included with Windows 8.

          LoadLibraryRedirect

          The fix forces an application to load system versions of libraries instead of loading redistributable versions that shipped with the application.

          LocalMappedObject

          The problem occurs when an application unsuccessfully tries to create an object in the Global namespace.

          +

          The fix intercepts the function call to create the object and replaces the word Global with Local.

          +
          +Note

          For more detailed information about this application fix, see Using the LocalMappedObject Fix.

          +
          +
          + +

          MakeShortcutRunas

          The problem is indicated when an application fails to uninstall because of access-related errors.

          +

          The fix locates any RunDLL.exe-based uninstallers and forces them to run with different credentials during the application installation. After it applies this fix, the installer will create a shortcut that specifies a matching string to run during the application installation, thereby enabling the uninstallation to occur later.

          +
          +Note

          For more detailed information about this application fix, see Using the MakeShortcutRunas Fix

          +
          +
          + +

          ManageLinks

          The fix intercepts common APIs that are going to a directory or to an executable (.exe) file, and then converts any symbolic or directory junctions before passing it back to the original APIs.

          MirrorDriverWithComposition

          The fix allows mirror drivers to work properly with acceptable performance with desktop composition.

          MoveToCopyFileShim

          The problem occurs when an application experiences security access issues during setup.

          +

          The fix forces the CopyFile APIs to run instead of the MoveFile APIs. CopyFile APIs avoid moving the security descriptor, which enables the application files to get the default descriptor of the destination folder and prevents the security access issue.

          OpenDirectoryAcl

          The problem is indicated by an error message that states that you do not have the appropriate permissions to access the application.

          +

          The fix reduces the security privilege levels on a specified set of files and folders.

          +
          +Note

          For more detailed information about this application fix, see Using the OpenDirectoryACL Fix.

          +
          +
          + +

          PopCapGamesForceResPerf

          The fix resolves the performance issues in PopCap games like Bejeweled2. The performance issues are visible in certain low-end cards at certain resolutions where the 1024x768 buffer is scaled to fit the display resolution.

          PreInstallDriver

          The fix preinstalls drivers for applications that would otherwise try to install or start drivers during the initial start process.

          PreInstallSmarteSECURE

          The fix preinstalls computer-wide CLSIDs for applications that use SmartSECURE copy protection, which would otherwise try to install the CLSIDs during the initial start process.

          ProcessPerfData

          The problem is indicated by an Unhandled Exception error message because the application tried to read the process performance data registry value to determine if another instance of the application is running.

          +

          The fix handles the failure case by passing a fake process performance data registry key, so that the application perceives that it is the only instance running.

          +
          +Note

          This issue seems to occur most frequently with .NET applications.

          +
          +
          + +

          PromoteDAM

          The fix registers an application for power state change notifications.

          PropagateProcessHistory

          The problem occurs when an application incorrectly fails to apply an application fix.

          +

          The fix sets the _PROCESS_HISTORY environment variable so that child processes can look in the parent directory for matching information while searching for application fixes.

          ProtectedAdminCheck

          The problem occurs when an application fails to run because of incorrect Protected Administrator permissions.

          +

          The fix addresses the issues that occur when applications use non-standard Administrator checks, thereby generating false positives for user accounts that are being run as Protected Administrators. In this case, the associated SID exists, but it is set as deny-only.

          RedirectCRTTempFile

          The fix intercepts failing CRT calls that try to create a temporary file at the root of the volume, thereby redirecting the calls to a temporary file in the user's temporary directory.

          RedirectHKCUKeys

          The problem occurs when an application cannot be accessed because of User Account Control (UAC) restrictions.

          +

          The fix duplicates any newly created HKCU keys to other users' HKCU accounts. This fix is generic for UAC restrictions, whereby the HKCU keys are required, but are unavailable to an application at runtime.

          RedirectMP3Codec

          This problem occurs when you cannot play MP3 files.

          +

          The fix intercepts the CoCreateInstance call for the missing filter and then redirects it to a supported version.

          RedirectShortcut

          The problem occurs when an application cannot be accessed by its shortcut, or application shortcuts are not removed during the application uninstallation process.

          +

          The fix redirects all of the shortcuts created during the application setup to appear according to a specified path.

          +
            +

          • Start Menu shortcuts: Appear in the \ProgramData\Microsoft\Windows\Start Menu directory for all users.

            • +

          • Desktop or Quick Launch shortcuts:You must manually place the shortcuts on the individual user's desktop or Quick Launch bar.

            • +
          +

          This issue occurs because of UAC restrictions: specifically, when an application setup runs by using elevated privileges and stores the shortcuts according to the elevated user's context. In this situation, a restricted user cannot access the shortcuts.

          +

          You cannot apply this fix to an .exe file that includes a manifest and provides a runlevel.

          RelaunchElevated

          The problem occurs when installers, uninstallers, or updaters fail when they are started from a host application.

          +

          The fix enables a child .exe file to run with elevated privileges when it is difficult to determine the parent process with either the ElevateCreateProcess fix or by marking the .exe files to RunAsAdmin.

          +
          +Note

          For more detailed information about this application fix, see Using the RelaunchElevated Fix.

          +
          +
          + +

          RetryOpenSCManagerWithReadAccess

          The problem occurs when an application tries to open the Service Control Manager (SCM) and receives an Access Denied error message.

          +

          The fix retries the call and requests a more restricted set of rights that include the following:

          +

          RetryOpenServiceWithReadAccess

          The problem occurs when an Unable to open service due to your application using the OpenService() API to test for the existence of a particular service error message displays.

          +

          The fix retries the OpenService() API call and verifies that the user has Administrator rights, is not a Protected Administrator, and by using read-only access. Applications can test for the existence of a service by calling the OpenService() API but some applications ask for all access when making this check. This fix retries the call but only asking for read-only access. The user needs to be an administrator for this to work

          +
          +Note

          For more detailed information about this application fix, see Using the RetryOpenServiceWithReadAccess Fix.

          +
          +
          + +

          RunAsAdmin

          The problem occurs when an application fails to function by using the Standard User or Protected Administrator account.

          +

          The fix enables the application to run by using elevated privileges. The fix is the equivalent of specifying requireAdministrator in an application manifest.

          +
          +Note

          For more detailed information about this application fix, see Using the RunAsAdmin Fix.

          +
          +
          + +

          RunAsHighest

          The problem occurs when administrators cannot view the read/write version of an application that presents a read-only view to standard users.

          +

          The fix enables the application to run by using the highest available permissions. This is the equivalent of specifying highestAvailable in an application manifest.

          +
          +Note

          For more detailed information about this application fix, see Using the RunAsHighest Fix.

          +
          +
          + +

          RunAsInvoker

          The problem occurs when an application is not detected as requiring elevation.

          +

          The fix enables the application to run by using the privileges that are associated with the creation process, without requiring elevation. This is the equivalent of specifying asInvoker in an application manifest.

          +
          +Note

          For more detailed information about this application fix, see Using the RunAsInvoker Fix.

          +
          +
          + +

          SecuROM7

          The fix repairs applications by using SecuROM7 for copy protection.

          SessionShim

          The fix intercepts API calls from applications that are trying to interact with services that are running in another session, by using the terminal service name prefix (Global or Local) as the parameter.

          +

          At the command prompt, you can supply a list of objects to modify, separating the values by a double backslash (). Or, you can choose not to include any parameters, so that all of the objects are modified.

          +
          +Important

          Users cannot log in as Session 0 (Global Session) in Windows Vista and later. Therefore, applications that require access to Session 0 automatically fail.

          +
          +
          + +
          +
          +Note

          For more detailed information about this application fix, see Using the SessionShim Fix.

          +
          +
          + +

          SetProtocolHandler

          The fix registers an application as a protocol handler.

          +

          You can control this fix further by typing the following command at the command prompt:

          +

          Client;Protocol;App

          +

          Where the Client is the name of the email protocol, Protocol is mailto, and App is the name of the application.

          +
          +Note

          Only the mail client and the mailto protocol are supported. You can separate multiple clients by using a backslash ().

          +
          +
          + +

          SetupCommitFileQueueIgnoreWow

          The problem occurs when a 32-bit setup program fails to install because it requires 64-bit drivers.

          +

          The fix disables the Wow64 file system that is used by the 64-bit editions of Windows, to prevent 32-bit applications from accessing 64-bit file systems during the application setup.

          SharePointDesigner2007

          The fix resolves an application bug that severely slows the application when it runs in DWM.

          ShimViaEAT

          The problem occurs when an application fails, even after applying acompatibility fix that is known to fix an issue. Applications that use unicows.dll or copy protection often present this issue.

          +

          The fix applies the specified compatibility fixes by modifying the export table and by nullifying the use of module inclusion and exclusion.

          +
          +Note

          For more information about this application fix, see Using the ShimViaEAT Fix.

          +
          +
          + +

          ShowWindowIE

          The problem occurs when a web application experiences navigation and display issues because of the tabbing feature.

          +

          The fix intercepts the ShowWindow API call to address the issues that can occur when a web application determines that it is in a child window. This fix calls the real ShowWindow API on the top-level parent window.

          SierraWirelessHideCDROM

          The fix repairs the Sierra Wireless Driver installation, thereby preventing bugcheck.

          Sonique2

          The application uses an invalid window style, which breaks in DWM. This fix replaces the window style with a valid value.

          SpecificInstaller

          The problem occurs when an application installation file fails to be picked up by the GenericInstaller function.

          +

          The fix flags the application as being an installer file (for example, setup.exe), and then prompts for elevation.

          +
          +Note

          For more detailed information about this application fix, see Using the SpecificInstaller Fix.

          +
          +
          + +

          SpecificNonInstaller

          The problem occurs when an application that is not an installer (and has sufficient privileges) generates a false positive from the GenericInstaller function.

          +

          The fix flags the application to exclude it from detection by the GenericInstaller function.

          +
          +Note

          For more detailed information about this application fix, see Using the SpecificNonInstaller Fix.

          +
          +
          + +

          SystemMetricsLie

          The fix replaces SystemMetrics values and SystemParametersInfo values with the values of previous Windows versions.

          TextArt

          The application receives different mouse coordinates with DWM ON versus DWM OFF, which causes the application to hang. This fix resolves the issue.

          TrimDisplayDeviceNames

          The fix trims the names of the display devices that are returned by the EnumDisplayDevices API.

          UIPICompatLogging

          The fix enables the logging of Windows messages from Internet Explorer and other processes.

          UIPIEnableCustomMsgs

          The problem occurs when an application does not properly communicate with other processes because customized Windows messages are not delivered.

          +

          The fix enables customized Windows messages to pass through to the current process from a lower Desktop integrity level. This fix is the equivalent of calling the RegisterWindowMessage function, followed by the ChangeWindowMessageFilter function in the code.

          +

          You can control this fix further by typing the following command at the command prompt:

          +

          MessageString1 MessageString2

          +

          Where MessageString1 and MessageString2 reflect the message strings that can pass.

          +
          +Note

          Multiple message strings must be separated by spaces. For more detailed information about this application fix, see Using the UIPIEnableCustomMsgs Fix.

          +
          +
          + +

          UIPIEnableStandardMsgs

          The problem occurs when an application does not communicate properly with other processes because standard Windows messages are not delivered.

          +

          The fix enables standard Windows messages to pass through to the current process from a lower Desktop integrity level. This fix is the equivalent of calling the ChangeWindowMessageFilter function in the code.

          +

          You can control this fix further by typing the following command at the command prompt:

          +

          1055 1056 1069

          +

          Where 1055 reflects the first message ID, 1056 reflects the second message ID, and 1069 reflects the third message ID that can pass.

          +
          +Note

          Multiple messages can be separated by spaces. For more detailed information about this application fix, see Using the UIPIEnableStandardMsgs Fix [act].

          +
          +
          + +

          VirtualizeDeleteFileLayer

          The fix virtualizes DeleteFile operations for applications that try to delete protected files.

          VirtualizeDesktopPainting

          This fix improves the performance of a number of operations on the Desktop DC while using DWM.

          VirtualRegistry

          The problem is indicated when a Component failed to be located error message displays when an application is started.

          +

          The fix enables the registry functions to allow for virtualization, redirection, expansion values, version spoofing, the simulation of performance data counters, and so on.

          +

          For more detailed information about this application fix, see Using the VirtualRegistry Fix.

          VirtualizeDeleteFile

          The problem occurs when several error messages display and the application cannot delete files.

          +

          The fix makes the application's DeleteFile function call a virtual call in an effort to remedy the UAC and file virtualization issues that were introduced with Windows Vista. This fix also links other file APIs (for example, GetFileAttributes) to ensure that the virtualization of the file is deleted.

          +
          +Note

          For more detailed information about this application fix, see Using the VirtualizeDeleteFile Fix.

          +
          +
          + +

          VirtualizeHKCRLite

          The problem occurs when an application fails to register COM components at runtime.

          +

          The fix redirects the HKCR write calls (HKLM) to the HKCU hive for a per-user COM registration. This operates much like the VirtualRegistry fix when you use the VirtualizeHKCR parameter; however, VirtualizeHKCRLite provides better performance.

          +

          HKCR is a virtual merge of the HKCU\Software\Classes and HKLM\Software\Classes directories. The use of HKCU is preferred if an application is not elevated and is ignored if the application is elevated.

          +

          You typically will use this compatibility fix in conjunction with the VirtualizeRegisterTypeLib fix.

          +

          For more detailed information about this application fix, see Using the VirtualizeHKCRLite Fix.

          VirtualizeRegisterTypeLib

          The fix, when it is used with the VirtualizeHKCRLite fix, ensures that the type library and the COM class registration happen simultaneously. This functions much like the RegistryTypeLib fix when the RegisterTypeLibForUser parameter is used.

          +
          +Note

          For more detailed information about this application fix, see Using the VirtualizeRegisterTypelib Fix.

          +
          +
          + +

          WaveOutIgnoreBadFormat

          This problem is indicated by an error message that states: Unable to initialize sound device from your audio driver; the application then closes.

          +

          The fix enables the application to ignore the format error and continue to function properly.

          WerDisableReportException

          The fix turns off the silent reporting of exceptions to the Windows Error Reporting tool, including those that are reported by Object Linking and Embedding-Database (OLE DB). The fix intercepts the RtlReportException API and returns a STATUS_NOT_SUPPORTED error message.

          Win7RTM/Win8RTM

          The layer provides the application with Windows 7/Windows 8 compatibility mode.

          WinxxRTMVersionLie

          The problem occurs when an application fails because it does not find the correct version number for the required Windows operating system.

          +

          All version lie compatibility fixes address the issue whereby an application fails to function because it is checking for, but not finding, a specific version of the operating system. The version lie fix returns the appropriate operating system version information. For example, the VistaRTMVersionLie returns the Windows Vista version information to the application, regardless of the actual operating system version that is running on the computer.

          Wing32SystoSys32

          The problem is indicated by an error message that states that the WinG library was not properly installed.

          +

          The fix detects whether the WinG32 library exists in the correct directory. If the library is located in the wrong location, this fix copies the information (typically during the runtime of the application) into the %WINDIR% \system32 directory.

          +
          +Important

          The application must have Administrator privileges for this fix to work.

          +
          +
          + +

          WinSrv08R2RTM

          WinXPSP2VersionLie

          The problem occurs when an application experiences issues because of a VB runtime DLL.

          +

          The fix forces the application to follow these steps:

          +
            +

          1. Open the Compatibility Administrator, and then select None for Operating System Mode.

            2. +

          2. On the Compatibility Fixes page, click WinXPSP2VersionLie, and then click Parameters.

            +

            The Options for <fix_name> dialog box appears.

            3. +

          3. Type vbrun60.dll into the Module Name box, click Include, and then click Add.

            4. +

          4. Save the custom database.

            +
            +Note

            For more information about the WinXPSP2VersionLie application fix, see Using the WinXPSP2VersionLie Fix.

            +
            +
            + +
            5. +

          WRPDllRegister

          The application fails when it tries to register a COM component that is released together with Windows Vista and later.

          +

          The fix skips the processes of registering and unregistering WRP-protected COM components when calling the DLLRegisterServer and DLLUnregisterServer functions.

          +

          You can control this fix further by typing the following command at the command prompt:

          +

          Component1.dll;Component2.dll

          +

          Where Component1.dll and Component2.dll reflect the components to be skipped.

          +
          +Note

          For more detailed information about this application fix, see Using the WRPDllRegister Fix.

          +
          +
          + +

          WRPMitigation

          The problem is indicated when an access denied error message displays when the application tries to access a protected operating system resource by using more than read-only access.

          +

          The fix emulates the successful authentication and modification of file and registry APIs, so that the application can continue.

          +
          +Note

          For more detailed information about WRPMitigation, see Using the WRPMitigation Fix.

          +
          +
          + +

          WRPRegDeleteKey

          The problem is indicated by an access denied error message that displays when the application tries to delete a registry key.

          +

          The fix verifies whether the registry key is WRP-protected. If the key is protected, this fix emulates the deletion process.

          XPAfxIsValidAddress

          The fix emulates the behavior of Windows XP for MFC42!AfxIsValidAddress.

          + + + +## Compatibility Modes + + +The following table lists the known compatibility modes. + + +++++ + + + + + + + + + + + + + + + + + + + +
          Compatibility Mode NameDescriptionIncluded Compatibility Fixes

          WinSrv03

          Emulates the Windows Server 2003 operating system.

            +

          • Win2k3RTMVersionLie

            • +

          • VirtualRegistry

            • +

          • ElevateCreateProcess

            • +

          • EmulateSorting

            • +

          • FailObsoleteShellAPIs

            • +

          • LoadLibraryCWD

            • +

          • HandleBadPtr

            • +

          • GlobalMemoryStatus2GB

            • +

          • RedirectMP3Codec

            • +

          • EnableLegacyExceptionHandlinginOLE

            • +

          • NoGhost

            • +

          • HardwareAudioMixer

            • +

          WinSrv03Sp1

          Emulates the Windows Server 2003 with Service Pack 1 (SP1) operating system.

            +

          • Win2K3SP1VersionLie

            • +

          • VirtualRegistry

            • +

          • ElevateCreateProcess

            • +

          • EmulateSorting

            • +

          • FailObsoleteShellAPIs

            • +

          • LoadLibraryCWD

            • +

          • HandleBadPtr

            • +

          • EnableLegacyExceptionHandlinginOLE

            • +

          • RedirectMP3Codec

            • +

          • HardwareAudioMixer

            • +
          diff --git a/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md b/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md index e3aeb700b4..0be29f8a0c 100644 --- a/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md +++ b/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md @@ -1,86 +1,86 @@ ---- -title: Creating a Custom Compatibility Fix in Compatibility Administrator (Windows 10) -description: The Compatibility Administrator tool uses the term fix to describe the combination of compatibility information added to a customized database for a specific application. -ms.assetid: e4f2853a-0e46-49c5-afd7-0ed12f1fe0c2 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Creating a Custom Compatibility Fix in Compatibility Administrator - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The Compatibility Administrator tool uses the term *fix* to describe the combination of compatibility information added to a customized database for a specific application. This combination can include single application fixes, groups of fixes that work together as a compatibility mode, and blocking and non-blocking AppHelp messages. - -**Important**   -Fixes apply to a single application only; therefore, you must create multiple fixes if you need to fix the same issue in multiple applications. - - - -## What is a Compatibility Fix? - - -A compatibility fix, previously known as a shim, is a small piece of code that intercepts API calls from applications. The fix transforms the API calls so that the current version of the operating system supports the application in the same way as previous versions of the operating system. This can mean anything from disabling a new feature in the current version of the operating system to emulating a particular behavior of an older version of the Windows API. - -## Searching for Existing Compatibility Fixes - - -The Compatibility Administrator tool has preloaded fixes for many common applications, including known compatibility fixes, compatibility modes, and AppHelp messages. Before you create a new compatibility fix, you can search for an existing application and then copy and paste the known fixes into your customized database. - -**Important**   -Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create custom databases for 32-bit applications and the 64-bit version to create custom databases for 64-bit applications. - - - -**To search for an existing application** - -1. In the left-side pane of Compatibility Administrator, expand the **Applications** folder and search for your application name. - -2. Click the application name to view the preloaded compatibility fixes, compatibility modes, or AppHelp messages. - -## Creating a New Compatibility Fix - - -If you are unable to find a preloaded compatibility fix for your application, you can create a new one for use by your customized database. - -**To create a new compatibility fix** - -1. In the left-side pane of Compatibility Administrator underneath the **Custom Databases** heading, right-click the name of the database to which you want to apply the compatibility fix, click **Create New**, and then click **Application Fix**. - -2. Type the name of the application to which the compatibility fix applies, type the name of the application vendor, browse to the location of the application file (.exe) on your computer, and then click **Next**. - -3. Select the operating system for which your compatibility fix applies, click any applicable compatibility modes to apply to your compatibility fix, and then click **Next**. - -4. Select any additional compatibility fixes to apply to your compatibility fix, and then click **Next**. - -5. Select any additional criteria to use to match your applications to the AppHelp message, and then click **Finish**. - - By default, Compatibility Administrator selects the basic matching criteria for your application. As a best practice, use a limited set of matching information to represent your application, because it reduces the size of the database. However, make sure you have enough information to correctly identify your application. - -## Related topics -[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) - - - - - - - - - +--- +title: Creating a Custom Compatibility Fix in Compatibility Administrator (Windows 10) +description: The Compatibility Administrator tool uses the term fix to describe the combination of compatibility information added to a customized database for a specific application. +ms.assetid: e4f2853a-0e46-49c5-afd7-0ed12f1fe0c2 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Creating a Custom Compatibility Fix in Compatibility Administrator + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The Compatibility Administrator tool uses the term *fix* to describe the combination of compatibility information added to a customized database for a specific application. This combination can include single application fixes, groups of fixes that work together as a compatibility mode, and blocking and non-blocking AppHelp messages. + +**Important**   +Fixes apply to a single application only; therefore, you must create multiple fixes if you need to fix the same issue in multiple applications. + + + +## What is a Compatibility Fix? + + +A compatibility fix, previously known as a shim, is a small piece of code that intercepts API calls from applications. The fix transforms the API calls so that the current version of the operating system supports the application in the same way as previous versions of the operating system. This can mean anything from disabling a new feature in the current version of the operating system to emulating a particular behavior of an older version of the Windows API. + +## Searching for Existing Compatibility Fixes + + +The Compatibility Administrator tool has preloaded fixes for many common applications, including known compatibility fixes, compatibility modes, and AppHelp messages. Before you create a new compatibility fix, you can search for an existing application and then copy and paste the known fixes into your customized database. + +**Important**   +Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create custom databases for 32-bit applications and the 64-bit version to create custom databases for 64-bit applications. + + + +**To search for an existing application** + +1. In the left-side pane of Compatibility Administrator, expand the **Applications** folder and search for your application name. + +2. Click the application name to view the preloaded compatibility fixes, compatibility modes, or AppHelp messages. + +## Creating a New Compatibility Fix + + +If you are unable to find a preloaded compatibility fix for your application, you can create a new one for use by your customized database. + +**To create a new compatibility fix** + +1. In the left-side pane of Compatibility Administrator underneath the **Custom Databases** heading, right-click the name of the database to which you want to apply the compatibility fix, click **Create New**, and then click **Application Fix**. + +2. Type the name of the application to which the compatibility fix applies, type the name of the application vendor, browse to the location of the application file (.exe) on your computer, and then click **Next**. + +3. Select the operating system for which your compatibility fix applies, click any applicable compatibility modes to apply to your compatibility fix, and then click **Next**. + +4. Select any additional compatibility fixes to apply to your compatibility fix, and then click **Next**. + +5. Select any additional criteria to use to match your applications to the AppHelp message, and then click **Finish**. + + By default, Compatibility Administrator selects the basic matching criteria for your application. As a best practice, use a limited set of matching information to represent your application, because it reduces the size of the database. However, make sure you have enough information to correctly identify your application. + +## Related topics +[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) + + + + + + + + + diff --git a/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md b/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md index ad677faf01..f1f6931c75 100644 --- a/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md +++ b/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md @@ -1,93 +1,93 @@ ---- -title: Creating a Custom Compatibility Mode in Compatibility Administrator (Windows 10) -description: Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues. -ms.assetid: 661a1c0d-267f-4a79-8445-62a9a98d09b0 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Creating a Custom Compatibility Mode in Compatibility Administrator - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -Windows® provides several *compatibility modes*, groups of compatibility fixes found to resolve many common application-compatibility issues. While working with Compatibility Administrator, you might decide to group some of your individual compatibility fixes into a custom-compatibility mode, which you can then deploy and use on any of your compatibility databases. - -## What Is a Compatibility Mode? - - -A compatibility mode is a group of compatibility fixes. A compatibility fix, previously known as a shim, is a small piece of code that intercepts API calls from applications. The fix transforms the API calls so that the current version of the operating system supports the application in the same way as previous versions of the operating system. This can be anything from disabling a new feature in Windows to emulating a particular behavior of an older version of the Windows API. - -## Searching for Existing Compatibility Modes - - -The Compatibility Administrator tool has preloaded fixes for many common applications, including known compatibility fixes, compatibility modes, and AppHelp messages. Before you create a new compatibility mode, you can search for an existing application and then copy and paste the known fixes into your custom database. - -**Important** -Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create custom databases for 32-bit applications and the 64-bit version to create custom databases for 64-bit applications. - - - -**To search for an existing application** - -1. In the left-side pane of Compatibility Administrator, expand the **Applications** folder and search for your application name. - -2. Click the application name to view the preloaded compatibility modes, compatibility fixes, or AppHelp messages. - -## Creating a New Compatibility Mode - - -If you are unable to find a preloaded compatibility mode for your application, you can create a new one for use by your custom database. - -**Important** -A compatibility mode includes a set of compatibility fixes and must be deployed as a group. Therefore, you should include only fixes that you intend to deploy together to the database. - - - -**To create a new compatibility mode** - -1. In the left-side pane of Compatibility Administrator, underneath the **Custom Databases** heading, right-click the name of the database to which you will apply the compatibility mode, click **Create New**, and then click **Compatibility Mode**. - -2. Type the name of your custom-compatibility mode into the **Name of the compatibility mode** text box. - -3. Select each of the available compatibility fixes to include in your custom-compatibility mode and then click **>**. - - **Important** - If you are unsure which compatibility fixes to add, you can click **Copy Mode**. The **Select Compatibility Mode** dialog box appears and enables you to select from the preloaded compatibility modes. After you select a compatibility mode and click **OK**, any compatibility fixes that are included in the preloaded compatibility mode will be automatically added to your custom-compatibility mode. - - - -~~~ -If you have any compatibility fixes that require additional parameters, you can select the fix, and then click **Parameters**. The **Options for <Compatibility\_Fix\_Name>** dialog box appears, enabling you to update the parameter fields. -~~~ - -4. After you are done selecting the compatibility fixes to include, click **OK**. - - The compatibility mode is added to your custom database. - -## Related topics -[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) - - - - - - - - - +--- +title: Creating a Custom Compatibility Mode in Compatibility Administrator (Windows 10) +description: Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues. +ms.assetid: 661a1c0d-267f-4a79-8445-62a9a98d09b0 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Creating a Custom Compatibility Mode in Compatibility Administrator + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +Windows® provides several *compatibility modes*, groups of compatibility fixes found to resolve many common application-compatibility issues. While working with Compatibility Administrator, you might decide to group some of your individual compatibility fixes into a custom-compatibility mode, which you can then deploy and use on any of your compatibility databases. + +## What Is a Compatibility Mode? + + +A compatibility mode is a group of compatibility fixes. A compatibility fix, previously known as a shim, is a small piece of code that intercepts API calls from applications. The fix transforms the API calls so that the current version of the operating system supports the application in the same way as previous versions of the operating system. This can be anything from disabling a new feature in Windows to emulating a particular behavior of an older version of the Windows API. + +## Searching for Existing Compatibility Modes + + +The Compatibility Administrator tool has preloaded fixes for many common applications, including known compatibility fixes, compatibility modes, and AppHelp messages. Before you create a new compatibility mode, you can search for an existing application and then copy and paste the known fixes into your custom database. + +**Important** +Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create custom databases for 32-bit applications and the 64-bit version to create custom databases for 64-bit applications. + + + +**To search for an existing application** + +1. In the left-side pane of Compatibility Administrator, expand the **Applications** folder and search for your application name. + +2. Click the application name to view the preloaded compatibility modes, compatibility fixes, or AppHelp messages. + +## Creating a New Compatibility Mode + + +If you are unable to find a preloaded compatibility mode for your application, you can create a new one for use by your custom database. + +**Important** +A compatibility mode includes a set of compatibility fixes and must be deployed as a group. Therefore, you should include only fixes that you intend to deploy together to the database. + + + +**To create a new compatibility mode** + +1. In the left-side pane of Compatibility Administrator, underneath the **Custom Databases** heading, right-click the name of the database to which you will apply the compatibility mode, click **Create New**, and then click **Compatibility Mode**. + +2. Type the name of your custom-compatibility mode into the **Name of the compatibility mode** text box. + +3. Select each of the available compatibility fixes to include in your custom-compatibility mode and then click **>**. + + **Important** + If you are unsure which compatibility fixes to add, you can click **Copy Mode**. The **Select Compatibility Mode** dialog box appears and enables you to select from the preloaded compatibility modes. After you select a compatibility mode and click **OK**, any compatibility fixes that are included in the preloaded compatibility mode will be automatically added to your custom-compatibility mode. + + + +~~~ +If you have any compatibility fixes that require additional parameters, you can select the fix, and then click **Parameters**. The **Options for <Compatibility\_Fix\_Name>** dialog box appears, enabling you to update the parameter fields. +~~~ + +4. After you are done selecting the compatibility fixes to include, click **OK**. + + The compatibility mode is added to your custom database. + +## Related topics +[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) + + + + + + + + + diff --git a/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md b/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md index 978794b523..14270c5d3c 100644 --- a/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md +++ b/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md @@ -1,97 +1,97 @@ ---- -title: Creating an AppHelp Message in Compatibility Administrator (Windows 10) -description: The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system. -ms.assetid: 5c6e89f5-1942-4aa4-8439-ccf0ecd02848 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Creating an AppHelp Message in Compatibility Administrator - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system. - -## Blocking Versus Non-Blocking AppHelp Messages - - -A blocking AppHelp message prevents the application from starting and displays a message to the user. You can define a specific URL where the user can download an updated driver or other fix to resolve the issue. When using a blocking AppHelp message, you must also define the file-matching information to identify the version of the application and enable the corrected version to continue. - -A non-blocking AppHelp message does not prevent the application from starting, but provides a message to the user including information such as security issues, updates to the application, or changes to the location of network resources. - -## Searching for Existing Compatibility Fixes - - -The Compatibility Administrator tool has preloaded fixes for many common applications, including known compatibility fixes, compatibility modes, and AppHelp messages. Before you create a new AppHelp message, you can search for an existing application and then copy and paste the known fixes into your custom database. - -**Important**   -Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create custom databases for 32-bit applications and the 64-bit version to create custom databases for 64-bit applications. - - - -**To search for an existing application** - -1. In the left-side pane of Compatibility Administrator, expand the **Applications** folder and search for your application name. - -2. Click the application name to view the preloaded AppHelp messages, compatibility fixes, and compatibility modes. - -## Creating a New AppHelp Message - - -If you are unable to find a preloaded AppHelp message for your application, you can create a new one for use by your custom database. - -**To create a new AppHelp message** - -1. In the left-side pane of Compatibility Administrator, below the **Custom Databases** heading, right-click the name of the database to which you will apply the AppHelp message, click **Create New**, and then click **AppHelp Message**. - -2. Type the name of the application to which this AppHelp message applies, type the name of the application vendor, browse to the location of the application file (.exe) on your computer, and then click **Next**. - - The wizard shows the known **Matching Information**, which is used for program identification. - -3. Select any additional criteria to use to match your applications to the AppHelp message, and then click **Next**. - - By default, Compatibility Administrator selects the basic matching criteria for your application. - - The wizard shows the **Enter Message Type** options. - -4. Click one of the following options: - - - **Display a message and allow this program to run**. This is a non-blocking message, which means that you can alert the user that there might be a problem, but the application is not prevented from starting. - - - **Display a message and do not allow this program to run**. This is a blocking message, which means that the application will not start. Instead, this message points the user to a location that provides more information about fixing the issue. - -5. Click **Next**. - - The wizard then shows the **Enter Message Information** fields. - -6. Type the website URL and the message text to appear when the user starts the application, and then click **Finish**. - -## Issues with AppHelp Messages and Computers Running Windows 2000 - - -The following issues might occur with computers running Windows 2000: - -- You might be unable to create a custom AppHelp message. - -- The AppHelp message text used for system database entries might not appear. - -- Copying an AppHelp entry for a system database or a custom-compatibility fix from a system database might cause Compatibility Administrator to hide the descriptive text. - -## Related topics -[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) +--- +title: Creating an AppHelp Message in Compatibility Administrator (Windows 10) +description: The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system. +ms.assetid: 5c6e89f5-1942-4aa4-8439-ccf0ecd02848 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Creating an AppHelp Message in Compatibility Administrator + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system. + +## Blocking Versus Non-Blocking AppHelp Messages + + +A blocking AppHelp message prevents the application from starting and displays a message to the user. You can define a specific URL where the user can download an updated driver or other fix to resolve the issue. When using a blocking AppHelp message, you must also define the file-matching information to identify the version of the application and enable the corrected version to continue. + +A non-blocking AppHelp message does not prevent the application from starting, but provides a message to the user including information such as security issues, updates to the application, or changes to the location of network resources. + +## Searching for Existing Compatibility Fixes + + +The Compatibility Administrator tool has preloaded fixes for many common applications, including known compatibility fixes, compatibility modes, and AppHelp messages. Before you create a new AppHelp message, you can search for an existing application and then copy and paste the known fixes into your custom database. + +**Important**   +Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create custom databases for 32-bit applications and the 64-bit version to create custom databases for 64-bit applications. + + + +**To search for an existing application** + +1. In the left-side pane of Compatibility Administrator, expand the **Applications** folder and search for your application name. + +2. Click the application name to view the preloaded AppHelp messages, compatibility fixes, and compatibility modes. + +## Creating a New AppHelp Message + + +If you are unable to find a preloaded AppHelp message for your application, you can create a new one for use by your custom database. + +**To create a new AppHelp message** + +1. In the left-side pane of Compatibility Administrator, below the **Custom Databases** heading, right-click the name of the database to which you will apply the AppHelp message, click **Create New**, and then click **AppHelp Message**. + +2. Type the name of the application to which this AppHelp message applies, type the name of the application vendor, browse to the location of the application file (.exe) on your computer, and then click **Next**. + + The wizard shows the known **Matching Information**, which is used for program identification. + +3. Select any additional criteria to use to match your applications to the AppHelp message, and then click **Next**. + + By default, Compatibility Administrator selects the basic matching criteria for your application. + + The wizard shows the **Enter Message Type** options. + +4. Click one of the following options: + + - **Display a message and allow this program to run**. This is a non-blocking message, which means that you can alert the user that there might be a problem, but the application is not prevented from starting. + + - **Display a message and do not allow this program to run**. This is a blocking message, which means that the application will not start. Instead, this message points the user to a location that provides more information about fixing the issue. + +5. Click **Next**. + + The wizard then shows the **Enter Message Information** fields. + +6. Type the website URL and the message text to appear when the user starts the application, and then click **Finish**. + +## Issues with AppHelp Messages and Computers Running Windows 2000 + + +The following issues might occur with computers running Windows 2000: + +- You might be unable to create a custom AppHelp message. + +- The AppHelp message text used for system database entries might not appear. + +- Copying an AppHelp entry for a system database or a custom-compatibility fix from a system database might cause Compatibility Administrator to hide the descriptive text. + +## Related topics +[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) diff --git a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md index ecd53deb4e..decac6d28e 100644 --- a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md +++ b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md @@ -1,340 +1,340 @@ ---- -title: Deployment considerations for Windows To Go (Windows 10) -description: Deployment considerations for Windows To Go -ms.assetid: dcfc5d96-b96b-44cd-ab65-416b5611c65e -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: deploy, mobile, device, USB, boot, image, workspace, driver -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: mobility -ms.sitesec: library -author: greg-lindsay -ms.topic: article ---- - -# Deployment considerations for Windows To Go - - -**Applies to** - -- Windows 10 - ->[!IMPORTANT] ->Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. - -From the start, Windows To Go was designed to minimize differences between the user experience of working on a laptop and Windows To Go booted from a USB drive. Given that Windows To Go was designed as an enterprise solution, extra consideration was given to the deployment workflows that enterprises already have in place. Additionally, there has been a focus on minimizing the number of differences in deployment between Windows To Go workspaces and laptop PCs. - -**Note**   -Windows To Go does not support operating system upgrades. Windows To Go is designed as a feature that is managed centrally. IT departments that plan to transition from one operating system version to a later version will need to incorporate re-imaging their existing Windows To Go drives as part of their upgrade deployment process. - - - -The following sections discuss the boot experience, deployment methods, and tools that you can use with Windows To Go. - -- [Initial boot experiences](#wtg-initboot) - -- [Image deployment and drive provisioning considerations](#wtg-imagedep) - -- [Application installation and domain join](#wtg-appinstall) - -- [Management of Windows To Go using Group Policy](#bkmk-wtggp) - -- [Supporting booting from USB](#wtg-bootusb) - -- [Updating firmware](#stg-firmware) - -- [Configure Windows To Go startup options](#wtg-startup) - -- [Change firmware settings](#wtg-changefirmware) - -## Initial boot experiences - - -The following diagrams illustrate the two different methods you could use to provide Windows To Go drives to your users. The experiences differ depending on whether the user will be booting the device initially on-premises or off-premises: - -![initial boot on-premises](images/wtg-first-boot-work.gif) - -When a Windows To Go workspace is first used at the workplace, the Windows To Go workspace can be joined to the domain through the normal procedures that occur when a new computer is introduced. It obtains a lease, applicable policies are applied and set, and user account tokens are placed appropriately. BitLocker protection can be applied and the BitLocker recovery key automatically stored in Active Directory Domain Services. The user can access network resources to install software and get access to data sources. When the workspace is subsequently booted at a different location either on or off premises, the configuration required for it to connect back to the work network using either DirectAccess or a virtual private network connection can be configured. It is not necessary to configure the workspace for offline domain join. DirectAccess can make connecting to organizational resources easier, but is not required. - -![initial boot off-premises](images/wtg-first-boot-home.gif) - -When the Windows To Go workspace is going to be used first on an off-premises computer, such as one at the employee’s home, then the IT professional preparing the Windows To Go drives should configure the drive to be able to connect to organizational resources and to maintain the security of the workspace. In this situation, the Windows To Go workspace needs to be configured for offline domain join and BitLocker needs to be enabled before the workspace has been initialized. - -**Tip**   -Applying BitLocker Drive Encryption to the drives before provisioning is a much faster process than encrypting the drives after data has already been stored on them due to a new feature called used-disk space only encryption. For more information, see [What's New in BitLocker](https://go.microsoft.com/fwlink/p/?LinkId=619076). - - - -DirectAccess can be used to ensure that the user can login with their domain credentials without needing a local account. For instructions on setting up a DirectAccess solution, for a small pilot deployment see [Deploy a Single Remote Access Server using the Getting Started Wizard](https://go.microsoft.com/fwlink/p/?LinkId=619077) for a larger scale deployment, see [Deploy Remote Access in an Enterprise](https://go.microsoft.com/fwlink/p/?LinkId=619078). If you do not want to use DirectAccess as an alternative users could log on using a local user account on the Windows To Go workspace and then use a virtual private network for remote access to your organizational network. - -### Image deployment and drive provisioning considerations - -The Image Deployment process can be accomplished either by a centralized IT process for your organization or by individual users creating their own Windows To Go workspaces. You must have local Administrator access and access to a Windows 10 Enterprise or Windows 10 Education image to create a Windows To Go workspace, or you must be using System Center Configuration Manager 2012 Service Pack 1 or later to distribute Windows To Go workspaces to users. The image deployment process takes a blank USB drive and a Windows 10 Enterprise image (WIM) and turns it into a Windows To Go drive. - -![windows to go image deployment](images/wtg-image-deployment.gif) - -The simplest way to provision a Windows To Go drive is to use the Windows To Go Creator. After a single Windows To Go workspace has been created, it can be duplicated as many times as necessary using widely available USB duplicator products as long as the device has not been booted. After the Windows To Go drive is initialized, it should not be duplicated. Alternatively, Windows To Go Workspace Creator can be run multiple times to create multiple Windows To Go drives. - -**Tip**   -When you create your Windows To Go image use sysprep /generalize, just as you do when you deploy Windows 10 to a standard PC. In fact, if appropriate, use the same image for both deployments. - - - -**Driver considerations** - -Windows includes most of the drivers that you will need to support a wide variety of host computers. However, you will occasionally need to download drivers from Windows Update to take advantage of the full functionality of a device. If you are using Windows To Go on a set of known host computers, you can add any additional drivers to the image used on Windows To Go to make Windows To Go drives more quickly usable by your employees. Especially ensure that network drivers are available so that the user can connect to Windows Update to get additional drivers if necessary. - -Wi-Fi network adapter drivers are one of the most important drivers to make sure that you include in your standard image so that users can easily connect to the internet for any additional updates. IT administrators that are attempting to build Windows 10 images for use with Windows To Go should consider adding additional Wi-Fi drivers to their image to ensure that their users have the best chance of still having basic network connectivity when roaming between systems. - -The following list of commonly used Wi-Fi network adapters that are not supported by the default drivers provided with Windows 10 is provided to help you ascertain whether or not you need to add drivers to your image. - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Vendor name

          Product description

          HWID

          Windows Update availability

          Broadcom

          802.11abgn Wireless SDIO adapter

          sd\vid_02d0&pid_4330&fn_1

          Contact the system OEM or Broadcom for driver availability.

          Broadcom

          802.11n Network Adapter

          pci\ven_14e4&dev_4331&subsys_00d6106b&rev_02

          Contact the system OEM or Broadcom for driver availability.

          Broadcom

          802.11n Network Adapter

          pci\ven_14e4&dev_4331&subsys_00f5106b&rev_02

          Contact the system OEM or Broadcom for driver availability.

          Broadcom

          802.11n Network Adapter

          pci\ven_14e4&dev_4331&subsys_00ef106b&rev_02

          Contact the system OEM or Broadcom for driver availability.

          Broadcom

          802.11n Network Adapter

          pci\ven_14e4&dev_4331&subsys_00f4106b&rev_02

          Contact the system OEM or Broadcom for driver availability.

          Broadcom

          802.11n Network Adapter

          pci\ven_14e4&dev_4331&subsys_010e106b&rev_02

          Contact the system OEM or Broadcom for driver availability.

          Broadcom

          802.11n Network Adapter

          pci\ven_14e4&dev_4331&subsys_00e4106b&rev_02

          Contact the system OEM or Broadcom for driver availability.

          Broadcom

          802.11n Network Adapter

          pci\ven_14e4&dev_4331&subsys_433114e4&rev_02

          Contact the system OEM or Broadcom for driver availability.

          Broadcom

          802.11n Network Adapter

          pci\ven_14e4&dev_4331&subsys_010f106b&rev_02

          Contact the system OEM or Broadcom for driver availability.

          Marvell

          Yukon 88E8001/8003/8010 PCI Gigabit Ethernet

          pci\ven_11ab&dev_4320&subsys_811a1043

          32-bit driver

          -

          64-bit driver

          Marvell

          Libertas 802.11b/g Wireless

          pci\ven_11ab&dev_1faa&subsys_6b001385&rev_03

          32-bit driver

          -

          64-bit driver

          Qualcomm

          Atheros AR6004 Wireless LAN Adapter

          sd\vid_0271&pid_0401

          32-bit driver

          -

          64-bit driver not available

          Qualcomm

          Atheros AR5BWB222 Wireless Network Adapter

          pci\ven_168c&dev_0034&subsys_20031a56

          32-bit driver

          -

          64-bit driver not available

          Qualcomm

          Atheros AR5BWB222 Wireless Network Adapter

          pci\ven_168c&dev_0034&subsys_020a1028&rev_01

          Contact the system OEM or Qualcom for driver availability.

          Qualcomm

          Atheros AR5005G Wireless Network Adapter

          pci\ven_168c&dev_001a&subsys_04181468&rev_01

          32-bit driver

          -

          64-bit driver

          Ralink

          Wireless-G PCI Adapter

          pci\ven_1814&dev_0301&subsys_00551737&rev_00

          32-bit driver

          -

          64-bit driver

          Ralink

          Turbo Wireless LAN Card

          pci\ven_1814&dev_0301&subsys_25611814&rev_00

          32-bit driver

          -

          64-bit driver

          Ralink

          Wireless LAN Card V1

          pci\ven_1814&dev_0302&subsys_3a711186&rev_00

          32-bit driver

          -

          64-bit driver

          Ralink

          D-Link AirPlus G DWL-G510 Wireless PCI Adapter(rev.C)

          pci\ven_1814&dev_0302&subsys_3c091186&rev_00

          32-bit driver

          -

          64-bit driver

          - - - -IT administrators that want to target Windows To Go images for specific systems should test their images to ensure that the necessary system drivers are in the image, especially for critical functionality like Wi-Fi that is not supported by class drivers. Some consumer devices require OEM specific driver packages, which may not be available on Windows Update. For more information on how to add a driver to a Windows Image, please refer to the [Basic Windows Deployment Step-by-Step Guide](https://go.microsoft.com/fwlink/p/?LinkId=619079). - -### Application installation and domain join - -Unless you are using a customized Windows image that includes unattended installation settings, the initial Windows To Go workspace will not be domain joined and will not contain applications. This is exactly like a new installation of Windows on a desktop or laptop computer. When planning your deployment, you should develop methods to join Windows to Go drives to the domain and install the standard applications that users in your organization require. These methods probably will be similar to the ones used for setting up desktop and laptop computers with domain privileges and applications - -### Management of Windows To Go using Group Policy - -In general, management of Windows To Go workspaces is same as that for desktop and laptop computers. There are Windows To Go specific Group Policy settings that should be considered as part of Windows To Go deployment. Windows To Go Group Policy settings are located at `\\Computer Configuration\Administrative Templates\Windows Components\Portable Operating System\` in the Local Group Policy Editor. - -The use of the Store on Windows To Go workspaces that are running Windows 8 can also be controlled by Group Policy. This policy setting is located at `\\Computer Configuration\Administrative Templates\Windows Components\Store\` in the Local Group Policy Editor. The policy settings have specific implications for Windows To Go that you should be aware of when planning your deployment: - -**Settings for workspaces** - -- **Allow hibernate (S4) when started from a Windows To Go workspace** - - This policy setting specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go workspace. By default, hibernation is disabled when using Windows To Go workspace, so enabling this setting explicitly turns this ability back on. When a computer enters hibernation, the contents of memory are written to disk. When the disk is resumed, it is important that the hardware attached to the system, as well as the disk itself, are unchanged. This is inherently incompatible with roaming between PC hosts. Hibernation should only be used when the Windows To Go workspace is not being used to roam between host PCs. - - **Important**   - For the host-PC to resume correctly when hibernation is enabled the Windows To Go workspace must continue to use the same USB port. - - - -- **Disallow standby sleep states (S1-S3) when starting from a Windows To Go workspace** - - This policy setting specifies whether the PC can use standby sleep states (S1–S3) when started from a Windows To Go workspace. The Sleep state also presents a unique challenge to Windows To Go users. When a computer goes to sleep, it appears as if it is shut down. It could be very easy for a user to think that a Windows To Go workspace in sleep mode was actually shut down and they could remove the Windows To Go drive and take it home. Removing the Windows To Go drive in this scenario is equivalent to an unclean shutdown which may result in the loss of unsaved user data or the corruption on the drive. Moreover, if the user now boots the drive on another PC and brings it back to the first PC which still happens to be in the sleep state, it will lead to an arbitrary crash and eventually corruption of the drive and result in the workspace becoming unusable. If you enable this policy setting, the Windows To Go workspace cannot use the standby states to cause the PC to enter sleep mode. If you disable or do not configure this policy setting, the Windows To Go workspace can place the PC in sleep mode. - -**Settings for host PCs** - -- **Windows To Go Default Startup Options** - - This policy setting controls whether the host computer will boot to Windows To Go if a USB device containing a Windows To Go workspace is connected, and controls whether users can make changes using the **Windows To Go Startup Options** settings dialog. If you enable this policy setting, booting to Windows To Go when a USB device is connected will be enabled and users will not be able to make changes using the **Windows To Go Startup Options** settings dialog. If you disable this policy setting, booting to Windows To Go when a USB device is connected will not be enabled unless a user configures the option manually in the firmware. If you do not configure this policy setting, users who are members of the local Administrators group can enable or disable booting from USB using the **Windows To Go Startup Options** settings dialog. - - **Important**   - Enabling this policy setting will cause PCs running Windows to attempt to boot from any USB device that is inserted into the PC before it is started. - - - -## Supporting booting from USB - - -The biggest hurdle for a user wanting to use Windows To Go is configuring their computer to boot from USB. This is traditionally done by entering the firmware and configuring the appropriate boot order options. To ease the process of making the firmware modifications required for Windows To Go, Windows includes a feature named **Windows To Go Startup Options** that allows a user to configure their computer to boot from USB from within Windows—without ever entering their firmware, as long as their firmware supports booting from USB. - -**Note**   -Enabling a system to always boot from USB first has implications that you should consider. For example, a USB device that includes malware could be booted inadvertently to compromise the system, or multiple USB drives could be plugged in to cause a boot conflict. For this reason, the Windows To Go startup options are disabled by default. In addition, administrator privileges are required to configure Windows To Go startup options. - - - -If you are going to be using a Windows 7 computer as a host-PC, see the wiki article [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkID=618951). - -### Roaming between different firmware types - -Windows supports two types of PC firmware: Unified Extensible Firmware Interface (UEFI), which is the new standard, and legacy BIOS firmware, which was used in most PCs shipping with Windows 7 or earlier version of Windows. Each firmware type has completely different Windows boot components that are incompatible with each other. Beyond the different boot components, Windows supports different partition styles and layout requirements for each type of firmware as shown in the following diagrams. - -![bios layout](images/wtg-mbr-bios.gif)![uefi layout](images/wtg-gpt-uefi.gif) - -This presented a unique challenge for Windows To Go because the firmware type is not easily determined by end-users—a UEFI computer looks just like a legacy BIOS computer and Windows To Go must boot on both types of firmware. - -To enable booting Windows To Go on both types of firmware, a new disk layout is provided for Windows 8 or later that contains both sets of boot components on a FAT32 system partition and a new command-line option was added to bcdboot.exe to support this configuration. The **/f** option is used with the **bcdboot /s** command to specify the firmware type of the target system partition by appending either **UEFI**, **BIOS** or **ALL**. When creating Windows To Go drives manually you must use the **ALL** parameter to provide the Windows To Go drive the ability to boot on both types of firmware. For example, on volume H: (your Windows To Go USB drive letter), you would use the command **bcdboot C:\\windows /s H: /f ALL**. The following diagram illustrates the disk layout that results from that command: - -![firmware roaming disk layout](images/wtg-mbr-firmware-roaming.gif) - -This is the only supported disk configuration for Windows To Go. With this disk configuration, a single Windows To Go drive can be booted on computers with UEFI and legacy BIOS firmware. - -### Configure Windows To Go startup options - -Windows To Go Startup Options is a setting available on Windows 10-based PCs that enables the computer to be booted from a USB without manually changing the firmware settings of the PC. To configure Windows To Go Startup Options you must have administrative rights on the computer and the **Windows To Go Default Startup Options** Group Policy setting must not be configured. - -**To configure Windows To Go startup options** - -1. On the Start screen, type, type **Windows To Go Startup Options**, click **Settings** and then press Enter. - - ![windows to go startup options](images/wtg-startup-options.gif) - -2. Select **Yes** to enable the startup options. - - **Tip**   - If your computer is part of a domain, the Group Policy setting can be used to enable the startup options instead of the dialog. - - - -3. Click **Save Changes**. If the User Account Control dialog box is displayed, confirm that the action it displays is what you want, and then click **Yes**. - -### Change firmware settings - -If you choose to not use the Windows To Go startup options or are using a PC running Windows 7 as your host computer you will need to manually configure the firmware settings. The process used to accomplish this will depend on the firmware type and manufacturer. If your host computer is protected by BitLocker and running Windows 7 you should suspend BitLocker before making the change to the firmware settings. After the firmware settings have been successfully reconfigured, resume BitLocker protection. If you do not suspend BitLocker first, BitLocker will assume that the computer has been tampered with and will boot into BitLocker recovery mode. - -## Related topics - - -[Windows To Go: feature overview](windows-to-go-overview.md) - -[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md) - -[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md) - -[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md) - - - - - - - - - +--- +title: Deployment considerations for Windows To Go (Windows 10) +description: Deployment considerations for Windows To Go +ms.assetid: dcfc5d96-b96b-44cd-ab65-416b5611c65e +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: deploy, mobile, device, USB, boot, image, workspace, driver +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: mobility +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Deployment considerations for Windows To Go + + +**Applies to** + +- Windows 10 + +>[!IMPORTANT] +>Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. + +From the start, Windows To Go was designed to minimize differences between the user experience of working on a laptop and Windows To Go booted from a USB drive. Given that Windows To Go was designed as an enterprise solution, extra consideration was given to the deployment workflows that enterprises already have in place. Additionally, there has been a focus on minimizing the number of differences in deployment between Windows To Go workspaces and laptop PCs. + +**Note**   +Windows To Go does not support operating system upgrades. Windows To Go is designed as a feature that is managed centrally. IT departments that plan to transition from one operating system version to a later version will need to incorporate re-imaging their existing Windows To Go drives as part of their upgrade deployment process. + + + +The following sections discuss the boot experience, deployment methods, and tools that you can use with Windows To Go. + +- [Initial boot experiences](#wtg-initboot) + +- [Image deployment and drive provisioning considerations](#wtg-imagedep) + +- [Application installation and domain join](#wtg-appinstall) + +- [Management of Windows To Go using Group Policy](#bkmk-wtggp) + +- [Supporting booting from USB](#wtg-bootusb) + +- [Updating firmware](#stg-firmware) + +- [Configure Windows To Go startup options](#wtg-startup) + +- [Change firmware settings](#wtg-changefirmware) + +## Initial boot experiences + + +The following diagrams illustrate the two different methods you could use to provide Windows To Go drives to your users. The experiences differ depending on whether the user will be booting the device initially on-premises or off-premises: + +![initial boot on-premises](images/wtg-first-boot-work.gif) + +When a Windows To Go workspace is first used at the workplace, the Windows To Go workspace can be joined to the domain through the normal procedures that occur when a new computer is introduced. It obtains a lease, applicable policies are applied and set, and user account tokens are placed appropriately. BitLocker protection can be applied and the BitLocker recovery key automatically stored in Active Directory Domain Services. The user can access network resources to install software and get access to data sources. When the workspace is subsequently booted at a different location either on or off premises, the configuration required for it to connect back to the work network using either DirectAccess or a virtual private network connection can be configured. It is not necessary to configure the workspace for offline domain join. DirectAccess can make connecting to organizational resources easier, but is not required. + +![initial boot off-premises](images/wtg-first-boot-home.gif) + +When the Windows To Go workspace is going to be used first on an off-premises computer, such as one at the employee’s home, then the IT professional preparing the Windows To Go drives should configure the drive to be able to connect to organizational resources and to maintain the security of the workspace. In this situation, the Windows To Go workspace needs to be configured for offline domain join and BitLocker needs to be enabled before the workspace has been initialized. + +**Tip**   +Applying BitLocker Drive Encryption to the drives before provisioning is a much faster process than encrypting the drives after data has already been stored on them due to a new feature called used-disk space only encryption. For more information, see [What's New in BitLocker](https://go.microsoft.com/fwlink/p/?LinkId=619076). + + + +DirectAccess can be used to ensure that the user can login with their domain credentials without needing a local account. For instructions on setting up a DirectAccess solution, for a small pilot deployment see [Deploy a Single Remote Access Server using the Getting Started Wizard](https://go.microsoft.com/fwlink/p/?LinkId=619077) for a larger scale deployment, see [Deploy Remote Access in an Enterprise](https://go.microsoft.com/fwlink/p/?LinkId=619078). If you do not want to use DirectAccess as an alternative users could log on using a local user account on the Windows To Go workspace and then use a virtual private network for remote access to your organizational network. + +### Image deployment and drive provisioning considerations + +The Image Deployment process can be accomplished either by a centralized IT process for your organization or by individual users creating their own Windows To Go workspaces. You must have local Administrator access and access to a Windows 10 Enterprise or Windows 10 Education image to create a Windows To Go workspace, or you must be using System Center Configuration Manager 2012 Service Pack 1 or later to distribute Windows To Go workspaces to users. The image deployment process takes a blank USB drive and a Windows 10 Enterprise image (WIM) and turns it into a Windows To Go drive. + +![windows to go image deployment](images/wtg-image-deployment.gif) + +The simplest way to provision a Windows To Go drive is to use the Windows To Go Creator. After a single Windows To Go workspace has been created, it can be duplicated as many times as necessary using widely available USB duplicator products as long as the device has not been booted. After the Windows To Go drive is initialized, it should not be duplicated. Alternatively, Windows To Go Workspace Creator can be run multiple times to create multiple Windows To Go drives. + +**Tip**   +When you create your Windows To Go image use sysprep /generalize, just as you do when you deploy Windows 10 to a standard PC. In fact, if appropriate, use the same image for both deployments. + + + +**Driver considerations** + +Windows includes most of the drivers that you will need to support a wide variety of host computers. However, you will occasionally need to download drivers from Windows Update to take advantage of the full functionality of a device. If you are using Windows To Go on a set of known host computers, you can add any additional drivers to the image used on Windows To Go to make Windows To Go drives more quickly usable by your employees. Especially ensure that network drivers are available so that the user can connect to Windows Update to get additional drivers if necessary. + +Wi-Fi network adapter drivers are one of the most important drivers to make sure that you include in your standard image so that users can easily connect to the internet for any additional updates. IT administrators that are attempting to build Windows 10 images for use with Windows To Go should consider adding additional Wi-Fi drivers to their image to ensure that their users have the best chance of still having basic network connectivity when roaming between systems. + +The following list of commonly used Wi-Fi network adapters that are not supported by the default drivers provided with Windows 10 is provided to help you ascertain whether or not you need to add drivers to your image. + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

          Vendor name

          Product description

          HWID

          Windows Update availability

          Broadcom

          802.11abgn Wireless SDIO adapter

          sd\vid_02d0&pid_4330&fn_1

          Contact the system OEM or Broadcom for driver availability.

          Broadcom

          802.11n Network Adapter

          pci\ven_14e4&dev_4331&subsys_00d6106b&rev_02

          Contact the system OEM or Broadcom for driver availability.

          Broadcom

          802.11n Network Adapter

          pci\ven_14e4&dev_4331&subsys_00f5106b&rev_02

          Contact the system OEM or Broadcom for driver availability.

          Broadcom

          802.11n Network Adapter

          pci\ven_14e4&dev_4331&subsys_00ef106b&rev_02

          Contact the system OEM or Broadcom for driver availability.

          Broadcom

          802.11n Network Adapter

          pci\ven_14e4&dev_4331&subsys_00f4106b&rev_02

          Contact the system OEM or Broadcom for driver availability.

          Broadcom

          802.11n Network Adapter

          pci\ven_14e4&dev_4331&subsys_010e106b&rev_02

          Contact the system OEM or Broadcom for driver availability.

          Broadcom

          802.11n Network Adapter

          pci\ven_14e4&dev_4331&subsys_00e4106b&rev_02

          Contact the system OEM or Broadcom for driver availability.

          Broadcom

          802.11n Network Adapter

          pci\ven_14e4&dev_4331&subsys_433114e4&rev_02

          Contact the system OEM or Broadcom for driver availability.

          Broadcom

          802.11n Network Adapter

          pci\ven_14e4&dev_4331&subsys_010f106b&rev_02

          Contact the system OEM or Broadcom for driver availability.

          Marvell

          Yukon 88E8001/8003/8010 PCI Gigabit Ethernet

          pci\ven_11ab&dev_4320&subsys_811a1043

          32-bit driver

          +

          64-bit driver

          Marvell

          Libertas 802.11b/g Wireless

          pci\ven_11ab&dev_1faa&subsys_6b001385&rev_03

          32-bit driver

          +

          64-bit driver

          Qualcomm

          Atheros AR6004 Wireless LAN Adapter

          sd\vid_0271&pid_0401

          32-bit driver

          +

          64-bit driver not available

          Qualcomm

          Atheros AR5BWB222 Wireless Network Adapter

          pci\ven_168c&dev_0034&subsys_20031a56

          32-bit driver

          +

          64-bit driver not available

          Qualcomm

          Atheros AR5BWB222 Wireless Network Adapter

          pci\ven_168c&dev_0034&subsys_020a1028&rev_01

          Contact the system OEM or Qualcom for driver availability.

          Qualcomm

          Atheros AR5005G Wireless Network Adapter

          pci\ven_168c&dev_001a&subsys_04181468&rev_01

          32-bit driver

          +

          64-bit driver

          Ralink

          Wireless-G PCI Adapter

          pci\ven_1814&dev_0301&subsys_00551737&rev_00

          32-bit driver

          +

          64-bit driver

          Ralink

          Turbo Wireless LAN Card

          pci\ven_1814&dev_0301&subsys_25611814&rev_00

          32-bit driver

          +

          64-bit driver

          Ralink

          Wireless LAN Card V1

          pci\ven_1814&dev_0302&subsys_3a711186&rev_00

          32-bit driver

          +

          64-bit driver

          Ralink

          D-Link AirPlus G DWL-G510 Wireless PCI Adapter(rev.C)

          pci\ven_1814&dev_0302&subsys_3c091186&rev_00

          32-bit driver

          +

          64-bit driver

          + + + +IT administrators that want to target Windows To Go images for specific systems should test their images to ensure that the necessary system drivers are in the image, especially for critical functionality like Wi-Fi that is not supported by class drivers. Some consumer devices require OEM specific driver packages, which may not be available on Windows Update. For more information on how to add a driver to a Windows Image, please refer to the [Basic Windows Deployment Step-by-Step Guide](https://go.microsoft.com/fwlink/p/?LinkId=619079). + +### Application installation and domain join + +Unless you are using a customized Windows image that includes unattended installation settings, the initial Windows To Go workspace will not be domain joined and will not contain applications. This is exactly like a new installation of Windows on a desktop or laptop computer. When planning your deployment, you should develop methods to join Windows to Go drives to the domain and install the standard applications that users in your organization require. These methods probably will be similar to the ones used for setting up desktop and laptop computers with domain privileges and applications + +### Management of Windows To Go using Group Policy + +In general, management of Windows To Go workspaces is same as that for desktop and laptop computers. There are Windows To Go specific Group Policy settings that should be considered as part of Windows To Go deployment. Windows To Go Group Policy settings are located at `\\Computer Configuration\Administrative Templates\Windows Components\Portable Operating System\` in the Local Group Policy Editor. + +The use of the Store on Windows To Go workspaces that are running Windows 8 can also be controlled by Group Policy. This policy setting is located at `\\Computer Configuration\Administrative Templates\Windows Components\Store\` in the Local Group Policy Editor. The policy settings have specific implications for Windows To Go that you should be aware of when planning your deployment: + +**Settings for workspaces** + +- **Allow hibernate (S4) when started from a Windows To Go workspace** + + This policy setting specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go workspace. By default, hibernation is disabled when using Windows To Go workspace, so enabling this setting explicitly turns this ability back on. When a computer enters hibernation, the contents of memory are written to disk. When the disk is resumed, it is important that the hardware attached to the system, as well as the disk itself, are unchanged. This is inherently incompatible with roaming between PC hosts. Hibernation should only be used when the Windows To Go workspace is not being used to roam between host PCs. + + **Important**   + For the host-PC to resume correctly when hibernation is enabled the Windows To Go workspace must continue to use the same USB port. + + + +- **Disallow standby sleep states (S1-S3) when starting from a Windows To Go workspace** + + This policy setting specifies whether the PC can use standby sleep states (S1–S3) when started from a Windows To Go workspace. The Sleep state also presents a unique challenge to Windows To Go users. When a computer goes to sleep, it appears as if it is shut down. It could be very easy for a user to think that a Windows To Go workspace in sleep mode was actually shut down and they could remove the Windows To Go drive and take it home. Removing the Windows To Go drive in this scenario is equivalent to an unclean shutdown which may result in the loss of unsaved user data or the corruption on the drive. Moreover, if the user now boots the drive on another PC and brings it back to the first PC which still happens to be in the sleep state, it will lead to an arbitrary crash and eventually corruption of the drive and result in the workspace becoming unusable. If you enable this policy setting, the Windows To Go workspace cannot use the standby states to cause the PC to enter sleep mode. If you disable or do not configure this policy setting, the Windows To Go workspace can place the PC in sleep mode. + +**Settings for host PCs** + +- **Windows To Go Default Startup Options** + + This policy setting controls whether the host computer will boot to Windows To Go if a USB device containing a Windows To Go workspace is connected, and controls whether users can make changes using the **Windows To Go Startup Options** settings dialog. If you enable this policy setting, booting to Windows To Go when a USB device is connected will be enabled and users will not be able to make changes using the **Windows To Go Startup Options** settings dialog. If you disable this policy setting, booting to Windows To Go when a USB device is connected will not be enabled unless a user configures the option manually in the firmware. If you do not configure this policy setting, users who are members of the local Administrators group can enable or disable booting from USB using the **Windows To Go Startup Options** settings dialog. + + **Important**   + Enabling this policy setting will cause PCs running Windows to attempt to boot from any USB device that is inserted into the PC before it is started. + + + +## Supporting booting from USB + + +The biggest hurdle for a user wanting to use Windows To Go is configuring their computer to boot from USB. This is traditionally done by entering the firmware and configuring the appropriate boot order options. To ease the process of making the firmware modifications required for Windows To Go, Windows includes a feature named **Windows To Go Startup Options** that allows a user to configure their computer to boot from USB from within Windows—without ever entering their firmware, as long as their firmware supports booting from USB. + +**Note**   +Enabling a system to always boot from USB first has implications that you should consider. For example, a USB device that includes malware could be booted inadvertently to compromise the system, or multiple USB drives could be plugged in to cause a boot conflict. For this reason, the Windows To Go startup options are disabled by default. In addition, administrator privileges are required to configure Windows To Go startup options. + + + +If you are going to be using a Windows 7 computer as a host-PC, see the wiki article [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkID=618951). + +### Roaming between different firmware types + +Windows supports two types of PC firmware: Unified Extensible Firmware Interface (UEFI), which is the new standard, and legacy BIOS firmware, which was used in most PCs shipping with Windows 7 or earlier version of Windows. Each firmware type has completely different Windows boot components that are incompatible with each other. Beyond the different boot components, Windows supports different partition styles and layout requirements for each type of firmware as shown in the following diagrams. + +![bios layout](images/wtg-mbr-bios.gif)![uefi layout](images/wtg-gpt-uefi.gif) + +This presented a unique challenge for Windows To Go because the firmware type is not easily determined by end-users—a UEFI computer looks just like a legacy BIOS computer and Windows To Go must boot on both types of firmware. + +To enable booting Windows To Go on both types of firmware, a new disk layout is provided for Windows 8 or later that contains both sets of boot components on a FAT32 system partition and a new command-line option was added to bcdboot.exe to support this configuration. The **/f** option is used with the **bcdboot /s** command to specify the firmware type of the target system partition by appending either **UEFI**, **BIOS** or **ALL**. When creating Windows To Go drives manually you must use the **ALL** parameter to provide the Windows To Go drive the ability to boot on both types of firmware. For example, on volume H: (your Windows To Go USB drive letter), you would use the command **bcdboot C:\\windows /s H: /f ALL**. The following diagram illustrates the disk layout that results from that command: + +![firmware roaming disk layout](images/wtg-mbr-firmware-roaming.gif) + +This is the only supported disk configuration for Windows To Go. With this disk configuration, a single Windows To Go drive can be booted on computers with UEFI and legacy BIOS firmware. + +### Configure Windows To Go startup options + +Windows To Go Startup Options is a setting available on Windows 10-based PCs that enables the computer to be booted from a USB without manually changing the firmware settings of the PC. To configure Windows To Go Startup Options you must have administrative rights on the computer and the **Windows To Go Default Startup Options** Group Policy setting must not be configured. + +**To configure Windows To Go startup options** + +1. On the Start screen, type, type **Windows To Go Startup Options**, click **Settings** and then press Enter. + + ![windows to go startup options](images/wtg-startup-options.gif) + +2. Select **Yes** to enable the startup options. + + **Tip**   + If your computer is part of a domain, the Group Policy setting can be used to enable the startup options instead of the dialog. + + + +3. Click **Save Changes**. If the User Account Control dialog box is displayed, confirm that the action it displays is what you want, and then click **Yes**. + +### Change firmware settings + +If you choose to not use the Windows To Go startup options or are using a PC running Windows 7 as your host computer you will need to manually configure the firmware settings. The process used to accomplish this will depend on the firmware type and manufacturer. If your host computer is protected by BitLocker and running Windows 7 you should suspend BitLocker before making the change to the firmware settings. After the firmware settings have been successfully reconfigured, resume BitLocker protection. If you do not suspend BitLocker first, BitLocker will assume that the computer has been tampered with and will boot into BitLocker recovery mode. + +## Related topics + + +[Windows To Go: feature overview](windows-to-go-overview.md) + +[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md) + +[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md) + +[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md) + + + + + + + + + diff --git a/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md b/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md index 97329b8201..efa2cac236 100644 --- a/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md +++ b/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md @@ -1,68 +1,68 @@ ---- -title: Enabling and Disabling Compatibility Fixes in Compatibility Administrator (Windows 10) -description: You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes. -ms.assetid: 6bd4a7c5-0ed9-4a35-948c-c438aa4d6cb6 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Enabling and Disabling Compatibility Fixes in Compatibility Administrator - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes. - -## Disabling Compatibility Fixes - - -Customized compatibility databases can become quite complex as you add your fixes for the multiple applications found in your organization. Over time, you may find you need to disable a particular fix in your customized database. For example, if a software vendor releases a fix for an issue addressed in one of your compatibility fixes, you must validate that the vendor's fix is correct and that it resolves your issue. To do this, you must temporarily disable the compatibility fix and then test your application. - -**Important**   -Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to work with custom databases for 32-bit applications and the 64-bit version to work with custom databases for 64-bit applications. - - - -**To disable a compatibility fix within a database** - -1. In the left-sde pane of Compatibility Administrator, expand the custom database that includes the compatibility fix that you want to disable, and then select the specific compatibility fix. - - The compatibility fix details appear in the right-hand pane. - -2. On the **Database** menu, click **Disable Entry**. - - **Important**   - When you disable an entry, it will remain disabled even if you do not save the database file. - - - -## Enabling Compatibility Fixes - - -You can enable your disabled compatibility fixes at any time. - -**To enable a compatibility fix within a database** - -1. In the left-side pane of Compatibility Administrator, expand the custom database that includes the compatibility fix that you want to enable, and then select the specific compatibility fix. - - The compatibility fix details appear in the right-side pane. - -2. On the **Database** menu, click **Enable Entry**. - -## Related topics -[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) +--- +title: Enabling and Disabling Compatibility Fixes in Compatibility Administrator (Windows 10) +description: You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes. +ms.assetid: 6bd4a7c5-0ed9-4a35-948c-c438aa4d6cb6 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Enabling and Disabling Compatibility Fixes in Compatibility Administrator + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes. + +## Disabling Compatibility Fixes + + +Customized compatibility databases can become quite complex as you add your fixes for the multiple applications found in your organization. Over time, you may find you need to disable a particular fix in your customized database. For example, if a software vendor releases a fix for an issue addressed in one of your compatibility fixes, you must validate that the vendor's fix is correct and that it resolves your issue. To do this, you must temporarily disable the compatibility fix and then test your application. + +**Important**   +Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to work with custom databases for 32-bit applications and the 64-bit version to work with custom databases for 64-bit applications. + + + +**To disable a compatibility fix within a database** + +1. In the left-sde pane of Compatibility Administrator, expand the custom database that includes the compatibility fix that you want to disable, and then select the specific compatibility fix. + + The compatibility fix details appear in the right-hand pane. + +2. On the **Database** menu, click **Disable Entry**. + + **Important**   + When you disable an entry, it will remain disabled even if you do not save the database file. + + + +## Enabling Compatibility Fixes + + +You can enable your disabled compatibility fixes at any time. + +**To enable a compatibility fix within a database** + +1. In the left-side pane of Compatibility Administrator, expand the custom database that includes the compatibility fix that you want to enable, and then select the specific compatibility fix. + + The compatibility fix details appear in the right-side pane. + +2. On the **Database** menu, click **Enable Entry**. + +## Related topics +[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) diff --git a/windows/deployment/planning/features-lifecycle.md b/windows/deployment/planning/features-lifecycle.md index 72e45ad5e7..1e0d36aca0 100644 --- a/windows/deployment/planning/features-lifecycle.md +++ b/windows/deployment/planning/features-lifecycle.md @@ -1,39 +1,39 @@ ---- -title: Windows 10 features lifecycle -description: Learn about the lifecycle of Windows 10 features -ms.prod: w10 -ms.mktglfcycl: plan -ms.localizationpriority: medium -ms.sitesec: library -author: greg-lindsay -manager: laurawi -ms.author: greglin -ms.topic: article ---- -# Windows 10 features lifecycle - -- Applies to: Windows 10 - -Each release of Windows 10 contains many new and improved features. Occasionally we also remove features and functionality, usually because there is a better option. - -## Features removed or planned for replacement - -See the following for details about feature support for each release of Windows 10. - -[Windows 10, version 1903](windows-10-1903-removed-features.md)
          -[Windows 10, version 1809](windows-10-1809-removed-features.md)
          -[Windows 10, version 1803](windows-10-1803-removed-features.md)
          -[Windows 10, version 1709](windows-10-1709-removed-features.md)
          -[Windows 10, version 1703](windows-10-1703-removed-features.md) - -Also see: [Windows 10 release information](https://docs.microsoft.com/windows/release-information/) - -## Terminology - -The following terms can be used to describe the status that might be assigned to a feature during its lifecycle. - -- **Deprecation**: The stage of the product lifecycle when a feature or functionality is no longer in active development and may be removed in future releases of a product or online service. -- **End of support**: The stage of the product lifecycle when support and servicing are no longer available for a product. -- **Retirement**: The stage of the product lifecycle when an online service is shut down so that it is no longer available for use. -- **Remove or retire a feature**: The stage of the product lifecycle when a feature or functionality is removed from an online service after it has been deprecated. -- **Replace a feature**: The stage of the product lifecycle when a feature or functionality in an online service is replaced with a different feature or functionality. +--- +title: Windows 10 features lifecycle +description: Learn about the lifecycle of Windows 10 features +ms.prod: w10 +ms.mktglfcycl: plan +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro author: greg-lindsay +manager: laurawi +ms.author: greglin +ms.topic: article +--- +# Windows 10 features lifecycle + +- Applies to: Windows 10 + +Each release of Windows 10 contains many new and improved features. Occasionally we also remove features and functionality, usually because there is a better option. + +## Features removed or planned for replacement + +See the following for details about feature support for each release of Windows 10. + +[Windows 10, version 1903](windows-10-1903-removed-features.md)
          +[Windows 10, version 1809](windows-10-1809-removed-features.md)
          +[Windows 10, version 1803](windows-10-1803-removed-features.md)
          +[Windows 10, version 1709](windows-10-1709-removed-features.md)
          +[Windows 10, version 1703](windows-10-1703-removed-features.md) + +Also see: [Windows 10 release information](https://docs.microsoft.com/windows/release-information/) + +## Terminology + +The following terms can be used to describe the status that might be assigned to a feature during its lifecycle. + +- **Deprecation**: The stage of the product lifecycle when a feature or functionality is no longer in active development and may be removed in future releases of a product or online service. +- **End of support**: The stage of the product lifecycle when support and servicing are no longer available for a product. +- **Retirement**: The stage of the product lifecycle when an online service is shut down so that it is no longer available for use. +- **Remove or retire a feature**: The stage of the product lifecycle when a feature or functionality is removed from an online service after it has been deprecated. +- **Replace a feature**: The stage of the product lifecycle when a feature or functionality in an online service is replaced with a different feature or functionality. diff --git a/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md b/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md index 96bc5e3a59..98986e0bfd 100644 --- a/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md +++ b/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md @@ -1,76 +1,76 @@ ---- -title: Fixing Applications by Using the SUA Tool (Windows 10) -description: On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application. -ms.assetid: 7f5947b1-977b-4d7e-bb52-fbe8e76f6b8b -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Fixing Applications by Using the SUA Tool - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application. - -**To fix an application by using the SUA tool** - -1. Use the SUA tool to test an application. For more information, see [Using the SUA Tool](using-the-sua-tool.md). - -2. After you finish testing, open the SUA tool. - -3. On the **Mitigation** menu, click the command that corresponds to the action that you want to take. The following table describes the commands. - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Mitigation menu commandDescription

          Apply Mitigations

          Opens the Mitigate AppCompat Issues dialog box, in which you can select the fixes that you intend to apply to the application.

          Undo Mitigations

          Removes the application fixes that you just applied.

          -

          This option is available only after you apply an application fix and before you close the SUA tool. Alternatively, you can manually remove application fixes by using Programs and Features in Control Panel.

          Export Mitigations as Windows Installer file

          Exports your application fixes as a Windows® Installer (.msi) file, which can then be deployed to other computers that are running the application.

          - -   - -  - -  - - - - - +--- +title: Fixing Applications by Using the SUA Tool (Windows 10) +description: On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application. +ms.assetid: 7f5947b1-977b-4d7e-bb52-fbe8e76f6b8b +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Fixing Applications by Using the SUA Tool + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application. + +**To fix an application by using the SUA tool** + +1. Use the SUA tool to test an application. For more information, see [Using the SUA Tool](using-the-sua-tool.md). + +2. After you finish testing, open the SUA tool. + +3. On the **Mitigation** menu, click the command that corresponds to the action that you want to take. The following table describes the commands. + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Mitigation menu commandDescription

          Apply Mitigations

          Opens the Mitigate AppCompat Issues dialog box, in which you can select the fixes that you intend to apply to the application.

          Undo Mitigations

          Removes the application fixes that you just applied.

          +

          This option is available only after you apply an application fix and before you close the SUA tool. Alternatively, you can manually remove application fixes by using Programs and Features in Control Panel.

          Export Mitigations as Windows Installer file

          Exports your application fixes as a Windows® Installer (.msi) file, which can then be deployed to other computers that are running the application.

          + +   + +  + +  + + + + + diff --git a/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md b/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md index cc28f2ebb0..6159fe34e5 100644 --- a/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md +++ b/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md @@ -1,67 +1,67 @@ ---- -title: Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator (Windows 10) -description: The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. -ms.assetid: 659c9d62-5f32-433d-94aa-12141c01368f -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. Both the custom databases and the standard databases store the known compatibility fixes, compatibility modes, and AppHelp messages. They also store the required application-matching information for installation on your local computers. - -By default, the Windows® operating system installs a System Application Fix database for use with the Compatibility Administrator. This database can be updated through Windows Update, and is stored in the %WINDIR% \\AppPatch directory. Your custom databases are automatically stored in the %WINDIR% \\AppPatch\\Custom directory and are installed by using the Sdbinst.exe tool provided with the Compatibility Administrator. - -**Important**   -Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to work with custom databases for 32-bit applications and the 64-bit version to work with custom databases for 64-bit applications. - -In addition, you must deploy your databases to your organization’s computers before the included fixes will have any effect on the application issue. For more information about deploying your database, see [Using the Sdbinst.exe Command-Line Tool](using-the-sdbinstexe-command-line-tool.md). - - - -## Installing a Custom Database - - -Installing your custom-compatibility database enables you to fix issues with your installed applications. - -**To install a custom database** - -1. In the left-side pane of Compatibility Administrator, click the custom database to install to your local computers. - -2. On the **File** menu, click **Install**. - - The Compatibility Administrator installs the database, which appears in the **Installed Databases** list. - - The relationship between your database file and an included application occurs in the registry. Every time you start an application, the operating system checks the registry for compatibility-fix information and, if found, retrieves the information from your customized database file. - -## Uninstalling a Custom Database - - -When a custom database is no longer necessary, either because the applications are no longer used or because the vendor has provided a fix that resolves the compatibility issues, you can uninstall the custom database. - -**To uninstall a custom database** - -1. In the **Installed Databases** list, which appears in the left-side pane of Compatibility Administrator, click the database to uninstall from your local computers. - -2. On the **File** menu, click **Uninstall**. - -## Related topics -[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) +--- +title: Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator (Windows 10) +description: The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. +ms.assetid: 659c9d62-5f32-433d-94aa-12141c01368f +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. Both the custom databases and the standard databases store the known compatibility fixes, compatibility modes, and AppHelp messages. They also store the required application-matching information for installation on your local computers. + +By default, the Windows® operating system installs a System Application Fix database for use with the Compatibility Administrator. This database can be updated through Windows Update, and is stored in the %WINDIR% \\AppPatch directory. Your custom databases are automatically stored in the %WINDIR% \\AppPatch\\Custom directory and are installed by using the Sdbinst.exe tool provided with the Compatibility Administrator. + +**Important**   +Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to work with custom databases for 32-bit applications and the 64-bit version to work with custom databases for 64-bit applications. + +In addition, you must deploy your databases to your organization’s computers before the included fixes will have any effect on the application issue. For more information about deploying your database, see [Using the Sdbinst.exe Command-Line Tool](using-the-sdbinstexe-command-line-tool.md). + + + +## Installing a Custom Database + + +Installing your custom-compatibility database enables you to fix issues with your installed applications. + +**To install a custom database** + +1. In the left-side pane of Compatibility Administrator, click the custom database to install to your local computers. + +2. On the **File** menu, click **Install**. + + The Compatibility Administrator installs the database, which appears in the **Installed Databases** list. + + The relationship between your database file and an included application occurs in the registry. Every time you start an application, the operating system checks the registry for compatibility-fix information and, if found, retrieves the information from your customized database file. + +## Uninstalling a Custom Database + + +When a custom database is no longer necessary, either because the applications are no longer used or because the vendor has provided a fix that resolves the compatibility issues, you can uninstall the custom database. + +**To uninstall a custom database** + +1. In the **Installed Databases** list, which appears in the left-side pane of Compatibility Administrator, click the database to uninstall from your local computers. + +2. On the **File** menu, click **Uninstall**. + +## Related topics +[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) diff --git a/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md b/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md index 086ada5b3c..47e9283fef 100644 --- a/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md +++ b/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md @@ -1,66 +1,66 @@ ---- -title: Managing Application-Compatibility Fixes and Custom Fix Databases (Windows 10) -description: This section provides information about managing your application-compatibility fixes and custom-compatibility fix databases. This section explains the reasons for using compatibility fixes and how to deploy custom-compatibility fix databases. -ms.assetid: 9c2e9396-908e-4a36-ad67-2e40452ce017 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Managing Application-Compatibility Fixes and Custom Fix Databases - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -This section provides information about managing your application-compatibility fixes and custom-compatibility fix databases. This section explains the reasons for using compatibility fixes and how to deploy custom-compatibility fix databases. - -## In this section - - - ---- - - - - - - - - - - - - - - - - - - - - -
          TopicDescription

          Understanding and Using Compatibility Fixes

          As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change. This can cause problems for applications that relied upon the original implementation. You can avoid compatibility issues by using the Microsoft Windows Application Compatibility (Compatibility Fix) infrastructure to create a specific application fix for a particular version of an application.

          Compatibility Fix Database Management Strategies and Deployment

          After you determine that you will use compatibility fixes in your application-compatibility mitigation strategy, you must define a strategy to manage your custom compatibility-fix database. Typically, you can use one of two approaches:

          Testing Your Application Mitigation Packages

          This topic provides details about testing your application-mitigation packages, including recommendations about how to report your information and how to resolve any outstanding issues.

          - - - -## Related topics -[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) - -[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md) +--- +title: Managing Application-Compatibility Fixes and Custom Fix Databases (Windows 10) +description: This section provides information about managing your application-compatibility fixes and custom-compatibility fix databases. This section explains the reasons for using compatibility fixes and how to deploy custom-compatibility fix databases. +ms.assetid: 9c2e9396-908e-4a36-ad67-2e40452ce017 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Managing Application-Compatibility Fixes and Custom Fix Databases + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +This section provides information about managing your application-compatibility fixes and custom-compatibility fix databases. This section explains the reasons for using compatibility fixes and how to deploy custom-compatibility fix databases. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + +
          TopicDescription

          Understanding and Using Compatibility Fixes

          As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change. This can cause problems for applications that relied upon the original implementation. You can avoid compatibility issues by using the Microsoft Windows Application Compatibility (Compatibility Fix) infrastructure to create a specific application fix for a particular version of an application.

          Compatibility Fix Database Management Strategies and Deployment

          After you determine that you will use compatibility fixes in your application-compatibility mitigation strategy, you must define a strategy to manage your custom compatibility-fix database. Typically, you can use one of two approaches:

          Testing Your Application Mitigation Packages

          This topic provides details about testing your application-mitigation packages, including recommendations about how to report your information and how to resolve any outstanding issues.

          + + + +## Related topics +[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) + +[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md) diff --git a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md index c0111f5cee..6dca43c7ac 100644 --- a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md +++ b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md @@ -1,131 +1,131 @@ ---- -title: Prepare your organization for Windows To Go (Windows 10) -description: Prepare your organization for Windows To Go -ms.assetid: f3f3c160-90ad-40a8-aeba-2aedee18f7ff -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: ["mobile, device, USB, deploy"] -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: mobility -ms.sitesec: library -author: greg-lindsay -ms.topic: article ---- - -# Prepare your organization for Windows To Go - - -**Applies to** - -- Windows 10 - ->[!IMPORTANT] ->Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. - -The following information is provided to help you plan and design a new deployment of a Windows To Go in your production environment. It provides answers to the “what”, “why”, and “when” questions an IT professional might have when planning to deploy Windows To Go. - -## What is Windows To Go? - - -Windows To Go is a feature of Windows 10 Enterprise and Windows 10 Education that enables users to boot Windows from a USB-connected external drive. Windows To Go drives can use the same image that enterprises use for their desktops and laptops, and can be managed the same way. Offering a new mobility option, a Windows To Go workspace is not intended to replace desktops or laptops, or supplant other mobility offerings. - -Enterprise customers utilizing Volume Activation Windows licensing will be able to deploy USB drives provisioned with Windows To Go workspace. These drives will be bootable on multiple compatible host computers. Compatible host computers are computers that are: - -- USB boot capable -- Have USB boot enabled in the firmware -- Meet Windows 7 minimum system requirements -- Have compatible processor architectures (for example, x86 or AMD64) as the image used to create the Windows To Go workspace. ARM is not a supported processor for Windows To Go. -- Have firmware architecture that is compatible with the architecture of the image used for the Windows To Go workspace - -Booting a Windows To Go workspace requires no specific software on the host computer. PCs certified for Windows 7 and later can host Windows To Go. - -The following topics will familiarize you with how you can use a Windows To Go workspace and give you an overview of some of the things you should consider in your design. - -## Usage scenarios - - -The following scenarios are examples of situations in which Windows To Go workspaces provide a solution for an IT implementer: - -- **Continuance of operations (COO).** In this scenario, selected employees receive a USB drive with a Windows To Go workspace, which includes all of the applications that the employees use at work. The employees can keep the device at home, in a briefcase, or wherever they want to store it until needed. When the users boot their home computer from the USB drive, it will create a corporate desktop experience so that they can quickly start working. On the very first boot, the employee sees that Windows is installing devices; after that one time, the Windows To Go drive boots like a normal computer. If they have enterprise network access, employees can use a virtual private network (VPN) connection or DirectAccess to access corporate resources. If the enterprise network is available, the Windows To Go workspace will automatically be updated using your standard client management processes. - -- **Contractors and temporary workers.** In this situation, an enterprise IT pro or manager would distribute the Windows To Go drive directly to the worker where they can be assisted with any necessary additional user education needs or address any possible compatibility issues. While the worker is on assignment, they can boot their computer exclusively from the Windows To Go drive and run all applications in that environment until the end of the assignment when the device is returned. No installation of software is required on the worker’s personal computer. - -- **Managed free seating.** The employee is issued a Windows To Go drive that is then used with the host computer assigned to that employee for a given session (this could be a vehicle, workspace, or standalone laptop). When the employee leaves the session, the next time they return they use the same USB flash drive but use a different host computer. - -- **Work from home.** In this situation, the Windows To Go drive can be provisioned for employees using various methods including System Center Configuration Manager or other deployment tools and then distributed to employees. The employee is instructed to boot the Windows To Go drive initially at work, which caches the employee’s credentials on the Windows To Go workspace and allows the initial data synchronization between the enterprise network and the Windows To Go workspace. The user can then bring the Windows To Go drive home where it can be used with their home computer, with or without enterprise network connectivity. - -- **Travel lightly.** In this situation you have employees who are moving from site to site, but who always will have access to a compatible host computer on site. Using Windows To Go workspaces allows them to travel without the need to pack their PC. - -**Note**   -If the employee wants to work offline for the majority of the time, but still maintain the ability to use the drive on the enterprise network, they should be informed of how often the Windows To Go workspace needs to be connected to the enterprise network. Doing so will ensure that the drive retains its access privileges and the workspace’s computer object is not potentially deleted from Active Directory Domain Services (AD DS). - - - -## Infrastructure considerations - - -Because Windows To Go requires no additional software and minimal configuration, the same tools used to deploy images to other PCs can be used by an enterprise to install Windows To Go on a large group of USB devices. Moreover, because Windows To Go is compatible with connectivity and synchronization solutions already in use—such as Remote Desktop, DirectAccess and Folder Redirection—no additional infrastructure or management is necessary for this deployment. A Windows To Go image can be created on a USB drive that is identical to the hard drive inside a desktop. However, you may wish to consider making some modifications to your infrastructure to help make management of Windows To Go drives easier and to be able to identify them as a distinct device group. - -## Activation considerations - - -Windows To Go uses volume activation. You can use either Active Directory-based activation or KMS activation with Windows To Go. The Windows To Go workspace counts as another installation when assessing compliance with application licensing agreements. - -Microsoft software, such as Microsoft Office, distributed to a Windows To Go workspace must also be activated. Office deployment is fully supported on Windows To Go. Please note, due to the retail subscription activation method associated with Office 365 ProPlus, Office 365 ProPlus subscribers are provided volume licensing activation rights for Office Professional Plus 2013 MSI for local installation on the Windows To Go drive. This is available to organizations who purchase Office 365 ProPlus or Office 365 Enterprise SKUs containing Office 365 ProPlus via volume licensing channels. For more information about activating Microsoft Office, see [Volume activation methods in Office 2013](https://go.microsoft.com/fwlink/p/?LinkId=618922). - -You should investigate other software manufacturer’s licensing requirements to ensure they are compatible with roaming usage before deploying them to a Windows To Go workspace. - -**Note**   -Using Multiple Activation Key (MAK) activation is not a supported activation method for Windows To Go as each different PC-host would require separate activation. MAK activation should not be used for activating Windows, Office, or any other application on a Windows To Go drive. - - - -See [Plan for Volume Activation](https://go.microsoft.com/fwlink/p/?LinkId=618923) for more information about these activation methods and how they can be used in your organization. - -## Organizational unit structure and use of Group Policy Objects - - -You may find it beneficial to create additional Active Directory organizational unit (OU) structures to support your Windows To Go deployment; one for host computer accounts and one for Windows To Go workspace computer accounts. Creating an organizational unit for host computers allows you to enable the Windows To Go Startup Options using Group Policy for only the computers that will be used as Windows To Go hosts. Setting this policy helps to prevent computers from being accidentally configured to automatically boot from USB devices and allows closer monitoring and control of those computers which have the ability to boot from a USB device. The organizational unit for Windows To Go workspaces allows you to apply specific policy controls to them, such as the ability to use the Store application, power state controls, and line-of-business application installation. - -If you are deploying Windows To Go workspaces for a scenario in which they are not going to be roaming, but are instead being used on the same host computer, such as with temporary or contract employees, you might wish to enable hibernation or the Windows Store. - -For more information about Group Policy settings that can be used with Windows To Go, see [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) - -## Computer account management - - -If you configure Windows To Go drives for scenarios where drives may remain unused for extended period of time such as use in continuance of operations scenarios, the AD DS computer account objects that correspond to Windows To Go drives have the potential to become stale and be pruned during maintenance operations. To address this issue, you should either have users log on regularly according to a schedule or modify any maintenance scripts to not clean up computer accounts in the Windows To Go device organizational unit. - -## User account and data management - - -People use computers to work with data and consume content - that is their core function. The data must be stored and retrievable for it to be useful. When users are working in a Windows To Go workspace, they need to have the ability to get to the data that they work with and to keep it accessible when the workspace is not being used. For this reason we recommend that you use folder redirection and offline files to redirect the path of local folders (such as the Documents folder) to a network location, while caching the contents locally for increased speed and availability. We also recommend that you use roaming user profiles to synchronize user specific settings so that users receive the same operating system and application settings when using their Windows To Go workspace and their desktop computer. When a user signs in using a domain account that is set up with a file share as the profile path, the user’s profile is downloaded to the local computer and merged with the local profile (if present). When the user logs off the computer, the local copy of their profile, including any changes, is merged with the server copy of the profile. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](https://go.microsoft.com/fwlink/p/?LinkId=618924). - -Windows To Go is fully integrated with your Microsoft account. Setting synchronization is accomplished by connecting a Microsoft account to a user account. Windows To Go devices fully support this feature and can be managed by Group Policy so that the customization and configurations you prefer will be applied to your Windows To Go workspace. - -## Remote connectivity - - -If you want Windows To Go to be able to connect back to organizational resources when it is being used off-premises a remote connectivity solution must be enabled. Windows Server 2012 DirectAccess can be used as can a virtual private network (VPN) solution. For more information about configuring a remote access solution, see the [Remote Access (DirectAccess, Routing and Remote Access) Overview](https://go.microsoft.com/fwlink/p/?LinkId=618925). - -## Related topics - - -[Windows To Go: feature overview](windows-to-go-overview.md) - -[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) - -[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md) - -[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md) - - - - - - - - - +--- +title: Prepare your organization for Windows To Go (Windows 10) +description: Prepare your organization for Windows To Go +ms.assetid: f3f3c160-90ad-40a8-aeba-2aedee18f7ff +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: ["mobile, device, USB, deploy"] +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: mobility +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Prepare your organization for Windows To Go + + +**Applies to** + +- Windows 10 + +>[!IMPORTANT] +>Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. + +The following information is provided to help you plan and design a new deployment of a Windows To Go in your production environment. It provides answers to the “what”, “why”, and “when” questions an IT professional might have when planning to deploy Windows To Go. + +## What is Windows To Go? + + +Windows To Go is a feature of Windows 10 Enterprise and Windows 10 Education that enables users to boot Windows from a USB-connected external drive. Windows To Go drives can use the same image that enterprises use for their desktops and laptops, and can be managed the same way. Offering a new mobility option, a Windows To Go workspace is not intended to replace desktops or laptops, or supplant other mobility offerings. + +Enterprise customers utilizing Volume Activation Windows licensing will be able to deploy USB drives provisioned with Windows To Go workspace. These drives will be bootable on multiple compatible host computers. Compatible host computers are computers that are: + +- USB boot capable +- Have USB boot enabled in the firmware +- Meet Windows 7 minimum system requirements +- Have compatible processor architectures (for example, x86 or AMD64) as the image used to create the Windows To Go workspace. ARM is not a supported processor for Windows To Go. +- Have firmware architecture that is compatible with the architecture of the image used for the Windows To Go workspace + +Booting a Windows To Go workspace requires no specific software on the host computer. PCs certified for Windows 7 and later can host Windows To Go. + +The following topics will familiarize you with how you can use a Windows To Go workspace and give you an overview of some of the things you should consider in your design. + +## Usage scenarios + + +The following scenarios are examples of situations in which Windows To Go workspaces provide a solution for an IT implementer: + +- **Continuance of operations (COO).** In this scenario, selected employees receive a USB drive with a Windows To Go workspace, which includes all of the applications that the employees use at work. The employees can keep the device at home, in a briefcase, or wherever they want to store it until needed. When the users boot their home computer from the USB drive, it will create a corporate desktop experience so that they can quickly start working. On the very first boot, the employee sees that Windows is installing devices; after that one time, the Windows To Go drive boots like a normal computer. If they have enterprise network access, employees can use a virtual private network (VPN) connection or DirectAccess to access corporate resources. If the enterprise network is available, the Windows To Go workspace will automatically be updated using your standard client management processes. + +- **Contractors and temporary workers.** In this situation, an enterprise IT pro or manager would distribute the Windows To Go drive directly to the worker where they can be assisted with any necessary additional user education needs or address any possible compatibility issues. While the worker is on assignment, they can boot their computer exclusively from the Windows To Go drive and run all applications in that environment until the end of the assignment when the device is returned. No installation of software is required on the worker’s personal computer. + +- **Managed free seating.** The employee is issued a Windows To Go drive that is then used with the host computer assigned to that employee for a given session (this could be a vehicle, workspace, or standalone laptop). When the employee leaves the session, the next time they return they use the same USB flash drive but use a different host computer. + +- **Work from home.** In this situation, the Windows To Go drive can be provisioned for employees using various methods including System Center Configuration Manager or other deployment tools and then distributed to employees. The employee is instructed to boot the Windows To Go drive initially at work, which caches the employee’s credentials on the Windows To Go workspace and allows the initial data synchronization between the enterprise network and the Windows To Go workspace. The user can then bring the Windows To Go drive home where it can be used with their home computer, with or without enterprise network connectivity. + +- **Travel lightly.** In this situation you have employees who are moving from site to site, but who always will have access to a compatible host computer on site. Using Windows To Go workspaces allows them to travel without the need to pack their PC. + +**Note**   +If the employee wants to work offline for the majority of the time, but still maintain the ability to use the drive on the enterprise network, they should be informed of how often the Windows To Go workspace needs to be connected to the enterprise network. Doing so will ensure that the drive retains its access privileges and the workspace’s computer object is not potentially deleted from Active Directory Domain Services (AD DS). + + + +## Infrastructure considerations + + +Because Windows To Go requires no additional software and minimal configuration, the same tools used to deploy images to other PCs can be used by an enterprise to install Windows To Go on a large group of USB devices. Moreover, because Windows To Go is compatible with connectivity and synchronization solutions already in use—such as Remote Desktop, DirectAccess and Folder Redirection—no additional infrastructure or management is necessary for this deployment. A Windows To Go image can be created on a USB drive that is identical to the hard drive inside a desktop. However, you may wish to consider making some modifications to your infrastructure to help make management of Windows To Go drives easier and to be able to identify them as a distinct device group. + +## Activation considerations + + +Windows To Go uses volume activation. You can use either Active Directory-based activation or KMS activation with Windows To Go. The Windows To Go workspace counts as another installation when assessing compliance with application licensing agreements. + +Microsoft software, such as Microsoft Office, distributed to a Windows To Go workspace must also be activated. Office deployment is fully supported on Windows To Go. Please note, due to the retail subscription activation method associated with Office 365 ProPlus, Office 365 ProPlus subscribers are provided volume licensing activation rights for Office Professional Plus 2013 MSI for local installation on the Windows To Go drive. This is available to organizations who purchase Office 365 ProPlus or Office 365 Enterprise SKUs containing Office 365 ProPlus via volume licensing channels. For more information about activating Microsoft Office, see [Volume activation methods in Office 2013](https://go.microsoft.com/fwlink/p/?LinkId=618922). + +You should investigate other software manufacturer’s licensing requirements to ensure they are compatible with roaming usage before deploying them to a Windows To Go workspace. + +**Note**   +Using Multiple Activation Key (MAK) activation is not a supported activation method for Windows To Go as each different PC-host would require separate activation. MAK activation should not be used for activating Windows, Office, or any other application on a Windows To Go drive. + + + +See [Plan for Volume Activation](https://go.microsoft.com/fwlink/p/?LinkId=618923) for more information about these activation methods and how they can be used in your organization. + +## Organizational unit structure and use of Group Policy Objects + + +You may find it beneficial to create additional Active Directory organizational unit (OU) structures to support your Windows To Go deployment; one for host computer accounts and one for Windows To Go workspace computer accounts. Creating an organizational unit for host computers allows you to enable the Windows To Go Startup Options using Group Policy for only the computers that will be used as Windows To Go hosts. Setting this policy helps to prevent computers from being accidentally configured to automatically boot from USB devices and allows closer monitoring and control of those computers which have the ability to boot from a USB device. The organizational unit for Windows To Go workspaces allows you to apply specific policy controls to them, such as the ability to use the Store application, power state controls, and line-of-business application installation. + +If you are deploying Windows To Go workspaces for a scenario in which they are not going to be roaming, but are instead being used on the same host computer, such as with temporary or contract employees, you might wish to enable hibernation or the Windows Store. + +For more information about Group Policy settings that can be used with Windows To Go, see [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) + +## Computer account management + + +If you configure Windows To Go drives for scenarios where drives may remain unused for extended period of time such as use in continuance of operations scenarios, the AD DS computer account objects that correspond to Windows To Go drives have the potential to become stale and be pruned during maintenance operations. To address this issue, you should either have users log on regularly according to a schedule or modify any maintenance scripts to not clean up computer accounts in the Windows To Go device organizational unit. + +## User account and data management + + +People use computers to work with data and consume content - that is their core function. The data must be stored and retrievable for it to be useful. When users are working in a Windows To Go workspace, they need to have the ability to get to the data that they work with and to keep it accessible when the workspace is not being used. For this reason we recommend that you use folder redirection and offline files to redirect the path of local folders (such as the Documents folder) to a network location, while caching the contents locally for increased speed and availability. We also recommend that you use roaming user profiles to synchronize user specific settings so that users receive the same operating system and application settings when using their Windows To Go workspace and their desktop computer. When a user signs in using a domain account that is set up with a file share as the profile path, the user’s profile is downloaded to the local computer and merged with the local profile (if present). When the user logs off the computer, the local copy of their profile, including any changes, is merged with the server copy of the profile. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](https://go.microsoft.com/fwlink/p/?LinkId=618924). + +Windows To Go is fully integrated with your Microsoft account. Setting synchronization is accomplished by connecting a Microsoft account to a user account. Windows To Go devices fully support this feature and can be managed by Group Policy so that the customization and configurations you prefer will be applied to your Windows To Go workspace. + +## Remote connectivity + + +If you want Windows To Go to be able to connect back to organizational resources when it is being used off-premises a remote connectivity solution must be enabled. Windows Server 2012 DirectAccess can be used as can a virtual private network (VPN) solution. For more information about configuring a remote access solution, see the [Remote Access (DirectAccess, Routing and Remote Access) Overview](https://go.microsoft.com/fwlink/p/?LinkId=618925). + +## Related topics + + +[Windows To Go: feature overview](windows-to-go-overview.md) + +[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) + +[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md) + +[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md) + + + + + + + + + diff --git a/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md b/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md index d9d1e66b3a..66a530280c 100644 --- a/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md +++ b/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md @@ -1,79 +1,79 @@ ---- -title: Searching for Fixed Applications in Compatibility Administrator (Windows 10) -description: With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. -ms.assetid: 1051a2dc-0362-43a4-8ae8-07dae39b1cb8 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Searching for Fixed Applications in Compatibility Administrator - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. This is particularly useful if you are trying to identify applications with a specific compatibility fix or identifying which fixes are applied to a specific application. - -The **Query Compatibility Databases** tool provides additional search options. For more information, see [Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md). - -## Searching for Previously Applied Compatibility Fixes - - -**Important**   -You must perform your search with the correct version of the Compatibility Administrator tool. If you are searching for a 32-bit custom database, you must use the 32-bit version of Compatibility Administrator. If you are searching for a 64-bit custom database, you must use the 64-bit version of Compatibility Administrator. - - - -**To search for previous fixes** - -1. On the Compatibility Administrator toolbar, click **Search**. - -2. Click **Browse** to locate the directory location to search for .exe files. - -3. Select at least one check box from **Entries with Compatibility Fixes**, **Entries with Compatibility Modes**, or **Entries with AppHelp**. - -4. Click **Find Now**. - - The query runs, returning your results in the lower pane. - -## Viewing Your Query Results - - -Your query results display the affected files, the application location, the application name, the type of compatibility fix, and the custom database that provided the fix. - -## Exporting Your Query Results - - -You can export your search results to a text (.txt) file for later review or archival. - -**To export your search results** - -1. In the **Search for Fixes** dialog box, click **Export**. - -2. Browse to the location where you want to store your search result file, and then click **Save**. - -## Related topics -[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) - - - - - - - - - +--- +title: Searching for Fixed Applications in Compatibility Administrator (Windows 10) +description: With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. +ms.assetid: 1051a2dc-0362-43a4-8ae8-07dae39b1cb8 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Searching for Fixed Applications in Compatibility Administrator + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. This is particularly useful if you are trying to identify applications with a specific compatibility fix or identifying which fixes are applied to a specific application. + +The **Query Compatibility Databases** tool provides additional search options. For more information, see [Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md). + +## Searching for Previously Applied Compatibility Fixes + + +**Important**   +You must perform your search with the correct version of the Compatibility Administrator tool. If you are searching for a 32-bit custom database, you must use the 32-bit version of Compatibility Administrator. If you are searching for a 64-bit custom database, you must use the 64-bit version of Compatibility Administrator. + + + +**To search for previous fixes** + +1. On the Compatibility Administrator toolbar, click **Search**. + +2. Click **Browse** to locate the directory location to search for .exe files. + +3. Select at least one check box from **Entries with Compatibility Fixes**, **Entries with Compatibility Modes**, or **Entries with AppHelp**. + +4. Click **Find Now**. + + The query runs, returning your results in the lower pane. + +## Viewing Your Query Results + + +Your query results display the affected files, the application location, the application name, the type of compatibility fix, and the custom database that provided the fix. + +## Exporting Your Query Results + + +You can export your search results to a text (.txt) file for later review or archival. + +**To export your search results** + +1. In the **Search for Fixes** dialog box, click **Export**. + +2. Browse to the location where you want to store your search result file, and then click **Save**. + +## Related topics +[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) + + + + + + + + + diff --git a/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md b/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md index 6b62b5378a..08b12d19fc 100644 --- a/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md +++ b/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md @@ -1,183 +1,183 @@ ---- -title: Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator (Windows 10) -description: You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature. -ms.assetid: dd213b55-c71c-407a-ad49-33db54f82f22 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature. - -For information about the Search feature, see [Searching for Fixed Applications in Compatibility Administrator](searching-for-fixed-applications-in-compatibility-administrator.md). However, the Query tool provides more detailed search criteria, including tabs that enable you to search the program properties, the compatibility fix properties, and the fix description. You can perform a search by using SQL SELECT and WHERE clauses, in addition to searching specific types of databases. - -**Important**   -You must perform your search with the correct version of the Compatibility Administrator tool. To use the Query tool to search for a 32-bit custom database, you must use the 32-bit version of Compatibility Administrator. To use the Query tool to search for a 64-bit custom database, you must use the 64-bit version of Compatibility Administrator. - - - -## Querying by Using the Program Properties Tab - - -You can use the **Program Properties** tab of the Query tool to search for any compatibility fix, compatibility mode, or AppHelp for a specific application. - -**To query by using the Program Properties tab** - -1. On the Compatibility Administrator toolbar, click **Query**. - -2. In the **Look in** drop-down list, select the appropriate database type to search. - -3. Type the location of the application you are searching for into the **Search for the Application** field. - - This name should be the same as the name in the **Applications** area (left pane) of Compatibility Administrator. - -4. Type the application executable (.exe) file name into the **Search for the File** box. If you leave this box blank, the percent (%) sign appears as a wildcard to search for any file. - - You must designate the executable name that was given when the compatibility fix was added to the database. - -5. Optionally, select the check box for one of the following types of compatibility fix: - - - **Compatibility Modes** - - - **Compatibility Fixes** - - - **Application Helps** - - **Important**   - If you do not select any of the check boxes, the search will look for all types of compatibility fixes. Do not select multiple check boxes because only applications that match all of the requirements will appear. - - - -6. Click **Find Now**. - - The query runs and the results of the query are displayed in the lower pane. - -## Querying by Using the Fix Properties Tab - - -You can use the **Fix Properties** tab of the Query tool to search for any application affected by a specific compatibility fix or a compatibility mode. For example, you can search for any application affected by the ProfilesSetup compatibility mode. - -**To query by using the Fix Properties tab** - -1. On the Compatibility Administrator toolbar, click **Query**. - -2. Click the **Fix Properties** tab. - -3. In the **Look in** drop-down list, select the appropriate database type to search. - -4. Type the name of the compatibility fix or compatibility mode into the **Search for programs fixed using** field. - - **Note**   - You can use the percent (%) symbol as a wildcard in your fix-properties query, as a substitute for any string of zero or more characters. - - - -5. Select the check box for either **Search in Compatibility Fixes** or **Search in Compatibility Modes**. - - **Important**   - Your text must match the type of compatibility fix or mode for which you are performing the query. For example, entering the name of a compatibility fix and selecting the compatibility mode check box will not return any results. Additionally, if you select both check boxes, the query will search for the fix by compatibility mode and compatibility fix. Only applications that match both requirements appear. - - - -6. Click **Find Now**. - - The query runs and the results of the query are displayed in the lower pane. - -## Querying by Using the Fix Description Tab - - -You can use the **Fix Description** tab of the Query tool to add parameters that enable you to search your compatibility databases by application title or solution description text. - -**To query by using the Fix Description tab** - -1. On the Compatibility Administrator toolbar, click **Query**. - -2. Click the **Fix Description** tab. - -3. In the **Look in** drop-down list, select the appropriate database type to search. - -4. Type your search keywords into the box **Words to look for**. Use commas to separate multiple keywords. - - **Important**   - You cannot use wildcards as part of the Fix Description search query because the default behavior is to search for any entry that meets your search criteria. - - - -5. Refine your search by selecting **Match any word** or **Match all words** from the drop-down list. - -6. Click **Find Now**. - - The query runs and the results of the query are displayed in the lower pane. - -## Querying by Using the Fix Description Tab - - -You can use the **Fix Description** tab of the Query tool to add additional SQL Server SELECT and WHERE clauses to your search criteria. - -**To query by using the Advanced tab** - -1. On the Compatibility Administrator toolbar, click **Query**. - -2. Click the **Advanced** tab. - -3. In the **Look in** drop-down list, select the appropriate database type to search. - -4. Select the appropriate SELECT clause for your search from the **Select clauses** box. For example, **APP\_NAME**. - - The **APP\_NAME** clause appears in the **SELECT** field. You can add as many additional clauses as you require. They will appear as columns in your search results. - -5. Select the appropriate WHERE clause for your search from the **Where clauses** box. For example, **DATABASE\_NAME**. - - The **DATABASE\_NAME =** clause appears in the **WHERE** box. - -6. Type the appropriate clause criteria after the equal (=) sign in the **WHERE** box. For example, **DATABASE\_NAME = "Custom\_Database"**. - - You must surround your clause criteria text with quotation marks (") for the clause to function properly. - -7. Click **Find Now**. - - The query runs and the results of the query are displayed in the lower pane. - -## Exporting Your Search Results - - -You can export any of your search results into a tab-delimited text (.txt) file for later review or for archival purposes. - -**To export your results** - -1. After you have completed your search by using the Query tool, click **Export**. - - The **Save results to a file** dialog box appears. - -2. Browse to the location where you intend to store the search results file, and then click **Save**. - -## Related topics -[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) - - - - - - - - - +--- +title: Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator (Windows 10) +description: You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature. +ms.assetid: dd213b55-c71c-407a-ad49-33db54f82f22 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature. + +For information about the Search feature, see [Searching for Fixed Applications in Compatibility Administrator](searching-for-fixed-applications-in-compatibility-administrator.md). However, the Query tool provides more detailed search criteria, including tabs that enable you to search the program properties, the compatibility fix properties, and the fix description. You can perform a search by using SQL SELECT and WHERE clauses, in addition to searching specific types of databases. + +**Important**   +You must perform your search with the correct version of the Compatibility Administrator tool. To use the Query tool to search for a 32-bit custom database, you must use the 32-bit version of Compatibility Administrator. To use the Query tool to search for a 64-bit custom database, you must use the 64-bit version of Compatibility Administrator. + + + +## Querying by Using the Program Properties Tab + + +You can use the **Program Properties** tab of the Query tool to search for any compatibility fix, compatibility mode, or AppHelp for a specific application. + +**To query by using the Program Properties tab** + +1. On the Compatibility Administrator toolbar, click **Query**. + +2. In the **Look in** drop-down list, select the appropriate database type to search. + +3. Type the location of the application you are searching for into the **Search for the Application** field. + + This name should be the same as the name in the **Applications** area (left pane) of Compatibility Administrator. + +4. Type the application executable (.exe) file name into the **Search for the File** box. If you leave this box blank, the percent (%) sign appears as a wildcard to search for any file. + + You must designate the executable name that was given when the compatibility fix was added to the database. + +5. Optionally, select the check box for one of the following types of compatibility fix: + + - **Compatibility Modes** + + - **Compatibility Fixes** + + - **Application Helps** + + **Important**   + If you do not select any of the check boxes, the search will look for all types of compatibility fixes. Do not select multiple check boxes because only applications that match all of the requirements will appear. + + + +6. Click **Find Now**. + + The query runs and the results of the query are displayed in the lower pane. + +## Querying by Using the Fix Properties Tab + + +You can use the **Fix Properties** tab of the Query tool to search for any application affected by a specific compatibility fix or a compatibility mode. For example, you can search for any application affected by the ProfilesSetup compatibility mode. + +**To query by using the Fix Properties tab** + +1. On the Compatibility Administrator toolbar, click **Query**. + +2. Click the **Fix Properties** tab. + +3. In the **Look in** drop-down list, select the appropriate database type to search. + +4. Type the name of the compatibility fix or compatibility mode into the **Search for programs fixed using** field. + + **Note**   + You can use the percent (%) symbol as a wildcard in your fix-properties query, as a substitute for any string of zero or more characters. + + + +5. Select the check box for either **Search in Compatibility Fixes** or **Search in Compatibility Modes**. + + **Important**   + Your text must match the type of compatibility fix or mode for which you are performing the query. For example, entering the name of a compatibility fix and selecting the compatibility mode check box will not return any results. Additionally, if you select both check boxes, the query will search for the fix by compatibility mode and compatibility fix. Only applications that match both requirements appear. + + + +6. Click **Find Now**. + + The query runs and the results of the query are displayed in the lower pane. + +## Querying by Using the Fix Description Tab + + +You can use the **Fix Description** tab of the Query tool to add parameters that enable you to search your compatibility databases by application title or solution description text. + +**To query by using the Fix Description tab** + +1. On the Compatibility Administrator toolbar, click **Query**. + +2. Click the **Fix Description** tab. + +3. In the **Look in** drop-down list, select the appropriate database type to search. + +4. Type your search keywords into the box **Words to look for**. Use commas to separate multiple keywords. + + **Important**   + You cannot use wildcards as part of the Fix Description search query because the default behavior is to search for any entry that meets your search criteria. + + + +5. Refine your search by selecting **Match any word** or **Match all words** from the drop-down list. + +6. Click **Find Now**. + + The query runs and the results of the query are displayed in the lower pane. + +## Querying by Using the Fix Description Tab + + +You can use the **Fix Description** tab of the Query tool to add additional SQL Server SELECT and WHERE clauses to your search criteria. + +**To query by using the Advanced tab** + +1. On the Compatibility Administrator toolbar, click **Query**. + +2. Click the **Advanced** tab. + +3. In the **Look in** drop-down list, select the appropriate database type to search. + +4. Select the appropriate SELECT clause for your search from the **Select clauses** box. For example, **APP\_NAME**. + + The **APP\_NAME** clause appears in the **SELECT** field. You can add as many additional clauses as you require. They will appear as columns in your search results. + +5. Select the appropriate WHERE clause for your search from the **Where clauses** box. For example, **DATABASE\_NAME**. + + The **DATABASE\_NAME =** clause appears in the **WHERE** box. + +6. Type the appropriate clause criteria after the equal (=) sign in the **WHERE** box. For example, **DATABASE\_NAME = "Custom\_Database"**. + + You must surround your clause criteria text with quotation marks (") for the clause to function properly. + +7. Click **Find Now**. + + The query runs and the results of the query are displayed in the lower pane. + +## Exporting Your Search Results + + +You can export any of your search results into a tab-delimited text (.txt) file for later review or for archival purposes. + +**To export your results** + +1. After you have completed your search by using the Query tool, click **Export**. + + The **Save results to a file** dialog box appears. + +2. Browse to the location where you intend to store the search results file, and then click **Save**. + +## Related topics +[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) + + + + + + + + + diff --git a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md index 669dea7590..7eeaf18a3f 100644 --- a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md +++ b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md @@ -1,86 +1,86 @@ ---- -title: Security and data protection considerations for Windows To Go (Windows 10) -description: One of the most important requirements to consider when you plan your Windows To Go deployment is to ensure that the data, content, and resources you work with in the Windows To Go workspace is protected and secure. -ms.assetid: 5f27339f-6761-44f4-8c29-9a25cf8e75fe -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: mobile, device, USB, secure, BitLocker -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: mobility, security -ms.sitesec: library -author: greg-lindsay -ms.topic: article ---- - -# Security and data protection considerations for Windows To Go - - -**Applies to** - -- Windows 10 - ->[!IMPORTANT] ->Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. - -One of the most important requirements to consider when you plan your Windows To Go deployment is to ensure that the data, content, and resources you work with in the Windows To Go workspace is protected and secure. - -## Backup and restore - - -As long as you are not saving data on the Windows To Go drive, there is no need for a backup and restore solution for Windows To Go. If you are saving data on the drive and are not using folder redirection and offline files, you should back up all of your data to a network location, such as cloud storage or a network share after each work session. Review the new and improved features described in [Supporting Information Workers with Reliable File Services and Storage](https://go.microsoft.com/fwlink/p/?LinkId=619102) for different solutions you could implement. - -If the USB drive fails for any reason, the standard process to restore the drive to working condition is to reformat and re-provision the drive with Windows To Go, so all data and customization on the drive will be lost. This is another reason why using roaming user profiles, folder redirection and offline files with Windows To Go is strongly recommended. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](https://go.microsoft.com/fwlink/p/?LinkId=618924). - -## BitLocker - - -We recommend that you use BitLocker with your Windows To Go drives to protect the drive from being compromised if the drive is lost or stolen. When BitLocker is enabled, the user must provide a password to unlock the drive and boot the Windows To Go workspace, this helps prevent unauthorized users from booting the drive and using it to gain access to your network resources and confidential data. Because Windows To Go drives are meant to be roamed between computers, the Trusted Platform Module (TPM) cannot be used by BitLocker to protect the drive. Instead, you will be specifying a password that BitLocker will use for disk encryption and decryption. By default, this password must be eight characters in length and can enforce more strict requirements depending on the password complexity requirements defined by your organizations domain controller. - -You can enable BitLocker while using the Windows To Go Creator wizard as part of the drive provisioning process before first use; or it can be enabled afterward by the user from within the Windows To Go workspace. - -**Tip**   -If the Windows To Go Creator wizard is not able to enable BitLocker, see [Why can't I enable BitLocker from Windows To Go Creator?](windows-to-go-frequently-asked-questions.md#wtg-faq-blfail) - - - -If you are using a host computer running Windows 7 that has BitLocker enabled, you should suspend BitLocker before changing the BIOS settings to boot from USB and then resume BitLocker protection. If BitLocker is not suspended first, the next time the computer is started it will boot into recovery mode. - -## Disk discovery and data leakage - - -We recommend that you use the **NoDefaultDriveLetter** attribute when provisioning the USB drive to help prevent accidental data leakage. **NoDefaultDriveLetter** will prevent the host operating system from assigning a drive letter if a user inserts it into a running computer. This means the drive will not appear in Windows Explorer and an AutoPlay prompt will not be displayed to the user. This reduces the likelihood that an end-user will access the offline Windows To Go disk directly from another computer. If you use the Windows To Go Creator to provision a workspace, this attribute will automatically be set for you. - -To prevent accidental data leakage between Windows To Go and the host system Windows 8 has a new SAN policy—OFFLINE\_INTERNAL - “4” to prevent the operating system from automatically bringing online any internally connected disk. The default configuration for Windows To Go has this policy enabled. It is strongly recommended you do not change this policy to allow mounting of internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 operating system, mounting the drive will lead to loss of hibernation state and therefor user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted. - -For more information, see [How to Configure Storage Area Network (SAN) Policy in Windows PE](https://go.microsoft.com/fwlink/p/?LinkId=619103). - -## Security certifications for Windows To Go - - -Windows to Go is a core capability of Windows when it is deployed on the drive and is configured following the guidance for the applicable security certification. Solutions built using Windows To Go can be submitted for additional certifications by the solution provider that cover the solution provider’s specific hardware environment. For more details about Windows security certifications, see the following topics. - -- [Windows Platform Common Criteria Certification](https://go.microsoft.com/fwlink/p/?LinkId=619104) - -- [FIPS 140 Evaluation](https://go.microsoft.com/fwlink/p/?LinkId=619107) - -## Related topics - - -[Windows To Go: feature overview](windows-to-go-overview.md) - -[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md) - -[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) - -[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md) - - - - - - - - - +--- +title: Security and data protection considerations for Windows To Go (Windows 10) +description: One of the most important requirements to consider when you plan your Windows To Go deployment is to ensure that the data, content, and resources you work with in the Windows To Go workspace is protected and secure. +ms.assetid: 5f27339f-6761-44f4-8c29-9a25cf8e75fe +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: mobile, device, USB, secure, BitLocker +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: mobility, security +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Security and data protection considerations for Windows To Go + + +**Applies to** + +- Windows 10 + +>[!IMPORTANT] +>Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. + +One of the most important requirements to consider when you plan your Windows To Go deployment is to ensure that the data, content, and resources you work with in the Windows To Go workspace is protected and secure. + +## Backup and restore + + +As long as you are not saving data on the Windows To Go drive, there is no need for a backup and restore solution for Windows To Go. If you are saving data on the drive and are not using folder redirection and offline files, you should back up all of your data to a network location, such as cloud storage or a network share after each work session. Review the new and improved features described in [Supporting Information Workers with Reliable File Services and Storage](https://go.microsoft.com/fwlink/p/?LinkId=619102) for different solutions you could implement. + +If the USB drive fails for any reason, the standard process to restore the drive to working condition is to reformat and re-provision the drive with Windows To Go, so all data and customization on the drive will be lost. This is another reason why using roaming user profiles, folder redirection and offline files with Windows To Go is strongly recommended. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](https://go.microsoft.com/fwlink/p/?LinkId=618924). + +## BitLocker + + +We recommend that you use BitLocker with your Windows To Go drives to protect the drive from being compromised if the drive is lost or stolen. When BitLocker is enabled, the user must provide a password to unlock the drive and boot the Windows To Go workspace, this helps prevent unauthorized users from booting the drive and using it to gain access to your network resources and confidential data. Because Windows To Go drives are meant to be roamed between computers, the Trusted Platform Module (TPM) cannot be used by BitLocker to protect the drive. Instead, you will be specifying a password that BitLocker will use for disk encryption and decryption. By default, this password must be eight characters in length and can enforce more strict requirements depending on the password complexity requirements defined by your organizations domain controller. + +You can enable BitLocker while using the Windows To Go Creator wizard as part of the drive provisioning process before first use; or it can be enabled afterward by the user from within the Windows To Go workspace. + +**Tip**   +If the Windows To Go Creator wizard is not able to enable BitLocker, see [Why can't I enable BitLocker from Windows To Go Creator?](windows-to-go-frequently-asked-questions.md#wtg-faq-blfail) + + + +If you are using a host computer running Windows 7 that has BitLocker enabled, you should suspend BitLocker before changing the BIOS settings to boot from USB and then resume BitLocker protection. If BitLocker is not suspended first, the next time the computer is started it will boot into recovery mode. + +## Disk discovery and data leakage + + +We recommend that you use the **NoDefaultDriveLetter** attribute when provisioning the USB drive to help prevent accidental data leakage. **NoDefaultDriveLetter** will prevent the host operating system from assigning a drive letter if a user inserts it into a running computer. This means the drive will not appear in Windows Explorer and an AutoPlay prompt will not be displayed to the user. This reduces the likelihood that an end-user will access the offline Windows To Go disk directly from another computer. If you use the Windows To Go Creator to provision a workspace, this attribute will automatically be set for you. + +To prevent accidental data leakage between Windows To Go and the host system Windows 8 has a new SAN policy—OFFLINE\_INTERNAL - “4” to prevent the operating system from automatically bringing online any internally connected disk. The default configuration for Windows To Go has this policy enabled. It is strongly recommended you do not change this policy to allow mounting of internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 operating system, mounting the drive will lead to loss of hibernation state and therefor user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted. + +For more information, see [How to Configure Storage Area Network (SAN) Policy in Windows PE](https://go.microsoft.com/fwlink/p/?LinkId=619103). + +## Security certifications for Windows To Go + + +Windows to Go is a core capability of Windows when it is deployed on the drive and is configured following the guidance for the applicable security certification. Solutions built using Windows To Go can be submitted for additional certifications by the solution provider that cover the solution provider’s specific hardware environment. For more details about Windows security certifications, see the following topics. + +- [Windows Platform Common Criteria Certification](https://go.microsoft.com/fwlink/p/?LinkId=619104) + +- [FIPS 140 Evaluation](https://go.microsoft.com/fwlink/p/?LinkId=619107) + +## Related topics + + +[Windows To Go: feature overview](windows-to-go-overview.md) + +[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md) + +[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) + +[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md) + + + + + + + + + diff --git a/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md b/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md index c0541bd6d3..08db3b24d6 100644 --- a/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md +++ b/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md @@ -1,80 +1,80 @@ ---- -title: Showing Messages Generated by the SUA Tool (Windows 10) -description: On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated. -ms.assetid: 767eb7f2-d6c4-414c-a7b3-a997337d904a -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Showing Messages Generated by the SUA Tool - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated. - -**To show the messages that the SUA tool has generated** - -1. Use the SUA tool to test an application. For more information, see [Using the SUA Tool](using-the-sua-tool.md). - -2. After you finish testing, in the SUA tool, click the **App Info** tab. - -3. On the **View** menu, click the command that corresponds to the messages that you want to see. The following table describes the commands. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          View menu commandDescription

          Error Messages

          When this command is selected, the user interface shows error messages that the SUA tool has generated. Error messages are highlighted in pink.

          -

          This command is selected by default.

          Warning Messages

          When this command is selected, the user interface shows warning messages that the SUA tool has generated. Warning messages are highlighted in yellow.

          Information Messages

          When this command is selected, the user interface shows informational messages that the SUA tool has generated. Informational messages are highlighted in green.

          Detailed Information

          When this command is selected, the user interface shows information that the SUA tool has generated, such as debug, stack trace, stop code, and severity information.

          - -   - -  - -  - - - - - +--- +title: Showing Messages Generated by the SUA Tool (Windows 10) +description: On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated. +ms.assetid: 767eb7f2-d6c4-414c-a7b3-a997337d904a +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Showing Messages Generated by the SUA Tool + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated. + +**To show the messages that the SUA tool has generated** + +1. Use the SUA tool to test an application. For more information, see [Using the SUA Tool](using-the-sua-tool.md). + +2. After you finish testing, in the SUA tool, click the **App Info** tab. + +3. On the **View** menu, click the command that corresponds to the messages that you want to see. The following table describes the commands. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          View menu commandDescription

          Error Messages

          When this command is selected, the user interface shows error messages that the SUA tool has generated. Error messages are highlighted in pink.

          +

          This command is selected by default.

          Warning Messages

          When this command is selected, the user interface shows warning messages that the SUA tool has generated. Warning messages are highlighted in yellow.

          Information Messages

          When this command is selected, the user interface shows informational messages that the SUA tool has generated. Informational messages are highlighted in green.

          Detailed Information

          When this command is selected, the user interface shows information that the SUA tool has generated, such as debug, stack trace, stop code, and severity information.

          + +   + +  + +  + + + + + diff --git a/windows/deployment/planning/sua-users-guide.md b/windows/deployment/planning/sua-users-guide.md index 7a6dceac00..e0adb30d1a 100644 --- a/windows/deployment/planning/sua-users-guide.md +++ b/windows/deployment/planning/sua-users-guide.md @@ -1,69 +1,69 @@ ---- -title: SUA User's Guide (Windows 10) -description: You can use Standard User Analyzer (SUA) to test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows. -ms.assetid: ea525c25-b557-4ed4-b042-3e4d0e543e10 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# SUA User's Guide - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -You can use Standard User Analyzer (SUA) to test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows. - -You can use SUA in either of the following ways: - -- **Standard User Analyzer Wizard.** A wizard that guides you through a step-by-step process to locate and fix issues, without options for additional analysis. - -- **Standard User Analyzer Tool.** A full-function tool in which you can perform in-depth analysis and fix issues. - -## In this section - - - ---- - - - - - - - - - - - - - - - - -
          TopicDescription

          Using the SUA Wizard

          The Standard User Analyzer (SUA) Wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA Wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions.

          Using the SUA Tool

          By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.

          - - - - - - - - +--- +title: SUA User's Guide (Windows 10) +description: You can use Standard User Analyzer (SUA) to test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows. +ms.assetid: ea525c25-b557-4ed4-b042-3e4d0e543e10 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# SUA User's Guide + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +You can use Standard User Analyzer (SUA) to test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows. + +You can use SUA in either of the following ways: + +- **Standard User Analyzer Wizard.** A wizard that guides you through a step-by-step process to locate and fix issues, without options for additional analysis. + +- **Standard User Analyzer Tool.** A full-function tool in which you can perform in-depth analysis and fix issues. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + +
          TopicDescription

          Using the SUA Wizard

          The Standard User Analyzer (SUA) Wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA Wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions.

          Using the SUA Tool

          By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.

          + + + + + + + + diff --git a/windows/deployment/planning/tabs-on-the-sua-tool-interface.md b/windows/deployment/planning/tabs-on-the-sua-tool-interface.md index 3b99031120..d58bf1d2ce 100644 --- a/windows/deployment/planning/tabs-on-the-sua-tool-interface.md +++ b/windows/deployment/planning/tabs-on-the-sua-tool-interface.md @@ -1,105 +1,105 @@ ---- -title: Tabs on the SUA Tool Interface (Windows 10) -description: The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze. -ms.assetid: 0d705321-1d85-4217-bf2c-0ca231ca303b -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Tabs on the SUA Tool Interface - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze. - -The following table provides a description of each tab on the user interface for the SUA tool. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Tab nameDescription

          App Info

          Provides the following information for the selected application:

          -
            -

          • Debugging information

            • -

          • Error, warning, and informational messages (if they are enabled)

            • -

          • Options for running the application

            • -

          File

          Provides information about access to the file system.

          -

          For example, this tab might show an attempt to write to a file that only administrators can typically access.

          Registry

          Provides information about access to the system registry.

          -

          For example, this tab might show an attempt to write to a registry key that only administrators can typically access.

          INI

          Provides information about WriteProfile API issues.

          -

          For example, in the Calculator tool (Calc.exe) in Windows® XP, when you change the view from Standard to Scientific, Calc.exe calls the WriteProfile API to write to the Windows\Win.ini file. The Win.ini file is writable only for administrators.

          Token

          Provides information about access-token checking.

          -

          For example, this tab might show an explicit check for the Builtin\Administrators security identifier (SID) in the user's access token. This operation may not work for a standard user.

          Privilege

          Provides information about permissions.

          -

          For example, this tab might show an attempt to explicitly enable permissions that do not work for a standard user.

          Name Space

          Provides information about creation of system objects.

          -

          For example, this tab might show an attempt to create a new system object, such as an event or a memory map, in a restricted namespace. Applications that attempt this kind of operation do not function for a standard user.

          Other Objects

          Provides information related to applications accessing objects other than files and registry keys.

          Process

          Provides information about process elevation.

          -

          For example, this tab might show the use of the CreateProcess API to open an executable (.exe) file that, in turn, requires process elevation that will not function for a standard user.

          - -  - -  - -  - - - - - +--- +title: Tabs on the SUA Tool Interface (Windows 10) +description: The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze. +ms.assetid: 0d705321-1d85-4217-bf2c-0ca231ca303b +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Tabs on the SUA Tool Interface + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze. + +The following table provides a description of each tab on the user interface for the SUA tool. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Tab nameDescription

          App Info

          Provides the following information for the selected application:

          +
            +

          • Debugging information

            • +

          • Error, warning, and informational messages (if they are enabled)

            • +

          • Options for running the application

            • +

          File

          Provides information about access to the file system.

          +

          For example, this tab might show an attempt to write to a file that only administrators can typically access.

          Registry

          Provides information about access to the system registry.

          +

          For example, this tab might show an attempt to write to a registry key that only administrators can typically access.

          INI

          Provides information about WriteProfile API issues.

          +

          For example, in the Calculator tool (Calc.exe) in Windows® XP, when you change the view from Standard to Scientific, Calc.exe calls the WriteProfile API to write to the Windows\Win.ini file. The Win.ini file is writable only for administrators.

          Token

          Provides information about access-token checking.

          +

          For example, this tab might show an explicit check for the Builtin\Administrators security identifier (SID) in the user's access token. This operation may not work for a standard user.

          Privilege

          Provides information about permissions.

          +

          For example, this tab might show an attempt to explicitly enable permissions that do not work for a standard user.

          Name Space

          Provides information about creation of system objects.

          +

          For example, this tab might show an attempt to create a new system object, such as an event or a memory map, in a restricted namespace. Applications that attempt this kind of operation do not function for a standard user.

          Other Objects

          Provides information related to applications accessing objects other than files and registry keys.

          Process

          Provides information about process elevation.

          +

          For example, this tab might show the use of the CreateProcess API to open an executable (.exe) file that, in turn, requires process elevation that will not function for a standard user.

          + +  + +  + +  + + + + + diff --git a/windows/deployment/planning/testing-your-application-mitigation-packages.md b/windows/deployment/planning/testing-your-application-mitigation-packages.md index 3c9115ff8a..180b884748 100644 --- a/windows/deployment/planning/testing-your-application-mitigation-packages.md +++ b/windows/deployment/planning/testing-your-application-mitigation-packages.md @@ -1,92 +1,92 @@ ---- -title: Testing Your Application Mitigation Packages (Windows 10) -description: This topic provides details about testing your application-mitigation packages, including recommendations about how to report your information and how to resolve any outstanding issues. -ms.assetid: ae946f27-d377-4db9-b179-e8875d454ccf -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Testing Your Application Mitigation Packages - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -This topic provides details about testing your application-mitigation packages, including recommendations about how to report your information and how to resolve any outstanding issues. - -## Testing Your Application Mitigation Packages - - -Testing your application mitigation package strategies is an iterative process, whereby the mitigation strategies that prove unsuccessful will need to be revised and retested. The testing process includes a series of tests in the test environment and one or more pilot deployments in the production environment. - -**To test your mitigation strategies** - -1. Perform the following steps for each of the applications for which you have developed mitigations. - - 1. Test the mitigation strategy in your test environment. - - 2. If the mitigation strategy is unsuccessful, revise the mitigation strategy and perform step 1 again. - - At the end of this step, you will have successfully tested all of your mitigation strategies in your test environment and can move to your pilot deployment environment. - -2. Perform the following steps in the pilot deployments for each of the applications for which you have developed mitigations. - - 1. Test the mitigation strategy in your pilot deployment. - - 2. If the mitigation strategy is unsuccessful, revise the mitigation strategy and perform Step 2 again. - - At the end of this step, you will have successfully tested all of your mitigation strategies in your pilot environment. - -## Reporting the Compatibility Mitigation Status to Stakeholders - - -After testing your application mitigation package, you must communicate your status to the appropriate stakeholders before deployment begins. We recommend that you perform this communication by using the following status ratings. - -- **Resolved application compatibility issues**. This status indicates that the application compatibility issues are resolved and that these applications represent no risk to your environment. - -- **Unresolved application compatibility issues**. This status indicates that there are unresolved issues for the specifically defined applications. Because these applications are a risk to your environment, more discussion is required before you can resolve the compatibility issues. - -- **Changes to user experience**. This status indicates that the fix will change the user experience for the defined applications, possibly requiring your staff to receive further training. More investigation is required before you can resolve the compatibility issues. - -- **Changes in help desk procedures and processes**. This status indicates that the fix will require changes to your help desk's procedures and processes, possibly requiring your support staff to receive further training. More investigation is required before you can resolve the compatibility issues. - -## Resolving Outstanding Compatibility Issues - - -At this point, you probably cannot resolve any unresolved application compatibility issues by automated mitigation methods or by modifying the application. Resolve any outstanding application compatibility issues by using one of the following methods. - -- Apply specific compatibility modes, or run the program as an Administrator, by using the Compatibility Administrator tool. - - **Note**   - For more information about using Compatibility Administrator to apply compatibility fixes and compatibility modes, see [Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md). - - - -- Run the application in a virtual environment. - - Run the application in a version of Windows supported by the application in a virtualized environment. This method ensures application compatibility, because the application is running on a supported operating system. - -- Resolve application compatibility by using non-Microsoft tools. - - If the application was developed in an environment other than Microsoft Visual Studio®, you must use non-Microsoft debugging and analysis tools to help resolve the remaining application compatibility issues. - -- Outsource the application compatibility mitigation. - - If your developers have insufficient resources to resolve the application compatibility issues, outsource the mitigation effort to another organization within your company. - -## Related topics -[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md) +--- +title: Testing Your Application Mitigation Packages (Windows 10) +description: This topic provides details about testing your application-mitigation packages, including recommendations about how to report your information and how to resolve any outstanding issues. +ms.assetid: ae946f27-d377-4db9-b179-e8875d454ccf +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Testing Your Application Mitigation Packages + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +This topic provides details about testing your application-mitigation packages, including recommendations about how to report your information and how to resolve any outstanding issues. + +## Testing Your Application Mitigation Packages + + +Testing your application mitigation package strategies is an iterative process, whereby the mitigation strategies that prove unsuccessful will need to be revised and retested. The testing process includes a series of tests in the test environment and one or more pilot deployments in the production environment. + +**To test your mitigation strategies** + +1. Perform the following steps for each of the applications for which you have developed mitigations. + + 1. Test the mitigation strategy in your test environment. + + 2. If the mitigation strategy is unsuccessful, revise the mitigation strategy and perform step 1 again. + + At the end of this step, you will have successfully tested all of your mitigation strategies in your test environment and can move to your pilot deployment environment. + +2. Perform the following steps in the pilot deployments for each of the applications for which you have developed mitigations. + + 1. Test the mitigation strategy in your pilot deployment. + + 2. If the mitigation strategy is unsuccessful, revise the mitigation strategy and perform Step 2 again. + + At the end of this step, you will have successfully tested all of your mitigation strategies in your pilot environment. + +## Reporting the Compatibility Mitigation Status to Stakeholders + + +After testing your application mitigation package, you must communicate your status to the appropriate stakeholders before deployment begins. We recommend that you perform this communication by using the following status ratings. + +- **Resolved application compatibility issues**. This status indicates that the application compatibility issues are resolved and that these applications represent no risk to your environment. + +- **Unresolved application compatibility issues**. This status indicates that there are unresolved issues for the specifically defined applications. Because these applications are a risk to your environment, more discussion is required before you can resolve the compatibility issues. + +- **Changes to user experience**. This status indicates that the fix will change the user experience for the defined applications, possibly requiring your staff to receive further training. More investigation is required before you can resolve the compatibility issues. + +- **Changes in help desk procedures and processes**. This status indicates that the fix will require changes to your help desk's procedures and processes, possibly requiring your support staff to receive further training. More investigation is required before you can resolve the compatibility issues. + +## Resolving Outstanding Compatibility Issues + + +At this point, you probably cannot resolve any unresolved application compatibility issues by automated mitigation methods or by modifying the application. Resolve any outstanding application compatibility issues by using one of the following methods. + +- Apply specific compatibility modes, or run the program as an Administrator, by using the Compatibility Administrator tool. + + **Note**   + For more information about using Compatibility Administrator to apply compatibility fixes and compatibility modes, see [Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md). + + + +- Run the application in a virtual environment. + + Run the application in a version of Windows supported by the application in a virtualized environment. This method ensures application compatibility, because the application is running on a supported operating system. + +- Resolve application compatibility by using non-Microsoft tools. + + If the application was developed in an environment other than Microsoft Visual Studio®, you must use non-Microsoft debugging and analysis tools to help resolve the remaining application compatibility issues. + +- Outsource the application compatibility mitigation. + + If your developers have insufficient resources to resolve the application compatibility issues, outsource the mitigation effort to another organization within your company. + +## Related topics +[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md) diff --git a/windows/deployment/planning/understanding-and-using-compatibility-fixes.md b/windows/deployment/planning/understanding-and-using-compatibility-fixes.md index 4444a1eef2..42f2b0f0dc 100644 --- a/windows/deployment/planning/understanding-and-using-compatibility-fixes.md +++ b/windows/deployment/planning/understanding-and-using-compatibility-fixes.md @@ -1,101 +1,101 @@ ---- -title: Understanding and Using Compatibility Fixes (Windows 10) -description: As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change. -ms.assetid: 84bf663d-3e0b-4168-99d6-a26e054821b7 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Understanding and Using Compatibility Fixes - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change. This can cause problems for applications that relied upon the original implementation. You can avoid compatibility issues by using the Microsoft Windows Application Compatibility (Compatibility Fix) infrastructure to create a specific application fix for a particular version of an application. - -## How the Compatibility Fix Infrastructure Works - - -The Compatibility Fix infrastructure uses the linking ability of APIs to redirect an application from Windows code directly to alternative code that implements the compatibility fix. - -The Windows Portable Executable File Format includes headers that contain the data directories that are used to provide a layer of indirection between the application and the linked file. API calls to the external binary files take place through the Import Address Table (IAT), which then directly calls the Windows operating system, as shown in the following figure. - -![act app calls operating system through iat](images/dep-win8-l-act-appcallosthroughiat.jpg) - -Specifically, the process modifies the address of the affected Windows function in the IAT to point to the compatibility fix code, as shown in the following figure. - -![act app redirect with compatibility fix](images/dep-win8-l-act-appredirectwithcompatfix.jpg) - -**Note**   -For statically linked DLLs, the code redirection occurs as the application loads. You can also fix dynamically linked DLLs by hooking into the GetProcAddress API. - - - -## Design Implications of the Compatibility Fix Infrastructure - - -There are important considerations to keep in mind when determining your application fix strategy, due to certain characteristics of the Compatibility Fix infrastructure. - -- The compatibility fix is not part of the Windows operating system (as shown in the previous figure). Therefore, the same security restrictions apply to the compatibility fix as apply to the application code, which means that you cannot use compatibility fixes to bypass any of the security mechanisms of the operating system. Therefore, compatibility fixes do not increase your security exposure, nor do you need to lower your security settings to accommodate compatibility fixes. - -- The Compatibility Fix infrastructure injects additional code into the application before it calls the operating system. This means that any remedy that can be accomplished by a compatibility fix can also be addressed by fixing the application code. - -- The compatibility fixes run as user-mode code inside of a user-mode application process. This means that you cannot use a compatibility fix to fix kernel-mode code issues. For example, you cannot use a compatibility fix to resolve device-driver issues. - - **Note**   - Some antivirus, firewall, and anti-spyware code runs in kernel mode. - - - -## Determining When to Use a Compatibility Fix - - -The decision to use compatibility fixes to remedy your compatibility issues may involve more than just technical issues. The following scenarios reflect other common reasons for using a compatibility fix. - -### Scenario 1 - -**The compatibility issue exists on an application which is no longer supported by the vendor.** - -As in many companies, you may run applications for which the vendor has ended support. In this situation, you cannot have the vendor make the fix, nor can you access the source code to modify the issue yourself. However, it is possible that the use of a compatibility fix might resolve the compatibility issue. - -### Scenario 2 - -**The compatibility issue exists on an internally created application.** - -While it is preferable to fix the application code to resolve the issue, this is not always possible. Your internal team might not be able to fix all of the issues prior to the deployment of the new operating system. Instead, they might choose to employ a compatibility fix anywhere that it is possible. They can then fix the code only for issues that cannot be resolved in this manner. Through this method, your team can modify the application as time permits, without delaying the deployment of the new operating system into your environment. - -### Scenario 3 - -**The compatibility issue exists on an application for which a compatible version is to be released in the near future, or an application that is not critical to the organization, regardless of its version.** - -In the situation where an application is either unimportant to your organization, or for which a newer, compatible version is to be released shortly, you can use a compatibility fix as a temporary solution. This means that you can continue to use the application without delaying the deployment of a new operating system, with the intention of updating your configuration as soon as the new version is released. - -## Determining Which Version of an Application to Fix - - -You can apply a compatibility fix to a particular version of an application, either by using the "up to or including" clause or by selecting that specific version. This means that the next version of the application will not have the compatibility fix automatically applied. This is important, because it allows you to continue to use your application, but it also encourages the vendor to fix the application. - -## Support for Compatibility Fixes - - -Compatibility fixes are shipped as part of the Windows operating system and are updated by using Windows Update. Therefore, they receive the same level of support as Windows itself. - -You can apply the compatibility fixes to any of your applications. However, Microsoft does not provide the tools to use the Compatibility Fix infrastructure to create your own custom fixes. - -## Related topics -[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md) +--- +title: Understanding and Using Compatibility Fixes (Windows 10) +description: As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change. +ms.assetid: 84bf663d-3e0b-4168-99d6-a26e054821b7 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Understanding and Using Compatibility Fixes + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change. This can cause problems for applications that relied upon the original implementation. You can avoid compatibility issues by using the Microsoft Windows Application Compatibility (Compatibility Fix) infrastructure to create a specific application fix for a particular version of an application. + +## How the Compatibility Fix Infrastructure Works + + +The Compatibility Fix infrastructure uses the linking ability of APIs to redirect an application from Windows code directly to alternative code that implements the compatibility fix. + +The Windows Portable Executable File Format includes headers that contain the data directories that are used to provide a layer of indirection between the application and the linked file. API calls to the external binary files take place through the Import Address Table (IAT), which then directly calls the Windows operating system, as shown in the following figure. + +![act app calls operating system through iat](images/dep-win8-l-act-appcallosthroughiat.jpg) + +Specifically, the process modifies the address of the affected Windows function in the IAT to point to the compatibility fix code, as shown in the following figure. + +![act app redirect with compatibility fix](images/dep-win8-l-act-appredirectwithcompatfix.jpg) + +**Note**   +For statically linked DLLs, the code redirection occurs as the application loads. You can also fix dynamically linked DLLs by hooking into the GetProcAddress API. + + + +## Design Implications of the Compatibility Fix Infrastructure + + +There are important considerations to keep in mind when determining your application fix strategy, due to certain characteristics of the Compatibility Fix infrastructure. + +- The compatibility fix is not part of the Windows operating system (as shown in the previous figure). Therefore, the same security restrictions apply to the compatibility fix as apply to the application code, which means that you cannot use compatibility fixes to bypass any of the security mechanisms of the operating system. Therefore, compatibility fixes do not increase your security exposure, nor do you need to lower your security settings to accommodate compatibility fixes. + +- The Compatibility Fix infrastructure injects additional code into the application before it calls the operating system. This means that any remedy that can be accomplished by a compatibility fix can also be addressed by fixing the application code. + +- The compatibility fixes run as user-mode code inside of a user-mode application process. This means that you cannot use a compatibility fix to fix kernel-mode code issues. For example, you cannot use a compatibility fix to resolve device-driver issues. + + **Note**   + Some antivirus, firewall, and anti-spyware code runs in kernel mode. + + + +## Determining When to Use a Compatibility Fix + + +The decision to use compatibility fixes to remedy your compatibility issues may involve more than just technical issues. The following scenarios reflect other common reasons for using a compatibility fix. + +### Scenario 1 + +**The compatibility issue exists on an application which is no longer supported by the vendor.** + +As in many companies, you may run applications for which the vendor has ended support. In this situation, you cannot have the vendor make the fix, nor can you access the source code to modify the issue yourself. However, it is possible that the use of a compatibility fix might resolve the compatibility issue. + +### Scenario 2 + +**The compatibility issue exists on an internally created application.** + +While it is preferable to fix the application code to resolve the issue, this is not always possible. Your internal team might not be able to fix all of the issues prior to the deployment of the new operating system. Instead, they might choose to employ a compatibility fix anywhere that it is possible. They can then fix the code only for issues that cannot be resolved in this manner. Through this method, your team can modify the application as time permits, without delaying the deployment of the new operating system into your environment. + +### Scenario 3 + +**The compatibility issue exists on an application for which a compatible version is to be released in the near future, or an application that is not critical to the organization, regardless of its version.** + +In the situation where an application is either unimportant to your organization, or for which a newer, compatible version is to be released shortly, you can use a compatibility fix as a temporary solution. This means that you can continue to use the application without delaying the deployment of a new operating system, with the intention of updating your configuration as soon as the new version is released. + +## Determining Which Version of an Application to Fix + + +You can apply a compatibility fix to a particular version of an application, either by using the "up to or including" clause or by selecting that specific version. This means that the next version of the application will not have the compatibility fix automatically applied. This is important, because it allows you to continue to use your application, but it also encourages the vendor to fix the application. + +## Support for Compatibility Fixes + + +Compatibility fixes are shipped as part of the Windows operating system and are updated by using Windows Update. Therefore, they receive the same level of support as Windows itself. + +You can apply the compatibility fixes to any of your applications. However, Microsoft does not provide the tools to use the Compatibility Fix infrastructure to create your own custom fixes. + +## Related topics +[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md) diff --git a/windows/deployment/planning/using-the-compatibility-administrator-tool.md b/windows/deployment/planning/using-the-compatibility-administrator-tool.md index 8268db9a1c..b38891eae2 100644 --- a/windows/deployment/planning/using-the-compatibility-administrator-tool.md +++ b/windows/deployment/planning/using-the-compatibility-administrator-tool.md @@ -1,94 +1,94 @@ ---- -title: Using the Compatibility Administrator Tool (Windows 10) -description: This section provides information about using the Compatibility Administrator tool. -ms.assetid: 57271e47-b9b9-4018-a0b5-7115a533166d -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Using the Compatibility Administrator Tool - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -This section provides information about using the Compatibility Administrator tool. - -## In this section - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          TopicDescription

          Available Data Types and Operators in Compatibility Administrator

          The Compatibility Administrator tool provides a way to query your custom-compatibility databases.

          Searching for Fixed Applications in Compatibility Administrator

          With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. This is particularly useful if you are trying to identify applications with a specific compatibility fix or identifying which fixes are applied to a specific application.

          Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator

          You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature.

          Creating a Custom Compatibility Fix in Compatibility Administrator

          The Compatibility Administrator tool uses the term fix to describe the combination of compatibility information added to a customized database for a specific application. This combination can include single application fixes, groups of fixes that work together as a compatibility mode, and blocking and non-blocking AppHelp messages.

          Creating a Custom Compatibility Mode in Compatibility Administrator

          Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues. While working with Compatibility Administrator, you might decide to group some of your individual compatibility fixes into a custom-compatibility mode, which you can then deploy and use on any of your compatibility databases.

          Creating an AppHelp Message in Compatibility Administrator

          The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system.

          Viewing the Events Screen in Compatibility Administrator

          The Events screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities.

          Enabling and Disabling Compatibility Fixes in Compatibility Administrator

          You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes.

          Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator

          The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. Both the custom databases and the standard databases store the known compatibility fixes, compatibility modes, and AppHelp messages. They also store the required application-matching information for installation on your local computers.

          - - - - - - - - - - - +--- +title: Using the Compatibility Administrator Tool (Windows 10) +description: This section provides information about using the Compatibility Administrator tool. +ms.assetid: 57271e47-b9b9-4018-a0b5-7115a533166d +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Using the Compatibility Administrator Tool + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +This section provides information about using the Compatibility Administrator tool. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          TopicDescription

          Available Data Types and Operators in Compatibility Administrator

          The Compatibility Administrator tool provides a way to query your custom-compatibility databases.

          Searching for Fixed Applications in Compatibility Administrator

          With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. This is particularly useful if you are trying to identify applications with a specific compatibility fix or identifying which fixes are applied to a specific application.

          Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator

          You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature.

          Creating a Custom Compatibility Fix in Compatibility Administrator

          The Compatibility Administrator tool uses the term fix to describe the combination of compatibility information added to a customized database for a specific application. This combination can include single application fixes, groups of fixes that work together as a compatibility mode, and blocking and non-blocking AppHelp messages.

          Creating a Custom Compatibility Mode in Compatibility Administrator

          Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues. While working with Compatibility Administrator, you might decide to group some of your individual compatibility fixes into a custom-compatibility mode, which you can then deploy and use on any of your compatibility databases.

          Creating an AppHelp Message in Compatibility Administrator

          The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system.

          Viewing the Events Screen in Compatibility Administrator

          The Events screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities.

          Enabling and Disabling Compatibility Fixes in Compatibility Administrator

          You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes.

          Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator

          The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. Both the custom databases and the standard databases store the known compatibility fixes, compatibility modes, and AppHelp messages. They also store the required application-matching information for installation on your local computers.

          + + + + + + + + + + + diff --git a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md index e8da9eedfc..eb092034f3 100644 --- a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md +++ b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md @@ -1,113 +1,113 @@ ---- -title: Using the Sdbinst.exe Command-Line Tool (Windows 10) -description: You must deploy your customized database (.sdb) files to other computers in your organization before your compatibility fixes, compatibility modes, and AppHelp messages are applied. -ms.assetid: c1945425-3f8d-4de8-9d2d-59f801f07034 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Using the Sdbinst.exe Command-Line Tool - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2016 -- Windows Server 2012 -- Windows Server 2008 R2 - -You must deploy your customized database (.sdb) files to other computers in your organization before your compatibility fixes, compatibility modes, and AppHelp messages are applied. You can deploy your customized database files in several ways, including by using a logon script, by using Group Policy, or by performing file copy operations. - -After you deploy and store the customized databases on each of your local computers, you must register the database files. Until you register the database files, the operating system is unable to identify the available compatibility fixes when starting an application. - -## Command-Line Options for Deploying Customized Database Files - -Sample output from the command `Sdbinst.exe /?` in an elevated CMD window: - -``` -Microsoft Windows [Version 10.0.14393] -(c) 2016 Microsoft Corporation. All rights reserved. - -C:\Windows\system32>Sdbinst.exe /? -Usage: Sdbinst.exe [-?] [-q] [-u] [-g] [-p] [-n[:WIN32|WIN64]] myfile.sdb | {guid} | "name" - - -? - print this help text. - -p - Allow SDBs containing patches. - -q - Quiet mode: prompts are auto-accepted. - -u - Uninstall. - -g {guid} - GUID of file (uninstall only). - -n "name" - Internal name of file (uninstall only). - -C:\Windows\system32>_ -``` - -The command-line options use the following conventions: - -Sdbinst.exe \[-?\] \[-p\] \[-q\] \[-u\] \[-g\] \[-u filepath\] \[-g *GUID*\] \[-n *"name"*\] - -The following table describes the available command-line options. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          OptionDescription

          -?

          Displays the Help for the Sdbinst.exe tool.

          -

          For example,

          -

          sdbinst.exe -?

          -p

          Allows SDBs installation with Patches

          -

          For example,

          -

          sdbinst.exe -p C:\Windows\AppPatch\Myapp.sdb

          -q

          Performs a silent installation with no visible window, status, or warning information. Fatal errors appear only in Event Viewer (Eventvwr.exe).

          -

          For example,

          -

          sdbinst.exe -q

          -u filepath

          Performs an uninstallation of the specified database.

          -

          For example,

          -

          sdbinst.exe -u C:\example.sdb

          -g GUID

          Specifies the customized database to uninstall by a globally unique identifier (GUID).

          -

          For example,

          -

          sdbinst.exe -g 6586cd8f-edc9-4ea8-ad94-afabea7f62e3

          -n "name"

          Specifies the customized database to uninstall by file name.

          -

          For example,

          -

          sdbinst.exe -n "My_Database"

          - -## Related topics -[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) +--- +title: Using the Sdbinst.exe Command-Line Tool (Windows 10) +description: You must deploy your customized database (.sdb) files to other computers in your organization before your compatibility fixes, compatibility modes, and AppHelp messages are applied. +ms.assetid: c1945425-3f8d-4de8-9d2d-59f801f07034 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Using the Sdbinst.exe Command-Line Tool + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2016 +- Windows Server 2012 +- Windows Server 2008 R2 + +You must deploy your customized database (.sdb) files to other computers in your organization before your compatibility fixes, compatibility modes, and AppHelp messages are applied. You can deploy your customized database files in several ways, including by using a logon script, by using Group Policy, or by performing file copy operations. + +After you deploy and store the customized databases on each of your local computers, you must register the database files. Until you register the database files, the operating system is unable to identify the available compatibility fixes when starting an application. + +## Command-Line Options for Deploying Customized Database Files + +Sample output from the command `Sdbinst.exe /?` in an elevated CMD window: + +``` +Microsoft Windows [Version 10.0.14393] +(c) 2016 Microsoft Corporation. All rights reserved. + +C:\Windows\system32>Sdbinst.exe /? +Usage: Sdbinst.exe [-?] [-q] [-u] [-g] [-p] [-n[:WIN32|WIN64]] myfile.sdb | {guid} | "name" + + -? - print this help text. + -p - Allow SDBs containing patches. + -q - Quiet mode: prompts are auto-accepted. + -u - Uninstall. + -g {guid} - GUID of file (uninstall only). + -n "name" - Internal name of file (uninstall only). + +C:\Windows\system32>_ +``` + +The command-line options use the following conventions: + +Sdbinst.exe \[-?\] \[-p\] \[-q\] \[-u\] \[-g\] \[-u filepath\] \[-g *GUID*\] \[-n *"name"*\] + +The following table describes the available command-line options. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          OptionDescription

          -?

          Displays the Help for the Sdbinst.exe tool.

          +

          For example,

          +

          sdbinst.exe -?

          -p

          Allows SDBs installation with Patches

          +

          For example,

          +

          sdbinst.exe -p C:\Windows\AppPatch\Myapp.sdb

          -q

          Performs a silent installation with no visible window, status, or warning information. Fatal errors appear only in Event Viewer (Eventvwr.exe).

          +

          For example,

          +

          sdbinst.exe -q

          -u filepath

          Performs an uninstallation of the specified database.

          +

          For example,

          +

          sdbinst.exe -u C:\example.sdb

          -g GUID

          Specifies the customized database to uninstall by a globally unique identifier (GUID).

          +

          For example,

          +

          sdbinst.exe -g 6586cd8f-edc9-4ea8-ad94-afabea7f62e3

          -n "name"

          Specifies the customized database to uninstall by file name.

          +

          For example,

          +

          sdbinst.exe -n "My_Database"

          + +## Related topics +[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) diff --git a/windows/deployment/planning/using-the-sua-tool.md b/windows/deployment/planning/using-the-sua-tool.md index 98e7f50884..008d9e50a5 100644 --- a/windows/deployment/planning/using-the-sua-tool.md +++ b/windows/deployment/planning/using-the-sua-tool.md @@ -1,92 +1,92 @@ ---- -title: Using the SUA Tool (Windows 10) -description: By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature. -ms.assetid: ebe52061-3816-47f7-a865-07bc5f405f03 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Using the SUA Tool - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature. - -The SUA Wizard also addresses UAC-related issues. In contrast to the SUA tool, the SUA Wizard guides you through the process step by step, without the in-depth analysis of the SUA tool. For information about the SUA Wizard, see [Using the SUA Wizard](using-the-sua-wizard.md). - -In the SUA tool, you can turn virtualization on and off. When you turn virtualization off, the tested application may function more like the way it does in earlier versions of Windows®. - -In the SUA tool, you can choose to run the application as **Administrator** or as **Standard User**. Depending on your selection, you may locate different types of UAC-related issues. - -## Testing an Application by Using the SUA Tool - - -Before you can use the SUA tool, you must install Application Verifier. You must also install the Microsoft® .NET Framework 3.5 or later. - -The following flowchart shows the process of using the SUA tool. - -![act sua flowchart](images/dep-win8-l-act-suaflowchart.jpg) - -**To collect UAC-related issues by using the SUA tool** - -1. Close any open instance of the SUA tool or SUA Wizard on your computer. - - If there is an existing SUA instance on the computer, the SUA tool opens in log viewer mode instead of normal mode. In log viewer mode, you cannot start applications, which prevents you from collecting UAC issues. - -2. Run the Standard User Analyzer. - -3. In the **Target Application** box, browse to the executable file for the application that you want to analyze, and then double-click to select it. - -4. Clear the **Elevate** check box, and then click **Launch**. - - If a **Permission denied** dialog box appears, click **OK**. The application starts, despite the warning. - -5. Exercise the aspects of the application for which you want to gather information about UAC issues. - -6. Exit the application. - -7. Review the information from the various tabs in the SUA tool. For information about each tab, see [Tabs on the SUA Tool Interface](tabs-on-the-sua-tool-interface.md). - -**To review and apply the recommended mitigations** - -1. In the SUA tool, on the **Mitigation** menu, click **Apply Mitigations**. - -2. Review the recommended compatibility fixes. - -3. Click **Apply**. - - The SUA tool generates a custom compatibility-fix database and automatically applies it to the local computer, so that you can test the fixes to see whether they worked. - -## Related topics -[Tabs on the SUA Tool Interface](tabs-on-the-sua-tool-interface.md) - -[Showing Messages Generated by the SUA Tool](showing-messages-generated-by-the-sua-tool.md) - -[Applying Filters to Data in the SUA Tool](applying-filters-to-data-in-the-sua-tool.md) - -[Fixing Applications by Using the SUA Tool](fixing-applications-by-using-the-sua-tool.md) - -  - -  - - - - - +--- +title: Using the SUA Tool (Windows 10) +description: By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature. +ms.assetid: ebe52061-3816-47f7-a865-07bc5f405f03 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Using the SUA Tool + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature. + +The SUA Wizard also addresses UAC-related issues. In contrast to the SUA tool, the SUA Wizard guides you through the process step by step, without the in-depth analysis of the SUA tool. For information about the SUA Wizard, see [Using the SUA Wizard](using-the-sua-wizard.md). + +In the SUA tool, you can turn virtualization on and off. When you turn virtualization off, the tested application may function more like the way it does in earlier versions of Windows®. + +In the SUA tool, you can choose to run the application as **Administrator** or as **Standard User**. Depending on your selection, you may locate different types of UAC-related issues. + +## Testing an Application by Using the SUA Tool + + +Before you can use the SUA tool, you must install Application Verifier. You must also install the Microsoft® .NET Framework 3.5 or later. + +The following flowchart shows the process of using the SUA tool. + +![act sua flowchart](images/dep-win8-l-act-suaflowchart.jpg) + +**To collect UAC-related issues by using the SUA tool** + +1. Close any open instance of the SUA tool or SUA Wizard on your computer. + + If there is an existing SUA instance on the computer, the SUA tool opens in log viewer mode instead of normal mode. In log viewer mode, you cannot start applications, which prevents you from collecting UAC issues. + +2. Run the Standard User Analyzer. + +3. In the **Target Application** box, browse to the executable file for the application that you want to analyze, and then double-click to select it. + +4. Clear the **Elevate** check box, and then click **Launch**. + + If a **Permission denied** dialog box appears, click **OK**. The application starts, despite the warning. + +5. Exercise the aspects of the application for which you want to gather information about UAC issues. + +6. Exit the application. + +7. Review the information from the various tabs in the SUA tool. For information about each tab, see [Tabs on the SUA Tool Interface](tabs-on-the-sua-tool-interface.md). + +**To review and apply the recommended mitigations** + +1. In the SUA tool, on the **Mitigation** menu, click **Apply Mitigations**. + +2. Review the recommended compatibility fixes. + +3. Click **Apply**. + + The SUA tool generates a custom compatibility-fix database and automatically applies it to the local computer, so that you can test the fixes to see whether they worked. + +## Related topics +[Tabs on the SUA Tool Interface](tabs-on-the-sua-tool-interface.md) + +[Showing Messages Generated by the SUA Tool](showing-messages-generated-by-the-sua-tool.md) + +[Applying Filters to Data in the SUA Tool](applying-filters-to-data-in-the-sua-tool.md) + +[Fixing Applications by Using the SUA Tool](fixing-applications-by-using-the-sua-tool.md) + +  + +  + + + + + diff --git a/windows/deployment/planning/using-the-sua-wizard.md b/windows/deployment/planning/using-the-sua-wizard.md index f3ecffae97..4070f56802 100644 --- a/windows/deployment/planning/using-the-sua-wizard.md +++ b/windows/deployment/planning/using-the-sua-wizard.md @@ -1,90 +1,90 @@ ---- -title: Using the SUA Wizard (Windows 10) -description: The Standard User Analyzer (SUA) Wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA Wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions. -ms.assetid: 29d07074-3de7-4ace-9a54-678af7255d6c -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Using the SUA Wizard - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The Standard User Analyzer (SUA) Wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA Wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions. - -For information about the SUA tool, see [Using the SUA Tool](using-the-sua-tool.md). - -## Testing an Application by Using the SUA Wizard - - -You must install Application Verifier before you can use the SUA Wizard. If Application Verifier is not installed on the computer that is running the SUA Wizard, the SUA Wizard notifies you. You must also install the Microsoft® .NET Framework 3.5 or later before you can use the SUA Wizard. - -The following flowchart shows the process of using the SUA Wizard. - -![act sua wizard flowchart](images/dep-win8-l-act-suawizardflowchart.jpg) - -**To test an application by using the SUA Wizard** - -1. On the computer where the SUA Wizard is installed, log on by using a non-administrator account. - -2. Run the Standard User Analyzer Wizard. - -3. Click **Browse for Application**, browse to the folder that contains the application that you want to test, and then double-click the executable file for the application. - -4. Click **Launch**. - - If you are prompted, elevate your permissions. The SUA Wizard may require elevation of permissions to correctly diagnose the application. - - If a **Permission denied** dialog box appears, click **OK**. The application starts, despite the warning. - -5. In the application, exercise the functionality that you want to test. - -6. After you finish testing, exit the application. - - The SUA Wizard displays a message that asks whether the application ran without any issues. - -7. Click **No**. - - The SUA Wizard shows a list of potential remedies that you might use to fix the application. - -8. Select the fixes that you want to apply, and then click **Launch**. - - The application appears again, with the fixes applied. - -9. Test the application again, and after you finish testing, exit the application. - - The SUA Wizard displays a message that asks whether the application ran without any issues. - -10. If the application ran correctly, click **Yes**. - - The SUA Wizard closes the issue as resolved on the local computer. - - If the remedies do not fix the issue with the application, click **No** again, and the wizard may offer additional remedies. If the additional remedies do not fix the issue, the wizard informs you that there are no more remedies available. For information about how to run the SUA tool for additional investigation, see [Using the SUA Tool](using-the-sua-tool.md). - -## Related topics -[SUA User's Guide](sua-users-guide.md) - -  - -  - - - - - +--- +title: Using the SUA Wizard (Windows 10) +description: The Standard User Analyzer (SUA) Wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA Wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions. +ms.assetid: 29d07074-3de7-4ace-9a54-678af7255d6c +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Using the SUA Wizard + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The Standard User Analyzer (SUA) Wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA Wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions. + +For information about the SUA tool, see [Using the SUA Tool](using-the-sua-tool.md). + +## Testing an Application by Using the SUA Wizard + + +You must install Application Verifier before you can use the SUA Wizard. If Application Verifier is not installed on the computer that is running the SUA Wizard, the SUA Wizard notifies you. You must also install the Microsoft® .NET Framework 3.5 or later before you can use the SUA Wizard. + +The following flowchart shows the process of using the SUA Wizard. + +![act sua wizard flowchart](images/dep-win8-l-act-suawizardflowchart.jpg) + +**To test an application by using the SUA Wizard** + +1. On the computer where the SUA Wizard is installed, log on by using a non-administrator account. + +2. Run the Standard User Analyzer Wizard. + +3. Click **Browse for Application**, browse to the folder that contains the application that you want to test, and then double-click the executable file for the application. + +4. Click **Launch**. + + If you are prompted, elevate your permissions. The SUA Wizard may require elevation of permissions to correctly diagnose the application. + + If a **Permission denied** dialog box appears, click **OK**. The application starts, despite the warning. + +5. In the application, exercise the functionality that you want to test. + +6. After you finish testing, exit the application. + + The SUA Wizard displays a message that asks whether the application ran without any issues. + +7. Click **No**. + + The SUA Wizard shows a list of potential remedies that you might use to fix the application. + +8. Select the fixes that you want to apply, and then click **Launch**. + + The application appears again, with the fixes applied. + +9. Test the application again, and after you finish testing, exit the application. + + The SUA Wizard displays a message that asks whether the application ran without any issues. + +10. If the application ran correctly, click **Yes**. + + The SUA Wizard closes the issue as resolved on the local computer. + + If the remedies do not fix the issue with the application, click **No** again, and the wizard may offer additional remedies. If the additional remedies do not fix the issue, the wizard informs you that there are no more remedies available. For information about how to run the SUA tool for additional investigation, see [Using the SUA Tool](using-the-sua-tool.md). + +## Related topics +[SUA User's Guide](sua-users-guide.md) + +  + +  + + + + + diff --git a/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md b/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md index b0cc6e3517..f5419526ab 100644 --- a/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md +++ b/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md @@ -1,59 +1,59 @@ ---- -title: Viewing the Events Screen in Compatibility Administrator (Windows 10) -description: The Events screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities. -ms.assetid: f2b2ada4-1b7b-4558-989d-5b52b40454b3 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Viewing the Events Screen in Compatibility Administrator - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The **Events** screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities. - -**Important**   -The **Events** screen only records your activities when the screen is open. If you perform an action before opening the **Events** screen, the action will not appear in the list. - - - -**To open the Events screen** - -- On the **View** menu, click **Events**. - -## Handling Multiple Copies of Compatibility Fixes - - -Compatibility Administrator enables you to copy your compatibility fixes from one database to another, which can become confusing after adding multiple fixes, compatibility modes, and databases. For example, you can copy a fix called MyFix from Database 1 to Database 2. However, if there is already a fix called MyFix in Database 2, Compatibility Administrator renames the fix as MyFix (1) to avoid duplicate names. - -If you open the **Events** screen and then perform the copy operation, you can see a description of the action, along with the time stamp, which enables you to view your fix information without confusion. - -## Related topics -[Creating a Custom Compatibility Mode in Compatibility Administrator](creating-a-custom-compatibility-mode-in-compatibility-administrator.md) - -[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) - - - - - - - - - +--- +title: Viewing the Events Screen in Compatibility Administrator (Windows 10) +description: The Events screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities. +ms.assetid: f2b2ada4-1b7b-4558-989d-5b52b40454b3 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Viewing the Events Screen in Compatibility Administrator + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The **Events** screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities. + +**Important**   +The **Events** screen only records your activities when the screen is open. If you perform an action before opening the **Events** screen, the action will not appear in the list. + + + +**To open the Events screen** + +- On the **View** menu, click **Events**. + +## Handling Multiple Copies of Compatibility Fixes + + +Compatibility Administrator enables you to copy your compatibility fixes from one database to another, which can become confusing after adding multiple fixes, compatibility modes, and databases. For example, you can copy a fix called MyFix from Database 1 to Database 2. However, if there is already a fix called MyFix in Database 2, Compatibility Administrator renames the fix as MyFix (1) to avoid duplicate names. + +If you open the **Events** screen and then perform the copy operation, you can see a description of the action, along with the time stamp, which enables you to view your fix information without confusion. + +## Related topics +[Creating a Custom Compatibility Mode in Compatibility Administrator](creating-a-custom-compatibility-mode-in-compatibility-administrator.md) + +[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) + + + + + + + + + diff --git a/windows/deployment/planning/windows-10-1703-removed-features.md b/windows/deployment/planning/windows-10-1703-removed-features.md index 45bac44358..0d09296845 100644 --- a/windows/deployment/planning/windows-10-1703-removed-features.md +++ b/windows/deployment/planning/windows-10-1703-removed-features.md @@ -31,4 +31,4 @@ This list is intended for IT professionals who are updating operating systems in |Windows Information Protection "AllowUserDecryption" policy | X | | |WSUS for Windows Mobile, updates are being transitioned to the new Unified Update Platform (UUP) | X | | |TCPChimney | | X | -|IPsec task offload| | X | \ No newline at end of file +|IPsec task offload| | X | diff --git a/windows/deployment/planning/windows-10-1709-removed-features.md b/windows/deployment/planning/windows-10-1709-removed-features.md index a8ef0ceac2..6126b5272f 100644 --- a/windows/deployment/planning/windows-10-1709-removed-features.md +++ b/windows/deployment/planning/windows-10-1709-removed-features.md @@ -1,46 +1,46 @@ ---- -title: Windows 10, version 1709 removed features -description: Learn about features that will be removed in Windows 10, version 1709 -ms.prod: w10 -ms.mktglfcycl: plan -ms.localizationpriority: medium -ms.sitesec: library -author: greg-lindsay -manager: laurawi -ms.topic: article ---- -# Features that are removed or deprecated in Windows 10, version 1709 - -> Applies to: Windows 10, version 1709 - -The following features and functionalities in the Windows 10, version 1709 are either removed from the product in the current release (*Removed*) or are not in active development and might be removed in future releases. - -This list is intended to help customers consider these removals and deprecations for their own planning. The list is subject to change and may not include every deprecated feature or functionality. - -For more information about a listed feature or functionality and its replacement, see the documentation for that feature. You can also follow the provided links in this table to see additional resources.  - -| Feature | Removed | Not actively developed | -|----------|---------|------------| -|**3D Builder app**
          No longer installed by default. Consider using Print 3D and Paint 3D in its place. However, 3D Builder is still available for download from the Windows Store. | X | | -|**Apndatabase.xml**
          For more information about the replacement database, see the following Hardware Dev Center articles:
          [MO Process to update COSA](/windows-hardware/drivers/mobilebroadband/planning-your-apn-database-submission)
          [COSA FAQ](/windows-hardware/drivers/mobilebroadband/cosa---faq) | X | | -|**Enhanced Mitigation Experience Toolkit (EMET)**
          Use will be blocked. Consider using the [Exploit Protection](https://blogs.windows.com/windowsexperience/2017/06/28/announcing-windows-10-insider-preview-build-16232-pc-build-15228-mobile/#fMH3bUDAb5HEstZ5.97) feature of Windows Defender Exploit Guard as a replacement.| X | | -|**IIS 6 Management Compatibility**
          We recommend that users use alternative scripting tools and a newer management console. | | X | -|**IIS Digest Authentication**
          We recommend that users use alternative authentication methods.| | X | -|**Microsoft Paint**
          Will be available through the Windows Store. Functionality integrated into Paint 3D.| | X | -|**Outlook Express**
          Removing this non-functional legacy code.| X | | -|**Reader app**
          Functionality to be integrated into Microsoft Edge.| X | | -|**Reading List**
          Functionality to be integrated into Microsoft Edge.| X | | -|**Resilient File System (ReFS)**
          Creation ability will be available in the following editions only: Windows 10 Enterprise and Windows 10 Pro for Workstations. Creation ability will be removed from all other editions. All other editions will have Read and Write ability.
          (added: August 17, 2017)| | X | -|**RSA/AES Encryption for IIS**
          We recommend that users use CNG encryption provider.| | X | -|**Screen saver functionality in Themes**
          Disabled in Themes (classified as **Removed** in this table). Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lockscreen features and policies are preferred. | X | X | -|**Sync your settings**
          Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. The "Sync your settings" options and the Enterprise State Roaming feature will continue to work.
          (updated: August 17, 2017) | | X | -|**Syskey.exe**
          Removing this nonsecure security feature. We recommend that users use BitLocker instead. For more information, see the following Knowledge Base article: [4025993 Syskey.exe utility is no longer supported in Windows 10 RS3 and Windows Server 2016 RS3](https://support.microsoft.com/help/4025993/syskey-exe-utility-is-no-longer-supported-in-windows-10-rs3-and-window)| X | | -|**System Image Backup (SIB) Solution**
          We recommend that users use full-disk backup solutions from other vendors.| | X | -|**TCP Offload Engine**
          Removing this legacy code. This functionality was previously transitioned to the Stack TCP Engine. For more information, see the following PFE Platform Blog article: [Why Are We Deprecating Network Performance Features?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193)| X || -|**Tile Data Layer**
          To be replaced by the Tile Store.| X || -|**TLS RC4 Ciphers**
          To be disabled by default. For more information, see the following Windows IT Center topic: [TLS (Schannel SSP) changes in Windows 10 and Windows Server 2016](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server)|| X| -|**Trusted Platform Module (TPM) Owner Password Management**
          This legacy code to be removed.|| X | -|**Trusted Platform Module (TPM): TPM.msc and TPM Remote Management**
          To be replaced by a new user interface in a future release.| | X | -|**Trusted Platform Module (TPM) Remote Management**
          This legacy code to be removed in a future release.|| X | -|**Windows Hello for Business deployment that uses System Center Configuration Manager**
          Windows Server 2016 Active Directory Federation Services – Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience.|| X | -|**Windows PowerShell 2.0**
          Applications and components should be migrated to PowerShell 5.0+.| | X | +--- +title: Windows 10, version 1709 removed features +description: Learn about features that will be removed in Windows 10, version 1709 +ms.prod: w10 +ms.mktglfcycl: plan +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro author: greg-lindsay +manager: laurawi +ms.topic: article +--- +# Features that are removed or deprecated in Windows 10, version 1709 + +> Applies to: Windows 10, version 1709 + +The following features and functionalities in the Windows 10, version 1709 are either removed from the product in the current release (*Removed*) or are not in active development and might be removed in future releases. + +This list is intended to help customers consider these removals and deprecations for their own planning. The list is subject to change and may not include every deprecated feature or functionality. + +For more information about a listed feature or functionality and its replacement, see the documentation for that feature. You can also follow the provided links in this table to see additional resources.  + +| Feature | Removed | Not actively developed | +|----------|---------|------------| +|**3D Builder app**
          No longer installed by default. Consider using Print 3D and Paint 3D in its place. However, 3D Builder is still available for download from the Windows Store. | X | | +|**Apndatabase.xml**
          For more information about the replacement database, see the following Hardware Dev Center articles:
          [MO Process to update COSA](/windows-hardware/drivers/mobilebroadband/planning-your-apn-database-submission)
          [COSA FAQ](/windows-hardware/drivers/mobilebroadband/cosa---faq) | X | | +|**Enhanced Mitigation Experience Toolkit (EMET)**
          Use will be blocked. Consider using the [Exploit Protection](https://blogs.windows.com/windowsexperience/2017/06/28/announcing-windows-10-insider-preview-build-16232-pc-build-15228-mobile/#fMH3bUDAb5HEstZ5.97) feature of Windows Defender Exploit Guard as a replacement.| X | | +|**IIS 6 Management Compatibility**
          We recommend that users use alternative scripting tools and a newer management console. | | X | +|**IIS Digest Authentication**
          We recommend that users use alternative authentication methods.| | X | +|**Microsoft Paint**
          Will be available through the Windows Store. Functionality integrated into Paint 3D.| | X | +|**Outlook Express**
          Removing this non-functional legacy code.| X | | +|**Reader app**
          Functionality to be integrated into Microsoft Edge.| X | | +|**Reading List**
          Functionality to be integrated into Microsoft Edge.| X | | +|**Resilient File System (ReFS)**
          Creation ability will be available in the following editions only: Windows 10 Enterprise and Windows 10 Pro for Workstations. Creation ability will be removed from all other editions. All other editions will have Read and Write ability.
          (added: August 17, 2017)| | X | +|**RSA/AES Encryption for IIS**
          We recommend that users use CNG encryption provider.| | X | +|**Screen saver functionality in Themes**
          Disabled in Themes (classified as **Removed** in this table). Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lockscreen features and policies are preferred. | X | X | +|**Sync your settings**
          Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. The "Sync your settings" options and the Enterprise State Roaming feature will continue to work.
          (updated: August 17, 2017) | | X | +|**Syskey.exe**
          Removing this nonsecure security feature. We recommend that users use BitLocker instead. For more information, see the following Knowledge Base article: [4025993 Syskey.exe utility is no longer supported in Windows 10 RS3 and Windows Server 2016 RS3](https://support.microsoft.com/help/4025993/syskey-exe-utility-is-no-longer-supported-in-windows-10-rs3-and-window)| X | | +|**System Image Backup (SIB) Solution**
          We recommend that users use full-disk backup solutions from other vendors.| | X | +|**TCP Offload Engine**
          Removing this legacy code. This functionality was previously transitioned to the Stack TCP Engine. For more information, see the following PFE Platform Blog article: [Why Are We Deprecating Network Performance Features?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193)| X || +|**Tile Data Layer**
          To be replaced by the Tile Store.| X || +|**TLS RC4 Ciphers**
          To be disabled by default. For more information, see the following Windows IT Center topic: [TLS (Schannel SSP) changes in Windows 10 and Windows Server 2016](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server)|| X| +|**Trusted Platform Module (TPM) Owner Password Management**
          This legacy code to be removed.|| X | +|**Trusted Platform Module (TPM): TPM.msc and TPM Remote Management**
          To be replaced by a new user interface in a future release.| | X | +|**Trusted Platform Module (TPM) Remote Management**
          This legacy code to be removed in a future release.|| X | +|**Windows Hello for Business deployment that uses System Center Configuration Manager**
          Windows Server 2016 Active Directory Federation Services – Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience.|| X | +|**Windows PowerShell 2.0**
          Applications and components should be migrated to PowerShell 5.0+.| | X | diff --git a/windows/deployment/planning/windows-10-1803-removed-features.md b/windows/deployment/planning/windows-10-1803-removed-features.md index 4896f94c29..651e7aa5a8 100644 --- a/windows/deployment/planning/windows-10-1803-removed-features.md +++ b/windows/deployment/planning/windows-10-1803-removed-features.md @@ -1,56 +1,56 @@ ---- -title: Windows 10, version 1803 - Features that have been removed -description: Learn about features that will be removed or deprecated in Windows 10, version 1803, or a future release -ms.prod: w10 -ms.mktglfcycl: plan -ms.localizationpriority: medium -ms.sitesec: library -author: greg-lindsay -ms.author: greglin -ms.date: 08/16/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- -# Features removed or planned for replacement starting with Windows 10, version 1803 - -> Applies to: Windows 10, version 1803 - -Each release of Windows 10 adds new features and functionality; we also occasionally remove features and functionality, usually because we've added a better option. Here are the details about the features and functionalities that we removed in Windows 10, version 1803 (also called Windows 10 April 2018 Update). - -> [!TIP] -> - You can get early access to Windows 10 builds by joining the [Windows Insider program](https://insider.windows.com) - this is a great way to test feature changes. -> - Have questions about other releases? Check out the information for [Windows 10, version 1703](windows-10-creators-update-deprecation.md), and [Windows 10, version 1709](windows-10-fall-creators-deprecation.md). - -**The list is subject to change and might not include every affected feature or functionality.** - -## Features we removed in this release - -We've removed the following features and functionalities from the installed product image in Windows 10, version 1803. Applications or code that depend on these features won't function in this release unless you use an alternate method. - -|Feature |Instead you can use...| -|-----------|-------------------- -|Groove Music Pass|[We ended the Groove streaming music service and music track sales through the Microsoft Store in 2017](https://support.microsoft.com/help/4046109/groove-music-and-spotify-faq). The Groove app is being updated to reflect this change. You can still use Groove Music to play the music on your PC or to stream music from OneDrive. You can use Spotify or other music services to stream music on Windows 10, or to buy music to own.| -|People - Suggestions will no longer include unsaved contacts for non-Microsoft accounts|Manually save the contact details for people you send mail to or get mail from.| -|Language control in the Control Panel| Use the Settings app to change your language settings.| -|HomeGroup|We are removing [HomeGroup](https://support.microsoft.com/help/17145) but not your ability to share printers, files, and folders.

          When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.

          Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10:
          - [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10)
          - [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) | -|**Connect to suggested open hotspots** option in Wi-Fi settings |We previously [disabled the **Connect to suggested open hotspots** option](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) and are now removing it from the Wi-Fi settings page. You can manually connect to free wireless hotspots with **Network & Internet** settings, from the taskbar or Control Panel, or by using Wi-Fi Settings (for mobile devices).| -|XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer.

          However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you may need to [install XPS Viewer from **Apps and Features** in the Settings app](https://docs.microsoft.com/windows/application-management/add-apps-and-features) or through [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.| - - -## Features we’re no longer developing - -We are no longer actively developing these features and may remove them from a future update. Some features have been replaced with other features or functionality, while others are now available from different sources. - -If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). - -|Feature |Instead you can use...| -|-----------|---------------------| -|[Software Restriction Policies](https://docs.microsoft.com/windows-server/identity/software-restriction-policies/software-restriction-policies) in Group Policy|Instead of using the Software Restriction Policies through Group Policy, you can use [AppLocker](https://docs.microsoft.com/windows/security/threat-protection/applocker/applocker-overview) or [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control) to control which apps users can access and what code can run in the kernel.| -|[Offline symbol packages](https://docs.microsoft.com/windows-hardware/drivers/debugger/debugger-download-symbols) (Debug symbol MSIs)|We're no longer making the symbol packages available as a downloadable MSI. Instead, the [Microsoft Symbol Server is moving to be an Azure-based symbol store](https://blogs.msdn.microsoft.com/windbg/2017/10/18/update-on-microsofts-symbol-server/). If you need the Windows symbols, connect to the Microsoft Symbol Server to cache your symbols locally or use a manifest file with SymChk.exe on a computer with internet access.| -|Windows Help Viewer (WinHlp32.exe)|All Windows help information is [available online](https://support.microsoft.com/products/windows?os=windows-10). The Windows Help Viewer is no longer supported in Windows 10. If for any reason you see an error message about "help not supported," possibly when using a non-Microsoft application, read [this support article](https://support.microsoft.com/help/917607/error-opening-help-in-windows-based-programs-feature-not-included-or-h) for additional information and any next steps.| -|Contacts feature in File Explorer|We're no longer developing the Contacts feature or the corresponding [Windows Contacts API](https://msdn.microsoft.com/library/ff800913.aspx). Instead, you can use the People app in Windows 10 to maintain your contacts.| -|Phone Companion|Use the **Phone** page in the Settings app. In Windows 10, version 1709, we added the new **Phone** page to help you sync your mobile phone with your PC. It includes all the Phone Companion features.| -|IPv4/6 Transition Technologies (6to4, ISATAP, and Direct Tunnels)|6to4 has been disabled by default since Windows 10, version 1607 (the Anniversary Update), ISATAP has been disabled by default since Windows 10, version 1703 (the Creators Update), and Direct Tunnels has always been disabled by default. Please use native IPv6 support instead.| -|[Layered Service Providers](https://msdn.microsoft.com/library/windows/desktop/bb513664)|Layered Service Providers have been deprecated since Windows 8 and Windows Server 2012. Use the [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510) instead. When you upgrade from an older version of Windows, any layered service providers you're using aren't migrated; you'll need to re-install them after upgrading.| -|Business Scanning, also called Distributed Scan Management (DSM) **(Added 05/03/2018)**|The [Scan Management functionality](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759124(v=ws.11)) was introduced in Windows 7 and enabled secure scanning and the management of scanners in an enterprise. We're no longer investing in this feature, and there are no devices available that support it.| +--- +title: Windows 10, version 1803 - Features that have been removed +description: Learn about features that will be removed or deprecated in Windows 10, version 1803, or a future release +ms.prod: w10 +ms.mktglfcycl: plan +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.author: greglin +ms.date: 08/16/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- +# Features removed or planned for replacement starting with Windows 10, version 1803 + +> Applies to: Windows 10, version 1803 + +Each release of Windows 10 adds new features and functionality; we also occasionally remove features and functionality, usually because we've added a better option. Here are the details about the features and functionalities that we removed in Windows 10, version 1803 (also called Windows 10 April 2018 Update). + +> [!TIP] +> - You can get early access to Windows 10 builds by joining the [Windows Insider program](https://insider.windows.com) - this is a great way to test feature changes. +> - Have questions about other releases? Check out the information for [Windows 10, version 1703](windows-10-creators-update-deprecation.md), and [Windows 10, version 1709](windows-10-fall-creators-deprecation.md). + +**The list is subject to change and might not include every affected feature or functionality.** + +## Features we removed in this release + +We've removed the following features and functionalities from the installed product image in Windows 10, version 1803. Applications or code that depend on these features won't function in this release unless you use an alternate method. + +|Feature |Instead you can use...| +|-----------|-------------------- +|Groove Music Pass|[We ended the Groove streaming music service and music track sales through the Microsoft Store in 2017](https://support.microsoft.com/help/4046109/groove-music-and-spotify-faq). The Groove app is being updated to reflect this change. You can still use Groove Music to play the music on your PC or to stream music from OneDrive. You can use Spotify or other music services to stream music on Windows 10, or to buy music to own.| +|People - Suggestions will no longer include unsaved contacts for non-Microsoft accounts|Manually save the contact details for people you send mail to or get mail from.| +|Language control in the Control Panel| Use the Settings app to change your language settings.| +|HomeGroup|We are removing [HomeGroup](https://support.microsoft.com/help/17145) but not your ability to share printers, files, and folders.

          When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.

          Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10:
          - [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10)
          - [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) | +|**Connect to suggested open hotspots** option in Wi-Fi settings |We previously [disabled the **Connect to suggested open hotspots** option](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) and are now removing it from the Wi-Fi settings page. You can manually connect to free wireless hotspots with **Network & Internet** settings, from the taskbar or Control Panel, or by using Wi-Fi Settings (for mobile devices).| +|XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer.

          However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you may need to [install XPS Viewer from **Apps and Features** in the Settings app](https://docs.microsoft.com/windows/application-management/add-apps-and-features) or through [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.| + + +## Features we’re no longer developing + +We are no longer actively developing these features and may remove them from a future update. Some features have been replaced with other features or functionality, while others are now available from different sources. + +If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). + +|Feature |Instead you can use...| +|-----------|---------------------| +|[Software Restriction Policies](https://docs.microsoft.com/windows-server/identity/software-restriction-policies/software-restriction-policies) in Group Policy|Instead of using the Software Restriction Policies through Group Policy, you can use [AppLocker](https://docs.microsoft.com/windows/security/threat-protection/applocker/applocker-overview) or [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control) to control which apps users can access and what code can run in the kernel.| +|[Offline symbol packages](https://docs.microsoft.com/windows-hardware/drivers/debugger/debugger-download-symbols) (Debug symbol MSIs)|We're no longer making the symbol packages available as a downloadable MSI. Instead, the [Microsoft Symbol Server is moving to be an Azure-based symbol store](https://blogs.msdn.microsoft.com/windbg/2017/10/18/update-on-microsofts-symbol-server/). If you need the Windows symbols, connect to the Microsoft Symbol Server to cache your symbols locally or use a manifest file with SymChk.exe on a computer with internet access.| +|Windows Help Viewer (WinHlp32.exe)|All Windows help information is [available online](https://support.microsoft.com/products/windows?os=windows-10). The Windows Help Viewer is no longer supported in Windows 10. If for any reason you see an error message about "help not supported," possibly when using a non-Microsoft application, read [this support article](https://support.microsoft.com/help/917607/error-opening-help-in-windows-based-programs-feature-not-included-or-h) for additional information and any next steps.| +|Contacts feature in File Explorer|We're no longer developing the Contacts feature or the corresponding [Windows Contacts API](https://msdn.microsoft.com/library/ff800913.aspx). Instead, you can use the People app in Windows 10 to maintain your contacts.| +|Phone Companion|Use the **Phone** page in the Settings app. In Windows 10, version 1709, we added the new **Phone** page to help you sync your mobile phone with your PC. It includes all the Phone Companion features.| +|IPv4/6 Transition Technologies (6to4, ISATAP, and Direct Tunnels)|6to4 has been disabled by default since Windows 10, version 1607 (the Anniversary Update), ISATAP has been disabled by default since Windows 10, version 1703 (the Creators Update), and Direct Tunnels has always been disabled by default. Please use native IPv6 support instead.| +|[Layered Service Providers](https://msdn.microsoft.com/library/windows/desktop/bb513664)|Layered Service Providers have been deprecated since Windows 8 and Windows Server 2012. Use the [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510) instead. When you upgrade from an older version of Windows, any layered service providers you're using aren't migrated; you'll need to re-install them after upgrading.| +|Business Scanning, also called Distributed Scan Management (DSM) **(Added 05/03/2018)**|The [Scan Management functionality](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759124(v=ws.11)) was introduced in Windows 7 and enabled secure scanning and the management of scanners in an enterprise. We're no longer investing in this feature, and there are no devices available that support it.| diff --git a/windows/deployment/planning/windows-10-1809-removed-features.md b/windows/deployment/planning/windows-10-1809-removed-features.md index e42f426c19..a538532b77 100644 --- a/windows/deployment/planning/windows-10-1809-removed-features.md +++ b/windows/deployment/planning/windows-10-1809-removed-features.md @@ -1,52 +1,52 @@ ---- -title: Windows 10, version 1809 - Features that have been removed -description: Learn about features that will be removed or deprecated in Windows 10, version 1809, or a future release -ms.prod: w10 -ms.mktglfcycl: plan -ms.localizationpriority: medium -ms.sitesec: library -author: greg-lindsay -ms.author: greglin -ms.date: 11/16/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- -# Features removed or planned for replacement starting with Windows 10, version 1809 - -> Applies to: Windows 10, version 1809 - -Each release of Windows 10 adds new features and functionality; we also occasionally remove features and functionality, usually because we've added a better option. Here are the details about the features and functionalities that we removed in Windows 10, version 1809. - -> [!TIP] -> - You can get early access to Windows 10 builds by joining the [Windows Insider program](https://insider.windows.com) - this is a great way to test feature changes. -> - Have questions about other releases? Check out the information for [Windows 10, version 1803](windows-10-1803-removed-features.md), [Windows 10, version 1709](windows-10-fall-creators-deprecation.md), and [Windows 10, version 1703](windows-10-creators-update-deprecation.md). - -**The list is subject to change and might not include every affected feature or functionality.** - -## Features we removed in this release - -We're removing the following features and functionalities from the installed product image in Windows 10, version 1809. Applications or code that depend on these features won't function in this release unless you use an alternate method. - -|Feature |Instead you can use...| -|-----------|-------------------- -|Business Scanning, also called Distributed Scan Management (DSM)|We're removing this secure scanning and scanner management capability - there are no devices that support this feature.| -|[FontSmoothing setting](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-visualeffects-fontsmoothing) in unattend.xml|The FontSmoothing setting let you specify the font antialiasing strategy to use across the system. We've changed Windows 10 to use [ClearType](https://docs.microsoft.com/typography/cleartype/) by default, so we're removing this setting as it is no longer necessary. If you include this setting in the unattend.xml file, it'll be ignored.| -|Hologram app|We've replaced the Hologram app with the [Mixed Reality Viewer](https://support.microsoft.com/help/4041156/windows-10-mixed-reality-help). If you would like to create 3D word art, you can still do that in Paint 3D and view your art in VR or Hololens with the Mixed Reality Viewer.| -|limpet.exe|We're releasing the limpet.exe tool, used to access TPM for Azure connectivity, as open source.| -|Phone Companion|When you update to Windows 10, version 1809, the Phone Companion app will be removed from your PC. Use the **Phone** page in the Settings app to sync your mobile phone with your PC. It includes all the Phone Companion features.| -|Future updates through [Windows Embedded Developer Update](https://docs.microsoft.com/previous-versions/windows/embedded/ff770079\(v=winembedded.60\)) for Windows Embedded Standard 7-SP1 (WES7-SP1) and Windows Embedded Standard 8 (WES8)|We’re no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/Home.aspx). [Learn how](https://techcommunity.microsoft.com/t5/Windows-Embedded/Change-to-the-Windows-Embedded-Developer-Update/ba-p/285704) to get updates from the catalog.| - -## Features we’re no longer developing - -We're no longer actively developing these features and may remove them from a future update. Some features have been replaced with other features or functionality, while others are now available from different sources. - -If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). - -|Feature |Instead you can use...| -|-----------|---------------------| -|Companion device dynamic lock APIS|The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced [Dynamic Lock](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features#dynamic-lock), including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. Because of this, and because third party partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs.| -|OneSync service|The OneSync service synchronizes data for the Mail, Calendar, and People apps. We've added a sync engine to the Outlook app that provides the same synchronization.| -|Snipping Tool|The Snipping Tool is an application included in Windows 10 that is used to capture screenshots, either the full screen or a smaller, custom "snip" of the screen. In Windows 10, version 1809, we're [introducing a new universal app, Snip & Sketch](https://blogs.windows.com/windowsexperience/2018/05/03/announcing-windows-10-insider-preview-build-17661/#8xbvP8vMO0lF20AM.97), that provides the same screen snipping abilities, as well as additional features. You can launch Snip & Sketch directly and start a snip from there, or just press WIN + Shift + S. Snip & Sketch can also be launched from the “Screen snip” button in the Action Center. We're no longer developing the Snipping Tool as a separate app but are instead consolidating its functionality into Snip & Sketch.| - - +--- +title: Windows 10, version 1809 - Features that have been removed +description: Learn about features that will be removed or deprecated in Windows 10, version 1809, or a future release +ms.prod: w10 +ms.mktglfcycl: plan +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.author: greglin +ms.date: 11/16/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- +# Features removed or planned for replacement starting with Windows 10, version 1809 + +> Applies to: Windows 10, version 1809 + +Each release of Windows 10 adds new features and functionality; we also occasionally remove features and functionality, usually because we've added a better option. Here are the details about the features and functionalities that we removed in Windows 10, version 1809. + +> [!TIP] +> - You can get early access to Windows 10 builds by joining the [Windows Insider program](https://insider.windows.com) - this is a great way to test feature changes. +> - Have questions about other releases? Check out the information for [Windows 10, version 1803](windows-10-1803-removed-features.md), [Windows 10, version 1709](windows-10-fall-creators-deprecation.md), and [Windows 10, version 1703](windows-10-creators-update-deprecation.md). + +**The list is subject to change and might not include every affected feature or functionality.** + +## Features we removed in this release + +We're removing the following features and functionalities from the installed product image in Windows 10, version 1809. Applications or code that depend on these features won't function in this release unless you use an alternate method. + +|Feature |Instead you can use...| +|-----------|-------------------- +|Business Scanning, also called Distributed Scan Management (DSM)|We're removing this secure scanning and scanner management capability - there are no devices that support this feature.| +|[FontSmoothing setting](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-visualeffects-fontsmoothing) in unattend.xml|The FontSmoothing setting let you specify the font antialiasing strategy to use across the system. We've changed Windows 10 to use [ClearType](https://docs.microsoft.com/typography/cleartype/) by default, so we're removing this setting as it is no longer necessary. If you include this setting in the unattend.xml file, it'll be ignored.| +|Hologram app|We've replaced the Hologram app with the [Mixed Reality Viewer](https://support.microsoft.com/help/4041156/windows-10-mixed-reality-help). If you would like to create 3D word art, you can still do that in Paint 3D and view your art in VR or Hololens with the Mixed Reality Viewer.| +|limpet.exe|We're releasing the limpet.exe tool, used to access TPM for Azure connectivity, as open source.| +|Phone Companion|When you update to Windows 10, version 1809, the Phone Companion app will be removed from your PC. Use the **Phone** page in the Settings app to sync your mobile phone with your PC. It includes all the Phone Companion features.| +|Future updates through [Windows Embedded Developer Update](https://docs.microsoft.com/previous-versions/windows/embedded/ff770079\(v=winembedded.60\)) for Windows Embedded Standard 7-SP1 (WES7-SP1) and Windows Embedded Standard 8 (WES8)|We’re no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/Home.aspx). [Learn how](https://techcommunity.microsoft.com/t5/Windows-Embedded/Change-to-the-Windows-Embedded-Developer-Update/ba-p/285704) to get updates from the catalog.| + +## Features we’re no longer developing + +We're no longer actively developing these features and may remove them from a future update. Some features have been replaced with other features or functionality, while others are now available from different sources. + +If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). + +|Feature |Instead you can use...| +|-----------|---------------------| +|Companion device dynamic lock APIS|The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced [Dynamic Lock](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features#dynamic-lock), including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. Because of this, and because third party partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs.| +|OneSync service|The OneSync service synchronizes data for the Mail, Calendar, and People apps. We've added a sync engine to the Outlook app that provides the same synchronization.| +|Snipping Tool|The Snipping Tool is an application included in Windows 10 that is used to capture screenshots, either the full screen or a smaller, custom "snip" of the screen. In Windows 10, version 1809, we're [introducing a new universal app, Snip & Sketch](https://blogs.windows.com/windowsexperience/2018/05/03/announcing-windows-10-insider-preview-build-17661/#8xbvP8vMO0lF20AM.97), that provides the same screen snipping abilities, as well as additional features. You can launch Snip & Sketch directly and start a snip from there, or just press WIN + Shift + S. Snip & Sketch can also be launched from the “Screen snip” button in the Action Center. We're no longer developing the Snipping Tool as a separate app but are instead consolidating its functionality into Snip & Sketch.| + + diff --git a/windows/deployment/planning/windows-10-1903-removed-features.md b/windows/deployment/planning/windows-10-1903-removed-features.md index 9e5370e4e5..2c73c4bc18 100644 --- a/windows/deployment/planning/windows-10-1903-removed-features.md +++ b/windows/deployment/planning/windows-10-1903-removed-features.md @@ -1,43 +1,43 @@ ---- -title: Windows 10, version 1903 - Features that have been removed -description: Learn about features that will be removed or deprecated in Windows 10, version 1903, or a future release -ms.prod: w10 -ms.mktglfcycl: plan -ms.localizationpriority: medium -ms.sitesec: library -author: greg-lindsay -manager: laurawi -ms.author: greglin -ms.topic: article ---- -# Features removed or planned for replacement starting with Windows 10, version 1903 - -> Applies to: Windows 10, version 1903 - -Each version of Windows 10 adds new features and functionality; occasionally we also remove features and functionality, often because we've added a better option. Below are the details about the features and functionalities that we removed in Windows 10, version 1903. **The list below is subject to change and might not include every affected feature or functionality.** - -**Note**: Join the [Windows Insider program](https://insider.windows.com) to get early access to new Windows 10 builds and test these changes yourself. - -## Features we removed or will remove soon - -The following features and functionalities are removed from the installed product image for Windows 10, version 1903, or are planned for removal in an upcoming release. Applications or code that depend on these features won't function in this release unless you use another method. - - -| Feature | Details | -|---------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| XDDM-based remote display driver | Starting with this release the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote indirect display driver ISVs can reach out to [rdsdev@microsoft.com](mailto:rdsdev@microsoft.com). | -| Desktop messaging app doesn't offer messages sync | The messaging app on Desktop has a sync feature that can be used to sync SMS text messages received from Windows Mobile and keep a copy of them on the Desktop. The sync feature has been removed from all devices. Due to this change, you will only be able to access messages from the device that received the message. | - -## Features we’re no longer developing - -We're no longer actively developing these features and may remove them from a future update. Some features have been replaced with other features or functionality, while others are now available from different sources. - -If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). - -|Feature |Details| -|-----------|---------------------| -| Taskbar settings roaming| Roaming of taskbar settings is no longer being developed and we plan to disable this capability in a future release| -|Wi-Fi WEP and TKIP|In this release a warning message will appear when connecting to Wi-Fi networks secured with WEP or TKIP, which are not as secure as those using WPA2 or WPA3. In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3. | -|Windows To Go|Windows To Go is no longer being developed.

          The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.| -|Print 3D app|Going forward, 3D Builder is the recommended 3D printing app. To 3D print objects on new Windows devices, customers must first install 3D Builder from the Store.| - +--- +title: Windows 10, version 1903 - Features that have been removed +description: Learn about features that will be removed or deprecated in Windows 10, version 1903, or a future release +ms.prod: w10 +ms.mktglfcycl: plan +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro author: greg-lindsay +manager: laurawi +ms.author: greglin +ms.topic: article +--- +# Features removed or planned for replacement starting with Windows 10, version 1903 + +> Applies to: Windows 10, version 1903 + +Each version of Windows 10 adds new features and functionality; occasionally we also remove features and functionality, often because we've added a better option. Below are the details about the features and functionalities that we removed in Windows 10, version 1903. **The list below is subject to change and might not include every affected feature or functionality.** + +**Note**: Join the [Windows Insider program](https://insider.windows.com) to get early access to new Windows 10 builds and test these changes yourself. + +## Features we removed or will remove soon + +The following features and functionalities are removed from the installed product image for Windows 10, version 1903, or are planned for removal in an upcoming release. Applications or code that depend on these features won't function in this release unless you use another method. + + +| Feature | Details | +|---------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| XDDM-based remote display driver | Starting with this release the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote indirect display driver ISVs can reach out to [rdsdev@microsoft.com](mailto:rdsdev@microsoft.com). | +| Desktop messaging app doesn't offer messages sync | The messaging app on Desktop has a sync feature that can be used to sync SMS text messages received from Windows Mobile and keep a copy of them on the Desktop. The sync feature has been removed from all devices. Due to this change, you will only be able to access messages from the device that received the message. | + +## Features we’re no longer developing + +We're no longer actively developing these features and may remove them from a future update. Some features have been replaced with other features or functionality, while others are now available from different sources. + +If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). + +|Feature |Details| +|-----------|---------------------| +| Taskbar settings roaming| Roaming of taskbar settings is no longer being developed and we plan to disable this capability in a future release| +|Wi-Fi WEP and TKIP|In this release a warning message will appear when connecting to Wi-Fi networks secured with WEP or TKIP, which are not as secure as those using WPA2 or WPA3. In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3. | +|Windows To Go|Windows To Go is no longer being developed.

          The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.| +|Print 3D app|Going forward, 3D Builder is the recommended 3D printing app. To 3D print objects on new Windows devices, customers must first install 3D Builder from the Store.| + diff --git a/windows/deployment/planning/windows-10-compatibility.md b/windows/deployment/planning/windows-10-compatibility.md index 11a81f2181..464e7e03de 100644 --- a/windows/deployment/planning/windows-10-compatibility.md +++ b/windows/deployment/planning/windows-10-compatibility.md @@ -1,60 +1,60 @@ ---- -title: Windows 10 compatibility (Windows 10) -description: Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. -ms.assetid: 829BE5B5-330A-4702-807A-8908B4FC94E8 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: deploy, upgrade, update, appcompat -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.localizationpriority: medium -ms.sitesec: library -author: greg-lindsay -ms.topic: article ---- - -# Windows 10 compatibility - - -**Applies to** - -- Windows 10 - -Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. - -For full system requirements, see [Windows 10 specifications](https://go.microsoft.com/fwlink/p/?LinkId=625077). Some driver updates may be required for Windows 10. - -Existing desktop (Win32) application compatibility is also expected to be strong, with most existing applications working without any changes. Some applications that interface with Windows at a low level, those that use undocumented APIs, or those that do not follow recommended coding practices could experience issues. - -Existing Windows Store (WinRT) apps created for Windows 8 and Windows 8.1 should also continue to work, because compatibility can be validated against all the apps that have been submitted to the Windows Store. - -For web apps and sites, modern HTML5-based sites should also have a high degree of compatibility and excellent performance through the new Microsoft Edge browser, while older web apps and sites can continue to use Internet Explorer 11 and the Enterprise Mode features that were first introduced in Windows 7 and Windows 8.1 and are still present in Windows 10. For more information about Internet Explorer and Enterprise Mode, see the [Internet Explorer 11 Deployment Guide for IT Pros.](https://go.microsoft.com/fwlink/p/?LinkId=734031) - -## Recommended application testing process - - -Historically, organizations have performed extensive, and often exhaustive, testing of the applications they use before deployment of a new Windows version, service pack, or any other significant update. With Windows 10, organizations are encouraged to leverage more optimized testing processes, which reflects the higher levels of compatibility that are expected. At a high level: - -- Identify mission-critical applications and websites, those that are absolutely essential to the organization’s operations. Focus testing efforts on this subset of applications, early in the Windows development cycle (for example, with Windows Insider Program builds) to identify potential issues. Report any issues you encounter with the Windows Feedback tool, so that these issues can be addressed prior to the next Windows release. - -- For less critical applications, leverage an “internal flighting” or pilot-based approach, by deploying new Windows upgrades to groups of machines, growing gradually in size and potential impact, to verify compatibility with hardware and software. Reactively address issues before you expand the pilot to more machines. - -## Related topics - - -[Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md) - -[Windows 10 deployment considerations](windows-10-deployment-considerations.md) - -[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) - -  - -  - - - - - +--- +title: Windows 10 compatibility (Windows 10) +description: Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. +ms.assetid: 829BE5B5-330A-4702-807A-8908B4FC94E8 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: deploy, upgrade, update, appcompat +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Windows 10 compatibility + + +**Applies to** + +- Windows 10 + +Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. + +For full system requirements, see [Windows 10 specifications](https://go.microsoft.com/fwlink/p/?LinkId=625077). Some driver updates may be required for Windows 10. + +Existing desktop (Win32) application compatibility is also expected to be strong, with most existing applications working without any changes. Some applications that interface with Windows at a low level, those that use undocumented APIs, or those that do not follow recommended coding practices could experience issues. + +Existing Windows Store (WinRT) apps created for Windows 8 and Windows 8.1 should also continue to work, because compatibility can be validated against all the apps that have been submitted to the Windows Store. + +For web apps and sites, modern HTML5-based sites should also have a high degree of compatibility and excellent performance through the new Microsoft Edge browser, while older web apps and sites can continue to use Internet Explorer 11 and the Enterprise Mode features that were first introduced in Windows 7 and Windows 8.1 and are still present in Windows 10. For more information about Internet Explorer and Enterprise Mode, see the [Internet Explorer 11 Deployment Guide for IT Pros.](https://go.microsoft.com/fwlink/p/?LinkId=734031) + +## Recommended application testing process + + +Historically, organizations have performed extensive, and often exhaustive, testing of the applications they use before deployment of a new Windows version, service pack, or any other significant update. With Windows 10, organizations are encouraged to leverage more optimized testing processes, which reflects the higher levels of compatibility that are expected. At a high level: + +- Identify mission-critical applications and websites, those that are absolutely essential to the organization’s operations. Focus testing efforts on this subset of applications, early in the Windows development cycle (for example, with Windows Insider Program builds) to identify potential issues. Report any issues you encounter with the Windows Feedback tool, so that these issues can be addressed prior to the next Windows release. + +- For less critical applications, leverage an “internal flighting” or pilot-based approach, by deploying new Windows upgrades to groups of machines, growing gradually in size and potential impact, to verify compatibility with hardware and software. Reactively address issues before you expand the pilot to more machines. + +## Related topics + + +[Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md) + +[Windows 10 deployment considerations](windows-10-deployment-considerations.md) + +[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) + +  + +  + + + + + diff --git a/windows/deployment/planning/windows-10-deployment-considerations.md b/windows/deployment/planning/windows-10-deployment-considerations.md index e21d82200b..a1156b67f9 100644 --- a/windows/deployment/planning/windows-10-deployment-considerations.md +++ b/windows/deployment/planning/windows-10-deployment-considerations.md @@ -1,144 +1,144 @@ ---- -title: Windows 10 deployment considerations (Windows 10) -description: There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications. -ms.assetid: A8DD6B37-1E11-4CD6-B588-92C2404219FE -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: deploy, upgrade, update, in-place -ms.prod: w10 -ms.localizationpriority: medium -ms.mktglfcycl: plan -ms.sitesec: library -author: greg-lindsay -ms.topic: article ---- - -# Windows 10 deployment considerations - - -**Applies to** - -- Windows 10 - -There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications. - -For many years, organizations have deployed new versions of Windows using a “wipe and load” deployment process. At a high level, this process captures existing data and settings from the existing device, deploys a new custom-built Windows image to a PC, injects hardware drivers, reinstalls applications, and finally restores the data and settings. With Windows 10, this process is still fully supported, and for some deployment scenarios is still necessary. - -Windows 10 also introduces two additional scenarios that organizations should consider: - -- **In-place upgrade**, which provides a simple, automated process that leverages the Windows setup process to automatically upgrade from an earlier version of Windows. This process automatically migrates existing data, settings, drivers, and applications. - -- **Dynamic provisioning**, which enables organizations to configure new Windows 10 devices for organization use without having to deploy a new custom organization image to the device. - - Both of these scenarios eliminate the image creation process altogether, which can greatly simplify the deployment process. - - So how do you choose? At a high level: - - ---- - - - - - - - - - - - - - - - - - - - - -
          Consider ...For these scenarios
          In-place upgrade
            -

          • When you want to keep all (or at least most) existing applications

            • -

          • When you do not plan to significantly change the device configuration (for example, BIOS to UEFI) or operating system configuration (for example, x86 to x64, language changes, Administrators to non-Administrators, Active Directory domain consolidations)

            • -

          • To migrate from Windows 10 to a later Windows 10 release

            • -
          Traditional wipe-and-load
            -

          • When you upgrade significant numbers of applications along with the new Windows OS

            • -

          • When you make significant device or operating system configuration changes

            • -

          • When you “start clean”. For example, scenarios where it is not necessary to preserve existing apps or data (for example, call centers) or when you move from unmanaged to well-managed PCs

            • -

          • When you migrate from Windows Vista or other previous operating system versions

            • -
          Dynamic provisioning
            -

          • For new devices, especially in “choose your own device” scenarios when simple configuration (not reimaging) is all that is required

            • -

          • When used in combination with a management tool (for example, an MDM service like Microsoft Intune) that enables self-service installation of user-specific or role-specific apps

            • -
          - -  - -## Migration from previous Windows versions - - -For existing PCs running Windows 7 or Windows 8.1, in-place upgrade is the recommended method for Windows 10 deployment and should be used whenever possible. Although wipe-and-load (OS refresh) deployments are still fully supported (and necessary in some scenarios, as mentioned previously), in-place upgrade is simpler and faster, and enables a faster Windows 10 deployment overall. - -Note that the original Windows 8 release is only supported until January 2016. Organizations that do not think they can complete a full Windows 10 migration by that date should deploy Windows 8.1 now and consider Windows 10 after Windows 8 has been removed from the environment. - -For existing Windows PCs running Windows Vista, you can perform wipe-and-load (OS refresh) deployments when you use compatible hardware. - -Note that to take advantage of the limited-time free upgrade offer for PCs running Windows 7, Windows 8, or Windows 8.1, you must leverage an in-place upgrade, either from Windows Update or by using the upgrade media available from the [Windows 10 software download page](https://go.microsoft.com/fwlink/p/?LinkId=625073) to acquire a new Windows 10 license from the Windows Store. For more information, refer to the [Windows 10 FAQ](https://go.microsoft.com/fwlink/p/?LinkId=625074). - -For organizations with Software Assurance for Windows, both in-place upgrade or wipe-and-load can be leveraged (with in-place upgrade being the preferred method, as previously discussed). - -For organizations that do not take advantage of the free upgrade offer and are not enrolled in Software Assurance for Windows, Windows 10 upgrade licenses are available for purchase through existing Volume License (VL) agreements. - -## Setup of new computers - - -For new computers acquired with Windows 10 preinstalled, you can leverage dynamic provisioning scenarios to transform the device from its initial state into a fully-configured organization PC. There are two primary dynamic provisioning scenarios you can use: - -- **User-driven, from the cloud.** By joining a device into Azure Active Directory and leveraging the automatic mobile device management (MDM) provisioning capabilities at the same time, an end user can initiate the provisioning process themselves just by entering the Azure Active Directory account and password (called their “work or school account” within Windows 10). The MDM service can then transform the device into a fully-configured organization PC. For more information, see [Azure Active Directory integration with MDM](https://go.microsoft.com/fwlink/p/?LinkId=625075). - -- **IT admin-driven, using new tools.** Using the new Windows Imaging and Configuration Designer (ICD) tool, IT administrators can create provisioning packages that can be applied to a computer to transform it into a fully-configured organization PC. For more information, see [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=625076). - -In either of these scenarios, you can make a variety of configuration changes to the PC: - -- Transform the edition (SKU) of Windows 10 that is in use. - -- Apply configuration and settings to the device (for example, security settings, device restrictions, policies, Wi-Fi and VPN profiles, certificates, and so on). - -- Install apps, language packs, and updates. - -- Enroll the device in a management solution (applicable for IT admin-driven scenarios, configuring the device just enough to allow the management tool to take over configuration and ongoing management). - -## Stay up to date - - -For computers already running Windows 10 on the Semi-Annual Channel, new upgrades will periodically be deployed, approximately two to three times per year. You can deploy these upgrades by using a variety of methods: - -- Windows Update or Windows Update for Business, for devices where you want to receive updates directly from the Internet. - -- Windows Server Update Services (WSUS), for devices configured to pull updates from internal servers after they are approved (deploying like an update). Note that this will require updates to WSUS, which are only available for Windows Server 2012 and Windows Server 2012 R2, not previous versions. - -- System Center Configuration Manager task sequences (with Configuration Manager 2012, 2012 R2, and later versions). - -- System Center Configuration Manager vNext software update capabilities (deploying like an update). - -Note that these upgrades (which are installed differently than monthly updates) will leverage an in-place upgrade process. Unlike updates, which are relatively small, these upgrades will include a full operating system image (around 3 GB for 64-bit operating systems), which requires time (1-2 hours) and disk space (approximately 10 GB) to complete. Ensure that the deployment method you use can support the required network bandwidth and/or disk space requirements. - -Over time, this upgrade process will be optimized to reduce the overall time and network bandwidth consumed. - -## Related topics - - -[Windows 10 compatibility](windows-10-compatibility.md) - -[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) - -  - -  - - - - - +--- +title: Windows 10 deployment considerations (Windows 10) +description: There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications. +ms.assetid: A8DD6B37-1E11-4CD6-B588-92C2404219FE +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: deploy, upgrade, update, in-place +ms.prod: w10 +ms.localizationpriority: medium +ms.mktglfcycl: plan +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Windows 10 deployment considerations + + +**Applies to** + +- Windows 10 + +There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications. + +For many years, organizations have deployed new versions of Windows using a “wipe and load” deployment process. At a high level, this process captures existing data and settings from the existing device, deploys a new custom-built Windows image to a PC, injects hardware drivers, reinstalls applications, and finally restores the data and settings. With Windows 10, this process is still fully supported, and for some deployment scenarios is still necessary. + +Windows 10 also introduces two additional scenarios that organizations should consider: + +- **In-place upgrade**, which provides a simple, automated process that leverages the Windows setup process to automatically upgrade from an earlier version of Windows. This process automatically migrates existing data, settings, drivers, and applications. + +- **Dynamic provisioning**, which enables organizations to configure new Windows 10 devices for organization use without having to deploy a new custom organization image to the device. + + Both of these scenarios eliminate the image creation process altogether, which can greatly simplify the deployment process. + + So how do you choose? At a high level: + + ++++ + + + + + + + + + + + + + + + + + + + + +
          Consider ...For these scenarios
          In-place upgrade
            +

          • When you want to keep all (or at least most) existing applications

            • +

          • When you do not plan to significantly change the device configuration (for example, BIOS to UEFI) or operating system configuration (for example, x86 to x64, language changes, Administrators to non-Administrators, Active Directory domain consolidations)

            • +

          • To migrate from Windows 10 to a later Windows 10 release

            • +
          Traditional wipe-and-load
            +

          • When you upgrade significant numbers of applications along with the new Windows OS

            • +

          • When you make significant device or operating system configuration changes

            • +

          • When you “start clean”. For example, scenarios where it is not necessary to preserve existing apps or data (for example, call centers) or when you move from unmanaged to well-managed PCs

            • +

          • When you migrate from Windows Vista or other previous operating system versions

            • +
          Dynamic provisioning
            +

          • For new devices, especially in “choose your own device” scenarios when simple configuration (not reimaging) is all that is required

            • +

          • When used in combination with a management tool (for example, an MDM service like Microsoft Intune) that enables self-service installation of user-specific or role-specific apps

            • +
          + +  + +## Migration from previous Windows versions + + +For existing PCs running Windows 7 or Windows 8.1, in-place upgrade is the recommended method for Windows 10 deployment and should be used whenever possible. Although wipe-and-load (OS refresh) deployments are still fully supported (and necessary in some scenarios, as mentioned previously), in-place upgrade is simpler and faster, and enables a faster Windows 10 deployment overall. + +Note that the original Windows 8 release is only supported until January 2016. Organizations that do not think they can complete a full Windows 10 migration by that date should deploy Windows 8.1 now and consider Windows 10 after Windows 8 has been removed from the environment. + +For existing Windows PCs running Windows Vista, you can perform wipe-and-load (OS refresh) deployments when you use compatible hardware. + +Note that to take advantage of the limited-time free upgrade offer for PCs running Windows 7, Windows 8, or Windows 8.1, you must leverage an in-place upgrade, either from Windows Update or by using the upgrade media available from the [Windows 10 software download page](https://go.microsoft.com/fwlink/p/?LinkId=625073) to acquire a new Windows 10 license from the Windows Store. For more information, refer to the [Windows 10 FAQ](https://go.microsoft.com/fwlink/p/?LinkId=625074). + +For organizations with Software Assurance for Windows, both in-place upgrade or wipe-and-load can be leveraged (with in-place upgrade being the preferred method, as previously discussed). + +For organizations that do not take advantage of the free upgrade offer and are not enrolled in Software Assurance for Windows, Windows 10 upgrade licenses are available for purchase through existing Volume License (VL) agreements. + +## Setup of new computers + + +For new computers acquired with Windows 10 preinstalled, you can leverage dynamic provisioning scenarios to transform the device from its initial state into a fully-configured organization PC. There are two primary dynamic provisioning scenarios you can use: + +- **User-driven, from the cloud.** By joining a device into Azure Active Directory and leveraging the automatic mobile device management (MDM) provisioning capabilities at the same time, an end user can initiate the provisioning process themselves just by entering the Azure Active Directory account and password (called their “work or school account” within Windows 10). The MDM service can then transform the device into a fully-configured organization PC. For more information, see [Azure Active Directory integration with MDM](https://go.microsoft.com/fwlink/p/?LinkId=625075). + +- **IT admin-driven, using new tools.** Using the new Windows Imaging and Configuration Designer (ICD) tool, IT administrators can create provisioning packages that can be applied to a computer to transform it into a fully-configured organization PC. For more information, see [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=625076). + +In either of these scenarios, you can make a variety of configuration changes to the PC: + +- Transform the edition (SKU) of Windows 10 that is in use. + +- Apply configuration and settings to the device (for example, security settings, device restrictions, policies, Wi-Fi and VPN profiles, certificates, and so on). + +- Install apps, language packs, and updates. + +- Enroll the device in a management solution (applicable for IT admin-driven scenarios, configuring the device just enough to allow the management tool to take over configuration and ongoing management). + +## Stay up to date + + +For computers already running Windows 10 on the Semi-Annual Channel, new upgrades will periodically be deployed, approximately two to three times per year. You can deploy these upgrades by using a variety of methods: + +- Windows Update or Windows Update for Business, for devices where you want to receive updates directly from the Internet. + +- Windows Server Update Services (WSUS), for devices configured to pull updates from internal servers after they are approved (deploying like an update). Note that this will require updates to WSUS, which are only available for Windows Server 2012 and Windows Server 2012 R2, not previous versions. + +- System Center Configuration Manager task sequences (with Configuration Manager 2012, 2012 R2, and later versions). + +- System Center Configuration Manager vNext software update capabilities (deploying like an update). + +Note that these upgrades (which are installed differently than monthly updates) will leverage an in-place upgrade process. Unlike updates, which are relatively small, these upgrades will include a full operating system image (around 3 GB for 64-bit operating systems), which requires time (1-2 hours) and disk space (approximately 10 GB) to complete. Ensure that the deployment method you use can support the required network bandwidth and/or disk space requirements. + +Over time, this upgrade process will be optimized to reduce the overall time and network bandwidth consumed. + +## Related topics + + +[Windows 10 compatibility](windows-10-compatibility.md) + +[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) + +  + +  + + + + + diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md index f8e27483fe..2900db198c 100644 --- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md +++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md @@ -1,134 +1,134 @@ ---- -title: Windows 10 Enterprise FAQ for IT pros (Windows 10) -description: Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise. -keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage updates, Windows as a service, servicing channels, deployment tools -ms.prod: w10 -ms.mktglfcycl: plan -ms.localizationpriority: medium -ms.sitesec: library -author: greg-lindsay -ms.date: 08/18/2017 -ms.reviewer: -manager: laurawi -ms.author: greglin -author: greg-lindsay -ms.topic: article ---- - -# Windows 10 Enterprise: FAQ for IT professionals - -Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise. - -## Download and requirements - -### Where can I download Windows 10 Enterprise? - -If you have Windows volume licenses with Software Assurance, or if you have purchased licenses for Windows 10 Enterprise volume licenses, you can download 32-bit and 64-bit versions of Windows 10 Enterprise from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). If you do not have current Software Assurance for Windows and would like to purchase volume licenses for Windows 10 Enterprise, contact your preferred Microsoft Reseller or see [How to purchase through Volume Licensing](https://www.microsoft.com/en-us/Licensing/how-to-buy/how-to-buy.aspx). - -### What are the system requirements? - -For details, see [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752). - -### What are the hardware requirements for Windows 10? - -Most computers that are compatible with Windows 8.1 will be compatible with Windows 10. You may need to install updated drivers in Windows 10 for your devices to properly function. See [Windows 10 specifications](https://www.microsoft.com/windows/windows-10-specifications) for more information. - -### Can I evaluate Windows 10 Enterprise? - -Yes, a 90-day evaluation of Windows 10 Enterprise is available through the [TechNet Evaluation Center](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise). The evaluation is available in Chinese (Simplified), Chinese (Traditional), French, German, Italian, Japanese, Korean, Portuguese (Brazil), and Spanish (Spain, International Sort). We highly recommend that organizations make use of the Windows 10 Enterprise 90-day Evaluation to try out deployment and management scenarios, test compatibility with hardware and applications, and to get hands on experience with Windows 10 Enterprise features. - -## Drivers and compatibility - -### Where can I find drivers for my devices for Windows 10 Enterprise? - -For many devices, drivers will be automatically installed in Windows 10 and there will be no need for additional action. -- For some devices, Windows 10 may be unable to install drivers that are required for operation. If your device drivers are not automatically installed, visit the manufacturer’s support website for your device to download and manually install the drivers. If Windows 10 drivers are not available, the most up-to-date drivers for Windows 8.1 will often work in Windows 10. -- For some devices, the manufacturer may provide more up-to-date drivers or drivers that enable additional functionality than the drivers installed by Windows 10. Always follow the recommendations of the device manufacturer for optimal performance and stability. -- Some computer manufacturers provide packs of drivers for easy implementation in management and deployment solutions like the Microsoft Deployment Toolkit (MDT) or Microsoft System Center Configuration Manager. These driver packs contain all of the drivers needed for each device and can greatly simplify the process of deploying Windows to a new make or model of computer. Driver packs for some common manufacturers include: - - [HP driver pack](http://www8.hp.com/us/en/ads/clientmanagement/drivers-pack.html) - - [Dell driver packs for enterprise client OS deployment](http://en.community.dell.com/techcenter/enterprise-client/w/wiki/2065.dell-command-deploy-driver-packs-for-enterprise-client-os-deployment) - - [Lenovo Configuration Manager and MDT package index](https://support.lenovo.com/us/en/documents/ht074984) - - [Panasonic Driver Pack for Enterprise](http://pc-dl.panasonic.co.jp/itn/drivers/driver_packages.html) - -### Where can I find out if an application or device is compatible with Windows 10? - -Many existing Win32 and Win64 applications already run reliably on Windows 10 without any changes. You can also expect strong compatibility and support for Web apps and devices. The [Ready for Windows](https://www.readyforwindows.com/) website lists software solutions that are supported and in use for Windows 10. You can find additional guidance to help with application compatibility at [Windows 10 application compatibility](https://technet.microsoft.com/windows/mt703793) on the Windows IT Center. - -### Is there an easy way to assess if my organization’s devices are ready to upgrade to Windows 10? - -[Windows Analytics Upgrade Readiness](https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics) (formerly known as Upgrade Analytics) provides powerful insights and recommendations about the computers, applications, and drivers in your organization, at no extra cost and without additional infrastructure requirements. This new service guides you through your upgrade and feature update projects using a workflow based on Microsoft recommended practices. Up-to-date inventory data allows you to balance cost and risk in your upgrade projects. You can find additional product information at [Windows Analytics](https://www.microsoft.com/en-us/WindowsForBusiness/Windows-Analytics). - -## Administration and deployment - -### Which deployment tools support Windows 10? - -Updated versions of Microsoft deployment tools, including MDT, Configuration Manager, and the Windows Assessment and Deployment Kit (Windows ADK) have been released to support Windows 10. -- [MDT](https://www.microsoft.com/mdt) is Microsoft’s recommended collection of tools, processes, and guidance for automating desktop and server deployment. -- Configuration Manager simplifies the deployment and management of Windows 10. If you are not currently using Configuration Manager, you can download a free 180-day trial of [System Center Configuration Manager and Endpoint Protection (current branch)](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) from the TechNet Evaluation Center. -- The [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#winADK) has tools that allow you to customize Windows images for large-scale deployment, and test system quality and performance. You can download the latest version of the Windows ADK for Windows 10 from the Hardware Dev Center. - -### Can I upgrade computers from Windows 7 or Windows 8.1 without deploying a new image? - -Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device using MDT and/or Configuration Manager. For more information, see [Upgrade to Windows 10 with System Center Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager) or [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit). - -### Can I upgrade from Windows 7 Enterprise or Windows 8.1 Enterprise to Windows 10 Enterprise for free? - -If you have Windows 7 Enterprise or Windows 8.1 Enterprise and current Windows 10 Enterprise E3 or E5 subscription, you are entitled to the upgrade to Windows 10 Enterprise through the rights of Software Assurance. You can find your product keys and installation media at the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). - -For devices that are licensed under a volume license agreement for Windows that does not include Software Assurance, new licenses will be required to upgrade these devices to Windows 10. - -## Managing updates - -### What is Windows as a service? - -The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. For more information, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview). - -### How is servicing different with Windows as a service? - -Traditional Windows servicing has included several release types: major revisions (e.g., the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10, there are two release types: feature updates that add new functionality two to three times per year, and quality updates that provide security and reliability fixes at least once a month. - -### What are the servicing channels? - -To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers two servicing channels for Windows 10: Semi-Annual Channel, and Long-Term Servicing Channel (LTSC). For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each channel, see [servicing channels](/windows/deployment/update/waas-overview#servicing-channels). - -### What tools can I use to manage Windows as a service updates? - -There are many tools are available. You can choose from these: -- Windows Update -- Windows Update for Business -- Windows Server Update Services -- System Center Configuration Manager - -For more information on pros and cons for these tools, see [Servicing Tools](/windows/deployment/update/waas-overview#servicing-tools). - -## User experience - -### Where can I find information about new features and changes in Windows 10 Enterprise? - -For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index) and [What's new in Windows 10, version 1703](/windows/whats-new/whats-new-windows-10-version-1703) in the Docs library. - -Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://blogs.technet.microsoft.com/windowsitpro/). Here you’ll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10. - -To find out which version of Windows 10 is right for your organization, you can also [compare Windows editions](https://www.microsoft.com/WindowsForBusiness/Compare). - -### How will people in my organization adjust to using Windows 10 Enterprise after upgrading from Windows 7 or Windows 8.1? - -Windows 10 combines the best aspects of the user experience from Windows 8.1 and Windows 7 to make using Windows simple and straightforward. Users of Windows 7 will find the Start menu in the same location as they always have. In the same place, users of Windows 8.1 will find the live tiles from their Start screen, accessible by the Start button in the same way as they were accessed in Windows 8.1. To help you make the transition a seamless one, download the [Windows 10 Adoption Planning Kit](https://info.microsoft.com/Windows10AdoptionPlanningKit) and see our [end user readiness](https://technet.microsoft.com/windows/dn621092) resources. - -### How does Windows 10 help people work with applications and data across a variety of devices? - -The desktop experience in Windows 10 has been improved to provide a better experience for people that use a traditional mouse and keyboard. Key changes include: -- Start menu is a launching point for access to apps. -- Universal apps now open in windows instead of full screen. -- [Multitasking is improved with adjustable Snap](http://blogs.windows.com/bloggingwindows/2015/06/04/arrange-your-windows-in-a-snap/), which allows you to have more than two windows side-by-side on the same screen and to customize how those windows are arranged. -- Tablet Mode to simplify using Windows with a finger or pen by using touch input. - -## Help and support - -### Where can I ask a question about Windows 10? - -Use the following resources for additional information about Windows 10. -- If you are an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet. -- If you are an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](https://answers.microsoft.com/windows/forum/windows_10). -- If you are a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev) or [Windows and Windows phone apps forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsapps) on MSDN. -- If you have a question about Internet Explorer, visit the [Internet Explorer forums](https://social.technet.microsoft.com/forums/ie/en-us/home) on TechNet. +--- +title: Windows 10 Enterprise FAQ for IT pros (Windows 10) +description: Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise. +keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage updates, Windows as a service, servicing channels, deployment tools +ms.prod: w10 +ms.mktglfcycl: plan +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 08/18/2017 +ms.reviewer: +manager: laurawi +ms.author: greglin +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Windows 10 Enterprise: FAQ for IT professionals + +Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise. + +## Download and requirements + +### Where can I download Windows 10 Enterprise? + +If you have Windows volume licenses with Software Assurance, or if you have purchased licenses for Windows 10 Enterprise volume licenses, you can download 32-bit and 64-bit versions of Windows 10 Enterprise from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). If you do not have current Software Assurance for Windows and would like to purchase volume licenses for Windows 10 Enterprise, contact your preferred Microsoft Reseller or see [How to purchase through Volume Licensing](https://www.microsoft.com/en-us/Licensing/how-to-buy/how-to-buy.aspx). + +### What are the system requirements? + +For details, see [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752). + +### What are the hardware requirements for Windows 10? + +Most computers that are compatible with Windows 8.1 will be compatible with Windows 10. You may need to install updated drivers in Windows 10 for your devices to properly function. See [Windows 10 specifications](https://www.microsoft.com/windows/windows-10-specifications) for more information. + +### Can I evaluate Windows 10 Enterprise? + +Yes, a 90-day evaluation of Windows 10 Enterprise is available through the [TechNet Evaluation Center](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise). The evaluation is available in Chinese (Simplified), Chinese (Traditional), French, German, Italian, Japanese, Korean, Portuguese (Brazil), and Spanish (Spain, International Sort). We highly recommend that organizations make use of the Windows 10 Enterprise 90-day Evaluation to try out deployment and management scenarios, test compatibility with hardware and applications, and to get hands on experience with Windows 10 Enterprise features. + +## Drivers and compatibility + +### Where can I find drivers for my devices for Windows 10 Enterprise? + +For many devices, drivers will be automatically installed in Windows 10 and there will be no need for additional action. +- For some devices, Windows 10 may be unable to install drivers that are required for operation. If your device drivers are not automatically installed, visit the manufacturer’s support website for your device to download and manually install the drivers. If Windows 10 drivers are not available, the most up-to-date drivers for Windows 8.1 will often work in Windows 10. +- For some devices, the manufacturer may provide more up-to-date drivers or drivers that enable additional functionality than the drivers installed by Windows 10. Always follow the recommendations of the device manufacturer for optimal performance and stability. +- Some computer manufacturers provide packs of drivers for easy implementation in management and deployment solutions like the Microsoft Deployment Toolkit (MDT) or Microsoft System Center Configuration Manager. These driver packs contain all of the drivers needed for each device and can greatly simplify the process of deploying Windows to a new make or model of computer. Driver packs for some common manufacturers include: + - [HP driver pack](http://www8.hp.com/us/en/ads/clientmanagement/drivers-pack.html) + - [Dell driver packs for enterprise client OS deployment](http://en.community.dell.com/techcenter/enterprise-client/w/wiki/2065.dell-command-deploy-driver-packs-for-enterprise-client-os-deployment) + - [Lenovo Configuration Manager and MDT package index](https://support.lenovo.com/us/en/documents/ht074984) + - [Panasonic Driver Pack for Enterprise](http://pc-dl.panasonic.co.jp/itn/drivers/driver_packages.html) + +### Where can I find out if an application or device is compatible with Windows 10? + +Many existing Win32 and Win64 applications already run reliably on Windows 10 without any changes. You can also expect strong compatibility and support for Web apps and devices. The [Ready for Windows](https://www.readyforwindows.com/) website lists software solutions that are supported and in use for Windows 10. You can find additional guidance to help with application compatibility at [Windows 10 application compatibility](https://technet.microsoft.com/windows/mt703793) on the Windows IT Center. + +### Is there an easy way to assess if my organization’s devices are ready to upgrade to Windows 10? + +[Windows Analytics Upgrade Readiness](https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics) (formerly known as Upgrade Analytics) provides powerful insights and recommendations about the computers, applications, and drivers in your organization, at no extra cost and without additional infrastructure requirements. This new service guides you through your upgrade and feature update projects using a workflow based on Microsoft recommended practices. Up-to-date inventory data allows you to balance cost and risk in your upgrade projects. You can find additional product information at [Windows Analytics](https://www.microsoft.com/en-us/WindowsForBusiness/Windows-Analytics). + +## Administration and deployment + +### Which deployment tools support Windows 10? + +Updated versions of Microsoft deployment tools, including MDT, Configuration Manager, and the Windows Assessment and Deployment Kit (Windows ADK) have been released to support Windows 10. +- [MDT](https://www.microsoft.com/mdt) is Microsoft’s recommended collection of tools, processes, and guidance for automating desktop and server deployment. +- Configuration Manager simplifies the deployment and management of Windows 10. If you are not currently using Configuration Manager, you can download a free 180-day trial of [System Center Configuration Manager and Endpoint Protection (current branch)](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) from the TechNet Evaluation Center. +- The [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#winADK) has tools that allow you to customize Windows images for large-scale deployment, and test system quality and performance. You can download the latest version of the Windows ADK for Windows 10 from the Hardware Dev Center. + +### Can I upgrade computers from Windows 7 or Windows 8.1 without deploying a new image? + +Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device using MDT and/or Configuration Manager. For more information, see [Upgrade to Windows 10 with System Center Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager) or [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit). + +### Can I upgrade from Windows 7 Enterprise or Windows 8.1 Enterprise to Windows 10 Enterprise for free? + +If you have Windows 7 Enterprise or Windows 8.1 Enterprise and current Windows 10 Enterprise E3 or E5 subscription, you are entitled to the upgrade to Windows 10 Enterprise through the rights of Software Assurance. You can find your product keys and installation media at the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). + +For devices that are licensed under a volume license agreement for Windows that does not include Software Assurance, new licenses will be required to upgrade these devices to Windows 10. + +## Managing updates + +### What is Windows as a service? + +The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. For more information, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview). + +### How is servicing different with Windows as a service? + +Traditional Windows servicing has included several release types: major revisions (e.g., the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10, there are two release types: feature updates that add new functionality two to three times per year, and quality updates that provide security and reliability fixes at least once a month. + +### What are the servicing channels? + +To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers two servicing channels for Windows 10: Semi-Annual Channel, and Long-Term Servicing Channel (LTSC). For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each channel, see [servicing channels](/windows/deployment/update/waas-overview#servicing-channels). + +### What tools can I use to manage Windows as a service updates? + +There are many tools are available. You can choose from these: +- Windows Update +- Windows Update for Business +- Windows Server Update Services +- System Center Configuration Manager + +For more information on pros and cons for these tools, see [Servicing Tools](/windows/deployment/update/waas-overview#servicing-tools). + +## User experience + +### Where can I find information about new features and changes in Windows 10 Enterprise? + +For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index) and [What's new in Windows 10, version 1703](/windows/whats-new/whats-new-windows-10-version-1703) in the Docs library. + +Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://blogs.technet.microsoft.com/windowsitpro/). Here you’ll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10. + +To find out which version of Windows 10 is right for your organization, you can also [compare Windows editions](https://www.microsoft.com/WindowsForBusiness/Compare). + +### How will people in my organization adjust to using Windows 10 Enterprise after upgrading from Windows 7 or Windows 8.1? + +Windows 10 combines the best aspects of the user experience from Windows 8.1 and Windows 7 to make using Windows simple and straightforward. Users of Windows 7 will find the Start menu in the same location as they always have. In the same place, users of Windows 8.1 will find the live tiles from their Start screen, accessible by the Start button in the same way as they were accessed in Windows 8.1. To help you make the transition a seamless one, download the [Windows 10 Adoption Planning Kit](https://info.microsoft.com/Windows10AdoptionPlanningKit) and see our [end user readiness](https://technet.microsoft.com/windows/dn621092) resources. + +### How does Windows 10 help people work with applications and data across a variety of devices? + +The desktop experience in Windows 10 has been improved to provide a better experience for people that use a traditional mouse and keyboard. Key changes include: +- Start menu is a launching point for access to apps. +- Universal apps now open in windows instead of full screen. +- [Multitasking is improved with adjustable Snap](http://blogs.windows.com/bloggingwindows/2015/06/04/arrange-your-windows-in-a-snap/), which allows you to have more than two windows side-by-side on the same screen and to customize how those windows are arranged. +- Tablet Mode to simplify using Windows with a finger or pen by using touch input. + +## Help and support + +### Where can I ask a question about Windows 10? + +Use the following resources for additional information about Windows 10. +- If you are an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet. +- If you are an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](https://answers.microsoft.com/windows/forum/windows_10). +- If you are a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev) or [Windows and Windows phone apps forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsapps) on MSDN. +- If you have a question about Internet Explorer, visit the [Internet Explorer forums](https://social.technet.microsoft.com/forums/ie/en-us/home) on TechNet. diff --git a/windows/deployment/planning/windows-10-fall-creators-removed-features.md b/windows/deployment/planning/windows-10-fall-creators-removed-features.md index e343e3390c..bec34fa0f2 100644 --- a/windows/deployment/planning/windows-10-fall-creators-removed-features.md +++ b/windows/deployment/planning/windows-10-fall-creators-removed-features.md @@ -1,87 +1,87 @@ ---- -title: Windows 10 Fall Creators Update - Features removed or planned for removal -description: Which features were removed in Windows 10 Fall Creators Update (version 1709)? Which features are we thinking of removing in the future? -ms.prod: w10 -ms.mktglfcycl: plan -ms.localizationpriority: medium -ms.sitesec: library -author: greg-lindsay -ms.date: 10/09/2017 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.topic: article ---- -# Features removed or planned for replacement starting with Windows 10 Fall Creators Update (version 1709) - -> Applies to: Windows 10, version 1709 - -Each release of Windows 10 adds new features and functionality; we also occasionally remove features and functionality, usually because we've added a better option. Read on for details about the features and functionalities that we removed in Windows 10 Fall Creators Update (version 1709). This list also includes information about features and functionality that we're considering removing in a future release of Windows 10. This list is intended to make you aware of current and future changes and inform your planning. **The list is subject to change and might not include every affected feature or functionality.** - -## Features removed from Windows 10 Fall Creators Update -We've removed the following features and functionalities from the installed product image in Windows 10, version 1709. Applications, code, or usage that depend on these features won't function in this release unless you employ an alternate method. - -### 3D Builder -No longer installed by default, [3D Builder](https://www.microsoft.com/store/p/3d-builder/9wzdncrfj3t6) is still available for download from the Microsoft Store. You can also consider using Print 3D and Paint 3D in its place. - -### APN database (Apndatabase.xml) -Replaced by the Country and Operator Settings Asset (COSA) database. For more information, see the following Hardware Dev Center articles: -- [Planning your COSA/APN database submission](/windows-hardware/drivers/mobilebroadband/planning-your-apn-database-submission) -- [COSA – FAQ](/windows-hardware/drivers/mobilebroadband/cosa---faq) - -### Enhanced Mitigation Experience Toolkit (EMET) -Removed from the image, and you're blocked from using it. Consider using the [Exploit Protection feature of Windows Defender Exploit Guard](/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) as a replacement. See the [Announcing Windows 10 Insider Preview Build 16232 for PC + Build 15228 for Mobile](https://blogs.windows.com/windowsexperience/2017/06/28/announcing-windows-10-insider-preview-build-16232-pc-build-15228-mobile/) for details. - -### Outlook Express -Removed this non-functional code. - -### Reader app -Integrated the Reader functionality into Microsoft Edge. - -### Reading list -Integrated the Reading list functionality into Microsoft Edge. - -### Resilient File System (ReFS) -We changed the way that ReFS works, based on the edition of Windows 10 you have. We didn't **remove** ReFS, but how you can use ReFS depends on your edition. - -If you have Windows 10 Enterprise or Windows 10 Pro for Workstations: You can create, read, and write volumes. - -If you have any other edition of Windows 10: You can read and write volumes, but you can't create volumes. If you need to create volumes, upgrade to the Enterprise or Pro for Workstations edition. - -### Syskey.exe -Removed this security feature. Instead, we recommend using [BitLocker](/device-security/bitlocker/bitlocker-overview). For more information, see [4025993 Syskey.exe utility is no longer supported in Windows 10 RS3 and Windows Server 2016 RS3](https://support.microsoft.com/help/4025993/syskey-exe-utility-is-no-longer-supported-in-windows-10-rs3-and-window). - -### TCP Offload Engine -Removed this code. The TCP Offload Engine functionality is now available in the Stack TCP Engine. For more information, see [Why Are We Deprecating Network Performance Features (KB4014193)?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193/) - -### TPM Owner Password Management -Removed this code. - -## Features being considered for replacement starting after Windows Fall Creators Update -We are considering removing the following features and functionalities from the installed product image, starting with releases after Windows 10, version 1709. Eventually, we might completely remove them and replace them with other features or functionality (or, in some instances, make them available from different sources). These features and functionalities are *still available* in this release, but **you should begin planning now to either use alternate methods or to replace any applications, code, or usage that depend on these features.** - -If you have feedback to share about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). - -### IIS 6 Management Compatibility -We're considering replacing the following specific DISM features: - -- IIS 6 Metabase Compatibility (Web-Metabase) -- IIS 6 Management Console (Web-Lgcy-Mgmt-Console) -- IIS 6 Scripting Tools (Web-Lgcy-Scripting) -- IIS 6 WMI Compatibility (Web-WMI) - -Instead of IIS 6 Metabase Compatibility (which acts as an emulation layer between IIS 6-based metabase scripts and the file-based configuration used by IIS 7 or newer versions) you should start migrating management scripts to target IIS file-based configuration directly, by using tools such as the Microsoft.Web.Administration namespace. - -You should also start migration from IIS 6.0 or earlier versions, and move to the [latest version of IIS](/iis/get-started/whats-new-in-iis-10/new-features-introduced-in-iis-10). - -### IIS Digest Authentication -We're considering removing the IIS Digest Authentication method. Instead, you should start using other authentication methods, such as [Client Certificate Mapping](/iis/manage/configuring-security/configuring-one-to-one-client-certificate-mappings) or [Windows Authentication](/iis/configuration/system.webServer/security/authentication/windowsAuthentication/). - -### Microsoft Paint -We're considering removing MS Paint from the basic installed product image - that means it won't be installed by default. **You'll still be able to get the app separately from the [Microsoft Store](https://www.microsoft.com/store/b/home) for free.** Alternately, you can get [Paint 3D](https://www.microsoft.com/store/p/paint-3d/9nblggh5fv99) and [3D Builder](https://www.microsoft.com/store/p/3d-builder/9wzdncrfj3t6) from the Microsoft Store today; both of these offer the same functionality as Microsoft Paint, plus additional features. - -### RSA/AES Encryption for IIS -We're considering removing RSA/AES encryption because the superior [Cryptography API: Next Generation (CNG)](https://msdn.microsoft.com/library/windows/desktop/bb931354(v=vs.85).aspx) method is already available. - -### Sync your settings -We're considering making changes to the back-end storage that will affect the sync process: [Enterprise State Roaming](/azure/active-directory/active-directory-windows-enterprise-state-roaming-overview) and all other users will use a single cloud storage system. Both the "Sync your settings" options and the Enterprise State Roaming feature will continue to work. +--- +title: Windows 10 Fall Creators Update - Features removed or planned for removal +description: Which features were removed in Windows 10 Fall Creators Update (version 1709)? Which features are we thinking of removing in the future? +ms.prod: w10 +ms.mktglfcycl: plan +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 10/09/2017 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.topic: article +--- +# Features removed or planned for replacement starting with Windows 10 Fall Creators Update (version 1709) + +> Applies to: Windows 10, version 1709 + +Each release of Windows 10 adds new features and functionality; we also occasionally remove features and functionality, usually because we've added a better option. Read on for details about the features and functionalities that we removed in Windows 10 Fall Creators Update (version 1709). This list also includes information about features and functionality that we're considering removing in a future release of Windows 10. This list is intended to make you aware of current and future changes and inform your planning. **The list is subject to change and might not include every affected feature or functionality.** + +## Features removed from Windows 10 Fall Creators Update +We've removed the following features and functionalities from the installed product image in Windows 10, version 1709. Applications, code, or usage that depend on these features won't function in this release unless you employ an alternate method. + +### 3D Builder +No longer installed by default, [3D Builder](https://www.microsoft.com/store/p/3d-builder/9wzdncrfj3t6) is still available for download from the Microsoft Store. You can also consider using Print 3D and Paint 3D in its place. + +### APN database (Apndatabase.xml) +Replaced by the Country and Operator Settings Asset (COSA) database. For more information, see the following Hardware Dev Center articles: +- [Planning your COSA/APN database submission](/windows-hardware/drivers/mobilebroadband/planning-your-apn-database-submission) +- [COSA – FAQ](/windows-hardware/drivers/mobilebroadband/cosa---faq) + +### Enhanced Mitigation Experience Toolkit (EMET) +Removed from the image, and you're blocked from using it. Consider using the [Exploit Protection feature of Windows Defender Exploit Guard](/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) as a replacement. See the [Announcing Windows 10 Insider Preview Build 16232 for PC + Build 15228 for Mobile](https://blogs.windows.com/windowsexperience/2017/06/28/announcing-windows-10-insider-preview-build-16232-pc-build-15228-mobile/) for details. + +### Outlook Express +Removed this non-functional code. + +### Reader app +Integrated the Reader functionality into Microsoft Edge. + +### Reading list +Integrated the Reading list functionality into Microsoft Edge. + +### Resilient File System (ReFS) +We changed the way that ReFS works, based on the edition of Windows 10 you have. We didn't **remove** ReFS, but how you can use ReFS depends on your edition. + +If you have Windows 10 Enterprise or Windows 10 Pro for Workstations: You can create, read, and write volumes. + +If you have any other edition of Windows 10: You can read and write volumes, but you can't create volumes. If you need to create volumes, upgrade to the Enterprise or Pro for Workstations edition. + +### Syskey.exe +Removed this security feature. Instead, we recommend using [BitLocker](/device-security/bitlocker/bitlocker-overview). For more information, see [4025993 Syskey.exe utility is no longer supported in Windows 10 RS3 and Windows Server 2016 RS3](https://support.microsoft.com/help/4025993/syskey-exe-utility-is-no-longer-supported-in-windows-10-rs3-and-window). + +### TCP Offload Engine +Removed this code. The TCP Offload Engine functionality is now available in the Stack TCP Engine. For more information, see [Why Are We Deprecating Network Performance Features (KB4014193)?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193/) + +### TPM Owner Password Management +Removed this code. + +## Features being considered for replacement starting after Windows Fall Creators Update +We are considering removing the following features and functionalities from the installed product image, starting with releases after Windows 10, version 1709. Eventually, we might completely remove them and replace them with other features or functionality (or, in some instances, make them available from different sources). These features and functionalities are *still available* in this release, but **you should begin planning now to either use alternate methods or to replace any applications, code, or usage that depend on these features.** + +If you have feedback to share about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). + +### IIS 6 Management Compatibility +We're considering replacing the following specific DISM features: + +- IIS 6 Metabase Compatibility (Web-Metabase) +- IIS 6 Management Console (Web-Lgcy-Mgmt-Console) +- IIS 6 Scripting Tools (Web-Lgcy-Scripting) +- IIS 6 WMI Compatibility (Web-WMI) + +Instead of IIS 6 Metabase Compatibility (which acts as an emulation layer between IIS 6-based metabase scripts and the file-based configuration used by IIS 7 or newer versions) you should start migrating management scripts to target IIS file-based configuration directly, by using tools such as the Microsoft.Web.Administration namespace. + +You should also start migration from IIS 6.0 or earlier versions, and move to the [latest version of IIS](/iis/get-started/whats-new-in-iis-10/new-features-introduced-in-iis-10). + +### IIS Digest Authentication +We're considering removing the IIS Digest Authentication method. Instead, you should start using other authentication methods, such as [Client Certificate Mapping](/iis/manage/configuring-security/configuring-one-to-one-client-certificate-mappings) or [Windows Authentication](/iis/configuration/system.webServer/security/authentication/windowsAuthentication/). + +### Microsoft Paint +We're considering removing MS Paint from the basic installed product image - that means it won't be installed by default. **You'll still be able to get the app separately from the [Microsoft Store](https://www.microsoft.com/store/b/home) for free.** Alternately, you can get [Paint 3D](https://www.microsoft.com/store/p/paint-3d/9nblggh5fv99) and [3D Builder](https://www.microsoft.com/store/p/3d-builder/9wzdncrfj3t6) from the Microsoft Store today; both of these offer the same functionality as Microsoft Paint, plus additional features. + +### RSA/AES Encryption for IIS +We're considering removing RSA/AES encryption because the superior [Cryptography API: Next Generation (CNG)](https://msdn.microsoft.com/library/windows/desktop/bb931354(v=vs.85).aspx) method is already available. + +### Sync your settings +We're considering making changes to the back-end storage that will affect the sync process: [Enterprise State Roaming](/azure/active-directory/active-directory-windows-enterprise-state-roaming-overview) and all other users will use a single cloud storage system. Both the "Sync your settings" options and the Enterprise State Roaming feature will continue to work. diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md index e3f1be89ba..36c030bdcf 100644 --- a/windows/deployment/planning/windows-10-infrastructure-requirements.md +++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md @@ -1,133 +1,133 @@ ---- -title: Windows 10 infrastructure requirements (Windows 10) -description: There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. -ms.assetid: B0FA27D9-A206-4E35-9AE6-74E70748BE64 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: deploy, upgrade, update, hardware -ms.prod: w10 -ms.mktglfcycl: plan -ms.localizationpriority: medium -ms.sitesec: library -author: greg-lindsay -ms.topic: article ---- - -# Windows 10 infrastructure requirements - - -**Applies to** - -- Windows 10 - -There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. - -## High-level requirements - - -For initial Windows 10 deployments, as well as subsequent Windows 10 upgrades, ensure that sufficient disk space is available for distribution of the Windows 10 installation files (about 3 GB for Windows 10 x64 images, slightly smaller for x86). Also, be sure to take into account the network impact of moving these large images to each PC; you may need to leverage local server storage. - -For persistent VDI environments, carefully consider the I/O impact from upgrading large numbers of PCs in a short period of time. Ensure that upgrades are performed in smaller numbers, or during off-peak time periods. (For pooled VDI environments, a better approach is to replace the base image with a new version.) - -## Deployment tools - - -A new version of the Assessment and Deployment Toolkit (ADK) has been released to support Windows 10. This new version, available for download [here](https://go.microsoft.com/fwlink/p/?LinkId=526740), is required for Windows 10; you should not use earlier versions of the ADK to deploy Windows 10. It also supports the deployment of Windows 7, Windows 8, and Windows 8.1. - -Significant enhancements in the ADK for Windows 10 include new runtime provisioning capabilities, which leverage the Windows Imaging and Configuration Designer (Windows ICD), as well as updated versions of existing deployment tools (DISM, USMT, Windows PE, and more). - -Microsoft Deployment Toolkit 2013 Update 1, available for download [here](https://go.microsoft.com/fwlink/p/?LinkId=625079), has also been updated to support Windows 10 and the new ADK; older versions do not support Windows 10. New in this release is task sequence support for Windows 10 in-place upgrades. - -For System Center Configuration Manager, Windows 10 support is offered with various releases: - -| Release | Windows 10 management? | Windows 10 deployment? | -|---------------------------------------------|------------------------|------------------------------------------------| -| System Center Configuration Manager 2007 | Yes, with a hotfix | No | -| System Center Configuration Manager 2012 | Yes, with SP2 and CU1 | Yes, with SP2, CU1, and the ADK for Windows 10 | -| System Center Configuration Manager 2012 R2 | Yes, with SP1 and CU1 | Yes, with SP1, CU1, and the ADK for Windows 10 | - - ->Note: Configuration Manager 2012 supports Windows 10 version 1507 (build 10.0.10240) and 1511 (build 10.0.10586) for the lifecycle of these builds. Future releases of Windows 10 CB/CBB are not supported With Configuration Manager 2012, and will require System Center Configuration Manager current branch for supported management. -  - -For more details about System Center Configuration Manager support for Windows 10, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md). - -## Management tools - - -In addition to System Center Configuration Manager, Windows 10 also leverages other tools for management. For Windows Server and Active Directory, existing supported versions are fully supported for Windows 10. New Group Policy templates will be needed to configure new settings available in Windows 10; these templates are available in the Windows 10 media images, and are available as a separate download [here](https://go.microsoft.com/fwlink/p/?LinkId=625081). See [Group Policy settings reference](https://go.microsoft.com/fwlink/p/?LinkId=625082) for a list of the new and modified policy settings. If you are using a central policy store, follow the steps outlined [here](https://go.microsoft.com/fwlink/p/?LinkId=625083) to update the ADMX files stored in that central store. - -No new Active Directory schema updates or specific functional levels are currently required for core Windows 10 product functionality, although subsequent upgrades could require these to support new features. - -Microsoft Desktop Optimization Pack (MDOP) has been updated to support Windows 10. The minimum versions required to support Windows 10 are as follows: - -| Product | Required version | -|----------------------------------------------------------|--------------------------| -| Advanced Group Policy Management (AGPM) | AGPM 4.0 Service Pack 3 | -| Application Virtualization (App-V) | App-V 5.1 | -| Diagnostics and Recovery Toolkit (DaRT) | DaRT 10 | -| Microsoft BitLocker Administration and Monitoring (MBAM) | MBAM 2.5 SP1 (2.5 is OK) | -| User Experience Virtualization (UE-V) | UE-V 2.1 SP1 | - -  - -For more information, see the [MDOP TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=625090). - -For devices you manage with mobile device management (MDM) solutions such as Microsoft Intune, existing capabilities (provided initially in Windows 8.1) are fully supported in Windows 10; new Windows 10 MDM settings and capabilities will require updates to the MDM services. See [Mobile device management](https://go.microsoft.com/fwlink/p/?LinkId=625084) for more information. - -Windows Server Update Services (WSUS) requires some additional configuration to receive updates for Windows 10. Use the Windows Server Update Services admin tool and follow these instructions: - -1. Select the **Options** node, and then click **Products and Classifications**. - -2. In the **Products** tree, select the **Windows 10** and **Windows 10 LTSB** products and any other Windows 10-related items that you want. Click **OK**. - -3. From the **Synchronizations** node, right-click and choose **Synchronize Now**. - -![figure 1](images/fig4-wsuslist.png) - -Figure 1. WSUS product list with Windows 10 choices - -Because Windows 10 updates are cumulative in nature, each month’s new update will supersede the previous month's. Consider leveraging “express installation” packages to reduce the size of the payload that needs to be sent to each PC each month; see [Express installation files](https://go.microsoft.com/fwlink/p/?LinkId=625086) for more information. (Note that this will increase the amount of disk storage needed by WSUS, and impacts all operating systems being managed with WSUS.) - -## Activation - - -Windows 10 volume license editions of Windows 10 will continue to support all existing activation methods (KMS, MAK, and AD-based activation). An update will be required for existing KMS servers: - -| Product | Required update | -|----------------------------------------|---------------------------------------------------------------------------------------------| -| Windows 10 | None | -| Windows Server 2012 R2 and Windows 8.1 | [https://support.microsoft.com/kb/3058168](https://go.microsoft.com/fwlink/p/?LinkId=625087) | -| Windows Server 2012 and Windows 8 | [https://support.microsoft.com/kb/3058168](https://go.microsoft.com/fwlink/p/?LinkId=625087) | -| Windows Server 2008 R2 and Windows 7 | [https://support.microsoft.com/kb/3079821](https://support.microsoft.com/kb/3079821) | - -  - -Also see: [Windows Server 2016 Volume Activation Tips](https://blogs.technet.microsoft.com/askcore/2016/10/19/windows-server-2016-volume-activation-tips/) - -Additionally, new product keys will be needed for all types of volume license activation (KMS, MAK, and AD-based Activation); these keys are available on the Volume Licensing Service Center (VLSC) for customers with rights to the Windows 10 operating system. To find the needed keys: - -- Sign into the [Volume Licensing Service Center (VLSC)](https://go.microsoft.com/fwlink/p/?LinkId=625088) at with a Microsoft account that has appropriate rights. - -- For KMS keys, click **Licenses** and then select **Relationship Summary**. Click the appropriate active license ID, and then select **Product Keys** near the right side of the page. For KMS running on Windows Server, find the **Windows Srv 2012R2 DataCtr/Std KMS for Windows 10** product key; for KMS running on client operating systems, find the **Windows 10** product key. - -- For MAK keys, click **Downloads and Keys**, and then filter the list by using **Windows 10** as a product. Click the **Key** link next to an appropriate list entry (for example, **Windows 10 Enterprise** or **Windows 10 Enterprise LTSB**) to view the available MAK keys. (You can also find keys for KMS running on Windows 10 in this list. These keys will not work on Windows servers running KMS.) - -Note that Windows 10 Enterprise and Windows 10 Enterprise LTSB installations use different MAK keys. But you can use the same KMS server or Active Directory-based activation environment for both; the KMS keys obtained from the Volume Licensing Service Center will work with both. - -## Related topics - - -[Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md) -
          [Windows 10 deployment considerations](windows-10-deployment-considerations.md) -
          [Windows 10 compatibility](windows-10-compatibility.md) - -  - -  - - - - - +--- +title: Windows 10 infrastructure requirements (Windows 10) +description: There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. +ms.assetid: B0FA27D9-A206-4E35-9AE6-74E70748BE64 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: deploy, upgrade, update, hardware +ms.prod: w10 +ms.mktglfcycl: plan +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Windows 10 infrastructure requirements + + +**Applies to** + +- Windows 10 + +There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. + +## High-level requirements + + +For initial Windows 10 deployments, as well as subsequent Windows 10 upgrades, ensure that sufficient disk space is available for distribution of the Windows 10 installation files (about 3 GB for Windows 10 x64 images, slightly smaller for x86). Also, be sure to take into account the network impact of moving these large images to each PC; you may need to leverage local server storage. + +For persistent VDI environments, carefully consider the I/O impact from upgrading large numbers of PCs in a short period of time. Ensure that upgrades are performed in smaller numbers, or during off-peak time periods. (For pooled VDI environments, a better approach is to replace the base image with a new version.) + +## Deployment tools + + +A new version of the Assessment and Deployment Toolkit (ADK) has been released to support Windows 10. This new version, available for download [here](https://go.microsoft.com/fwlink/p/?LinkId=526740), is required for Windows 10; you should not use earlier versions of the ADK to deploy Windows 10. It also supports the deployment of Windows 7, Windows 8, and Windows 8.1. + +Significant enhancements in the ADK for Windows 10 include new runtime provisioning capabilities, which leverage the Windows Imaging and Configuration Designer (Windows ICD), as well as updated versions of existing deployment tools (DISM, USMT, Windows PE, and more). + +Microsoft Deployment Toolkit 2013 Update 1, available for download [here](https://go.microsoft.com/fwlink/p/?LinkId=625079), has also been updated to support Windows 10 and the new ADK; older versions do not support Windows 10. New in this release is task sequence support for Windows 10 in-place upgrades. + +For System Center Configuration Manager, Windows 10 support is offered with various releases: + +| Release | Windows 10 management? | Windows 10 deployment? | +|---------------------------------------------|------------------------|------------------------------------------------| +| System Center Configuration Manager 2007 | Yes, with a hotfix | No | +| System Center Configuration Manager 2012 | Yes, with SP2 and CU1 | Yes, with SP2, CU1, and the ADK for Windows 10 | +| System Center Configuration Manager 2012 R2 | Yes, with SP1 and CU1 | Yes, with SP1, CU1, and the ADK for Windows 10 | + + +>Note: Configuration Manager 2012 supports Windows 10 version 1507 (build 10.0.10240) and 1511 (build 10.0.10586) for the lifecycle of these builds. Future releases of Windows 10 CB/CBB are not supported With Configuration Manager 2012, and will require System Center Configuration Manager current branch for supported management. +  + +For more details about System Center Configuration Manager support for Windows 10, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md). + +## Management tools + + +In addition to System Center Configuration Manager, Windows 10 also leverages other tools for management. For Windows Server and Active Directory, existing supported versions are fully supported for Windows 10. New Group Policy templates will be needed to configure new settings available in Windows 10; these templates are available in the Windows 10 media images, and are available as a separate download [here](https://go.microsoft.com/fwlink/p/?LinkId=625081). See [Group Policy settings reference](https://go.microsoft.com/fwlink/p/?LinkId=625082) for a list of the new and modified policy settings. If you are using a central policy store, follow the steps outlined [here](https://go.microsoft.com/fwlink/p/?LinkId=625083) to update the ADMX files stored in that central store. + +No new Active Directory schema updates or specific functional levels are currently required for core Windows 10 product functionality, although subsequent upgrades could require these to support new features. + +Microsoft Desktop Optimization Pack (MDOP) has been updated to support Windows 10. The minimum versions required to support Windows 10 are as follows: + +| Product | Required version | +|----------------------------------------------------------|--------------------------| +| Advanced Group Policy Management (AGPM) | AGPM 4.0 Service Pack 3 | +| Application Virtualization (App-V) | App-V 5.1 | +| Diagnostics and Recovery Toolkit (DaRT) | DaRT 10 | +| Microsoft BitLocker Administration and Monitoring (MBAM) | MBAM 2.5 SP1 (2.5 is OK) | +| User Experience Virtualization (UE-V) | UE-V 2.1 SP1 | + +  + +For more information, see the [MDOP TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=625090). + +For devices you manage with mobile device management (MDM) solutions such as Microsoft Intune, existing capabilities (provided initially in Windows 8.1) are fully supported in Windows 10; new Windows 10 MDM settings and capabilities will require updates to the MDM services. See [Mobile device management](https://go.microsoft.com/fwlink/p/?LinkId=625084) for more information. + +Windows Server Update Services (WSUS) requires some additional configuration to receive updates for Windows 10. Use the Windows Server Update Services admin tool and follow these instructions: + +1. Select the **Options** node, and then click **Products and Classifications**. + +2. In the **Products** tree, select the **Windows 10** and **Windows 10 LTSB** products and any other Windows 10-related items that you want. Click **OK**. + +3. From the **Synchronizations** node, right-click and choose **Synchronize Now**. + +![figure 1](images/fig4-wsuslist.png) + +Figure 1. WSUS product list with Windows 10 choices + +Because Windows 10 updates are cumulative in nature, each month’s new update will supersede the previous month's. Consider leveraging “express installation” packages to reduce the size of the payload that needs to be sent to each PC each month; see [Express installation files](https://go.microsoft.com/fwlink/p/?LinkId=625086) for more information. (Note that this will increase the amount of disk storage needed by WSUS, and impacts all operating systems being managed with WSUS.) + +## Activation + + +Windows 10 volume license editions of Windows 10 will continue to support all existing activation methods (KMS, MAK, and AD-based activation). An update will be required for existing KMS servers: + +| Product | Required update | +|----------------------------------------|---------------------------------------------------------------------------------------------| +| Windows 10 | None | +| Windows Server 2012 R2 and Windows 8.1 | [https://support.microsoft.com/kb/3058168](https://go.microsoft.com/fwlink/p/?LinkId=625087) | +| Windows Server 2012 and Windows 8 | [https://support.microsoft.com/kb/3058168](https://go.microsoft.com/fwlink/p/?LinkId=625087) | +| Windows Server 2008 R2 and Windows 7 | [https://support.microsoft.com/kb/3079821](https://support.microsoft.com/kb/3079821) | + +  + +Also see: [Windows Server 2016 Volume Activation Tips](https://blogs.technet.microsoft.com/askcore/2016/10/19/windows-server-2016-volume-activation-tips/) + +Additionally, new product keys will be needed for all types of volume license activation (KMS, MAK, and AD-based Activation); these keys are available on the Volume Licensing Service Center (VLSC) for customers with rights to the Windows 10 operating system. To find the needed keys: + +- Sign into the [Volume Licensing Service Center (VLSC)](https://go.microsoft.com/fwlink/p/?LinkId=625088) at with a Microsoft account that has appropriate rights. + +- For KMS keys, click **Licenses** and then select **Relationship Summary**. Click the appropriate active license ID, and then select **Product Keys** near the right side of the page. For KMS running on Windows Server, find the **Windows Srv 2012R2 DataCtr/Std KMS for Windows 10** product key; for KMS running on client operating systems, find the **Windows 10** product key. + +- For MAK keys, click **Downloads and Keys**, and then filter the list by using **Windows 10** as a product. Click the **Key** link next to an appropriate list entry (for example, **Windows 10 Enterprise** or **Windows 10 Enterprise LTSB**) to view the available MAK keys. (You can also find keys for KMS running on Windows 10 in this list. These keys will not work on Windows servers running KMS.) + +Note that Windows 10 Enterprise and Windows 10 Enterprise LTSB installations use different MAK keys. But you can use the same KMS server or Active Directory-based activation environment for both; the KMS keys obtained from the Volume Licensing Service Center will work with both. + +## Related topics + + +[Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md) +
          [Windows 10 deployment considerations](windows-10-deployment-considerations.md) +
          [Windows 10 compatibility](windows-10-compatibility.md) + +  + +  + + + + + diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md index ad2f37a743..c48af35d6e 100644 --- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md +++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md @@ -1,462 +1,462 @@ ---- -title: Windows To Go frequently asked questions (Windows 10) -description: Windows To Go frequently asked questions -ms.assetid: bfdfb824-4a19-4401-b369-22c5e6ca9d6e -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: FAQ, mobile, device, USB -ms.prod: w10 -ms.mktglfcycl: deploy -ms.pagetype: mobility -ms.sitesec: library -author: greg-lindsay -ms.topic: article ---- - -# Windows To Go: frequently asked questions - - -**Applies to** - -- Windows 10 - ->[!IMPORTANT] ->Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. - -The following list identifies some commonly asked questions about Windows To Go. - -- [What is Windows To Go?](#wtg-faq-whatis) - -- [Does Windows To Go rely on virtualization?](#wtg-faq-virt) - -- [Who should use Windows To Go?](#wtg-faq-who) - -- [How can Windows To Go be deployed in an organization?](#wtg-faq-deploy) - -- [Is Windows To Go supported on both USB 2.0 and USB 3.0 drives?](#wtg-faq-usbvs) - -- [Is Windows To Go supported on USB 2.0 and USB 3.0 ports?](#wtg-faq-usbports) - -- [How do I identify a USB 3.0 port?](#wtg-faq-usb3port) - -- [Does Windows To Go run faster on a USB 3.0 port?](#wtg-faq-usb3speed) - -- [Can the user self-provision Windows To Go?](#wtg-faq-selfpro) - -- [How can Windows To Go be managed in an organization?](#wtg-faq-mng) - -- [How do I make my computer boot from USB?](#wtf-faq-startup) - -- [Why isn’t my computer booting from USB?](#wtg-faq-noboot) - -- [What happens if I remove my Windows To Go drive while it is running?](#wtg-faq-surprise) - -- [Can I use BitLocker to protect my Windows To Go drive?](#wtg-faq-bitlocker) - -- [Why can’t I enable BitLocker from Windows To Go Creator?](#wtg-faq-blfail) - -- [What power states does Windows To Go support?](#wtg-faq-power) - -- [Why is hibernation disabled in Windows To Go?](#wtg-faq-hibernate) - -- [Does Windows To Go support crash dump analysis?](#wtg-faq-crashdump) - -- [Do “Windows To Go Startup Options” work with dual boot computers?](#wtg-faq-dualboot) - -- [I plugged my Windows To Go drive into a running computer and I can’t see the partitions on the drive. Why not?](#wtg-faq-diskpart) - -- [I’m booted into Windows To Go, but I can’t browse to the internal hard drive of the host computer. Why not?](#wtg-faq-san4) - -- [Why does my Windows To Go drive have an MBR disk format with a FAT32 system partition?](#wtg-faq-fatmbr) - -- [Is Windows To Go secure if I use it on an untrusted machine?](#wtg-faq-malhost) - -- [Does Windows To Go work with ARM processors?](#wtg-faq-arm) - -- [Can I synchronize data from Windows To Go with my other computer?](#wtg-faq-datasync) - -- [What size USB Flash Drive do I need to make a Windows To Go drive?](#wtg-faq-usbsz) - -- [Do I need to activate Windows To Go every time I roam?](#wtg-faq-roamact) - -- [Can I use all Windows features on Windows To Go?](#wtg-faq-features) - -- [Can I use all my applications on Windows To Go?](#wtg-faq-approam) - -- [Does Windows To Go work slower than standard Windows?](#wtg-faq-slow) - -- [If I lose my Windows To Go drive, will my data be safe?](#wtg-faq-safeloss) - -- [Can I boot Windows To Go on a Mac?](#wtg-faq-mac) - -- [Are there any APIs that allow applications to identify a Windows To Go workspace?](#wtg-faq-api) - -- [How is Windows To Go licensed?](#wtg-faq-lic) - -- [Does Windows Recovery Environment work with Windows To Go? What’s the guidance for recovering a Windows To Go drive?](#wtg-faq-recovery) - -- [Why won’t Windows To Go work on a computer running Windows XP or Windows Vista?](#wtg-faq-oldos) - -- [Why does the operating system on the host computer matter?](#wtg-faq-oldos2) - -- [My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go?](#wtg-faq-blreckey) - -- [I decided to stop using a drive for Windows To Go and reformatted it – why doesn’t it have a drive letter assigned and how can I fix it?](#wtg-faq-reformat) - -- [Why do I keep on getting the message “Installing devices…” when I boot Windows To Go?](#bkmk-roamconflict) - -- [How do I upgrade the operating system on my Windows To Go drive?](#bkmk-upgradewtg) - -## What is Windows To Go? - - -Windows To Go is a feature for users of Windows 10 Enterprise and Windows 10 Education that enables users to boot a full version of Windows from external USB drives on host PCs. - -## Does Windows To Go rely on virtualization? - - -No. Windows To Go is a native instance of Windows 10 that runs from a USB device. It is just like a laptop hard drive with Windows 8 that has been put into a USB enclosure. - -## Who should use Windows To Go? - - -Windows To Go was designed for enterprise usage and targets scenarios such as continuance of operations, contractors, managed free seating, traveling workers, and work from home. - -## How can Windows To Go be deployed in an organization? - - -Windows To Go can be deployed using standard Windows deployment tools like Diskpart and DISM. The prerequisites for deploying Windows To Go are: - -- A Windows To Go recommended USB drive to provision; See the list of currently available USB drives at [Hardware considerations for Windows To Go](windows-to-go-overview.md#wtg-hardware) - -- A Windows 10 Enterprise or Windows 10 Education image - -- A Windows 10 Enterprise, Windows 10 Education or Windows 10 Professional host PC that can be used to provision new USB keys - -You can use a Windows PowerShell script to target several drives and scale your deployment for a large number of Windows To Go drives. You can also use a USB duplicator to duplicate a Windows To Go drive after it has been provisioned if you are creating a large number of drives. See the [Windows To Go Step by Step](https://go.microsoft.com/fwlink/p/?LinkId=618950) article on the TechNet wiki for a walkthrough of the drive creation process. - -## Is Windows To Go supported on both USB 2.0 and USB 3.0 drives? - - -No. Windows To Go is supported on USB 3.0 drives that are certified for Windows To Go. - -## Is Windows To Go supported on USB 2.0 and USB 3.0 ports? - - -Yes. Windows To Go is fully supported on either USB 2.0 ports or USB 3.0 ports on PCs certified for Windows 7 or later. - -## How do I identify a USB 3.0 port? - - -USB 3.0 ports are usually marked blue or carry a SS marking on the side. - -## Does Windows To Go run faster on a USB 3.0 port? - - -Yes. Because USB 3.0 offers significantly faster speeds than USB 2.0, a Windows To Go drive running on a USB 3.0 port will operate considerably faster. This speed increase applies to both drive provisioning and when the drive is being used as a workspace. - -## Can the user self-provision Windows To Go? - - -Yes, if the user has administrator permissions they can self-provision a Windows To Go drive using the Windows To Go Creator wizard which is included in Windows 10 Enterprise, Windows 10 Education and Windows 10 Professional. Additionally, System Center 2012 Configuration Manager SP1 and later releases includes support for user self-provisioning of Windows To Go drives. Configuration Manager can be downloaded for evaluation from the [Microsoft TechNet Evaluation Center](https://go.microsoft.com/fwlink/p/?LinkID=618746). - -## How can Windows To Go be managed in an organization? - - -Windows To Go can be deployed and managed like a traditional desktop PC using standard Windows enterprise software distribution tools like System Center Configuration Manager. Computer and user settings for Windows To Go workspaces can be managed using Group Policy setting also in the same manner that you manage Group Policy settings for other PCs in your organization. Windows To Go workspaces can be configured to connect to the organizational resources remotely using DirectAccess or a virtual private network connection so that they can connect securely to your network. - -## How do I make my computer boot from USB? - - -For host computers running Windows 10 - -- Using Cortana, search for **Windows To Go startup options**, and then press Enter. -- In the **Windows To Go Startup Options** dialog box, select **Yes**, and then click **Save Changes** to configure the computer to boot from USB. - -For host computers running Windows 8 or Windows 8.1: - -Press **Windows logo key+W** and then search for **Windows To Go startup options** and then press Enter. - -In the **Windows To Go Startup Options** dialog box select **Yes** and then click **Save Changes** to configure the computer to boot from USB. - -**Note**   -Your IT department can use Group Policy to configure Windows To Go Startup Options in your organization. - - - -If the host computer is running an earlier version of the Windows operating system need to configure the computer to boot from USB manually. - -To do this, early during boot time (usually when you see the manufacturer’s logo), enter your firmware/BIOS setup. (This method to enter firmware/BIOS setup differs with different computer manufacturers, but is usually entered by pressing one of the function keys, such as F12, F2, F1, Esc, and so forth. You should check the manufacturer’s site to be sure if you do not know which key to use to enter firmware setup.) - -After you have entered firmware setup, make sure that boot from USB is enabled. Then change the boot order to boot from USB drives first. - -Alternatively, if your computer supports it, you can try to use the one-time boot menu (often F12), to select USB boot on a per-boot basis. - -For more detailed instructions, see the wiki article, [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkID=618951). - -**Warning**   -Configuring a computer to boot from USB will cause your computer to attempt to boot from any bootable USB device connected to your computer. This potentially includes malicious devices. Users should be informed of this risk and instructed to not have any bootable USB storage devices plugged in to their computers except for their Windows To Go drive. - - - -## Why isn’t my computer booting from USB? - - -Computers certified for Windows 7 and later are required to have support for USB boot. Check to see if any of the following items apply to your situation: - -1. Ensure that your computer has the latest BIOS installed and the BIOS is configured to boot from a USB device. - -2. Ensure that the Windows To Go drive is connected directly to a USB port on the computer. Many computers don’t support booting from a device connected to a USB 3 PCI add-on card or external USB hubs. - -3. If the computer is not booting from a USB 3.0 port, try to boot from a USB 2.0 port. - -If none of these items enable the computer to boot from USB, contact the hardware manufacturer for additional support. - -## What happens if I remove my Windows To Go drive while it is running? - - -If the Windows To Go drive is removed, the computer will freeze and the user will have 60 seconds to reinsert the Windows To Go drive. If the Windows To Go drive is reinserted into the same port it was removed from, Windows will resume at the point where the drive was removed. If the USB drive is not reinserted, or is reinserted into a different port, the host computer will turn off after 60 seconds. - -**Warning**   -You should never remove your Windows To Go drive when your workspace is running. The computer freeze is a safety measure to help mitigate the risk of accidental removal. Removing the Windows To Go drive without shutting down the Windows To Go workspace could result in corruption of the Windows To Go drive. - - - -## Can I use BitLocker to protect my Windows To Go drive? - - -Yes. In Windows 8 and later, BitLocker has added support for using a password to protect operating system drives. This means that you can use a password to secure your Windows To Go workspace and you will be prompted to enter this password every time you use the Windows To Go workspace. - -## Why can’t I enable BitLocker from Windows To Go Creator? - - -Several different Group Policies control the use of BitLocker on your organizations computers. These policies are located in the **Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** folder of the local Group Policy editor. The folder contains three sub-folders for fixed, operating system and removable data drive types. - -When you are using Windows To Go Creator, the Windows To Go drive is considered a removable data drive by BitLocker. Review the following setting to see if these settings apply in your situation: - -1. **Control use of BitLocker on removable drives** - - If this setting is disabled BitLocker cannot be used with removable drives, so the Windows To Go Creator wizard will fail if it attempts to enable BitLocker on the Windows To Go drive. - -2. **Configure use of smart cards on removable data drives** - - If this setting is enabled and the option **Require use of smart cards on removable data drives** is also selected the creator wizard might fail if you have not already signed on using your smart card credentials before starting the Windows To Go Creator wizard. - -3. **Configure use of passwords for removable data drives** - - If this setting is enabled and the **Require password complexity option** is selected the computer must be able to connect to the domain controller to verify that the password specified meets the password complexity requirements. If the connection is not available, the Windows To Go Creator wizard will fail to enable BitLocker. - -Additionally, the Windows To Go Creator will disable the BitLocker option if the drive does not have any volumes. In this situation, you should initialize the drive and create a volume using the Disk Management console before provisioning the drive with Windows To Go. - -## What power states does Windows To Go support? - - -Windows To Go supports all power states except the hibernate class of power states, which include hybrid boot, hybrid sleep, and hibernate. This default behavior can be modified by using Group Policy settings to enable hibernation of the Windows To Go workspace. - -## Why is hibernation disabled in Windows To Go? - - -When a Windows To Go workspace is hibernated, it will only successfully resume on the exact same hardware. Therefore, if a Windows To Go workspace is hibernated on one computer and roamed to another, the hibernation state (and therefore user state) will be lost. To prevent this from happening, the default settings for a Windows To Go workspace disable hibernation. If you are confident that you will only attempt to resume on the same computer, you can enable hibernation using the Windows To Go Group Policy setting, **Allow hibernate (S4) when started from a Windows To Go workspace** that is located at **\\\\Computer Configuration\\Administrative Templates\\Windows Components\\Portable Operating System\\** in the Local Group Policy Editor (gpedit.msc). - -## Does Windows To Go support crash dump analysis? - - -Yes. Windows 8 and later support crash dump stack analysis for both USB 2.0 and 3.0. - -## Do “Windows To Go Startup Options” work with dual boot computers? - - -Yes, if both operating systems are running the Windows 8 operating system. Enabling “Windows To Go Startup Options” should cause the computer to boot from the Windows To Go workspace when the drive is plugged in before the computer is turned on. - -If you have configured a dual boot computer with a Windows operating system and another operating system it might work occasionally and fail occasionally. Using this configuration is unsupported. - -## I plugged my Windows To Go drive into a running computer and I can’t see the partitions on the drive. Why not? - - -Windows To Go Creator and the recommended deployment steps for Windows To Go set the NO\_DEFAULT\_DRIVE\_LETTER flag on the Windows To Go drive. This flag prevents Windows from automatically assigning drive letters to the partitions on the Windows To Go drive. That’s why you can’t see the partitions on the drive when you plug your Windows To Go drive into a running computer. This helps prevent accidental data leakage between the Windows To Go drive and the host computer. If you really need to access the files on the Windows To Go drive from a running computer, you can use diskmgmt.msc or diskpart to assign a drive letter. - -**Warning**   -It is strongly recommended that you do not plug your Windows To Go drive into a running computer. If the computer is compromised, your Windows To Go workspace can also be compromised. - - - -## I’m booted into Windows To Go, but I can’t browse to the internal hard drive of the host computer. Why not? - - -Windows To Go Creator and the recommended deployment steps for Windows To Go set SAN Policy 4 on Windows To Go drive. This policy prevents Windows from automatically mounting internal disk drives. That’s why you can’t see the internal hard drives of the host computer when you are booted into Windows To Go. This is done to prevent accidental data leakage between Windows To Go and the host system. This policy also prevents potential corruption on the host drives or data loss if the host operating system is in a hibernation state. If you really need to access the files on the internal hard drive, you can use diskmgmt.msc to mount the internal drive. - -**Warning**   -It is strongly recommended that you do not mount internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 or later operating system, mounting the drive will lead to loss of hibernation state and therefor user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted. - - - -## Why does my Windows To Go drive have an MBR disk format with a FAT32 system partition? - - -This is done to allow Windows To Go to boot from UEFI and legacy systems. - -## Is Windows To Go secure if I use it on an untrusted computer? - - -While you are more secure than if you use a completely untrusted operating system, you are still vulnerable to attacks from the firmware or anything that runs before Windows To Go starts. If you plug your Windows To Go drive into a running untrusted computer, your Windows To Go drive can be compromised because any malicious software that might be active on the computer can access the drive. - -## Does Windows To Go work with ARM processors? - - -No. Windows RT is a specialized version of Windows designed for ARM processors. Windows To Go is currently only supported on PCs with x86 or x64-based processors. - -## Can I synchronize data from Windows To Go with my other computer? - - -To get your data across all your computers, we recommend using folder redirection and client side caching to store copies of your data on a server while giving you offline access to the files you need. - -## What size USB flash drive do I need to make a Windows To Go drive? - - -The size constraints are the same as full Windows. To ensure that you have enough space for Windows, your data, and your applications, we recommend USB drives that are a minimum of 20 GB in size. - -## Do I need to activate Windows To Go every time I roam? - - -No, Windows To Go requires volume activation; either using the [Key Management Service](https://go.microsoft.com/fwlink/p/?LinkId=619051) (KMS) server in your organization or using [Active Directory](https://go.microsoft.com/fwlink/p/?LinkId=619053) based volume activation. The Windows To Go workspace will not need to be reactivated every time you roam. KMS activates Windows on a local network, eliminating the need for individual computers to connect to Microsoft. To remain activated, KMS client computers must renew their activation by connecting to the KMS host on periodic basis. This typically occurs as soon as the user has access to the corporate network (either through a direct connection on-premises or a through remote connection using DirectAccess or a virtual private network connection), once activated the machine will not need to be activated again until the activation validity interval has passed. In a KMS configuration the activation validity interval is 180 days. - -## Can I use all Windows features on Windows To Go? - - -Yes, with some minor exceptions, you can use all Windows features with your Windows To Go workspace. The only currently unsupported features are using the Windows Recovery Environment and PC Reset & Refresh. - -## Can I use all my applications on Windows To Go? - - -Yes. Because your Windows To Go workspace is a full Windows 10 environment, all applications that work with Windows 10 should work in your Windows To Go workspace. However, any applications that use hardware binding (usually for licensing and/or digital rights management reasons) may not run when you roam your Windows To Go drive between different host computers, and you may have to use those applications on the same host computer every time. - -## Does Windows To Go work slower than standard Windows? - - -If you are using a USB 3.0 port and a Windows To Go certified device, there should be no perceivable difference between standard Windows and Windows To Go. However, if you are booting from a USB 2.0 port, you may notice some slowdown since USB 2.0 transfer speeds are slower than SATA speeds. - -## If I lose my Windows To Go drive, will my data be safe? - - -Yes! If you enable BitLocker on your Windows To Go drive, all your data will be encrypted and protected and a malicious user will not be able to access your data without your password. If you don’t enable BitLocker, your data will be vulnerable if you lose your Windows To Go drive. - -## Can I boot Windows To Go on a Mac? - - -We are committed to give customers a consistent and quality Windows 10 experience with Windows To Go. Windows To Go supports host devices certified for use with Windows 7 or later. Because Mac computers are not certified for use with Windows 7 or later, using Windows To Go is not supported on a Mac. - -## Are there any APIs that allow applications to identify a Windows To Go workspace? - - -Yes. You can use a combination of identifiers to determine if the currently running operating system is a Windows To Go workspace. First, check if the **PortableOperatingSystem** property is true. When that value is true it means that the operating system was booted from an external USB device. - -Next, check if the **OperatingSystemSKU** property is equal to **4** (for Windows 10 Enterprise) or **121** (for Windows 10 Education). The combination of those two properties represents a Windows To Go workspace environment. - -For more information, see the MSDN article on the [Win32\_OperatingSystem class](https://go.microsoft.com/fwlink/p/?LinkId=619059). - -## How is Windows To Go licensed? - - -Windows To Go allows organization to support the use of privately owned PCs at the home or office with more secure access to their organizational resources. With Windows To Go use rights under [Software Assurance](https://go.microsoft.com/fwlink/p/?LinkId=619062), an employee will be able to use Windows To Go on any company PC licensed with Software Assurance as well as from their home PC. - -## Does Windows Recovery Environment work with Windows To Go? What’s the guidance for recovering a Windows To Go drive? - - -No, use of Windows Recovery Environment is not supported on Windows To Go. It is recommended that you implement user state virtualization technologies like Folder Redirection to centralize and back up user data in the data center. If any corruption occurs on a Windows To Go drive, you should re-provision the workspace. - -## Why won’t Windows To Go work on a computer running Windows XP or Windows Vista? - - -Actually it might. If you have purchased a computer certified for Windows 7 or later and then installed an older operating system, Windows To Go will boot and run as expected as long as you have configured the firmware to boot from USB. However, if the computer was certified for Windows XP or Windows Vista, it might not meet the hardware requirements for Windows To Go to run. Typically computers certified for Windows Vista and earlier operating systems have less memory, less processing power, reduced video rendering, and slower USB ports. - -## Why does the operating system on the host computer matter? - - -It doesn’t other than to help visually identify if the PC has compatible hardware. For a PC to be certified for Windows 7 or later it had to support booting from USB. If a computer cannot boot from USB there is no way that it can be used with Windows To Go. The Windows To Go workspace is a full Windows 10 environment, so all of the hardware requirements of Windows 10 with respect to processing speed, memory usage, and graphics rendering need to be supported to be assured that it will work as expected. - -## My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go? - - -The default BitLocker protection profile in Windows 7 monitors the host computer for changes to the boot order as part of protecting the computer from tampering. When you change the boot order of the host computer to enable it to boot from the Windows To Go drive, the BitLocker system measurements will reflect that change and boot into recovery mode so that the computer can be inspected if necessary. - -You can reset the BitLocker system measurements to incorporate the new boot order using the following steps: - -1. Log on to the host computer using an account with administrator privileges. - -2. Click **Start**, click **Control Panel**, click **System and Security**, and then click **BitLocker Drive Encryption**. - -3. Click **Suspend Protection** for the operating system drive. - - A message is displayed, informing you that your data will not be protected while BitLocker is suspended and asking if you want to suspend BitLocker Drive Encryption. Click **Yes** to continue and suspend BitLocker on the drive. - -4. Restart the computer and enter the firmware settings to reset the boot order to boot from USB first. For more information on changing the boot order in the BIOS, see [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) on the TechNet wiki. - -5. Restart the computer again and then log on to the host computer using an account with administrator privileges. (Neither your Windows To Go drive nor any other USB drive should be inserted.) - -6. Click **Start**, click **Control Panel**, click **System and Security**, and then click **BitLocker Drive Encryption**. - -7. Click **Resume Protection** to re-enable BitLocker protection. - -The host computer will now be able to be booted from a USB drive without triggering recovery mode. - -**Note**   -The default BitLocker protection profile in Windows 8 or later does not monitor the boot order. - - - -## I decided to stop using a drive for Windows To Go and reformatted it – why doesn’t it have a drive letter assigned and how can I fix it? - - -Reformatting the drive erases the data on the drive, but doesn’t reconfigure the volume attributes. When a drive is provisioned for use as a Windows To Go drive the NODEFAULTDRIVELETTER attribute is set on the volume. To remove this attribute, use the following steps: - -1. Open a command prompt with full administrator permissions. - - **Note**   - If your user account is a member of the Administrators group, but is not the Administrator account itself, then, by default, the programs that you run only have standard user permissions unless you explicitly choose to elevate them. - - - -2. Start the [diskpart](https://go.microsoft.com/fwlink/p/?LinkId=619070) command interpreter, by typing `diskpart` at the command prompt. - -3. Use the `select disk` command to identify the drive. If you do not know the drive number, use the `list` command to display the list of disks available. - -4. After selecting the disk, run the `clean` command to remove all data, formatting, and initialization information from the drive. - -## Why do I keep on getting the message “Installing devices…” when I boot Windows To Go? - - -One of the challenges involved in moving the Windows To Go drive between PCs while seamlessly booting Windows with access to all of their applications and data is that for Windows to be fully functional, specific drivers need to be installed for the hardware in each machine that runs Windows. Windows 8 or later has a process called respecialize which will identify new drivers that need to be loaded for the new PC and disable drivers which are not present on the new configuration. In general this feature is reliable and efficient when roaming between PCs of widely varying hardware configurations. - -In certain cases, third party drivers for different hardware models or versions can reuse device ID’s, driver file names, registry keys (or any other operating system constructs which do not support side-by-side storage) for similar hardware. For example, Touchpad drivers on different laptops often reuse the same device ID’s, and video cards from the same manufacturer may often reuse service names. Windows handles these situations by marking the non-present device node with a flag that indicates the existing driver needs to be reinstalled before continuing to install the new driver. - -This process will occur on any boot that a new driver is found and a driver conflict is detected. In some cases that will result in a respecialize progress message “Installing devices…” displaying every time that a Windows to Go drive is roamed between two PCs which require conflicting drivers. - -## How do I upgrade the operating system on my Windows To Go drive? - - -There is no support in Windows for upgrading a Windows To Go drive. Deployed Windows To Go drives with older versions of Windows will need to be re-imaged with a new version of Windows in order to transition to the new operating system version. - -## Additional resources - - -- [Windows 10 forums](https://go.microsoft.com/fwlink/p/?LinkId=618949) - -- [Windows To Go Step by Step Wiki](https://go.microsoft.com/fwlink/p/?LinkId=618950) - -- [Windows To Go: feature overview](windows-to-go-overview.md) - -- [Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md) - -- [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) - -- [Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md) - - - - - - - - - +--- +title: Windows To Go frequently asked questions (Windows 10) +description: Windows To Go frequently asked questions +ms.assetid: bfdfb824-4a19-4401-b369-22c5e6ca9d6e +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: FAQ, mobile, device, USB +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: mobility +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Windows To Go: frequently asked questions + + +**Applies to** + +- Windows 10 + +>[!IMPORTANT] +>Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. + +The following list identifies some commonly asked questions about Windows To Go. + +- [What is Windows To Go?](#wtg-faq-whatis) + +- [Does Windows To Go rely on virtualization?](#wtg-faq-virt) + +- [Who should use Windows To Go?](#wtg-faq-who) + +- [How can Windows To Go be deployed in an organization?](#wtg-faq-deploy) + +- [Is Windows To Go supported on both USB 2.0 and USB 3.0 drives?](#wtg-faq-usbvs) + +- [Is Windows To Go supported on USB 2.0 and USB 3.0 ports?](#wtg-faq-usbports) + +- [How do I identify a USB 3.0 port?](#wtg-faq-usb3port) + +- [Does Windows To Go run faster on a USB 3.0 port?](#wtg-faq-usb3speed) + +- [Can the user self-provision Windows To Go?](#wtg-faq-selfpro) + +- [How can Windows To Go be managed in an organization?](#wtg-faq-mng) + +- [How do I make my computer boot from USB?](#wtf-faq-startup) + +- [Why isn’t my computer booting from USB?](#wtg-faq-noboot) + +- [What happens if I remove my Windows To Go drive while it is running?](#wtg-faq-surprise) + +- [Can I use BitLocker to protect my Windows To Go drive?](#wtg-faq-bitlocker) + +- [Why can’t I enable BitLocker from Windows To Go Creator?](#wtg-faq-blfail) + +- [What power states does Windows To Go support?](#wtg-faq-power) + +- [Why is hibernation disabled in Windows To Go?](#wtg-faq-hibernate) + +- [Does Windows To Go support crash dump analysis?](#wtg-faq-crashdump) + +- [Do “Windows To Go Startup Options” work with dual boot computers?](#wtg-faq-dualboot) + +- [I plugged my Windows To Go drive into a running computer and I can’t see the partitions on the drive. Why not?](#wtg-faq-diskpart) + +- [I’m booted into Windows To Go, but I can’t browse to the internal hard drive of the host computer. Why not?](#wtg-faq-san4) + +- [Why does my Windows To Go drive have an MBR disk format with a FAT32 system partition?](#wtg-faq-fatmbr) + +- [Is Windows To Go secure if I use it on an untrusted machine?](#wtg-faq-malhost) + +- [Does Windows To Go work with ARM processors?](#wtg-faq-arm) + +- [Can I synchronize data from Windows To Go with my other computer?](#wtg-faq-datasync) + +- [What size USB Flash Drive do I need to make a Windows To Go drive?](#wtg-faq-usbsz) + +- [Do I need to activate Windows To Go every time I roam?](#wtg-faq-roamact) + +- [Can I use all Windows features on Windows To Go?](#wtg-faq-features) + +- [Can I use all my applications on Windows To Go?](#wtg-faq-approam) + +- [Does Windows To Go work slower than standard Windows?](#wtg-faq-slow) + +- [If I lose my Windows To Go drive, will my data be safe?](#wtg-faq-safeloss) + +- [Can I boot Windows To Go on a Mac?](#wtg-faq-mac) + +- [Are there any APIs that allow applications to identify a Windows To Go workspace?](#wtg-faq-api) + +- [How is Windows To Go licensed?](#wtg-faq-lic) + +- [Does Windows Recovery Environment work with Windows To Go? What’s the guidance for recovering a Windows To Go drive?](#wtg-faq-recovery) + +- [Why won’t Windows To Go work on a computer running Windows XP or Windows Vista?](#wtg-faq-oldos) + +- [Why does the operating system on the host computer matter?](#wtg-faq-oldos2) + +- [My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go?](#wtg-faq-blreckey) + +- [I decided to stop using a drive for Windows To Go and reformatted it – why doesn’t it have a drive letter assigned and how can I fix it?](#wtg-faq-reformat) + +- [Why do I keep on getting the message “Installing devices…” when I boot Windows To Go?](#bkmk-roamconflict) + +- [How do I upgrade the operating system on my Windows To Go drive?](#bkmk-upgradewtg) + +## What is Windows To Go? + + +Windows To Go is a feature for users of Windows 10 Enterprise and Windows 10 Education that enables users to boot a full version of Windows from external USB drives on host PCs. + +## Does Windows To Go rely on virtualization? + + +No. Windows To Go is a native instance of Windows 10 that runs from a USB device. It is just like a laptop hard drive with Windows 8 that has been put into a USB enclosure. + +## Who should use Windows To Go? + + +Windows To Go was designed for enterprise usage and targets scenarios such as continuance of operations, contractors, managed free seating, traveling workers, and work from home. + +## How can Windows To Go be deployed in an organization? + + +Windows To Go can be deployed using standard Windows deployment tools like Diskpart and DISM. The prerequisites for deploying Windows To Go are: + +- A Windows To Go recommended USB drive to provision; See the list of currently available USB drives at [Hardware considerations for Windows To Go](windows-to-go-overview.md#wtg-hardware) + +- A Windows 10 Enterprise or Windows 10 Education image + +- A Windows 10 Enterprise, Windows 10 Education or Windows 10 Professional host PC that can be used to provision new USB keys + +You can use a Windows PowerShell script to target several drives and scale your deployment for a large number of Windows To Go drives. You can also use a USB duplicator to duplicate a Windows To Go drive after it has been provisioned if you are creating a large number of drives. See the [Windows To Go Step by Step](https://go.microsoft.com/fwlink/p/?LinkId=618950) article on the TechNet wiki for a walkthrough of the drive creation process. + +## Is Windows To Go supported on both USB 2.0 and USB 3.0 drives? + + +No. Windows To Go is supported on USB 3.0 drives that are certified for Windows To Go. + +## Is Windows To Go supported on USB 2.0 and USB 3.0 ports? + + +Yes. Windows To Go is fully supported on either USB 2.0 ports or USB 3.0 ports on PCs certified for Windows 7 or later. + +## How do I identify a USB 3.0 port? + + +USB 3.0 ports are usually marked blue or carry a SS marking on the side. + +## Does Windows To Go run faster on a USB 3.0 port? + + +Yes. Because USB 3.0 offers significantly faster speeds than USB 2.0, a Windows To Go drive running on a USB 3.0 port will operate considerably faster. This speed increase applies to both drive provisioning and when the drive is being used as a workspace. + +## Can the user self-provision Windows To Go? + + +Yes, if the user has administrator permissions they can self-provision a Windows To Go drive using the Windows To Go Creator wizard which is included in Windows 10 Enterprise, Windows 10 Education and Windows 10 Professional. Additionally, System Center 2012 Configuration Manager SP1 and later releases includes support for user self-provisioning of Windows To Go drives. Configuration Manager can be downloaded for evaluation from the [Microsoft TechNet Evaluation Center](https://go.microsoft.com/fwlink/p/?LinkID=618746). + +## How can Windows To Go be managed in an organization? + + +Windows To Go can be deployed and managed like a traditional desktop PC using standard Windows enterprise software distribution tools like System Center Configuration Manager. Computer and user settings for Windows To Go workspaces can be managed using Group Policy setting also in the same manner that you manage Group Policy settings for other PCs in your organization. Windows To Go workspaces can be configured to connect to the organizational resources remotely using DirectAccess or a virtual private network connection so that they can connect securely to your network. + +## How do I make my computer boot from USB? + + +For host computers running Windows 10 + +- Using Cortana, search for **Windows To Go startup options**, and then press Enter. +- In the **Windows To Go Startup Options** dialog box, select **Yes**, and then click **Save Changes** to configure the computer to boot from USB. + +For host computers running Windows 8 or Windows 8.1: + +Press **Windows logo key+W** and then search for **Windows To Go startup options** and then press Enter. + +In the **Windows To Go Startup Options** dialog box select **Yes** and then click **Save Changes** to configure the computer to boot from USB. + +**Note**   +Your IT department can use Group Policy to configure Windows To Go Startup Options in your organization. + + + +If the host computer is running an earlier version of the Windows operating system need to configure the computer to boot from USB manually. + +To do this, early during boot time (usually when you see the manufacturer’s logo), enter your firmware/BIOS setup. (This method to enter firmware/BIOS setup differs with different computer manufacturers, but is usually entered by pressing one of the function keys, such as F12, F2, F1, Esc, and so forth. You should check the manufacturer’s site to be sure if you do not know which key to use to enter firmware setup.) + +After you have entered firmware setup, make sure that boot from USB is enabled. Then change the boot order to boot from USB drives first. + +Alternatively, if your computer supports it, you can try to use the one-time boot menu (often F12), to select USB boot on a per-boot basis. + +For more detailed instructions, see the wiki article, [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkID=618951). + +**Warning**   +Configuring a computer to boot from USB will cause your computer to attempt to boot from any bootable USB device connected to your computer. This potentially includes malicious devices. Users should be informed of this risk and instructed to not have any bootable USB storage devices plugged in to their computers except for their Windows To Go drive. + + + +## Why isn’t my computer booting from USB? + + +Computers certified for Windows 7 and later are required to have support for USB boot. Check to see if any of the following items apply to your situation: + +1. Ensure that your computer has the latest BIOS installed and the BIOS is configured to boot from a USB device. + +2. Ensure that the Windows To Go drive is connected directly to a USB port on the computer. Many computers don’t support booting from a device connected to a USB 3 PCI add-on card or external USB hubs. + +3. If the computer is not booting from a USB 3.0 port, try to boot from a USB 2.0 port. + +If none of these items enable the computer to boot from USB, contact the hardware manufacturer for additional support. + +## What happens if I remove my Windows To Go drive while it is running? + + +If the Windows To Go drive is removed, the computer will freeze and the user will have 60 seconds to reinsert the Windows To Go drive. If the Windows To Go drive is reinserted into the same port it was removed from, Windows will resume at the point where the drive was removed. If the USB drive is not reinserted, or is reinserted into a different port, the host computer will turn off after 60 seconds. + +**Warning**   +You should never remove your Windows To Go drive when your workspace is running. The computer freeze is a safety measure to help mitigate the risk of accidental removal. Removing the Windows To Go drive without shutting down the Windows To Go workspace could result in corruption of the Windows To Go drive. + + + +## Can I use BitLocker to protect my Windows To Go drive? + + +Yes. In Windows 8 and later, BitLocker has added support for using a password to protect operating system drives. This means that you can use a password to secure your Windows To Go workspace and you will be prompted to enter this password every time you use the Windows To Go workspace. + +## Why can’t I enable BitLocker from Windows To Go Creator? + + +Several different Group Policies control the use of BitLocker on your organizations computers. These policies are located in the **Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** folder of the local Group Policy editor. The folder contains three sub-folders for fixed, operating system and removable data drive types. + +When you are using Windows To Go Creator, the Windows To Go drive is considered a removable data drive by BitLocker. Review the following setting to see if these settings apply in your situation: + +1. **Control use of BitLocker on removable drives** + + If this setting is disabled BitLocker cannot be used with removable drives, so the Windows To Go Creator wizard will fail if it attempts to enable BitLocker on the Windows To Go drive. + +2. **Configure use of smart cards on removable data drives** + + If this setting is enabled and the option **Require use of smart cards on removable data drives** is also selected the creator wizard might fail if you have not already signed on using your smart card credentials before starting the Windows To Go Creator wizard. + +3. **Configure use of passwords for removable data drives** + + If this setting is enabled and the **Require password complexity option** is selected the computer must be able to connect to the domain controller to verify that the password specified meets the password complexity requirements. If the connection is not available, the Windows To Go Creator wizard will fail to enable BitLocker. + +Additionally, the Windows To Go Creator will disable the BitLocker option if the drive does not have any volumes. In this situation, you should initialize the drive and create a volume using the Disk Management console before provisioning the drive with Windows To Go. + +## What power states does Windows To Go support? + + +Windows To Go supports all power states except the hibernate class of power states, which include hybrid boot, hybrid sleep, and hibernate. This default behavior can be modified by using Group Policy settings to enable hibernation of the Windows To Go workspace. + +## Why is hibernation disabled in Windows To Go? + + +When a Windows To Go workspace is hibernated, it will only successfully resume on the exact same hardware. Therefore, if a Windows To Go workspace is hibernated on one computer and roamed to another, the hibernation state (and therefore user state) will be lost. To prevent this from happening, the default settings for a Windows To Go workspace disable hibernation. If you are confident that you will only attempt to resume on the same computer, you can enable hibernation using the Windows To Go Group Policy setting, **Allow hibernate (S4) when started from a Windows To Go workspace** that is located at **\\\\Computer Configuration\\Administrative Templates\\Windows Components\\Portable Operating System\\** in the Local Group Policy Editor (gpedit.msc). + +## Does Windows To Go support crash dump analysis? + + +Yes. Windows 8 and later support crash dump stack analysis for both USB 2.0 and 3.0. + +## Do “Windows To Go Startup Options” work with dual boot computers? + + +Yes, if both operating systems are running the Windows 8 operating system. Enabling “Windows To Go Startup Options” should cause the computer to boot from the Windows To Go workspace when the drive is plugged in before the computer is turned on. + +If you have configured a dual boot computer with a Windows operating system and another operating system it might work occasionally and fail occasionally. Using this configuration is unsupported. + +## I plugged my Windows To Go drive into a running computer and I can’t see the partitions on the drive. Why not? + + +Windows To Go Creator and the recommended deployment steps for Windows To Go set the NO\_DEFAULT\_DRIVE\_LETTER flag on the Windows To Go drive. This flag prevents Windows from automatically assigning drive letters to the partitions on the Windows To Go drive. That’s why you can’t see the partitions on the drive when you plug your Windows To Go drive into a running computer. This helps prevent accidental data leakage between the Windows To Go drive and the host computer. If you really need to access the files on the Windows To Go drive from a running computer, you can use diskmgmt.msc or diskpart to assign a drive letter. + +**Warning**   +It is strongly recommended that you do not plug your Windows To Go drive into a running computer. If the computer is compromised, your Windows To Go workspace can also be compromised. + + + +## I’m booted into Windows To Go, but I can’t browse to the internal hard drive of the host computer. Why not? + + +Windows To Go Creator and the recommended deployment steps for Windows To Go set SAN Policy 4 on Windows To Go drive. This policy prevents Windows from automatically mounting internal disk drives. That’s why you can’t see the internal hard drives of the host computer when you are booted into Windows To Go. This is done to prevent accidental data leakage between Windows To Go and the host system. This policy also prevents potential corruption on the host drives or data loss if the host operating system is in a hibernation state. If you really need to access the files on the internal hard drive, you can use diskmgmt.msc to mount the internal drive. + +**Warning**   +It is strongly recommended that you do not mount internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 or later operating system, mounting the drive will lead to loss of hibernation state and therefor user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted. + + + +## Why does my Windows To Go drive have an MBR disk format with a FAT32 system partition? + + +This is done to allow Windows To Go to boot from UEFI and legacy systems. + +## Is Windows To Go secure if I use it on an untrusted computer? + + +While you are more secure than if you use a completely untrusted operating system, you are still vulnerable to attacks from the firmware or anything that runs before Windows To Go starts. If you plug your Windows To Go drive into a running untrusted computer, your Windows To Go drive can be compromised because any malicious software that might be active on the computer can access the drive. + +## Does Windows To Go work with ARM processors? + + +No. Windows RT is a specialized version of Windows designed for ARM processors. Windows To Go is currently only supported on PCs with x86 or x64-based processors. + +## Can I synchronize data from Windows To Go with my other computer? + + +To get your data across all your computers, we recommend using folder redirection and client side caching to store copies of your data on a server while giving you offline access to the files you need. + +## What size USB flash drive do I need to make a Windows To Go drive? + + +The size constraints are the same as full Windows. To ensure that you have enough space for Windows, your data, and your applications, we recommend USB drives that are a minimum of 20 GB in size. + +## Do I need to activate Windows To Go every time I roam? + + +No, Windows To Go requires volume activation; either using the [Key Management Service](https://go.microsoft.com/fwlink/p/?LinkId=619051) (KMS) server in your organization or using [Active Directory](https://go.microsoft.com/fwlink/p/?LinkId=619053) based volume activation. The Windows To Go workspace will not need to be reactivated every time you roam. KMS activates Windows on a local network, eliminating the need for individual computers to connect to Microsoft. To remain activated, KMS client computers must renew their activation by connecting to the KMS host on periodic basis. This typically occurs as soon as the user has access to the corporate network (either through a direct connection on-premises or a through remote connection using DirectAccess or a virtual private network connection), once activated the machine will not need to be activated again until the activation validity interval has passed. In a KMS configuration the activation validity interval is 180 days. + +## Can I use all Windows features on Windows To Go? + + +Yes, with some minor exceptions, you can use all Windows features with your Windows To Go workspace. The only currently unsupported features are using the Windows Recovery Environment and PC Reset & Refresh. + +## Can I use all my applications on Windows To Go? + + +Yes. Because your Windows To Go workspace is a full Windows 10 environment, all applications that work with Windows 10 should work in your Windows To Go workspace. However, any applications that use hardware binding (usually for licensing and/or digital rights management reasons) may not run when you roam your Windows To Go drive between different host computers, and you may have to use those applications on the same host computer every time. + +## Does Windows To Go work slower than standard Windows? + + +If you are using a USB 3.0 port and a Windows To Go certified device, there should be no perceivable difference between standard Windows and Windows To Go. However, if you are booting from a USB 2.0 port, you may notice some slowdown since USB 2.0 transfer speeds are slower than SATA speeds. + +## If I lose my Windows To Go drive, will my data be safe? + + +Yes! If you enable BitLocker on your Windows To Go drive, all your data will be encrypted and protected and a malicious user will not be able to access your data without your password. If you don’t enable BitLocker, your data will be vulnerable if you lose your Windows To Go drive. + +## Can I boot Windows To Go on a Mac? + + +We are committed to give customers a consistent and quality Windows 10 experience with Windows To Go. Windows To Go supports host devices certified for use with Windows 7 or later. Because Mac computers are not certified for use with Windows 7 or later, using Windows To Go is not supported on a Mac. + +## Are there any APIs that allow applications to identify a Windows To Go workspace? + + +Yes. You can use a combination of identifiers to determine if the currently running operating system is a Windows To Go workspace. First, check if the **PortableOperatingSystem** property is true. When that value is true it means that the operating system was booted from an external USB device. + +Next, check if the **OperatingSystemSKU** property is equal to **4** (for Windows 10 Enterprise) or **121** (for Windows 10 Education). The combination of those two properties represents a Windows To Go workspace environment. + +For more information, see the MSDN article on the [Win32\_OperatingSystem class](https://go.microsoft.com/fwlink/p/?LinkId=619059). + +## How is Windows To Go licensed? + + +Windows To Go allows organization to support the use of privately owned PCs at the home or office with more secure access to their organizational resources. With Windows To Go use rights under [Software Assurance](https://go.microsoft.com/fwlink/p/?LinkId=619062), an employee will be able to use Windows To Go on any company PC licensed with Software Assurance as well as from their home PC. + +## Does Windows Recovery Environment work with Windows To Go? What’s the guidance for recovering a Windows To Go drive? + + +No, use of Windows Recovery Environment is not supported on Windows To Go. It is recommended that you implement user state virtualization technologies like Folder Redirection to centralize and back up user data in the data center. If any corruption occurs on a Windows To Go drive, you should re-provision the workspace. + +## Why won’t Windows To Go work on a computer running Windows XP or Windows Vista? + + +Actually it might. If you have purchased a computer certified for Windows 7 or later and then installed an older operating system, Windows To Go will boot and run as expected as long as you have configured the firmware to boot from USB. However, if the computer was certified for Windows XP or Windows Vista, it might not meet the hardware requirements for Windows To Go to run. Typically computers certified for Windows Vista and earlier operating systems have less memory, less processing power, reduced video rendering, and slower USB ports. + +## Why does the operating system on the host computer matter? + + +It doesn’t other than to help visually identify if the PC has compatible hardware. For a PC to be certified for Windows 7 or later it had to support booting from USB. If a computer cannot boot from USB there is no way that it can be used with Windows To Go. The Windows To Go workspace is a full Windows 10 environment, so all of the hardware requirements of Windows 10 with respect to processing speed, memory usage, and graphics rendering need to be supported to be assured that it will work as expected. + +## My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go? + + +The default BitLocker protection profile in Windows 7 monitors the host computer for changes to the boot order as part of protecting the computer from tampering. When you change the boot order of the host computer to enable it to boot from the Windows To Go drive, the BitLocker system measurements will reflect that change and boot into recovery mode so that the computer can be inspected if necessary. + +You can reset the BitLocker system measurements to incorporate the new boot order using the following steps: + +1. Log on to the host computer using an account with administrator privileges. + +2. Click **Start**, click **Control Panel**, click **System and Security**, and then click **BitLocker Drive Encryption**. + +3. Click **Suspend Protection** for the operating system drive. + + A message is displayed, informing you that your data will not be protected while BitLocker is suspended and asking if you want to suspend BitLocker Drive Encryption. Click **Yes** to continue and suspend BitLocker on the drive. + +4. Restart the computer and enter the firmware settings to reset the boot order to boot from USB first. For more information on changing the boot order in the BIOS, see [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) on the TechNet wiki. + +5. Restart the computer again and then log on to the host computer using an account with administrator privileges. (Neither your Windows To Go drive nor any other USB drive should be inserted.) + +6. Click **Start**, click **Control Panel**, click **System and Security**, and then click **BitLocker Drive Encryption**. + +7. Click **Resume Protection** to re-enable BitLocker protection. + +The host computer will now be able to be booted from a USB drive without triggering recovery mode. + +**Note**   +The default BitLocker protection profile in Windows 8 or later does not monitor the boot order. + + + +## I decided to stop using a drive for Windows To Go and reformatted it – why doesn’t it have a drive letter assigned and how can I fix it? + + +Reformatting the drive erases the data on the drive, but doesn’t reconfigure the volume attributes. When a drive is provisioned for use as a Windows To Go drive the NODEFAULTDRIVELETTER attribute is set on the volume. To remove this attribute, use the following steps: + +1. Open a command prompt with full administrator permissions. + + **Note**   + If your user account is a member of the Administrators group, but is not the Administrator account itself, then, by default, the programs that you run only have standard user permissions unless you explicitly choose to elevate them. + + + +2. Start the [diskpart](https://go.microsoft.com/fwlink/p/?LinkId=619070) command interpreter, by typing `diskpart` at the command prompt. + +3. Use the `select disk` command to identify the drive. If you do not know the drive number, use the `list` command to display the list of disks available. + +4. After selecting the disk, run the `clean` command to remove all data, formatting, and initialization information from the drive. + +## Why do I keep on getting the message “Installing devices…” when I boot Windows To Go? + + +One of the challenges involved in moving the Windows To Go drive between PCs while seamlessly booting Windows with access to all of their applications and data is that for Windows to be fully functional, specific drivers need to be installed for the hardware in each machine that runs Windows. Windows 8 or later has a process called respecialize which will identify new drivers that need to be loaded for the new PC and disable drivers which are not present on the new configuration. In general this feature is reliable and efficient when roaming between PCs of widely varying hardware configurations. + +In certain cases, third party drivers for different hardware models or versions can reuse device ID’s, driver file names, registry keys (or any other operating system constructs which do not support side-by-side storage) for similar hardware. For example, Touchpad drivers on different laptops often reuse the same device ID’s, and video cards from the same manufacturer may often reuse service names. Windows handles these situations by marking the non-present device node with a flag that indicates the existing driver needs to be reinstalled before continuing to install the new driver. + +This process will occur on any boot that a new driver is found and a driver conflict is detected. In some cases that will result in a respecialize progress message “Installing devices…” displaying every time that a Windows to Go drive is roamed between two PCs which require conflicting drivers. + +## How do I upgrade the operating system on my Windows To Go drive? + + +There is no support in Windows for upgrading a Windows To Go drive. Deployed Windows To Go drives with older versions of Windows will need to be re-imaged with a new version of Windows in order to transition to the new operating system version. + +## Additional resources + + +- [Windows 10 forums](https://go.microsoft.com/fwlink/p/?LinkId=618949) + +- [Windows To Go Step by Step Wiki](https://go.microsoft.com/fwlink/p/?LinkId=618950) + +- [Windows To Go: feature overview](windows-to-go-overview.md) + +- [Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md) + +- [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) + +- [Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md) + + + + + + + + + diff --git a/windows/deployment/planning/windows-to-go-overview.md b/windows/deployment/planning/windows-to-go-overview.md index cb03e1e4d1..3ed1e2e88c 100644 --- a/windows/deployment/planning/windows-to-go-overview.md +++ b/windows/deployment/planning/windows-to-go-overview.md @@ -1,284 +1,284 @@ ---- -title: Windows To Go feature overview (Windows 10) -description: Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs. -ms.assetid: 9df82b03-acba-442c-801d-56db241f8d42 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: workspace, mobile, installation, image, USB, device, image, edu -ms.prod: w10 -ms.mktglfcycl: deploy -ms.pagetype: mobility, edu -ms.sitesec: library -author: greg-lindsay -ms.topic: article ---- - -# Windows To Go: feature overview - - -**Applies to** - -- Windows 10 - ->[!IMPORTANT] ->Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. - -Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs. - -PCs that meet the Windows 7 or later [certification requirements](https://go.microsoft.com/fwlink/p/?LinkId=618711) can run Windows 10 in a Windows To Go workspace, regardless of the operating system running on the PC. Windows To Go workspaces can use the same image enterprises use for their desktops and laptops and can be managed the same way. Windows To Go is not intended to replace desktops, laptops or supplant other mobility offerings. Rather, it provides support for efficient use of resources for alternative workplace scenarios. There are some additional considerations that you should keep in mind before you start to use Windows To Go: - -- [Differences between Windows To Go and a typical installation of Windows](#bkmk-wtgdif) -- [Roaming with Windows To Go](#bkmk-wtgroam) -- [Prepare for Windows To Go](#wtg-prep-intro) -- [Hardware considerations for Windows To Go](#wtg-hardware) - -**Note**   -Windows To Go is not supported on Windows RT. - - - -## Differences between Windows To Go and a typical installation of Windows - - -Windows To Go workspace operates just like any other installation of Windows with a few exceptions. These exceptions are: - -- **Internal disks are offline.** To ensure data isn’t accidentally disclosed, internal hard disks on the host computer are offline by default when booted into a Windows To Go workspace. Similarly if a Windows To Go drive is inserted into a running system, the Windows To Go drive will not be listed in Windows Explorer. - -- **Trusted Platform Module (TPM) is not used.** When using BitLocker Drive Encryption a pre-operating system boot password will be used for security rather than the TPM since the TPM is tied to a specific computer and Windows To Go drives will move between computers. - -- **Hibernate is disabled by default.** To ensure that the Windows To Go workspace is able to move between computers easily, hibernation is disabled by default. Hibernation can be re-enabled by using Group Policy settings. - -- **Windows Recovery Environment is not available.** In the rare case that you need to recover your Windows To Go drive, you should re-image it with a fresh image of Windows. - -- **Refreshing or resetting a Windows To Go workspace is not supported.** Resetting to the manufacturer’s standard for the computer doesn’t apply when running a Windows To Go workspace, so the feature was disabled. - -- **Upgrading a Windows To Go workspace is not supported.** Older Windows 8 or Windows 8.1 Windows To Go workspaces cannot be upgraded to Windows 10 workspaces, nor can Windows 10 Windows To Go workspaces be upgraded to future versions of Windows 10. For new versions, the workspace needs to be re-imaged with a fresh image of Windows. - -## Roaming with Windows To Go - - -Windows To Go drives can be booted on multiple computers. When a Windows To Go workspace is first booted on a host computer it will detect all hardware on the computer and install any needed drivers. When the Windows To Go workspace is subsequently booted on that host computer it will be able to identify the host computer and load the correct set of drivers automatically. - -The applications that you want to use from the Windows To Go workspace should be tested to make sure they also support roaming. Some applications bind to the computer hardware which will cause difficulties if the workspace is being used with multiple host computers. - -## Prepare for Windows To Go - - -Enterprises install Windows on a large group of computers either by using configuration management software (such as System Center Configuration Manager), or by using standard Windows deployment tools such as DiskPart and the Deployment Image Servicing and Management (DISM) tool. - -These same tools can be used to provision Windows To Go drive, just as you would if you were planning for provisioning a new class of mobile PCs. You can use the [Windows Assessment and Deployment Kit](https://go.microsoft.com/fwlink/p/?LinkId=526803) to review deployment tools available. - -**Important**   -Make sure you use the versions of the deployment tools provided for the version of Windows you are deploying. There have been many enhancements made to support Windows To Go. Using versions of the deployment tools released for earlier versions of Windows to provision a Windows To Go drive is not supported. - - - -As you decide what to include in your Windows To Go image, be sure to consider the following questions: - -Are there any drivers that you need to inject into the image? - -How will data be stored and synchronized to appropriate locations from the USB device? - -Are there any applications that are incompatible with Windows To Go roaming that should not be included in the image? - -What should be the architecture of the image - 32bit/64bit? - -What remote connectivity solution should be supported in the image if Windows To Go is used outside the corporate network? - -For more information about designing and planning your Windows To Go deployment, see [Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md). - -## Hardware considerations for Windows To Go - - -**For USB drives** - -The devices listed in this section have been specially optimized and certified for Windows To Go and meet the necessary requirements for booting and running a full version of Windows 10 from a USB drive. The optimizations for Windows To Go include the following: - -- Windows To Go certified USB drives are built for high random read/write speeds and support the thousands of random access I/O operations per second required for running normal Windows workloads smoothly. - -- Windows To Go certified USB drives have been tuned to ensure they boot and run on hardware certified for use with Windows 7 and later. - -- Windows To Go certified USB drives are built to last. Certified USB drives are backed with manufacturer warranties and should continue operating under normal usage. Refer to the manufacturer websites for warranty details. - -As of the date of publication, the following are the USB drives currently certified for use as Windows To Go drives: - -**Warning**   -Using a USB drive that has not been certified is not supported - - - -- IronKey Workspace W700 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w700.html](https://go.microsoft.com/fwlink/p/?LinkId=618714)) - -- IronKey Workspace W500 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w500.html](https://go.microsoft.com/fwlink/p/?LinkId=618717)) - -- IronKey Workspace W300 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w300.html](https://go.microsoft.com/fwlink/p/?LinkId=618718)) - -- Kingston DataTraveler Workspace for Windows To Go ([http://www.kingston.com/wtg/](https://go.microsoft.com/fwlink/p/?LinkId=618719)) - -- Spyrus Portable Workplace ([http://www.spyruswtg.com/](https://go.microsoft.com/fwlink/p/?LinkId=618720)) - - We recommend that you run the Spyrus Deployment Suite for Windows To Go to provision the Spyrus Portable Workplace. - -- Spyrus Secure Portable Workplace ([http://www.spyruswtg.com/](https://go.microsoft.com/fwlink/p/?LinkId=618720)) - - **Important**   - You must use the Spyrus Deployment Suite for Windows To Go to provision the Spyrus Secure Portable Workplace. For more information about the Spyrus Deployment Suite for Windows To Go please refer to [http://www.spyruswtg.com/](https://go.microsoft.com/fwlink/p/?LinkId=618720). - - - -- Spyrus Worksafe ([http://www.spyruswtg.com/](https://go.microsoft.com/fwlink/p/?LinkId=618720)) - - **Tip**   - This device contains an embedded smart card. - - - -- Super Talent Express RC4 for Windows To Go - - -and- - - Super Talent Express RC8 for Windows To Go - - ([http://www.supertalent.com/wtg/](https://go.microsoft.com/fwlink/p/?LinkId=618721)) - -- Western Digital My Passport Enterprise ([http://www.wd.com/wtg](https://go.microsoft.com/fwlink/p/?LinkId=618722)) - - We recommend that you run the WD Compass utility to prepare the Western Digital My Passport Enterprise drive for provisioning with Windows To Go.  For more information about the WD Compass utility please refer to [http://www.wd.com/wtg](https://go.microsoft.com/fwlink/p/?LinkId=618722) - -**For host computers** - -When assessing the use of a PC as a host for a Windows To Go workspace you should consider the following criteria: - -- Hardware that has been certified for use with Windows 7or later operating systems will work well with Windows To Go. - -- Running a Windows To Go workspace from a computer that is running Windows RT is not a supported scenario. - -- Running a Windows To Go workspace on a Mac computer is not a supported scenario. - -The following table details the characteristics that the host computer must have to be used with Windows To Go: - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          ItemRequirement

          Boot process

          Capable of USB boot

          Firmware

          USB boot enabled. (PCs certified for use with Windows 7 or later can be configured to boot directly from USB, check with the hardware manufacturer if you are unsure of the ability of your PC to boot from USB)

          Processor architecture

          Must support the image on the Windows To Go drive

          External USB Hubs

          Not supported; connect the Windows To Go drive directly to the host machine

          Processor

          1 Ghz or faster

          RAM

          2 GB or greater

          Graphics

          DirectX 9 graphics device with WDDM 1.2 or greater driver

          USB port

          USB 2.0 port or greater

          - - - -**Checking for architectural compatibility between the host PC and the Windows To Go drive** - -In addition to the USB boot support in the BIOS, the Windows 10 image on your Windows To Go drive must be compatible with the processor architecture and the firmware of the host PC as shown in the table below. - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Host PC Firmware TypeHost PC Processor ArchitectureCompatible Windows To Go Image Architecture

          Legacy BIOS

          32-bit

          32-bit only

          Legacy BIOS

          64-bit

          32-bit and 64-bit

          UEFI BIOS

          32-bit

          32-bit only

          UEFI BIOS

          64-bit

          64-bit only

          - - - -## Additional resources - - -- [Windows 10 forums](https://go.microsoft.com/fwlink/p/?LinkId=618949) - -- [Windows To Go Step by Step Wiki](https://go.microsoft.com/fwlink/p/?LinkId=618950) - -- [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) - -## Related topics - - -- [Deploy Windows To Go in your organization](https://go.microsoft.com/fwlink/p/?LinkId=619975) - -- [Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md) - -- [Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md) - -- [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) - -- [Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md) - -- [Best practice recommendations for Windows To Go](best-practice-recommendations-for-windows-to-go.md) - - - - - - - - - +--- +title: Windows To Go feature overview (Windows 10) +description: Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs. +ms.assetid: 9df82b03-acba-442c-801d-56db241f8d42 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: workspace, mobile, installation, image, USB, device, image, edu +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: mobility, edu +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Windows To Go: feature overview + + +**Applies to** + +- Windows 10 + +>[!IMPORTANT] +>Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. + +Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs. + +PCs that meet the Windows 7 or later [certification requirements](https://go.microsoft.com/fwlink/p/?LinkId=618711) can run Windows 10 in a Windows To Go workspace, regardless of the operating system running on the PC. Windows To Go workspaces can use the same image enterprises use for their desktops and laptops and can be managed the same way. Windows To Go is not intended to replace desktops, laptops or supplant other mobility offerings. Rather, it provides support for efficient use of resources for alternative workplace scenarios. There are some additional considerations that you should keep in mind before you start to use Windows To Go: + +- [Differences between Windows To Go and a typical installation of Windows](#bkmk-wtgdif) +- [Roaming with Windows To Go](#bkmk-wtgroam) +- [Prepare for Windows To Go](#wtg-prep-intro) +- [Hardware considerations for Windows To Go](#wtg-hardware) + +**Note**   +Windows To Go is not supported on Windows RT. + + + +## Differences between Windows To Go and a typical installation of Windows + + +Windows To Go workspace operates just like any other installation of Windows with a few exceptions. These exceptions are: + +- **Internal disks are offline.** To ensure data isn’t accidentally disclosed, internal hard disks on the host computer are offline by default when booted into a Windows To Go workspace. Similarly if a Windows To Go drive is inserted into a running system, the Windows To Go drive will not be listed in Windows Explorer. + +- **Trusted Platform Module (TPM) is not used.** When using BitLocker Drive Encryption a pre-operating system boot password will be used for security rather than the TPM since the TPM is tied to a specific computer and Windows To Go drives will move between computers. + +- **Hibernate is disabled by default.** To ensure that the Windows To Go workspace is able to move between computers easily, hibernation is disabled by default. Hibernation can be re-enabled by using Group Policy settings. + +- **Windows Recovery Environment is not available.** In the rare case that you need to recover your Windows To Go drive, you should re-image it with a fresh image of Windows. + +- **Refreshing or resetting a Windows To Go workspace is not supported.** Resetting to the manufacturer’s standard for the computer doesn’t apply when running a Windows To Go workspace, so the feature was disabled. + +- **Upgrading a Windows To Go workspace is not supported.** Older Windows 8 or Windows 8.1 Windows To Go workspaces cannot be upgraded to Windows 10 workspaces, nor can Windows 10 Windows To Go workspaces be upgraded to future versions of Windows 10. For new versions, the workspace needs to be re-imaged with a fresh image of Windows. + +## Roaming with Windows To Go + + +Windows To Go drives can be booted on multiple computers. When a Windows To Go workspace is first booted on a host computer it will detect all hardware on the computer and install any needed drivers. When the Windows To Go workspace is subsequently booted on that host computer it will be able to identify the host computer and load the correct set of drivers automatically. + +The applications that you want to use from the Windows To Go workspace should be tested to make sure they also support roaming. Some applications bind to the computer hardware which will cause difficulties if the workspace is being used with multiple host computers. + +## Prepare for Windows To Go + + +Enterprises install Windows on a large group of computers either by using configuration management software (such as System Center Configuration Manager), or by using standard Windows deployment tools such as DiskPart and the Deployment Image Servicing and Management (DISM) tool. + +These same tools can be used to provision Windows To Go drive, just as you would if you were planning for provisioning a new class of mobile PCs. You can use the [Windows Assessment and Deployment Kit](https://go.microsoft.com/fwlink/p/?LinkId=526803) to review deployment tools available. + +**Important**   +Make sure you use the versions of the deployment tools provided for the version of Windows you are deploying. There have been many enhancements made to support Windows To Go. Using versions of the deployment tools released for earlier versions of Windows to provision a Windows To Go drive is not supported. + + + +As you decide what to include in your Windows To Go image, be sure to consider the following questions: + +Are there any drivers that you need to inject into the image? + +How will data be stored and synchronized to appropriate locations from the USB device? + +Are there any applications that are incompatible with Windows To Go roaming that should not be included in the image? + +What should be the architecture of the image - 32bit/64bit? + +What remote connectivity solution should be supported in the image if Windows To Go is used outside the corporate network? + +For more information about designing and planning your Windows To Go deployment, see [Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md). + +## Hardware considerations for Windows To Go + + +**For USB drives** + +The devices listed in this section have been specially optimized and certified for Windows To Go and meet the necessary requirements for booting and running a full version of Windows 10 from a USB drive. The optimizations for Windows To Go include the following: + +- Windows To Go certified USB drives are built for high random read/write speeds and support the thousands of random access I/O operations per second required for running normal Windows workloads smoothly. + +- Windows To Go certified USB drives have been tuned to ensure they boot and run on hardware certified for use with Windows 7 and later. + +- Windows To Go certified USB drives are built to last. Certified USB drives are backed with manufacturer warranties and should continue operating under normal usage. Refer to the manufacturer websites for warranty details. + +As of the date of publication, the following are the USB drives currently certified for use as Windows To Go drives: + +**Warning**   +Using a USB drive that has not been certified is not supported + + + +- IronKey Workspace W700 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w700.html](https://go.microsoft.com/fwlink/p/?LinkId=618714)) + +- IronKey Workspace W500 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w500.html](https://go.microsoft.com/fwlink/p/?LinkId=618717)) + +- IronKey Workspace W300 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w300.html](https://go.microsoft.com/fwlink/p/?LinkId=618718)) + +- Kingston DataTraveler Workspace for Windows To Go ([http://www.kingston.com/wtg/](https://go.microsoft.com/fwlink/p/?LinkId=618719)) + +- Spyrus Portable Workplace ([http://www.spyruswtg.com/](https://go.microsoft.com/fwlink/p/?LinkId=618720)) + + We recommend that you run the Spyrus Deployment Suite for Windows To Go to provision the Spyrus Portable Workplace. + +- Spyrus Secure Portable Workplace ([http://www.spyruswtg.com/](https://go.microsoft.com/fwlink/p/?LinkId=618720)) + + **Important**   + You must use the Spyrus Deployment Suite for Windows To Go to provision the Spyrus Secure Portable Workplace. For more information about the Spyrus Deployment Suite for Windows To Go please refer to [http://www.spyruswtg.com/](https://go.microsoft.com/fwlink/p/?LinkId=618720). + + + +- Spyrus Worksafe ([http://www.spyruswtg.com/](https://go.microsoft.com/fwlink/p/?LinkId=618720)) + + **Tip**   + This device contains an embedded smart card. + + + +- Super Talent Express RC4 for Windows To Go + + -and- + + Super Talent Express RC8 for Windows To Go + + ([http://www.supertalent.com/wtg/](https://go.microsoft.com/fwlink/p/?LinkId=618721)) + +- Western Digital My Passport Enterprise ([http://www.wd.com/wtg](https://go.microsoft.com/fwlink/p/?LinkId=618722)) + + We recommend that you run the WD Compass utility to prepare the Western Digital My Passport Enterprise drive for provisioning with Windows To Go.  For more information about the WD Compass utility please refer to [http://www.wd.com/wtg](https://go.microsoft.com/fwlink/p/?LinkId=618722) + +**For host computers** + +When assessing the use of a PC as a host for a Windows To Go workspace you should consider the following criteria: + +- Hardware that has been certified for use with Windows 7or later operating systems will work well with Windows To Go. + +- Running a Windows To Go workspace from a computer that is running Windows RT is not a supported scenario. + +- Running a Windows To Go workspace on a Mac computer is not a supported scenario. + +The following table details the characteristics that the host computer must have to be used with Windows To Go: + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          ItemRequirement

          Boot process

          Capable of USB boot

          Firmware

          USB boot enabled. (PCs certified for use with Windows 7 or later can be configured to boot directly from USB, check with the hardware manufacturer if you are unsure of the ability of your PC to boot from USB)

          Processor architecture

          Must support the image on the Windows To Go drive

          External USB Hubs

          Not supported; connect the Windows To Go drive directly to the host machine

          Processor

          1 Ghz or faster

          RAM

          2 GB or greater

          Graphics

          DirectX 9 graphics device with WDDM 1.2 or greater driver

          USB port

          USB 2.0 port or greater

          + + + +**Checking for architectural compatibility between the host PC and the Windows To Go drive** + +In addition to the USB boot support in the BIOS, the Windows 10 image on your Windows To Go drive must be compatible with the processor architecture and the firmware of the host PC as shown in the table below. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Host PC Firmware TypeHost PC Processor ArchitectureCompatible Windows To Go Image Architecture

          Legacy BIOS

          32-bit

          32-bit only

          Legacy BIOS

          64-bit

          32-bit and 64-bit

          UEFI BIOS

          32-bit

          32-bit only

          UEFI BIOS

          64-bit

          64-bit only

          + + + +## Additional resources + + +- [Windows 10 forums](https://go.microsoft.com/fwlink/p/?LinkId=618949) + +- [Windows To Go Step by Step Wiki](https://go.microsoft.com/fwlink/p/?LinkId=618950) + +- [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) + +## Related topics + + +- [Deploy Windows To Go in your organization](https://go.microsoft.com/fwlink/p/?LinkId=619975) + +- [Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md) + +- [Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md) + +- [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) + +- [Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md) + +- [Best practice recommendations for Windows To Go](best-practice-recommendations-for-windows-to-go.md) + + + + + + + + + diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md index d1cbcb8b7a..530c47ce6f 100644 --- a/windows/deployment/s-mode.md +++ b/windows/deployment/s-mode.md @@ -1,57 +1,57 @@ ---- -title: Windows 10 Pro in S mode -description: Overview of Windows 10 Pro/Enterprise in S mode. What is S mode for Enterprise customers? -keywords: Windows 10 S, S mode, Windows S mode, Windows 10 S mode, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Enterprise in S mode, Windows 10 Pro/Enterprise in S mode -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.prod: w10 -ms.sitesec: library -ms.pagetype: deploy -ms.date: 12/05/2018 -ms.reviewer: -manager: laurawi -ms.author: greg-lindsay -author: greg-lindsay -ms.topic: article ---- - -# Windows 10 in S mode - What is it? -S mode is an evolution of the S SKU introduced with Windows 10 April 2018 Update. It's a configuration that's available on all Windows Editions when enabled at the time of manufacturing. The edition of Windows can be upgrade at any time as shown below. However, the switch from S mode is a onetime switch and can only be undone by a wipe and reload of the OS. - -![Configuration and features of S mode](images/smodeconfig.png) - -## S mode key features -**Microsoft-verified security** - -With Windows 10 in S mode, you’ll find your favorite applications, such as Office, Evernote, and Spotify in the Microsoft Store where they’re Microsoft-verified for security. You can also feel secure when you’re online. Microsoft Edge, your default browser, gives you protection against phishing and socially engineered malware. - -**Performance that lasts** - -Start-ups are quick, and S mode is built to keep them that way. With Microsoft Edge as your browser, your online experience is fast and secure. Plus, you’ll enjoy a smooth, responsive experience, whether you’re streaming HD video, opening apps, or being productive on the go. - -**Choice and flexibility** - -Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don’t find exactly what you want, you can easily [switch out of S mode](https://docs.microsoft.com/windows/deployment/windows-10-pro-in-s-mode) to Windows 10 Home, Pro, or Enterprise editions at any time and search the web for more choices, as shown below. - -![Switching out of S mode flow chart](images/s-mode-flow-chart.png) - - -## Deployment - -Windows 10 in S mode is built for [modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management) which means using [Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot). Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic PC that can only be used to join the company domain; policies are then deployed automatically through mobile device management to customize the device to the user and the desired environment. Devices are shipped in S mode; you can either keep them in S mode or use Windows Autopilot to switch the device out of S mode during the first run process or later using mobile device management, if desired. - -## Keep line of business apps functioning with Desktop Bridge - -Worried about your line of business apps not working in S mode? [Desktop Bridge](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-root) enables you to convert your line of business apps to a packaged app with UWP manifest. After testing and validating you can distribute the app through the Microsoft Store, making it ideal for Windows 10 in S mode. - -## Repackage Win32 apps into the MSIX format - -The [MSIX Packaging Tool](https://docs.microsoft.com/windows/application-management/msix-app-packaging-tool), available from the Microsoft Store, enables you to repackage existing Win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your device and upload to the Microsoft Store. This is another way to get your apps ready to run on Windows 10 in S mode. - - -## Related links - -- [Consumer applications for S mode](https://www.microsoft.com/en-us/windows/s-mode) -- [S mode devices](https://www.microsoft.com/en-us/windows/view-all-devices) -- [Windows Defender Application Control deployment guide](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) -- [Windows Defender Advanced Threat Protection](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) +--- +title: Windows 10 Pro in S mode +description: Overview of Windows 10 Pro/Enterprise in S mode. What is S mode for Enterprise customers? +keywords: Windows 10 S, S mode, Windows S mode, Windows 10 S mode, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Enterprise in S mode, Windows 10 Pro/Enterprise in S mode +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.prod: w10 +ms.sitesec: library +ms.pagetype: deploy +ms.date: 12/05/2018 +ms.reviewer: +manager: laurawi +ms.audience: itpro author: greg-lindsay +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Windows 10 in S mode - What is it? +S mode is an evolution of the S SKU introduced with Windows 10 April 2018 Update. It's a configuration that's available on all Windows Editions when enabled at the time of manufacturing. The edition of Windows can be upgrade at any time as shown below. However, the switch from S mode is a onetime switch and can only be undone by a wipe and reload of the OS. + +![Configuration and features of S mode](images/smodeconfig.png) + +## S mode key features +**Microsoft-verified security** + +With Windows 10 in S mode, you’ll find your favorite applications, such as Office, Evernote, and Spotify in the Microsoft Store where they’re Microsoft-verified for security. You can also feel secure when you’re online. Microsoft Edge, your default browser, gives you protection against phishing and socially engineered malware. + +**Performance that lasts** + +Start-ups are quick, and S mode is built to keep them that way. With Microsoft Edge as your browser, your online experience is fast and secure. Plus, you’ll enjoy a smooth, responsive experience, whether you’re streaming HD video, opening apps, or being productive on the go. + +**Choice and flexibility** + +Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don’t find exactly what you want, you can easily [switch out of S mode](https://docs.microsoft.com/windows/deployment/windows-10-pro-in-s-mode) to Windows 10 Home, Pro, or Enterprise editions at any time and search the web for more choices, as shown below. + +![Switching out of S mode flow chart](images/s-mode-flow-chart.png) + + +## Deployment + +Windows 10 in S mode is built for [modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management) which means using [Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot). Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic PC that can only be used to join the company domain; policies are then deployed automatically through mobile device management to customize the device to the user and the desired environment. Devices are shipped in S mode; you can either keep them in S mode or use Windows Autopilot to switch the device out of S mode during the first run process or later using mobile device management, if desired. + +## Keep line of business apps functioning with Desktop Bridge + +Worried about your line of business apps not working in S mode? [Desktop Bridge](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-root) enables you to convert your line of business apps to a packaged app with UWP manifest. After testing and validating you can distribute the app through the Microsoft Store, making it ideal for Windows 10 in S mode. + +## Repackage Win32 apps into the MSIX format + +The [MSIX Packaging Tool](https://docs.microsoft.com/windows/application-management/msix-app-packaging-tool), available from the Microsoft Store, enables you to repackage existing Win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your device and upload to the Microsoft Store. This is another way to get your apps ready to run on Windows 10 in S mode. + + +## Related links + +- [Consumer applications for S mode](https://www.microsoft.com/en-us/windows/s-mode) +- [S mode devices](https://www.microsoft.com/en-us/windows/view-all-devices) +- [Windows Defender Application Control deployment guide](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) +- [Windows Defender Advanced Threat Protection](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) diff --git a/windows/deployment/update/PSFxWhitepaper.md b/windows/deployment/update/PSFxWhitepaper.md index a4ce531e9b..dc4e379e29 100644 --- a/windows/deployment/update/PSFxWhitepaper.md +++ b/windows/deployment/update/PSFxWhitepaper.md @@ -1,206 +1,206 @@ ---- -title: Windows Updates using forward and reverse differentials -description: A technique to produce compact software updates optimized for any origin and destination revision pair -keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.date: 10/18/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Windows Updates using forward and reverse differentials - - -Windows 10 monthly quality updates are cumulative, containing all previously -released fixes to ensure consistency and simplicity. For an operating system -platform like Windows 10, which stays in support for multiple years, the size of -monthly quality updates can quickly grow large, thus directly impacting network -bandwidth consumption. - -Today, this problem is addressed by using express downloads, where differential -downloads for every changed file in the update are generated based on selected -historical revisions plus the base version. In this paper, we introduce a new -technique to build compact software update packages that are applicable to any -revision of the base version, and then describe how Windows 10 quality updates -uses this technique. - -## General Terms - -The following general terms apply throughout this document: - -- *Base version*: A major software release with significant changes, such as - Windows 10, version 1809 (Windows 10 Build 17763.1) - -- *Revision*: Minor releases in between the major version releases, such as - KB4464330 (Windows 10 Build 17763.55) - -- *Baseless Patch Storage Files (Baseless PSF)*: Patch storage files that - contain full binaries or files - -## Introduction - -In this paper, we introduce a new technique that can produce compact software -updates optimized for any origin/destination revision pair. It does this by -calculating forward the differential of a changed file from the base version and -its reverse differential back to the base version. Both forward and reverse -differentials are then packaged as an update and distributed to the endpoints -running the software to be updated. The update package contents can be symbolized as follows: - -![Symbolic representation of update package contents. a box containing two expressions: delta sub zero transform to sub N, followed delta sub N transform to sub zero](images/PSF1.png) - -The endpoints that have the base version of the file (V0) hydrate the target -revision (VN) by applying a simple transformation: - -![Equation: V sub zero + delta sub zero transform to sub N = V sub n](images/PSF2.png) - -The endpoints that have revision N of the file (VN), hydrate the target revision -(VR) by applying the following set of transformations: - -![Equation 1: V sub n + delta sub n transform to 0 = V sun 0; Equation 2: V sub zero + delta sub 0 transform to R = V sub R](images/PSF3.png) - -The endpoints retain the reverse differentials for the software revision they -are on, so that it can be used for hydrating and applying next revision update. - -By using a common baseline, this technique produces a single update package with -numerous advantages: - -- Compact in size - -- Applicable to all baselines - -- Simple to build - -- Efficient to install - -- Redistributable - -Historically, download sizes of Windows 10 quality updates (Windows 10, version -1803 and older supported versions of Windows 10) are optimized by using express -download. Express download is optimized such that updating Windows 10 systems -will download the minimum number of bytes. This is achieved by generating -differentials for every updated file based on selected historical base revisions -of the same file + its base or RTM version. - -For example, if the October monthly quality update has updated Notepad.exe, -differentials for Notepad.exe file changes from September to October, August to -October, July to October, June to October, and from the original feature release -to October are generated. All these differentials are stored in a Patch Storage -File (PSF, also referred to as “express download files”) and hosted or cached on -Windows Update or other update management or distribution servers (for example, -Windows Server Update Services (WSUS), System Center Configuration Manager, or a -non-Microsoft update management or distribution server that supports express -updates). A device leveraging express updates uses network protocol to determine -optimal differentials, then downloads only what is needed from the update -distribution endpoints. - -The flipside of express download is that the size of PSF files can be very large -depending on the number of historical baselines against which differentials were -calculated. Downloading and caching large PSF files to on-premises or remote -update distribution servers is problematic for most organizations, hence they -are unable to leverage express updates to keep their fleet of devices running -Windows 10 up to date. Secondly, due to the complexity of generating -differentials and size of the express files that need to be cached on update -distribution servers, it is only feasible to generate express download files for -the most common baselines, thus express updates are only applicable to selected -baselines. Finally, calculation of optimal differentials is expensive in terms -of system memory utilization, especially for low-cost systems, impacting their -ability to download and apply an update seamlessly. - -In the following sections, we describe how Windows 10 quality updates will -leverage this technique based on forward and reverse differentials for newer -releases of Windows 10 and Windows Server to overcome the challenges with -express downloads. - -## High-level Design - -### Update packaging - -Windows 10 quality update packages will contain forward differentials from -quality update RTM baselines (∆RTM→N) and reverse differentials back to RTM -(∆N→RTM) for each file that has changed since RTM. By using the RTM version as -the baseline, we ensure that all devices will have an identical payload. Update -package metadata, content manifests, and forward and reverse differentials will -be packaged into a cabinet file (.cab). This .cab file, and the applicability -logic, will also be wrapped in Microsoft Standalone Update (.msu) format. - -There can be cases where new files are added to the system during servicing. -These files will not have RTM baselines, thus forward and reverse differentials -cannot be used. In these scenarios, null differentials will be used to handle -servicing. Null differentials are the slightly compressed and optimized version -of the full binaries. Update packages can have either -forward or reverse differentials, or null differential of any given binary in -them. The following image symbolizes the content of a Windows 10 quality update installer: - -![Outer box labeled .msu containing two sub-boxes: 1) Applicability Logic, 2) box labeled .cab containg four sub-boxes: 1) update metadata, 2) content manifests, 3) delta sub RTM transform to sub N (file 1, file2, etc.), and 4) delta sub N transform to RTM (file 1, file 2, etc.)](images/PSF4.png) - -### Hydration and installation - -Once the usual applicability checks are performed on the update package and are -determined to be applicable, the Windows component servicing infrastructure will -hydrate the full files during pre-installation and then proceed with the usual -installation process. - -Below is a high-level sequence of activities that the component servicing -infrastructure will run in a transaction to complete installation of the update: - -- Identify all files that are required to install the update. - -- Hydrate each of necessary files using current version (VN) of the file, - reverse differential (VN--->RTM) of the file back to quality update RTM/base - version and forward differential (VRTM--->R) from feature update RTM/base - version to the target version. Also, use null differential hydration to - hydrate null compressed files. - -- Stage the hydrated files (full file), forward differentials (under ‘f’ - folder) and reverse differentials (under ‘r’ folder) or null compressed - files (under ‘n’ folder) in the component store (%windir%\\WinSxS folder). - -- Resolve any dependencies and install components. - -- Clean up older state (VN-1); the previous state VN is retained for - uninstallation and restoration or repair. - -### **Resilient Hydration** - -To ensure resiliency against component store corruption or missing files that -could occur due to susceptibility of certain types of hardware to file system -corruption, a corruption repair service has been traditionally used to recover -the component store automatically (“automatic corruption repair”) or on demand -(“manual corruption repair”) using an online or local repair source. This -service will continue to offer the ability to repair and recover content for -hydration and successfully install an update, if needed. - -When corruption is detected during update operations, automatic corruption -repair will start as usual and use the Baseless Patch Storage File published to -Windows Update for each update to fix corrupted manifests, binary differentials, -or hydrated or full files. Baseless patch storage files will contain reverse and -forward differentials and full files for each updated component. Integrity of -the repair files will be hash verified. - -Corruption repair will use the component manifest to detect missing files and -get hashes for corruption detection. During update installation, new registry -flags for each differential staged on the machine will be set. When automatic -corruption repair runs, it will scan hydrated files using the manifest and -differential files using the flags. If the differential cannot be found or -verified, it will be added to the list of corruptions to repair. - -### Lazy automatic corruption repair - -“Lazy automatic corruption repair” runs during update operations to detect -corrupted binaries and differentials. While applying an update, if hydration of -any file fails, "lazy" automatic corruption repair automatically starts, -identifies the corrupted binary or differential file, and then adds it to the -corruption list. Later, the update operation continues as far as it can go, so -that "lazy" automatic corruption repair can collect as many corrupted files to fix -as possible. At the end of the hydration section, the update fails, and -automatic corruption repair starts. Automatic corruption repair runs as usual -and at the end of its operation, adds the corruption list generated by "lazy" -automatic corruption repair on top of the new list to repair. Automatic -corruption repair then repairs the files on the corruption list and installation -of the update will succeed on the next attempt. +--- +title: Windows Updates using forward and reverse differentials +description: A technique to produce compact software updates optimized for any origin and destination revision pair +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.author: greglin +ms.date: 10/18/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Windows Updates using forward and reverse differentials + + +Windows 10 monthly quality updates are cumulative, containing all previously +released fixes to ensure consistency and simplicity. For an operating system +platform like Windows 10, which stays in support for multiple years, the size of +monthly quality updates can quickly grow large, thus directly impacting network +bandwidth consumption. + +Today, this problem is addressed by using express downloads, where differential +downloads for every changed file in the update are generated based on selected +historical revisions plus the base version. In this paper, we introduce a new +technique to build compact software update packages that are applicable to any +revision of the base version, and then describe how Windows 10 quality updates +uses this technique. + +## General Terms + +The following general terms apply throughout this document: + +- *Base version*: A major software release with significant changes, such as + Windows 10, version 1809 (Windows 10 Build 17763.1) + +- *Revision*: Minor releases in between the major version releases, such as + KB4464330 (Windows 10 Build 17763.55) + +- *Baseless Patch Storage Files (Baseless PSF)*: Patch storage files that + contain full binaries or files + +## Introduction + +In this paper, we introduce a new technique that can produce compact software +updates optimized for any origin/destination revision pair. It does this by +calculating forward the differential of a changed file from the base version and +its reverse differential back to the base version. Both forward and reverse +differentials are then packaged as an update and distributed to the endpoints +running the software to be updated. The update package contents can be symbolized as follows: + +![Symbolic representation of update package contents. a box containing two expressions: delta sub zero transform to sub N, followed delta sub N transform to sub zero](images/PSF1.png) + +The endpoints that have the base version of the file (V0) hydrate the target +revision (VN) by applying a simple transformation: + +![Equation: V sub zero + delta sub zero transform to sub N = V sub n](images/PSF2.png) + +The endpoints that have revision N of the file (VN), hydrate the target revision +(VR) by applying the following set of transformations: + +![Equation 1: V sub n + delta sub n transform to 0 = V sun 0; Equation 2: V sub zero + delta sub 0 transform to R = V sub R](images/PSF3.png) + +The endpoints retain the reverse differentials for the software revision they +are on, so that it can be used for hydrating and applying next revision update. + +By using a common baseline, this technique produces a single update package with +numerous advantages: + +- Compact in size + +- Applicable to all baselines + +- Simple to build + +- Efficient to install + +- Redistributable + +Historically, download sizes of Windows 10 quality updates (Windows 10, version +1803 and older supported versions of Windows 10) are optimized by using express +download. Express download is optimized such that updating Windows 10 systems +will download the minimum number of bytes. This is achieved by generating +differentials for every updated file based on selected historical base revisions +of the same file + its base or RTM version. + +For example, if the October monthly quality update has updated Notepad.exe, +differentials for Notepad.exe file changes from September to October, August to +October, July to October, June to October, and from the original feature release +to October are generated. All these differentials are stored in a Patch Storage +File (PSF, also referred to as “express download files”) and hosted or cached on +Windows Update or other update management or distribution servers (for example, +Windows Server Update Services (WSUS), System Center Configuration Manager, or a +non-Microsoft update management or distribution server that supports express +updates). A device leveraging express updates uses network protocol to determine +optimal differentials, then downloads only what is needed from the update +distribution endpoints. + +The flipside of express download is that the size of PSF files can be very large +depending on the number of historical baselines against which differentials were +calculated. Downloading and caching large PSF files to on-premises or remote +update distribution servers is problematic for most organizations, hence they +are unable to leverage express updates to keep their fleet of devices running +Windows 10 up to date. Secondly, due to the complexity of generating +differentials and size of the express files that need to be cached on update +distribution servers, it is only feasible to generate express download files for +the most common baselines, thus express updates are only applicable to selected +baselines. Finally, calculation of optimal differentials is expensive in terms +of system memory utilization, especially for low-cost systems, impacting their +ability to download and apply an update seamlessly. + +In the following sections, we describe how Windows 10 quality updates will +leverage this technique based on forward and reverse differentials for newer +releases of Windows 10 and Windows Server to overcome the challenges with +express downloads. + +## High-level Design + +### Update packaging + +Windows 10 quality update packages will contain forward differentials from +quality update RTM baselines (∆RTM→N) and reverse differentials back to RTM +(∆N→RTM) for each file that has changed since RTM. By using the RTM version as +the baseline, we ensure that all devices will have an identical payload. Update +package metadata, content manifests, and forward and reverse differentials will +be packaged into a cabinet file (.cab). This .cab file, and the applicability +logic, will also be wrapped in Microsoft Standalone Update (.msu) format. + +There can be cases where new files are added to the system during servicing. +These files will not have RTM baselines, thus forward and reverse differentials +cannot be used. In these scenarios, null differentials will be used to handle +servicing. Null differentials are the slightly compressed and optimized version +of the full binaries. Update packages can have either +forward or reverse differentials, or null differential of any given binary in +them. The following image symbolizes the content of a Windows 10 quality update installer: + +![Outer box labeled .msu containing two sub-boxes: 1) Applicability Logic, 2) box labeled .cab containg four sub-boxes: 1) update metadata, 2) content manifests, 3) delta sub RTM transform to sub N (file 1, file2, etc.), and 4) delta sub N transform to RTM (file 1, file 2, etc.)](images/PSF4.png) + +### Hydration and installation + +Once the usual applicability checks are performed on the update package and are +determined to be applicable, the Windows component servicing infrastructure will +hydrate the full files during pre-installation and then proceed with the usual +installation process. + +Below is a high-level sequence of activities that the component servicing +infrastructure will run in a transaction to complete installation of the update: + +- Identify all files that are required to install the update. + +- Hydrate each of necessary files using current version (VN) of the file, + reverse differential (VN--->RTM) of the file back to quality update RTM/base + version and forward differential (VRTM--->R) from feature update RTM/base + version to the target version. Also, use null differential hydration to + hydrate null compressed files. + +- Stage the hydrated files (full file), forward differentials (under ‘f’ + folder) and reverse differentials (under ‘r’ folder) or null compressed + files (under ‘n’ folder) in the component store (%windir%\\WinSxS folder). + +- Resolve any dependencies and install components. + +- Clean up older state (VN-1); the previous state VN is retained for + uninstallation and restoration or repair. + +### **Resilient Hydration** + +To ensure resiliency against component store corruption or missing files that +could occur due to susceptibility of certain types of hardware to file system +corruption, a corruption repair service has been traditionally used to recover +the component store automatically (“automatic corruption repair”) or on demand +(“manual corruption repair”) using an online or local repair source. This +service will continue to offer the ability to repair and recover content for +hydration and successfully install an update, if needed. + +When corruption is detected during update operations, automatic corruption +repair will start as usual and use the Baseless Patch Storage File published to +Windows Update for each update to fix corrupted manifests, binary differentials, +or hydrated or full files. Baseless patch storage files will contain reverse and +forward differentials and full files for each updated component. Integrity of +the repair files will be hash verified. + +Corruption repair will use the component manifest to detect missing files and +get hashes for corruption detection. During update installation, new registry +flags for each differential staged on the machine will be set. When automatic +corruption repair runs, it will scan hydrated files using the manifest and +differential files using the flags. If the differential cannot be found or +verified, it will be added to the list of corruptions to repair. + +### Lazy automatic corruption repair + +“Lazy automatic corruption repair” runs during update operations to detect +corrupted binaries and differentials. While applying an update, if hydration of +any file fails, "lazy" automatic corruption repair automatically starts, +identifies the corrupted binary or differential file, and then adds it to the +corruption list. Later, the update operation continues as far as it can go, so +that "lazy" automatic corruption repair can collect as many corrupted files to fix +as possible. At the end of the hydration section, the update fails, and +automatic corruption repair starts. Automatic corruption repair runs as usual +and at the end of its operation, adds the corruption list generated by "lazy" +automatic corruption repair on top of the new list to repair. Automatic +corruption repair then repairs the files on the corruption list and installation +of the update will succeed on the next attempt. diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md index 101adcbb48..20ecac8ae7 100644 --- a/windows/deployment/update/WIP4Biz-intro.md +++ b/windows/deployment/update/WIP4Biz-intro.md @@ -1,74 +1,74 @@ ---- -title: Introduction to the Windows Insider Program for Business -description: Introduction to the Windows Insider Program for Business and why IT Pros should join it -keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, WiP4Biz, enterprise, rings, flight -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greg-lindsay -ms.date: 03/01/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Introduction to the Windows Insider Program for Business - - -**Applies to** - -- Windows 10 - -> **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -For many IT Pros, it's valuable to have visibility into feature updates early--before they’re available in the Semi-Annual Channel. With Windows 10, feature flighting enables participants in the Windows Insider Preview program can consume and deploy preproduction code to test devices, gaining early visibility into the next build. This is better for your organization because you can test the early builds of Windows 10 to discover possible issues with the code or with device and app compatibility in your organization before the update is ever publicly available. We at Microsoft also appreciate it because Insiders can report issues back to us in time for us to make improvements in a release before it is more generally available. - -The Windows Insider Program for Business gives you the opportunity to: - -* Get early access to Windows Insider Preview Builds. -* Provide feedback to Microsoft in real time by using the Feedback Hub app. -* Sign in with corporate credentials (Azure Active Directory) and increase the visibility of your organization's feedback with Microsoft – especially on features that support your productivity and business needs. -* Register your Azure Active Directory domain in the program, allowing you to cover all users within your organization with just one registration. -* Starting with Windows 10, version 1709, enable, disable, defer, and pause the installation of preview builds through policies. -* Track feedback provided through the Feedback Hub App across your organization. - -Microsoft recommends that all organizations have at least a few devices enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans, and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub App. - -The Windows Insider Program doesn't replace Semi-Annual Channel deployments in an organization. Rather, it provides IT Pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft. - - -[![Illustration showing the Windows Insider PreviewFast Ring for exploration, the Slow Ring for validation, the Semi-Annual Channel Targeted ring for Pilot deployment, and the Semi-Annual Channel for broad deployment](images/WIP4Biz_deployment.png)](images/WIP4Biz_deployment.png)
          -Windows 10 Insider Preview builds enable organizations to prepare sooner for Windows Semi-Annual releases and reduce the overall validation effort required with traditional deployments. - - -## Explore new Windows 10 features in Insider Previews -Windows 10 Insider Preview builds offer organizations a valuable and exciting opportunity to evaluate new Windows features well before general release. What’s more, by providing feedback to Microsoft on these features, you and other Insiders in your organization can help shape Windows for your specific business needs. Here’s how to get the most out of your feature exploration: - -|Objective |Feature exploration| -|---------|---------| -|Release channel |**Fast Ring:** Insider Preview builds in the Fast Ring are released approximately once a week and contain the very latest features. This makes them ideal for feature exploration.| -|Users | Because Fast Ring builds are released so early in the development cycle, we recommend limiting feature exploration in your organization to IT administrators and developers running Insider Preview builds on secondary devices. | -|Tasks | - Install and manage Insider Preview builds on devices (per device or centrally across multiple devices)
          - Explore new features in Windows designed for organizations, including new features related to current and planned line of business applications
          - Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) for a summary of current features. | -|Feedback | - Provide feedback via [Feedback Hub app](insiderhub://home/). This helps us make adjustments to features as quickly as possible.
          - Encourage users to sign into the Feedback Hub using their AAD work accounts. This enables both you and Microsoft to track feedback submitted by users within your specific organization. (Note: This tracking is only visible to Microsoft and registered Insiders within your organization’s domain.)
          - [Learn how to provide effective feedback in the Feedback Hub](https://insider.windows.com/en-us/how-to-feedback/) | - -## Validate Insider Preview builds -Along with exploring new features, you also have the option to validate your apps and infrastructure on Insider Preview builds. This activity can play an important role in your [Windows 10 deployment strategy](https://docs.microsoft.com/windows/deployment/update/waas-windows-insider-for-business). Early validation has several benefits: - -- Get a head start on your Windows validation process -- Identify issues sooner to accelerate your Windows deployment -- Engage Microsoft earlier for help with potential compatibility issues -- Deploy Windows 10 Semi-Annual releases faster and more confidently -- Maximize the 18-month support Window that comes with each Semi-Annual release. - - - -|Objective |Feature exploration| -|---------|---------| -|Release channel |**Slow Ring:** Insider Preview builds in the Slow Ring are released approximately once a month. They are more stable than Fast Ring releases, making them better suited for validation purposes. Slow Ring releases can be run on either secondary or primary production devices by skilled users.| -|Users | Application and infrastructure validation: In addition to Insiders who might have participated in feature exploration, we also recommend including a small group of application users from each business department to ensure a representative sample.| -|Tasks | Application and infrastructure validation: Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) and [Windows Insider Tech Community](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/bd-p/WindowsInsiderProgram) pages for updates on current issues and fixes. | -|Feedback | Application and infrastructure validation:Provide feedback in the Feedback Hub app and also inform app vendors of any significant issues. | -|Guidance | Application and infrastructure validation:
          - [Use Upgrade Readiness to create an app inventory and identify mission-critical apps](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-identify-apps)
          - [Use Device Health to identify problem devices and device drivers](https://docs.microsoft.com/windows/deployment/update/device-health-monitor)
          - [Windows 10 application compatibility](https://technet.microsoft.com/windows/mt703793)| - +--- +title: Introduction to the Windows Insider Program for Business +description: Introduction to the Windows Insider Program for Business and why IT Pros should join it +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, WiP4Biz, enterprise, rings, flight +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.date: 03/01/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Introduction to the Windows Insider Program for Business + + +**Applies to** + +- Windows 10 + +> **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + +For many IT Pros, it's valuable to have visibility into feature updates early--before they’re available in the Semi-Annual Channel. With Windows 10, feature flighting enables participants in the Windows Insider Preview program can consume and deploy preproduction code to test devices, gaining early visibility into the next build. This is better for your organization because you can test the early builds of Windows 10 to discover possible issues with the code or with device and app compatibility in your organization before the update is ever publicly available. We at Microsoft also appreciate it because Insiders can report issues back to us in time for us to make improvements in a release before it is more generally available. + +The Windows Insider Program for Business gives you the opportunity to: + +* Get early access to Windows Insider Preview Builds. +* Provide feedback to Microsoft in real time by using the Feedback Hub app. +* Sign in with corporate credentials (Azure Active Directory) and increase the visibility of your organization's feedback with Microsoft – especially on features that support your productivity and business needs. +* Register your Azure Active Directory domain in the program, allowing you to cover all users within your organization with just one registration. +* Starting with Windows 10, version 1709, enable, disable, defer, and pause the installation of preview builds through policies. +* Track feedback provided through the Feedback Hub App across your organization. + +Microsoft recommends that all organizations have at least a few devices enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans, and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub App. + +The Windows Insider Program doesn't replace Semi-Annual Channel deployments in an organization. Rather, it provides IT Pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft. + + +[![Illustration showing the Windows Insider PreviewFast Ring for exploration, the Slow Ring for validation, the Semi-Annual Channel Targeted ring for Pilot deployment, and the Semi-Annual Channel for broad deployment](images/WIP4Biz_deployment.png)](images/WIP4Biz_deployment.png)
          +Windows 10 Insider Preview builds enable organizations to prepare sooner for Windows Semi-Annual releases and reduce the overall validation effort required with traditional deployments. + + +## Explore new Windows 10 features in Insider Previews +Windows 10 Insider Preview builds offer organizations a valuable and exciting opportunity to evaluate new Windows features well before general release. What’s more, by providing feedback to Microsoft on these features, you and other Insiders in your organization can help shape Windows for your specific business needs. Here’s how to get the most out of your feature exploration: + +|Objective |Feature exploration| +|---------|---------| +|Release channel |**Fast Ring:** Insider Preview builds in the Fast Ring are released approximately once a week and contain the very latest features. This makes them ideal for feature exploration.| +|Users | Because Fast Ring builds are released so early in the development cycle, we recommend limiting feature exploration in your organization to IT administrators and developers running Insider Preview builds on secondary devices. | +|Tasks | - Install and manage Insider Preview builds on devices (per device or centrally across multiple devices)
          - Explore new features in Windows designed for organizations, including new features related to current and planned line of business applications
          - Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) for a summary of current features. | +|Feedback | - Provide feedback via [Feedback Hub app](insiderhub://home/). This helps us make adjustments to features as quickly as possible.
          - Encourage users to sign into the Feedback Hub using their AAD work accounts. This enables both you and Microsoft to track feedback submitted by users within your specific organization. (Note: This tracking is only visible to Microsoft and registered Insiders within your organization’s domain.)
          - [Learn how to provide effective feedback in the Feedback Hub](https://insider.windows.com/en-us/how-to-feedback/) | + +## Validate Insider Preview builds +Along with exploring new features, you also have the option to validate your apps and infrastructure on Insider Preview builds. This activity can play an important role in your [Windows 10 deployment strategy](https://docs.microsoft.com/windows/deployment/update/waas-windows-insider-for-business). Early validation has several benefits: + +- Get a head start on your Windows validation process +- Identify issues sooner to accelerate your Windows deployment +- Engage Microsoft earlier for help with potential compatibility issues +- Deploy Windows 10 Semi-Annual releases faster and more confidently +- Maximize the 18-month support Window that comes with each Semi-Annual release. + + + +|Objective |Feature exploration| +|---------|---------| +|Release channel |**Slow Ring:** Insider Preview builds in the Slow Ring are released approximately once a month. They are more stable than Fast Ring releases, making them better suited for validation purposes. Slow Ring releases can be run on either secondary or primary production devices by skilled users.| +|Users | Application and infrastructure validation: In addition to Insiders who might have participated in feature exploration, we also recommend including a small group of application users from each business department to ensure a representative sample.| +|Tasks | Application and infrastructure validation: Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) and [Windows Insider Tech Community](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/bd-p/WindowsInsiderProgram) pages for updates on current issues and fixes. | +|Feedback | Application and infrastructure validation:Provide feedback in the Feedback Hub app and also inform app vendors of any significant issues. | +|Guidance | Application and infrastructure validation:
          - [Use Upgrade Readiness to create an app inventory and identify mission-critical apps](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-identify-apps)
          - [Use Device Health to identify problem devices and device drivers](https://docs.microsoft.com/windows/deployment/update/device-health-monitor)
          - [Windows 10 application compatibility](https://technet.microsoft.com/windows/mt703793)| + diff --git a/windows/deployment/update/change-history-for-update-windows-10.md b/windows/deployment/update/change-history-for-update-windows-10.md index e6962491e6..135d1670a5 100644 --- a/windows/deployment/update/change-history-for-update-windows-10.md +++ b/windows/deployment/update/change-history-for-update-windows-10.md @@ -1,52 +1,52 @@ ---- -title: Change history for Update Windows 10 (Windows 10) -description: This topic lists new and updated topics in the Update Windows 10 documentation for Windows 10 and Windows 10 Mobile. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.author: greglin -ms.date: 09/18/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Change history for Update Windows 10 - -This topic lists new and updated topics in the [Update Windows 10](index.md) documentation for [Deploy and Update Windows 10](https://docs.microsoft.com/windows/deployment). - ->If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history). - -## September 2018 - -| New or changed topic | Description | -| --- | --- | -| [Get started with Windows Update](windows-update-overview.md) | New | - - -## RELEASE: Windows 10, version 1709 - -The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update). - -## September 2017 - -| New or changed topic | Description | -| --- | --- | -| [Olympia Corp](olympia/olympia-enrollment-guidelines.md) | New | - -## July 2017 - -All topics were updated to reflect the new [naming changes](waas-overview.md#naming-changes). - -## May 2017 - -| New or changed topic | Description | -| --- | --- | -| [Manage additional Windows Update settings](waas-wu-settings.md) | New | - -## RELEASE: Windows 10, version 1703 - -The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following new topics have been added: -* [Windows Insider Program for Business](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-get-started) -* [Windows Insider Program for Business](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-register) +--- +title: Change history for Update Windows 10 (Windows 10) +description: This topic lists new and updated topics in the Update Windows 10 documentation for Windows 10 and Windows 10 Mobile. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.author: greglin +ms.date: 09/18/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Change history for Update Windows 10 + +This topic lists new and updated topics in the [Update Windows 10](index.md) documentation for [Deploy and Update Windows 10](https://docs.microsoft.com/windows/deployment). + +>If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history). + +## September 2018 + +| New or changed topic | Description | +| --- | --- | +| [Get started with Windows Update](windows-update-overview.md) | New | + + +## RELEASE: Windows 10, version 1709 + +The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update). + +## September 2017 + +| New or changed topic | Description | +| --- | --- | +| [Olympia Corp](olympia/olympia-enrollment-guidelines.md) | New | + +## July 2017 + +All topics were updated to reflect the new [naming changes](waas-overview.md#naming-changes). + +## May 2017 + +| New or changed topic | Description | +| --- | --- | +| [Manage additional Windows Update settings](waas-wu-settings.md) | New | + +## RELEASE: Windows 10, version 1703 + +The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following new topics have been added: +* [Windows Insider Program for Business](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-get-started) +* [Windows Insider Program for Business](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-register) diff --git a/windows/deployment/update/device-health-get-started.md b/windows/deployment/update/device-health-get-started.md index a81062fdc3..eb1b10ab08 100644 --- a/windows/deployment/update/device-health-get-started.md +++ b/windows/deployment/update/device-health-get-started.md @@ -1,78 +1,78 @@ ---- -title: Get started with Device Health -description: Configure Device Health in Azure Monitor to monitor health (such as crashes and sign-in failures) for your Windows 10 devices. -keywords: Device Health, oms, operations management suite, prerequisites, requirements, monitoring, crash, drivers, azure -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.date: 10/29/2018 -ms.reviewer: -manager: laurawi -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.localizationpriority: medium -ms.collection: M365-analytics -ms.topic: article ---- - -# Get started with Device Health - -This topic explains the steps necessary to configure your environment for Windows Analytics Device Health. - -- [Get started with Device Health](#get-started-with-device-health) - - [Add the Device Health solution to your Azure subscription](#add-the-device-health-solution-to-your-azure-subscription) - - [Enroll devices in Windows Analytics](#enroll-devices-in-windows-analytics) - - [Use Device Health to monitor device crashes, app crashes, sign-in failures, and more](#use-device-health-to-monitor-device-crashes-app-crashes-sign-in-failures-and-more) - - [Related topics](#related-topics) - - - -## Add the Device Health solution to your Azure subscription - -Device Health is offered as a *solution* which you link to a new or existing [Azure Monitor](https://azure.microsoft.com/services/monitor/) *workspace* within your Azure *subscription*. To configure this, follows these steps: - -1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal. - - >[!NOTE] - > Device Health is included at no additional cost with Windows 10 [education and enterprise licensing](https://docs.microsoft.com/windows/deployment/update/device-health-monitor#device-health-licensing). An Azure subscription is required for managing and using Device Health, but no Azure charges are expected to accrue to the subscription as a result of using Device Health. - -2. In the Azure portal select **Create a resource**, search for "Device Health", and then select **Create** on the **Device Health** solution. - ![Azure portal page highlighting + Create a resource and with Device Health selected](images/CreateSolution-Part1-Marketplace.png) - - ![Azure portal showing Device Health fly-in and Create button highlighted(images/CreateSolution-Part2-Create.png)](images/CreateSolution-Part2-Create.png) -3. Choose an existing workspace or create a new workspace to host the Device Health solution. - ![Azure portal showing Azure Monitor workspace fly-in](images/CreateSolution-Part3-Workspace.png) - - If you are using other Windows Analytics solutions (Upgrade Readiness or Update Compliance) you should add Device Health to the same workspace. - - If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started: - - Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*. - - For the resource group setting select **Create new** and use the same name you chose for your new workspace. - - For the location setting, choose the Azure region where you would prefer the data to be stored. - - For the pricing tier select **per GB**. -4. Now that you have selected a workspace, you can go back to the Device Health blade and select **Create**. - ![Azure portal showing workspace selected and with Create button highlighted](images/CreateSolution-Part4-WorkspaceSelected.png) -5. Watch for a Notification (in the Azure portal) that "Deployment 'Microsoft.DeviceHealth' to resource group 'YourResourceGroupName' was successful." and then select **Go to resource** This might take several minutes to appear. - ![Azure portal all services page with Azure Monitor found and selected as favorite](images/CreateSolution-Part5-GoToResource.png) - - Suggestion: Choose the **Pin to Dashboard** option to make it easy to navigate to your newly added Device Health solution. - - Suggestion: If a "resource unavailable" error occurs when navigating to the solution, try again after one hour. - -## Enroll devices in Windows Analytics - -Once you've added Device Health to a workspace in your Azure subscription, you can start enrolling the devices in your organization. For Device Health there are two key steps for enrollment: -1. Deploy your CommercialID (from Device Health Settings page) to your Windows 10 devices (typically using Group Policy or similar) -2. Ensure the Windows Diagnostic Data setting on devices is set to Enhanced or Full (typically using Group Policy or similar). Note that the [Limit Enhanced](https://docs.microsoft.com/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields) policy can substantially reduce the amount of diagnostic data shared with Microsoft while still allowing Device Health to function. -For full enrollment instructions and troubleshooting, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). - -After enrolling your devices (by deploying your CommercialID and Windows Diagnostic Data settings), it may take 48-72 hours for the first data to appear in the solution. Until then, the Device Health tile will show "Performing Assessment." - -## Use Device Health to monitor device crashes, app crashes, sign-in failures, and more - -Once your devices are enrolled and data is flowing, you can move on to [Using Device Health](device-health-using.md). - ->[!NOTE] ->You can remove the Device Health solution from your workspace if you no longer want to monitor your organization’s devices. Windows diagnostic data will continue to be shared with Microsoft as normal as per the diagnostic data sharing settings on the devices. - -## Related topics - -[Use Device Health to monitor frequency and causes of device crashes](device-health-using.md)
          -For the latest information on Windows Analytics, including new features and usage tips, see the [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics) +--- +title: Get started with Device Health +description: Configure Device Health in Azure Monitor to monitor health (such as crashes and sign-in failures) for your Windows 10 devices. +keywords: Device Health, oms, operations management suite, prerequisites, requirements, monitoring, crash, drivers, azure +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.date: 10/29/2018 +ms.reviewer: +manager: laurawi +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.localizationpriority: medium +ms.collection: M365-analytics +ms.topic: article +--- + +# Get started with Device Health + +This topic explains the steps necessary to configure your environment for Windows Analytics Device Health. + +- [Get started with Device Health](#get-started-with-device-health) + - [Add the Device Health solution to your Azure subscription](#add-the-device-health-solution-to-your-azure-subscription) + - [Enroll devices in Windows Analytics](#enroll-devices-in-windows-analytics) + - [Use Device Health to monitor device crashes, app crashes, sign-in failures, and more](#use-device-health-to-monitor-device-crashes-app-crashes-sign-in-failures-and-more) + - [Related topics](#related-topics) + + + +## Add the Device Health solution to your Azure subscription + +Device Health is offered as a *solution* which you link to a new or existing [Azure Monitor](https://azure.microsoft.com/services/monitor/) *workspace* within your Azure *subscription*. To configure this, follows these steps: + +1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal. + + >[!NOTE] + > Device Health is included at no additional cost with Windows 10 [education and enterprise licensing](https://docs.microsoft.com/windows/deployment/update/device-health-monitor#device-health-licensing). An Azure subscription is required for managing and using Device Health, but no Azure charges are expected to accrue to the subscription as a result of using Device Health. + +2. In the Azure portal select **Create a resource**, search for "Device Health", and then select **Create** on the **Device Health** solution. + ![Azure portal page highlighting + Create a resource and with Device Health selected](images/CreateSolution-Part1-Marketplace.png) + + ![Azure portal showing Device Health fly-in and Create button highlighted(images/CreateSolution-Part2-Create.png)](images/CreateSolution-Part2-Create.png) +3. Choose an existing workspace or create a new workspace to host the Device Health solution. + ![Azure portal showing Azure Monitor workspace fly-in](images/CreateSolution-Part3-Workspace.png) + - If you are using other Windows Analytics solutions (Upgrade Readiness or Update Compliance) you should add Device Health to the same workspace. + - If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started: + - Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*. + - For the resource group setting select **Create new** and use the same name you chose for your new workspace. + - For the location setting, choose the Azure region where you would prefer the data to be stored. + - For the pricing tier select **per GB**. +4. Now that you have selected a workspace, you can go back to the Device Health blade and select **Create**. + ![Azure portal showing workspace selected and with Create button highlighted](images/CreateSolution-Part4-WorkspaceSelected.png) +5. Watch for a Notification (in the Azure portal) that "Deployment 'Microsoft.DeviceHealth' to resource group 'YourResourceGroupName' was successful." and then select **Go to resource** This might take several minutes to appear. + ![Azure portal all services page with Azure Monitor found and selected as favorite](images/CreateSolution-Part5-GoToResource.png) + - Suggestion: Choose the **Pin to Dashboard** option to make it easy to navigate to your newly added Device Health solution. + - Suggestion: If a "resource unavailable" error occurs when navigating to the solution, try again after one hour. + +## Enroll devices in Windows Analytics + +Once you've added Device Health to a workspace in your Azure subscription, you can start enrolling the devices in your organization. For Device Health there are two key steps for enrollment: +1. Deploy your CommercialID (from Device Health Settings page) to your Windows 10 devices (typically using Group Policy or similar) +2. Ensure the Windows Diagnostic Data setting on devices is set to Enhanced or Full (typically using Group Policy or similar). Note that the [Limit Enhanced](https://docs.microsoft.com/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields) policy can substantially reduce the amount of diagnostic data shared with Microsoft while still allowing Device Health to function. +For full enrollment instructions and troubleshooting, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). + +After enrolling your devices (by deploying your CommercialID and Windows Diagnostic Data settings), it may take 48-72 hours for the first data to appear in the solution. Until then, the Device Health tile will show "Performing Assessment." + +## Use Device Health to monitor device crashes, app crashes, sign-in failures, and more + +Once your devices are enrolled and data is flowing, you can move on to [Using Device Health](device-health-using.md). + +>[!NOTE] +>You can remove the Device Health solution from your workspace if you no longer want to monitor your organization’s devices. Windows diagnostic data will continue to be shared with Microsoft as normal as per the diagnostic data sharing settings on the devices. + +## Related topics + +[Use Device Health to monitor frequency and causes of device crashes](device-health-using.md)
          +For the latest information on Windows Analytics, including new features and usage tips, see the [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics) diff --git a/windows/deployment/update/device-health-monitor.md b/windows/deployment/update/device-health-monitor.md index 8fe9a785eb..027f6cd65b 100644 --- a/windows/deployment/update/device-health-monitor.md +++ b/windows/deployment/update/device-health-monitor.md @@ -1,84 +1,84 @@ ---- -title: Monitor the health of devices with Device Health -ms.reviewer: -manager: laurawi -description: You can use Device Health in Azure Portal to monitor the frequency and causes of crashes and misbehaving apps on devices in your network. -keywords: oms, operations management suite, wdav, health, log analytics -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: medium -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-analytics -ms.topic: article ---- - -# Monitor the health of devices with Device Health - -## Introduction - -Device Health is the newest Windows Analytics solution that complements the existing Upgrade Readiness and Update Compliance solutions by providing IT with reports on some common problems the end users might experience so they can be proactively remediated, thus saving support calls and improving end-user productivity. - -Like Upgrade Readiness and Update Compliance, Device Health is a solution built in Azure Portal, a cloud-based monitoring and automation service that has a flexible servicing subscription based on data usage and retention. This release is free for customers to try and will not incur charges on your Azure Portal workspace for its use. For more information about Azure Portal, see [Windows Analytics in the Azure Portal](windows-analytics-azure-portal.md) . - -Device Health uses Windows diagnostic data that is part of all Windows 10 devices. If you have already employed Upgrade Readiness or Update Compliance solutions, all you need to do is select Device Health from the Azure Portal solution gallery and add it to your Azure Portal workspace. Device Health requires enhanced diagnostic data, so you might need to implement this policy if you've not already done so. - - -Device Health provides the following: - -- Identification of devices that crash frequently, and therefore might need to be rebuilt or replaced -- Identification of device drivers that are causing device crashes, with suggestions of alternative versions of those drivers that might reduce the number of crashes -- Notification of Windows Information Protection misconfigurations that send prompts to end users -- No need for new complex customized infrastructure, thanks to cloud-connected access using Windows 10 diagnostic data - -See the following topics in this guide for detailed information about configuring and using the Device Health solution: - -- [Get started with Device Health](device-health-get-started.md): How to add Device Health to your environment. -- [Using Device Health](device-health-using.md): How to begin using Device Health. - -An overview of the processes used by the Device Health solution is provided below. - -## Device Health licensing - -Use of Windows Analytics Device Health requires one of the following licenses: - -- Windows 10 Enterprise or Windows 10 Education per-device with active Software Assurance -- Windows 10 Enterprise E3 or E5 per-device or per-user subscription (including Microsoft 365 F1, E3, or E5) -- Windows 10 Education A3 or A5 (including Microsoft 365 Education A3 or A5) -- Windows VDA E3 or E5 per-device or per-user subscription - - -You don't have to install Windows 10 Enterprise on a per-device basis--you just need enough of the above licenses for the number of devices using Device Health. - - -## Device Health architecture - -The Device Health architecture and data flow is summarized by the following five-step process: - - - -**(1)** User computers send diagnostic data to a secure Microsoft data center using the Microsoft Data Management Service.
          -**(2)** Diagnostic data is analyzed by the Microsoft Telemetry Service.
          -**(3)** Diagnostic data is pushed from the Microsoft Telemetry Service to your Azure Portal workspace.
          -**(4)** Diagnostic data is available in the Device Health solution.
          -**(5)** You are now able to proactively monitor Device Health issues in your environment.
          - -These steps are illustrated in following diagram: - - [![](images/analytics-architecture.png)](images/analytics-architecture.png) - ->[!NOTE] ->This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). - - - -  -## Related topics - -[Get started with Device Health](device-health-get-started.md) - -[Use Device Health to monitor frequency and causes of device crashes](device-health-using.md) - -For the latest information on Windows Analytics, including new features and usage tips, see the [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics) +--- +title: Monitor the health of devices with Device Health +ms.reviewer: +manager: laurawi +description: You can use Device Health in Azure Portal to monitor the frequency and causes of crashes and misbehaving apps on devices in your network. +keywords: oms, operations management suite, wdav, health, log analytics +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.localizationpriority: medium +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-analytics +ms.topic: article +--- + +# Monitor the health of devices with Device Health + +## Introduction + +Device Health is the newest Windows Analytics solution that complements the existing Upgrade Readiness and Update Compliance solutions by providing IT with reports on some common problems the end users might experience so they can be proactively remediated, thus saving support calls and improving end-user productivity. + +Like Upgrade Readiness and Update Compliance, Device Health is a solution built in Azure Portal, a cloud-based monitoring and automation service that has a flexible servicing subscription based on data usage and retention. This release is free for customers to try and will not incur charges on your Azure Portal workspace for its use. For more information about Azure Portal, see [Windows Analytics in the Azure Portal](windows-analytics-azure-portal.md) . + +Device Health uses Windows diagnostic data that is part of all Windows 10 devices. If you have already employed Upgrade Readiness or Update Compliance solutions, all you need to do is select Device Health from the Azure Portal solution gallery and add it to your Azure Portal workspace. Device Health requires enhanced diagnostic data, so you might need to implement this policy if you've not already done so. + + +Device Health provides the following: + +- Identification of devices that crash frequently, and therefore might need to be rebuilt or replaced +- Identification of device drivers that are causing device crashes, with suggestions of alternative versions of those drivers that might reduce the number of crashes +- Notification of Windows Information Protection misconfigurations that send prompts to end users +- No need for new complex customized infrastructure, thanks to cloud-connected access using Windows 10 diagnostic data + +See the following topics in this guide for detailed information about configuring and using the Device Health solution: + +- [Get started with Device Health](device-health-get-started.md): How to add Device Health to your environment. +- [Using Device Health](device-health-using.md): How to begin using Device Health. + +An overview of the processes used by the Device Health solution is provided below. + +## Device Health licensing + +Use of Windows Analytics Device Health requires one of the following licenses: + +- Windows 10 Enterprise or Windows 10 Education per-device with active Software Assurance +- Windows 10 Enterprise E3 or E5 per-device or per-user subscription (including Microsoft 365 F1, E3, or E5) +- Windows 10 Education A3 or A5 (including Microsoft 365 Education A3 or A5) +- Windows VDA E3 or E5 per-device or per-user subscription + + +You don't have to install Windows 10 Enterprise on a per-device basis--you just need enough of the above licenses for the number of devices using Device Health. + + +## Device Health architecture + +The Device Health architecture and data flow is summarized by the following five-step process: + + + +**(1)** User computers send diagnostic data to a secure Microsoft data center using the Microsoft Data Management Service.
          +**(2)** Diagnostic data is analyzed by the Microsoft Telemetry Service.
          +**(3)** Diagnostic data is pushed from the Microsoft Telemetry Service to your Azure Portal workspace.
          +**(4)** Diagnostic data is available in the Device Health solution.
          +**(5)** You are now able to proactively monitor Device Health issues in your environment.
          + +These steps are illustrated in following diagram: + + [![](images/analytics-architecture.png)](images/analytics-architecture.png) + +>[!NOTE] +>This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). + + + +  +## Related topics + +[Get started with Device Health](device-health-get-started.md) + +[Use Device Health to monitor frequency and causes of device crashes](device-health-using.md) + +For the latest information on Windows Analytics, including new features and usage tips, see the [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics) diff --git a/windows/deployment/update/feature-update-conclusion.md b/windows/deployment/update/feature-update-conclusion.md index 7b26d6be23..7cd119e52b 100644 --- a/windows/deployment/update/feature-update-conclusion.md +++ b/windows/deployment/update/feature-update-conclusion.md @@ -1,24 +1,24 @@ ---- -title: Best practices for feature updates - conclusion -description: Final thoughts about how to deploy feature updates -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.date: 07/09/2018 -ms.reviewer: -manager: laurawi -ms.collection: M365-modern-desktop -ms.topic: article ---- - -# Conclusion - -**Applies to**: Windows 10 - -Mission critical devices that need to be online 24x7 pose unique challenges for the IT Pro looking to stay current with the latest Windows 10 feature update. Because these devices are online continually, providing mission critical services, with only a small window of time available to apply feature updates, specific procedures are required to effectively keep these devices current, with as little downtime as possible. - -Whether you have defined servicing windows at your disposal where feature updates can be installed automatically, or you require user initiated installs by a technician, this whitepaper provides guidelines for either approach. Improvements are continually being made to Windows 10 setup to reduce device offline time for feature updates. This whitepaper will be updated as enhancements become available to improve the overall servicing approach and experience. - +--- +title: Best practices for feature updates - conclusion +description: Final thoughts about how to deploy feature updates +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.author: greglin +ms.date: 07/09/2018 +ms.reviewer: +manager: laurawi +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Conclusion + +**Applies to**: Windows 10 + +Mission critical devices that need to be online 24x7 pose unique challenges for the IT Pro looking to stay current with the latest Windows 10 feature update. Because these devices are online continually, providing mission critical services, with only a small window of time available to apply feature updates, specific procedures are required to effectively keep these devices current, with as little downtime as possible. + +Whether you have defined servicing windows at your disposal where feature updates can be installed automatically, or you require user initiated installs by a technician, this whitepaper provides guidelines for either approach. Improvements are continually being made to Windows 10 setup to reduce device offline time for feature updates. This whitepaper will be updated as enhancements become available to improve the overall servicing approach and experience. + diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md index b945d2692b..0fbe54bae5 100644 --- a/windows/deployment/update/feature-update-maintenance-window.md +++ b/windows/deployment/update/feature-update-maintenance-window.md @@ -1,261 +1,261 @@ ---- -title: Best practices - deploy feature updates during maintenance windows -description: Learn how to deploy feature updates during a maintenance window -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.date: 07/09/2018 -ms.reviewer: -manager: laurawi -ms.collection: M365-modern-desktop -ms.topic: article ---- - -# Deploy feature updates during maintenance windows - -**Applies to**: Windows 10 - -Use the following information to deploy feature updates during a maintenance window. - -## Get ready to deploy feature updates - -### Step 1: Configure maintenance windows - -1. In the Configuration Manager console, choose **Assets and Compliance> Device Collections**. -2. In the **Device Collections** list, select the collection for which you intended to deploy the feature update(s). -3. On the **Home** tab, in the **Properties** group, choose **Properties**. -4. In the **Maintenance Windows** tab of the `` Properties dialog box, choose the New icon. -5. Complete the `` Schedule dialog. -6. Select from the Apply this schedule to drop-down list. -7. Choose **OK** and then close the **\ Properties** dialog box. - -### Step 2: Review computer restart device settings - -If you’re not suppressing computer restarts and the feature update will be installed when no users are present, consider deploying a custom client settings policy to your feature update target collection to shorten the settings below or consider the total duration of these settings when defining your maintenance window duration. - -For example, by default, 90 minutes will be honored before the system is rebooted after the feature update install. If users will not be impacted by the user logoff or restart, there is no need to wait a full 90 minutes before rebooting the computer. If a delay and notification is needed, ensure that the maintenance window takes this into account along with the total time needed to install the feature update. - ->[!NOTE] -> The following settings must be shorter in duration than the shortest maintenance window applied to the computer. ->- **Display a temporary notification to the user that indicates the interval before the user is logged off or the computer restarts (minutes).** ->- **Display a dialog box that the user cannot close, which displays the countdown interval before the user is logged off or the computer restarts (minutes).** - -### Step 3: Enable Peer Cache - -Use **Peer Cache** to help manage deployment of content to clients in remote locations. Peer Cache is a built-in Configuration Manager solution that enables clients to share content with other clients directly from their local cache. - -[Enable Configuration Manager client in full OS to share content](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update). - -### Step 4: Override the default Windows setup priority (Windows 10, version 1709 and later) - -If you’re deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted. - -%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini - -``` -[SetupConfig] -Priority=Normal -``` - -You can use the new [Run Scripts](https://docs.microsoft.com/sccm/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices. - -``` -#Parameters -Param( - [string] $PriorityValue = "Normal" - ) - -#Variable for ini file path -$iniFilePath = "$env:SystemDrive\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini" - -#Variables for SetupConfig -$iniSetupConfigSlogan = "[SetupConfig]" -$iniSetupConfigKeyValuePair =@{"Priority"=$PriorityValue;} - -#Init SetupConfig content -$iniSetupConfigContent = @" -$iniSetupConfigSlogan -"@ - -#Build SetupConfig content with settings -foreach ($k in $iniSetupConfigKeyValuePair.Keys) -{ - $val = $iniSetupConfigKeyValuePair[$k] - - $iniSetupConfigContent = $iniSetupConfigContent.Insert($iniSetupConfigContent.Length, "`r`n$k=$val") -} - -#Write content to file -New-Item $iniFilePath -ItemType File -Value $iniSetupConfigContent -Force - -Disclaimer -Sample scripts are not supported under any Microsoft standard support program or service. The sample scripts is -provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without -limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk -arising out of the use or performance of the sample script and documentation remains with you. In no event shall -Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable -for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, -loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample script -or documentation, even if Microsoft has been advised of the possibility of such damages. -``` - ->[!NOTE] ->If you elect not to override the default setup priority, you will need to increase the [maximum run time](https://docs.microsoft.com/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value. - -## Manually deploy feature updates - -The following sections provide the steps to manually deploy a feature update. - -### Step 1: Specify search criteria for feature updates -There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying feature updates is to identify the feature updates that you want to deploy. - -1. In the Configuration Manager console, click **Software Library**. -2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed. -3. In the search pane, filter to identify the feature updates that you need by using one or both of the following steps: - - In the search text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update. - - Click **Add Criteria**, select the criteria that you want to use to filter software updates, click **Add**, and then provide the values for the criteria. For example, Title contains 1803, Required is greater than or equal to 1, and Language equals English. - -4. Save the search for future use. - -### Step 2: Download the content for the feature update(s) -Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment. - -1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. -2. Choose the feature update(s) to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select Download. - - The **Download Software Updates Wizard** opens. -3. On the **Deployment Package** page, configure the following settings: - **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings: - - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters. - - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. - - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. - - >[!NOTE] - >The deployment package source location that you specify cannot be used by another software deployment package. - - >[!IMPORTANT] - >The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files. - - >[!IMPORTANT] - >You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. - - Click **Next**. -4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](https://docs.microsoft.com/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs). - - >[!NOTE] - >The Distribution Points page is available only when you create a new software update deployment package. -5. On the **Distribution Settings** page, specify the following settings: - - - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority. - - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios). - - **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options: - - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point. - - **Download only content changes to the distribution point**: Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point. - - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting. - - For more information about prestaging content to distribution points, see [Use Prestaged content](https://docs.microsoft.com/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage). - Click **Next**. -6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options: - - - **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting. - - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access. - - >[!NOTE] - >When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard. - - Click **Next**. -7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page. -8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates. -9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click Close. - -#### To monitor content status -1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console. -2. In the Monitoring workspace, expand **Distribution Status**, and then click **Content Status**. -3. Select the feature update package that you previously identified to download the feature updates. -4. On the **Home** tab, in the Content group, click **View Status**. - -### Step 3: Deploy the feature update(s) -After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s). - -1. In the Configuration Manager console, click **Software Library**. -2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. -3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**. - - The **Deploy Software Updates Wizard** opens. -4. On the General page, configure the following settings: - - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \\** - - **Description**: Specify a description for the deployment. The description provides an overview of the deployment and any other relevant information that helps to identify and differentiate the deployment among others in Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default. - - **Software Update/Software Update Group**: Verify that the displayed software update group, or software update, is correct. - - **Select Deployment Template**: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties and then apply the template when you deploy subsequent software updates to ensure consistency across similar deployments and to save time. - - **Collection**: Specify the collection for the deployment, as applicable. Members of the collection receive the feature updates that are defined in the deployment. -5. On the Deployment Settings page, configure the following settings: - - - **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline. - - >[!IMPORTANT] - > After you create the software update deployment, you cannot later change the type of deployment. - - >[!NOTE] - >A software update group deployed as Required will be downloaded in background and honor BITS settings, if configured. - - - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when Type of deployment is set to Required. - - >[!WARNING] - >Before you can use this option, computers and networks must be configured for Wake On LAN. - - - **Detail level**: Specify the level of detail for the state messages that are reported by client computers. -6. On the Scheduling page, configure the following settings: - - - **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console. - - >[!NOTE] - >When you select local time, and then select **As soon as possible** for the **Software available time** or **Installation deadline**, the current time on the computer running the Configuration Manager console is used to evaluate when updates are available or when they are installed on a client. If the client is in a different time zone, these actions will occur when the client's time reaches the evaluation time. - - - **Software available time**: Select **As soon as possible** to specify when the software updates will be available to clients: - - **As soon as possible**: Select this setting to make the software updates in the deployment available to clients as soon as possible. When the deployment is created, the client policy is updated, the clients are made aware of the deployment at their next client policy polling cycle, and then the software updates are available for installation. - - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment. - - >[!NOTE] - >You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page. - - - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. Set the date and time value to correspond with your defined maintenance window for the target collection. Allow sufficient time for clients to download the content in advance of the deadline. Adjust accordingly if clients in your environment will need additional download time. E.g., slow or unreliable network links. - - >[!NOTE] - >The actual installation deadline time is the specific time that you configure plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Configure the Computer Agent client setting, Disable deadline randomization to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#computer-agent). -7. On the User Experience page, configure the following settings: - - **User notifications**: Specify whether to display notification of the software updates in Software Center on the client computer at the configured **Software available time** and whether to display user notifications on the client computers. When **Type of deployment** is set to **Available** on the Deployment Settings page, you cannot select **Hide in Software Center and all notifications**. - - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. For more information about maintenance windows, see [How to use maintenance windows](https://docs.microsoft.com/sccm/core/clients/manage/collections/use-maintenance-windows). - - **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation. - - >[!IMPORTANT] - >Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation. - - **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. - - >[!NOTE] - >When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. - - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window. -8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page. - - >[!NOTE] - >You can review recent software updates alerts from the Software Updates node in the Software Library workspace. -9. On the Download Settings page, configure the following settings: - - Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location. - - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point. - - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache). - - **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content. - - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. - - >[!NOTE] - >Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios). -10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting. -11. Click **Next** to deploy the feature update(s). - -### Step 4: Monitor the deployment status -After you deploy the feature update(s), you can monitor the deployment status. Use the following procedure to monitor the deployment status: - -1. In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**. -2. Click the software update group or software update for which you want to monitor the deployment status. -3. On the **Home** tab, in the **Deployment** group, click **View Status**. +--- +title: Best practices - deploy feature updates during maintenance windows +description: Learn how to deploy feature updates during a maintenance window +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.author: greglin +ms.date: 07/09/2018 +ms.reviewer: +manager: laurawi +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Deploy feature updates during maintenance windows + +**Applies to**: Windows 10 + +Use the following information to deploy feature updates during a maintenance window. + +## Get ready to deploy feature updates + +### Step 1: Configure maintenance windows + +1. In the Configuration Manager console, choose **Assets and Compliance> Device Collections**. +2. In the **Device Collections** list, select the collection for which you intended to deploy the feature update(s). +3. On the **Home** tab, in the **Properties** group, choose **Properties**. +4. In the **Maintenance Windows** tab of the `` Properties dialog box, choose the New icon. +5. Complete the `` Schedule dialog. +6. Select from the Apply this schedule to drop-down list. +7. Choose **OK** and then close the **\ Properties** dialog box. + +### Step 2: Review computer restart device settings + +If you’re not suppressing computer restarts and the feature update will be installed when no users are present, consider deploying a custom client settings policy to your feature update target collection to shorten the settings below or consider the total duration of these settings when defining your maintenance window duration. + +For example, by default, 90 minutes will be honored before the system is rebooted after the feature update install. If users will not be impacted by the user logoff or restart, there is no need to wait a full 90 minutes before rebooting the computer. If a delay and notification is needed, ensure that the maintenance window takes this into account along with the total time needed to install the feature update. + +>[!NOTE] +> The following settings must be shorter in duration than the shortest maintenance window applied to the computer. +>- **Display a temporary notification to the user that indicates the interval before the user is logged off or the computer restarts (minutes).** +>- **Display a dialog box that the user cannot close, which displays the countdown interval before the user is logged off or the computer restarts (minutes).** + +### Step 3: Enable Peer Cache + +Use **Peer Cache** to help manage deployment of content to clients in remote locations. Peer Cache is a built-in Configuration Manager solution that enables clients to share content with other clients directly from their local cache. + +[Enable Configuration Manager client in full OS to share content](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update). + +### Step 4: Override the default Windows setup priority (Windows 10, version 1709 and later) + +If you’re deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted. + +%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini + +``` +[SetupConfig] +Priority=Normal +``` + +You can use the new [Run Scripts](https://docs.microsoft.com/sccm/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices. + +``` +#Parameters +Param( + [string] $PriorityValue = "Normal" + ) + +#Variable for ini file path +$iniFilePath = "$env:SystemDrive\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini" + +#Variables for SetupConfig +$iniSetupConfigSlogan = "[SetupConfig]" +$iniSetupConfigKeyValuePair =@{"Priority"=$PriorityValue;} + +#Init SetupConfig content +$iniSetupConfigContent = @" +$iniSetupConfigSlogan +"@ + +#Build SetupConfig content with settings +foreach ($k in $iniSetupConfigKeyValuePair.Keys) +{ + $val = $iniSetupConfigKeyValuePair[$k] + + $iniSetupConfigContent = $iniSetupConfigContent.Insert($iniSetupConfigContent.Length, "`r`n$k=$val") +} + +#Write content to file +New-Item $iniFilePath -ItemType File -Value $iniSetupConfigContent -Force + +Disclaimer +Sample scripts are not supported under any Microsoft standard support program or service. The sample scripts is +provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without +limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk +arising out of the use or performance of the sample script and documentation remains with you. In no event shall +Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable +for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, +loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample script +or documentation, even if Microsoft has been advised of the possibility of such damages. +``` + +>[!NOTE] +>If you elect not to override the default setup priority, you will need to increase the [maximum run time](https://docs.microsoft.com/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value. + +## Manually deploy feature updates + +The following sections provide the steps to manually deploy a feature update. + +### Step 1: Specify search criteria for feature updates +There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying feature updates is to identify the feature updates that you want to deploy. + +1. In the Configuration Manager console, click **Software Library**. +2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed. +3. In the search pane, filter to identify the feature updates that you need by using one or both of the following steps: + - In the search text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update. + - Click **Add Criteria**, select the criteria that you want to use to filter software updates, click **Add**, and then provide the values for the criteria. For example, Title contains 1803, Required is greater than or equal to 1, and Language equals English. + +4. Save the search for future use. + +### Step 2: Download the content for the feature update(s) +Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment. + +1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. +2. Choose the feature update(s) to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select Download. + + The **Download Software Updates Wizard** opens. +3. On the **Deployment Package** page, configure the following settings: + **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings: + - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters. + - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. + - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. + + >[!NOTE] + >The deployment package source location that you specify cannot be used by another software deployment package. + + >[!IMPORTANT] + >The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files. + + >[!IMPORTANT] + >You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. + + Click **Next**. +4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](https://docs.microsoft.com/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs). + + >[!NOTE] + >The Distribution Points page is available only when you create a new software update deployment package. +5. On the **Distribution Settings** page, specify the following settings: + + - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority. + - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios). + - **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options: + - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point. + - **Download only content changes to the distribution point**: Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point. + - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting. + + For more information about prestaging content to distribution points, see [Use Prestaged content](https://docs.microsoft.com/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage). + Click **Next**. +6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options: + + - **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting. + - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access. + + >[!NOTE] + >When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard. + + Click **Next**. +7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page. +8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates. +9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click Close. + +#### To monitor content status +1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console. +2. In the Monitoring workspace, expand **Distribution Status**, and then click **Content Status**. +3. Select the feature update package that you previously identified to download the feature updates. +4. On the **Home** tab, in the Content group, click **View Status**. + +### Step 3: Deploy the feature update(s) +After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s). + +1. In the Configuration Manager console, click **Software Library**. +2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. +3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**. + + The **Deploy Software Updates Wizard** opens. +4. On the General page, configure the following settings: + - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \\** + - **Description**: Specify a description for the deployment. The description provides an overview of the deployment and any other relevant information that helps to identify and differentiate the deployment among others in Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default. + - **Software Update/Software Update Group**: Verify that the displayed software update group, or software update, is correct. + - **Select Deployment Template**: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties and then apply the template when you deploy subsequent software updates to ensure consistency across similar deployments and to save time. + - **Collection**: Specify the collection for the deployment, as applicable. Members of the collection receive the feature updates that are defined in the deployment. +5. On the Deployment Settings page, configure the following settings: + + - **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline. + + >[!IMPORTANT] + > After you create the software update deployment, you cannot later change the type of deployment. + + >[!NOTE] + >A software update group deployed as Required will be downloaded in background and honor BITS settings, if configured. + + - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when Type of deployment is set to Required. + + >[!WARNING] + >Before you can use this option, computers and networks must be configured for Wake On LAN. + + - **Detail level**: Specify the level of detail for the state messages that are reported by client computers. +6. On the Scheduling page, configure the following settings: + + - **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console. + + >[!NOTE] + >When you select local time, and then select **As soon as possible** for the **Software available time** or **Installation deadline**, the current time on the computer running the Configuration Manager console is used to evaluate when updates are available or when they are installed on a client. If the client is in a different time zone, these actions will occur when the client's time reaches the evaluation time. + + - **Software available time**: Select **As soon as possible** to specify when the software updates will be available to clients: + - **As soon as possible**: Select this setting to make the software updates in the deployment available to clients as soon as possible. When the deployment is created, the client policy is updated, the clients are made aware of the deployment at their next client policy polling cycle, and then the software updates are available for installation. + - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment. + + >[!NOTE] + >You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page. + + - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. Set the date and time value to correspond with your defined maintenance window for the target collection. Allow sufficient time for clients to download the content in advance of the deadline. Adjust accordingly if clients in your environment will need additional download time. E.g., slow or unreliable network links. + + >[!NOTE] + >The actual installation deadline time is the specific time that you configure plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Configure the Computer Agent client setting, Disable deadline randomization to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#computer-agent). +7. On the User Experience page, configure the following settings: + - **User notifications**: Specify whether to display notification of the software updates in Software Center on the client computer at the configured **Software available time** and whether to display user notifications on the client computers. When **Type of deployment** is set to **Available** on the Deployment Settings page, you cannot select **Hide in Software Center and all notifications**. + - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. For more information about maintenance windows, see [How to use maintenance windows](https://docs.microsoft.com/sccm/core/clients/manage/collections/use-maintenance-windows). + - **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation. + + >[!IMPORTANT] + >Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation. + - **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. + + >[!NOTE] + >When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. + - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window. +8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page. + + >[!NOTE] + >You can review recent software updates alerts from the Software Updates node in the Software Library workspace. +9. On the Download Settings page, configure the following settings: + - Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location. + - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point. + - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache). + - **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content. + - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. + + >[!NOTE] + >Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios). +10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting. +11. Click **Next** to deploy the feature update(s). + +### Step 4: Monitor the deployment status +After you deploy the feature update(s), you can monitor the deployment status. Use the following procedure to monitor the deployment status: + +1. In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**. +2. Click the software update group or software update for which you want to monitor the deployment status. +3. On the **Home** tab, in the **Deployment** group, click **View Status**. diff --git a/windows/deployment/update/feature-update-mission-critical.md b/windows/deployment/update/feature-update-mission-critical.md index f3cf3adf07..61469bed82 100644 --- a/windows/deployment/update/feature-update-mission-critical.md +++ b/windows/deployment/update/feature-update-mission-critical.md @@ -1,43 +1,43 @@ ---- -title: Best practices and recommendations for deploying Windows 10 Feature updates to mission critical devices -description: Learn how to deploy feature updates to your mission critical devices -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.date: 07/10/2018 -ms.reviewer: -manager: laurawi -ms.collection: M365-modern-desktop -ms.topic: article ---- - -# Best practices and recommendations for deploying Windows 10 Feature updates to mission critical devices - -**Applies to**: Windows 10 - -Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren’t the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the System Center Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates. - -For simplicity, we will outline the steps to deploy a feature update manually. If you prefer an automated approach, please see [Using Windows 10 servicing plans to deploy Windows 10 feature updates](waas-manage-updates-configuration-manager.md#use-windows-10-servicing-plans-to-deploy-windows-10-feature-updates). - -Devices and shared workstations that are online and available 24 hours a day, 7 days a week, can be serviced via one of two primary methods: - -- **Service during maintenance windows** – Devices that have established maintenance windows will need to have feature updates scheduled to fit within these windows. -- **Service only when manually initiated** – Devices that need physical verification of the availability to update will need to have updates manually initiated by a technician. - -You can use Configuration Manager to deploy feature updates to Windows 10 devices in two ways. The first option is to use the software updates feature. The second option is to use a task sequence to deploy feature updates. There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example: - -- **Upgrade to the next LTSC release.** With the LTSC servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade. -- **Additional required tasks.** When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you can use task sequences to orchestrate the additional steps. Software updates do not have the ability to add steps to their deployments. -- **Language pack installs.** When deploying a feature update requires the installation of additional language packs, you can use task sequences to orchestrate the installation. Software updates do not have the ability to natively install language packs. - -If you need to leverage a task sequence to deploy feature updates, please see [Using a task sequence to deploy Windows 10 updates](waas-manage-updates-configuration-manager.md#use-a-task-sequence-to-deploy-windows-10-updates) for more information. If you find that your requirement for a task sequence is based solely on the need to run additional tasks preformed pre-install or pre-commit, please see the new [run custom actions](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) functionality first introduced with Windows 10, version 1803. You may be able to leverage this functionality with the software updates deployment method. - -Use the following information: - - -- [Deploy feature updates during maintenance windows](feature-update-maintenance-window.md) -- [Deploy feature updates for user-initiated installations](feature-update-user-install.md) -- [Conclusion](feature-update-conclusion.md) +--- +title: Best practices and recommendations for deploying Windows 10 Feature updates to mission critical devices +description: Learn how to deploy feature updates to your mission critical devices +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.author: greglin +ms.date: 07/10/2018 +ms.reviewer: +manager: laurawi +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Best practices and recommendations for deploying Windows 10 Feature updates to mission critical devices + +**Applies to**: Windows 10 + +Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren’t the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the System Center Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates. + +For simplicity, we will outline the steps to deploy a feature update manually. If you prefer an automated approach, please see [Using Windows 10 servicing plans to deploy Windows 10 feature updates](waas-manage-updates-configuration-manager.md#use-windows-10-servicing-plans-to-deploy-windows-10-feature-updates). + +Devices and shared workstations that are online and available 24 hours a day, 7 days a week, can be serviced via one of two primary methods: + +- **Service during maintenance windows** – Devices that have established maintenance windows will need to have feature updates scheduled to fit within these windows. +- **Service only when manually initiated** – Devices that need physical verification of the availability to update will need to have updates manually initiated by a technician. + +You can use Configuration Manager to deploy feature updates to Windows 10 devices in two ways. The first option is to use the software updates feature. The second option is to use a task sequence to deploy feature updates. There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example: + +- **Upgrade to the next LTSC release.** With the LTSC servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade. +- **Additional required tasks.** When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you can use task sequences to orchestrate the additional steps. Software updates do not have the ability to add steps to their deployments. +- **Language pack installs.** When deploying a feature update requires the installation of additional language packs, you can use task sequences to orchestrate the installation. Software updates do not have the ability to natively install language packs. + +If you need to leverage a task sequence to deploy feature updates, please see [Using a task sequence to deploy Windows 10 updates](waas-manage-updates-configuration-manager.md#use-a-task-sequence-to-deploy-windows-10-updates) for more information. If you find that your requirement for a task sequence is based solely on the need to run additional tasks preformed pre-install or pre-commit, please see the new [run custom actions](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) functionality first introduced with Windows 10, version 1803. You may be able to leverage this functionality with the software updates deployment method. + +Use the following information: + + +- [Deploy feature updates during maintenance windows](feature-update-maintenance-window.md) +- [Deploy feature updates for user-initiated installations](feature-update-user-install.md) +- [Conclusion](feature-update-conclusion.md) diff --git a/windows/deployment/update/feature-update-user-install.md b/windows/deployment/update/feature-update-user-install.md index 8f1ed4e10d..8b7e286eab 100644 --- a/windows/deployment/update/feature-update-user-install.md +++ b/windows/deployment/update/feature-update-user-install.md @@ -4,6 +4,7 @@ description: Learn how to manually deploy feature updates ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +audience: itpro author: greg-lindsay ms.localizationpriority: medium ms.author: greglin diff --git a/windows/deployment/update/fod-and-lang-packs.md b/windows/deployment/update/fod-and-lang-packs.md index 9940f89253..9d1e2e68e3 100644 --- a/windows/deployment/update/fod-and-lang-packs.md +++ b/windows/deployment/update/fod-and-lang-packs.md @@ -1,26 +1,26 @@ ---- -title: Windows 10 - How to make FoD and language packs available when you're using WSUS/SCCM -description: Learn how to make FoD and language packs available when you're using WSUS/SCCM -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: article -ms.author: greglin -author: greg-lindsay -ms.localizationpriority: medium -ms.date: 03/13/2019 -ms.reviewer: -manager: laurawi -ms.topic: article ---- -# How to make Features on Demand and language packs available when you're using WSUS/SCCM - -> Applies to: Windows 10 - -As of Windows 10 version 1709, you cannot use Windows Server Update Services (WSUS) to host [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (FOD) and language packs for Windows 10 clients locally. Instead, you can enforce a Group Policy setting that tells the clients to pull them directly from Windows Update. You can also host FOD and language packs on a network share, but starting with Windows 10 version 1809, FOD and language packs can only be installed from Windows Update. - -For Windows domain environments running WSUS or SCCM, change the **Specify settings for optional component installation and component repair** policy to enable downloading FOD and language packs from Windows Update. This setting is located in `Computer Configuration\Administrative Templates\System` in the Group Policy Editor. - -Changing this policy does not affect how other updates are distributed. They continue to come from WSUS or SCCM as you have scheduled them. - -Learn about other client management options, including using Group Policy and administrative templates, in [Manage clients in Windows 10](https://docs.microsoft.com/windows/client-management/). +--- +title: Windows 10 - How to make FoD and language packs available when you're using WSUS/SCCM +description: Learn how to make FoD and language packs available when you're using WSUS/SCCM +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: article +ms.author: greglin +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.date: 03/13/2019 +ms.reviewer: +manager: laurawi +ms.topic: article +--- +# How to make Features on Demand and language packs available when you're using WSUS/SCCM + +> Applies to: Windows 10 + +As of Windows 10 version 1709, you cannot use Windows Server Update Services (WSUS) to host [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (FOD) and language packs for Windows 10 clients locally. Instead, you can enforce a Group Policy setting that tells the clients to pull them directly from Windows Update. You can also host FOD and language packs on a network share, but starting with Windows 10 version 1809, FOD and language packs can only be installed from Windows Update. + +For Windows domain environments running WSUS or SCCM, change the **Specify settings for optional component installation and component repair** policy to enable downloading FOD and language packs from Windows Update. This setting is located in `Computer Configuration\Administrative Templates\System` in the Group Policy Editor. + +Changing this policy does not affect how other updates are distributed. They continue to come from WSUS or SCCM as you have scheduled them. + +Learn about other client management options, including using Group Policy and administrative templates, in [Manage clients in Windows 10](https://docs.microsoft.com/windows/client-management/). diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md index 34a10dc134..0cce8e0389 100644 --- a/windows/deployment/update/how-windows-update-works.md +++ b/windows/deployment/update/how-windows-update-works.md @@ -1,146 +1,146 @@ ---- -title: How Windows Update works -description: Learn how Windows Update works, including architecture and troubleshooting -ms.prod: w10 -ms.mktglfcycl: -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.date: 09/18/2018 -ms.reviewer: -manager: laurawi -ms.collection: M365-modern-desktop -ms.topic: article ---- - -# How does Windows Update work? - ->Applies to: Windows 10 - -The Windows Update workflow has four core areas of functionality: - -### Scan - -1. Orchestrator schedules the scan. -2. Orchestrator verifies admin approvals and policies for download. - - -### Download -1. Orchestrator initiates downloads. -2. Windows Update downloads manifest files and provides them to the arbiter. -3. The arbiter evaluates the manifest and tells the Windows Update client to download files. -4. Windows Update client downloads files in a temporary folder. -5. The arbiter stages the downloaded files. - - -### Install -1. Orchestrator initates the installation. -2. The arbiter calls the installer to install the package. - - -### Commit -1. Orchestrator initiates a restart. -2. The arbiter finalizes before the restart. - - -## How updating works -During the updating process, the Windows Update Orchestrator operates in the background to scan, download, and install updates. It does this automatically, according to your settings, and in a silent manner that doesn’t disrupt your computer usage. - -## Scanning updates -![Windows Update scanning step](images/update-scan-step.png) - -The Windows Update Orchestrator on your PC checks the Microsoft Update server or your WSUS endpoint for new updates at random intervals. The randomization ensures that the Windows Update server isn't overloaded with requests all at the same time. The Update Orchestrator searches only for updates that have been added since the last time updates were searched, allowing it to find updates quickly and efficiently. - -When checking for updates, the Windows Update Orchestrator evaluates whether the update is appropriate for your computer using guidelines defined by the publisher of the update, for example, Microsoft Office including enterprise group policies. - -Make sure you're familiar with the following terminology related to Windows Update scan: - -|Term|Definition| -|----|----------| -|Update|We use this term to mean a lot of different things, but in this context it's the actual patch or change.| -|Bundle update|An update that contains 1-N child updates; doesn't contain payload itself.| -|Child update|Leaf update that's bundled by another update; contains payload.| -|Detectoid update|A special 'update' that contains "IsInstalled" applicability rule only and no payload. Used for prereq evaluation.| -|Category update|A special 'detectoid' that has always true IsInstalled rule. Used for grouping updates and for client to filter updates. | -|Full scan|Scan with empty datastore.| -|Delta scan|Scan with updates from previous scan already cached in datastore.| -|Online scan|Scan that hits network and goes against server on cloud. | -|Offline scan|Scan that doesn't hit network and goes against local datastore. Only useful if online scan has been performed before. | -|CatScan|Category scan where caller can specify a categoryId to get updates published under the categoryId.| -|AppCatScan|Category scan where caller can specify an AppCategoryId to get apps published under the appCategoryId.| -|Software sync|Part of the scan that looks at software updates only (OS and apps).| -|Driver sync|Part of the scan that looks at Driver updates only. This is run after Software sync and is optional.| -|ProductSync|Attributes based sync, where client provides a list of device, product and caller attributes ahead of time to allow service to evaluate applicability in the cloud. | - -### How Windows Update scanning works - -Windows Update takes the following sets of actions when it runs a scan. - -#### Starts the scan for updates -When users start scanning in Windows Update through the Settings panel, the following occurs: - -- The scan first generates a “ComApi” message. The caller (Windows Defender Antivirus) tells the WU engine to scan for updates. -- "Agent" messages: queueing the scan, then actually starting the work: - - Updates are identified by the different IDs ("Id = 10", "Id = 11") and from the different thread ID numbers. - - Windows Update uses the thread ID filtering to concentrate on one particular task. - - ![Windows Update scan log 1](images/update-scan-log-1.png) - -#### Identifies service IDs - -- Service IDs indicate which update source is being scanned. - Note The next screen shot shows Microsoft Update and the Flighting service. - -- The Windows Update engine treats every service as a separate entity, even though multiple services may contain the same updates. - ![Windows Update scan log 2](images/update-scan-log-2.png) -- Common service IDs - - >[!IMPORTANT] - >ServiceId here identifies a client abstraction, not any specific service in the cloud. No assumption should be made of which server a serviceId is pointing to, it's totally controlled by the SLS responses. - -|Service|ServiceId| -|-------|---------| -|Unspecified / Default|WU, MU or WSUS
          00000000-0000-0000-0000-000000000000 | -|WU|9482F4B4-E343-43B6-B170-9A65BC822C77| -|MU|7971f918-a847-4430-9279-4a52d1efe18d| -|Store|855E8A7C-ECB4-4CA3-B045-1DFA50104289| -|OS Flighting|8B24B027-1DEE-BABB-9A95-3517DFB9C552| -|WSUS or SCCM|Via ServerSelection::ssManagedServer
          3DA21691-E39D-4da6-8A4B-B43877BCB1B7 | -|Offline scan service|Via IUpdateServiceManager::AddScanPackageService| - -#### Finds network faults -Common update failure is caused due to network issues. To find the root of the issue: - -- Look for "ProtocolTalker" messages to see client-server sync network traffic. -- "SOAP faults" can be either client- or server-side issues; read the message. -- The WU client uses SLS (Service Locator Service) to discover the configurations and endpoints of Microsoft network update sources – WU, MU, Flighting. - - >[!NOTE] - >Warning messages for SLS can be ignored if the search is against WSUS/SCCM. - -- On sites that only use WSUS/SCCM, the SLS may be blocked at the firewall. In this case the SLS request will fail, and can’t scan against Windows Update or Microsoft Update but can still scan against WSUS/SCCM, since it’s locally configured. - ![Windows Update scan log 3](images/update-scan-log-3.png) - -## Downloading updates -![Windows Update download step](images/update-download-step.png) - -Once the Windows Update Orchestrator determines which updates apply to your computer, it will begin downloading the updates, if you have selected the option to automatically download updates. It does this in the background without interrupting your normal use of the computer. - -To ensure that your other downloads aren’t affected or slowed down because updates are downloading, Windows Update uses the Delivery Optimization (DO) technology which downloads updates and reduces bandwidth consumption. - -For more information see [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). - -## Installing updates -![Windows Update install step](images/update-install-step.png) - -When an update is applicable, the "Arbiter" and metadata are downloaded. Depending on your Windows Update settings, when downloading is complete, the Arbiter will gather details from the device, and compare that with the downloaded metadata to create an "action list". - -The action list describes all the files needed from WU, and what the install agent (such as CBS or Setup) should do with them. The action list is provided to the install agent along with the payload to begin the installation. - -## Committing Updates -![Windows Update commit step](images/update-commit-step.png) - -When the option to automatically install updates is configured, the Windows Update Orchestrator, in most cases, automatically restarts the PC for you after installing the updates. This is necessary because your PC may be insecure, or not fully updated, until a restart is completed. You can use Group Policy settings, mobile device management (MDM), or the registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. - -For more information see [Manage device restarts after updates](waas-restart.md). +--- +title: How Windows Update works +description: Learn how Windows Update works, including architecture and troubleshooting +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.author: greglin +ms.date: 09/18/2018 +ms.reviewer: +manager: laurawi +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# How does Windows Update work? + +>Applies to: Windows 10 + +The Windows Update workflow has four core areas of functionality: + +### Scan + +1. Orchestrator schedules the scan. +2. Orchestrator verifies admin approvals and policies for download. + + +### Download +1. Orchestrator initiates downloads. +2. Windows Update downloads manifest files and provides them to the arbiter. +3. The arbiter evaluates the manifest and tells the Windows Update client to download files. +4. Windows Update client downloads files in a temporary folder. +5. The arbiter stages the downloaded files. + + +### Install +1. Orchestrator initates the installation. +2. The arbiter calls the installer to install the package. + + +### Commit +1. Orchestrator initiates a restart. +2. The arbiter finalizes before the restart. + + +## How updating works +During the updating process, the Windows Update Orchestrator operates in the background to scan, download, and install updates. It does this automatically, according to your settings, and in a silent manner that doesn’t disrupt your computer usage. + +## Scanning updates +![Windows Update scanning step](images/update-scan-step.png) + +The Windows Update Orchestrator on your PC checks the Microsoft Update server or your WSUS endpoint for new updates at random intervals. The randomization ensures that the Windows Update server isn't overloaded with requests all at the same time. The Update Orchestrator searches only for updates that have been added since the last time updates were searched, allowing it to find updates quickly and efficiently. + +When checking for updates, the Windows Update Orchestrator evaluates whether the update is appropriate for your computer using guidelines defined by the publisher of the update, for example, Microsoft Office including enterprise group policies. + +Make sure you're familiar with the following terminology related to Windows Update scan: + +|Term|Definition| +|----|----------| +|Update|We use this term to mean a lot of different things, but in this context it's the actual patch or change.| +|Bundle update|An update that contains 1-N child updates; doesn't contain payload itself.| +|Child update|Leaf update that's bundled by another update; contains payload.| +|Detectoid update|A special 'update' that contains "IsInstalled" applicability rule only and no payload. Used for prereq evaluation.| +|Category update|A special 'detectoid' that has always true IsInstalled rule. Used for grouping updates and for client to filter updates. | +|Full scan|Scan with empty datastore.| +|Delta scan|Scan with updates from previous scan already cached in datastore.| +|Online scan|Scan that hits network and goes against server on cloud. | +|Offline scan|Scan that doesn't hit network and goes against local datastore. Only useful if online scan has been performed before. | +|CatScan|Category scan where caller can specify a categoryId to get updates published under the categoryId.| +|AppCatScan|Category scan where caller can specify an AppCategoryId to get apps published under the appCategoryId.| +|Software sync|Part of the scan that looks at software updates only (OS and apps).| +|Driver sync|Part of the scan that looks at Driver updates only. This is run after Software sync and is optional.| +|ProductSync|Attributes based sync, where client provides a list of device, product and caller attributes ahead of time to allow service to evaluate applicability in the cloud. | + +### How Windows Update scanning works + +Windows Update takes the following sets of actions when it runs a scan. + +#### Starts the scan for updates +When users start scanning in Windows Update through the Settings panel, the following occurs: + +- The scan first generates a “ComApi” message. The caller (Windows Defender Antivirus) tells the WU engine to scan for updates. +- "Agent" messages: queueing the scan, then actually starting the work: + - Updates are identified by the different IDs ("Id = 10", "Id = 11") and from the different thread ID numbers. + - Windows Update uses the thread ID filtering to concentrate on one particular task. + + ![Windows Update scan log 1](images/update-scan-log-1.png) + +#### Identifies service IDs + +- Service IDs indicate which update source is being scanned. + Note The next screen shot shows Microsoft Update and the Flighting service. + +- The Windows Update engine treats every service as a separate entity, even though multiple services may contain the same updates. + ![Windows Update scan log 2](images/update-scan-log-2.png) +- Common service IDs + + >[!IMPORTANT] + >ServiceId here identifies a client abstraction, not any specific service in the cloud. No assumption should be made of which server a serviceId is pointing to, it's totally controlled by the SLS responses. + +|Service|ServiceId| +|-------|---------| +|Unspecified / Default|WU, MU or WSUS
          00000000-0000-0000-0000-000000000000 | +|WU|9482F4B4-E343-43B6-B170-9A65BC822C77| +|MU|7971f918-a847-4430-9279-4a52d1efe18d| +|Store|855E8A7C-ECB4-4CA3-B045-1DFA50104289| +|OS Flighting|8B24B027-1DEE-BABB-9A95-3517DFB9C552| +|WSUS or SCCM|Via ServerSelection::ssManagedServer
          3DA21691-E39D-4da6-8A4B-B43877BCB1B7 | +|Offline scan service|Via IUpdateServiceManager::AddScanPackageService| + +#### Finds network faults +Common update failure is caused due to network issues. To find the root of the issue: + +- Look for "ProtocolTalker" messages to see client-server sync network traffic. +- "SOAP faults" can be either client- or server-side issues; read the message. +- The WU client uses SLS (Service Locator Service) to discover the configurations and endpoints of Microsoft network update sources – WU, MU, Flighting. + + >[!NOTE] + >Warning messages for SLS can be ignored if the search is against WSUS/SCCM. + +- On sites that only use WSUS/SCCM, the SLS may be blocked at the firewall. In this case the SLS request will fail, and can’t scan against Windows Update or Microsoft Update but can still scan against WSUS/SCCM, since it’s locally configured. + ![Windows Update scan log 3](images/update-scan-log-3.png) + +## Downloading updates +![Windows Update download step](images/update-download-step.png) + +Once the Windows Update Orchestrator determines which updates apply to your computer, it will begin downloading the updates, if you have selected the option to automatically download updates. It does this in the background without interrupting your normal use of the computer. + +To ensure that your other downloads aren’t affected or slowed down because updates are downloading, Windows Update uses the Delivery Optimization (DO) technology which downloads updates and reduces bandwidth consumption. + +For more information see [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). + +## Installing updates +![Windows Update install step](images/update-install-step.png) + +When an update is applicable, the "Arbiter" and metadata are downloaded. Depending on your Windows Update settings, when downloading is complete, the Arbiter will gather details from the device, and compare that with the downloaded metadata to create an "action list". + +The action list describes all the files needed from WU, and what the install agent (such as CBS or Setup) should do with them. The action list is provided to the install agent along with the payload to begin the installation. + +## Committing Updates +![Windows Update commit step](images/update-commit-step.png) + +When the option to automatically install updates is configured, the Windows Update Orchestrator, in most cases, automatically restarts the PC for you after installing the updates. This is necessary because your PC may be insecure, or not fully updated, until a restart is completed. You can use Group Policy settings, mobile device management (MDM), or the registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. + +For more information see [Manage device restarts after updates](waas-restart.md). diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md index da75754d7f..4f38f8583c 100644 --- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md +++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md @@ -1,131 +1,131 @@ ---- -title: Olympia Corp enrollment guidelines -description: Olympia Corp enrollment guidelines -ms.author: greglin -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: greg-lindsay -ms.reviewer: -manager: laurawi -keywords: insider, trial, enterprise, lab, corporation, test ---- - -# Olympia Corp - -## What is Windows Insider Lab for Enterprise and Olympia Corp? - -Windows Insider Lab for Enterprise is intended for Windows Insiders who want to try new experimental and pre-release enterprise privacy and security features. To get the complete experience of these enterprise features, Olympia Corp, a virtual corporation has been set up to reflect the IT infrastructure of real world business. Selected customers are invited to join Olympia Corp and try these features. - -As an Olympia user, you will have an opportunity to: - -- Use various enterprise features like Windows Information Protection (WIP), Advanced Threat Protection (ATP), windows Defender Application Guard (WDAG), and Application Virtualization (APP-V). -- Learn how Microsoft is preparing for GDPR, as well as enabling enterprise customers to prepare for their own readiness. -- Validate and test pre-release software in your environment. -- Provide feedback. -- Interact with engineering team members through a variety of communication channels. - ->[!Note] ->Enterprise features might have reduced or different security, privacy, accessibility, availability, and reliability standards relative to commercially provided services and software. We may change or discontinue any of the enterprise features at any time without notice. - -For more information about Olympia Corp, see [https://olympia.windows.com/Info/FAQ](https://olympia.windows.com/Info/FAQ). - -To request an Olympia Corp account, fill out the survey at [https://aka.ms/RegisterOlympia](https://aka.ms/RegisterOlympia). - -## Enrollment guidelines - -Welcome to Olympia Corp. Here are the steps needed to enroll. - -As part of Windows Insider Lab for Enterprise, you can upgrade to Windows 10 Enterprise from Windows 10 Pro. This upgrade is optional. Since certain features such as Windows Defender Application Guard are only available on Windows 10 Enterprise, we recommend you to upgrade. - -Choose one of the following two enrollment options: - -- To set up an AAD-registered device, [follow these steps](#enrollment-keep-current-edition). In this case, you log onto the device by using an existing (non-Olympia) account. - -- If you are running Windows 10 Pro, we recommend that you upgrade to Windows 10 Enterprise by following these steps to [set up an Azure Active Directory-joined device](#enrollment-upgrade-to-enterprise). In this case, you will be able to log on to the device with your Olympia account. - - - -### Set up an Azure Active Directory-REGISTERED Windows 10 device - -This is the Bring Your Own Device (BYOD) method--your device will receive Olympia policies and features, but a new account will not be created. See [Set up Azure Active Directory registered Windows 10 devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-registered-devices-windows10-setup) for additional information. - -1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). - - ![Settings -> Accounts](images/1-1.png) - -2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**. - -3. Click **Connect** and enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**. - - ![Set up a work or school account](images/1-3.png) - -4. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password. - - > [!NOTE] - > Passwords should contain 8-16 characters, including at least one special character or number. - - ![Update your password](images/1-4.png) - -5. Read the **Terms and Conditions**. Click **Accept** to participate in the program. - -6. If this is the first time you are logging in, fill in the additional information to help you retrieve your account details. - -7. Create a PIN for signing into your Olympia corporate account. - -8. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**. - - > [!NOTE] - > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness). - -9. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**. - - - -### Set up Azure Active Directory-JOINED Windows 10 device - -- This method will upgrade your Windows 10 Pro license to Enterprise and create a new account. See [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup) for more information. - -1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). - - ![Settings -> Accounts](images/1-1.png) - -2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**. - -3. Click **Connect**, then click **Join this device to Azure Active Directory**. - - ![Update your password](images/2-3.png) - -4. Enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**. - - ![Set up a work or school account](images/2-4.png) - -5. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password. - - > [!NOTE] - > Passwords should contain 8-16 characters, including at least one special character or number. - - ![Update your password](images/2-5.png) - -6. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**. - -7. If this is the first time you are signing in, fill in the additional information to help you retrieve your account details. - -8. Create a PIN for signing into your Olympia corporate account. - -9. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**. - -10. Restart your device. - -11. In the sign-in screen, choose **Other User** and sign in with your **Olympia corporate account**. Your device will upgrade to Windows 10 Enterprise. - -12. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**. - - > [!NOTE] - > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness). - -13. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**. - ->[!NOTE] -> Your Windows 10 Enterprise license will not be renewed if your device is not connected to Olympia. - +--- +title: Olympia Corp enrollment guidelines +description: Olympia Corp enrollment guidelines +ms.author: greglin +ms.topic: article +ms.prod: w10 +ms.technology: windows +audience: itpro author: greg-lindsay +ms.reviewer: +manager: laurawi +keywords: insider, trial, enterprise, lab, corporation, test +--- + +# Olympia Corp + +## What is Windows Insider Lab for Enterprise and Olympia Corp? + +Windows Insider Lab for Enterprise is intended for Windows Insiders who want to try new experimental and pre-release enterprise privacy and security features. To get the complete experience of these enterprise features, Olympia Corp, a virtual corporation has been set up to reflect the IT infrastructure of real world business. Selected customers are invited to join Olympia Corp and try these features. + +As an Olympia user, you will have an opportunity to: + +- Use various enterprise features like Windows Information Protection (WIP), Advanced Threat Protection (ATP), windows Defender Application Guard (WDAG), and Application Virtualization (APP-V). +- Learn how Microsoft is preparing for GDPR, as well as enabling enterprise customers to prepare for their own readiness. +- Validate and test pre-release software in your environment. +- Provide feedback. +- Interact with engineering team members through a variety of communication channels. + +>[!Note] +>Enterprise features might have reduced or different security, privacy, accessibility, availability, and reliability standards relative to commercially provided services and software. We may change or discontinue any of the enterprise features at any time without notice. + +For more information about Olympia Corp, see [https://olympia.windows.com/Info/FAQ](https://olympia.windows.com/Info/FAQ). + +To request an Olympia Corp account, fill out the survey at [https://aka.ms/RegisterOlympia](https://aka.ms/RegisterOlympia). + +## Enrollment guidelines + +Welcome to Olympia Corp. Here are the steps needed to enroll. + +As part of Windows Insider Lab for Enterprise, you can upgrade to Windows 10 Enterprise from Windows 10 Pro. This upgrade is optional. Since certain features such as Windows Defender Application Guard are only available on Windows 10 Enterprise, we recommend you to upgrade. + +Choose one of the following two enrollment options: + +- To set up an AAD-registered device, [follow these steps](#enrollment-keep-current-edition). In this case, you log onto the device by using an existing (non-Olympia) account. + +- If you are running Windows 10 Pro, we recommend that you upgrade to Windows 10 Enterprise by following these steps to [set up an Azure Active Directory-joined device](#enrollment-upgrade-to-enterprise). In this case, you will be able to log on to the device with your Olympia account. + + + +### Set up an Azure Active Directory-REGISTERED Windows 10 device + +This is the Bring Your Own Device (BYOD) method--your device will receive Olympia policies and features, but a new account will not be created. See [Set up Azure Active Directory registered Windows 10 devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-registered-devices-windows10-setup) for additional information. + +1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). + + ![Settings -> Accounts](images/1-1.png) + +2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**. + +3. Click **Connect** and enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**. + + ![Set up a work or school account](images/1-3.png) + +4. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password. + + > [!NOTE] + > Passwords should contain 8-16 characters, including at least one special character or number. + + ![Update your password](images/1-4.png) + +5. Read the **Terms and Conditions**. Click **Accept** to participate in the program. + +6. If this is the first time you are logging in, fill in the additional information to help you retrieve your account details. + +7. Create a PIN for signing into your Olympia corporate account. + +8. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**. + + > [!NOTE] + > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness). + +9. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**. + + + +### Set up Azure Active Directory-JOINED Windows 10 device + +- This method will upgrade your Windows 10 Pro license to Enterprise and create a new account. See [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup) for more information. + +1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). + + ![Settings -> Accounts](images/1-1.png) + +2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**. + +3. Click **Connect**, then click **Join this device to Azure Active Directory**. + + ![Update your password](images/2-3.png) + +4. Enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**. + + ![Set up a work or school account](images/2-4.png) + +5. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password. + + > [!NOTE] + > Passwords should contain 8-16 characters, including at least one special character or number. + + ![Update your password](images/2-5.png) + +6. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**. + +7. If this is the first time you are signing in, fill in the additional information to help you retrieve your account details. + +8. Create a PIN for signing into your Olympia corporate account. + +9. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**. + +10. Restart your device. + +11. In the sign-in screen, choose **Other User** and sign in with your **Olympia corporate account**. Your device will upgrade to Windows 10 Enterprise. + +12. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**. + + > [!NOTE] + > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness). + +13. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**. + +>[!NOTE] +> Your Windows 10 Enterprise license will not be renewed if your device is not connected to Olympia. + diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md index 99e3295e19..1f23ccbc44 100644 --- a/windows/deployment/update/servicing-stack-updates.md +++ b/windows/deployment/update/servicing-stack-updates.md @@ -1,56 +1,56 @@ ---- -title: Servicing stack updates (Windows 10) -description: Servicing stack updates improve the code that installs the other updates. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.date: 11/29/2018 -ms.reviewer: -manager: laurawi -ms.collection: M365-modern-desktop -ms.topic: article ---- - -# Servicing stack updates - - -**Applies to** - -- Windows 10, Windows 8.1, Windows 8, Windows 7 - -## What is a servicing stack update? -Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. - -## Why should servicing stack updates be installed and kept up to date? - -Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. - -## When are they released? - -Servicing stack update are released depending on new issues or vulnerabilities. In rare occasions a servicing stack update may need to be released on demand to address an issue impacting systems installing the monthly security update. Starting in November 2018 new servicing stack updates will be classified as "Security" with a severity rating of "Critical." - ->[!NOTE] ->You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001). - -## What's the difference between a servicing stack update and a cumulative update? - -Both Windows 10 and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates. - -Servicing stack updates must ship separately from the cumulative updates because they modify the component that installs Windows updates. The servicing stack is released separately because the servicing stack itself requires an update. For example, the cumulative update [KB4284880](https://support.microsoft.com/help/4284880/windows-10-update-kb4284880) requires the [May 17, 2018 servicing stack update](https://support.microsoft.com/help/4132216), which includes updates to Windows Update. - - -## Is there any special guidance? - -Microsoft recommends you install the latest servicing stack updates for your operating system before installing the latest cumulative update. - -Typically, the improvements are reliability and performance improvements that do not require any specific special guidance. If there is any significant impact, it will be present in the release notes. - -## Installation notes - -* Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system. -* Installing servicing stack update does not require restarting the device, so installation should not be disruptive. -* Servicing stack update releases are specific to the operating system version (build number), much like quality updates. -* Search to install latest available [Servicing stack update for Windows 10](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001). +--- +title: Servicing stack updates (Windows 10) +description: Servicing stack updates improve the code that installs the other updates. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.author: greglin +ms.date: 11/29/2018 +ms.reviewer: +manager: laurawi +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Servicing stack updates + + +**Applies to** + +- Windows 10, Windows 8.1, Windows 8, Windows 7 + +## What is a servicing stack update? +Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. + +## Why should servicing stack updates be installed and kept up to date? + +Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. + +## When are they released? + +Servicing stack update are released depending on new issues or vulnerabilities. In rare occasions a servicing stack update may need to be released on demand to address an issue impacting systems installing the monthly security update. Starting in November 2018 new servicing stack updates will be classified as "Security" with a severity rating of "Critical." + +>[!NOTE] +>You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001). + +## What's the difference between a servicing stack update and a cumulative update? + +Both Windows 10 and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates. + +Servicing stack updates must ship separately from the cumulative updates because they modify the component that installs Windows updates. The servicing stack is released separately because the servicing stack itself requires an update. For example, the cumulative update [KB4284880](https://support.microsoft.com/help/4284880/windows-10-update-kb4284880) requires the [May 17, 2018 servicing stack update](https://support.microsoft.com/help/4132216), which includes updates to Windows Update. + + +## Is there any special guidance? + +Microsoft recommends you install the latest servicing stack updates for your operating system before installing the latest cumulative update. + +Typically, the improvements are reliability and performance improvements that do not require any specific special guidance. If there is any significant impact, it will be present in the release notes. + +## Installation notes + +* Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system. +* Installing servicing stack update does not require restarting the device, so installation should not be disruptive. +* Servicing stack update releases are specific to the operating system version (build number), much like quality updates. +* Search to install latest available [Servicing stack update for Windows 10](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001). diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md index f89a5f7dbf..a2939246a0 100644 --- a/windows/deployment/update/update-compliance-delivery-optimization.md +++ b/windows/deployment/update/update-compliance-delivery-optimization.md @@ -1,56 +1,56 @@ ---- -title: Delivery Optimization in Update Compliance (Windows 10) -ms.reviewer: -manager: laurawi -description: new Delivery Optimization data displayed in Update Compliance -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -keywords: oms, operations management suite, optimization, downloads, updates, log analytics -ms.localizationpriority: medium -ms.collection: M365-analytics -ms.topic: article ---- - -# Delivery Optimization in Update Compliance -The Update Compliance solution of Windows Analytics provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days. - -![DO status](images/UC_workspace_DO_status.png) - -> [!IMPORTANT] -> There are currently two known issues affecting the Delivery Optimization status displayed in these blades: ->- Devices running Windows 10, version 1803 or older versions are not sending the correct configuration profile. As a result, the information in the Device Configuration blade might not accurately reflect the settings in your environment. ->- Some devices running Windows 10, version 1809 report the Delivery Optimization DownloadMode configuration value as the sequential value in the list of possible configurations rather than the actual configured value. For example, a device that is configured as HTTP + Group (2), will be shown as HTTP + Internet (3) in Update Compliance. -> ->Look for fixes for both of these issues in a forthcoming update. - -## Delivery Optimization Status - -The Delivery Optimization Status section includes three blades: - -- The **Device Configuration** blade shows a breakdown of download configuration for each device -- The **Content Distribution (%)** blade shows the percentage of bandwidth savings for each category -- The **Content Distribution (GB)** blade shows the total amount of data seen from each content type broken down by the download source (peers vs non-peers). - - - - -## Device Configuration blade -Devices can be set to use different download modes; these download modes determine in what situations Delivery Optimization will use peer-to-peer distribution to accomplish the downloads. The top section shows the number of devices configured to use peer-to-peer distribution in *Peering On* compared to *Peering Off* modes. The table shows a breakdown of the various download mode configurations seen in your environment. For more information about the different configuration options, see [Set up Delivery Optimization for Windows 10 updates](waas-delivery-optimization-setup.md) for recommendations for different scenarios or [Delivery Optimization reference](waas-delivery-optimization-reference.md#download-mode) for complete details of this setting. - -## Content Distribution (%) blade -The first of two blades showing information on content breakdown, this blade shows a ring chart summarizing **Bandwidth Savings %**, which is the percentage of data received from peer sources out of the total data downloaded (for any device that used peer-to-peer distribution). -The table breaks down the Bandwidth Savings % into specific content categories along with the number of devices seen downloading the given content type that used peer-to-peer distribution. - -## Content Distribution (GB) blade -The second of two blades showing information on content breakdown, this blade shows a ring chart summarizing the total bytes downloaded by using peer-to-peer distribution compared to HTTP distribution. -The table breaks down the number of bytes from each download source into specific content categories, along with the number of devices seen downloading the given content type that used peer-to-peer distribution. - -The download sources that could be included are: -- LAN Bytes: Bytes downloaded from LAN Peers which are other devices on the same local network -- Group Bytes: Bytes downloaded from Group Peers which are other devices that belong to the same Group (available when the “Group” download mode is used) -- HTTP Bytes: Non-peer bytes. The HTTP download source can be Microsoft Servers, Windows Update Servers, a WSUS server or an SCCM Distribution Point for Express Updates. - +--- +title: Delivery Optimization in Update Compliance (Windows 10) +ms.reviewer: +manager: laurawi +description: new Delivery Optimization data displayed in Update Compliance +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +keywords: oms, operations management suite, optimization, downloads, updates, log analytics +ms.localizationpriority: medium +ms.collection: M365-analytics +ms.topic: article +--- + +# Delivery Optimization in Update Compliance +The Update Compliance solution of Windows Analytics provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days. + +![DO status](images/UC_workspace_DO_status.png) + +> [!IMPORTANT] +> There are currently two known issues affecting the Delivery Optimization status displayed in these blades: +>- Devices running Windows 10, version 1803 or older versions are not sending the correct configuration profile. As a result, the information in the Device Configuration blade might not accurately reflect the settings in your environment. +>- Some devices running Windows 10, version 1809 report the Delivery Optimization DownloadMode configuration value as the sequential value in the list of possible configurations rather than the actual configured value. For example, a device that is configured as HTTP + Group (2), will be shown as HTTP + Internet (3) in Update Compliance. +> +>Look for fixes for both of these issues in a forthcoming update. + +## Delivery Optimization Status + +The Delivery Optimization Status section includes three blades: + +- The **Device Configuration** blade shows a breakdown of download configuration for each device +- The **Content Distribution (%)** blade shows the percentage of bandwidth savings for each category +- The **Content Distribution (GB)** blade shows the total amount of data seen from each content type broken down by the download source (peers vs non-peers). + + + + +## Device Configuration blade +Devices can be set to use different download modes; these download modes determine in what situations Delivery Optimization will use peer-to-peer distribution to accomplish the downloads. The top section shows the number of devices configured to use peer-to-peer distribution in *Peering On* compared to *Peering Off* modes. The table shows a breakdown of the various download mode configurations seen in your environment. For more information about the different configuration options, see [Set up Delivery Optimization for Windows 10 updates](waas-delivery-optimization-setup.md) for recommendations for different scenarios or [Delivery Optimization reference](waas-delivery-optimization-reference.md#download-mode) for complete details of this setting. + +## Content Distribution (%) blade +The first of two blades showing information on content breakdown, this blade shows a ring chart summarizing **Bandwidth Savings %**, which is the percentage of data received from peer sources out of the total data downloaded (for any device that used peer-to-peer distribution). +The table breaks down the Bandwidth Savings % into specific content categories along with the number of devices seen downloading the given content type that used peer-to-peer distribution. + +## Content Distribution (GB) blade +The second of two blades showing information on content breakdown, this blade shows a ring chart summarizing the total bytes downloaded by using peer-to-peer distribution compared to HTTP distribution. +The table breaks down the number of bytes from each download source into specific content categories, along with the number of devices seen downloading the given content type that used peer-to-peer distribution. + +The download sources that could be included are: +- LAN Bytes: Bytes downloaded from LAN Peers which are other devices on the same local network +- Group Bytes: Bytes downloaded from Group Peers which are other devices that belong to the same Group (available when the “Group” download mode is used) +- HTTP Bytes: Non-peer bytes. The HTTP download source can be Microsoft Servers, Windows Update Servers, a WSUS server or an SCCM Distribution Point for Express Updates. + diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md index eb806c7b40..8d6fa2501e 100644 --- a/windows/deployment/update/update-compliance-feature-update-status.md +++ b/windows/deployment/update/update-compliance-feature-update-status.md @@ -1,49 +1,49 @@ ---- -title: Update Compliance - Feature Update Status report -ms.reviewer: -manager: laurawi -description: an overview of the Feature Update Status report -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-analytics -ms.topic: article ---- - -# Feature Update Status - -![The Feature Update Status report](images/UC_workspace_FU_status.png) - -The Feature Update Status section provides information about the status of [feature updates](waas-quick-start.md#definitions) across all devices. This section tile in the [Overview Blade](update-compliance-using.md#overview-blade) gives a percentage of devices that are on the latest applicable feature update; [Servicing Channel](waas-overview.md#servicing-channels) is considered in determining applicability. Within this section are two blades; one providing a holistic view of feature updates, the other containing three **Deployment Status** tiles, each charged with tracking the deployment for a different [Servicing Channel](waas-overview.md#servicing-channels). - -## Overall Feature Update Status - -The Overall Feature Update Status blade breaks down how many devices are up-to-date or not, with a special callout for how many devices are running a build that is not supported (for a full list of feature updates, check out the [Windows 10 Release Information](https://technet.microsoft.com/windows/release-info.aspx) page). The table beneath the visualization breaks devices down by Servicing Channel and operating system version, then defining whether this combination is *up-to-date*, *not up-to-date* or *out of support*. Finally, the table provides a count of devices that fall into this category. - -## Deployment Status by Servicing Channel - -To effectively track deployment, **Deployment Status Blades** are divided into each Servicing Channel chosen for the device. This is because Deployment for each channel will happen at different periods in time and feature updates are targeted separately for each channel. Within each Deployment Status tile, devices are aggregated on their feature update distribution, and the columns list the states each device is in. - -Refer to the following list for what each state means: -* **Installed** devices are devices that have completed installation for the given update. -* When a device is counted as **In Progress**, it has begun the feature update installation. -* Devices that are **scheduled next 7 days** are all devices that were deferred from installing the Feature update using [Windows Update for Business Settings](waas-manage-updates-wufb.md) and are set to begin installation in the next 7 days. -* Devices that have failed the given feature update installation are counted as **Update failed**. -* If a device should be, in some way, progressing toward this security update, but its status cannot be inferred, it will count as **Status Unknown**. Devices not using Windows Update are the most likely devices to fall into this category. - -## Compatibility holds - -Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *compatibility hold* is generated to delay the device’s upgrade and safeguard the end-user experience. Holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all compatibility holds on the Windows 10 release information page for any given release. - -To learn how compatibility holds are reflected in the experience, see [Update compliance perspectives](update-compliance-perspectives.md#deployment-status). - -### Opting out of compatibility hold - -Microsoft will release a device from a compatibility hold when it has determined it can safely and smoothly install a feature update, but you are ultimately in control of your devices and can opt out if desired. To opt out, set the registry key **HKLM\Software\Microsoft\Windows NT\CurrentVersion\502505fe-762c-4e80-911e-0c3fa4c63fb0** to a name of **DataRequireGatedScanForFeatureUpdates** and a value of **0**. - - -Setting this registry key to **0** will force the device to opt out from *all* compatibility holds. Any other value, or deleting the key, will resume compatibility protection on the device. - +--- +title: Update Compliance - Feature Update Status report +ms.reviewer: +manager: laurawi +description: an overview of the Feature Update Status report +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-analytics +ms.topic: article +--- + +# Feature Update Status + +![The Feature Update Status report](images/UC_workspace_FU_status.png) + +The Feature Update Status section provides information about the status of [feature updates](waas-quick-start.md#definitions) across all devices. This section tile in the [Overview Blade](update-compliance-using.md#overview-blade) gives a percentage of devices that are on the latest applicable feature update; [Servicing Channel](waas-overview.md#servicing-channels) is considered in determining applicability. Within this section are two blades; one providing a holistic view of feature updates, the other containing three **Deployment Status** tiles, each charged with tracking the deployment for a different [Servicing Channel](waas-overview.md#servicing-channels). + +## Overall Feature Update Status + +The Overall Feature Update Status blade breaks down how many devices are up-to-date or not, with a special callout for how many devices are running a build that is not supported (for a full list of feature updates, check out the [Windows 10 Release Information](https://technet.microsoft.com/windows/release-info.aspx) page). The table beneath the visualization breaks devices down by Servicing Channel and operating system version, then defining whether this combination is *up-to-date*, *not up-to-date* or *out of support*. Finally, the table provides a count of devices that fall into this category. + +## Deployment Status by Servicing Channel + +To effectively track deployment, **Deployment Status Blades** are divided into each Servicing Channel chosen for the device. This is because Deployment for each channel will happen at different periods in time and feature updates are targeted separately for each channel. Within each Deployment Status tile, devices are aggregated on their feature update distribution, and the columns list the states each device is in. + +Refer to the following list for what each state means: +* **Installed** devices are devices that have completed installation for the given update. +* When a device is counted as **In Progress**, it has begun the feature update installation. +* Devices that are **scheduled next 7 days** are all devices that were deferred from installing the Feature update using [Windows Update for Business Settings](waas-manage-updates-wufb.md) and are set to begin installation in the next 7 days. +* Devices that have failed the given feature update installation are counted as **Update failed**. +* If a device should be, in some way, progressing toward this security update, but its status cannot be inferred, it will count as **Status Unknown**. Devices not using Windows Update are the most likely devices to fall into this category. + +## Compatibility holds + +Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *compatibility hold* is generated to delay the device’s upgrade and safeguard the end-user experience. Holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all compatibility holds on the Windows 10 release information page for any given release. + +To learn how compatibility holds are reflected in the experience, see [Update compliance perspectives](update-compliance-perspectives.md#deployment-status). + +### Opting out of compatibility hold + +Microsoft will release a device from a compatibility hold when it has determined it can safely and smoothly install a feature update, but you are ultimately in control of your devices and can opt out if desired. To opt out, set the registry key **HKLM\Software\Microsoft\Windows NT\CurrentVersion\502505fe-762c-4e80-911e-0c3fa4c63fb0** to a name of **DataRequireGatedScanForFeatureUpdates** and a value of **0**. + + +Setting this registry key to **0** will force the device to opt out from *all* compatibility holds. Any other value, or deleting the key, will resume compatibility protection on the device. + diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index 4a3ce5b3d2..8a005eb69d 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -1,75 +1,75 @@ ---- -title: Get started with Update Compliance (Windows 10) -ms.reviewer: -manager: laurawi -description: Configure Update Compliance in Azure Portal to see the status of updates and antimalware protection on devices in your network. -keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.localizationpriority: medium -ms.collection: M365-analytics -ms.topic: article ---- - -# Get started with Update Compliance -This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance. - -Steps are provided in sections that follow the recommended setup process: - -1. Ensure you meet the [Update Compliance prerequisites](#update-compliance-prerequisites). -2. [Add Update Compliance to your Azure subscription](#add-update-compliance-to-your-azure-subscription). -3. [Enroll devices in Windows Analytics](#enroll-devices-in-windows-analytics). -4. [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates, Windows Defender Antivirus status, and Delivery Optimization. - -## Update Compliance prerequisites -Before you begin the process to add Update Compliance to your Azure subscription, first ensure you can meet the prerequisites: -1. Update Compliance works only with Windows 10 Professional, Education, and Enterprise editions. Update Compliance only provides data for the standard Desktop Windows 10 version and is not currently compatible with Windows Server, Surface Hub, IoT, etc. -2. Update Compliance provides detailed deployment data for devices on the Semi-Annual Channel and the Long-term Servicing Channel. Update Compliance will show Windows Insider Preview devices, but currently will not provide detailed deployment information for them. -3. Update Compliance requires at least the Basic level of diagnostic data and a Commercial ID to be enabled on the device. -4. To show device names for versions of Windows 10 starting with 1803 in Windows Analytics you must opt in. For details about this, see the "AllowDeviceNameinTelemetry (in Windows 10)" entry in the table in the [Distributing policies at scale](windows-analytics-get-started.md#deploying-windows-analytics-at-scale) section of [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). -5. To use the Windows Defender Status, devices must be E3-licensed and have Cloud Protection enabled. E5-licensed devices will not appear here. For E5 devices, you should use [Windows Defender ATP](https://docs.microsoft.com/sccm/protect/deploy-use/windows-defender-advanced-threat-protection) instead. For more information on Windows 10 Enterprise licensing, see [Windows 10 Enterprise: FAQ for IT Professionals](https://docs.microsoft.com/windows/deployment/planning/windows-10-enterprise-faq-itpro). - -## Add Update Compliance to your Azure subscription -Update Compliance is offered as a solution which is linked to a new or existing [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) workspace within your Azure subscription. To configure this, follow these steps: - -1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal. - -> [!NOTE] -> Update Compliance is included at no additional cost with Windows 10 Professional, Education, and Enterprise editions. An Azure subscription is required for managing and using Update Compliance, but no Azure charges are expected to accrue to the subscription as a result of using Update Compliance. - -2. In the Azure portal select **+ Create a resource**, and search for “Update Compliance". You should see it in the results below. - -![Update Compliance marketplace search results](images/UC_00_marketplace_search.png) - -3. Select **Update Compliance** and a blade will appear summarizing the solution’s offerings. At the bottom, select **Create** to begin adding the solution to Azure. - -![Update Compliance solution creation](images/UC_01_marketplace_create.png) - -4. Choose an existing workspace or create a new workspace that will be assigned to the Update Compliance solution. - - If you already have another Windows Analytics solution, you should use the same workspace. - - If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started: - - Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*. - - For the resource group setting select **Create new** and use the same name you chose for your new workspace. - - For the location setting, choose the Azure region where you would prefer the data to be stored. - - For the pricing tier select **per GB**. - -![Update Compliance workspace creation](images/UC_02_workspace_create.png) - -5. The resource group and workspace creation process could take a few minutes. After this, you are able to use that workspace for Update Compliance. Select **Create**. - -![Update Compliance workspace selection](images/UC_03_workspace_select.png) - -6. Watch for a notification in the Azure portal that your deployment has been successful. This might take a few minutes. Then, select **Go to resource**. - -![Update Compliance deployment successful](images/UC_04_resourcegrp_deployment_successful.png) - -## Enroll devices in Windows Analytics -Once you've added Update Compliance to a workspace in your Azure subscription, you can start enrolling the devices in your organization. For Update Compliance there are two key steps for enrollment: -1. Deploy your Commercial ID (from the Update Compliance Settings page) to your Windows 10 devices (typically by using Group Policy, [Mobile Device Management](https://docs.microsoft.com/windows/client-management/windows-10-mobile-and-mdm), [System Center Configuration Manager](https://docs.microsoft.com/sccm/core/understand/introduction) or similar). -2. Ensure the Windows Diagnostic Data setting on devices is set to at least Basic (typically using Group Policy or similar). For full enrollment instructions and troubleshooting, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). - -After enrolling your devices (by deploying your CommercialID and Windows Diagnostic Data settings), it might take 48-72 hours for the first data to appear in the solution. Until then, Update Compliance will indicate it is still assessing devices. +--- +title: Get started with Update Compliance (Windows 10) +ms.reviewer: +manager: laurawi +description: Configure Update Compliance in Azure Portal to see the status of updates and antimalware protection on devices in your network. +keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.localizationpriority: medium +ms.collection: M365-analytics +ms.topic: article +--- + +# Get started with Update Compliance +This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance. + +Steps are provided in sections that follow the recommended setup process: + +1. Ensure you meet the [Update Compliance prerequisites](#update-compliance-prerequisites). +2. [Add Update Compliance to your Azure subscription](#add-update-compliance-to-your-azure-subscription). +3. [Enroll devices in Windows Analytics](#enroll-devices-in-windows-analytics). +4. [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates, Windows Defender Antivirus status, and Delivery Optimization. + +## Update Compliance prerequisites +Before you begin the process to add Update Compliance to your Azure subscription, first ensure you can meet the prerequisites: +1. Update Compliance works only with Windows 10 Professional, Education, and Enterprise editions. Update Compliance only provides data for the standard Desktop Windows 10 version and is not currently compatible with Windows Server, Surface Hub, IoT, etc. +2. Update Compliance provides detailed deployment data for devices on the Semi-Annual Channel and the Long-term Servicing Channel. Update Compliance will show Windows Insider Preview devices, but currently will not provide detailed deployment information for them. +3. Update Compliance requires at least the Basic level of diagnostic data and a Commercial ID to be enabled on the device. +4. To show device names for versions of Windows 10 starting with 1803 in Windows Analytics you must opt in. For details about this, see the "AllowDeviceNameinTelemetry (in Windows 10)" entry in the table in the [Distributing policies at scale](windows-analytics-get-started.md#deploying-windows-analytics-at-scale) section of [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). +5. To use the Windows Defender Status, devices must be E3-licensed and have Cloud Protection enabled. E5-licensed devices will not appear here. For E5 devices, you should use [Windows Defender ATP](https://docs.microsoft.com/sccm/protect/deploy-use/windows-defender-advanced-threat-protection) instead. For more information on Windows 10 Enterprise licensing, see [Windows 10 Enterprise: FAQ for IT Professionals](https://docs.microsoft.com/windows/deployment/planning/windows-10-enterprise-faq-itpro). + +## Add Update Compliance to your Azure subscription +Update Compliance is offered as a solution which is linked to a new or existing [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) workspace within your Azure subscription. To configure this, follow these steps: + +1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal. + +> [!NOTE] +> Update Compliance is included at no additional cost with Windows 10 Professional, Education, and Enterprise editions. An Azure subscription is required for managing and using Update Compliance, but no Azure charges are expected to accrue to the subscription as a result of using Update Compliance. + +2. In the Azure portal select **+ Create a resource**, and search for “Update Compliance". You should see it in the results below. + +![Update Compliance marketplace search results](images/UC_00_marketplace_search.png) + +3. Select **Update Compliance** and a blade will appear summarizing the solution’s offerings. At the bottom, select **Create** to begin adding the solution to Azure. + +![Update Compliance solution creation](images/UC_01_marketplace_create.png) + +4. Choose an existing workspace or create a new workspace that will be assigned to the Update Compliance solution. + - If you already have another Windows Analytics solution, you should use the same workspace. + - If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started: + - Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*. + - For the resource group setting select **Create new** and use the same name you chose for your new workspace. + - For the location setting, choose the Azure region where you would prefer the data to be stored. + - For the pricing tier select **per GB**. + +![Update Compliance workspace creation](images/UC_02_workspace_create.png) + +5. The resource group and workspace creation process could take a few minutes. After this, you are able to use that workspace for Update Compliance. Select **Create**. + +![Update Compliance workspace selection](images/UC_03_workspace_select.png) + +6. Watch for a notification in the Azure portal that your deployment has been successful. This might take a few minutes. Then, select **Go to resource**. + +![Update Compliance deployment successful](images/UC_04_resourcegrp_deployment_successful.png) + +## Enroll devices in Windows Analytics +Once you've added Update Compliance to a workspace in your Azure subscription, you can start enrolling the devices in your organization. For Update Compliance there are two key steps for enrollment: +1. Deploy your Commercial ID (from the Update Compliance Settings page) to your Windows 10 devices (typically by using Group Policy, [Mobile Device Management](https://docs.microsoft.com/windows/client-management/windows-10-mobile-and-mdm), [System Center Configuration Manager](https://docs.microsoft.com/sccm/core/understand/introduction) or similar). +2. Ensure the Windows Diagnostic Data setting on devices is set to at least Basic (typically using Group Policy or similar). For full enrollment instructions and troubleshooting, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). + +After enrolling your devices (by deploying your CommercialID and Windows Diagnostic Data settings), it might take 48-72 hours for the first data to appear in the solution. Until then, Update Compliance will indicate it is still assessing devices. diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index 44c72f9275..1ece514b2e 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md @@ -1,57 +1,57 @@ ---- -title: Monitor Windows Updates and Windows Defender AV with Update Compliance (Windows 10) -ms.reviewer: -manager: laurawi -description: You can use Update Compliance in Azure Portal to monitor the progress of updates and key antimalware protection features on devices in your network. -keywords: oms, operations management suite, wdav, updates, upgrades, antivirus, antimalware, signature, log analytics -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.localizationpriority: medium -ms.collection: M365-analytics -ms.topic: article ---- - -# Monitor Windows Updates with Update Compliance - -## Introduction - -Update Compliance is a [Windows Analytics solution](windows-analytics-overview.md) that enables organizations to: - -* Monitor Windows 10 Professional, Education, and Enterprise security, quality, and feature updates. -* View a report of device and update issues related to compliance that need attention. -* See the status of Windows Defender Antivirus signatures and threats. -* Check bandwidth savings incurred across multiple content types by using [Delivery Optimization](waas-delivery-optimization.md). - -Update Compliance is offered through the Azure portal, and is available free for devices that meet the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites). - -Update Compliance uses Windows 10 and Windows Defender Antivirus diagnostic data for all of its reporting. It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, Windows Defender Antivirus data, and Delivery Optimization usage data, and then sends this data to a secure cloud to be stored for analysis and usage in [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal). - -See the following topics in this guide for detailed information about configuring and using the Update Compliance solution: - -- [Get started with Update Compliance](update-compliance-get-started.md): How to add Update Compliance to your environment. -- [Using Update Compliance](update-compliance-using.md): How to begin using Update Compliance. - -## Update Compliance architecture - -The Update Compliance architecture and data flow is summarized by the following four-step process: - -1. User computers send diagnostic data to a secure Microsoft data center using the Microsoft Data Management Service.
          -2. Diagnostic data is analyzed by the Update Compliance Data Service.
          -3. Diagnostic data is pushed from the Update Compliance Data Service to your Azure Monitor workspace.
          -4. Diagnostic data is available in the Update Compliance solution.
          - - ->[!NOTE] ->This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). - - - -  -## Related topics - -[Get started with Update Compliance](update-compliance-get-started.md)
          -[Use Update Compliance to monitor Windows Updates](update-compliance-using.md) +--- +title: Monitor Windows Updates and Windows Defender AV with Update Compliance (Windows 10) +ms.reviewer: +manager: laurawi +description: You can use Update Compliance in Azure Portal to monitor the progress of updates and key antimalware protection features on devices in your network. +keywords: oms, operations management suite, wdav, updates, upgrades, antivirus, antimalware, signature, log analytics +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.localizationpriority: medium +ms.collection: M365-analytics +ms.topic: article +--- + +# Monitor Windows Updates with Update Compliance + +## Introduction + +Update Compliance is a [Windows Analytics solution](windows-analytics-overview.md) that enables organizations to: + +* Monitor Windows 10 Professional, Education, and Enterprise security, quality, and feature updates. +* View a report of device and update issues related to compliance that need attention. +* See the status of Windows Defender Antivirus signatures and threats. +* Check bandwidth savings incurred across multiple content types by using [Delivery Optimization](waas-delivery-optimization.md). + +Update Compliance is offered through the Azure portal, and is available free for devices that meet the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites). + +Update Compliance uses Windows 10 and Windows Defender Antivirus diagnostic data for all of its reporting. It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, Windows Defender Antivirus data, and Delivery Optimization usage data, and then sends this data to a secure cloud to be stored for analysis and usage in [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal). + +See the following topics in this guide for detailed information about configuring and using the Update Compliance solution: + +- [Get started with Update Compliance](update-compliance-get-started.md): How to add Update Compliance to your environment. +- [Using Update Compliance](update-compliance-using.md): How to begin using Update Compliance. + +## Update Compliance architecture + +The Update Compliance architecture and data flow is summarized by the following four-step process: + +1. User computers send diagnostic data to a secure Microsoft data center using the Microsoft Data Management Service.
          +2. Diagnostic data is analyzed by the Update Compliance Data Service.
          +3. Diagnostic data is pushed from the Update Compliance Data Service to your Azure Monitor workspace.
          +4. Diagnostic data is available in the Update Compliance solution.
          + + +>[!NOTE] +>This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). + + + +  +## Related topics + +[Get started with Update Compliance](update-compliance-get-started.md)
          +[Use Update Compliance to monitor Windows Updates](update-compliance-using.md) diff --git a/windows/deployment/update/update-compliance-need-attention.md b/windows/deployment/update/update-compliance-need-attention.md index 1dff2b7467..be35a79469 100644 --- a/windows/deployment/update/update-compliance-need-attention.md +++ b/windows/deployment/update/update-compliance-need-attention.md @@ -1,46 +1,46 @@ ---- -title: Update Compliance - Need Attention! report -ms.reviewer: -manager: laurawi -description: an overview of the Update Compliance Need Attention! report -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-analytics -ms.topic: article ---- - -# Needs attention! -![Needs attention section](images/UC_workspace_needs_attention.png) - -The **Needs attention!** section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a [list of queries](#list-of-queries) blade in this section contains queries that provide values but do not fit within any other main section. - ->[!NOTE] ->The summary tile counts the number of devices that have issues, while the blades within the section break down the issues encountered. A single device can have more than one issue, so these numbers might not add up. - -The different issues are broken down by Device Issues and Update Issues: - -## Device Issues - -* **Missing multiple security updates:** This issue occurs when a device is behind by two or more security updates. These devices might be more vulnerable and should be investigated and updated. -* **Out of support OS Version:** This issue occurs when a device has fallen out of support due to the version of Windows 10 it is running. When a device has fallen out of support, it will no longer receive important security updates, and might be vulnerable. These devices should be updated to a supported version of Windows 10. - -## Update Issues - -* **Failed:** This issue occurs when an error halts the process of downloading and applying an update on a device. Some of these errors might be transient, but should be investigated further to be sure. -* **Cancelled**: This issue occurs when a user cancels the update process. -* **Rollback**: This issue occurs when a fatal error occurs during a feature update, and the device is rolled back to the previous version. -* **Uninstalled**: This issue occurs when a feature update is uninstalled from a device by a user or an administrator. Note that this might not be a problem if the uninstallation was intentional, but is highlighted as it might need attention. -* **Progress stalled:** This issue occurs when an update is in progress, but has not completed over a period of 10 days. - -Selecting any of the issues will take you to a [Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) view with all devices that have the given issue. - ->[!NOTE] ->This blade also has a link to the [Setup Diagnostic Tool](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag), a standalone tool you can use to obtain details about why a Windows 10 feature update was unsuccessful. - -## List of Queries - -The **List of Queries** blade is in the **Needs Attention** section of Update Compliance. This blade contains a list of queries with a description and a link to the query. These queries contain important meta-information that did not fit within any specific section or were listed to serve as a good starting point for modification into custom queries. +--- +title: Update Compliance - Need Attention! report +ms.reviewer: +manager: laurawi +description: an overview of the Update Compliance Need Attention! report +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-analytics +ms.topic: article +--- + +# Needs attention! +![Needs attention section](images/UC_workspace_needs_attention.png) + +The **Needs attention!** section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a [list of queries](#list-of-queries) blade in this section contains queries that provide values but do not fit within any other main section. + +>[!NOTE] +>The summary tile counts the number of devices that have issues, while the blades within the section break down the issues encountered. A single device can have more than one issue, so these numbers might not add up. + +The different issues are broken down by Device Issues and Update Issues: + +## Device Issues + +* **Missing multiple security updates:** This issue occurs when a device is behind by two or more security updates. These devices might be more vulnerable and should be investigated and updated. +* **Out of support OS Version:** This issue occurs when a device has fallen out of support due to the version of Windows 10 it is running. When a device has fallen out of support, it will no longer receive important security updates, and might be vulnerable. These devices should be updated to a supported version of Windows 10. + +## Update Issues + +* **Failed:** This issue occurs when an error halts the process of downloading and applying an update on a device. Some of these errors might be transient, but should be investigated further to be sure. +* **Cancelled**: This issue occurs when a user cancels the update process. +* **Rollback**: This issue occurs when a fatal error occurs during a feature update, and the device is rolled back to the previous version. +* **Uninstalled**: This issue occurs when a feature update is uninstalled from a device by a user or an administrator. Note that this might not be a problem if the uninstallation was intentional, but is highlighted as it might need attention. +* **Progress stalled:** This issue occurs when an update is in progress, but has not completed over a period of 10 days. + +Selecting any of the issues will take you to a [Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) view with all devices that have the given issue. + +>[!NOTE] +>This blade also has a link to the [Setup Diagnostic Tool](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag), a standalone tool you can use to obtain details about why a Windows 10 feature update was unsuccessful. + +## List of Queries + +The **List of Queries** blade is in the **Needs Attention** section of Update Compliance. This blade contains a list of queries with a description and a link to the query. These queries contain important meta-information that did not fit within any specific section or were listed to serve as a good starting point for modification into custom queries. diff --git a/windows/deployment/update/update-compliance-perspectives.md b/windows/deployment/update/update-compliance-perspectives.md index 44de7e6407..4af9e5897a 100644 --- a/windows/deployment/update/update-compliance-perspectives.md +++ b/windows/deployment/update/update-compliance-perspectives.md @@ -1,65 +1,65 @@ ---- -title: Update Compliance - Perspectives -ms.reviewer: -manager: laurawi -description: an overview of Update Compliance Perspectives -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-analytics -ms.topic: article ---- - -# Perspectives - -![Perspectives data view](images/uc-perspectiveupdatedeploymentstatus.png) - -Perspectives are elaborations on specific queries hand-crafted by developers which data views that provide deeper insight into your data. Perspectives are loaded whenever clicking into more detailed views from both the Security Update Status section and Feature Update Status section of Update Compliance. - -There is only one perspective framework; it is for **Update Deployment Status**. The same framework is utilized for both feature and quality updates. - -The first blade is the **Build Summary** blade. This blade summarizes the most important aspects of the given build being queried, listing the total number of devices, the total number of update failures for the build, and a breakdown of the different errors encountered. - -The second blade is the **Deferral Configurations** blade, breaking down Windows Update for Business deferral settings (if any). - -## Deployment status - -The third blade is the **Deployment Status** blade. This defines how many days it has been since the queried version has been released, and breaks down the various states in the update funnel each device has reported to be in. The possible states are as follows: - -| State | Description | -| --- | --- | -| Update Completed | When a device has finished the update process and is on the queried update, it will display here as Update completed. | -| In Progress | Devices that report they are “In Progress” are one of the various stages of installing an update; these stages are reported in the Detailed Deployment Status blade. | -| Deferred | When a device’s Windows Update for Business deferral policy dictates that the update is not yet applicable due to deferral, it will report as such in this blade. | -| Progress stalled | Devices that report as “Progress stalled” have been stuck at “In progress” for more than 7 days. | -| Cancelled | The update was cancelled. | -| Blocked | There is a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update. | -| Unknown | Devices that do not report detailed information on the status of their updates will report Unknown. This is most likely devices that do not use Windows Update for deployment. | -| Update paused | These devices have Windows Update for Business pause enabled, preventing this update from being installed. | -| Failed | A device is unable to install an update. This failure could be linked to a serious error in the update installation process or, in some cases, a [compatibility hold](update-compliance-feature-update-status.md#compatibility-holds). | - -## Detailed deployment status - -The final blade is the **Detailed Deployment Status** blade. This blade breaks down the detailed stage of deployment a device is in, beyond the generalized terms defined in Deployment Status. The following are the possible stages a device can report: - -| State | Description | -| --- | --- | -| Update deferred | When a device’s Windows Update for Business policy dictates the update is deferred. | -| Update paused | The device’s Windows Update for Business policy dictates the update is paused from being offered. | -| Update offered | The device has been offered the update, but has not begun downloading it. | -| Pre-Download tasks passed | The device has finished all necessary tasks prior to downloading the update. | -| Compatibility hold | The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information see [Feature Update Status report](update-compliance-feature-update-status.md#compatibility-holds) | -| Download Started | The update has begun downloading on the device. | -| Download Succeeded | The update has successfully completed downloading. | -| Pre-Install Tasks Passed | Tasks that must be completed prior to installing the update have been completed. | -| Install Started | Installation of the update has begun. | -| Reboot Required | The device has finished installing the update, and a reboot is required before the update can be completed. -| Reboot Pending | The device has a scheduled reboot to apply the update. | -| Reboot Initiated | The scheduled reboot has been initiated. | -| Update Completed/Commit | The update has successfully installed. | - ->[!NOTE] ->Interacting with any rows in the perspective view will automatically apply the given value to the query and execute it with the new parameter, narrowing the perspective to devices that satisfy that criteria. For example, clicking “Not configured (-1)” devices in Deferral Configurations will filter the query to only contain devices that do not have a deferral configuration. These filters can also be applied to queries via the filter sidebar. +--- +title: Update Compliance - Perspectives +ms.reviewer: +manager: laurawi +description: an overview of Update Compliance Perspectives +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-analytics +ms.topic: article +--- + +# Perspectives + +![Perspectives data view](images/uc-perspectiveupdatedeploymentstatus.png) + +Perspectives are elaborations on specific queries hand-crafted by developers which data views that provide deeper insight into your data. Perspectives are loaded whenever clicking into more detailed views from both the Security Update Status section and Feature Update Status section of Update Compliance. + +There is only one perspective framework; it is for **Update Deployment Status**. The same framework is utilized for both feature and quality updates. + +The first blade is the **Build Summary** blade. This blade summarizes the most important aspects of the given build being queried, listing the total number of devices, the total number of update failures for the build, and a breakdown of the different errors encountered. + +The second blade is the **Deferral Configurations** blade, breaking down Windows Update for Business deferral settings (if any). + +## Deployment status + +The third blade is the **Deployment Status** blade. This defines how many days it has been since the queried version has been released, and breaks down the various states in the update funnel each device has reported to be in. The possible states are as follows: + +| State | Description | +| --- | --- | +| Update Completed | When a device has finished the update process and is on the queried update, it will display here as Update completed. | +| In Progress | Devices that report they are “In Progress” are one of the various stages of installing an update; these stages are reported in the Detailed Deployment Status blade. | +| Deferred | When a device’s Windows Update for Business deferral policy dictates that the update is not yet applicable due to deferral, it will report as such in this blade. | +| Progress stalled | Devices that report as “Progress stalled” have been stuck at “In progress” for more than 7 days. | +| Cancelled | The update was cancelled. | +| Blocked | There is a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update. | +| Unknown | Devices that do not report detailed information on the status of their updates will report Unknown. This is most likely devices that do not use Windows Update for deployment. | +| Update paused | These devices have Windows Update for Business pause enabled, preventing this update from being installed. | +| Failed | A device is unable to install an update. This failure could be linked to a serious error in the update installation process or, in some cases, a [compatibility hold](update-compliance-feature-update-status.md#compatibility-holds). | + +## Detailed deployment status + +The final blade is the **Detailed Deployment Status** blade. This blade breaks down the detailed stage of deployment a device is in, beyond the generalized terms defined in Deployment Status. The following are the possible stages a device can report: + +| State | Description | +| --- | --- | +| Update deferred | When a device’s Windows Update for Business policy dictates the update is deferred. | +| Update paused | The device’s Windows Update for Business policy dictates the update is paused from being offered. | +| Update offered | The device has been offered the update, but has not begun downloading it. | +| Pre-Download tasks passed | The device has finished all necessary tasks prior to downloading the update. | +| Compatibility hold | The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information see [Feature Update Status report](update-compliance-feature-update-status.md#compatibility-holds) | +| Download Started | The update has begun downloading on the device. | +| Download Succeeded | The update has successfully completed downloading. | +| Pre-Install Tasks Passed | Tasks that must be completed prior to installing the update have been completed. | +| Install Started | Installation of the update has begun. | +| Reboot Required | The device has finished installing the update, and a reboot is required before the update can be completed. +| Reboot Pending | The device has a scheduled reboot to apply the update. | +| Reboot Initiated | The scheduled reboot has been initiated. | +| Update Completed/Commit | The update has successfully installed. | + +>[!NOTE] +>Interacting with any rows in the perspective view will automatically apply the given value to the query and execute it with the new parameter, narrowing the perspective to devices that satisfy that criteria. For example, clicking “Not configured (-1)” devices in Deferral Configurations will filter the query to only contain devices that do not have a deferral configuration. These filters can also be applied to queries via the filter sidebar. diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md index 77c1d488c8..501c1bcb57 100644 --- a/windows/deployment/update/update-compliance-using.md +++ b/windows/deployment/update/update-compliance-using.md @@ -1,94 +1,94 @@ ---- -title: Using Update Compliance (Windows 10) -ms.reviewer: -manager: laurawi -description: Explains how to begin usihg Update Compliance. -keywords: oms, operations management suite, wdav, updates, upgrades, antivirus, antimalware, signature, log analytics -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.localizationpriority: medium -ms.collection: M365-analytics -ms.topic: article ---- - -# Use Update Compliance - -In this section you'll learn how to use Update Compliance to monitor your device's Windows updates and Windows Defender Antivirus status. To configure your environment for use with Update Compliance, refer to [Get started with Update Compliance](update-compliance-get-started.md). - - -Update Compliance: -- Provides detailed deployment data for Windows 10 security, quality, and feature updates. -- Reports when devices have issues related to updates that need attention. -- Shows Windows Defender AV status information for devices that use it and meet the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites). -- Shows bandwidth usage and savings for devices that are configured to use [Delivery Optimization](waas-delivery-optimization.md). -- Provides all of the above data in [Log Analytics](#using-log-analytics), which affords additional querying and export capabilities. - -## The Update Compliance tile -After Update Compliance has successfully been [added to your Azure subscription](update-compliance-get-started.md#add-update-compliance-to-your-azure-subscription), you’ll see this tile: - -![Update Compliance tile no data](images/UC_tile_assessing.png) - -When the solution is added, data is not immediately available. Data will begin to be collected after data is sent up that belongs to the Commercial ID associated with the device. This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). After Microsoft has collected and processed any device data associated with your Commercial ID, the tile will be replaced with the following summary: - -![Update Compliance tile with data](images/UC_tile_filled.png) - -The summary details the total number of devices that Microsoft has received data from with your Commercial ID. It also provides the number of devices that need attention if any. Finally, it details the last point at which your Update Compliance workspace was refreshed. - -## The Update Compliance workspace - -![Update Compliance workspace view](images/UC_workspace_needs_attention.png) - -When you select this tile, you will be redirected to the Update Compliance workspace. The workspace is organized with the Overview blade providing a hub from which to navigate to different reports of your devices' data. - -### Overview blade - -![The Overview blade](images/UC_workspace_overview_blade.png) - -Update Compliance’s overview blade summarizes all the data Update Compliance provides. It functions as a hub from which you can navigate to different sections. The total number of devices detected by Update Compliance is reported in the title of this blade. What follows is a distribution for all devices as to whether they are up to date on the following items: -* Security updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows 10. -* Feature updates: A device is up to date on feature updates whenever it has the latest applicable feature update installed. Update Compliance considers [Servicing Channel](waas-overview.md#servicing-channels) when determining update applicability. -* AV Signature: A device is up to date on Antivirus Signature when the latest Windows Defender Signatures have been downloaded. This distribution only considers devices that are running Windows Defender Antivirus. - -The blade also provides the time at which your Update Compliance workspace was [refreshed](#update-compliance-data-latency). - -The following is a breakdown of the different sections available in Update Compliance: -* [Need Attention!](update-compliance-need-attention.md) - This section is the default section when arriving to your Update Compliance workspace. It provides a summary of the different issues devices are facing relative to Windows 10 updates. -* [Security Update Status](update-compliance-security-update-status.md) - This section lists the percentage of devices that are on the latest security update released for the version of Windows 10 it is running. Selecting this section provides blades that summarize the overall status of security updates across all devices and a summary of their deployment progress towards the latest two security updates. -* [Feature Update Status](update-compliance-feature-update-status.md) - This section lists the percentage of devices that are on the latest feature update that is applicable to a given device. Selecting this section provides blades that summarize the overall feature update status across all devices and a summary of deployment status for different versions of Windows 10 in your environment. -* [Windows Defender AV Status](update-compliance-wd-av-status.md) - This section lists the percentage of devices running Windows Defender Antivirus that are not sufficiently protected. Selecting this section provides a summary of signature and threat status across all devices that are running Windows Defender Antivirus. This section is not applicable to devices not running Windows Defender Antivirus or devices that do not meet the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites) to be assessed. -* [Delivery Optimization Status](update-compliance-delivery-optimization.md) - This section summarizes bandwidth savings incurred by utilizing Delivery Optimization in your environment. It provides a breakdown of Delivery Optimization configuration across devices, and summarizes bandwidth savings and utilization across multiple content types. - - -## Update Compliance data latency -Update Compliance uses Windows 10 diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear. The process that follows is as follows: - -Update Compliance is refreshed every 12 hours. This means that every 12 hours all data that has been gathered over the last 12-hour interval is pushed to Log Analytics. However, the rate that each data type is sent and how long it takes to be ready for Update Compliance varies, roughly outlined below. - -| Data Type | Refresh Rate | Data Latency | -|--|--|--| -|WaaSUpdateStatus | Once per day |4 hours | -|WaaSInsiderStatus| Once per day |4 hours | -|WaaSDeploymentStatus|Every update event (Download, install, etc.)|24-36 hours | -|WDAVStatus|On signature update|24 hours | -|WDAVThreat|On threat detection|24 hours | -|WUDOAggregatedStatus|On update event, aggregated over time|24-36 hours | -|WUDOStatus|Once per day|12 hours | - -This means you should generally expect to see new data every 24-36 hours, except for WaaSDeploymentStatus and WUDOAggregatedStatus, which may take 36-48 hours (if it misses the 36th hour refresh, it would be in the 48th, so the data will be present in the 48th hour refresh). - -## Using Log Analytics - -Update Compliance is built on the Log Analytics platform that is integrated into Operations Management Suite. All data in the workspace is the direct result of a query. Understanding the tools and features at your disposal, all integrated within Azure Portal, can deeply enhance your experience and complement Update Compliance. - -See below for a few topics related to Log Analytics: -* Learn how to effectively execute custom Log Searches by referring to Microsoft Azure’s excellent documentation on [querying data in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-log-searches). -* To develop your own custom data views in Operations Management Suite or [Power BI](https://powerbi.microsoft.com/); check out documentation on [analyzing data for use in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-dashboards). -* [Gain an overview of Log Analytics’ alerts](https://docs.microsoft.com/azure/log-analytics/log-analytics-alerts) and learn how to use it to always stay informed about the most critical issues you care about. - -## Related topics - -[Get started with Update Compliance](update-compliance-get-started.md) +--- +title: Using Update Compliance (Windows 10) +ms.reviewer: +manager: laurawi +description: Explains how to begin usihg Update Compliance. +keywords: oms, operations management suite, wdav, updates, upgrades, antivirus, antimalware, signature, log analytics +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.localizationpriority: medium +ms.collection: M365-analytics +ms.topic: article +--- + +# Use Update Compliance + +In this section you'll learn how to use Update Compliance to monitor your device's Windows updates and Windows Defender Antivirus status. To configure your environment for use with Update Compliance, refer to [Get started with Update Compliance](update-compliance-get-started.md). + + +Update Compliance: +- Provides detailed deployment data for Windows 10 security, quality, and feature updates. +- Reports when devices have issues related to updates that need attention. +- Shows Windows Defender AV status information for devices that use it and meet the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites). +- Shows bandwidth usage and savings for devices that are configured to use [Delivery Optimization](waas-delivery-optimization.md). +- Provides all of the above data in [Log Analytics](#using-log-analytics), which affords additional querying and export capabilities. + +## The Update Compliance tile +After Update Compliance has successfully been [added to your Azure subscription](update-compliance-get-started.md#add-update-compliance-to-your-azure-subscription), you’ll see this tile: + +![Update Compliance tile no data](images/UC_tile_assessing.png) + +When the solution is added, data is not immediately available. Data will begin to be collected after data is sent up that belongs to the Commercial ID associated with the device. This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). After Microsoft has collected and processed any device data associated with your Commercial ID, the tile will be replaced with the following summary: + +![Update Compliance tile with data](images/UC_tile_filled.png) + +The summary details the total number of devices that Microsoft has received data from with your Commercial ID. It also provides the number of devices that need attention if any. Finally, it details the last point at which your Update Compliance workspace was refreshed. + +## The Update Compliance workspace + +![Update Compliance workspace view](images/UC_workspace_needs_attention.png) + +When you select this tile, you will be redirected to the Update Compliance workspace. The workspace is organized with the Overview blade providing a hub from which to navigate to different reports of your devices' data. + +### Overview blade + +![The Overview blade](images/UC_workspace_overview_blade.png) + +Update Compliance’s overview blade summarizes all the data Update Compliance provides. It functions as a hub from which you can navigate to different sections. The total number of devices detected by Update Compliance is reported in the title of this blade. What follows is a distribution for all devices as to whether they are up to date on the following items: +* Security updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows 10. +* Feature updates: A device is up to date on feature updates whenever it has the latest applicable feature update installed. Update Compliance considers [Servicing Channel](waas-overview.md#servicing-channels) when determining update applicability. +* AV Signature: A device is up to date on Antivirus Signature when the latest Windows Defender Signatures have been downloaded. This distribution only considers devices that are running Windows Defender Antivirus. + +The blade also provides the time at which your Update Compliance workspace was [refreshed](#update-compliance-data-latency). + +The following is a breakdown of the different sections available in Update Compliance: +* [Need Attention!](update-compliance-need-attention.md) - This section is the default section when arriving to your Update Compliance workspace. It provides a summary of the different issues devices are facing relative to Windows 10 updates. +* [Security Update Status](update-compliance-security-update-status.md) - This section lists the percentage of devices that are on the latest security update released for the version of Windows 10 it is running. Selecting this section provides blades that summarize the overall status of security updates across all devices and a summary of their deployment progress towards the latest two security updates. +* [Feature Update Status](update-compliance-feature-update-status.md) - This section lists the percentage of devices that are on the latest feature update that is applicable to a given device. Selecting this section provides blades that summarize the overall feature update status across all devices and a summary of deployment status for different versions of Windows 10 in your environment. +* [Windows Defender AV Status](update-compliance-wd-av-status.md) - This section lists the percentage of devices running Windows Defender Antivirus that are not sufficiently protected. Selecting this section provides a summary of signature and threat status across all devices that are running Windows Defender Antivirus. This section is not applicable to devices not running Windows Defender Antivirus or devices that do not meet the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites) to be assessed. +* [Delivery Optimization Status](update-compliance-delivery-optimization.md) - This section summarizes bandwidth savings incurred by utilizing Delivery Optimization in your environment. It provides a breakdown of Delivery Optimization configuration across devices, and summarizes bandwidth savings and utilization across multiple content types. + + +## Update Compliance data latency +Update Compliance uses Windows 10 diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear. The process that follows is as follows: + +Update Compliance is refreshed every 12 hours. This means that every 12 hours all data that has been gathered over the last 12-hour interval is pushed to Log Analytics. However, the rate that each data type is sent and how long it takes to be ready for Update Compliance varies, roughly outlined below. + +| Data Type | Refresh Rate | Data Latency | +|--|--|--| +|WaaSUpdateStatus | Once per day |4 hours | +|WaaSInsiderStatus| Once per day |4 hours | +|WaaSDeploymentStatus|Every update event (Download, install, etc.)|24-36 hours | +|WDAVStatus|On signature update|24 hours | +|WDAVThreat|On threat detection|24 hours | +|WUDOAggregatedStatus|On update event, aggregated over time|24-36 hours | +|WUDOStatus|Once per day|12 hours | + +This means you should generally expect to see new data every 24-36 hours, except for WaaSDeploymentStatus and WUDOAggregatedStatus, which may take 36-48 hours (if it misses the 36th hour refresh, it would be in the 48th, so the data will be present in the 48th hour refresh). + +## Using Log Analytics + +Update Compliance is built on the Log Analytics platform that is integrated into Operations Management Suite. All data in the workspace is the direct result of a query. Understanding the tools and features at your disposal, all integrated within Azure Portal, can deeply enhance your experience and complement Update Compliance. + +See below for a few topics related to Log Analytics: +* Learn how to effectively execute custom Log Searches by referring to Microsoft Azure’s excellent documentation on [querying data in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-log-searches). +* To develop your own custom data views in Operations Management Suite or [Power BI](https://powerbi.microsoft.com/); check out documentation on [analyzing data for use in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-dashboards). +* [Gain an overview of Log Analytics’ alerts](https://docs.microsoft.com/azure/log-analytics/log-analytics-alerts) and learn how to use it to always stay informed about the most critical issues you care about. + +## Related topics + +[Get started with Update Compliance](update-compliance-get-started.md) diff --git a/windows/deployment/update/update-compliance-wd-av-status.md b/windows/deployment/update/update-compliance-wd-av-status.md index 716a071e38..35deef9366 100644 --- a/windows/deployment/update/update-compliance-wd-av-status.md +++ b/windows/deployment/update/update-compliance-wd-av-status.md @@ -1,42 +1,42 @@ ---- -title: Update Compliance - Windows Defender AV Status report -ms.reviewer: -manager: laurawi -description: an overview of the Windows Defender AV Status report -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-analytics -ms.topic: article ---- - -# Windows Defender AV Status - -![The Windows Defender AV Status report](images/UC_workspace_WDAV_status.png) - -The Windows Defender AV Status section deals with data concerning signature and threat status for devices that use Windows Defender Antivirus. The section tile in the [Overview Blade](update-compliance-using.md#overview-blade) provides the percentage of devices with insufficient protection – this percentage only considers devices using Windows Defender Antivirus. - ->[!NOTE] ->Update Compliance's Windows Defender Antivirus status is compatible with E3, B, F1, VL Professional and below licenses. Devices with an E5 license are not shown here; devices with an E5 license can be monitored using the [Windows Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection). If you'd like to learn more about Windows 10 licensing, see the [Windows 10 product licensing options](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx). - -# Windows Defender AV Status sections -The **Protection Status** blade gives a count for devices that have either out-of-date signatures or real-time protection turned off. Below, it gives a more detailed breakdown of the two issues. Selecting any of these statuses will navigate you to a Log Search view containing the query. - -The **Threat Status** blade shows, among devices that have encountered threats, how many were and were not remediated successfully. It also provides a detailed count. Selecting either of these will take you to the respective query in Log Search for further investigation. - -Here are some important terms to consider when using the Windows Defender AV Status section of Update Compliance: -* **Signature out of date** devices are devices with a signature older than 14 days. -* **No real-time protection** devices are devices that are using Windows Defender AV but have turned off real-time protection. -* **Recently disappeared** devices are devices that were previously seen by Windows Defender AV and are no longer seen in the past 7 days. -* **Remediation failed** devices are devices where Windows Defender AV failed to remediate the threat. This could be due to a number of reasons, including a full disk, network error, operation aborted, etc. Manual intervention might be needed from IT team. -* **Not assessed** devices are devices where either a non-Microsoft AV solution is used or it has been more than 7 days since the device recently disappeared. - -## Windows Defender data latency -Because of the way Windows Defender is associated with the rest of Windows device data, Defender data for new devices might take much longer to appear than other data types. This process could take up to 28 days. - -## Related topics - -- [Windows Defender Antivirus pre-requisites](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting#confirm-pre-requisites) +--- +title: Update Compliance - Windows Defender AV Status report +ms.reviewer: +manager: laurawi +description: an overview of the Windows Defender AV Status report +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-analytics +ms.topic: article +--- + +# Windows Defender AV Status + +![The Windows Defender AV Status report](images/UC_workspace_WDAV_status.png) + +The Windows Defender AV Status section deals with data concerning signature and threat status for devices that use Windows Defender Antivirus. The section tile in the [Overview Blade](update-compliance-using.md#overview-blade) provides the percentage of devices with insufficient protection – this percentage only considers devices using Windows Defender Antivirus. + +>[!NOTE] +>Update Compliance's Windows Defender Antivirus status is compatible with E3, B, F1, VL Professional and below licenses. Devices with an E5 license are not shown here; devices with an E5 license can be monitored using the [Windows Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection). If you'd like to learn more about Windows 10 licensing, see the [Windows 10 product licensing options](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx). + +# Windows Defender AV Status sections +The **Protection Status** blade gives a count for devices that have either out-of-date signatures or real-time protection turned off. Below, it gives a more detailed breakdown of the two issues. Selecting any of these statuses will navigate you to a Log Search view containing the query. + +The **Threat Status** blade shows, among devices that have encountered threats, how many were and were not remediated successfully. It also provides a detailed count. Selecting either of these will take you to the respective query in Log Search for further investigation. + +Here are some important terms to consider when using the Windows Defender AV Status section of Update Compliance: +* **Signature out of date** devices are devices with a signature older than 14 days. +* **No real-time protection** devices are devices that are using Windows Defender AV but have turned off real-time protection. +* **Recently disappeared** devices are devices that were previously seen by Windows Defender AV and are no longer seen in the past 7 days. +* **Remediation failed** devices are devices where Windows Defender AV failed to remediate the threat. This could be due to a number of reasons, including a full disk, network error, operation aborted, etc. Manual intervention might be needed from IT team. +* **Not assessed** devices are devices where either a non-Microsoft AV solution is used or it has been more than 7 days since the device recently disappeared. + +## Windows Defender data latency +Because of the way Windows Defender is associated with the rest of Windows device data, Defender data for new devices might take much longer to appear than other data types. This process could take up to 28 days. + +## Related topics + +- [Windows Defender Antivirus pre-requisites](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting#confirm-pre-requisites) diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md index ec58b75fbc..6e137f1d82 100644 --- a/windows/deployment/update/waas-branchcache.md +++ b/windows/deployment/update/waas-branchcache.md @@ -1,71 +1,71 @@ ---- -title: Configure BranchCache for Windows 10 updates (Windows 10) -description: Use BranchCache to optimize network bandwidth during update deployment. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.date: 07/27/2017 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Configure BranchCache for Windows 10 updates - - -**Applies to** - -- Windows 10 - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to optimize network bandwidth during update deployment, and it’s easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode. - -- Distributed Cache mode operates like the [Delivery Optimization](waas-delivery-optimization.md) feature in Windows 10: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file. - - >[!TIP] - >Distributed Cache mode is preferred to Hosted Cache mode for Windows 10 updates to get the most benefit from peer-to-peer distribution. - -- In Hosted Cache mode, designated servers at specific locations act as a cache for files requested by clients in its area. Then, rather than clients retrieving files from a latent source, the hosted cache server provides the content on its behalf. - -For detailed information about how Distributed Cache mode and Hosted Cache mode work, see [BranchCache Overview](https://technet.microsoft.com/library/dd637832(v=ws.10).aspx). - -## Configure clients for BranchCache - -Whether you use BranchCache with Configuration Manager or WSUS, each client that uses BranchCache must be configured to do so. You typically make your configurations through Group Policy. For step-by-step instructions on how to use Group Policy to configure BranchCache for Windows clients, see [Client Configuration](https://technet.microsoft.com/library/dd637820%28v=ws.10%29.aspx) in the [BranchCache Early Adopter’s Guide](https://technet.microsoft.com/library/dd637762(v=ws.10).aspx). - -In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows 10, simply set the Delivery Optimization mode to Bypass to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode. - -## Configure servers for BranchCache - -You can use WSUS and Configuration Manager with BranchCache in Distributed Cache mode. BranchCache in Distributed Cache mode is easy to configure for both WSUS and System Center Configuration Manager. - -For a step-by-step guide to configuring BranchCache on Windows Server devices, see the [BranchCache Deployment Guide (Windows Server 2012)](https://technet.microsoft.com/library/jj572990) or [BranchCache Deployment Guide (Windows Server 2016)](https://technet.microsoft.com/windows-server-docs/networking/branchcache/deploy/branchcache-deployment-guide). - -In addition to these steps, there is one requirement for WSUS to be able to use BranchCache in either operating mode: the WSUS server must be configured to download updates locally on the server to a shared folder. This way, you can select BranchCache publication for the share. For Configuration Manager, you can enable BranchCache on distribution points; no other server-side configuration is necessary for Distributed Cache mode. - ->[!NOTE] ->Configuration Manager only supports Distributed Cache mode. - - -## Related topics - -- [Update Windows 10 in the enterprise](index.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) -- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) -- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using Configuration Manager](waas-manage-updates-configuration-manager.md) -- [Manage device restarts after updates](waas-restart.md) +--- +title: Configure BranchCache for Windows 10 updates (Windows 10) +description: Use BranchCache to optimize network bandwidth during update deployment. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.author: greglin +ms.date: 07/27/2017 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Configure BranchCache for Windows 10 updates + + +**Applies to** + +- Windows 10 + +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + +BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to optimize network bandwidth during update deployment, and it’s easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode. + +- Distributed Cache mode operates like the [Delivery Optimization](waas-delivery-optimization.md) feature in Windows 10: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file. + + >[!TIP] + >Distributed Cache mode is preferred to Hosted Cache mode for Windows 10 updates to get the most benefit from peer-to-peer distribution. + +- In Hosted Cache mode, designated servers at specific locations act as a cache for files requested by clients in its area. Then, rather than clients retrieving files from a latent source, the hosted cache server provides the content on its behalf. + +For detailed information about how Distributed Cache mode and Hosted Cache mode work, see [BranchCache Overview](https://technet.microsoft.com/library/dd637832(v=ws.10).aspx). + +## Configure clients for BranchCache + +Whether you use BranchCache with Configuration Manager or WSUS, each client that uses BranchCache must be configured to do so. You typically make your configurations through Group Policy. For step-by-step instructions on how to use Group Policy to configure BranchCache for Windows clients, see [Client Configuration](https://technet.microsoft.com/library/dd637820%28v=ws.10%29.aspx) in the [BranchCache Early Adopter’s Guide](https://technet.microsoft.com/library/dd637762(v=ws.10).aspx). + +In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows 10, simply set the Delivery Optimization mode to Bypass to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode. + +## Configure servers for BranchCache + +You can use WSUS and Configuration Manager with BranchCache in Distributed Cache mode. BranchCache in Distributed Cache mode is easy to configure for both WSUS and System Center Configuration Manager. + +For a step-by-step guide to configuring BranchCache on Windows Server devices, see the [BranchCache Deployment Guide (Windows Server 2012)](https://technet.microsoft.com/library/jj572990) or [BranchCache Deployment Guide (Windows Server 2016)](https://technet.microsoft.com/windows-server-docs/networking/branchcache/deploy/branchcache-deployment-guide). + +In addition to these steps, there is one requirement for WSUS to be able to use BranchCache in either operating mode: the WSUS server must be configured to download updates locally on the server to a shared folder. This way, you can select BranchCache publication for the share. For Configuration Manager, you can enable BranchCache on distribution points; no other server-side configuration is necessary for Distributed Cache mode. + +>[!NOTE] +>Configuration Manager only supports Distributed Cache mode. + + +## Related topics + +- [Update Windows 10 in the enterprise](index.md) +- [Overview of Windows as a service](waas-overview.md) +- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) +- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) +- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) +- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) +- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) +- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) +- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) +- [Configure Windows Update for Business](waas-configure-wufb.md) +- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) +- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) +- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) +- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) +- [Deploy Windows 10 updates using Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index b9c42b697b..d444923319 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md @@ -6,6 +6,7 @@ description: You can use Group Policy or your mobile device management (MDM) ser ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.localizationpriority: medium ms.author: greglin @@ -27,8 +28,8 @@ ms.topic: article You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and above. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). ->[!IMPORTANT] ->Beginning with Windows 10, version 1903, organizations can use Windows Update for Business policies, regardless of the diagnostic data level chosen. If the diagnostic data level is set to **0 (Security)**, Windows Update for Business policies will still be honored. For instructions, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels). +> [!IMPORTANT] +> Beginning with Windows 10, version 1903, organizations can use Windows Update for Business policies, regardless of the diagnostic data level chosen. If the diagnostic data level is set to **0 (Security)**, Windows Update for Business policies will still be honored. For instructions, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels). Some Windows Update for Business policies are not applicable or behave differently for devices running Windows 10 Mobile Enterprise. Specifically, policies pertaining to Feature Updates will not be applied to Windows 10 Mobile Enterprise. All Windows 10 Mobile updates are recognized as Quality Updates, and can only be deferred or paused using the Quality Update policy settings. Additional information is provided in this topic and in [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md). diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index 53b0e9a3bf..fec88b2720 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md @@ -7,6 +7,7 @@ keywords: oms, operations management suite, wdav, updates, downloads, log analyt ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.localizationpriority: medium ms.author: greglin @@ -106,7 +107,7 @@ Download mode dictates which download sources clients are allowed to use when do | --- | --- | | HTTP Only (0) | This setting disables peer-to-peer caching but still allows Delivery Optimization to download content over HTTP from the download's original source. This mode uses additional metadata provided by the Delivery Optimization cloud services for a peerless reliable and efficient download experience. | | LAN (1 – Default) | This default operating mode for Delivery Optimization enables peer sharing on the same network. The Delivery Optimization cloud service finds other clients that connect to the Internet using the same public IP as the target client. These clients then attempts to connect to other peers on the same network by using their private subnet IP.| -| Group (2) | When group mode is set, the group is automatically selected based on the device’s Active Directory Domain Services (AD DS) site (Windows 10, version 1607), or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use the GroupID option to create your own custom group independently of domains and Active Directory Domain Services sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other methods to create groups dynamically. Group download mode is the recommended option for most organizations looking to leverage bandwidth with Delivery Optimization. | +| Group (2) | When group mode is set, the group is automatically selected based on the device’s Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and AD DS sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. | | Internet (3) | Enable Internet peer sources for Delivery Optimization. | | Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. | |Bypass (100) | Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using SCCM. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **0** or **99**. | @@ -116,7 +117,7 @@ Download mode dictates which download sources clients are allowed to use when do ### Group ID -By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization, but do not fall within those domains or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group. +By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group. [//]: # (SCCM Boundary Group option; GroupID Source policy) @@ -128,7 +129,7 @@ By default, peer sharing on clients using the group download mode is limited to ### Select the source of Group IDs Starting in Windows 10, version 1803, set this policy to restrict peer selection to a specific source. The options are: - 0 = not set -- 1 = Authenticated Domain Site +- 1 = AD Site - 2 = Authenticated domain SID - 3 = DHCP Option ID (with this option, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID) - 4 = DNS Suffix diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md index 848ed759c2..f21112405f 100644 --- a/windows/deployment/update/waas-delivery-optimization-setup.md +++ b/windows/deployment/update/waas-delivery-optimization-setup.md @@ -1,190 +1,190 @@ ---- -title: Set up Delivery Optimization -ms.reviewer: -manager: laurawi -description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10 -keywords: oms, operations management suite, wdav, updates, downloads, log analytics -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - -# Set up Delivery Optimization for Windows 10 updates - -**Applies to** - -- Windows 10 - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -## Recommended Delivery Optimization settings - -Delivery Optimization offers a great many settings to fine-tune its behavior (see [Delivery Optimization reference](waas-delivery-optimization-reference.md) for a comprehensive list), but for the most efficient performance, there are just a few key parameters that will have the greates impact if particular situations exist in your deployment: - -- Does your topology include multiple breakouts to the internet (i.e., a "hybrid WAN") or are there only a few connections to the internet, so that all requests appear to come from a single external IP address (a "hub and spoke" topology)? -- If you use boundary groups in your topology, how many devices are present in a given group? -- What percentage of your devices are mobile? -- Do your devices have a lot of free space on their drives? -- Do you have a lab scenario with many devices on AC power? - ->[!NOTE] ->These scenarios (and the recommended settings for each) are not mutually exclusive. It's possible that your deployment might involve more than one of these scenarios, in which case you can employ the related settings in any combination as needed. In all cases, however, "download mode" is the most important one to set. - -Quick-reference table: - -| Use case | Policy | Recommended value | Reason | -| --- | --- | --- | --- | -| Hub & spoke topology | Download mode | 1 or 2 | Automatic grouping of peers to match your topology | -| Sites with > 30 devices | Minimum file size to cache | 10 MB (or 1 MB) | Leverage peers-to-peer capability in more downloads | -| Large number of mobile devices | Allow uploads on battery power | 60% | Increase # of devices that can upload while limiting battery drain | -| Labs with AC-powered devices | Content Expiration | 7 (up to 30) days | Leverage devices that can upload more for a longer period | - - -### Hybrid WAN scenario - -For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group is the authenticated domain or Active Directory site. If your domain-based group is too wide, or your Active Directory sites aren’t aligned with your site network topology, then you should consider additional options for dynamically creating groups, for example by using the GroupIDSrc parameter. - - - - -To do this in Group Policy go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. - -To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set DODownloadMode to 1 or 2. - -### Hub and spoke topology with boundary groups - -The default download mode setting is **1**; this means all devices breaking out to the internet using the same public IP will be considered as a single peer group. To prevent peer-to-peer activity across groups, you should set the download mode to **2**. If you have already defined Active Directory sites per hub or branch office, then you don't need to do anything else. If you're not using Active Directory sites, you should set *RestrictPeerSelectionBy* policies to restrict the activity to the subnet or set a different source for Groups by using the GroupIDSrc parameter. See [Select a method to restrict peer selection](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection). - - - -To do this in Group Policy go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. - -To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set **DODownloadMode** to **2**. - - -### Large number of mobile devices - -If you have a mobile workforce with a great many mobile devices, set Delivery Optimization to allow uploads on battery power, while limiting the use to prevent battery drain. A setting for **DOMinBatteryPercentageAllowedToUpload** of 60% is a good starting point, though you might want to adjust it later. - -To do this in Group Policy, go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Allow uploads while the device is on battery while under set Battery level** to 60. - -To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set **DOMinBatteryPercentageAllowedToUpload** to 60. - -### Plentiful free space and large numbers of devices - -Many devices now come with large internal drives. You can set Delivery Optimization to take better advantage of this space (especially if you have large numbers of devices) by changing the minimum file size to cache. If you have more than 30 devices in your local network or group, change it from the default 50 MB to 10 MB. If you have more than 100 devices (and are running Windows 10, version 1803 or later), set this value to 1 MB. - -[//]: # (default of 50 aimed at consumer) - -To do this in Group Policy, go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Minimum Peer Caching Content File Size** to 100 (if you have more than 30 devices) or 1 (if you have more than 100 devices). - -To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set **DOMinFileSizeToCache** to 100 (if you have more than 30 devices) or 1 (if you have more than 100 devices). - -### Lab scenario - -In a lab situation, you typically have a large number of devices that are plugged in and have a lot of free disk space. By increasing the content expiration interval, you can take advantage of these devices, using them as excellent upload sources in order to upload much more content over a longer period. - -To do this in Group Policy, go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Max Cache Age** to **6048000** (7 days) or more (up to 30 days). - -To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set DOMaxCacheAge to 7 or more (up to 30 days). - -[//]: # (material about "preferred" devices; remove MinQos/MaxCacheAge; table format?) - - -## Monitor Delivery Optimization -[//]: # (How to tell if it’s working? What values are reasonable; which are not? If not, which way to adjust and how? -- check PercentPeerCaching for files > minimum >= 50%) - -### Windows PowerShell cmdlets - -**Starting in Windows 10, version 1703**, you can use new PowerShell cmdlets to check the performance of Delivery Optimization. - -#### Analyze usage - -`Get-DeliveryOptimizationStatus` returns a real-time snapshot of all current Delivery Optimization jobs. - -| Key | Value | -| --- | --- | -| File ID | A GUID that identifies the file being processed | -| Priority | Priority of the download; values are **foreground** or **background** | -| FileSize | Size of the file | -| TotalBytesDownloaded | The number of bytes from any source downloaded so far | -| PercentPeerCaching |The percentage of bytes downloaded from peers versus over HTTP | -| BytesFromPeers | Total bytes downloaded from peer devices (sum of bytes downloaded from LAN, Group, and Internet Peers) | -| BytesfromHTTP | Total number of bytes received over HTTP | -| DownloadDuration | Total download time in seconds | -| Status | Current state of the operation. Possible values are: **Downloading** (download in progress); **Complete** (download completed, but is not uploading yet); **Caching** (download completed successfully and is ready to upload or uploading); **Paused** (download/upload paused by caller) | -| NumPeers | Indicates the total number of peers returned from the service. | -| PredefinedCallerApplication | Indicates the last caller that initiated a request for the file. | -| ExpireOn | The target expiration date and time for the file. | -| Pinned | A yes/no value indicating whether an item has been "pinned" in the cache (see `setDeliveryOptmizationStatus`). | - -`Get-DeliveryOptimizationPerfSnap` returns a list of key performance data: - -- Number of files downloaded  -- Number of files uploaded  -- Total bytes downloaded  -- Total bytes uploaded  -- Average transfer size (download); that is, the number bytes downloaded divided by the number of files  -- Average transfer size (upload); the number of bytes uploaded divided by the number of files -- Peer efficiency; same as PercentPeerCaching - -Using the `-Verbose` option returns additional information: - -- Bytes from peers (per type)  -- Bytes from CDN (the number of bytes received over HTTP) -- Average number of peer connections per download  - -Starting in Window 10, version 1903, `get-DeliveryOptimizationPerfSnap` has a new option `-CacheSummary` which provides a summary of the cache status. - -Starting in Windows 10, version 1803, `Get-DeliveryOptimizationPerfSnapThisMonth` returns data similar to that from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month. - -#### Manage the Delivery Optimization cache - -**Starting in Windows 10, version 1903:** - -`set-DeliveryOptimizationStatus -ExpireOn [date time]` extends the expiration of all files in the cache. You can set the expiration immediately for all files that are in the "caching" state. For files in progress ("downloading"), the expiration is applied once the download is complete. You can set the expiration up to one year from the current date and time. - -`set-DeliveryOptimizationStatus -ExpireOn [date time] -FileID [FileID]` extends expiration for a single specific file in the cache. - -You can now "pin" files to keep them persistent in the cache. You can only do this with files that are downloaded in modes 1, 2, or 3. - -`set-DeliveryOptimizationStatus -Pin [True] -File ID [FileID]` keeps a specific file in the cache such that it won't be deleted until the expiration date and time (which you set with `set-DeliveryOptimizationStatus -ExpireOn [date time] -FileID [FileID]`). The file is also excluded from the cache quota calculation. - -`set-DeliveryOptimizationStatus -Pin [False] -File ID [FileID]` "unpins" a file, so that it will be deleted when the expiration date and time are rreached. The file is included in the cache quota calculation. - -`delete-DeliveryOptimizationCache` lets you clear files from the cache and remove all persisted data related to them. You can use these options with this cmdlet: - -- `-FileID` specifies a particular file to delete. -- `-IncludePinnedFiles` deletes all files that are pinned. -- `-Force` deletes the cache with no prompts. - - -#### Work with Delivery Optimization logs - -**Starting in Windows 10, version 1803:** - -`Get-DeliveryOptimizationLog [-Path ] [-Flush]` - -If `Path` is not specified, this cmdlet reads all logs from the dosvc log directory, which requires administrator permissions. If `Flush` is specified, the cmdlet stops dosvc before reading logs. - -Log entries are written to the PowerShell pipeline as objects. To dump logs to a text file, run `Get-DeliveryOptimizationLog | Set-Content ` or something similar. - -[//]: # (section on what to look for in logs, list of peers, connection failures) - - - -[//]: # (possibly move to Troubleshooting) - -### Monitor with Update Compliance - -The Update Compliance solution of Windows Analytics provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days. - -![DO status](images/UC_workspace_DO_status.png) - -For details, see [Delivery Optimization in Update Compliance](update-compliance-delivery-optimization.md). - +--- +title: Set up Delivery Optimization +ms.reviewer: +manager: laurawi +description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10 +keywords: oms, operations management suite, wdav, updates, downloads, log analytics +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Set up Delivery Optimization for Windows 10 updates + +**Applies to** + +- Windows 10 + +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + +## Recommended Delivery Optimization settings + +Delivery Optimization offers a great many settings to fine-tune its behavior (see [Delivery Optimization reference](waas-delivery-optimization-reference.md) for a comprehensive list), but for the most efficient performance, there are just a few key parameters that will have the greates impact if particular situations exist in your deployment: + +- Does your topology include multiple breakouts to the internet (i.e., a "hybrid WAN") or are there only a few connections to the internet, so that all requests appear to come from a single external IP address (a "hub and spoke" topology)? +- If you use boundary groups in your topology, how many devices are present in a given group? +- What percentage of your devices are mobile? +- Do your devices have a lot of free space on their drives? +- Do you have a lab scenario with many devices on AC power? + +>[!NOTE] +>These scenarios (and the recommended settings for each) are not mutually exclusive. It's possible that your deployment might involve more than one of these scenarios, in which case you can employ the related settings in any combination as needed. In all cases, however, "download mode" is the most important one to set. + +Quick-reference table: + +| Use case | Policy | Recommended value | Reason | +| --- | --- | --- | --- | +| Hub & spoke topology | Download mode | 1 or 2 | Automatic grouping of peers to match your topology | +| Sites with > 30 devices | Minimum file size to cache | 10 MB (or 1 MB) | Leverage peers-to-peer capability in more downloads | +| Large number of mobile devices | Allow uploads on battery power | 60% | Increase # of devices that can upload while limiting battery drain | +| Labs with AC-powered devices | Content Expiration | 7 (up to 30) days | Leverage devices that can upload more for a longer period | + + +### Hybrid WAN scenario + +For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group is the authenticated domain or Active Directory site. If your domain-based group is too wide, or your Active Directory sites aren’t aligned with your site network topology, then you should consider additional options for dynamically creating groups, for example by using the GroupIDSrc parameter. + + + + +To do this in Group Policy go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. + +To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set DODownloadMode to 1 or 2. + +### Hub and spoke topology with boundary groups + +The default download mode setting is **1**; this means all devices breaking out to the internet using the same public IP will be considered as a single peer group. To prevent peer-to-peer activity across groups, you should set the download mode to **2**. If you have already defined Active Directory sites per hub or branch office, then you don't need to do anything else. If you're not using Active Directory sites, you should set *RestrictPeerSelectionBy* policies to restrict the activity to the subnet or set a different source for Groups by using the GroupIDSrc parameter. See [Select a method to restrict peer selection](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection). + + + +To do this in Group Policy go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. + +To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set **DODownloadMode** to **2**. + + +### Large number of mobile devices + +If you have a mobile workforce with a great many mobile devices, set Delivery Optimization to allow uploads on battery power, while limiting the use to prevent battery drain. A setting for **DOMinBatteryPercentageAllowedToUpload** of 60% is a good starting point, though you might want to adjust it later. + +To do this in Group Policy, go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Allow uploads while the device is on battery while under set Battery level** to 60. + +To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set **DOMinBatteryPercentageAllowedToUpload** to 60. + +### Plentiful free space and large numbers of devices + +Many devices now come with large internal drives. You can set Delivery Optimization to take better advantage of this space (especially if you have large numbers of devices) by changing the minimum file size to cache. If you have more than 30 devices in your local network or group, change it from the default 50 MB to 10 MB. If you have more than 100 devices (and are running Windows 10, version 1803 or later), set this value to 1 MB. + +[//]: # (default of 50 aimed at consumer) + +To do this in Group Policy, go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Minimum Peer Caching Content File Size** to 100 (if you have more than 30 devices) or 1 (if you have more than 100 devices). + +To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set **DOMinFileSizeToCache** to 100 (if you have more than 30 devices) or 1 (if you have more than 100 devices). + +### Lab scenario + +In a lab situation, you typically have a large number of devices that are plugged in and have a lot of free disk space. By increasing the content expiration interval, you can take advantage of these devices, using them as excellent upload sources in order to upload much more content over a longer period. + +To do this in Group Policy, go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Max Cache Age** to **6048000** (7 days) or more (up to 30 days). + +To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set DOMaxCacheAge to 7 or more (up to 30 days). + +[//]: # (material about "preferred" devices; remove MinQos/MaxCacheAge; table format?) + + +## Monitor Delivery Optimization +[//]: # (How to tell if it’s working? What values are reasonable; which are not? If not, which way to adjust and how? -- check PercentPeerCaching for files > minimum >= 50%) + +### Windows PowerShell cmdlets + +**Starting in Windows 10, version 1703**, you can use new PowerShell cmdlets to check the performance of Delivery Optimization. + +#### Analyze usage + +`Get-DeliveryOptimizationStatus` returns a real-time snapshot of all current Delivery Optimization jobs. + +| Key | Value | +| --- | --- | +| File ID | A GUID that identifies the file being processed | +| Priority | Priority of the download; values are **foreground** or **background** | +| FileSize | Size of the file | +| TotalBytesDownloaded | The number of bytes from any source downloaded so far | +| PercentPeerCaching |The percentage of bytes downloaded from peers versus over HTTP | +| BytesFromPeers | Total bytes downloaded from peer devices (sum of bytes downloaded from LAN, Group, and Internet Peers) | +| BytesfromHTTP | Total number of bytes received over HTTP | +| DownloadDuration | Total download time in seconds | +| Status | Current state of the operation. Possible values are: **Downloading** (download in progress); **Complete** (download completed, but is not uploading yet); **Caching** (download completed successfully and is ready to upload or uploading); **Paused** (download/upload paused by caller) | +| NumPeers | Indicates the total number of peers returned from the service. | +| PredefinedCallerApplication | Indicates the last caller that initiated a request for the file. | +| ExpireOn | The target expiration date and time for the file. | +| Pinned | A yes/no value indicating whether an item has been "pinned" in the cache (see `setDeliveryOptmizationStatus`). | + +`Get-DeliveryOptimizationPerfSnap` returns a list of key performance data: + +- Number of files downloaded  +- Number of files uploaded  +- Total bytes downloaded  +- Total bytes uploaded  +- Average transfer size (download); that is, the number bytes downloaded divided by the number of files  +- Average transfer size (upload); the number of bytes uploaded divided by the number of files +- Peer efficiency; same as PercentPeerCaching + +Using the `-Verbose` option returns additional information: + +- Bytes from peers (per type)  +- Bytes from CDN (the number of bytes received over HTTP) +- Average number of peer connections per download  + +Starting in Window 10, version 1903, `get-DeliveryOptimizationPerfSnap` has a new option `-CacheSummary` which provides a summary of the cache status. + +Starting in Windows 10, version 1803, `Get-DeliveryOptimizationPerfSnapThisMonth` returns data similar to that from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month. + +#### Manage the Delivery Optimization cache + +**Starting in Windows 10, version 1903:** + +`set-DeliveryOptimizationStatus -ExpireOn [date time]` extends the expiration of all files in the cache. You can set the expiration immediately for all files that are in the "caching" state. For files in progress ("downloading"), the expiration is applied once the download is complete. You can set the expiration up to one year from the current date and time. + +`set-DeliveryOptimizationStatus -ExpireOn [date time] -FileID [FileID]` extends expiration for a single specific file in the cache. + +You can now "pin" files to keep them persistent in the cache. You can only do this with files that are downloaded in modes 1, 2, or 3. + +`set-DeliveryOptimizationStatus -Pin [True] -File ID [FileID]` keeps a specific file in the cache such that it won't be deleted until the expiration date and time (which you set with `set-DeliveryOptimizationStatus -ExpireOn [date time] -FileID [FileID]`). The file is also excluded from the cache quota calculation. + +`set-DeliveryOptimizationStatus -Pin [False] -File ID [FileID]` "unpins" a file, so that it will be deleted when the expiration date and time are rreached. The file is included in the cache quota calculation. + +`delete-DeliveryOptimizationCache` lets you clear files from the cache and remove all persisted data related to them. You can use these options with this cmdlet: + +- `-FileID` specifies a particular file to delete. +- `-IncludePinnedFiles` deletes all files that are pinned. +- `-Force` deletes the cache with no prompts. + + +#### Work with Delivery Optimization logs + +**Starting in Windows 10, version 1803:** + +`Get-DeliveryOptimizationLog [-Path ] [-Flush]` + +If `Path` is not specified, this cmdlet reads all logs from the dosvc log directory, which requires administrator permissions. If `Flush` is specified, the cmdlet stops dosvc before reading logs. + +Log entries are written to the PowerShell pipeline as objects. To dump logs to a text file, run `Get-DeliveryOptimizationLog | Set-Content ` or something similar. + +[//]: # (section on what to look for in logs, list of peers, connection failures) + + + +[//]: # (possibly move to Troubleshooting) + +### Monitor with Update Compliance + +The Update Compliance solution of Windows Analytics provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days. + +![DO status](images/UC_workspace_DO_status.png) + +For details, see [Delivery Optimization in Update Compliance](update-compliance-delivery-optimization.md). + diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index a7e4b0a82e..5f840139e5 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -7,6 +7,7 @@ keywords: oms, operations management suite, wdav, updates, downloads, log analyt ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.localizationpriority: medium ms.author: greglin diff --git a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md index 195f3a72a4..d9effb684b 100644 --- a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md +++ b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md @@ -1,74 +1,74 @@ ---- -title: Build deployment rings for Windows 10 updates (Windows 10) -description: Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.date: 07/11/2018 -ms.reviewer: -manager: laurawi -ms.collection: M365-modern-desktop -ms.topic: article ---- - -# Build deployment rings for Windows 10 updates - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -For Windows as a service, maintenance is ongoing and iterative. Deploying previous versions of Windows required organizations to build sets of users to roll out the changes in phases. Typically, these users ranged (in order) from the most adaptable and least risky to the least adaptable or riskiest. With Windows 10, a similar methodology exists, but construction of the groups is a little different. - -Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades. They are simply a method by which to separate machines into a deployment timeline. With Windows 10, you construct deployment rings a bit differently in each servicing tool, but the concepts remain the same. Each deployment ring should reduce the risk of issues derived from the deployment of the feature updates by gradually deploying the update to entire departments. As previously mentioned, consider including a portion of each department’s employees in several deployment rings. - -Defining deployment rings is generally a one-time event (or at least infrequent), but IT should revisit these groups to ensure that the sequencing is still correct. Also, there are times in which client computers could move between different deployment rings when necessary. - -Table 1 provides an example of the deployment rings you might use. - -**Table 1** - -| Deployment ring | Servicing channel | Deferral for feature updates | Deferral for quality updates | Example | -| --- | --- | --- | --- | --- | -| Preview | Windows Insider Program | None | None | A few machines to evaluate early builds prior to their arrival to the semi-annual channel | -| Targeted | Semi-annual channel (Targeted) | None | None | Select devices across various teams used to evaluate the major release prior to broad deployment | -| Broad | Semi-annual channel | 120 days | 7-14 days | Broadly deployed to most of the organization and monitored for feedback
          Pause updates if there are critical issues | -| Critical | Semi-annual channel | 180 days | 30 days | Devices that are critical and will only receive updates once they've been vetted for a period of time by the majority of the organization | - ->[!NOTE] ->In this example, there are no rings made up of the long-term servicing channel (LTSC). The LTSC does not receive feature updates. - - -As Table 1 shows, each combination of servicing channel and deployment group is tied to a specific deployment ring. As you can see, the associated groups of devices are combined with a servicing channel to specify which deployment ring those devices and their users fall into. The naming convention used to identify the rings is completely customizable as long as the name clearly identifies the sequence. Deployment rings represent a sequential deployment timeline, regardless of the servicing channel they contain. Deployment rings will likely rarely change for an organization, but they should be periodically assessed to ensure that the deployment cadence still makes sense. - - -## Steps to manage updates for Windows 10 - -| | | -| --- | --- | -| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) | -| ![done](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | -| ![done](images/checklistdone.png) | Build deployment rings for Windows 10 updates (this topic) | -| ![to do](images/checklistbox.gif) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | -| ![to do](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | -| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
          or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
          or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | - -## Related topics - -- [Update Windows 10 in the enterprise](index.md) -- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure) -- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) -- [Manage device restarts after updates](waas-restart.md) - +--- +title: Build deployment rings for Windows 10 updates (Windows 10) +description: Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.author: greglin +ms.date: 07/11/2018 +ms.reviewer: +manager: laurawi +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Build deployment rings for Windows 10 updates + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + +For Windows as a service, maintenance is ongoing and iterative. Deploying previous versions of Windows required organizations to build sets of users to roll out the changes in phases. Typically, these users ranged (in order) from the most adaptable and least risky to the least adaptable or riskiest. With Windows 10, a similar methodology exists, but construction of the groups is a little different. + +Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades. They are simply a method by which to separate machines into a deployment timeline. With Windows 10, you construct deployment rings a bit differently in each servicing tool, but the concepts remain the same. Each deployment ring should reduce the risk of issues derived from the deployment of the feature updates by gradually deploying the update to entire departments. As previously mentioned, consider including a portion of each department’s employees in several deployment rings. + +Defining deployment rings is generally a one-time event (or at least infrequent), but IT should revisit these groups to ensure that the sequencing is still correct. Also, there are times in which client computers could move between different deployment rings when necessary. + +Table 1 provides an example of the deployment rings you might use. + +**Table 1** + +| Deployment ring | Servicing channel | Deferral for feature updates | Deferral for quality updates | Example | +| --- | --- | --- | --- | --- | +| Preview | Windows Insider Program | None | None | A few machines to evaluate early builds prior to their arrival to the semi-annual channel | +| Targeted | Semi-annual channel (Targeted) | None | None | Select devices across various teams used to evaluate the major release prior to broad deployment | +| Broad | Semi-annual channel | 120 days | 7-14 days | Broadly deployed to most of the organization and monitored for feedback
          Pause updates if there are critical issues | +| Critical | Semi-annual channel | 180 days | 30 days | Devices that are critical and will only receive updates once they've been vetted for a period of time by the majority of the organization | + +>[!NOTE] +>In this example, there are no rings made up of the long-term servicing channel (LTSC). The LTSC does not receive feature updates. + + +As Table 1 shows, each combination of servicing channel and deployment group is tied to a specific deployment ring. As you can see, the associated groups of devices are combined with a servicing channel to specify which deployment ring those devices and their users fall into. The naming convention used to identify the rings is completely customizable as long as the name clearly identifies the sequence. Deployment rings represent a sequential deployment timeline, regardless of the servicing channel they contain. Deployment rings will likely rarely change for an organization, but they should be periodically assessed to ensure that the deployment cadence still makes sense. + + +## Steps to manage updates for Windows 10 + +| | | +| --- | --- | +| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) | +| ![done](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | +| ![done](images/checklistdone.png) | Build deployment rings for Windows 10 updates (this topic) | +| ![to do](images/checklistbox.gif) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | +| ![to do](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | +| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
          or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
          or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | + +## Related topics + +- [Update Windows 10 in the enterprise](index.md) +- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) +- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) +- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) +- [Configure Windows Update for Business](waas-configure-wufb.md) +- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) +- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) +- [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure) +- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) +- [Manage device restarts after updates](waas-restart.md) + diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md index e3d00db3ff..5cf9e1b52e 100644 --- a/windows/deployment/update/waas-integrate-wufb.md +++ b/windows/deployment/update/waas-integrate-wufb.md @@ -1,116 +1,116 @@ ---- -title: Integrate Windows Update for Business with management solutions (Windows 10) -description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and System Center Configuration Manager. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.date: 07/27/2017 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Integrate Windows Update for Business with management solutions - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -You can integrate Windows Update for Business deployments with existing management tools such as Windows Server Update Services (WSUS) and System Center Configuration Manager. - -## Integrate Windows Update for Business with Windows Server Update Services - - -For Windows 10, version 1607, devices can now be configured to receive updates from both Windows Update (or Microsoft Update) and Windows Server Update Services (WSUS). In a joint WSUS and Windows Update for Business setup: - -- Devices will receive their Windows content from Microsoft and defer these updates according to Windows Update for Business policy -- All other content synced from WSUS will be directly applied to the device; that is, updates to products other than Windows will not follow your Windows Update for Business deferral policies - -### Configuration example \#1: Deferring Windows Update updates with other update content hosted on WSUS - -**Configuration:** - -- Device is configured to defer Windows Quality Updates using Windows Update for Business -- Device is also configured to be managed by WSUS -- Device is not configured to enable Microsoft Update (**Update/AllowMUUpdateService** = not enabled) -- Admin has opted to put updates to Office and other products on WSUS -- Admin has also put 3rd party drivers on WSUS - - - - - -
          ContentMetadata sourcePayload sourceDeferred?
          Updates to WindowsWindows UpdateWindows UpdateYesdiagram of content flow
          Updates to Office and other productsWSUSWSUSNo
          Third-party driversWSUSWSUSNo
          - -### Configuration example \#2: Excluding drivers from Windows Quality Updates using Windows Update for Business - -**Configuration:** - -- Device is configured to defer Windows Quality Updates and to exclude drivers from Windows Update Quality Updates (**ExcludeWUDriversInQualityUpdate** = enabled) -- Device is also configured to be managed by WSUS -- Admin has opted to put Windows Update drivers on WSUS - - - - - - - -
          ContentMetadata sourcePayload sourceDeferred?
          Updates to Windows (excluding drivers)Windows UpdateWindows UpdateYesdiagram of content flow
          Updates to Office and other productsWSUSWSUSNo
          DriversWSUSWSUSNo
          - -### Configuration example \#3: Device configured to receive Microsoft updates - -**Configuration:** - -- Device is configured to defer Quality Updates using Windows Update for Business and to be managed by WSUS -- Device is configured to “receive updates for other Microsoft products” along with updates to Windows (**Update/AllowMUUpdateService** = enabled) -- Admin has also placed Microsoft Update, third-paprty, and locally-published update content on the WSUS server - -In this example, the deferral behavior for updates to Office and other non-Windows products is slightly different than if WSUS were not enabled. -- In a non-WSUS case, these updates would be deferred just as any update to Windows would be. -- However, with WSUS also configured, these updates are sourced from Microsoft but deferral policies are not applied. - - - - - - -
          ContentMetadata sourcePayload sourceDeferred?
          Updates to Windows (excluding drivers)Microsoft UpdateMicrosoft UpdateYesdiagram of content flow
          Updates to Office and other productsMicrosoft UpdateMicrosoft UpdateNo
          Drivers, third-party applicationsWSUSWSUSNo
          - ->[!NOTE] -> Because the admin enabled **Update/AllowMUUpdateService**, placing the content on WSUS was not needed for the particular device, as the device will always receive Microsoft Update content from Microsoft when configured in this manner. - -## Integrate Windows Update for Business with System Center Configuration Manager - -For Windows 10, version 1607, organizations already managing their systems with a Configuration Manager solution can also have their devices configured for Windows Update for Business (i.e. setting deferral policies on those devices). Such devices will be visible in the Configuration Manager console, however they will appear with a detection state of **Unknown**. - -![Example of unknown devices](images/wufb-sccm.png) - -For more information, see [Integration with Windows Update for Business in Windows 10](https://docs.microsoft.com/sccm/sum/deploy-use/integrate-windows-update-for-business-windows-10). - -## Related topics - -- [Update Windows 10 in the enterprise](index.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) -- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) -- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) -- [Manage device restarts after updates](waas-restart.md) - +--- +title: Integrate Windows Update for Business with management solutions (Windows 10) +description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and System Center Configuration Manager. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.author: greglin +ms.date: 07/27/2017 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Integrate Windows Update for Business with management solutions + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + +You can integrate Windows Update for Business deployments with existing management tools such as Windows Server Update Services (WSUS) and System Center Configuration Manager. + +## Integrate Windows Update for Business with Windows Server Update Services + + +For Windows 10, version 1607, devices can now be configured to receive updates from both Windows Update (or Microsoft Update) and Windows Server Update Services (WSUS). In a joint WSUS and Windows Update for Business setup: + +- Devices will receive their Windows content from Microsoft and defer these updates according to Windows Update for Business policy +- All other content synced from WSUS will be directly applied to the device; that is, updates to products other than Windows will not follow your Windows Update for Business deferral policies + +### Configuration example \#1: Deferring Windows Update updates with other update content hosted on WSUS + +**Configuration:** + +- Device is configured to defer Windows Quality Updates using Windows Update for Business +- Device is also configured to be managed by WSUS +- Device is not configured to enable Microsoft Update (**Update/AllowMUUpdateService** = not enabled) +- Admin has opted to put updates to Office and other products on WSUS +- Admin has also put 3rd party drivers on WSUS + + + + + +
          ContentMetadata sourcePayload sourceDeferred?
          Updates to WindowsWindows UpdateWindows UpdateYesdiagram of content flow
          Updates to Office and other productsWSUSWSUSNo
          Third-party driversWSUSWSUSNo
          + +### Configuration example \#2: Excluding drivers from Windows Quality Updates using Windows Update for Business + +**Configuration:** + +- Device is configured to defer Windows Quality Updates and to exclude drivers from Windows Update Quality Updates (**ExcludeWUDriversInQualityUpdate** = enabled) +- Device is also configured to be managed by WSUS +- Admin has opted to put Windows Update drivers on WSUS + + + + + + + +
          ContentMetadata sourcePayload sourceDeferred?
          Updates to Windows (excluding drivers)Windows UpdateWindows UpdateYesdiagram of content flow
          Updates to Office and other productsWSUSWSUSNo
          DriversWSUSWSUSNo
          + +### Configuration example \#3: Device configured to receive Microsoft updates + +**Configuration:** + +- Device is configured to defer Quality Updates using Windows Update for Business and to be managed by WSUS +- Device is configured to “receive updates for other Microsoft products” along with updates to Windows (**Update/AllowMUUpdateService** = enabled) +- Admin has also placed Microsoft Update, third-paprty, and locally-published update content on the WSUS server + +In this example, the deferral behavior for updates to Office and other non-Windows products is slightly different than if WSUS were not enabled. +- In a non-WSUS case, these updates would be deferred just as any update to Windows would be. +- However, with WSUS also configured, these updates are sourced from Microsoft but deferral policies are not applied. + + + + + + +
          ContentMetadata sourcePayload sourceDeferred?
          Updates to Windows (excluding drivers)Microsoft UpdateMicrosoft UpdateYesdiagram of content flow
          Updates to Office and other productsMicrosoft UpdateMicrosoft UpdateNo
          Drivers, third-party applicationsWSUSWSUSNo
          + +>[!NOTE] +> Because the admin enabled **Update/AllowMUUpdateService**, placing the content on WSUS was not needed for the particular device, as the device will always receive Microsoft Update content from Microsoft when configured in this manner. + +## Integrate Windows Update for Business with System Center Configuration Manager + +For Windows 10, version 1607, organizations already managing their systems with a Configuration Manager solution can also have their devices configured for Windows Update for Business (i.e. setting deferral policies on those devices). Such devices will be visible in the Configuration Manager console, however they will appear with a detection state of **Unknown**. + +![Example of unknown devices](images/wufb-sccm.png) + +For more information, see [Integration with Windows Update for Business in Windows 10](https://docs.microsoft.com/sccm/sum/deploy-use/integrate-windows-update-for-business-windows-10). + +## Related topics + +- [Update Windows 10 in the enterprise](index.md) +- [Overview of Windows as a service](waas-overview.md) +- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) +- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) +- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) +- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) +- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) +- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) +- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) +- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) +- [Configure Windows Update for Business](waas-configure-wufb.md) +- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) +- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) +- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) +- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Manage device restarts after updates](waas-restart.md) + diff --git a/windows/deployment/update/waas-manage-updates-configuration-manager.md b/windows/deployment/update/waas-manage-updates-configuration-manager.md index c572ab8879..13b782b7e4 100644 --- a/windows/deployment/update/waas-manage-updates-configuration-manager.md +++ b/windows/deployment/update/waas-manage-updates-configuration-manager.md @@ -1,334 +1,334 @@ ---- -title: Deploy Windows 10 updates using System Center Configuration Manager (Windows 10) -description: System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.date: 10/16/2017 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Deploy Windows 10 updates using System Center Configuration Manager - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - ->[!IMPORTANT] ->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products. -> ->In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. - -System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10. Unlike other servicing tools, Configuration Manager has capabilities that extend beyond servicing, such as application deployment, antivirus management, software metering, and reporting, and provides a secondary deployment method for LTSB clients. Configuration Manager can effectively control bandwidth usage and content distribution through a combination of BranchCache and distribution points. Microsoft encourages organizations currently using Configuration Manager for Windows update management to continue doing so for Windows 10 client computers. - -You can use Configuration Manager to service Windows 10 devices in two ways. The first option is to use Windows 10 Servicing Plans to deploy Windows 10 feature updates automatically based on specific criteria, similar to an Automatic Deployment Rule for software updates. The second option is to use a task sequence to deploy feature updates, along with anything else in the installation. - ->[!NOTE] ->This topic focuses on updating and upgrading Windows 10 after it has already been deployed. To use Configuration Manager to upgrade your systems from the Windows 8.1, Windows 8, or Windows 7 operating system, see [Upgrade to Windows 10 with System Center Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager). - -## Windows 10 servicing dashboard - -The Windows 10 servicing dashboard gives you a quick-reference view of your active servicing plans, compliance for servicing plan deployment, and other key information about Windows 10 servicing. For details about what each tile on the servicing dashboard represents, see [Manage Windows as a service using System Center Configuration Manager](https://technet.microsoft.com/library/mt627931.aspx). - -For the Windows 10 servicing dashboard to display information, you must adhere to the following requirements: - -- **Heartbeat discovery**. Enable heartbeat discovery for the site receiving Windows 10 servicing information. Configuration for heartbeat discovery can be found in Administration\Overview\Hierarchy Configuration\Discovery Methods. -- **Windows Server Update Service (WSUS)**. System Center Configuration Manager must have the Software update point site system role added and configured to receive updates from a WSUS 4.0 server with the hotfix KB3095113 installed. -- **Service connection point**. Add the Service connection point site system role in Online, persistent connection mode. -- **Upgrade classification**. Select **Upgrade** from the list of synchronized software update classifications. - - **To configure Upgrade classification** - - 1. Go to Administration\Overview\Site Configuration\Sites, and then select your site from the list. - - 2. On the Ribbon, in the **Settings** section, click **Configure Site Components**, and then click **Software Update Point**. - - ![Example of UI](images/waas-sccm-fig1.png) - - 3. In the **Software Update Point Component Properties** dialog box, on the **Classifications** tab, click **Upgrades**. - -When you have met all these requirements and deployed a servicing plan to a collection, you’ll receive information on the Windows 10 servicing dashboard. - -## Create collections for deployment rings - -Regardless of the method by which you deploy Windows 10 feature updates to your environment, you must start the Windows 10 servicing process by creating collections of computers that represent your deployment rings. In this example, you create two collections: **Windows 10 – All Current Branch for Business** and **Ring 4 Broad business users**. You’ll use the **Windows 10 – All Current Branch for Business** collection for reporting and deployments that should go to all CBB clients. You’ll use the **Ring 4 Broad business users** collection as a deployment ring for the first CBB users. - ->[!NOTE] ->The following procedures use the groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) as examples. - -**To create collections for deployment rings** - -1. In the Configuration Manager console, go to Assets and Compliance\Overview\Device Collections. - -2. On the Ribbon, in the **Create** group, click **Create Device Collection**. - -3. In the Create Device Collection Wizard, in the **name** box, type **Windows 10 – All Current Branch for Business**. - -4. Click **Browse** to select the limiting collection, and then click **All Systems**. - -5. In **Membership rules**, click **Add Rule**, and then click **Query Rule**. - -6. Name the rule **CBB Detection**, and then click **Edit Query Statement**. - -7. On the **Criteria** tab, click the **New** icon. - - ![Example of UI](images/waas-sccm-fig4.png) - -8. In the **Criterion Properties** dialog box, leave the type as **Simple Value**, and then click **Select**. - -9. In the **Select Attribute** dialog box, from the **Attribute class** list, select **System Resource**. From the **Attribute** list, select **OSBranch**, and then click **OK**. - - ![Example of UI](images/waas-sccm-fig5.png) - - >[!NOTE] - >Configuration Manager discovers clients’ servicing branch and stores that value in the **OSBranch** attribute, which you will use to create collections based on servicing branch. The values in this attribute can be **0 (Current Branch)**, **1 (Current Branch for Business)**, or **2 (Long-Term Servicing Branch)**. - -10. Leave **Operator** set to **is equal to**; in the **Value** box, type **1**. Click **OK**. - - ![Example of UI](images/waas-sccm-fig6.png) - -11. Now that the **OSBranch** attribute is correct, verify the operating system version. - -12. On the **Criteria** tab, click the **New** icon again to add criteria. - -13. In the **Criterion Properties** dialog box, click **Select**. - -14. From the **Attribute class** list, select **System Resource**. From the **Attribute** list, select **Operating System Name and Version**, and then click **OK**. - - ![Example of UI](images/waas-sccm-fig7.png) - -15. In the **Value** box, type **Microsoft Windows NT Workstation 10.0**, and then click **OK**. - - ![Example of UI](images/waas-sccm-fig8.png) - -16. In the **Query Statement Properties** dialog box, you see two values. Click **OK**, and then click **OK** again to continue to the Create Device Collection Wizard. - -17. Click **Summary**, and then click **Next**. - -18. Close the wizard. - ->[!IMPORTANT] ->Windows Insider PCs are discovered the same way as CB or CBB devices. If you have Windows Insider PCs that you use Configuration Manager to manage, then you should create a collection of those PCs and exclude them from this collection. You can create the membership for the Windows Insider collection either manually or by using a query where the operating system build doesn’t equal any of the current CB or CBB build numbers. You would have to update each periodically to include new devices or new operating system builds. - -After you have updated the membership, this new collection will contain all managed clients on the CBB servicing branch. You will use this collection as a limiting collection for future CBB-based collections and the **Ring 4 Broad broad business users** collection. Complete the following steps to create the **Ring 4 Broad business users** device collection, which you’ll use as a CBB deployment ring for servicing plans or task sequences. - -1. In the Configuration Manager console, go to Assets and Compliance\Overview\Device Collections. - -2. On the Ribbon, in the **Create** group, click **Create Device Collection**. - -3. In the Create Device Collection Wizard, in the **name** box, type **Ring 4 Broad business users**. - -4. Click **Browse** to select the limiting collection, and then click **Windows 10 – All Current Branch for Business**. - -5. In **Membership rules**, click **Add Rule**, and then click **Direct Rule**. - -6. In the **Create Direct Membership Rule Wizard** dialog box, click **Next**. - -7. In the **Value** field, type all or part of the name of a device to add, and then click **Next**. - -8. Select the computer that will be part of the **Ring 4 Broad business users** deployment ring, and then click **Next**. - -9. Click **Next**, and then click **Close**. - -10. In the **Create Device Collection Wizard** dialog box, click **Summary**. - -11. Click **Next**, and then click **Close**. - - -## Use Windows 10 servicing plans to deploy Windows 10 feature updates - -There are two ways to deploy Windows 10 feature updates with System Center Configuration Manager. The first is to use servicing plans, which provide an automated method to update devices consistently in their respective deployment rings, similar to Automatic Deployment Rules for software updates. - -**To configure Windows feature updates for CBB clients in the Ring 4 Broad business users deployment ring using a servicing plan** - -1. In the Configuration Manager console, go to Software Library\Overview\Windows 10 Servicing, and then click **Servicing Plans**. - -2. On the Ribbon, in the **Create** group, click **Create Servicing Plan**. - -3. Name the plan **Ring 4 Broad business users Servicing Plan**, and then click **Next**. - -4. On the **Servicing Plan page**, click **Browse**. Select the **Ring 4 Broad business users** collection, which you created in the [Create collections for deployment rings](#create-collections-for-deployment-rings) section, click **OK**, and then click **Next**. - - >[!IMPORTANT] - >Microsoft added a new protection feature to Configuration Manager that prevents accidental installation of high-risk deployments such as operating system upgrades on site systems. If you select a collection (All Systems in this example) that has a site system in it, you may receive the following message. - > - >![This is a high-risk deployment](images/waas-sccm-fig9.png) - > - >For details about how to manage the settings for high-risk deployments in Configuration Manager, see [Settings to manage high-risk deployments for System Center Configuration Manager](https://technet.microsoft.com/library/mt621992.aspx). - -5. On the **Deployment Ring** page, select the **Business Ready (Current Branch for Business)** readiness state, leave the delay at **0 days**, and then click **Next**. - - Doing so deploys CBB feature updates to the broad business users deployment ring immediately after they are released to CBB. - - On the Upgrades page, you specify filters for the feature updates to which this servicing plan is applicable. For example, if you wanted this plan to be only for Windows 10 Enterprise, you could select **Title**, and then type **Enterprise**. - -6. For this example, on the **Upgrades** page, click **Next** to leave the criterion blank. - -7. On the **Deployment Schedule** page, click **Next** to keep the default values of making the content available immediately and requiring installation by the 7-day deadline. - -8. On the **User Experience** page, from the **Deadline behavior** list, select **Software Installation and System restart (if necessary)**. From the **Device restart behavior** list, select **Workstations**, and then click **Next**. - - Doing so allows installation and restarts after the 7-day deadline on workstations only. - -9. On the **Deployment Package** page, select **Create a new deployment package**. In **Name**, type **CBB Upgrades**, select a share for your package source location, and then click **Next**. - - In this example, \\contoso-cm01\Sources\Windows 10 Feature Upgrades is a share on the Configuration Manager server that contains all the Windows 10 feature updates. - - ![Example of UI](images/waas-sccm-fig10.png) - -10. On the **Distribution Points** page, from the **Add** list, select **Distribution Point**. - - ![Example of UI](images/waas-sccm-fig11.png) - - Select the distribution points that serve the clients to which you’re deploying this servicing plan, and then click **OK**. - -11. Click **Summary**, click **Next** to complete the servicing plan, and then click **Close**. - - -You have now created a servicing plan for the **Ring 4 Broad business users** deployment ring. By default, this rule is evaluated each time the software update point is synchronized, but you can modify this schedule by viewing the service plan’s properties on the **Evaluation Schedule** tab. - -![Example of UI](images/waas-sccm-fig12.png) - - -## Use a task sequence to deploy Windows 10 updates - -There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example: - -- **LTSB feature updates**. With the LTSB servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade. -- **Additional required tasks**. When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you must use task sequences to orchestrate the additional steps. Servicing plans do not have the ability to add steps to their deployments. - -Each time Microsoft releases a new Windows 10 build, it releases a new .iso file containing the latest build, as well. Regardless of the scenario that requires a task sequence to deploy the Windows 10 upgrade, the base process is the same. Start by creating an Operating System Upgrade Package in the Configuration Manager console: - -1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Operating System Upgrade Packages. - -2. On the Ribbon, in the **Create** group, click **Add Operating System Upgrade Package**. - -3. On the **Data Source** page, type the path of the extracted .iso file of the new version of Windows 10 you’re deploying, and then click **Next**. - - In this example, the Windows 10 Enterprise 1607 installation media is deployed to \\contoso-cm01\Sources\Operating Systems\Windows 10 Enterprise\Windows 10 Enterprise - Version 1607. - - >[!NOTE] - >System Center Configuration Manager version 1606 is required to manage machines running Windows 10, version 1607. - -4. On the **General** page, in the **Name** field, type the name of the folder (**Windows 10 Enterprise - Version 1607** in this example). Set the **Version** to **1607**, and then click **Next**. - -5. On the **Summary** page, click **Next** to create the package. - -6. On the **Completion** page, click **Close**. - -Now that the operating system upgrade package has been created, the content in that package must be distributed to the correct distribution points so that the clients can access the content. Complete the following steps to distribute the package content to distribution points: - -1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Operating System Upgrade Packages, and then select the **Windows 10 Enterprise – Version 1607** software upgrade package. - -2. On the Ribbon, in the **Deployment group**, click **Distribute Content**. - -3. In the Distribute Content Wizard, on the **General** page, click **Next**. - -4. On the **Content Destination** page, click **Add**, and then click **Distribution Point**. - -5. In the **Add Distribution Points** dialog box, select the distribution point that will serve the clients receiving this package, and then click **OK**. - -6. On the **Content Destination** page, click **Next**. - -7. On the **Summary** page, click **Next** to distribute the content to the selected distribution point. - -8. On the **Completion** page, click **Close**. - -Now that the upgrade package has been created and its contents distributed, create the task sequence that will use it. Complete the following steps to create the task sequence, using the previously created deployment package: - -1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Task Sequences. - -2. On the Ribbon, in the **Create** group, click **Create Task Sequence**. - -3. In the Create Task Sequence Wizard, on the **Create a new task sequence** page, select **Upgrade an operating system from upgrade package**, and then click **Next**. - -4. On the **Task Sequence Information** page, in **Task sequence name**, type **Upgrade Windows 10 Enterprise – Version 1607**, and then click **Next**. - -5. On the **Upgrade the Windows Operating system** page, click **Browse**, select the deployment package you created in the previous steps, and then click **OK**. - -6. Click **Next**. - -7. On the **Include Updates** page, select **Available for installation – All software updates**, and then click **Next**. - -8. On the **Install Applications** page, click **Next**. - -9. On the **Summary** page, click **Next** to create the task sequence. - -10. On the **Completion** page, click **Close**. - -With the task sequence created, you’re ready to deploy it. If you’re using this method to deploy most of your Windows 10 feature updates, you may want to create deployment rings to stage the deployment of this task sequence, with delays appropriate for the respective deployment ring. In this example, you deploy the task sequence to the **Ring 4 Broad business users collection**. - ->[!IMPORTANT] ->This process deploys a Windows 10 operating system feature update to the affected devices. If you’re testing, be sure to select the collection to which you deploy this task sequence carefully. - -**To deploy your task sequence** - -1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Task Sequences, and then select the **Upgrade Windows 10 Enterprise – Version 1607** task sequence. - -2. On the Ribbon, in the **Deployment** group, click **Deploy**. - -3. In the Deploy Software Wizard, on the **General** page, click **Browse**. Select the target collection, click **OK**, and then click **Next**. - -4. On the **Deployment Settings** page, for **purpose**, select **Required**, and then click **Next**. - -5. On the **Scheduling** page, select the **Schedule when this deployment will become available** check box (it sets the current time by default). For **Assignment schedule**, click **New**. - -6. In the **Assignment Schedule** dialog box, click **Schedule**. - -7. In the **Custom Schedule** dialog box, select the desired deadline, and then click **OK**. - -8. In the **Assignment Schedule** dialog box, click **OK**, and then click **Next**. - -9. On the **User Experience** page, in the **When the scheduled assignment time is reached, allow the following activities to be performed outside of the maintenance window** section, select **Software Installation** and **System restart** (if required to complete the installation), and then click **Next**. - -10. Use the defaults for the remaining settings. - -11. Click **Summary**, and then click **Next** to deploy the task sequence. - -12. Click **Close**. - - -## Steps to manage updates for Windows 10 - -| | | -| --- | --- | -| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) | -| ![done](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | -| ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | -| ![done](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | -| ![done](images/checklistdone.png) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | -| ![done](images/checklistdone.png) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
          or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
          or Deploy Windows 10 updates using System Center Configuration Manager (this topic) | - -## See also - -[Manage Windows as a service using System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/manage-windows-as-a-service) - - -## Related topics - -- [Update Windows 10 in the enterprise](index.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) -- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) -- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Manage device restarts after updates](waas-restart.md) - +--- +title: Deploy Windows 10 updates using System Center Configuration Manager (Windows 10) +description: System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.author: greglin +ms.date: 10/16/2017 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Deploy Windows 10 updates using System Center Configuration Manager + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + +>[!IMPORTANT] +>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products. +> +>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. + +System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10. Unlike other servicing tools, Configuration Manager has capabilities that extend beyond servicing, such as application deployment, antivirus management, software metering, and reporting, and provides a secondary deployment method for LTSB clients. Configuration Manager can effectively control bandwidth usage and content distribution through a combination of BranchCache and distribution points. Microsoft encourages organizations currently using Configuration Manager for Windows update management to continue doing so for Windows 10 client computers. + +You can use Configuration Manager to service Windows 10 devices in two ways. The first option is to use Windows 10 Servicing Plans to deploy Windows 10 feature updates automatically based on specific criteria, similar to an Automatic Deployment Rule for software updates. The second option is to use a task sequence to deploy feature updates, along with anything else in the installation. + +>[!NOTE] +>This topic focuses on updating and upgrading Windows 10 after it has already been deployed. To use Configuration Manager to upgrade your systems from the Windows 8.1, Windows 8, or Windows 7 operating system, see [Upgrade to Windows 10 with System Center Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager). + +## Windows 10 servicing dashboard + +The Windows 10 servicing dashboard gives you a quick-reference view of your active servicing plans, compliance for servicing plan deployment, and other key information about Windows 10 servicing. For details about what each tile on the servicing dashboard represents, see [Manage Windows as a service using System Center Configuration Manager](https://technet.microsoft.com/library/mt627931.aspx). + +For the Windows 10 servicing dashboard to display information, you must adhere to the following requirements: + +- **Heartbeat discovery**. Enable heartbeat discovery for the site receiving Windows 10 servicing information. Configuration for heartbeat discovery can be found in Administration\Overview\Hierarchy Configuration\Discovery Methods. +- **Windows Server Update Service (WSUS)**. System Center Configuration Manager must have the Software update point site system role added and configured to receive updates from a WSUS 4.0 server with the hotfix KB3095113 installed. +- **Service connection point**. Add the Service connection point site system role in Online, persistent connection mode. +- **Upgrade classification**. Select **Upgrade** from the list of synchronized software update classifications. + + **To configure Upgrade classification** + + 1. Go to Administration\Overview\Site Configuration\Sites, and then select your site from the list. + + 2. On the Ribbon, in the **Settings** section, click **Configure Site Components**, and then click **Software Update Point**. + + ![Example of UI](images/waas-sccm-fig1.png) + + 3. In the **Software Update Point Component Properties** dialog box, on the **Classifications** tab, click **Upgrades**. + +When you have met all these requirements and deployed a servicing plan to a collection, you’ll receive information on the Windows 10 servicing dashboard. + +## Create collections for deployment rings + +Regardless of the method by which you deploy Windows 10 feature updates to your environment, you must start the Windows 10 servicing process by creating collections of computers that represent your deployment rings. In this example, you create two collections: **Windows 10 – All Current Branch for Business** and **Ring 4 Broad business users**. You’ll use the **Windows 10 – All Current Branch for Business** collection for reporting and deployments that should go to all CBB clients. You’ll use the **Ring 4 Broad business users** collection as a deployment ring for the first CBB users. + +>[!NOTE] +>The following procedures use the groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) as examples. + +**To create collections for deployment rings** + +1. In the Configuration Manager console, go to Assets and Compliance\Overview\Device Collections. + +2. On the Ribbon, in the **Create** group, click **Create Device Collection**. + +3. In the Create Device Collection Wizard, in the **name** box, type **Windows 10 – All Current Branch for Business**. + +4. Click **Browse** to select the limiting collection, and then click **All Systems**. + +5. In **Membership rules**, click **Add Rule**, and then click **Query Rule**. + +6. Name the rule **CBB Detection**, and then click **Edit Query Statement**. + +7. On the **Criteria** tab, click the **New** icon. + + ![Example of UI](images/waas-sccm-fig4.png) + +8. In the **Criterion Properties** dialog box, leave the type as **Simple Value**, and then click **Select**. + +9. In the **Select Attribute** dialog box, from the **Attribute class** list, select **System Resource**. From the **Attribute** list, select **OSBranch**, and then click **OK**. + + ![Example of UI](images/waas-sccm-fig5.png) + + >[!NOTE] + >Configuration Manager discovers clients’ servicing branch and stores that value in the **OSBranch** attribute, which you will use to create collections based on servicing branch. The values in this attribute can be **0 (Current Branch)**, **1 (Current Branch for Business)**, or **2 (Long-Term Servicing Branch)**. + +10. Leave **Operator** set to **is equal to**; in the **Value** box, type **1**. Click **OK**. + + ![Example of UI](images/waas-sccm-fig6.png) + +11. Now that the **OSBranch** attribute is correct, verify the operating system version. + +12. On the **Criteria** tab, click the **New** icon again to add criteria. + +13. In the **Criterion Properties** dialog box, click **Select**. + +14. From the **Attribute class** list, select **System Resource**. From the **Attribute** list, select **Operating System Name and Version**, and then click **OK**. + + ![Example of UI](images/waas-sccm-fig7.png) + +15. In the **Value** box, type **Microsoft Windows NT Workstation 10.0**, and then click **OK**. + + ![Example of UI](images/waas-sccm-fig8.png) + +16. In the **Query Statement Properties** dialog box, you see two values. Click **OK**, and then click **OK** again to continue to the Create Device Collection Wizard. + +17. Click **Summary**, and then click **Next**. + +18. Close the wizard. + +>[!IMPORTANT] +>Windows Insider PCs are discovered the same way as CB or CBB devices. If you have Windows Insider PCs that you use Configuration Manager to manage, then you should create a collection of those PCs and exclude them from this collection. You can create the membership for the Windows Insider collection either manually or by using a query where the operating system build doesn’t equal any of the current CB or CBB build numbers. You would have to update each periodically to include new devices or new operating system builds. + +After you have updated the membership, this new collection will contain all managed clients on the CBB servicing branch. You will use this collection as a limiting collection for future CBB-based collections and the **Ring 4 Broad broad business users** collection. Complete the following steps to create the **Ring 4 Broad business users** device collection, which you’ll use as a CBB deployment ring for servicing plans or task sequences. + +1. In the Configuration Manager console, go to Assets and Compliance\Overview\Device Collections. + +2. On the Ribbon, in the **Create** group, click **Create Device Collection**. + +3. In the Create Device Collection Wizard, in the **name** box, type **Ring 4 Broad business users**. + +4. Click **Browse** to select the limiting collection, and then click **Windows 10 – All Current Branch for Business**. + +5. In **Membership rules**, click **Add Rule**, and then click **Direct Rule**. + +6. In the **Create Direct Membership Rule Wizard** dialog box, click **Next**. + +7. In the **Value** field, type all or part of the name of a device to add, and then click **Next**. + +8. Select the computer that will be part of the **Ring 4 Broad business users** deployment ring, and then click **Next**. + +9. Click **Next**, and then click **Close**. + +10. In the **Create Device Collection Wizard** dialog box, click **Summary**. + +11. Click **Next**, and then click **Close**. + + +## Use Windows 10 servicing plans to deploy Windows 10 feature updates + +There are two ways to deploy Windows 10 feature updates with System Center Configuration Manager. The first is to use servicing plans, which provide an automated method to update devices consistently in their respective deployment rings, similar to Automatic Deployment Rules for software updates. + +**To configure Windows feature updates for CBB clients in the Ring 4 Broad business users deployment ring using a servicing plan** + +1. In the Configuration Manager console, go to Software Library\Overview\Windows 10 Servicing, and then click **Servicing Plans**. + +2. On the Ribbon, in the **Create** group, click **Create Servicing Plan**. + +3. Name the plan **Ring 4 Broad business users Servicing Plan**, and then click **Next**. + +4. On the **Servicing Plan page**, click **Browse**. Select the **Ring 4 Broad business users** collection, which you created in the [Create collections for deployment rings](#create-collections-for-deployment-rings) section, click **OK**, and then click **Next**. + + >[!IMPORTANT] + >Microsoft added a new protection feature to Configuration Manager that prevents accidental installation of high-risk deployments such as operating system upgrades on site systems. If you select a collection (All Systems in this example) that has a site system in it, you may receive the following message. + > + >![This is a high-risk deployment](images/waas-sccm-fig9.png) + > + >For details about how to manage the settings for high-risk deployments in Configuration Manager, see [Settings to manage high-risk deployments for System Center Configuration Manager](https://technet.microsoft.com/library/mt621992.aspx). + +5. On the **Deployment Ring** page, select the **Business Ready (Current Branch for Business)** readiness state, leave the delay at **0 days**, and then click **Next**. + + Doing so deploys CBB feature updates to the broad business users deployment ring immediately after they are released to CBB. + + On the Upgrades page, you specify filters for the feature updates to which this servicing plan is applicable. For example, if you wanted this plan to be only for Windows 10 Enterprise, you could select **Title**, and then type **Enterprise**. + +6. For this example, on the **Upgrades** page, click **Next** to leave the criterion blank. + +7. On the **Deployment Schedule** page, click **Next** to keep the default values of making the content available immediately and requiring installation by the 7-day deadline. + +8. On the **User Experience** page, from the **Deadline behavior** list, select **Software Installation and System restart (if necessary)**. From the **Device restart behavior** list, select **Workstations**, and then click **Next**. + + Doing so allows installation and restarts after the 7-day deadline on workstations only. + +9. On the **Deployment Package** page, select **Create a new deployment package**. In **Name**, type **CBB Upgrades**, select a share for your package source location, and then click **Next**. + + In this example, \\contoso-cm01\Sources\Windows 10 Feature Upgrades is a share on the Configuration Manager server that contains all the Windows 10 feature updates. + + ![Example of UI](images/waas-sccm-fig10.png) + +10. On the **Distribution Points** page, from the **Add** list, select **Distribution Point**. + + ![Example of UI](images/waas-sccm-fig11.png) + + Select the distribution points that serve the clients to which you’re deploying this servicing plan, and then click **OK**. + +11. Click **Summary**, click **Next** to complete the servicing plan, and then click **Close**. + + +You have now created a servicing plan for the **Ring 4 Broad business users** deployment ring. By default, this rule is evaluated each time the software update point is synchronized, but you can modify this schedule by viewing the service plan’s properties on the **Evaluation Schedule** tab. + +![Example of UI](images/waas-sccm-fig12.png) + + +## Use a task sequence to deploy Windows 10 updates + +There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example: + +- **LTSB feature updates**. With the LTSB servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade. +- **Additional required tasks**. When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you must use task sequences to orchestrate the additional steps. Servicing plans do not have the ability to add steps to their deployments. + +Each time Microsoft releases a new Windows 10 build, it releases a new .iso file containing the latest build, as well. Regardless of the scenario that requires a task sequence to deploy the Windows 10 upgrade, the base process is the same. Start by creating an Operating System Upgrade Package in the Configuration Manager console: + +1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Operating System Upgrade Packages. + +2. On the Ribbon, in the **Create** group, click **Add Operating System Upgrade Package**. + +3. On the **Data Source** page, type the path of the extracted .iso file of the new version of Windows 10 you’re deploying, and then click **Next**. + + In this example, the Windows 10 Enterprise 1607 installation media is deployed to \\contoso-cm01\Sources\Operating Systems\Windows 10 Enterprise\Windows 10 Enterprise - Version 1607. + + >[!NOTE] + >System Center Configuration Manager version 1606 is required to manage machines running Windows 10, version 1607. + +4. On the **General** page, in the **Name** field, type the name of the folder (**Windows 10 Enterprise - Version 1607** in this example). Set the **Version** to **1607**, and then click **Next**. + +5. On the **Summary** page, click **Next** to create the package. + +6. On the **Completion** page, click **Close**. + +Now that the operating system upgrade package has been created, the content in that package must be distributed to the correct distribution points so that the clients can access the content. Complete the following steps to distribute the package content to distribution points: + +1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Operating System Upgrade Packages, and then select the **Windows 10 Enterprise – Version 1607** software upgrade package. + +2. On the Ribbon, in the **Deployment group**, click **Distribute Content**. + +3. In the Distribute Content Wizard, on the **General** page, click **Next**. + +4. On the **Content Destination** page, click **Add**, and then click **Distribution Point**. + +5. In the **Add Distribution Points** dialog box, select the distribution point that will serve the clients receiving this package, and then click **OK**. + +6. On the **Content Destination** page, click **Next**. + +7. On the **Summary** page, click **Next** to distribute the content to the selected distribution point. + +8. On the **Completion** page, click **Close**. + +Now that the upgrade package has been created and its contents distributed, create the task sequence that will use it. Complete the following steps to create the task sequence, using the previously created deployment package: + +1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Task Sequences. + +2. On the Ribbon, in the **Create** group, click **Create Task Sequence**. + +3. In the Create Task Sequence Wizard, on the **Create a new task sequence** page, select **Upgrade an operating system from upgrade package**, and then click **Next**. + +4. On the **Task Sequence Information** page, in **Task sequence name**, type **Upgrade Windows 10 Enterprise – Version 1607**, and then click **Next**. + +5. On the **Upgrade the Windows Operating system** page, click **Browse**, select the deployment package you created in the previous steps, and then click **OK**. + +6. Click **Next**. + +7. On the **Include Updates** page, select **Available for installation – All software updates**, and then click **Next**. + +8. On the **Install Applications** page, click **Next**. + +9. On the **Summary** page, click **Next** to create the task sequence. + +10. On the **Completion** page, click **Close**. + +With the task sequence created, you’re ready to deploy it. If you’re using this method to deploy most of your Windows 10 feature updates, you may want to create deployment rings to stage the deployment of this task sequence, with delays appropriate for the respective deployment ring. In this example, you deploy the task sequence to the **Ring 4 Broad business users collection**. + +>[!IMPORTANT] +>This process deploys a Windows 10 operating system feature update to the affected devices. If you’re testing, be sure to select the collection to which you deploy this task sequence carefully. + +**To deploy your task sequence** + +1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Task Sequences, and then select the **Upgrade Windows 10 Enterprise – Version 1607** task sequence. + +2. On the Ribbon, in the **Deployment** group, click **Deploy**. + +3. In the Deploy Software Wizard, on the **General** page, click **Browse**. Select the target collection, click **OK**, and then click **Next**. + +4. On the **Deployment Settings** page, for **purpose**, select **Required**, and then click **Next**. + +5. On the **Scheduling** page, select the **Schedule when this deployment will become available** check box (it sets the current time by default). For **Assignment schedule**, click **New**. + +6. In the **Assignment Schedule** dialog box, click **Schedule**. + +7. In the **Custom Schedule** dialog box, select the desired deadline, and then click **OK**. + +8. In the **Assignment Schedule** dialog box, click **OK**, and then click **Next**. + +9. On the **User Experience** page, in the **When the scheduled assignment time is reached, allow the following activities to be performed outside of the maintenance window** section, select **Software Installation** and **System restart** (if required to complete the installation), and then click **Next**. + +10. Use the defaults for the remaining settings. + +11. Click **Summary**, and then click **Next** to deploy the task sequence. + +12. Click **Close**. + + +## Steps to manage updates for Windows 10 + +| | | +| --- | --- | +| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) | +| ![done](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | +| ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | +| ![done](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | +| ![done](images/checklistdone.png) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | +| ![done](images/checklistdone.png) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
          or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
          or Deploy Windows 10 updates using System Center Configuration Manager (this topic) | + +## See also + +[Manage Windows as a service using System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/manage-windows-as-a-service) + + +## Related topics + +- [Update Windows 10 in the enterprise](index.md) +- [Overview of Windows as a service](waas-overview.md) +- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) +- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) +- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) +- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) +- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) +- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) +- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) +- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) +- [Configure Windows Update for Business](waas-configure-wufb.md) +- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) +- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) +- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) +- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) +- [Manage device restarts after updates](waas-restart.md) + diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md index 7eccb49914..f9c378860b 100644 --- a/windows/deployment/update/waas-manage-updates-wsus.md +++ b/windows/deployment/update/waas-manage-updates-wsus.md @@ -1,360 +1,360 @@ ---- -title: Deploy Windows 10 updates using Windows Server Update Services (Windows 10) -description: WSUS allows companies to defer, selectively approve, choose when delivered, and determine which devices receive updates. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.date: 10/16/2017 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Deploy Windows 10 updates using Windows Server Update Services (WSUS) - - -**Applies to** - -- Windows 10 - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - ->[!IMPORTANT] ->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products. -> ->In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. - -WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that System Center Configuration Manager provides. - -When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows 10 client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you’re currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 10. - - - -## Requirements for Windows 10 servicing with WSUS - -To be able to use WSUS to manage and deploy Windows 10 feature updates, you must have WSUS 4.0, which is available in the Windows Server 2012 R2 and Windows Server 2012 operating systems. In addition to WSUS 4.0, you must install the [KB3095113](https://support.microsoft.com/kb/3095113) and [KB3159706](https://support.microsoft.com/kb/3159706) patches on the WSUS server. - -## WSUS scalability - -To use WSUS to manage all Windows updates, some organizations may need access to WSUS from a perimeter network, or they might have some other complex scenario. WSUS is highly scalable and configurable for organizations of any size or site layout. For specific information about scaling WSUS, including upstream and downstream server configuration, branch offices, WSUS load balancing, and other complex scenarios, see [Choose a Type of WSUS Deployment](https://technet.microsoft.com/library/cc720448%28v=ws.10%29.aspx). - - -## Express Installation Files - -With Windows 10, quality updates will be larger than traditional Windows Updates because they’re cumulative. To manage the bandwidth clients downloading large updates like these will need, WSUS has a feature called *Express Installation Files*. - - At a binary level, files associated with updates may not change a lot. In fact, with cumulative quality updates, most of the content will be from previous updates. Rather than downloading the entire update when only a small percentage of the payload is actually different, Express Installation Files analyze the differences between the new files associated with an update and the existing files on the client. This approach significantly reduces the amount of bandwidth used because only a fraction of the update content is actually delivered. - - **To configure WSUS to download Express Update Files** - -1. Open the WSUS Administration Console. - -2. In the navigation pane, go to *Your_Server*\\**Options**. - -3. In the **Options** section, click **Update Files and Languages**. - - ![Example of UI](images/waas-wsus-fig1.png) - -4. In the **Update Files and Languages** dialog box, select **Download express installation files**. - - ![Example of UI](images/waas-wsus-fig2.png) - - >[!NOTE] - >Because Windows 10 updates are cumulative, enabling Express Installation Files when WSUS is configured to download Windows 10 updates will significantly increase the amount of disk space that WSUS requires. Alternatively, when using Express Installation Files for previous versions of Windows, the feature’s positive effects aren’t noticeable because the updates aren’t cumulative. - -## Configure automatic updates and update service location - -When using WSUS to manage updates on Windows client devices, start by configuring the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings for your environment. Doing so forces the affected clients to contact the WSUS server so that it can manage them. The following process describes how to specify these settings and deploy them to all devices in the domain. - -**To configure the Configure Automatic Updates and Intranet Microsoft Update Service Location Group Policy settings for your environment** - -1. Open GPMC. - -2. Expand Forest\Domains\\*Your_Domain*. - -3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**. - - ![Example of UI](images/waas-wsus-fig3.png) - - >[!NOTE] - >In this example, the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings are specified for the entire domain. This is not a requirement; you can target these settings to any security group by using Security Filtering or a specific OU. - -4. In the **New GPO** dialog box, name the new GPO **WSUS – Auto Updates and Intranet Update Service Location**. - -5. Right-click the **WSUS – Auto Updates and Intranet Update Service Location** GPO, and then click **Edit**. - -6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update. - -7. Right-click the **Configure Automatic Updates** setting, and then click **Edit**. - - ![Example of UI](images/waas-wsus-fig4.png) - -8. In the **Configure Automatic Updates** dialog box, select **Enable**. - -9. Under **Options**, from the **Configure automatic updating** list, select **3 - Auto download and notify for install**, and then click **OK**. - - ![Example of UI](images/waas-wsus-fig5.png) - - > [!NOTE] - > ?There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](https://technet.microsoft.com/library/cc720539%28v=ws.10%29.aspx). - -10. Right-click the **Specify intranet Microsoft update service location** setting, and then click **Edit**. - -11. In the **Specify intranet Microsoft update service location** dialog box, select **Enable**. - -12. Under **Options**, in the **Set the intranet update service for detecting updates** and **Set the intranet statistics server** options, type http://Your_WSUS_Server_FQDN:PortNumber, and then click **OK**. - - >[!NOTE] - >The URL `http://CONTOSO-WSUS1.contoso.com:8530` in the following image is just an example. In your environment, be sure to use the server name and port number for your WSUS instance. - - ![Example of UI](images/waas-wsus-fig6.png) - - >[!NOTE] - >The default HTTP port for WSUS is 8530, and the default HTTP over Secure Sockets Layer (HTTPS) port is 8531. If you’re unsure which port WSUS is using for client communication, right-click the WSUS Administration site in IIS Manager, and then click **Edit Bindings**. - -As Windows clients refresh their computer policies (the default Group Policy refresh setting is 90 minutes and when a computer restarts), computers start to appear in WSUS. Now that clients are communicating with the WSUS server, create the computer groups that align with your deployment rings. - -## Create computer groups in the WSUS Administration Console - ->[!NOTE] ->The following procedures use the groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) as examples. - -You can use computer groups to target a subset of devices that have specific quality and feature updates. These groups represent your deployment rings, as controlled by WSUS. You can populate the groups either manually by using the WSUS Administration Console or automatically through Group Policy. Regardless of the method you choose, you must first create the groups in the WSUS Administration Console. - -**To create computer groups in the WSUS Administration Console** - -1. Open the WSUS Administration Console. - -2. Go to *Server_Name*\Computers\All Computers, and then click **Add Computer Group**. - - ![Example of UI](images/waas-wsus-fig7.png) - -3. Type **Ring 2 Pilot Business Users** for the name, and then click **Add**. - -4. Repeat these steps for the **Ring 3 Broad IT** and **Ring 4 Broad Business Users** groups. When you’re finished, there should be three deployment ring groups. - -Now that the groups have been created, add the computers to the computer groups that align with the desired deployment rings. You can do this through [Group Policy](#wsus-gp) or manually by using the [WSUS Administration Console](#wsus-admin). - - -## Use the WSUS Administration Console to populate deployment rings - -Adding computers to computer groups in the WSUS Administration Console is simple, but it could take much longer than managing membership through Group Policy, especially if you have many computers to add. Adding computers to computer groups in the WSUS Administration Console is called *server-side targeting*. - -In this example, you add computers to computer groups in two different ways: by manually assigning unassigned computers and by searching for multiple computers. - -### Manually assign unassigned computers to groups - -When new computers communicate with WSUS, they appear in the **Unassigned Computers** group. From there, you can use the following procedure to add computers to their correct groups. For these examples, you use two Windows 10 PCs (WIN10-PC1 and WIN10-PC2) to add to the computer groups. - -**To assign computers manually** - -1. In the WSUS Administration Console, go to *Server_Name*\Computers\All Computers\Unassigned Computers. - - Here, you see the new computers that have received the GPO you created in the previous section and started communicating with WSUS. This example has only two computers; depending on how broadly you deployed your policy, you will likely have many computers here. - -2. Select both computers, right-click the selection, and then click **Change Membership**. - - ![Example of UI](images/waas-wsus-fig8.png) - -3. In the **Set Computer Group Membership** dialog box, select the **Ring 2 Pilot Business Users** deployment ring, and then click **OK**. - - Because they were assigned to a group, the computers are no longer in the **Unassigned Computers** group. If you select the **Ring 2 Pilot Business Users** computer group, you will see both computers there. - -### Search for multiple computers to add to groups - -Another way to add multiple computers to a deployment ring in the WSUS Administration Console is to use the search feature. - -**To search for multiple computers** - -1. In the WSUS Administration Console, go to *Server_Name*\Computers\All Computers, right-click **All Computers**, and then click **Search**. - -2. In the search box, type **WIN10**. - -3. In the search results, select the computers, right-click the selection, and then click **Change Membership**. - - ![Example of UI](images/waas-wsus-fig9.png) - -4. Select the **Ring 3 Broad IT** deployment ring, and then click **OK**. - -You can now see these computers in the **Ring 3 Broad IT** computer group. - - - -## Use Group Policy to populate deployment rings - -The WSUS Administration Console provides a friendly interface from which you can manage Windows 10 quality and feature updates. When you need to add many computers to their correct WSUS deployment ring, however, it can be time-consuming to do so manually in the WSUS Administration Console. For these cases, consider using Group Policy to target the correct computers, automatically adding them to the correct WSUS deployment ring based on an Active Directory security group. This process is called *client-side targeting*. Before enabling client-side targeting in Group Policy, you must configure WSUS to accept Group Policy computer assignment. - -**To configure WSUS to allow client-side targeting from Group Policy** - -1. Open the WSUS Administration Console, and go to *Server_Name*\Options, and then click **Computers**. - - ![Example of UI](images/waas-wsus-fig10.png) - -2. In the **Computers** dialog box, select **Use Group Policy or registry settings on computers**, and then click **OK**. - - >[!NOTE] - >This option is exclusively either-or. When you enable WSUS to use Group Policy for group assignment, you can no longer manually add computers through the WSUS Administration Console until you change the option back. - -Now that WSUS is ready for client-side targeting, complete the following steps to use Group Policy to configure client-side targeting: - -**To configure client-side targeting** - ->[!TIP] ->When using client-side targeting, consider giving security groups the same names as your deployment rings. Doing so simplifies the policy-creation process and helps ensure that you don’t add computers to the incorrect rings. - -1. Open GPMC. - -2. Expand Forest\Domains\\*Your_Domain*. - -3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**. - -4. In the **New GPO** dialog box, type **WSUS – Client Targeting – Ring 4 Broad Business Users** for the name of the new GPO. - -5. Right-click the **WSUS – Client Targeting – Ring 4 Broad Business Users** GPO, and then click **Edit**. - - ![Example of UI](images/waas-wsus-fig11.png) - -6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update. - -7. Right-click **Enable client-side targeting**, and then click **Edit**. - -8. In the **Enable client-side targeting** dialog box, select **Enable**. - -9. In the **Target group name for this computer** box, type **Ring 4 Broad Business Users**. This is the name of the deployment ring in WSUS to which these computers will be added. - - ![Example of UI](images/waas-wsus-fig12.png) - -10. Close the Group Policy Management Editor. - -Now you’re ready to deploy this GPO to the correct computer security group for the **Ring 4 Broad Business Users** deployment ring. - -**To scope the GPO to a group** - -1. In GPMC, select the **WSUS – Client Targeting – Ring 4 Broad Business Users** policy. - -2. Click the **Scope** tab. - -3. Under **Security Filtering**, remove the default **AUTHENTICATED USERS** security group, and then add the **Ring 4 Broad Business Users** group. - - ![Example of UI](images/waas-wsus-fig13.png) - -The next time the clients in the **Ring 4 Broad Business Users** security group receive their computer policy and contact WSUS, they will be added to the **Ring 4 Broad Business Users** deployment ring. - -## Automatically approve and deploy feature updates - -For clients that should have their feature updates approved as soon as they’re available, you can configure Automatic Approval rules in WSUS. - ->[!NOTE] ->WSUS respects the client’s servicing branch. If you approve a feature update while it is still Current Branch (CB), WSUS will install the update only on PCs that are in the CB servicing branch. When Microsoft releases the build for Current Branch for Business (CBB), the PCs in the CBB servicing branch will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS. - -**To configure an Automatic Approval rule for Windows 10 feature updates and approve them for the Ring 3 Broad IT deployment ring** - -1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Options, and then select **Automatic Approvals**. - -2. On the **Update Rules** tab, click **New Rule**. - -3. In the **Add Rule** dialog box, select the **When an update is in a specific classification**, **When an update is in a specific product**, and **Set a deadline for the approval** check boxes. - - ![Example of UI](images/waas-wsus-fig14.png) - -4. In the **Edit the properties** area, select **any classification**. Clear everything except **Upgrades**, and then click **OK**. - -5. In the **Edit the properties area**, click the **any product** link. Clear all check boxes except **Windows 10**, and then click **OK**. - - Windows 10 is under All Products\Microsoft\Windows. - -6. In the **Edit the properties** area, click the **all computers** link. Clear all the computer group check boxes except **Ring 3 Broad IT**, and then click **OK**. - -7. Leave the deadline set for **7 days after the approval at 3:00 AM**. - -8. In the **Step 3: Specify a name** box, type **Windows 10 Upgrade Auto-approval for Ring 3 Broad IT**, and then click **OK**. - - ![Example of UI](images/waas-wsus-fig15.png) - -9. In the **Automatic Approvals** dialog box, click **OK**. - - >[!NOTE] - >WSUS does not honor any existing month/week/day deferral settings for CB or CBB. That said, if you’re using Windows Update for Business for a computer for which WSUS is also managing updates, when WSUS approves the update, it will be installed on the computer regardless of whether you configured Group Policy to wait. - -Now, whenever Windows 10 feature updates are published to WSUS, they will automatically be approved for the **Ring 3 Broad IT** deployment ring with an installation deadline of 1 week. - -## Manually approve and deploy feature updates - -You can manually approve updates and set deadlines for installation within the WSUS Administration Console, as well. To simplify the manual approval process, start by creating a software update view that contains only Windows 10 updates. - -**To approve and deploy feature updates manually** - -1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates. In the **Action** pane, click **New Update View**. - -2. In the **Add Update View** dialog box, select **Updates are in a specific classification** and **Updates are for a specific product**. - -3. Under **Step 2: Edit the properties**, click **any classification**. Clear all check boxes except **Upgrades**, and then click **OK**. - -4. Under **Step 2: Edit the properties**, click **any product**. Clear all check boxes except **Windows 10**, and then click **OK**. - - Windows 10 is under All Products\Microsoft\Windows. - -5. In the **Step 3: Specify a name** box, type **All Windows 10 Upgrades**, and then click **OK**. - - ![Example of UI](images/waas-wsus-fig16.png) - -Now that you have the All Windows 10 Upgrades view, complete the following steps to manually approve an update for the **Ring 4 Broad Business Users** deployment ring: - -1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates\All Windows 10 Upgrades. - -2. Right-click the feature update you want to deploy, and then click **Approve**. - - ![Example of UI](images/waas-wsus-fig17.png) - -3. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, select **Approved for Install**. - - ![Example of UI](images/waas-wsus-fig18.png) - -4. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, click **Deadline**, click **One Week**, and then click **OK**. - - ![Example of UI](images/waas-wsus-fig19.png) - -5. If the **Microsoft Software License Terms** dialog box opens, click **Accept**. - - If the deployment is successful, you should receive a successful progress report. - - ![Example of UI](images/waas-wsus-fig20.png) - -6. In the **Approval Progress** dialog box, click **Close**. - -
          - -## Steps to manage updates for Windows 10 - -| | | -| --- | --- | -| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) | -| ![done](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | -| ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | -| ![done](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | -| ![done](images/checklistdone.png) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | -| ![done](images/checklistdone.png) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
          or Deploy Windows 10 updates using Windows Server Update Services (this topic)
          or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | - - - -## Related topics - -- [Update Windows 10 in the enterprise](index.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) -- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) -- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) -- [Manage device restarts after updates](waas-restart.md) +--- +title: Deploy Windows 10 updates using Windows Server Update Services (Windows 10) +description: WSUS allows companies to defer, selectively approve, choose when delivered, and determine which devices receive updates. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.author: greglin +ms.date: 10/16/2017 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Deploy Windows 10 updates using Windows Server Update Services (WSUS) + + +**Applies to** + +- Windows 10 + +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + +>[!IMPORTANT] +>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products. +> +>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. + +WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that System Center Configuration Manager provides. + +When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows 10 client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you’re currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 10. + + + +## Requirements for Windows 10 servicing with WSUS + +To be able to use WSUS to manage and deploy Windows 10 feature updates, you must have WSUS 4.0, which is available in the Windows Server 2012 R2 and Windows Server 2012 operating systems. In addition to WSUS 4.0, you must install the [KB3095113](https://support.microsoft.com/kb/3095113) and [KB3159706](https://support.microsoft.com/kb/3159706) patches on the WSUS server. + +## WSUS scalability + +To use WSUS to manage all Windows updates, some organizations may need access to WSUS from a perimeter network, or they might have some other complex scenario. WSUS is highly scalable and configurable for organizations of any size or site layout. For specific information about scaling WSUS, including upstream and downstream server configuration, branch offices, WSUS load balancing, and other complex scenarios, see [Choose a Type of WSUS Deployment](https://technet.microsoft.com/library/cc720448%28v=ws.10%29.aspx). + + +## Express Installation Files + +With Windows 10, quality updates will be larger than traditional Windows Updates because they’re cumulative. To manage the bandwidth clients downloading large updates like these will need, WSUS has a feature called *Express Installation Files*. + + At a binary level, files associated with updates may not change a lot. In fact, with cumulative quality updates, most of the content will be from previous updates. Rather than downloading the entire update when only a small percentage of the payload is actually different, Express Installation Files analyze the differences between the new files associated with an update and the existing files on the client. This approach significantly reduces the amount of bandwidth used because only a fraction of the update content is actually delivered. + + **To configure WSUS to download Express Update Files** + +1. Open the WSUS Administration Console. + +2. In the navigation pane, go to *Your_Server*\\**Options**. + +3. In the **Options** section, click **Update Files and Languages**. + + ![Example of UI](images/waas-wsus-fig1.png) + +4. In the **Update Files and Languages** dialog box, select **Download express installation files**. + + ![Example of UI](images/waas-wsus-fig2.png) + + >[!NOTE] + >Because Windows 10 updates are cumulative, enabling Express Installation Files when WSUS is configured to download Windows 10 updates will significantly increase the amount of disk space that WSUS requires. Alternatively, when using Express Installation Files for previous versions of Windows, the feature’s positive effects aren’t noticeable because the updates aren’t cumulative. + +## Configure automatic updates and update service location + +When using WSUS to manage updates on Windows client devices, start by configuring the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings for your environment. Doing so forces the affected clients to contact the WSUS server so that it can manage them. The following process describes how to specify these settings and deploy them to all devices in the domain. + +**To configure the Configure Automatic Updates and Intranet Microsoft Update Service Location Group Policy settings for your environment** + +1. Open GPMC. + +2. Expand Forest\Domains\\*Your_Domain*. + +3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**. + + ![Example of UI](images/waas-wsus-fig3.png) + + >[!NOTE] + >In this example, the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings are specified for the entire domain. This is not a requirement; you can target these settings to any security group by using Security Filtering or a specific OU. + +4. In the **New GPO** dialog box, name the new GPO **WSUS – Auto Updates and Intranet Update Service Location**. + +5. Right-click the **WSUS – Auto Updates and Intranet Update Service Location** GPO, and then click **Edit**. + +6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update. + +7. Right-click the **Configure Automatic Updates** setting, and then click **Edit**. + + ![Example of UI](images/waas-wsus-fig4.png) + +8. In the **Configure Automatic Updates** dialog box, select **Enable**. + +9. Under **Options**, from the **Configure automatic updating** list, select **3 - Auto download and notify for install**, and then click **OK**. + + ![Example of UI](images/waas-wsus-fig5.png) + + > [!NOTE] + > ?There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](https://technet.microsoft.com/library/cc720539%28v=ws.10%29.aspx). + +10. Right-click the **Specify intranet Microsoft update service location** setting, and then click **Edit**. + +11. In the **Specify intranet Microsoft update service location** dialog box, select **Enable**. + +12. Under **Options**, in the **Set the intranet update service for detecting updates** and **Set the intranet statistics server** options, type http://Your_WSUS_Server_FQDN:PortNumber, and then click **OK**. + + >[!NOTE] + >The URL `http://CONTOSO-WSUS1.contoso.com:8530` in the following image is just an example. In your environment, be sure to use the server name and port number for your WSUS instance. + + ![Example of UI](images/waas-wsus-fig6.png) + + >[!NOTE] + >The default HTTP port for WSUS is 8530, and the default HTTP over Secure Sockets Layer (HTTPS) port is 8531. If you’re unsure which port WSUS is using for client communication, right-click the WSUS Administration site in IIS Manager, and then click **Edit Bindings**. + +As Windows clients refresh their computer policies (the default Group Policy refresh setting is 90 minutes and when a computer restarts), computers start to appear in WSUS. Now that clients are communicating with the WSUS server, create the computer groups that align with your deployment rings. + +## Create computer groups in the WSUS Administration Console + +>[!NOTE] +>The following procedures use the groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) as examples. + +You can use computer groups to target a subset of devices that have specific quality and feature updates. These groups represent your deployment rings, as controlled by WSUS. You can populate the groups either manually by using the WSUS Administration Console or automatically through Group Policy. Regardless of the method you choose, you must first create the groups in the WSUS Administration Console. + +**To create computer groups in the WSUS Administration Console** + +1. Open the WSUS Administration Console. + +2. Go to *Server_Name*\Computers\All Computers, and then click **Add Computer Group**. + + ![Example of UI](images/waas-wsus-fig7.png) + +3. Type **Ring 2 Pilot Business Users** for the name, and then click **Add**. + +4. Repeat these steps for the **Ring 3 Broad IT** and **Ring 4 Broad Business Users** groups. When you’re finished, there should be three deployment ring groups. + +Now that the groups have been created, add the computers to the computer groups that align with the desired deployment rings. You can do this through [Group Policy](#wsus-gp) or manually by using the [WSUS Administration Console](#wsus-admin). + + +## Use the WSUS Administration Console to populate deployment rings + +Adding computers to computer groups in the WSUS Administration Console is simple, but it could take much longer than managing membership through Group Policy, especially if you have many computers to add. Adding computers to computer groups in the WSUS Administration Console is called *server-side targeting*. + +In this example, you add computers to computer groups in two different ways: by manually assigning unassigned computers and by searching for multiple computers. + +### Manually assign unassigned computers to groups + +When new computers communicate with WSUS, they appear in the **Unassigned Computers** group. From there, you can use the following procedure to add computers to their correct groups. For these examples, you use two Windows 10 PCs (WIN10-PC1 and WIN10-PC2) to add to the computer groups. + +**To assign computers manually** + +1. In the WSUS Administration Console, go to *Server_Name*\Computers\All Computers\Unassigned Computers. + + Here, you see the new computers that have received the GPO you created in the previous section and started communicating with WSUS. This example has only two computers; depending on how broadly you deployed your policy, you will likely have many computers here. + +2. Select both computers, right-click the selection, and then click **Change Membership**. + + ![Example of UI](images/waas-wsus-fig8.png) + +3. In the **Set Computer Group Membership** dialog box, select the **Ring 2 Pilot Business Users** deployment ring, and then click **OK**. + + Because they were assigned to a group, the computers are no longer in the **Unassigned Computers** group. If you select the **Ring 2 Pilot Business Users** computer group, you will see both computers there. + +### Search for multiple computers to add to groups + +Another way to add multiple computers to a deployment ring in the WSUS Administration Console is to use the search feature. + +**To search for multiple computers** + +1. In the WSUS Administration Console, go to *Server_Name*\Computers\All Computers, right-click **All Computers**, and then click **Search**. + +2. In the search box, type **WIN10**. + +3. In the search results, select the computers, right-click the selection, and then click **Change Membership**. + + ![Example of UI](images/waas-wsus-fig9.png) + +4. Select the **Ring 3 Broad IT** deployment ring, and then click **OK**. + +You can now see these computers in the **Ring 3 Broad IT** computer group. + + + +## Use Group Policy to populate deployment rings + +The WSUS Administration Console provides a friendly interface from which you can manage Windows 10 quality and feature updates. When you need to add many computers to their correct WSUS deployment ring, however, it can be time-consuming to do so manually in the WSUS Administration Console. For these cases, consider using Group Policy to target the correct computers, automatically adding them to the correct WSUS deployment ring based on an Active Directory security group. This process is called *client-side targeting*. Before enabling client-side targeting in Group Policy, you must configure WSUS to accept Group Policy computer assignment. + +**To configure WSUS to allow client-side targeting from Group Policy** + +1. Open the WSUS Administration Console, and go to *Server_Name*\Options, and then click **Computers**. + + ![Example of UI](images/waas-wsus-fig10.png) + +2. In the **Computers** dialog box, select **Use Group Policy or registry settings on computers**, and then click **OK**. + + >[!NOTE] + >This option is exclusively either-or. When you enable WSUS to use Group Policy for group assignment, you can no longer manually add computers through the WSUS Administration Console until you change the option back. + +Now that WSUS is ready for client-side targeting, complete the following steps to use Group Policy to configure client-side targeting: + +**To configure client-side targeting** + +>[!TIP] +>When using client-side targeting, consider giving security groups the same names as your deployment rings. Doing so simplifies the policy-creation process and helps ensure that you don’t add computers to the incorrect rings. + +1. Open GPMC. + +2. Expand Forest\Domains\\*Your_Domain*. + +3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**. + +4. In the **New GPO** dialog box, type **WSUS – Client Targeting – Ring 4 Broad Business Users** for the name of the new GPO. + +5. Right-click the **WSUS – Client Targeting – Ring 4 Broad Business Users** GPO, and then click **Edit**. + + ![Example of UI](images/waas-wsus-fig11.png) + +6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update. + +7. Right-click **Enable client-side targeting**, and then click **Edit**. + +8. In the **Enable client-side targeting** dialog box, select **Enable**. + +9. In the **Target group name for this computer** box, type **Ring 4 Broad Business Users**. This is the name of the deployment ring in WSUS to which these computers will be added. + + ![Example of UI](images/waas-wsus-fig12.png) + +10. Close the Group Policy Management Editor. + +Now you’re ready to deploy this GPO to the correct computer security group for the **Ring 4 Broad Business Users** deployment ring. + +**To scope the GPO to a group** + +1. In GPMC, select the **WSUS – Client Targeting – Ring 4 Broad Business Users** policy. + +2. Click the **Scope** tab. + +3. Under **Security Filtering**, remove the default **AUTHENTICATED USERS** security group, and then add the **Ring 4 Broad Business Users** group. + + ![Example of UI](images/waas-wsus-fig13.png) + +The next time the clients in the **Ring 4 Broad Business Users** security group receive their computer policy and contact WSUS, they will be added to the **Ring 4 Broad Business Users** deployment ring. + +## Automatically approve and deploy feature updates + +For clients that should have their feature updates approved as soon as they’re available, you can configure Automatic Approval rules in WSUS. + +>[!NOTE] +>WSUS respects the client’s servicing branch. If you approve a feature update while it is still Current Branch (CB), WSUS will install the update only on PCs that are in the CB servicing branch. When Microsoft releases the build for Current Branch for Business (CBB), the PCs in the CBB servicing branch will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS. + +**To configure an Automatic Approval rule for Windows 10 feature updates and approve them for the Ring 3 Broad IT deployment ring** + +1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Options, and then select **Automatic Approvals**. + +2. On the **Update Rules** tab, click **New Rule**. + +3. In the **Add Rule** dialog box, select the **When an update is in a specific classification**, **When an update is in a specific product**, and **Set a deadline for the approval** check boxes. + + ![Example of UI](images/waas-wsus-fig14.png) + +4. In the **Edit the properties** area, select **any classification**. Clear everything except **Upgrades**, and then click **OK**. + +5. In the **Edit the properties area**, click the **any product** link. Clear all check boxes except **Windows 10**, and then click **OK**. + + Windows 10 is under All Products\Microsoft\Windows. + +6. In the **Edit the properties** area, click the **all computers** link. Clear all the computer group check boxes except **Ring 3 Broad IT**, and then click **OK**. + +7. Leave the deadline set for **7 days after the approval at 3:00 AM**. + +8. In the **Step 3: Specify a name** box, type **Windows 10 Upgrade Auto-approval for Ring 3 Broad IT**, and then click **OK**. + + ![Example of UI](images/waas-wsus-fig15.png) + +9. In the **Automatic Approvals** dialog box, click **OK**. + + >[!NOTE] + >WSUS does not honor any existing month/week/day deferral settings for CB or CBB. That said, if you’re using Windows Update for Business for a computer for which WSUS is also managing updates, when WSUS approves the update, it will be installed on the computer regardless of whether you configured Group Policy to wait. + +Now, whenever Windows 10 feature updates are published to WSUS, they will automatically be approved for the **Ring 3 Broad IT** deployment ring with an installation deadline of 1 week. + +## Manually approve and deploy feature updates + +You can manually approve updates and set deadlines for installation within the WSUS Administration Console, as well. To simplify the manual approval process, start by creating a software update view that contains only Windows 10 updates. + +**To approve and deploy feature updates manually** + +1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates. In the **Action** pane, click **New Update View**. + +2. In the **Add Update View** dialog box, select **Updates are in a specific classification** and **Updates are for a specific product**. + +3. Under **Step 2: Edit the properties**, click **any classification**. Clear all check boxes except **Upgrades**, and then click **OK**. + +4. Under **Step 2: Edit the properties**, click **any product**. Clear all check boxes except **Windows 10**, and then click **OK**. + + Windows 10 is under All Products\Microsoft\Windows. + +5. In the **Step 3: Specify a name** box, type **All Windows 10 Upgrades**, and then click **OK**. + + ![Example of UI](images/waas-wsus-fig16.png) + +Now that you have the All Windows 10 Upgrades view, complete the following steps to manually approve an update for the **Ring 4 Broad Business Users** deployment ring: + +1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates\All Windows 10 Upgrades. + +2. Right-click the feature update you want to deploy, and then click **Approve**. + + ![Example of UI](images/waas-wsus-fig17.png) + +3. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, select **Approved for Install**. + + ![Example of UI](images/waas-wsus-fig18.png) + +4. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, click **Deadline**, click **One Week**, and then click **OK**. + + ![Example of UI](images/waas-wsus-fig19.png) + +5. If the **Microsoft Software License Terms** dialog box opens, click **Accept**. + + If the deployment is successful, you should receive a successful progress report. + + ![Example of UI](images/waas-wsus-fig20.png) + +6. In the **Approval Progress** dialog box, click **Close**. + +
          + +## Steps to manage updates for Windows 10 + +| | | +| --- | --- | +| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) | +| ![done](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | +| ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | +| ![done](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | +| ![done](images/checklistdone.png) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | +| ![done](images/checklistdone.png) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
          or Deploy Windows 10 updates using Windows Server Update Services (this topic)
          or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | + + + +## Related topics + +- [Update Windows 10 in the enterprise](index.md) +- [Overview of Windows as a service](waas-overview.md) +- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) +- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) +- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) +- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) +- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) +- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) +- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) +- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) +- [Configure Windows Update for Business](waas-configure-wufb.md) +- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) +- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) +- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) +- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/update/waas-mobile-updates.md b/windows/deployment/update/waas-mobile-updates.md index 64cc697106..a968d2c48c 100644 --- a/windows/deployment/update/waas-mobile-updates.md +++ b/windows/deployment/update/waas-mobile-updates.md @@ -1,94 +1,94 @@ ---- -title: Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile (Windows 10) -description: tbd -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.date: 07/27/2017 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile - - -**Applies to** - -- Windows 10 Mobile -- [Windows 10 IoT Mobile](https://www.microsoft.com/en-us/WindowsForBusiness/windows-iot) - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - ->[!TIP] ->If you're not familiar with the Windows 10 servicing or release channels, read [Servicing channels](waas-overview.md#servicing-channels) first. - -Devices running Windows 10 Mobile and Windows 10 IoT Mobile receive updates from the Semi-annual channel unless you [enroll the device in the Windows Insider Program](waas-servicing-channels-windows-10-updates.md#enroll-devices-in-the-windows-insider-program) or assign the device to Current Branch for Business (CBB). Only devices running Windows 10 Mobile Enterprise or Windows 10 IoT Mobile can be assigned to CBB. - -[Learn how to upgrade Windows 10 Mobile to Windows 10 Mobile Enterprise](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades) - -
          - ->[!IMPORTANT] ->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products. -> ->In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. - -| Windows 10 edition | CB | CBB | Insider Program | -| --- | --- | --- | --- | --- | -| Mobile | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | -| Mobile Enterprise | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | -| IoT Mobile | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | - -
          - -Configuration of Windows 10 Mobile and Windows 10 IoT Mobile devices is limited to the feature set pertaining to Quality Updates only. That is, Windows Mobile Feature Updates are categorized the same as Quality Updates, and can only be deferred by setting the Quality Update deferral period, for a maximum period of 30 days. You can use mobile device management (MDM) to manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile. Updates cannot be managed for Windows 10 Mobile. - -## Windows 10, version 1511 - -Only the following Windows Update for Business policies are supported for Windows 10 Mobile and Windows 10 IoT Mobile: - -- ../Vendor/MSFT/Policy/Config/Update/RequireDeferredUpgrade -- ../Vendor/MSFT/Policy/Config/Update/DeferUpdatePeriod -- ../Vendor/MSFT/Policy/Config/Update/PauseDeferrals - -To defer the update period or pause deferrals, the device must be configured for CBB servicing branch by applying the **RequireDeferredUpgrade** policy. - -## Windows 10, version 1607 - -Only the following Windows Update for Business policies are supported for Windows 10 Mobile and Windows 10 IoT Mobile: - -- ../Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel -- ../Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesInDays -- ../Vendor/MSFT/Policy/Config/Update/PauseQualityUpdates - -In version 1607, you can defer and pause updates for devices on both the CB and CBB servicing branches. - -If a device running Windows 10 Mobile Enterprise or Windows 10 IoT Mobile, version 1511, has Windows Update for Business policies applied and is then updated to version 1607, version 1511 policies continue to apply until version 1607 policies are applied. - - - -## Related topics - -- [Update Windows 10 in the enterprise](index.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) -- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) -- [Manage device restarts after updates](waas-restart.md) - - - +--- +title: Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile (Windows 10) +description: tbd +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.author: greglin +ms.date: 07/27/2017 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile + + +**Applies to** + +- Windows 10 Mobile +- [Windows 10 IoT Mobile](https://www.microsoft.com/en-us/WindowsForBusiness/windows-iot) + +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + +>[!TIP] +>If you're not familiar with the Windows 10 servicing or release channels, read [Servicing channels](waas-overview.md#servicing-channels) first. + +Devices running Windows 10 Mobile and Windows 10 IoT Mobile receive updates from the Semi-annual channel unless you [enroll the device in the Windows Insider Program](waas-servicing-channels-windows-10-updates.md#enroll-devices-in-the-windows-insider-program) or assign the device to Current Branch for Business (CBB). Only devices running Windows 10 Mobile Enterprise or Windows 10 IoT Mobile can be assigned to CBB. + +[Learn how to upgrade Windows 10 Mobile to Windows 10 Mobile Enterprise](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades) + +
          + +>[!IMPORTANT] +>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products. +> +>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. + +| Windows 10 edition | CB | CBB | Insider Program | +| --- | --- | --- | --- | --- | +| Mobile | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | +| Mobile Enterprise | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | +| IoT Mobile | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | + +
          + +Configuration of Windows 10 Mobile and Windows 10 IoT Mobile devices is limited to the feature set pertaining to Quality Updates only. That is, Windows Mobile Feature Updates are categorized the same as Quality Updates, and can only be deferred by setting the Quality Update deferral period, for a maximum period of 30 days. You can use mobile device management (MDM) to manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile. Updates cannot be managed for Windows 10 Mobile. + +## Windows 10, version 1511 + +Only the following Windows Update for Business policies are supported for Windows 10 Mobile and Windows 10 IoT Mobile: + +- ../Vendor/MSFT/Policy/Config/Update/RequireDeferredUpgrade +- ../Vendor/MSFT/Policy/Config/Update/DeferUpdatePeriod +- ../Vendor/MSFT/Policy/Config/Update/PauseDeferrals + +To defer the update period or pause deferrals, the device must be configured for CBB servicing branch by applying the **RequireDeferredUpgrade** policy. + +## Windows 10, version 1607 + +Only the following Windows Update for Business policies are supported for Windows 10 Mobile and Windows 10 IoT Mobile: + +- ../Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel +- ../Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesInDays +- ../Vendor/MSFT/Policy/Config/Update/PauseQualityUpdates + +In version 1607, you can defer and pause updates for devices on both the CB and CBB servicing branches. + +If a device running Windows 10 Mobile Enterprise or Windows 10 IoT Mobile, version 1511, has Windows Update for Business policies applied and is then updated to version 1607, version 1511 policies continue to apply until version 1607 policies are applied. + + + +## Related topics + +- [Update Windows 10 in the enterprise](index.md) +- [Overview of Windows as a service](waas-overview.md) +- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) +- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) +- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) +- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) +- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) +- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) +- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) +- [Configure Windows Update for Business](waas-configure-wufb.md) +- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) +- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) +- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) +- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) +- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Manage device restarts after updates](waas-restart.md) + + + diff --git a/windows/deployment/update/waas-morenews.md b/windows/deployment/update/waas-morenews.md index 454491e609..b1122abef6 100644 --- a/windows/deployment/update/waas-morenews.md +++ b/windows/deployment/update/waas-morenews.md @@ -1,51 +1,51 @@ ---- -title: Windows as a service -ms.prod: w10 -ms.topic: article -ms.manager: elizapo -author: greg-lindsay -ms.author: greglin -ms.date: 12/19/2018 -ms.reviewer: -manager: laurawi -ms.localizationpriority: high -ms.topic: article ---- -# Windows as a service - More news - -Here's more news about [Windows as a service](windows-as-a-service.md): - - +--- +title: Windows as a service +ms.prod: w10 +ms.topic: article +ms.manager: elizapo +audience: itpro author: greg-lindsay +ms.author: greglin +ms.date: 12/19/2018 +ms.reviewer: +manager: laurawi +ms.localizationpriority: high +ms.topic: article +--- +# Windows as a service - More news + +Here's more news about [Windows as a service](windows-as-a-service.md): + + diff --git a/windows/deployment/update/waas-optimize-windows-10-updates.md b/windows/deployment/update/waas-optimize-windows-10-updates.md index f4255e3760..b620db134e 100644 --- a/windows/deployment/update/waas-optimize-windows-10-updates.md +++ b/windows/deployment/update/waas-optimize-windows-10-updates.md @@ -1,111 +1,111 @@ ---- -title: Optimize update delivery for Windows 10 updates (Windows 10) -description: Two methods of peer-to-peer content distribution are available in Windows 10, Delivery Optimization and BranchCache. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greg-lindsay -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Optimize Windows 10 update delivery - - -**Applies to** - -- Windows 10 - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -When considering your content distribution strategy for Windows 10, think about enabling a form of peer-to-peer content sharing to reduce bandwidth issues during updates. Windows 10 offers two peer-to-peer options for update content distribution: Delivery Optimization and BranchCache. These technologies can be used with several of the servicing tools for Windows 10. - -Two methods of peer-to-peer content distribution are available in Windows 10. - -- [Delivery Optimization](waas-delivery-optimization.md) is a new peer-to-peer distribution method in Windows 10. Windows 10 clients can source content from other devices on their local network that have already downloaded the updates or from peers over the internet. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfil peer-to-peer requests. - - Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources as well as the time it takes for clients to retrieve the updates. - -- [BranchCache](waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of Windows Server 2016 and Windows 10 operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7. - - >[!NOTE] - >Full BranchCache functionality is supported in Windows 10 Enterprise and Education; Windows 10 Pro supports some BranchCache functionality, including BITS transfers used for servicing operations. - - Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to allow peers to source content from each other versus always having to contact a server. Using BranchCache, files are cached on each individual client, and other clients can retrieve them as needed. This approach distributes the cache rather than having a single point of retrieval, saving a significant amount of bandwidth while drastically reducing the time that it takes for clients to receive the requested content. - -

          - -| Method | Windows Update | Windows Update for Business | WSUS | Configuration Manager | -| --- | --- | --- | --- | --- | -| Delivery Optimization | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | -| BranchCache | ![no](images/crossmark.png) | ![no](images/crossmark.png) |![yes](images/checkmark.png) | ![yes](images/checkmark.png) | - ->[!NOTE] ->System Center Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use System Center Configuration Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/client-peer-cache). -> ->In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with System Center Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in System Center Configuration Manager](https://technet.microsoft.com/library/mt613173.aspx). - -## Express update delivery - -Windows 10 quality update downloads can be large because every package contains all previously released fixes to ensure consistency and simplicity. Windows has been able to reduce the size of Windows Update downloads with a feature called Express. - ->[!NOTE] ->Express update delivery applies to quality update downloads. Starting with Windows 10, version 1709, Express update delivery also applies to feature update downloads for clients connected to Windows Update and Windows Update for Business. - -### How Microsoft supports Express -- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or later, or Windows 10, version 1607 with the April 2017 cumulative update. -- **Express on WSUS Standalone** - - Express update delivery is available on [all support versions of WSUS](https://technet.microsoft.com/library/cc708456(v=ws.10).aspx). -- **Express on devices directly connected to Windows Update** -- **Enterprise devices managed using [Windows Update for Business](waas-manage-updates-wufb.md)** also get the benefit of Express update delivery support without any change in configuration. - -### How Express download works - -For OS updates that support Express, there are two versions of the file payload stored on the service: -1. **Full-file version** - essentially replacing the local versions of the update binaries. -2. **Express version** - containing the deltas needed to patch the existing binaries on the device. - -Both the full-file version and the Express version are referenced in the update's metadata, which has been downloaded to the client as part of the scan phase. - -**Express download works as follows:** - -The Windows Update client will try to download Express first, and under certain situations fall back to full-file if needed (for example, if going through a proxy that doesn't support byte range requests). - -1. When the Windows Update client initiates an Express download, **Windows Update first downloads a stub**, which is part of the Express package. -2. **The Windows Update client passes this stub to the Windows installer**, which uses the stub to do a local inventory, comparing the deltas of the file on the device with what is needed to get to the latest version of the file being offered. -3. **The Windows installer then requests the Windows Update client to download the ranges**, which have been determined to be required. -4. **The client downloads these ranges and passes them to the Windows Installer**, which applies the ranges and then determines if additional ranges are needed. This repeats until the Windows installer tells the Windows Update client that all necessary ranges have been downloaded. - -At this point, the download is complete and the update is ready to be installed. - ->[!TIP] ->Express will **always** be leveraged if your machines are updated regularly with the latest cumulative updates. - -## Steps to manage updates for Windows 10 - -| | | -| --- | --- | -| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) | -| ![done](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | -| ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | -| ![done](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | -| ![done](images/checklistdone.png) | Optimize update delivery for Windows 10 updates (this topic) | -| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
          or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
          or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | - - -## Related topics - - -- [Update Windows 10 in the enterprise](index.md) -- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) -- [Manage device restarts after updates](waas-restart.md) +--- +title: Optimize update delivery for Windows 10 updates (Windows 10) +description: Two methods of peer-to-peer content distribution are available in Windows 10, Delivery Optimization and BranchCache. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Optimize Windows 10 update delivery + + +**Applies to** + +- Windows 10 + +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + +When considering your content distribution strategy for Windows 10, think about enabling a form of peer-to-peer content sharing to reduce bandwidth issues during updates. Windows 10 offers two peer-to-peer options for update content distribution: Delivery Optimization and BranchCache. These technologies can be used with several of the servicing tools for Windows 10. + +Two methods of peer-to-peer content distribution are available in Windows 10. + +- [Delivery Optimization](waas-delivery-optimization.md) is a new peer-to-peer distribution method in Windows 10. Windows 10 clients can source content from other devices on their local network that have already downloaded the updates or from peers over the internet. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfil peer-to-peer requests. + + Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources as well as the time it takes for clients to retrieve the updates. + +- [BranchCache](waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of Windows Server 2016 and Windows 10 operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7. + + >[!NOTE] + >Full BranchCache functionality is supported in Windows 10 Enterprise and Education; Windows 10 Pro supports some BranchCache functionality, including BITS transfers used for servicing operations. + + Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to allow peers to source content from each other versus always having to contact a server. Using BranchCache, files are cached on each individual client, and other clients can retrieve them as needed. This approach distributes the cache rather than having a single point of retrieval, saving a significant amount of bandwidth while drastically reducing the time that it takes for clients to receive the requested content. + +

          + +| Method | Windows Update | Windows Update for Business | WSUS | Configuration Manager | +| --- | --- | --- | --- | --- | +| Delivery Optimization | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | +| BranchCache | ![no](images/crossmark.png) | ![no](images/crossmark.png) |![yes](images/checkmark.png) | ![yes](images/checkmark.png) | + +>[!NOTE] +>System Center Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use System Center Configuration Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/client-peer-cache). +> +>In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with System Center Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in System Center Configuration Manager](https://technet.microsoft.com/library/mt613173.aspx). + +## Express update delivery + +Windows 10 quality update downloads can be large because every package contains all previously released fixes to ensure consistency and simplicity. Windows has been able to reduce the size of Windows Update downloads with a feature called Express. + +>[!NOTE] +>Express update delivery applies to quality update downloads. Starting with Windows 10, version 1709, Express update delivery also applies to feature update downloads for clients connected to Windows Update and Windows Update for Business. + +### How Microsoft supports Express +- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or later, or Windows 10, version 1607 with the April 2017 cumulative update. +- **Express on WSUS Standalone** + + Express update delivery is available on [all support versions of WSUS](https://technet.microsoft.com/library/cc708456(v=ws.10).aspx). +- **Express on devices directly connected to Windows Update** +- **Enterprise devices managed using [Windows Update for Business](waas-manage-updates-wufb.md)** also get the benefit of Express update delivery support without any change in configuration. + +### How Express download works + +For OS updates that support Express, there are two versions of the file payload stored on the service: +1. **Full-file version** - essentially replacing the local versions of the update binaries. +2. **Express version** - containing the deltas needed to patch the existing binaries on the device. + +Both the full-file version and the Express version are referenced in the update's metadata, which has been downloaded to the client as part of the scan phase. + +**Express download works as follows:** + +The Windows Update client will try to download Express first, and under certain situations fall back to full-file if needed (for example, if going through a proxy that doesn't support byte range requests). + +1. When the Windows Update client initiates an Express download, **Windows Update first downloads a stub**, which is part of the Express package. +2. **The Windows Update client passes this stub to the Windows installer**, which uses the stub to do a local inventory, comparing the deltas of the file on the device with what is needed to get to the latest version of the file being offered. +3. **The Windows installer then requests the Windows Update client to download the ranges**, which have been determined to be required. +4. **The client downloads these ranges and passes them to the Windows Installer**, which applies the ranges and then determines if additional ranges are needed. This repeats until the Windows installer tells the Windows Update client that all necessary ranges have been downloaded. + +At this point, the download is complete and the update is ready to be installed. + +>[!TIP] +>Express will **always** be leveraged if your machines are updated regularly with the latest cumulative updates. + +## Steps to manage updates for Windows 10 + +| | | +| --- | --- | +| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) | +| ![done](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | +| ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | +| ![done](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | +| ![done](images/checklistdone.png) | Optimize update delivery for Windows 10 updates (this topic) | +| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
          or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
          or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | + + +## Related topics + + +- [Update Windows 10 in the enterprise](index.md) +- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) +- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) +- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) +- [Configure Windows Update for Business](waas-configure-wufb.md) +- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) +- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) +- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) +- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 68f993905f..ff3e259787 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -5,9 +5,11 @@ keywords: updates, servicing, current, deployment, semi-annual channel, feature, ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +audience: itpro author: greg-lindsay ms.localizationpriority: medium -ms.author: greg-lindsay +ms.audience: itpro +author: greg-lindsay ms.date: 09/24/2018 ms.reviewer: manager: laurawi @@ -79,13 +81,13 @@ As part of the alignment with Windows 10 and Office 365 ProPlus, we are adopting >[!IMPORTANT] >With each Semi-Annual Channel release, we recommend beginning deployment right away to devices selected for early adoption (targeted validation) and ramp up to full deployment at your discretion, regardless of the "Targeted" designation. This will enable you to gain access to new features, experiences, and integrated security as soon as possible. For more information, see the blog post [Windows 10 and the "disappearing" SAC-T](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-and-the-disappearing-SAC-T/ba-p/199747). ->[!NOTE] +> [!NOTE] >For additional information, see the section about [Servicing Channels](#servicing-channels). > >You can also read the blog post [Waas simplified and aligned](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/), with details on this change. ->[!IMPORTANT] ->Devices on the Semi-Annual Channel (formerly called Current Branch for Business) must have their diagnostic data set to **1 (Basic)** or higher, in order to ensure that the service is performing at the expected quality. If diagnostic data is set to **0**, the device will be treated as if it were in the Semi-Annual Channel (Targeted)(formerly called Current Branch or CB) branch. For instructions to set the diagnostic data level, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels). +> [!IMPORTANT] +> Devices on the Semi-Annual Channel (formerly called Current Branch for Business) must have their diagnostic data set to **1 (Basic)** or higher, in order to ensure that the service is performing at the expected quality. If diagnostic data is set to **0**, the device will be treated as if it were in the Semi-Annual Channel (Targeted)(formerly called Current Branch or CB) branch. For instructions to set the diagnostic data level, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels). ### Feature updates @@ -140,12 +142,12 @@ Specialized systems—such as PCs that control medical equipment, point-of-sale > [!NOTE] > Windows 10 Enterprise LTSB is a separate Long Term Servicing Channel version. > ->Long-term Servicing channel is not intended for deployment on most or all the PCs in an organization; it should be used only for special-purpose devices. As a general guideline, a PC with Microsoft Office installed is a general-purpose device, typically used by an information worker, and therefore it is better suited for the Semi-Annual servicing channel. +> Long-term Servicing channel is not intended for deployment on most or all the PCs in an organization; it should be used only for special-purpose devices. As a general guideline, a PC with Microsoft Office installed is a general-purpose device, typically used by an information worker, and therefore it is better suited for the Semi-Annual servicing channel. Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSB. Instead, it typically offers new LTSC releases every 2–3 years, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. > [!NOTE] -> Windows 10 LTSB will support the currently released processors and chipsets at the time of release of the LTSB. As future CPU generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information about Windows support for the latest processor and chipsets, see [Windows Processor Requirements](https://docs.microsoft.com/windows-hardware/design/minimum/windows-processor-requirements). +> Windows 10 LTSB will support the currently released processors and chipsets at the time of release of the LTSB. As future CPU generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products). The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This edition of Windows doesn’t include a number of applications, such as Microsoft Edge, Microsoft Store, Cortana (though limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. These apps are not supported in Windows 10 Enterprise LTSB edition, even if you install by using sideloading. @@ -161,7 +163,7 @@ Microsoft recommends that all organizations have at least a few PCs enrolled in > [!NOTE] > Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub app. > ->The Windows Insider Program isn’t intended to replace Semi-Annual Channel deployments in an organization. Rather, it provides IT pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft. +> The Windows Insider Program isn’t intended to replace Semi-Annual Channel deployments in an organization. Rather, it provides IT pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft. diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md index 2c926db3d9..8a2e544771 100644 --- a/windows/deployment/update/waas-quick-start.md +++ b/windows/deployment/update/waas-quick-start.md @@ -1,95 +1,95 @@ ---- -title: Quick guide to Windows as a service (Windows 10) -description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy. -keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greg-lindsay -ms.date: 10/17/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Quick guide to Windows as a service - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile -- Windows 10 IoT Mobile - -Windows as a service is a new concept, introduced with the release of Windows 10. While [an extensive set of documentation](index.md) is available explaining all the specifics and nuances, here is a quick guide to the most important concepts. - -## Definitions - -Some new terms have been introduced as part of Windows as a service, so you should know what these terms mean. -- **Feature updates** will be released twice per year, around March and September. As the name suggests, these will add new features to Windows 10, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years. -- **Quality updates** deliver both security and non-security fixes. They are typically released on the second Tuesday of each month ("Patch Tuesday"), though they can be released at any time. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. Quality updates are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update. The "servicing stack" is the code that installs other updates, so they are important to keep current. For more information, see [Servicing stack updates](servicing-stack-updates.md). -- **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features as well as compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. -- **Servicing channels** allow organizations to choose when to deploy new features. - - The **Semi-Annual Channel** receives feature updates twice per year. - - The **Long Term Servicing Channel**, which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. -- **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization. - -See [Overview of Windows as a service](waas-overview.md) for more information. - -For some interesting in-depth information about how cumulative updates work, see [Windows Updates using forward and reverse differentials](PSFxWhitepaper.md). - -## Key Concepts - -Windows 10 gains new functionality with twice-per-year feature update releases. Initially, organizations will use these feature update releases for pilot deployments to ensure compatibility with existing apps and infrastructure. After a period of time, typically about four months after the feature update release, broad deployment throughout the organization can begin. The exact timeframe is determined by feedback from customers, ISVs, OEMs, and others, with an explicit "ready for broad deployment" declaration signaling this to customers. - -Each Windows 10 feature update will be serviced with quality updates for 18 months from the date of the feature update release. - -Windows 10 Enterprise LTSB is a separate **Long Term Servicing Channel** version. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years. - -See [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) for more information. - -## Staying up to date - -The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of tools management and patching tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used to help with this process. [Windows Analytics Upgrade Readiness](https://www.microsoft.com/en-us/WindowsForBusiness/windows-analytics), a free tool to streamline Windows upgrade projects, is another important tool to help. - -Because app compatibility, both for desktop apps and web apps, is outstanding with Windows 10, extensive advanced testing isn’t required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin. - -This process repeats with each new feature update, twice per year. These are small deployment projects, compared to the big projects that were necessary with the old three-to-five-year Windows release cycles. - -Additional technologies such as BranchCache and Delivery Optimization, both peer-to-peer distribution tools, can help with the distribution of the feature update installation files. - -See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) and [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) for more information. - -## Video: An overview of Windows as a service - -Click the following Microsoft Mechanics video for an overview of the updated release model, particularly the Semi-Annual Channel. - - -[![YouTube video of Michael Niehouse explaining how the Semi-Annual Channel works](images/SAC_vid_crop.jpg)](https://youtu.be/qSAsiM01GOU) - -## Learn more - -- [Adopting Windows as a service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft) -- [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) - -## Related topics - -- [Update Windows 10 in the enterprise](index.md) -- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) -- [Manage device restarts after updates](waas-restart.md) - - - - - - - - +--- +title: Quick guide to Windows as a service (Windows 10) +description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy. +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.date: 10/17/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Quick guide to Windows as a service + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile +- Windows 10 IoT Mobile + +Windows as a service is a new concept, introduced with the release of Windows 10. While [an extensive set of documentation](index.md) is available explaining all the specifics and nuances, here is a quick guide to the most important concepts. + +## Definitions + +Some new terms have been introduced as part of Windows as a service, so you should know what these terms mean. +- **Feature updates** will be released twice per year, around March and September. As the name suggests, these will add new features to Windows 10, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years. +- **Quality updates** deliver both security and non-security fixes. They are typically released on the second Tuesday of each month ("Patch Tuesday"), though they can be released at any time. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. Quality updates are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update. The "servicing stack" is the code that installs other updates, so they are important to keep current. For more information, see [Servicing stack updates](servicing-stack-updates.md). +- **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features as well as compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. +- **Servicing channels** allow organizations to choose when to deploy new features. + - The **Semi-Annual Channel** receives feature updates twice per year. + - The **Long Term Servicing Channel**, which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. +- **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization. + +See [Overview of Windows as a service](waas-overview.md) for more information. + +For some interesting in-depth information about how cumulative updates work, see [Windows Updates using forward and reverse differentials](PSFxWhitepaper.md). + +## Key Concepts + +Windows 10 gains new functionality with twice-per-year feature update releases. Initially, organizations will use these feature update releases for pilot deployments to ensure compatibility with existing apps and infrastructure. After a period of time, typically about four months after the feature update release, broad deployment throughout the organization can begin. The exact timeframe is determined by feedback from customers, ISVs, OEMs, and others, with an explicit "ready for broad deployment" declaration signaling this to customers. + +Each Windows 10 feature update will be serviced with quality updates for 18 months from the date of the feature update release. + +Windows 10 Enterprise LTSB is a separate **Long Term Servicing Channel** version. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years. + +See [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) for more information. + +## Staying up to date + +The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of tools management and patching tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used to help with this process. [Windows Analytics Upgrade Readiness](https://www.microsoft.com/en-us/WindowsForBusiness/windows-analytics), a free tool to streamline Windows upgrade projects, is another important tool to help. + +Because app compatibility, both for desktop apps and web apps, is outstanding with Windows 10, extensive advanced testing isn’t required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin. + +This process repeats with each new feature update, twice per year. These are small deployment projects, compared to the big projects that were necessary with the old three-to-five-year Windows release cycles. + +Additional technologies such as BranchCache and Delivery Optimization, both peer-to-peer distribution tools, can help with the distribution of the feature update installation files. + +See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) and [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) for more information. + +## Video: An overview of Windows as a service + +Click the following Microsoft Mechanics video for an overview of the updated release model, particularly the Semi-Annual Channel. + + +[![YouTube video of Michael Niehouse explaining how the Semi-Annual Channel works](images/SAC_vid_crop.jpg)](https://youtu.be/qSAsiM01GOU) + +## Learn more + +- [Adopting Windows as a service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft) +- [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) + +## Related topics + +- [Update Windows 10 in the enterprise](index.md) +- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) +- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) +- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) +- [Configure Windows Update for Business](waas-configure-wufb.md) +- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) +- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) +- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) +- [Manage device restarts after updates](waas-restart.md) + + + + + + + + diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md index 2d3589d3ec..bf291e370f 100644 --- a/windows/deployment/update/waas-restart.md +++ b/windows/deployment/update/waas-restart.md @@ -1,208 +1,208 @@ ---- -title: Manage device restarts after updates (Windows 10) -description: tbd -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greg-lindsay -ms.date: 07/27/2017 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Manage device restarts after updates - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -You can use Group Policy settings, mobile device management (MDM) or Registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both. - -## Schedule update installation - -In Group Policy, within **Configure Automatic Updates**, you can configure a forced restart after a specified installation time. - -To set the time, you need to go to **Configure Automatic Updates**, select option **4 - Auto download and schedule the install**, and then enter a time in the **Scheduled install time** dropdown. Alternatively, you can specify that installation will occur during the automatic maintenance time (configured using **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**). - -**Always automatically restart at the scheduled time** forces a restart after the specified installation time and lets you configure a timer to warn a signed-in user that a restart is going to occur. - -While not recommended, the same result can be achieved through Registry. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4**, set the install time with **ScheduledInstallTime**, enable **AlwaysAutoRebootAtScheduledTime** and specify the delay in minutes through **AlwaysAutoRebootAtScheduledTimeMinutes**. Similar to Group Policy, **AlwaysAutoRebootAtScheduledTimeMinutes** sets the timer to warn a signed-in user that a restart is going to occur. - -For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart). - -## Delay automatic reboot - -When **Configure Automatic Updates** is enabled in Group Policy, you can enable one of the following additional policies to delay an automatic reboot after update installation: - -- **Turn off auto-restart for updates during active hours** prevents automatic restart during active hours. -- **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**. - -> [!NOTE] -> When using Remote Desktop Protocol connections, only active RDP sessions are considered as logged on users. Devices that do not have locally logged on users, or active RDP sessions, will be restarted. - -You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it will override this setting. - -For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart). - -## Configure active hours - -*Active hours* identify the period of time when you expect the device to be in use. Automatic restarts after an update will occur outside of the active hours. - -By default, active hours are from 8 AM to 5 PM on PCs and from 5 AM to 11 PM on phones. Users can change the active hours manually. - -Starting with Windows 10, version 1703, you can also specify the max active hours range. The specified range will be counted from the active hours start time. - -Administrators can use multiple ways to set active hours for managed devices: - -- You can use Group Policy, as described in the procedure that follows. -- You can use MDM, as described in [Configuring active hours with MDM](#configuring-active-hours-with-mdm). -- While not recommended, you can also configure active hours, as described in [Configuring active hours through Registry](#configuring-active-hours-through-registry). - -### Configuring active hours with Group Policy - -To configure active hours using Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Turn off auto-restart for updates during active hours** policy setting. When the policy is enabled, you can set the start and end times for active hours. - -![Use Group Policy to configure active hours](images/waas-active-hours-policy.png) - -### Configuring active hours with MDM - -MDM uses the [Update/ActiveHoursStart and Update/ActiveHoursEnd](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_ActiveHoursEnd) and [Update/ActiveHoursMaxRange](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursmaxrange) settings in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to configure active hours. - -### Configuring active hours through Registry - -This method is not recommended, and should only be used when neither Group Policy or MDM are available. -Any settings configured through Registry may conflict with any existing configuration that uses any of the methods mentioned above. - -You should set a combination of the following registry values, in order to configure active hours. -Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** use **SetActiveHours** to enable or disable active hours and **ActiveHoursStart**,**ActiveHoursEnd** to specify the range of active hours. - -For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart). - ->[!NOTE] ->To configure active hours manually on a single device, go to **Settings** > **Update & security** > **Windows Update** and select **Change active hours**. -> ->![Change active hours](images/waas-active-hours.png) - -### Configuring active hours max range - -With Windows 10, version 1703, administrators can specify the max active hours range users can set. This option gives you additional flexibility to leave some of the decision for active hours on the user's side, while making sure you allow enough time for updating. The max range is calculated from active hours start time. - -To configure active hours max range through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Specify active hours range for auto-restarts**. - -To configure active hours max range through MDM, use [**Update/ActiveHoursMaxRange**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-activehoursmaxrange). - -## Limit restart delays - -After an update is installed, Windows 10 attempts automatic restart outside of active hours. If the restart does not succeed after 7 days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from 7 days to a number of days between 2 and 14. - -## Control restart notifications - -In Windows 10, version 1703, we have added settings to control restart notifications for users. - -### Auto-restart notifications - -Administrators can override the default behavior for the auto-restart required notification. By default, this notification will dismiss automatically. - -To configure this behavior through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Configure auto-restart required notification for updates**. When configured to **2 - User Action**, a user that gets this notification must manually dismiss it. - -To configure this behavior through MDM, use [**Update/AutoRestartRequiredNotificationDismissal**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-AutoRestartRequiredNotificationDismissal) - -You can also configure the period prior to an update that this notification will show up on. The default value is 15 minutes. - -To change it through Group Policy, select **Configure auto-restart-reminder notifications for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select the period in minutes. - -To change it through MDM, use [**Update/AutoRestartNotificationSchedule**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-AutoRestartNotificationSchedule). - - -In some cases, you don't need a notification to show up. - -To do so through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Turn off auto-restart notifications for update installations**. - -To do so through MDM, use [**Update/SetAutoRestartNotificationDisable**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-setautorestartnotificationdisable). - -### Scheduled auto-restart warnings - -Since users are not able to postpone a scheduled restart once the deadline has been reached, you can configure a warning reminder prior to the scheduled restart. You can also configure a warning prior to the restart, to notify users once the restart is imminent and allow them to save their work. - -To configure both through Group Policy, find **Configure auto-restart warning notifications schedule for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The warning reminder can be configured by **Reminder (hours)** and the warning prior to an imminent auto-restart can be configured by **Warning (mins)**. - -In MDM, the warning reminder is configured using [**Update/ScheduleRestartWarning**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-ScheduleRestartWarning) and the auto-restart imminent warning is configured using [**Update/ScheduleImminentRestartWarning**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-ScheduleImminentRestartWarning). - -### Engaged restart - -Engaged restart is the period of time when users are required to schedule a restart. Initially, Windows will auto-restart outside of working hours. Once the set period ends (7 days by default), Windows transitions to user scheduled restarts. - -The following settings can be adjusted for engaged restart: -* Period of time before auto-restart transitions to engaged restart. -* The number of days that users can snooze engaged restart reminder notifications. -* The number of days before a pending restart automatically executes outside of working hours. - -In Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and pick **Specify Engaged restart transition and notification schedule for updates**. - -In MDM, use [**Update/EngagedRestartTransitionSchedule**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-EngagedRestartTransitionSchedule), [**Update/EngagedRestartSnoozeSchedule**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-EngagedRestartSnoozeSchedule) and [**Update/EngagedRestartDeadline**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-EngagedRestartDeadline) respectively. - -## Group Policy settings for restart - -In the Group Policy editor, you will see a number of policy settings that pertain to restart behavior in **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The following table shows which policies apply to Windows 10. - -| Policy | Applies to Windows 10 | Notes | -| --- | --- | --- | -| Turn off auto-restart for updates during active hours | ![yes](images/checkmark.png) | Use this policy to configure active hours, during which the device will not be restarted. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. | -| Always automatically restart at the scheduled time | ![yes](images/checkmark.png) | Use this policy to configure a restart timer (between 15 and 180 minutes) that will start immediately after Windows Update installs important updates. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** policy is enabled. | -| Specify deadline before auto-restart for update installation | ![yes](images/checkmark.png) | Use this policy to specify how many days (between 2 and 14) an automatic restart can be delayed. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. | -| No auto-restart with logged on users for scheduled automatic updates installations | ![yes](images/checkmark.png) | Use this policy to prevent automatic restart when a user is logged on. This policy applies only when the **Configure Automatic Updates** policy is configured to perform scheduled installations of updates.
          There is no equivalent MDM policy setting for Windows 10 Mobile. | -| Re-prompt for restart with scheduled installations | ![no](images/crossmark.png) | | -| Delay Restart for scheduled installations | ![no](images/crossmark.png) | | -| Reschedule Automatic Updates scheduled installations | ![no](images/crossmark.png) | | - ->[!NOTE] ->You can only choose one path for restart behavior. ->If you set conflicting restart policies, the actual restart behavior may not be what you expected. ->When using RDP, only active RDP sessions are considered as logged on users. - - -## Registry keys used to manage restart -The following tables list registry values that correspond to the Group Policy settings for controlling restarts after updates in Windows 10. - -**HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** - -| Registry key | Key type | Value | -| --- | --- | --- | -| ActiveHoursEnd | REG_DWORD | 0-23: set active hours to end at a specific hour
          starts with 12 AM (0) and ends with 11 PM (23) | -| ActiveHoursStart | REG_DWORD | 0-23: set active hours to start at a specific hour
          starts with 12 AM (0) and ends with 11 PM (23) | -| SetActiveHours | REG_DWORD | 0: disable automatic restart after updates outside of active hours
          1: enable automatic restart after updates outside of active hours | - -**HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU** - -| Registry key | Key type | Value | -| --- | --- | --- | -| AlwaysAutoRebootAtScheduledTime | REG_DWORD | 0: disable automatic reboot after update installation at scheduled time
          1: enable automatic reboot after update installation at ascheduled time | -| AlwaysAutoRebootAtScheduledTimeMinutes | REG_DWORD | 15-180: set automatic reboot to occur after given minutes | -| AUOptions | REG_DWORD | 2: notify for download and notify for installation of updates
          3: automatically download and notify for installation of updates
          4: Automatically download and schedule installation of updates
          5: allow the local admin to configure these settings
          **Note:** To configure restart behavior, set this value to **4** | -| NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable do not reboot if users are logged on
          1: do not reboot after an update installation if a user is logged on
          **Note:** If disabled : Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation | -| ScheduledInstallTime | REG_DWORD | 0-23: schedule update installation time to a specific hour
          starts with 12 AM (0) and ends with 11 PM (23) | - -There are 3 different registry combinations for controlling restart behavior: - -- To set active hours, **SetActiveHours** should be **1**, while **ActiveHoursStart** and **ActiveHoursEnd** should define the time range. -- To schedule a specific installation and reboot time, **AUOptions** should be **4**, **ScheduledInstallTime** should specify the installation time, **AlwaysAutoRebootAtScheduledTime** set to **1** and **AlwaysAutoRebootAtScheduledTimeMinutes** should specify number of minutes to wait before rebooting. -- To delay rebooting if a user is logged on, **AUOptions** should be **4**, while **NoAutoRebootWithLoggedOnUsers** is set to **1**. - -## Related topics - -- [Update Windows 10 in the enterprise](index.md) -- [Overview of Windows as a service](waas-overview.md) -- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) +--- +title: Manage device restarts after updates (Windows 10) +description: tbd +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.date: 07/27/2017 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Manage device restarts after updates + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + +You can use Group Policy settings, mobile device management (MDM) or Registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both. + +## Schedule update installation + +In Group Policy, within **Configure Automatic Updates**, you can configure a forced restart after a specified installation time. + +To set the time, you need to go to **Configure Automatic Updates**, select option **4 - Auto download and schedule the install**, and then enter a time in the **Scheduled install time** dropdown. Alternatively, you can specify that installation will occur during the automatic maintenance time (configured using **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**). + +**Always automatically restart at the scheduled time** forces a restart after the specified installation time and lets you configure a timer to warn a signed-in user that a restart is going to occur. + +While not recommended, the same result can be achieved through Registry. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4**, set the install time with **ScheduledInstallTime**, enable **AlwaysAutoRebootAtScheduledTime** and specify the delay in minutes through **AlwaysAutoRebootAtScheduledTimeMinutes**. Similar to Group Policy, **AlwaysAutoRebootAtScheduledTimeMinutes** sets the timer to warn a signed-in user that a restart is going to occur. + +For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart). + +## Delay automatic reboot + +When **Configure Automatic Updates** is enabled in Group Policy, you can enable one of the following additional policies to delay an automatic reboot after update installation: + +- **Turn off auto-restart for updates during active hours** prevents automatic restart during active hours. +- **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**. + +> [!NOTE] +> When using Remote Desktop Protocol connections, only active RDP sessions are considered as logged on users. Devices that do not have locally logged on users, or active RDP sessions, will be restarted. + +You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it will override this setting. + +For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart). + +## Configure active hours + +*Active hours* identify the period of time when you expect the device to be in use. Automatic restarts after an update will occur outside of the active hours. + +By default, active hours are from 8 AM to 5 PM on PCs and from 5 AM to 11 PM on phones. Users can change the active hours manually. + +Starting with Windows 10, version 1703, you can also specify the max active hours range. The specified range will be counted from the active hours start time. + +Administrators can use multiple ways to set active hours for managed devices: + +- You can use Group Policy, as described in the procedure that follows. +- You can use MDM, as described in [Configuring active hours with MDM](#configuring-active-hours-with-mdm). +- While not recommended, you can also configure active hours, as described in [Configuring active hours through Registry](#configuring-active-hours-through-registry). + +### Configuring active hours with Group Policy + +To configure active hours using Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Turn off auto-restart for updates during active hours** policy setting. When the policy is enabled, you can set the start and end times for active hours. + +![Use Group Policy to configure active hours](images/waas-active-hours-policy.png) + +### Configuring active hours with MDM + +MDM uses the [Update/ActiveHoursStart and Update/ActiveHoursEnd](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_ActiveHoursEnd) and [Update/ActiveHoursMaxRange](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursmaxrange) settings in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to configure active hours. + +### Configuring active hours through Registry + +This method is not recommended, and should only be used when neither Group Policy or MDM are available. +Any settings configured through Registry may conflict with any existing configuration that uses any of the methods mentioned above. + +You should set a combination of the following registry values, in order to configure active hours. +Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** use **SetActiveHours** to enable or disable active hours and **ActiveHoursStart**,**ActiveHoursEnd** to specify the range of active hours. + +For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart). + +>[!NOTE] +>To configure active hours manually on a single device, go to **Settings** > **Update & security** > **Windows Update** and select **Change active hours**. +> +>![Change active hours](images/waas-active-hours.png) + +### Configuring active hours max range + +With Windows 10, version 1703, administrators can specify the max active hours range users can set. This option gives you additional flexibility to leave some of the decision for active hours on the user's side, while making sure you allow enough time for updating. The max range is calculated from active hours start time. + +To configure active hours max range through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Specify active hours range for auto-restarts**. + +To configure active hours max range through MDM, use [**Update/ActiveHoursMaxRange**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-activehoursmaxrange). + +## Limit restart delays + +After an update is installed, Windows 10 attempts automatic restart outside of active hours. If the restart does not succeed after 7 days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from 7 days to a number of days between 2 and 14. + +## Control restart notifications + +In Windows 10, version 1703, we have added settings to control restart notifications for users. + +### Auto-restart notifications + +Administrators can override the default behavior for the auto-restart required notification. By default, this notification will dismiss automatically. + +To configure this behavior through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Configure auto-restart required notification for updates**. When configured to **2 - User Action**, a user that gets this notification must manually dismiss it. + +To configure this behavior through MDM, use [**Update/AutoRestartRequiredNotificationDismissal**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-AutoRestartRequiredNotificationDismissal) + +You can also configure the period prior to an update that this notification will show up on. The default value is 15 minutes. + +To change it through Group Policy, select **Configure auto-restart-reminder notifications for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select the period in minutes. + +To change it through MDM, use [**Update/AutoRestartNotificationSchedule**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-AutoRestartNotificationSchedule). + + +In some cases, you don't need a notification to show up. + +To do so through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Turn off auto-restart notifications for update installations**. + +To do so through MDM, use [**Update/SetAutoRestartNotificationDisable**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-setautorestartnotificationdisable). + +### Scheduled auto-restart warnings + +Since users are not able to postpone a scheduled restart once the deadline has been reached, you can configure a warning reminder prior to the scheduled restart. You can also configure a warning prior to the restart, to notify users once the restart is imminent and allow them to save their work. + +To configure both through Group Policy, find **Configure auto-restart warning notifications schedule for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The warning reminder can be configured by **Reminder (hours)** and the warning prior to an imminent auto-restart can be configured by **Warning (mins)**. + +In MDM, the warning reminder is configured using [**Update/ScheduleRestartWarning**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-ScheduleRestartWarning) and the auto-restart imminent warning is configured using [**Update/ScheduleImminentRestartWarning**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-ScheduleImminentRestartWarning). + +### Engaged restart + +Engaged restart is the period of time when users are required to schedule a restart. Initially, Windows will auto-restart outside of working hours. Once the set period ends (7 days by default), Windows transitions to user scheduled restarts. + +The following settings can be adjusted for engaged restart: +* Period of time before auto-restart transitions to engaged restart. +* The number of days that users can snooze engaged restart reminder notifications. +* The number of days before a pending restart automatically executes outside of working hours. + +In Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and pick **Specify Engaged restart transition and notification schedule for updates**. + +In MDM, use [**Update/EngagedRestartTransitionSchedule**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-EngagedRestartTransitionSchedule), [**Update/EngagedRestartSnoozeSchedule**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-EngagedRestartSnoozeSchedule) and [**Update/EngagedRestartDeadline**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-EngagedRestartDeadline) respectively. + +## Group Policy settings for restart + +In the Group Policy editor, you will see a number of policy settings that pertain to restart behavior in **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The following table shows which policies apply to Windows 10. + +| Policy | Applies to Windows 10 | Notes | +| --- | --- | --- | +| Turn off auto-restart for updates during active hours | ![yes](images/checkmark.png) | Use this policy to configure active hours, during which the device will not be restarted. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. | +| Always automatically restart at the scheduled time | ![yes](images/checkmark.png) | Use this policy to configure a restart timer (between 15 and 180 minutes) that will start immediately after Windows Update installs important updates. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** policy is enabled. | +| Specify deadline before auto-restart for update installation | ![yes](images/checkmark.png) | Use this policy to specify how many days (between 2 and 14) an automatic restart can be delayed. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. | +| No auto-restart with logged on users for scheduled automatic updates installations | ![yes](images/checkmark.png) | Use this policy to prevent automatic restart when a user is logged on. This policy applies only when the **Configure Automatic Updates** policy is configured to perform scheduled installations of updates.
          There is no equivalent MDM policy setting for Windows 10 Mobile. | +| Re-prompt for restart with scheduled installations | ![no](images/crossmark.png) | | +| Delay Restart for scheduled installations | ![no](images/crossmark.png) | | +| Reschedule Automatic Updates scheduled installations | ![no](images/crossmark.png) | | + +>[!NOTE] +>You can only choose one path for restart behavior. +>If you set conflicting restart policies, the actual restart behavior may not be what you expected. +>When using RDP, only active RDP sessions are considered as logged on users. + + +## Registry keys used to manage restart +The following tables list registry values that correspond to the Group Policy settings for controlling restarts after updates in Windows 10. + +**HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** + +| Registry key | Key type | Value | +| --- | --- | --- | +| ActiveHoursEnd | REG_DWORD | 0-23: set active hours to end at a specific hour
          starts with 12 AM (0) and ends with 11 PM (23) | +| ActiveHoursStart | REG_DWORD | 0-23: set active hours to start at a specific hour
          starts with 12 AM (0) and ends with 11 PM (23) | +| SetActiveHours | REG_DWORD | 0: disable automatic restart after updates outside of active hours
          1: enable automatic restart after updates outside of active hours | + +**HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU** + +| Registry key | Key type | Value | +| --- | --- | --- | +| AlwaysAutoRebootAtScheduledTime | REG_DWORD | 0: disable automatic reboot after update installation at scheduled time
          1: enable automatic reboot after update installation at ascheduled time | +| AlwaysAutoRebootAtScheduledTimeMinutes | REG_DWORD | 15-180: set automatic reboot to occur after given minutes | +| AUOptions | REG_DWORD | 2: notify for download and notify for installation of updates
          3: automatically download and notify for installation of updates
          4: Automatically download and schedule installation of updates
          5: allow the local admin to configure these settings
          **Note:** To configure restart behavior, set this value to **4** | +| NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable do not reboot if users are logged on
          1: do not reboot after an update installation if a user is logged on
          **Note:** If disabled : Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation | +| ScheduledInstallTime | REG_DWORD | 0-23: schedule update installation time to a specific hour
          starts with 12 AM (0) and ends with 11 PM (23) | + +There are 3 different registry combinations for controlling restart behavior: + +- To set active hours, **SetActiveHours** should be **1**, while **ActiveHoursStart** and **ActiveHoursEnd** should define the time range. +- To schedule a specific installation and reboot time, **AUOptions** should be **4**, **ScheduledInstallTime** should specify the installation time, **AlwaysAutoRebootAtScheduledTime** set to **1** and **AlwaysAutoRebootAtScheduledTimeMinutes** should specify number of minutes to wait before rebooting. +- To delay rebooting if a user is logged on, **AUOptions** should be **4**, while **NoAutoRebootWithLoggedOnUsers** is set to **1**. + +## Related topics + +- [Update Windows 10 in the enterprise](index.md) +- [Overview of Windows as a service](waas-overview.md) +- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) +- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) +- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) +- [Configure Windows Update for Business](waas-configure-wufb.md) +- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) +- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) +- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md index 211678945d..d58eb30284 100644 --- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md @@ -1,228 +1,228 @@ ---- -title: Assign devices to servicing channels for Windows 10 updates (Windows 10) -description: tbd -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greg-lindsay -ms.date: 10/13/2017 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Assign devices to servicing channels for Windows 10 updates - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - ->[!TIP] ->If you're not familiar with the Windows 10 servicing or release channels, read [Servicing Channels](waas-overview.md#servicing-channels) first. -> ->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB, CBB and LTSB may still be displayed in some of our products. - -Semi-Annual Channel is the default servicing channel for all Windows 10 devices except those with the LTSB edition installed. The following table shows the servicing channels available to each Windows 10 edition. - -| Windows 10 edition | Semi-Annual Channel (Targeted) | Semi-Annual Channel | Long-Term Servicing Channel | Insider Program | -| --- | --- | --- | --- | --- | -| Home | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | -| Pro | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | -| Enterprise | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | -| Enterprise LTSB | ![no](images/crossmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | -| Pro Education | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | -| Education | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | -| Mobile | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | -| Mobile Enterprise | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | - - - ->[!NOTE] ->The LTSB edition of Windows 10 is only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). - ->[!NOTE] ->Semi-Annual Channel (Targeted) should be used only by the customers that are using [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb). For those who don't use Windows Update for Business, Semi-Annual Channel (Targeted) would be the same as Semi-Annual Channel. - -## Assign devices to Semi-Annual Channel - ->[!IMPORTANT] ->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB, CBB and LTSB may still be displayed in some of our products. -> ->In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. - -**To assign a single PC locally to CBB** - -1. Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options**. -2. Select **Defer feature updates**. - -**To assign PCs to CBB using Group Policy** - -- In Windows 10, version 1511: - - Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** - -- In Windows 10, version 1607: - - Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** - enable policy and set branch readiness level to CBB - -**To assign PCs to CBB using MDM** - -- In Windows 10, version 1511: - - ../Vendor/MSFT/Policy/Config/Update/**RequireDeferUpgrade** - -- In Windows 10, version 1607: - - ../Vendor/MSFT/Policy/Config/Update/**BranchReadinessLevel** - -**To assign Windows 10 Mobile Enterprise to CBB using MDM** - -- In Windows 10 Mobile Enterprise, version 1511: - - ../Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade - -- In Windows 10 Mobile Enterprise, version 1607: - - ../Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel - -## Enroll devices in the Windows Insider Program - -To get started with the Windows Insider Program for Business, you will need to follow a few simple steps: - -1. On the [Windows Insider](https://insider.windows.com) website, go to **For Business > Getting Started** to [register your organizational Azure AD account](https://insider.windows.com/en-us/insidersigninaad/). -2. **Register your domain**. Rather than have each user register individually for Insider Preview builds, administrators can simply [register their domain](https://insider.windows.com/en-us/for-business-organization-admin/) and control settings centrally.
          **Note:** The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register the domain. -3. Make sure the **Allow Telemetry** setting is set to **2** or higher. -4. Starting with Windows 10, version 1709, set policies to manage preview builds and their delivery: - -The **Manage preview builds** setting gives administrators control over enabling or disabling preview build installation on a device. You can also decide to stop preview builds once the release is public. -* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds* -* MDM: **Update/ManagePreviewBuilds** - -The **Branch Readiness Level** settings allows you to choose between preview flight rings, and allows you to defer or pause the delivery of updates. -* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and Feature Updates are received* -* MDM: **Update/BranchReadinessLevel** - -For more information, see [Windows Insider Program for Business](waas-windows-insider-for-business.md) - -## Block access to Windows Insider Program - -To prevent devices in your enterprise from being enrolled in the Insider Program for early releases of Windows 10: - -- Group Policy: Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\\**Toggle user control over Insider builds** -- MDM: Policy CSP - [System/AllowBuildPreview](https://msdn.microsoft.com/library/windows/hardware/dn904962%28v=vs.85%29.aspx#System_AllowBuildPreview) - ->[!IMPORTANT] ->Starting with Windows 10, version 1709, this policy is replaced by **Manage preview builds** policy. -> * Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds* -> * MDM: **Update/ManagePreviewBuilds** - - -## Switching channels - -During the life of a device, it may be necessary or desirable to switch between the available channels. Depending on the channel you are using, the exact mechanism for doing this can be different; some will be simple, others more involved. - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          From this channelTo this channelYou need to
          Windows Insider ProgramSemi-Annual Channel (Targeted)Wait for the final Semi-Annual Channel release.
          Semi-Annual ChannelNot directly possible, because Windows Insider Program devices are automatically upgraded to the Semi-Annual Channel (Targeted) release at the end of the development cycle.
          Long-Term Servicing ChannelNot directly possible (requires wipe-and-load).
          Semi-Annual Channel (Targeted)InsiderUse the Settings app to enroll the device in the Windows Insider Program.
          Semi-Annual ChannelSelect the Defer upgrade setting, or move the PC to a target group or flight that will not receive the next upgrade until it is business ready. Note that this change will not have any immediate impact; it only prevents the installation of the next Semi-Annual Channel release.
          Long-Term Servicing ChannelNot directly possible (requires wipe-and-load).
          Semi-Annual ChannelInsiderUse the Settings app to enroll the device in the Windows Insider Program.
          Semi-Annual Channel (Targeted)Disable the Defer upgrade setting, or move the device to a target group or flight that will receive the latest Current Semi-Annual Channel release.
          Long-Term Servicing ChannelNot directly possible (requires wipe-and-load).
          Long-Term Servicing ChannelInsiderUse media to upgrade to the latest Windows Insider Program build.
          Semi-Annual Channel (Targeted)Use media to upgrade. Note that the Semi-Annual Channel build must be a later build.
          Semi-Annual ChannelUse media to upgrade. Note that the Semi-Annual Channel build must be a later build.
          - -## Block user access to Windows Update settings - -In Windows 10, administrators can control user access to Windows Update. -By enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features**, administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured. - ->[!NOTE] -> In Windows 10, any Group Policy user configuration settings for Windows Update were deprecated and are no longer supported on this platform. - -## Steps to manage updates for Windows 10 - -| | | -| --- | --- | -| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) | -| ![done](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | -| ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | -| ![done](images/checklistdone.png) | Assign devices to servicing channels for Windows 10 updates (this topic) | -| ![to do](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | -| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
          or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
          or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | - -## Related topics - -- [Update Windows 10 in the enterprise](index.md) -- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) -- [Manage device restarts after updates](waas-restart.md) +--- +title: Assign devices to servicing channels for Windows 10 updates (Windows 10) +description: tbd +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.date: 10/13/2017 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Assign devices to servicing channels for Windows 10 updates + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + +>[!TIP] +>If you're not familiar with the Windows 10 servicing or release channels, read [Servicing Channels](waas-overview.md#servicing-channels) first. +> +>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB, CBB and LTSB may still be displayed in some of our products. + +Semi-Annual Channel is the default servicing channel for all Windows 10 devices except those with the LTSB edition installed. The following table shows the servicing channels available to each Windows 10 edition. + +| Windows 10 edition | Semi-Annual Channel (Targeted) | Semi-Annual Channel | Long-Term Servicing Channel | Insider Program | +| --- | --- | --- | --- | --- | +| Home | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | +| Pro | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | +| Enterprise | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | +| Enterprise LTSB | ![no](images/crossmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | +| Pro Education | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | +| Education | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | +| Mobile | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | +| Mobile Enterprise | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | + + + +>[!NOTE] +>The LTSB edition of Windows 10 is only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). + +>[!NOTE] +>Semi-Annual Channel (Targeted) should be used only by the customers that are using [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb). For those who don't use Windows Update for Business, Semi-Annual Channel (Targeted) would be the same as Semi-Annual Channel. + +## Assign devices to Semi-Annual Channel + +>[!IMPORTANT] +>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB, CBB and LTSB may still be displayed in some of our products. +> +>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. + +**To assign a single PC locally to CBB** + +1. Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options**. +2. Select **Defer feature updates**. + +**To assign PCs to CBB using Group Policy** + +- In Windows 10, version 1511: + + Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** + +- In Windows 10, version 1607: + + Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** - enable policy and set branch readiness level to CBB + +**To assign PCs to CBB using MDM** + +- In Windows 10, version 1511: + + ../Vendor/MSFT/Policy/Config/Update/**RequireDeferUpgrade** + +- In Windows 10, version 1607: + + ../Vendor/MSFT/Policy/Config/Update/**BranchReadinessLevel** + +**To assign Windows 10 Mobile Enterprise to CBB using MDM** + +- In Windows 10 Mobile Enterprise, version 1511: + + ../Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade + +- In Windows 10 Mobile Enterprise, version 1607: + + ../Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel + +## Enroll devices in the Windows Insider Program + +To get started with the Windows Insider Program for Business, you will need to follow a few simple steps: + +1. On the [Windows Insider](https://insider.windows.com) website, go to **For Business > Getting Started** to [register your organizational Azure AD account](https://insider.windows.com/en-us/insidersigninaad/). +2. **Register your domain**. Rather than have each user register individually for Insider Preview builds, administrators can simply [register their domain](https://insider.windows.com/en-us/for-business-organization-admin/) and control settings centrally.
          **Note:** The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register the domain. +3. Make sure the **Allow Telemetry** setting is set to **2** or higher. +4. Starting with Windows 10, version 1709, set policies to manage preview builds and their delivery: + +The **Manage preview builds** setting gives administrators control over enabling or disabling preview build installation on a device. You can also decide to stop preview builds once the release is public. +* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds* +* MDM: **Update/ManagePreviewBuilds** + +The **Branch Readiness Level** settings allows you to choose between preview flight rings, and allows you to defer or pause the delivery of updates. +* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and Feature Updates are received* +* MDM: **Update/BranchReadinessLevel** + +For more information, see [Windows Insider Program for Business](waas-windows-insider-for-business.md) + +## Block access to Windows Insider Program + +To prevent devices in your enterprise from being enrolled in the Insider Program for early releases of Windows 10: + +- Group Policy: Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\\**Toggle user control over Insider builds** +- MDM: Policy CSP - [System/AllowBuildPreview](https://msdn.microsoft.com/library/windows/hardware/dn904962%28v=vs.85%29.aspx#System_AllowBuildPreview) + +>[!IMPORTANT] +>Starting with Windows 10, version 1709, this policy is replaced by **Manage preview builds** policy. +> * Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds* +> * MDM: **Update/ManagePreviewBuilds** + + +## Switching channels + +During the life of a device, it may be necessary or desirable to switch between the available channels. Depending on the channel you are using, the exact mechanism for doing this can be different; some will be simple, others more involved. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          From this channelTo this channelYou need to
          Windows Insider ProgramSemi-Annual Channel (Targeted)Wait for the final Semi-Annual Channel release.
          Semi-Annual ChannelNot directly possible, because Windows Insider Program devices are automatically upgraded to the Semi-Annual Channel (Targeted) release at the end of the development cycle.
          Long-Term Servicing ChannelNot directly possible (requires wipe-and-load).
          Semi-Annual Channel (Targeted)InsiderUse the Settings app to enroll the device in the Windows Insider Program.
          Semi-Annual ChannelSelect the Defer upgrade setting, or move the PC to a target group or flight that will not receive the next upgrade until it is business ready. Note that this change will not have any immediate impact; it only prevents the installation of the next Semi-Annual Channel release.
          Long-Term Servicing ChannelNot directly possible (requires wipe-and-load).
          Semi-Annual ChannelInsiderUse the Settings app to enroll the device in the Windows Insider Program.
          Semi-Annual Channel (Targeted)Disable the Defer upgrade setting, or move the device to a target group or flight that will receive the latest Current Semi-Annual Channel release.
          Long-Term Servicing ChannelNot directly possible (requires wipe-and-load).
          Long-Term Servicing ChannelInsiderUse media to upgrade to the latest Windows Insider Program build.
          Semi-Annual Channel (Targeted)Use media to upgrade. Note that the Semi-Annual Channel build must be a later build.
          Semi-Annual ChannelUse media to upgrade. Note that the Semi-Annual Channel build must be a later build.
          + +## Block user access to Windows Update settings + +In Windows 10, administrators can control user access to Windows Update. +By enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features**, administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured. + +>[!NOTE] +> In Windows 10, any Group Policy user configuration settings for Windows Update were deprecated and are no longer supported on this platform. + +## Steps to manage updates for Windows 10 + +| | | +| --- | --- | +| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) | +| ![done](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | +| ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | +| ![done](images/checklistdone.png) | Assign devices to servicing channels for Windows 10 updates (this topic) | +| ![to do](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | +| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
          or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
          or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | + +## Related topics + +- [Update Windows 10 in the enterprise](index.md) +- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) +- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) +- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) +- [Configure Windows Update for Business](waas-configure-wufb.md) +- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) +- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) +- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) +- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/update/waas-servicing-differences.md b/windows/deployment/update/waas-servicing-differences.md index b4d7c089e3..fda8dac6f6 100644 --- a/windows/deployment/update/waas-servicing-differences.md +++ b/windows/deployment/update/waas-servicing-differences.md @@ -7,9 +7,11 @@ keywords: updates, servicing, current, deployment, semi-annual channel, feature, ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +audience: itpro author: greg-lindsay ms.localizationpriority: medium -ms.author: greg-lindsay +ms.audience: itpro +author: greg-lindsay ms.topic: article ms.collection: M365-modern-desktop --- diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md index 9621e81104..2162d1aafa 100644 --- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md @@ -1,74 +1,74 @@ ---- -title: Prepare servicing strategy for Windows 10 updates (Windows 10) -description: A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greg-lindsay -ms.date: 11/02/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Prepare servicing strategy for Windows 10 updates - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -In the past, traditional Windows deployments tended to be large, lengthy, and expensive. Windows 10 offers a new approach to deploying both quality and feature updates, making the process much simpler and therefore the planning much more straightforward. With Windows as a service, the methodology around updating Windows has completely changed, moving away from major upgrades every few years to iterative updates twice per year. Each iteration contains a smaller subset of changes so that they won’t seem like substantial differences, like they do today. This image illustrates the level of effort needed for traditional Windows deployments versus servicing Windows 10 and how it is now spread evenly over time versus spiking every few years. - - -![Compare traditional servicing to Windows 10](images/waas-strategy-fig1a.png) - -Windows 10 spreads the traditional deployment effort of a Windows upgrade, which typically occurred every few years, over smaller, continuous updates. With this change, you must approach the ongoing deployment and servicing of Windows differently. A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. Here’s an example of what this process might look like: - -- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before they’re available to the Semi-Annual Channel. Typically, this would be a small number of test devices that IT staff members use to evaluate pre-releas builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device. -- **Identify excluded devices.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than the Semi-annual Channel can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly. -- **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you’re looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible. -- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain will need to download a .admx package and copy it to their [Central Store](https://support.microsoft.com/help/929841/how-to-create-the-central-store-for-group-policy-administrative-templa) (or to the [PolicyDefinitions](https://msdn.microsoft.com/library/bb530196.aspx) directory in the SYSVOL of a domain controller if not using a Central Store). Always manage new group polices from the version of Windows 10 they shipped with by using the Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for “ADMX download for Windows build xxxx”. For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) -- **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or System Center Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools). -- **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those that are the most business critical. Because the expectation is that application compatibility with Windows 10 will be high, only the most business critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](../upgrade/manage-windows-upgrades-with-upgrade-readiness.md). - ->[!NOTE] ->This strategy is applicable to approaching an environment in which Windows 10 already exists. For information about how to deploy or upgrade to Windows 10 where another version of Windows exists, see [Plan for Windows 10 deployment](../planning/index.md). -> ->>Windows 10 Enterprise LTSB is a separate Long Term Servicing Channel version. - -Each time Microsoft releases a Windows 10 feature update, the IT department should use the following high-level process to help ensure that the broad deployment is successful: - -1. **Validate compatibility of business critical apps.** Test your most important business-critical applications for compatibility with the new Windows 10 feature update running on your Windows Insider machines identified in the earlier “Configure test machines” step of the Predeployment strategy section. The list of applications involved in this validation process should be small because most applications can be tested during the pilot phase. For more information about device and application compatibility in Windows 10, see the section Compatibility. -2. **Target and react to feedback.** With Windows 10, Microsoft expects application and device compatibility to be high, but it’s still important to have targeted groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this will represent the majority of application compatibility testing in your environment. This should not necessarily be a formal process but rather user validation through the use of a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your targeted groups running in the Semi-annual channel that you identified in the “Recruit volunteers” step of the Predeployment strategy section. Be sure to communicate clearly that you’re looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan in place to address it. -3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings, like the ones discussed in Table 1. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you don’t prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more and more people have been updated in any particular department. - - -## Steps to manage updates for Windows 10 - -| | | -| --- | --- | -| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) | -| ![done](images/checklistdone.png) | Prepare servicing strategy for Windows 10 updates (this topic) | -| ![to do](images/checklistbox.gif) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | -| ![to do](images/checklistbox.gif) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | -| ![to do](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | -| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
          or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
          or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | - - -## Related topics - -- [Update Windows 10 in the enterprise](index.md) -- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) -- [Manage device restarts after updates](waas-restart.md) +--- +title: Prepare servicing strategy for Windows 10 updates (Windows 10) +description: A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.date: 11/02/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Prepare servicing strategy for Windows 10 updates + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + +In the past, traditional Windows deployments tended to be large, lengthy, and expensive. Windows 10 offers a new approach to deploying both quality and feature updates, making the process much simpler and therefore the planning much more straightforward. With Windows as a service, the methodology around updating Windows has completely changed, moving away from major upgrades every few years to iterative updates twice per year. Each iteration contains a smaller subset of changes so that they won’t seem like substantial differences, like they do today. This image illustrates the level of effort needed for traditional Windows deployments versus servicing Windows 10 and how it is now spread evenly over time versus spiking every few years. + + +![Compare traditional servicing to Windows 10](images/waas-strategy-fig1a.png) + +Windows 10 spreads the traditional deployment effort of a Windows upgrade, which typically occurred every few years, over smaller, continuous updates. With this change, you must approach the ongoing deployment and servicing of Windows differently. A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. Here’s an example of what this process might look like: + +- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before they’re available to the Semi-Annual Channel. Typically, this would be a small number of test devices that IT staff members use to evaluate pre-releas builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device. +- **Identify excluded devices.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than the Semi-annual Channel can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly. +- **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you’re looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible. +- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain will need to download a .admx package and copy it to their [Central Store](https://support.microsoft.com/help/929841/how-to-create-the-central-store-for-group-policy-administrative-templa) (or to the [PolicyDefinitions](https://msdn.microsoft.com/library/bb530196.aspx) directory in the SYSVOL of a domain controller if not using a Central Store). Always manage new group polices from the version of Windows 10 they shipped with by using the Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for “ADMX download for Windows build xxxx”. For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) +- **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or System Center Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools). +- **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those that are the most business critical. Because the expectation is that application compatibility with Windows 10 will be high, only the most business critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](../upgrade/manage-windows-upgrades-with-upgrade-readiness.md). + +>[!NOTE] +>This strategy is applicable to approaching an environment in which Windows 10 already exists. For information about how to deploy or upgrade to Windows 10 where another version of Windows exists, see [Plan for Windows 10 deployment](../planning/index.md). +> +>>Windows 10 Enterprise LTSB is a separate Long Term Servicing Channel version. + +Each time Microsoft releases a Windows 10 feature update, the IT department should use the following high-level process to help ensure that the broad deployment is successful: + +1. **Validate compatibility of business critical apps.** Test your most important business-critical applications for compatibility with the new Windows 10 feature update running on your Windows Insider machines identified in the earlier “Configure test machines” step of the Predeployment strategy section. The list of applications involved in this validation process should be small because most applications can be tested during the pilot phase. For more information about device and application compatibility in Windows 10, see the section Compatibility. +2. **Target and react to feedback.** With Windows 10, Microsoft expects application and device compatibility to be high, but it’s still important to have targeted groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this will represent the majority of application compatibility testing in your environment. This should not necessarily be a formal process but rather user validation through the use of a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your targeted groups running in the Semi-annual channel that you identified in the “Recruit volunteers” step of the Predeployment strategy section. Be sure to communicate clearly that you’re looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan in place to address it. +3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings, like the ones discussed in Table 1. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you don’t prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more and more people have been updated in any particular department. + + +## Steps to manage updates for Windows 10 + +| | | +| --- | --- | +| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) | +| ![done](images/checklistdone.png) | Prepare servicing strategy for Windows 10 updates (this topic) | +| ![to do](images/checklistbox.gif) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | +| ![to do](images/checklistbox.gif) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | +| ![to do](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | +| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
          or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
          or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | + + +## Related topics + +- [Update Windows 10 in the enterprise](index.md) +- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) +- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) +- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) +- [Configure Windows Update for Business](waas-configure-wufb.md) +- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) +- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) +- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) +- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md index b18360e804..9646afd361 100644 --- a/windows/deployment/update/waas-wu-settings.md +++ b/windows/deployment/update/waas-wu-settings.md @@ -4,9 +4,11 @@ description: Additional settings to control the behavior of Windows Update (WU) ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.localizationpriority: medium -ms.author: greg-lindsay +ms.audience: itpro +author: greg-lindsay ms.date: 07/27/2017 ms.reviewer: manager: laurawi @@ -190,47 +192,47 @@ To do this, follow these steps: 3. Add one of the following registry values to configure Automatic Update. - * NoAutoUpdate (REG_DWORD): - - * **0**: Automatic Updates is enabled (default). - - * **1**: Automatic Updates is disabled. - - * AUOptions (REG_DWORD): - - * **1**: Keep my computer up to date is disabled in Automatic Updates. - - * **2**: Notify of download and installation. - - * **3**: Automatically download and notify of installation. - - * **4**: Automatically download and scheduled installation. + * NoAutoUpdate (REG_DWORD): + + * **0**: Automatic Updates is enabled (default). + + * **1**: Automatic Updates is disabled. + + * AUOptions (REG_DWORD): + + * **1**: Keep my computer up to date is disabled in Automatic Updates. + + * **2**: Notify of download and installation. + + * **3**: Automatically download and notify of installation. + + * **4**: Automatically download and scheduled installation. * ScheduledInstallDay (REG_DWORD): - + * **0**: Every day. - + * **1** through **7**: The days of the week from Sunday (1) to Saturday (7). - + * ScheduledInstallTime (REG_DWORD): - + **n**, where **n** equals the time of day in a 24-hour format (0-23). - + * UseWUServer (REG_DWORD) - + Set this value to **1** to configure Automatic Updates to use a server that is running Software Update Services instead of Windows Update. - + * RescheduleWaitTime (REG_DWORD) - + **m**, where **m** equals the time period to wait between the time Automatic Updates starts and the time that it begins installations where the scheduled times have passed. The time is set in minutes from 1 to 60, representing 1 minute to 60 minutes) - + > [!NOTE] > This setting only affects client behavior after the clients have updated to the SUS SP1 client version or later versions. - + * NoAutoRebootWithLoggedOnUsers (REG_DWORD): - + **0** (false) or **1** (true). If set to **1**, Automatic Updates does not automatically restart a computer while users are logged on. - + > [!NOTE] > This setting affects client behavior after the clients have updated to the SUS SP1 client version or later versions. diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md index b9df3fe9ee..e8912d59ed 100644 --- a/windows/deployment/update/waas-wufb-group-policy.md +++ b/windows/deployment/update/waas-wufb-group-policy.md @@ -1,149 +1,149 @@ ---- -title: Walkthrough use Group Policy to configure Windows Update for Business - Windows 10 -description: Configure Windows Update for Business settings using Group Policy. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greg-lindsay -ms.date: 07/27/2017 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Walkthrough: use Group Policy to configure Windows Update for Business - - -**Applies to** - -- Windows 10 - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - - -## Overview - -You can use Group Policy through the Group Policy Management Console (GPMC) to control how Windows Update for Business works. You should consider and devise a deployment strategy for updates before you make changes to the Windows Update for Business settings. See - -An IT administrator can set policies for Windows Update for Business by using Group Policy, or they can be set locally (per device). All of the relevant policies are under the path **Computer configuration > Administrative Templates > Windows Components > Windows Update**. - -To manage updates with Windows Update for Business as described in this topic, you should prepare with these steps, if you haven't already: - -- Create Active Directory security groups that align with the deployment rings you use to phase deployment of updates. See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to learn more about deployment rings in Windows 10. -- Allow access to the Windows Update service. -- Download and install ADMX templates appropriate to your Windows 10 version. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759) and [Step-By-Step: Managing Windows 10 with Administrative templates](https://blogs.technet.microsoft.com/canitpro/2015/10/20/step-by-step-managing-windows-10-with-administrative-templates/). - - -## Set up Windows Update for Business - -In this example, one security group is used to manage updates. Typically we would recommend having at least three rings (early testers for pre-release builds, broad deployment for releases, critical devices for mature releases) to deploy. See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) for more information. - -Follow these steps on a device running the Remote Server Administration Tools or on a domain controller: - -### Set up a ring -1. Start Group Policy Management Console (gpmc.msc). -2. Expand **Forest > Domains > *\*. -3. Right-click *\* and select **Create a GPO in this domain and link it here**. -4. In the **New GPO** dialog box, enter *Windows Update for Business - Group 1* as the name of the new Group Policy Object. -5. Right-click the **Windows Update for Business - Group 1" object, and then select **Edit**. -6. In the Group Policy Management Editor, go to **Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update**. You are now ready to start assigning policies to this ring (group) of devices. - - -## Offering - -You can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period of time. - -### Manage which updates are offered - -Windows Update for Business offers you the ability to turn on or off both driver and Microsoft product updates. - -- Drivers (on/off): **Computer configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates** -- Microsoft product updates (on/off): **Computer configuration > Administrative Templates > Windows Components > Windows Update > Get updates for other Microsoft Products** - -We recommend that you allow the driver policy to allow drivers to updated on devices (the default), but you can turn this setting off if you prefer to manage drivers manually. We also recommend that you leave the "Microsoft product updates" setting on. - -### Manage when updates are offered -You can defer or pause the installation of updates for a set period of time. - -#### Defer or pause an update - -A Windows Update for Business administrator can defer or pause updates and preview builds. You can defer features updates for up to 365 days. You can pause feature or quality updates for up to 35 days from a given start date that you specify. - -- Defer or pause a feature update: **Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are Received** -- Defer or pause a quality update: **Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are Received** - -#### Example - -In this example, there are three rings for quality updates. The first ring ("pilot") has a deferral period of 0 days. The second ring ("fast") has a deferral of five days. The third ring ("slow") has a deferral of ten days. - -![illustration of devices divided into three rings](images/waas-wufb-3-rings.png) - -When the quality update is released, it is offered to devices in the pilot ring the next time they scan for updates. - -##### Five days later -The devices in the fast ring are offered the quality update the next time they scan for updates. - -![illustration of devices with fast ring deployed](images/waas-wufb-fast-ring.png) - -##### Ten days later -Ten days after the quality update is released, it is offered to the devices in the slow ring the next time they scan for updates. - -![illustration of devices with slow ring deployed](images/waas-wufb-slow-ring.png) - -If no problems occur, all of the devices that scan for updates will be offered the quality update within ten days of its release, in three waves. - -##### What if a problem occurs with the update? - -In this example, some problem is discovered during the deployment of the update to the "pilot" ring. - -![illustration of devices divided with pilot ring experiencing a problem](images/waas-wufb-pilot-problem.png) - -At this point, the IT administrator can set a policy to pause the update. In this example, the admin selects the **Pause quality updates** check box. - -![illustration of rings with pause quality update check box selected](images/waas-wufb-pause.png) - -Now all devices are paused from updating for 35 days. When the pause is removed, they will be offered the *next* quality update, which ideally will not have the same issue. If there is still an issue, the IT admin can pause updates again. - - - -#### Set branch readiness level for feature updates - -This policy only applies to feature updates. To enable preview builds for devices in your organization, set the "Enable preview builds" policy and then use the "Select when preview builds and feature updates are received" policy. - -We recommend that you set up a ring to receive preview builds by joining the Windows Insider Program for Business. By having a ring of devices receiving "pre-release slow" builds and learning about commercial pre-release features, you can ensure that any issues you have with the release are fixed before it is ever released and far before you broadly deploy. - -- Enable preview builds: **Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Manage Preview Builds** - - - -- Set branch readiness level: **Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are Received** - - - - - -## Related topics - -- [Update Windows 10 in the enterprise](index.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) -- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) -- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) -- [Manage device restarts after updates](waas-restart.md) - - - - - +--- +title: Walkthrough use Group Policy to configure Windows Update for Business - Windows 10 +description: Configure Windows Update for Business settings using Group Policy. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.date: 07/27/2017 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Walkthrough: use Group Policy to configure Windows Update for Business + + +**Applies to** + +- Windows 10 + +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + + +## Overview + +You can use Group Policy through the Group Policy Management Console (GPMC) to control how Windows Update for Business works. You should consider and devise a deployment strategy for updates before you make changes to the Windows Update for Business settings. See + +An IT administrator can set policies for Windows Update for Business by using Group Policy, or they can be set locally (per device). All of the relevant policies are under the path **Computer configuration > Administrative Templates > Windows Components > Windows Update**. + +To manage updates with Windows Update for Business as described in this topic, you should prepare with these steps, if you haven't already: + +- Create Active Directory security groups that align with the deployment rings you use to phase deployment of updates. See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to learn more about deployment rings in Windows 10. +- Allow access to the Windows Update service. +- Download and install ADMX templates appropriate to your Windows 10 version. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759) and [Step-By-Step: Managing Windows 10 with Administrative templates](https://blogs.technet.microsoft.com/canitpro/2015/10/20/step-by-step-managing-windows-10-with-administrative-templates/). + + +## Set up Windows Update for Business + +In this example, one security group is used to manage updates. Typically we would recommend having at least three rings (early testers for pre-release builds, broad deployment for releases, critical devices for mature releases) to deploy. See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) for more information. + +Follow these steps on a device running the Remote Server Administration Tools or on a domain controller: + +### Set up a ring +1. Start Group Policy Management Console (gpmc.msc). +2. Expand **Forest > Domains > *\*. +3. Right-click *\* and select **Create a GPO in this domain and link it here**. +4. In the **New GPO** dialog box, enter *Windows Update for Business - Group 1* as the name of the new Group Policy Object. +5. Right-click the **Windows Update for Business - Group 1" object, and then select **Edit**. +6. In the Group Policy Management Editor, go to **Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update**. You are now ready to start assigning policies to this ring (group) of devices. + + +## Offering + +You can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period of time. + +### Manage which updates are offered + +Windows Update for Business offers you the ability to turn on or off both driver and Microsoft product updates. + +- Drivers (on/off): **Computer configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates** +- Microsoft product updates (on/off): **Computer configuration > Administrative Templates > Windows Components > Windows Update > Get updates for other Microsoft Products** + +We recommend that you allow the driver policy to allow drivers to updated on devices (the default), but you can turn this setting off if you prefer to manage drivers manually. We also recommend that you leave the "Microsoft product updates" setting on. + +### Manage when updates are offered +You can defer or pause the installation of updates for a set period of time. + +#### Defer or pause an update + +A Windows Update for Business administrator can defer or pause updates and preview builds. You can defer features updates for up to 365 days. You can pause feature or quality updates for up to 35 days from a given start date that you specify. + +- Defer or pause a feature update: **Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are Received** +- Defer or pause a quality update: **Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are Received** + +#### Example + +In this example, there are three rings for quality updates. The first ring ("pilot") has a deferral period of 0 days. The second ring ("fast") has a deferral of five days. The third ring ("slow") has a deferral of ten days. + +![illustration of devices divided into three rings](images/waas-wufb-3-rings.png) + +When the quality update is released, it is offered to devices in the pilot ring the next time they scan for updates. + +##### Five days later +The devices in the fast ring are offered the quality update the next time they scan for updates. + +![illustration of devices with fast ring deployed](images/waas-wufb-fast-ring.png) + +##### Ten days later +Ten days after the quality update is released, it is offered to the devices in the slow ring the next time they scan for updates. + +![illustration of devices with slow ring deployed](images/waas-wufb-slow-ring.png) + +If no problems occur, all of the devices that scan for updates will be offered the quality update within ten days of its release, in three waves. + +##### What if a problem occurs with the update? + +In this example, some problem is discovered during the deployment of the update to the "pilot" ring. + +![illustration of devices divided with pilot ring experiencing a problem](images/waas-wufb-pilot-problem.png) + +At this point, the IT administrator can set a policy to pause the update. In this example, the admin selects the **Pause quality updates** check box. + +![illustration of rings with pause quality update check box selected](images/waas-wufb-pause.png) + +Now all devices are paused from updating for 35 days. When the pause is removed, they will be offered the *next* quality update, which ideally will not have the same issue. If there is still an issue, the IT admin can pause updates again. + + + +#### Set branch readiness level for feature updates + +This policy only applies to feature updates. To enable preview builds for devices in your organization, set the "Enable preview builds" policy and then use the "Select when preview builds and feature updates are received" policy. + +We recommend that you set up a ring to receive preview builds by joining the Windows Insider Program for Business. By having a ring of devices receiving "pre-release slow" builds and learning about commercial pre-release features, you can ensure that any issues you have with the release are fixed before it is ever released and far before you broadly deploy. + +- Enable preview builds: **Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Manage Preview Builds** + + + +- Set branch readiness level: **Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are Received** + + + + + +## Related topics + +- [Update Windows 10 in the enterprise](index.md) +- [Overview of Windows as a service](waas-overview.md) +- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) +- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) +- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) +- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) +- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) +- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) +- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) +- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) +- [Configure Windows Update for Business](waas-configure-wufb.md) +- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) +- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) +- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) +- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Manage device restarts after updates](waas-restart.md) + + + + + diff --git a/windows/deployment/update/waas-wufb-intune.md b/windows/deployment/update/waas-wufb-intune.md index e7654ed33a..30f7702f19 100644 --- a/windows/deployment/update/waas-wufb-intune.md +++ b/windows/deployment/update/waas-wufb-intune.md @@ -1,293 +1,293 @@ ---- -title: Walkthrough use Intune to configure Windows Update for Business (Windows 10) -description: Configure Windows Update for Business settings using Microsoft Intune. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greg-lindsay -ms.date: 07/27/2017 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Walkthrough: use Microsoft Intune to configure Windows Update for Business - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - ->[!IMPORTANT] ->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products. -> ->In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. - -You can use Intune to configure Windows Update for Business even if you don’t have on-premises infrastructure when you use Intune in conjunction with Azure AD. Before configuring Windows Update for Business, consider a [deployment strategy](waas-servicing-strategy-windows-10-updates.md) for updates and feature updates in your environment. - -Windows Update for Business in Windows 10 version 1511 allows you to delay quality updates up to 4 weeks and feature updates up to an additional 8 months after Microsoft releases builds to the Current Branch for Business (CBB) servicing branch. In Windows 10 version 1607 and later, you can delay quality updates for up to 30 days and feature updates up to an additional 180 days after the release of either a Current Branch (CB) or CBB build. - -To use Intune to manage quality and feature updates in your environment, you must first create computer groups that align with your constructed deployment rings. - ->[!NOTE] ->Coming soon: [Intune Groups will be converted to Azure Active Directory-based Security Groups](https://docs.microsoft.com/intune/deploy-use/use-groups-to-manage-users-and-devices-with-microsoft-intune) - -## Configure Windows Update for Business in Windows 10, version 1511 - -In this example, you use two security groups to manage your updates: **Ring 4 Broad business users** and **Ring 5 Broad business users #2** from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md). - -- The **Ring 4 Broad business users** group contains PCs of IT members who test the updates as soon as they’re released for Windows clients in the Current Branch for Business (CBB) servicing branch. This phase typically occurs after testing on Current Branch (CB) devices. -- The **Ring 5 Broad business users #2** group consists of the first line-of-business (LOB) users, who consume quality updates after 1 week and feature updates 1 month after the CBB release. - ->[!NOTE] ->Although the [sample deployment rings](waas-deployment-rings-windows-10-updates.md) specify a feature update deferral of 2 weeks for Ring 5, deferrals in Windows 10, version 1511 are in increments of months only. - -### Configure the Ring 4 Broad business users deployment ring for CBB with no deferral - -1. Sign in to [https://manage.microsoft.com](https://manage.microsoft.com) with your Intune administrator credentials. - -2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane. - - ![Shows the UI for this step](images/waas-wufb-intune-step2a.png) - -3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**. - -4. Name the policy **Windows Update for Business - CBB1**. Then, in the **OMA-URI Settings** section, click **Add**. - -5. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list. - -6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade**. - -7. In the **Value** box, type **1**, and then click **OK**. - - >[!NOTE] - >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax. - - ![Settings for this policy](images/waas-wufb-intune-step7a.png) - -8. For this deployment ring, you’re required to enable only CBB, so click **Save Policy**. - -9. In the **Deploy Policy: Windows Update for Business – CBB1** dialog box, click **Yes**. - - >[!NOTE] - >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**. - -10. In the **Manage Deployment: Windows Update for Business – CBB1** dialog box, select the **Ring 4 Broad business users** group, click **Add**, and then click **OK**. - -You have now configured the **Ring 4 Broad business users** deployment ring to enable the CBB servicing branch. Now, you must configure **Ring 5 Broad business users #2** to accommodate a 1-week delay for quality updates and a 1-month delay for feature updates. - -### Configure the Ring 5 Broad business users \#2 deployment ring for CBB with deferrals - -1. In the Policy workspace, click **Configuration Policies**, and then click **Add**. - -2. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**. - -3. Name the policy **Windows Update for Business – CBB2**. Then, in the **OMA-URI Settings** section, click **Add**. - In this policy, you add two OMA-URI settings, one for each deferment type. - -4. In **Setting name**, type **Enable Clients for CBB**, and then in the **Data type** list, select **Integer**. - -6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade**. Then, in the **Value** box, type **1**. - -7. Click **OK** to save the setting. - -8. In the **OMA-URI Settings** section, click **Add**. - -9. For this setting, in **Setting name**, type **Defer Updates for 1 Week**, and then in the **Data type** list, select **Integer**. - -11. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferUpdatePeriod**. - -12. In the **Value** box, type **1**. - -13. Click **OK** to save the setting. - -14. In the **OMA-URI Settings** section, click **Add**. - -15. For this setting, in **Setting name**, type **Defer Upgrades for 1 Month**, and then in the **Data type** list, select **Integer**. - -17. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferUpgradePeriod**. - -18. In the **Value** box, type **1**. - -19. Click **OK** to save the setting. - - Three settings should appear in the **Windows Update for Business – CBB2** policy. - - ![Settings for CBB2 policy](images/waas-wufb-intune-step19a.png) - -20. Click **Save Policy**, and then click **Yes** at the **Deploy Policy** prompt. - -21. In the **Manage Deployment** dialog box, select the **Ring 5 Broad business users #2** computer group, click **Add**, and then click **OK**. - -## Configure Windows Update for Business in Windows 10 version 1607 - -To use Intune to manage quality and feature updates in your environment, you must first create computer groups that align with your constructed deployment rings. - -In this example, you use three security groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to manage your updates: - -- **Ring 2 Pilot Business Users** contains the PCs of business users which are part of the pilot testing process, receiving CB builds 28 days after they are released. -- **Ring 4 Broad business users** consists of IT members who receive updates after Microsoft releases a Windows 10 build to the CBB servicing branch. -- **Ring 5 Broad business users #2** consists of LOB users on CBB, who receive quality updates after 7 days and feature updates after 14 days. - -### Configure Ring 2 Pilot Business Users policy - -1. Sign in to [https://manage.microsoft.com](https://manage.microsoft.com) with your Intune administrator credentials. - -2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane. - - ![Shows the UI for this step](images/waas-wufb-intune-step2a.png) - -3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**. - -4. Name the policy **Windows Update for Business - CB2**. Then, in the **OMA-URI Settings** section, click **Add**. - -4. In **Setting name**, type **Enable Clients for CB**, and then select **Integer** from the **Data type** list. - -6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**. - -7. In the **Value** box, type **0**, and then click **OK**. - - >[!NOTE] - >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax. - - ![Settings for this policy](images/waas-wufb-intune-cb2a.png) - -8. Because the **Ring 2 Pilot Business Users** deployment ring receives the CB feature updates after 28 days, in the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting. - -8. In **Setting name**, type **Defer feature updates for 28 days**, and then select **Integer** from the **Data type** list. -10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**. -11. In the **Value** box, type **28**, and then click **OK**. - - ![Settings for this policy](images/waas-wufb-intune-step11a.png) - -9. Click **Save Policy**. - -9. In the **Deploy Policy: Windows Update for Business – CB2** dialog box, click **Yes**. - - >[!NOTE] - >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**. - -10. In the **Manage Deployment: Windows Update for Business – CB2** dialog box, select the **Ring 2 Pilot Business Users** group, click **Add**, and then click **OK**. - -You have now configured the **Ring 2 Pilot Business Users** deployment ring to enable CB feature update deferment for 14 days. Now, you must configure **Ring 4 Broad business users** to receive CBB features updates as soon as they’re available. - -### Configure Ring 4 Broad business users policy - -2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane. - - ![Shows the UI for this step](images/waas-wufb-intune-step2a.png) - -3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**. - -4. Name the policy **Windows Update for Business - CBB1**. Then, in the **OMA-URI Settings** section, click **Add**. - -5. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list. - -6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**. - -7. In the **Value** box, type **1**, and then click **OK**. - - >[!NOTE] - >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax. - - -8. Because the **Ring 4 Broad business users** deployment ring receives the CBB feature updates immediately, in the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting. - -9. In **Setting name**, type **Defer feature updates for 0 days**, and then select **Integer** from the **Data type** list. - -10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**. - -11. In the **Value** box, type **0**, and then click **OK**. - - ![Settings for this policy](images/waas-wufb-intune-cbb1a.png) - -12. Click **Save Policy**. - -13. In the **Deploy Policy: Windows Update for Business – CBB1** dialog box, click **Yes**. - - >[!NOTE] - >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**. - -14. In the **Manage Deployment: Windows Update for Business – CBB1** dialog box, select the **Ring 4 Broad business users** group, click **Add**, and then click **OK**. - -You have now configured the **Ring 4 Broad business users** deployment ring to receive CBB feature updates as soon as they’re available. Finally, configure **Ring 5 Broad business users #2** to accommodate a 7-day delay for quality updates and a 14-day delay for feature updates. - - -### Configure Ring 5 Broad business users \#2 policy - -2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane. - - ![Shows the UI for this step](images/waas-wufb-intune-step2a.png) - -3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**. - -4. Name the policy **Windows Update for Business - CBB2**. Then, in the **OMA-URI Settings** section, click **Add**. - -5. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list. - -6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**. - -7. In the **Value** box, type **1**, and then click **OK**. - - >[!NOTE] - >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax. - - -8. In the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting. - -9. In **Setting name**, type **Defer quality updates for 7 days**, and then select **Integer** from the **Data type** list. - -10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesPeriodInDays**. - -11. In the **Value** box, type **7**, and then click **OK**. - -12. In the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting. - -13. In **Setting name**, type **Defer feature updates for 14 days**, and then select **Integer** from the **Data type** list. - -14. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**. - -15. In the **Value** box, type **14**, and then click **OK**. - - ![Settings for this policy](images/waas-wufb-intune-cbb2a.png) - -16. Click **Save Policy**. - -17. In the **Deploy Policy: Windows Update for Business – CBB2** dialog box, click **Yes**. - - >[!NOTE] - >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**. - -18. In the **Manage Deployment: Windows Update for Business – CBB2** dialog box, select the **Ring 5 Broad Business Users #2** group, click **Add**, and then click **OK**. - -## Related topics - -- [Update Windows 10 in the enterprise](index.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) -- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) -- [Manage device restarts after updates](waas-restart.md) - - - - - - - - +--- +title: Walkthrough use Intune to configure Windows Update for Business (Windows 10) +description: Configure Windows Update for Business settings using Microsoft Intune. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.date: 07/27/2017 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Walkthrough: use Microsoft Intune to configure Windows Update for Business + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + +>[!IMPORTANT] +>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products. +> +>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. + +You can use Intune to configure Windows Update for Business even if you don’t have on-premises infrastructure when you use Intune in conjunction with Azure AD. Before configuring Windows Update for Business, consider a [deployment strategy](waas-servicing-strategy-windows-10-updates.md) for updates and feature updates in your environment. + +Windows Update for Business in Windows 10 version 1511 allows you to delay quality updates up to 4 weeks and feature updates up to an additional 8 months after Microsoft releases builds to the Current Branch for Business (CBB) servicing branch. In Windows 10 version 1607 and later, you can delay quality updates for up to 30 days and feature updates up to an additional 180 days after the release of either a Current Branch (CB) or CBB build. + +To use Intune to manage quality and feature updates in your environment, you must first create computer groups that align with your constructed deployment rings. + +>[!NOTE] +>Coming soon: [Intune Groups will be converted to Azure Active Directory-based Security Groups](https://docs.microsoft.com/intune/deploy-use/use-groups-to-manage-users-and-devices-with-microsoft-intune) + +## Configure Windows Update for Business in Windows 10, version 1511 + +In this example, you use two security groups to manage your updates: **Ring 4 Broad business users** and **Ring 5 Broad business users #2** from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md). + +- The **Ring 4 Broad business users** group contains PCs of IT members who test the updates as soon as they’re released for Windows clients in the Current Branch for Business (CBB) servicing branch. This phase typically occurs after testing on Current Branch (CB) devices. +- The **Ring 5 Broad business users #2** group consists of the first line-of-business (LOB) users, who consume quality updates after 1 week and feature updates 1 month after the CBB release. + +>[!NOTE] +>Although the [sample deployment rings](waas-deployment-rings-windows-10-updates.md) specify a feature update deferral of 2 weeks for Ring 5, deferrals in Windows 10, version 1511 are in increments of months only. + +### Configure the Ring 4 Broad business users deployment ring for CBB with no deferral + +1. Sign in to [https://manage.microsoft.com](https://manage.microsoft.com) with your Intune administrator credentials. + +2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane. + + ![Shows the UI for this step](images/waas-wufb-intune-step2a.png) + +3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**. + +4. Name the policy **Windows Update for Business - CBB1**. Then, in the **OMA-URI Settings** section, click **Add**. + +5. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list. + +6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade**. + +7. In the **Value** box, type **1**, and then click **OK**. + + >[!NOTE] + >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax. + + ![Settings for this policy](images/waas-wufb-intune-step7a.png) + +8. For this deployment ring, you’re required to enable only CBB, so click **Save Policy**. + +9. In the **Deploy Policy: Windows Update for Business – CBB1** dialog box, click **Yes**. + + >[!NOTE] + >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**. + +10. In the **Manage Deployment: Windows Update for Business – CBB1** dialog box, select the **Ring 4 Broad business users** group, click **Add**, and then click **OK**. + +You have now configured the **Ring 4 Broad business users** deployment ring to enable the CBB servicing branch. Now, you must configure **Ring 5 Broad business users #2** to accommodate a 1-week delay for quality updates and a 1-month delay for feature updates. + +### Configure the Ring 5 Broad business users \#2 deployment ring for CBB with deferrals + +1. In the Policy workspace, click **Configuration Policies**, and then click **Add**. + +2. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**. + +3. Name the policy **Windows Update for Business – CBB2**. Then, in the **OMA-URI Settings** section, click **Add**. + In this policy, you add two OMA-URI settings, one for each deferment type. + +4. In **Setting name**, type **Enable Clients for CBB**, and then in the **Data type** list, select **Integer**. + +6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade**. Then, in the **Value** box, type **1**. + +7. Click **OK** to save the setting. + +8. In the **OMA-URI Settings** section, click **Add**. + +9. For this setting, in **Setting name**, type **Defer Updates for 1 Week**, and then in the **Data type** list, select **Integer**. + +11. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferUpdatePeriod**. + +12. In the **Value** box, type **1**. + +13. Click **OK** to save the setting. + +14. In the **OMA-URI Settings** section, click **Add**. + +15. For this setting, in **Setting name**, type **Defer Upgrades for 1 Month**, and then in the **Data type** list, select **Integer**. + +17. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferUpgradePeriod**. + +18. In the **Value** box, type **1**. + +19. Click **OK** to save the setting. + + Three settings should appear in the **Windows Update for Business – CBB2** policy. + + ![Settings for CBB2 policy](images/waas-wufb-intune-step19a.png) + +20. Click **Save Policy**, and then click **Yes** at the **Deploy Policy** prompt. + +21. In the **Manage Deployment** dialog box, select the **Ring 5 Broad business users #2** computer group, click **Add**, and then click **OK**. + +## Configure Windows Update for Business in Windows 10 version 1607 + +To use Intune to manage quality and feature updates in your environment, you must first create computer groups that align with your constructed deployment rings. + +In this example, you use three security groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to manage your updates: + +- **Ring 2 Pilot Business Users** contains the PCs of business users which are part of the pilot testing process, receiving CB builds 28 days after they are released. +- **Ring 4 Broad business users** consists of IT members who receive updates after Microsoft releases a Windows 10 build to the CBB servicing branch. +- **Ring 5 Broad business users #2** consists of LOB users on CBB, who receive quality updates after 7 days and feature updates after 14 days. + +### Configure Ring 2 Pilot Business Users policy + +1. Sign in to [https://manage.microsoft.com](https://manage.microsoft.com) with your Intune administrator credentials. + +2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane. + + ![Shows the UI for this step](images/waas-wufb-intune-step2a.png) + +3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**. + +4. Name the policy **Windows Update for Business - CB2**. Then, in the **OMA-URI Settings** section, click **Add**. + +4. In **Setting name**, type **Enable Clients for CB**, and then select **Integer** from the **Data type** list. + +6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**. + +7. In the **Value** box, type **0**, and then click **OK**. + + >[!NOTE] + >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax. + + ![Settings for this policy](images/waas-wufb-intune-cb2a.png) + +8. Because the **Ring 2 Pilot Business Users** deployment ring receives the CB feature updates after 28 days, in the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting. + +8. In **Setting name**, type **Defer feature updates for 28 days**, and then select **Integer** from the **Data type** list. +10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**. +11. In the **Value** box, type **28**, and then click **OK**. + + ![Settings for this policy](images/waas-wufb-intune-step11a.png) + +9. Click **Save Policy**. + +9. In the **Deploy Policy: Windows Update for Business – CB2** dialog box, click **Yes**. + + >[!NOTE] + >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**. + +10. In the **Manage Deployment: Windows Update for Business – CB2** dialog box, select the **Ring 2 Pilot Business Users** group, click **Add**, and then click **OK**. + +You have now configured the **Ring 2 Pilot Business Users** deployment ring to enable CB feature update deferment for 14 days. Now, you must configure **Ring 4 Broad business users** to receive CBB features updates as soon as they’re available. + +### Configure Ring 4 Broad business users policy + +2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane. + + ![Shows the UI for this step](images/waas-wufb-intune-step2a.png) + +3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**. + +4. Name the policy **Windows Update for Business - CBB1**. Then, in the **OMA-URI Settings** section, click **Add**. + +5. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list. + +6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**. + +7. In the **Value** box, type **1**, and then click **OK**. + + >[!NOTE] + >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax. + + +8. Because the **Ring 4 Broad business users** deployment ring receives the CBB feature updates immediately, in the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting. + +9. In **Setting name**, type **Defer feature updates for 0 days**, and then select **Integer** from the **Data type** list. + +10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**. + +11. In the **Value** box, type **0**, and then click **OK**. + + ![Settings for this policy](images/waas-wufb-intune-cbb1a.png) + +12. Click **Save Policy**. + +13. In the **Deploy Policy: Windows Update for Business – CBB1** dialog box, click **Yes**. + + >[!NOTE] + >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**. + +14. In the **Manage Deployment: Windows Update for Business – CBB1** dialog box, select the **Ring 4 Broad business users** group, click **Add**, and then click **OK**. + +You have now configured the **Ring 4 Broad business users** deployment ring to receive CBB feature updates as soon as they’re available. Finally, configure **Ring 5 Broad business users #2** to accommodate a 7-day delay for quality updates and a 14-day delay for feature updates. + + +### Configure Ring 5 Broad business users \#2 policy + +2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane. + + ![Shows the UI for this step](images/waas-wufb-intune-step2a.png) + +3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**. + +4. Name the policy **Windows Update for Business - CBB2**. Then, in the **OMA-URI Settings** section, click **Add**. + +5. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list. + +6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**. + +7. In the **Value** box, type **1**, and then click **OK**. + + >[!NOTE] + >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax. + + +8. In the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting. + +9. In **Setting name**, type **Defer quality updates for 7 days**, and then select **Integer** from the **Data type** list. + +10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesPeriodInDays**. + +11. In the **Value** box, type **7**, and then click **OK**. + +12. In the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting. + +13. In **Setting name**, type **Defer feature updates for 14 days**, and then select **Integer** from the **Data type** list. + +14. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**. + +15. In the **Value** box, type **14**, and then click **OK**. + + ![Settings for this policy](images/waas-wufb-intune-cbb2a.png) + +16. Click **Save Policy**. + +17. In the **Deploy Policy: Windows Update for Business – CBB2** dialog box, click **Yes**. + + >[!NOTE] + >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**. + +18. In the **Manage Deployment: Windows Update for Business – CBB2** dialog box, select the **Ring 5 Broad Business Users #2** group, click **Add**, and then click **OK**. + +## Related topics + +- [Update Windows 10 in the enterprise](index.md) +- [Overview of Windows as a service](waas-overview.md) +- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) +- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) +- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) +- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) +- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) +- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) +- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) +- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) +- [Configure Windows Update for Business](waas-configure-wufb.md) +- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) +- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) +- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) +- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Manage device restarts after updates](waas-restart.md) + + + + + + + + diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md index a68b265218..423c82f71c 100644 --- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md +++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md @@ -1,293 +1,293 @@ ---- -title: Frequently asked questions and troubleshooting Windows Analytics -ms.reviewer: -manager: laurawi -description: Frequently asked questions about Windows Analytics and steps to take when things go wrong -keywords: windows analytics, oms, operations management suite, prerequisites, requirements, updates, upgrades, log analytics, health, FAQ, problems, troubleshooting, error -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greg-lindsay -ms.localizationpriority: medium -ms.collection: M365-analytics -ms.topic: article ---- - -# Frequently asked questions and troubleshooting Windows Analytics - ->[!IMPORTANT] ->**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences. See [Windows Analytics in the Azure Portal](windows-analytics-azure-portal.md) for steps to use Windows Analytics in the Azure portal. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition). - -This topic compiles the most common issues encountered with configuring and using Windows Analytics, as well as general questions. This FAQ, along with the [Windows Analytics Technical Community](https://techcommunity.microsoft.com/t5/Windows-Analytics/ct-p/WindowsAnalytics), are recommended resources to consult before contacting Microsoft support. - -## Troubleshooting common problems - -If you've followed the steps in the [Enrolling devices in Windows Analytics](windows-analytics-get-started.md) topic and are still encountering problems, you might find the solution here. - -[Devices not appearing in Upgrade Readiness](#devices-not-appearing-in-upgrade-readiness) - -[Devices not appearing in Device Health Device Reliability](#devices-not-appearing-in-device-health-device-reliability) - -[Device crashes not appearing in Device Health Device Reliability](#device-crashes-not-appearing-in-device-health-device-reliability) - -[Apps not appearing in Device Health App Reliability](#apps-not-appearing-in-device-health-app-reliability) - -[Upgrade Readiness shows many "Computers with outdated KB"](#upgrade-readiness-shows-many-computers-with-outdated-kb) - -[Upgrade Readiness shows many "Computers with incomplete data"](#upgrade-readiness-shows-many-computers-with-incomplete-data) - -[Upgrade Readiness doesn't show app inventory data on some devices](#upgrade-readiness-doesnt-show-app-inventory-data-on-some-devices) - -[Upgrade Readiness doesn't show IE site discovery data from some devices](#upgrade-readiness-doesnt-show-ie-site-discovery-data-from-some-devices) - -[Device names not appearing for Windows 10 devices](#device-names-not-appearing-for-windows-10-devices) - -[Custom log queries using the AbnormalShutdownCount field of Device Health show zero or lower than expected results](#custom-log-queries-using-the-abnormalshutdowncount-field-of-device-health-show-zero-or-lower-than-expected-results) - -[Disable Upgrade Readiness](#disable-upgrade-readiness) - -[Exporting large data sets](#exporting-large-data-sets) - - -### Devices not appearing in Upgrade Readiness - -In Log Analytics, go to **Settings > Connected sources > Windows telemetry** and verify that you are subscribed to the Windows Analytics solutions you intend to use. - -Even though devices can take 2-3 days after enrollment to show up due to latency in the system, you can now verify the status of your devices within a few hours of running the deployment script as described in [You can now check on the status of your computers within hours of running the deployment script](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/You-can-now-check-on-the-status-of-your-computers-within-hours/ba-p/187213) on the Tech Community Blog. - ->[!NOTE] -> If you generate the status report and get an error message saying "Sorry! We’re not recognizing your Commercial Id," go to **Settings > Connected sources > Windows telemetry** remove the Upgrade Readiness solution, and then re-add it. - -If devices are not showing up as expected, find a representative device and follow these steps to run the latest pilot version of the Upgrade Readiness deployment script on it to troubleshoot issues: - -1. Download and extract the [Upgrade Readiness Deployment Script](https://www.microsoft.com/download/details.aspx?id=53327). Ensure that the **Pilot/Diagnostics** folder is included. -2. Edit the script as described in [Upgrade Readiness deployment script](../upgrade/upgrade-readiness-deployment-script.md). -3. Check that `isVerboseLogging` is set to `$true`. -4. Run the script again. Log files will be saved to the directory specified in the script. -5. Check the output of the script in the command window and/or log **UA_dateTime_machineName.txt** to ensure that all steps were completed successfully. -6. If you are still seeing errors you can't diagnose, then consider open a support case with Microsoft Support through your regular channel and provide this information. - -If you want to check a large number of devices, you should run the latest script at scale from your management tool of choice (for example, System Center Configuration Manager) and check the results centrally. - -If you think the issue might be related to a network proxy, check "Enable data sharing" section of the [Enrolling devices in Windows Analytics](windows-analytics-get-started.md) topic. Also see [Understanding connectivity scenarios and the deployment script](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog. - -If you have deployed images that have not been generalized, then many of them might have the same ID and so Windows Analytics will see them as one device. If you suspect this is the issue, then you can reset the IDs on the non-generalized devices by performing these steps: -1. Net stop diagtrack -2. Reg delete hklm\software\microsoft\sqmclient /v MachineId /f -3. Net start diagtrack - -#### Devices not appearing in Device Health Device Reliability - -[![Device Reliability tile showing device count highlighted](images/device-reliability-device-count.png)](images/device-reliability-device-count.png) - -If you have devices that appear in other solutions, but not Device Health (the Device Health overview tile shows "Performing Assessment" or the device count is lower than expected), follow these steps to investigate the issue: -1. Using the Azure portal, remove the Device Health (appears as DeviceHealthProd on some pages) solution from your Log Analytics workspace. After completing this, add the Device Health solution to you workspace again. -2. Confirm that the devices are running Windows 10. -3. Verify that the Commercial ID is present in the device's registry. For details see [https://gpsearch.azurewebsites.net/#13551](https://gpsearch.azurewebsites.net/#13551). -4. Confirm that devices are opted in to send diagnostic data by checking in the registry that **AllowTelemetry** is set to either 2 (Enhanced) or 3 (Full). - - **AllowTelemetry** under **HKLM\Software\Policies\Microsoft\Windows\DataCollection** is the IT policy path. - - **AllowTelemetry** under **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** is the user preference (Settings app) path. - - IMPORTANT: By convention (and in earlier versions of Windows 10) the IT policy would take precedence over any user preference. Starting with Windows 10, version 1803, the user can lower the device's effective value even when an IT policy is set. This change assists organizations in complying with regional or organizational expectations about user control over privacy settings. For organizations where user control of privacy settings is not required, the previous behavior (IT policy path always wins) can be enabled using the new policy **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in setting user interface**. -5. Verify that devices can reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Also check settings for SSL inspection and proxy authentication; see [Configuring endpoint access with SSL inspection](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#configuring-endpoint-access-with-ssl-inspection) for more information. -6. Wait 48 hours for activity to appear in the reports. -7. If you need additional troubleshooting, contact Microsoft Support. - - -### Device crashes not appearing in Device Health Device Reliability - -[![Device Reliability tile showing crash count highlighted](images/device-reliability-crash-count.png)](images/device-reliability-crash-count.png) - -If you know that devices are experiencing stop error crashes that do not seem to be reflected in the count of devices with crashes, follow these steps to investigate the issue: - -1. Verify that devices are reporting data properly by following the steps in the [Devices not appearing in Device Health Device Reliability](#devices-not-appearing-in-device-health-device-reliability) section of this topic. -2. Trigger a known crash on a test device by using a tool such as [NotMyFault](https://docs.microsoft.com/sysinternals/downloads/notmyfault) from Windows Sysinternals. -3. Verify that Windows Error Reporting (WER) is not disabled or redirected by confirming the registry settings in **HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting** (or **HKLM\Software\Policies\Microsoft\Windows\DataCollection**, which will take precedence if set): - - - Verify that the value "Disabled" (REG_DWORD), if set, is 0. - - Verify that the value "DontSendAdditionalData" (REG_DWORD), if set, is 0. - - Verify that the value "CorporateWERServer" (REG_SZ) is not configured. - -4. Verify that WER can reach all diagnostic endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md)--if WER can only reach some of the endpoints, it could be included in the device count while not reporting crashes. -5. Check that crash reports successfully complete the round trip with Event 1001 and that BucketID is not blank. A typical such event looks like this: - - [![Event viewer detail showing Event 1001 details](images/event_1001.png)](images/event_1001.png) - - You can use the following Windows PowerShell snippet to summarize recent occurrences of Event 1001. Most events should have a value for BucketID (a few intermittent blank values are OK, however). - - ```powershell - $limitToMostRecentNEvents = 20 - Get-WinEvent -FilterHashTable @{ProviderName="Windows Error Reporting"; ID=1001} | - ?{ $_.Properties[2].Value -match "crash|blue" } | - % { [pscustomobject]@{ - TimeCreated=$_.TimeCreated - WEREvent=$_.Properties[2].Value - BucketId=$_.Properties[0].Value - ContextHint = $( - if($_.Properties[2].Value -eq "bluescreen"){"kernel"} - else{ $_.Properties[5].Value } - ) - }} | Select-Object -First $limitToMostRecentNEvents - ``` - The output should look something like this: - [![Typical output for this snippet](images/device-reliability-event1001-PSoutput.png)](images/device-reliability-event1001-PSoutput.png) - -6. Check that some other installed device, app, or crash monitoring solution is not intercepting crash events. -7. Wait 48 hours for activity to appear in the reports. -8. If you need additional troubleshooting, contact Microsoft Support. - -#### Endpoint connectivity - -Devices must be able to reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). - -If you are using proxy server authentication, it's worth taking extra care to check the configuration. Prior to Windows 10, version 1703, WER only uploads error reports in the machine context, so whitelisting endpoints to allow non-authenticated access was typically used. In Windows 10, version 1703 and later versions, WER will attempt to use the context of the user that is logged on for proxy authentication such that only the user account requires proxy access. - - -For more information, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md#configuring-endpoint-access-with-proxy-server-authentication). - -### Apps not appearing in Device Health App Reliability - -[![App Reliability tile showing relability events trend](images/app-reliability.png)](images/app-reliability.png) - -If apps that you know are crashing do not appear in App Reliability, follow these steps to investigate the issue: - -1. Double-check the steps in the [Devices not appearing in Device Health Device Reliability](#devices-not-appearing-in-device-health-device-reliability) and [Device crashes not appearing in Device Health Device Reliability](#device-crashes-not-appearing-in-device-health-device-reliability) sections of this topic. -2. Confirm that an in-scope application has crashed on an enrolled device. Keep the following points in mind: - - Not all user-mode crashes are included in App Reliability, which tracks only apps that have a GUI, have been used interactively by a user, and are not part of the operating system. - - Enrolling more devices helps to ensure that there are enough naturally occurring app crashes. - - You can also use test apps which are designed to crash on demand. - -3. Verify that *per-user* Windows Error Reporting (WER) is not disabled or redirected by confirming the registry settings in **HKCU\SOFTWARE\Microsoft\Windows\Windows Error Reporting** (or **HKCU\Software\Policies\Microsoft\Windows\DataCollection**, which will take precedence if set): - - - Verify that the value "Disabled" (REG_DWORD), if set, is 0. - - Verify that the value "DontSendAdditionalData" (REG_DWORD), if set, is 0. - - Verify that the value "CorporateWERServer" (REG_SZ) is not configured. -4. Check that some other installed device, app, or crash monitoring solution is not intercepting crash events. -5. Wait 48 hours for activity to appear in the reports. -6. If you need additional troubleshooting, contact Microsoft Support. - - -### Upgrade Readiness shows many "Computers with outdated KB" -If you see a large number of devices reported as shown in this screenshot of the Upgrade Readiness tile: - -[![Upgrade Readiness tile showing Computers with outdated KB datum in red box](images/outdated_outdated.png)](images/outdated_outdated.png) - -On Windows 7 SP1 and Windows 8.1 devices, you must deploy the compatibility update as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). - -Note that the compatibility update retains the same KB number when a new version is released, so even if the update is installed on your devices, *they might not be running the latest version*. The compatibility update is now a critical update, so you can check that the latest version is installed from your management tool. - - -### Upgrade Readiness shows many "Computers with incomplete data" -If you see a large number of devices reported as shown in this screenshot of the Upgrade Readiness tile: - -[![Upgrade Readiness tile showing Computers with incomplete data datum in red box](images/outdated_incomplete.png)](images/outdated_incomplete.png) - -Download the latest deployment script and run it on an affected device to check for issues. See the [Upgrade Readiness deployment script](../upgrade/upgrade-readiness-deployment-script.md) topic for information about obtaining and running the script, and for a description of the error codes that can be displayed. Remember to wait up to 48-72 hours to see the results. -See ["Understanding connectivity scenarios and the deployment script"](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog for a summary of setting the ClientProxy for the script, which will enable the script properly check for diagnostic data endpoint connectivity. - - -If this becomes a recurring issue, schedule a full inventory scan monthly, as per the device enrollment guidelines for deployment at scale. - - - -### Upgrade Readiness doesn't show app inventory data on some devices -Upgrade Readiness only collects app inventory on devices that are not yet upgraded to the target operating system version specified in the Upgrade Readiness Overview blade. This is because Upgrade Readiness targets upgrade planning (for devices not yet upgraded). - - -### Upgrade Readiness doesn't show IE site discovery data from some devices -Double-check that IE site discovery opt-in has been configured in the deployment script. (See the [Upgrade Readiness deployment script](../upgrade/upgrade-readiness-deployment-script.md) topic for information about obtaining and running the script, and for a description of the error codes that can be displayed. See ["Understanding connectivity scenarios and the deployment script"](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog for a summary of setting the ClientProxy for the script, which will enable the script properly check for diagnostic data endpoint connectivity.) - -Also, on Windows 10 devices remember that IE site discovery requires data diagnostics set to the Enhanced level. - -There are two additional configurations to check: -1. Make sure Flip Ahead with Page Prediction is enabled. It can be configured at Internet Options -> Advanced -> Browsing -> Enable flip ahead with page prediction. -2. Make sure IE is not running in InPrivate mode. - -Finally, Upgrade Readiness only collects IE site discovery data on devices that are not yet upgraded to the target operating system version specified in the Upgrade Readiness Overview blade. This is because Upgrade Readiness targets upgrade planning (for devices not yet upgraded). - ->[!NOTE] -> IE site discovery is disabled on devices running Windows 7 and Windows 8.1 that are in Switzerland and EU countries. - -### Device names not appearing for Windows 10 devices -Starting with Windows 10, version 1803, the device name is no longer collected by default and requires a separate opt-in. For more information, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Allowing device names to be collected can make it easier for you to identify individual devices that report problems. Without the device name, Windows Analytics can only label devices by a GUID that it generates. - -### Custom log queries using the AbnormalShutdownCount field of Device Health show zero or lower than expected results -This issue affects custom queries of the Device Health data by using the **Logs > Search page** or API. It does not impact any of the built-in tiles or reports of the Device Health solution. The **AbnormalShutdownCount** field of the **DHOSReliability** data table represents abnormal shutdowns other than crashes, such as sudden power loss or holding down the power button. - -We have identified an incompatibility between AbnormalShutdownCount and the Limited Enhanced diagnostic data level on Windows 10, versions 1709, 1803, and 1809. Such devices do not send the abnormal shutdown signal to Microsoft. You should not rely on AbnormalShutdownCount in your custom queries unless you use any one of the following workarounds: - - -- Upgrade devices to Windows 10, version 1903 when available. Participants in the Windows Insider program can preview this change using Windows Insider builds. -- Change the diagnostic data setting from devices running Windows 10, versions 1709, 1803, and 1809 normal Enhanced level instead of Limited Enhanced. -- Use alternative data from devices to track abnormal shutdowns. For example, you can forward abnormal shutdown events from the Windows Event Log to your Log Analytics workspace by using the Log Analytics agent. Suggested events to forward include: - - Log: System, ID: 41, Source: Kernel-Power - - Log System, ID: 6008, Source: EventLog - - - -### Disable Upgrade Readiness - -If you want to stop using Upgrade Readiness and stop sending diagnostic data to Microsoft, follow these steps: - -1. Unsubscribe from the Upgrade Readiness solution in Azure Portal. In Azure Portal, go to **Settings** > **Connected Sources** > **Windows Telemetry** and choose the **Unsubscribe** option. - - ![Upgrade Readiness unsubscribe](images/upgrade-analytics-unsubscribe.png) - -2. Disable the Commercial Data Opt-in Key on computers running Windows 7 SP1 or 8.1. On computers running Windows 10, set the diagnostic data level to **Security**: - - **Windows 7 and Windows 8.1**: Delete CommercialDataOptIn registry property from *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection* - - **Windows 10**: Follow the instructions in [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization). - -3. If you enabled **Internet Explorer Site Discovery**, you can disable Internet Explorer data collection by setting the *IEDataOptIn* registry key to value "0". The IEDataOptIn key can be found under: *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*. -4. **Optional step:** You can also remove the “CommercialId” key from: "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection". - -### Exporting large data sets - -Azure Log Analytics is optimized for advanced analytics of large data sets and can efficiently generate summaries and analytics for them. The query language is not optimized (or intended) for returning large raw data sets and has built-in limits to protect against overuse. There are times when it might be necessary to get more data than this, but that should be done sparingly since this is not the intended way to use Azure Log Analytics. The following code snippet shows how to retrieve data from UAApp one “page” at a time: - -``` -let snapshot = toscalar(UAApp | summarize max(TimeGenerated)); -let pageSize = 100000; -let pageNumber = 0; - -UAApp -| where TimeGenerated == snapshot and IsRollup==true and RollupLevel=="Granular" and Importance == "Low install count" -| order by AppName, AppVendor, AppVersion desc -| serialize -| where row_number(0) >= (pageSize * pageNumber) -| take pageSize -``` - - - -## Other common questions - -### What are the requirements and costs for Windows Analytics solutions? - -| Windows Analytics solution| Windows license requirements | Windows version requirements | Minimum diagnostic data requirements | -|----------------------|-----------------------------------|------------------------------|------------------------------| -| Upgrade Readiness | No additional requirements | Windows 7 with Service Pack 1, Windows 8.1, Windows 10 | Basic level in most cases; Enhanced level to support Windows 10 app usage data and IE site discovery | -| Update Compliance | No additional requirements | Windows 10 | Basic level | -| Device Health | **Any** of the following licenses:
          - Windows 10 Enterprise or Windows 10 Education per-device with active Software Assurance
          - Windows 10 Enterprise E3 or E5 per-device or per-user subscription (including Microsoft 365 F1, E3, or E5)
          - Windows 10 Education A3 or A5 (including Microsoft 365 Education A3 or A5)
          - Windows VDA E3 or E5 per-device or per-user subscription
          - Windows Server 2016 or later | Windows 10 | - For Windows 10 version 1709 or later: Enhanced (Limited)
          - For earlier versions: Enhanced - ->[!NOTE] -> Regarding licensing requirements for Device Health, you do not need per-seat licensing, but only enough licenses to cover your total device usage. For example, if you have 100 E3 licenses, you can monitor 100 devices with Device Health. - -Beyond the cost of Windows operating system licenses, there is no additional cost for using Windows Analytics. Within Azure Log Analytics, Windows Analytics is "zero-rated;" this means it is excluded from data limits and costs regardless of the Azure Log Analytics pricing tier you have chosen. To be more specific, Azure Log Analytics is available in different pricing tiers as described in [Pricing - Log Analytics](https://azure.microsoft.com/pricing/details/log-analytics/). -- If you are using the free tier, which has a cap on the amount of data collected per day, the Windows Analytics data will not count towards this cap. You will be able to collect all the Windows Analytics data from your devices and still have the full cap available for collecting additional data from other sources. -- If you are using a paid tier that charges per GB of data collected, the Windows Analytics data will not be charged. You will be able to collect all the Windows Analytics data from your devices and not incur any costs. - -Note that different Azure Log Analytics plans have different data retention periods, and the Windows Analytics solutions inherit the workspace's data retention policy. So, for example, if your workspace is on the free plan then Windows Analytics will retain the last week's worth of "daily snapshots" that are collected in the workspace. - - -### Why do SCCM and Upgrade Readiness show different counts of devices that are ready to upgrade? -System Center Configuration Manager (SCCM) considers a device ready to upgrade if *no installed app* has an upgrade decision of “not ready” (that is, they are all "ready" or "in progress"), while Upgrade Readiness considers a device ready to upgrade only if *all* installed apps are marked “ready”. - -Currently, you can choose the criteria you wish to use: -- To use the SCCM criteria, create the collection of devices ready to upgrade within the SCCM console (using the analytics connector). -- To use the Upgrade Readiness criteria, export the list of ready-to-upgrade devices from the corresponding Upgrade Readiness report, and then build the SCCM collection from that spreadsheet. - -### How does Upgrade Readiness collect the inventory of devices and applications? -For details about this process and some tips, see [How does Upgrade Readiness in WA collects application inventory for your OMS workspace?](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/How-does-Upgrade-Readiness-in-WA-collects-application-inventory/ba-p/213586) on the Windows Analytics blog. +--- +title: Frequently asked questions and troubleshooting Windows Analytics +ms.reviewer: +manager: laurawi +description: Frequently asked questions about Windows Analytics and steps to take when things go wrong +keywords: windows analytics, oms, operations management suite, prerequisites, requirements, updates, upgrades, log analytics, health, FAQ, problems, troubleshooting, error +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.collection: M365-analytics +ms.topic: article +--- + +# Frequently asked questions and troubleshooting Windows Analytics + +>[!IMPORTANT] +>**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences. See [Windows Analytics in the Azure Portal](windows-analytics-azure-portal.md) for steps to use Windows Analytics in the Azure portal. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition). + +This topic compiles the most common issues encountered with configuring and using Windows Analytics, as well as general questions. This FAQ, along with the [Windows Analytics Technical Community](https://techcommunity.microsoft.com/t5/Windows-Analytics/ct-p/WindowsAnalytics), are recommended resources to consult before contacting Microsoft support. + +## Troubleshooting common problems + +If you've followed the steps in the [Enrolling devices in Windows Analytics](windows-analytics-get-started.md) topic and are still encountering problems, you might find the solution here. + +[Devices not appearing in Upgrade Readiness](#devices-not-appearing-in-upgrade-readiness) + +[Devices not appearing in Device Health Device Reliability](#devices-not-appearing-in-device-health-device-reliability) + +[Device crashes not appearing in Device Health Device Reliability](#device-crashes-not-appearing-in-device-health-device-reliability) + +[Apps not appearing in Device Health App Reliability](#apps-not-appearing-in-device-health-app-reliability) + +[Upgrade Readiness shows many "Computers with outdated KB"](#upgrade-readiness-shows-many-computers-with-outdated-kb) + +[Upgrade Readiness shows many "Computers with incomplete data"](#upgrade-readiness-shows-many-computers-with-incomplete-data) + +[Upgrade Readiness doesn't show app inventory data on some devices](#upgrade-readiness-doesnt-show-app-inventory-data-on-some-devices) + +[Upgrade Readiness doesn't show IE site discovery data from some devices](#upgrade-readiness-doesnt-show-ie-site-discovery-data-from-some-devices) + +[Device names not appearing for Windows 10 devices](#device-names-not-appearing-for-windows-10-devices) + +[Custom log queries using the AbnormalShutdownCount field of Device Health show zero or lower than expected results](#custom-log-queries-using-the-abnormalshutdowncount-field-of-device-health-show-zero-or-lower-than-expected-results) + +[Disable Upgrade Readiness](#disable-upgrade-readiness) + +[Exporting large data sets](#exporting-large-data-sets) + + +### Devices not appearing in Upgrade Readiness + +In Log Analytics, go to **Settings > Connected sources > Windows telemetry** and verify that you are subscribed to the Windows Analytics solutions you intend to use. + +Even though devices can take 2-3 days after enrollment to show up due to latency in the system, you can now verify the status of your devices within a few hours of running the deployment script as described in [You can now check on the status of your computers within hours of running the deployment script](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/You-can-now-check-on-the-status-of-your-computers-within-hours/ba-p/187213) on the Tech Community Blog. + +>[!NOTE] +> If you generate the status report and get an error message saying "Sorry! We’re not recognizing your Commercial Id," go to **Settings > Connected sources > Windows telemetry** remove the Upgrade Readiness solution, and then re-add it. + +If devices are not showing up as expected, find a representative device and follow these steps to run the latest pilot version of the Upgrade Readiness deployment script on it to troubleshoot issues: + +1. Download and extract the [Upgrade Readiness Deployment Script](https://www.microsoft.com/download/details.aspx?id=53327). Ensure that the **Pilot/Diagnostics** folder is included. +2. Edit the script as described in [Upgrade Readiness deployment script](../upgrade/upgrade-readiness-deployment-script.md). +3. Check that `isVerboseLogging` is set to `$true`. +4. Run the script again. Log files will be saved to the directory specified in the script. +5. Check the output of the script in the command window and/or log **UA_dateTime_machineName.txt** to ensure that all steps were completed successfully. +6. If you are still seeing errors you can't diagnose, then consider open a support case with Microsoft Support through your regular channel and provide this information. + +If you want to check a large number of devices, you should run the latest script at scale from your management tool of choice (for example, System Center Configuration Manager) and check the results centrally. + +If you think the issue might be related to a network proxy, check "Enable data sharing" section of the [Enrolling devices in Windows Analytics](windows-analytics-get-started.md) topic. Also see [Understanding connectivity scenarios and the deployment script](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog. + +If you have deployed images that have not been generalized, then many of them might have the same ID and so Windows Analytics will see them as one device. If you suspect this is the issue, then you can reset the IDs on the non-generalized devices by performing these steps: +1. Net stop diagtrack +2. Reg delete hklm\software\microsoft\sqmclient /v MachineId /f +3. Net start diagtrack + +#### Devices not appearing in Device Health Device Reliability + +[![Device Reliability tile showing device count highlighted](images/device-reliability-device-count.png)](images/device-reliability-device-count.png) + +If you have devices that appear in other solutions, but not Device Health (the Device Health overview tile shows "Performing Assessment" or the device count is lower than expected), follow these steps to investigate the issue: +1. Using the Azure portal, remove the Device Health (appears as DeviceHealthProd on some pages) solution from your Log Analytics workspace. After completing this, add the Device Health solution to you workspace again. +2. Confirm that the devices are running Windows 10. +3. Verify that the Commercial ID is present in the device's registry. For details see [https://gpsearch.azurewebsites.net/#13551](https://gpsearch.azurewebsites.net/#13551). +4. Confirm that devices are opted in to send diagnostic data by checking in the registry that **AllowTelemetry** is set to either 2 (Enhanced) or 3 (Full). + - **AllowTelemetry** under **HKLM\Software\Policies\Microsoft\Windows\DataCollection** is the IT policy path. + - **AllowTelemetry** under **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** is the user preference (Settings app) path. + - IMPORTANT: By convention (and in earlier versions of Windows 10) the IT policy would take precedence over any user preference. Starting with Windows 10, version 1803, the user can lower the device's effective value even when an IT policy is set. This change assists organizations in complying with regional or organizational expectations about user control over privacy settings. For organizations where user control of privacy settings is not required, the previous behavior (IT policy path always wins) can be enabled using the new policy **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in setting user interface**. +5. Verify that devices can reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Also check settings for SSL inspection and proxy authentication; see [Configuring endpoint access with SSL inspection](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#configuring-endpoint-access-with-ssl-inspection) for more information. +6. Wait 48 hours for activity to appear in the reports. +7. If you need additional troubleshooting, contact Microsoft Support. + + +### Device crashes not appearing in Device Health Device Reliability + +[![Device Reliability tile showing crash count highlighted](images/device-reliability-crash-count.png)](images/device-reliability-crash-count.png) + +If you know that devices are experiencing stop error crashes that do not seem to be reflected in the count of devices with crashes, follow these steps to investigate the issue: + +1. Verify that devices are reporting data properly by following the steps in the [Devices not appearing in Device Health Device Reliability](#devices-not-appearing-in-device-health-device-reliability) section of this topic. +2. Trigger a known crash on a test device by using a tool such as [NotMyFault](https://docs.microsoft.com/sysinternals/downloads/notmyfault) from Windows Sysinternals. +3. Verify that Windows Error Reporting (WER) is not disabled or redirected by confirming the registry settings in **HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting** (or **HKLM\Software\Policies\Microsoft\Windows\DataCollection**, which will take precedence if set): + + - Verify that the value "Disabled" (REG_DWORD), if set, is 0. + - Verify that the value "DontSendAdditionalData" (REG_DWORD), if set, is 0. + - Verify that the value "CorporateWERServer" (REG_SZ) is not configured. + +4. Verify that WER can reach all diagnostic endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md)--if WER can only reach some of the endpoints, it could be included in the device count while not reporting crashes. +5. Check that crash reports successfully complete the round trip with Event 1001 and that BucketID is not blank. A typical such event looks like this: + + [![Event viewer detail showing Event 1001 details](images/event_1001.png)](images/event_1001.png) + + You can use the following Windows PowerShell snippet to summarize recent occurrences of Event 1001. Most events should have a value for BucketID (a few intermittent blank values are OK, however). + + ```powershell + $limitToMostRecentNEvents = 20 + Get-WinEvent -FilterHashTable @{ProviderName="Windows Error Reporting"; ID=1001} | + ?{ $_.Properties[2].Value -match "crash|blue" } | + % { [pscustomobject]@{ + TimeCreated=$_.TimeCreated + WEREvent=$_.Properties[2].Value + BucketId=$_.Properties[0].Value + ContextHint = $( + if($_.Properties[2].Value -eq "bluescreen"){"kernel"} + else{ $_.Properties[5].Value } + ) + }} | Select-Object -First $limitToMostRecentNEvents + ``` + The output should look something like this: + [![Typical output for this snippet](images/device-reliability-event1001-PSoutput.png)](images/device-reliability-event1001-PSoutput.png) + +6. Check that some other installed device, app, or crash monitoring solution is not intercepting crash events. +7. Wait 48 hours for activity to appear in the reports. +8. If you need additional troubleshooting, contact Microsoft Support. + +#### Endpoint connectivity + +Devices must be able to reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). + +If you are using proxy server authentication, it's worth taking extra care to check the configuration. Prior to Windows 10, version 1703, WER only uploads error reports in the machine context, so whitelisting endpoints to allow non-authenticated access was typically used. In Windows 10, version 1703 and later versions, WER will attempt to use the context of the user that is logged on for proxy authentication such that only the user account requires proxy access. + + +For more information, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md#configuring-endpoint-access-with-proxy-server-authentication). + +### Apps not appearing in Device Health App Reliability + +[![App Reliability tile showing relability events trend](images/app-reliability.png)](images/app-reliability.png) + +If apps that you know are crashing do not appear in App Reliability, follow these steps to investigate the issue: + +1. Double-check the steps in the [Devices not appearing in Device Health Device Reliability](#devices-not-appearing-in-device-health-device-reliability) and [Device crashes not appearing in Device Health Device Reliability](#device-crashes-not-appearing-in-device-health-device-reliability) sections of this topic. +2. Confirm that an in-scope application has crashed on an enrolled device. Keep the following points in mind: + - Not all user-mode crashes are included in App Reliability, which tracks only apps that have a GUI, have been used interactively by a user, and are not part of the operating system. + - Enrolling more devices helps to ensure that there are enough naturally occurring app crashes. + - You can also use test apps which are designed to crash on demand. + +3. Verify that *per-user* Windows Error Reporting (WER) is not disabled or redirected by confirming the registry settings in **HKCU\SOFTWARE\Microsoft\Windows\Windows Error Reporting** (or **HKCU\Software\Policies\Microsoft\Windows\DataCollection**, which will take precedence if set): + + - Verify that the value "Disabled" (REG_DWORD), if set, is 0. + - Verify that the value "DontSendAdditionalData" (REG_DWORD), if set, is 0. + - Verify that the value "CorporateWERServer" (REG_SZ) is not configured. +4. Check that some other installed device, app, or crash monitoring solution is not intercepting crash events. +5. Wait 48 hours for activity to appear in the reports. +6. If you need additional troubleshooting, contact Microsoft Support. + + +### Upgrade Readiness shows many "Computers with outdated KB" +If you see a large number of devices reported as shown in this screenshot of the Upgrade Readiness tile: + +[![Upgrade Readiness tile showing Computers with outdated KB datum in red box](images/outdated_outdated.png)](images/outdated_outdated.png) + +On Windows 7 SP1 and Windows 8.1 devices, you must deploy the compatibility update as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). + +Note that the compatibility update retains the same KB number when a new version is released, so even if the update is installed on your devices, *they might not be running the latest version*. The compatibility update is now a critical update, so you can check that the latest version is installed from your management tool. + + +### Upgrade Readiness shows many "Computers with incomplete data" +If you see a large number of devices reported as shown in this screenshot of the Upgrade Readiness tile: + +[![Upgrade Readiness tile showing Computers with incomplete data datum in red box](images/outdated_incomplete.png)](images/outdated_incomplete.png) + +Download the latest deployment script and run it on an affected device to check for issues. See the [Upgrade Readiness deployment script](../upgrade/upgrade-readiness-deployment-script.md) topic for information about obtaining and running the script, and for a description of the error codes that can be displayed. Remember to wait up to 48-72 hours to see the results. +See ["Understanding connectivity scenarios and the deployment script"](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog for a summary of setting the ClientProxy for the script, which will enable the script properly check for diagnostic data endpoint connectivity. + + +If this becomes a recurring issue, schedule a full inventory scan monthly, as per the device enrollment guidelines for deployment at scale. + + + +### Upgrade Readiness doesn't show app inventory data on some devices +Upgrade Readiness only collects app inventory on devices that are not yet upgraded to the target operating system version specified in the Upgrade Readiness Overview blade. This is because Upgrade Readiness targets upgrade planning (for devices not yet upgraded). + + +### Upgrade Readiness doesn't show IE site discovery data from some devices +Double-check that IE site discovery opt-in has been configured in the deployment script. (See the [Upgrade Readiness deployment script](../upgrade/upgrade-readiness-deployment-script.md) topic for information about obtaining and running the script, and for a description of the error codes that can be displayed. See ["Understanding connectivity scenarios and the deployment script"](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog for a summary of setting the ClientProxy for the script, which will enable the script properly check for diagnostic data endpoint connectivity.) + +Also, on Windows 10 devices remember that IE site discovery requires data diagnostics set to the Enhanced level. + +There are two additional configurations to check: +1. Make sure Flip Ahead with Page Prediction is enabled. It can be configured at Internet Options -> Advanced -> Browsing -> Enable flip ahead with page prediction. +2. Make sure IE is not running in InPrivate mode. + +Finally, Upgrade Readiness only collects IE site discovery data on devices that are not yet upgraded to the target operating system version specified in the Upgrade Readiness Overview blade. This is because Upgrade Readiness targets upgrade planning (for devices not yet upgraded). + +>[!NOTE] +> IE site discovery is disabled on devices running Windows 7 and Windows 8.1 that are in Switzerland and EU countries. + +### Device names not appearing for Windows 10 devices +Starting with Windows 10, version 1803, the device name is no longer collected by default and requires a separate opt-in. For more information, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Allowing device names to be collected can make it easier for you to identify individual devices that report problems. Without the device name, Windows Analytics can only label devices by a GUID that it generates. + +### Custom log queries using the AbnormalShutdownCount field of Device Health show zero or lower than expected results +This issue affects custom queries of the Device Health data by using the **Logs > Search page** or API. It does not impact any of the built-in tiles or reports of the Device Health solution. The **AbnormalShutdownCount** field of the **DHOSReliability** data table represents abnormal shutdowns other than crashes, such as sudden power loss or holding down the power button. + +We have identified an incompatibility between AbnormalShutdownCount and the Limited Enhanced diagnostic data level on Windows 10, versions 1709, 1803, and 1809. Such devices do not send the abnormal shutdown signal to Microsoft. You should not rely on AbnormalShutdownCount in your custom queries unless you use any one of the following workarounds: + + +- Upgrade devices to Windows 10, version 1903 when available. Participants in the Windows Insider program can preview this change using Windows Insider builds. +- Change the diagnostic data setting from devices running Windows 10, versions 1709, 1803, and 1809 normal Enhanced level instead of Limited Enhanced. +- Use alternative data from devices to track abnormal shutdowns. For example, you can forward abnormal shutdown events from the Windows Event Log to your Log Analytics workspace by using the Log Analytics agent. Suggested events to forward include: + - Log: System, ID: 41, Source: Kernel-Power + - Log System, ID: 6008, Source: EventLog + + + +### Disable Upgrade Readiness + +If you want to stop using Upgrade Readiness and stop sending diagnostic data to Microsoft, follow these steps: + +1. Unsubscribe from the Upgrade Readiness solution in Azure Portal. In Azure Portal, go to **Settings** > **Connected Sources** > **Windows Telemetry** and choose the **Unsubscribe** option. + + ![Upgrade Readiness unsubscribe](images/upgrade-analytics-unsubscribe.png) + +2. Disable the Commercial Data Opt-in Key on computers running Windows 7 SP1 or 8.1. On computers running Windows 10, set the diagnostic data level to **Security**: + + **Windows 7 and Windows 8.1**: Delete CommercialDataOptIn registry property from *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection* + + **Windows 10**: Follow the instructions in [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization). + +3. If you enabled **Internet Explorer Site Discovery**, you can disable Internet Explorer data collection by setting the *IEDataOptIn* registry key to value "0". The IEDataOptIn key can be found under: *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*. +4. **Optional step:** You can also remove the “CommercialId” key from: "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection". + +### Exporting large data sets + +Azure Log Analytics is optimized for advanced analytics of large data sets and can efficiently generate summaries and analytics for them. The query language is not optimized (or intended) for returning large raw data sets and has built-in limits to protect against overuse. There are times when it might be necessary to get more data than this, but that should be done sparingly since this is not the intended way to use Azure Log Analytics. The following code snippet shows how to retrieve data from UAApp one “page” at a time: + +``` +let snapshot = toscalar(UAApp | summarize max(TimeGenerated)); +let pageSize = 100000; +let pageNumber = 0; + +UAApp +| where TimeGenerated == snapshot and IsRollup==true and RollupLevel=="Granular" and Importance == "Low install count" +| order by AppName, AppVendor, AppVersion desc +| serialize +| where row_number(0) >= (pageSize * pageNumber) +| take pageSize +``` + + + +## Other common questions + +### What are the requirements and costs for Windows Analytics solutions? + +| Windows Analytics solution| Windows license requirements | Windows version requirements | Minimum diagnostic data requirements | +|----------------------|-----------------------------------|------------------------------|------------------------------| +| Upgrade Readiness | No additional requirements | Windows 7 with Service Pack 1, Windows 8.1, Windows 10 | Basic level in most cases; Enhanced level to support Windows 10 app usage data and IE site discovery | +| Update Compliance | No additional requirements | Windows 10 | Basic level | +| Device Health | **Any** of the following licenses:
          - Windows 10 Enterprise or Windows 10 Education per-device with active Software Assurance
          - Windows 10 Enterprise E3 or E5 per-device or per-user subscription (including Microsoft 365 F1, E3, or E5)
          - Windows 10 Education A3 or A5 (including Microsoft 365 Education A3 or A5)
          - Windows VDA E3 or E5 per-device or per-user subscription
          - Windows Server 2016 or later | Windows 10 | - For Windows 10 version 1709 or later: Enhanced (Limited)
          - For earlier versions: Enhanced + +>[!NOTE] +> Regarding licensing requirements for Device Health, you do not need per-seat licensing, but only enough licenses to cover your total device usage. For example, if you have 100 E3 licenses, you can monitor 100 devices with Device Health. + +Beyond the cost of Windows operating system licenses, there is no additional cost for using Windows Analytics. Within Azure Log Analytics, Windows Analytics is "zero-rated;" this means it is excluded from data limits and costs regardless of the Azure Log Analytics pricing tier you have chosen. To be more specific, Azure Log Analytics is available in different pricing tiers as described in [Pricing - Log Analytics](https://azure.microsoft.com/pricing/details/log-analytics/). +- If you are using the free tier, which has a cap on the amount of data collected per day, the Windows Analytics data will not count towards this cap. You will be able to collect all the Windows Analytics data from your devices and still have the full cap available for collecting additional data from other sources. +- If you are using a paid tier that charges per GB of data collected, the Windows Analytics data will not be charged. You will be able to collect all the Windows Analytics data from your devices and not incur any costs. + +Note that different Azure Log Analytics plans have different data retention periods, and the Windows Analytics solutions inherit the workspace's data retention policy. So, for example, if your workspace is on the free plan then Windows Analytics will retain the last week's worth of "daily snapshots" that are collected in the workspace. + + +### Why do SCCM and Upgrade Readiness show different counts of devices that are ready to upgrade? +System Center Configuration Manager (SCCM) considers a device ready to upgrade if *no installed app* has an upgrade decision of “not ready” (that is, they are all "ready" or "in progress"), while Upgrade Readiness considers a device ready to upgrade only if *all* installed apps are marked “ready”. + +Currently, you can choose the criteria you wish to use: +- To use the SCCM criteria, create the collection of devices ready to upgrade within the SCCM console (using the analytics connector). +- To use the Upgrade Readiness criteria, export the list of ready-to-upgrade devices from the corresponding Upgrade Readiness report, and then build the SCCM collection from that spreadsheet. + +### How does Upgrade Readiness collect the inventory of devices and applications? +For details about this process and some tips, see [How does Upgrade Readiness in WA collects application inventory for your OMS workspace?](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/How-does-Upgrade-Readiness-in-WA-collects-application-inventory/ba-p/213586) on the Windows Analytics blog. diff --git a/windows/deployment/update/windows-analytics-azure-portal.md b/windows/deployment/update/windows-analytics-azure-portal.md index d39c251ca1..77c86f443d 100644 --- a/windows/deployment/update/windows-analytics-azure-portal.md +++ b/windows/deployment/update/windows-analytics-azure-portal.md @@ -1,71 +1,71 @@ ---- -title: Windows Analytics in the Azure Portal -ms.reviewer: -manager: laurawi -description: Use the Azure Portal to add and configure Windows Analytics solutions -keywords: Device Health, oms, Azure, portal, operations management suite, add, manage, configure, Upgrade Readiness, Update Compliance -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greg-lindsay -ms.localizationpriority: medium -ms.collection: M365-analytics -ms.topic: article ---- - -# Windows Analytics in the Azure Portal - -Windows Analytics uses Azure Log Analytics workspaces (formerly known as Operations Management Suite or OMS), a collection of cloud-based services for monitoring and automating your on-premises and cloud environments. - -**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences, which this topic will explain. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition). - -## Navigation and permissions in the Azure portal - -Go to the [Azure portal](https://portal.azure.com), select **All services**, and search for *Log Analytics workspaces*. Once it appears, you can select the star to add it to your favorites for easy access in the future. - -[![Azure portal all services page with Log Analytics found and selected as favorite](images/azure-portal-LAfav1.png)](images/azure-portal-LAfav1.png) - -### Permissions - -It's important to understand the difference between Azure Active Directory and an Azure subscription: - -**Azure Active Directory** is the directory that Azure uses. Azure Active Directory (Azure AD) is a separate service which sits by itself and is used by all of Azure and also Office 365. - -An **Azure subscription** is a container for billing, but also acts as a security boundary. Every Azure subscription has a trust relationship with at least one Azure AD instance. This means that a subscription trusts that directory to authenticate users, services, and devices. - - ->[!IMPORTANT] ->Unlike the OMS portal (which only requires permission to access the Azure Log Analytics workspace), the Azure portal also requires access to be configured to either the linked *Azure subscription* or Azure resource group. - -To check the Log Analytics workspaces you can access, select **Log Analytics workspaces**. You should see a grid control listing all workspaces, along with the Azure subscription each is linked to: - -[![Log Analytics workspace page showing accessible workspaces and linked Azure subscriptions](images/azure-portal-LAmain-wkspc-subname-sterile.png)](images/azure-portal-LAmain-wkspc-subname-sterile.png) - -If you do not see your workspace in this view, but you are able to access the workspace from the classic portal, that means you do not have access to the workspace's Azure subscription or resource group. To remedy this, you will need to find someone with admin rights to grant you access, which they can do by selecting the subscription name and selecting **Access control (IAM)** (alternatively they can configure your access at the resource group level). They should either grant you "Log Analytics Reader" access (for read-only access) or "Log Analytics Contributor" access (which enables making changes such as creating deployment plans and changing application readiness states). - -When permissions are configured, you can select the workspace and then select **Workspace summary** to see information similar to what was shown in the OMS overview page. - -[![Log Analytics workspace page showing workspace summary](images/azure-portal-LA-wkspcsumm_sterile.png)](images/azure-portal-LA-wkspcsumm_sterile.png) - -## Adding Windows Analytics solutions - -In the Azure portal, the simplest way to add Windows Analytics solutions (Upgrade Readiness, Update Compliance, and Device Health) is to select **+ Create a resource** and then type the solution name in the search box. In this example, the search is for "Device Health": - -[![Add WA solutions with "create a resource"](images/azure-portal-create-resource-boxes.png)](images/azure-portal-create-resource-boxes.png) - -Select the solution from the list that is returned by the search, and then select **Create** to add the solution. - -## Navigating to Windows Analytics solutions settings - -To adjust settings for a Windows Analytics solution, first navigate to the **Solutions** tab for your workspace, and then select the solution to configure. In this example, Upgrade Readiness is being adjusted by selecting **CompatibilityAssessment**: - -[![Select WA solution to adjust settings](images/temp-azure-portal-soltn-setting.png)](images/temp-azure-portal-soltn-setting.png) - -From there, select the settings page to adjust specific settings: - -[![Settings page for Upgrade Readiness in Azure portsl](images/azure-portal-UR-settings.png)](images/azure-portal-UR-settings.png) - ->[!NOTE] ->To access these settings, both the subscription and workspace require "contributor" permissions. You can view your current role and make changes in other roles by using the **Access control (IAM)** tab in Azure. +--- +title: Windows Analytics in the Azure Portal +ms.reviewer: +manager: laurawi +description: Use the Azure Portal to add and configure Windows Analytics solutions +keywords: Device Health, oms, Azure, portal, operations management suite, add, manage, configure, Upgrade Readiness, Update Compliance +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.collection: M365-analytics +ms.topic: article +--- + +# Windows Analytics in the Azure Portal + +Windows Analytics uses Azure Log Analytics workspaces (formerly known as Operations Management Suite or OMS), a collection of cloud-based services for monitoring and automating your on-premises and cloud environments. + +**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences, which this topic will explain. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition). + +## Navigation and permissions in the Azure portal + +Go to the [Azure portal](https://portal.azure.com), select **All services**, and search for *Log Analytics workspaces*. Once it appears, you can select the star to add it to your favorites for easy access in the future. + +[![Azure portal all services page with Log Analytics found and selected as favorite](images/azure-portal-LAfav1.png)](images/azure-portal-LAfav1.png) + +### Permissions + +It's important to understand the difference between Azure Active Directory and an Azure subscription: + +**Azure Active Directory** is the directory that Azure uses. Azure Active Directory (Azure AD) is a separate service which sits by itself and is used by all of Azure and also Office 365. + +An **Azure subscription** is a container for billing, but also acts as a security boundary. Every Azure subscription has a trust relationship with at least one Azure AD instance. This means that a subscription trusts that directory to authenticate users, services, and devices. + + +>[!IMPORTANT] +>Unlike the OMS portal (which only requires permission to access the Azure Log Analytics workspace), the Azure portal also requires access to be configured to either the linked *Azure subscription* or Azure resource group. + +To check the Log Analytics workspaces you can access, select **Log Analytics workspaces**. You should see a grid control listing all workspaces, along with the Azure subscription each is linked to: + +[![Log Analytics workspace page showing accessible workspaces and linked Azure subscriptions](images/azure-portal-LAmain-wkspc-subname-sterile.png)](images/azure-portal-LAmain-wkspc-subname-sterile.png) + +If you do not see your workspace in this view, but you are able to access the workspace from the classic portal, that means you do not have access to the workspace's Azure subscription or resource group. To remedy this, you will need to find someone with admin rights to grant you access, which they can do by selecting the subscription name and selecting **Access control (IAM)** (alternatively they can configure your access at the resource group level). They should either grant you "Log Analytics Reader" access (for read-only access) or "Log Analytics Contributor" access (which enables making changes such as creating deployment plans and changing application readiness states). + +When permissions are configured, you can select the workspace and then select **Workspace summary** to see information similar to what was shown in the OMS overview page. + +[![Log Analytics workspace page showing workspace summary](images/azure-portal-LA-wkspcsumm_sterile.png)](images/azure-portal-LA-wkspcsumm_sterile.png) + +## Adding Windows Analytics solutions + +In the Azure portal, the simplest way to add Windows Analytics solutions (Upgrade Readiness, Update Compliance, and Device Health) is to select **+ Create a resource** and then type the solution name in the search box. In this example, the search is for "Device Health": + +[![Add WA solutions with "create a resource"](images/azure-portal-create-resource-boxes.png)](images/azure-portal-create-resource-boxes.png) + +Select the solution from the list that is returned by the search, and then select **Create** to add the solution. + +## Navigating to Windows Analytics solutions settings + +To adjust settings for a Windows Analytics solution, first navigate to the **Solutions** tab for your workspace, and then select the solution to configure. In this example, Upgrade Readiness is being adjusted by selecting **CompatibilityAssessment**: + +[![Select WA solution to adjust settings](images/temp-azure-portal-soltn-setting.png)](images/temp-azure-portal-soltn-setting.png) + +From there, select the settings page to adjust specific settings: + +[![Settings page for Upgrade Readiness in Azure portsl](images/azure-portal-UR-settings.png)](images/azure-portal-UR-settings.png) + +>[!NOTE] +>To access these settings, both the subscription and workspace require "contributor" permissions. You can view your current role and make changes in other roles by using the **Access control (IAM)** tab in Azure. diff --git a/windows/deployment/update/windows-analytics-overview.md b/windows/deployment/update/windows-analytics-overview.md index 22d20bf71a..833f2db650 100644 --- a/windows/deployment/update/windows-analytics-overview.md +++ b/windows/deployment/update/windows-analytics-overview.md @@ -1,59 +1,59 @@ ---- -title: Windows Analytics -ms.reviewer: -manager: laurawi -description: Introduction and overview of Windows Analytics -keywords: Device Health, Upgrade Readiness, Update Compliance, oms, operations management suite, prerequisites, requirements, monitoring, crash, drivers -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greg-lindsay -ms.localizationpriority: medium -ms.collection: M365-analytics -ms.topic: article ---- - -# Windows Analytics overview - -Windows Analytics is a set of solutions for Azure Portal that provide you with extensive data about the state of devices in your deployment. There are currently three solutions which you can use singly or in any combination: - -## Device Health - -[Device Health](device-health-get-started.md) provides the following: - -- Identification of devices that crash frequently, and therefore might need to be rebuilt or replaced -- Identification of device drivers that are causing device crashes, with suggestions of alternative versions of those drivers that might reduce the number of crashes -- Notification of Windows Information Protection misconfigurations that send prompts to end users - - -## Update Compliance - -[Update Compliance](update-compliance-get-started.md) shows you the state of your devices with respect to the Windows updates so that you can ensure that they are on the most current updates as appropriate. In addition, Update Compliance provides the following: - -- Dedicated drill-downs for devices that might need attention -- An inventory of devices, including the version of Windows they are running and their update status -- The ability to track protection and threat status for Windows Defender Antivirus-enabled devices -- An overview of Windows Update for Business deferral configurations (Windows 10, version 1607 and later) -- Powerful built-in log analytics to create useful custom queries -- Cloud-connected access utilizing Windows 10 diagnostic data means no need for new complex, customized infrastructure - -## Upgrade Readiness - -[Upgrade Readiness](../upgrade/upgrade-readiness-get-started.md) offers a set of tools to plan and manage the upgrade process end to end, allowing you to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released. Upgrade Readiness not only supports upgrade management from Windows 7 and Windows 8.1 to Windows 10, but also Windows 10 upgrades in the Windows as a service model. - -Use Upgrade Readiness to get: - -- A visual workflow that guides you from pilot to production -- Detailed computer and application inventory -- Powerful computer-level search and drill-downs -- Guidance and insights into application and driver compatibility issues, with suggested fixes -- Data-driven application rationalization tools -- Application usage information, allowing targeted validation; workflow to track validation progress and decisions -- Data export to commonly used software deployment tools, including System Center Configuration Manager - -To get started with any of these solutions, visit the links for instructions to add it to Azure Portal. - ->[!NOTE] -> For details about licensing requirements and costs associated with using Windows Analytics solutions, see [What are the requirements and costs for Windows Analytics solutions?](windows-analytics-FAQ-troubleshooting.md#what-are-the-requirements-and-costs-for-windows-analytics-solutions). +--- +title: Windows Analytics +ms.reviewer: +manager: laurawi +description: Introduction and overview of Windows Analytics +keywords: Device Health, Upgrade Readiness, Update Compliance, oms, operations management suite, prerequisites, requirements, monitoring, crash, drivers +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.collection: M365-analytics +ms.topic: article +--- + +# Windows Analytics overview + +Windows Analytics is a set of solutions for Azure Portal that provide you with extensive data about the state of devices in your deployment. There are currently three solutions which you can use singly or in any combination: + +## Device Health + +[Device Health](device-health-get-started.md) provides the following: + +- Identification of devices that crash frequently, and therefore might need to be rebuilt or replaced +- Identification of device drivers that are causing device crashes, with suggestions of alternative versions of those drivers that might reduce the number of crashes +- Notification of Windows Information Protection misconfigurations that send prompts to end users + + +## Update Compliance + +[Update Compliance](update-compliance-get-started.md) shows you the state of your devices with respect to the Windows updates so that you can ensure that they are on the most current updates as appropriate. In addition, Update Compliance provides the following: + +- Dedicated drill-downs for devices that might need attention +- An inventory of devices, including the version of Windows they are running and their update status +- The ability to track protection and threat status for Windows Defender Antivirus-enabled devices +- An overview of Windows Update for Business deferral configurations (Windows 10, version 1607 and later) +- Powerful built-in log analytics to create useful custom queries +- Cloud-connected access utilizing Windows 10 diagnostic data means no need for new complex, customized infrastructure + +## Upgrade Readiness + +[Upgrade Readiness](../upgrade/upgrade-readiness-get-started.md) offers a set of tools to plan and manage the upgrade process end to end, allowing you to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released. Upgrade Readiness not only supports upgrade management from Windows 7 and Windows 8.1 to Windows 10, but also Windows 10 upgrades in the Windows as a service model. + +Use Upgrade Readiness to get: + +- A visual workflow that guides you from pilot to production +- Detailed computer and application inventory +- Powerful computer-level search and drill-downs +- Guidance and insights into application and driver compatibility issues, with suggested fixes +- Data-driven application rationalization tools +- Application usage information, allowing targeted validation; workflow to track validation progress and decisions +- Data export to commonly used software deployment tools, including System Center Configuration Manager + +To get started with any of these solutions, visit the links for instructions to add it to Azure Portal. + +>[!NOTE] +> For details about licensing requirements and costs associated with using Windows Analytics solutions, see [What are the requirements and costs for Windows Analytics solutions?](windows-analytics-FAQ-troubleshooting.md#what-are-the-requirements-and-costs-for-windows-analytics-solutions). diff --git a/windows/deployment/update/windows-analytics-privacy.md b/windows/deployment/update/windows-analytics-privacy.md index 0252876b56..8e7a8558db 100644 --- a/windows/deployment/update/windows-analytics-privacy.md +++ b/windows/deployment/update/windows-analytics-privacy.md @@ -1,61 +1,61 @@ ---- -title: Windows Analytics and privacy -ms.reviewer: -manager: laurawi -description: How Windows Analytics uses data -keywords: windows analytics, oms, privacy, data, diagnostic, operations management suite, prerequisites, requirements, updates, upgrades, log analytics, health, FAQ, problems, troubleshooting, error -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greg-lindsay -ms.localizationpriority: high -ms.collection: M365-analytics -ms.topic: article ---- - -# Windows Analytics and privacy - -Windows Analytics is fully committed to privacy, centering on these tenets: - -- **Transparency:** We fully document the Windows Analytics diagnostic events (see the links for additional information) so you can review them with your company’s security and compliance teams. The Diagnostic Data Viewer lets you see diagnostic data sent from a given device (see [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) for details). -- **Control:** You ultimately control the level of diagnostic data you wish to share. In Windows 10, version 1709 we added a new policy to Limit enhanced diagnostic data to the minimum required by Windows Analytics -- **Security:** Your data is protected with strong security and encryption -- **Trust:** Windows Analytics supports the Microsoft Online Service Terms - -The following illustration shows how diagnostic data flows from individual devices through the Diagnostic Data Service, Azure Log Analytics storage, and to your Log Analytics workspace: - -[![Diagram illustrating flow of diagnostic data from devices](images/WA-data-flow-v1.png)](images/WA-data-flow-v1.png) - -The data flow sequence is as follows: - -1. Diagnostic data is sent from devices to the Microsoft Diagnostic Data Management service, which is hosted in the US. -2. An IT administrator creates an Azure Log Analytics workspace. The administrator chooses the location, copies the Commercial ID (which identifies that workspace), and then pushes Commercial ID to devices they want to monitor. This is the mechanism that specifies which devices appear in which workspaces. -3. Each day Microsoft produces a "snapshot" of IT-focused insights for each workspace in the Diagnostic Data Management service. -4. These snapshots are copied to transient storage which is used only by Windows Analytics (also hosted in US data centers) where they are segregated by Commercial ID. -5. The snapshots are then copied to the appropriate Azure Log Analytics workspace. -6. If the IT administrator is using the Upgrade Readiness solution, user input from the IT administrator (specifically, the target operating system release and the importance and upgrade readiness per app) is stored in the Windows Analytics Azure Storage. (Upgrade Readiness is the only Windows Analytics solution that takes such user input.) - - -See these topics for additional background information about related privacy issues: - -- [Windows 10 and the GDPR for IT Decision Makers](https://docs.microsoft.com/windows/privacy/gdpr-it-guidance) -- [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization) -- [Windows 7, Windows 8, and Windows 8.1 Appraiser Telemetry Events, and Fields](https://go.microsoft.com/fwlink/?LinkID=822965) -- [Windows 10, version 1809 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809) -- [Windows 10, version 1803 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803) -- [Windows 10, version 1709 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709) -- [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703) -- [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](https://docs.microsoft.com/windows/configuration/enhanced-diagnostic-data-windows-analytics-events-and-fields) -- [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) -- [Licensing Terms and Documentation](https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31) -- [Learn about security and privacy at Microsoft datacenters](https://www.microsoft.com/datacenters) -- [Confidence in the trusted cloud](https://azure.microsoft.com/support/trust-center/) -- [Trust Center](https://www.microsoft.com/trustcenter) - -### Can Windows Analytics be used without a direct client connection to the Microsoft Data Management Service? -No, the entire service is powered by Windows diagnostic data, which requires that devices have this direct connectivity. - -### Can I choose the data center location? -Yes for Azure Log Analytics, but no for the Microsoft Data Management Service (which is hosted in the US). +--- +title: Windows Analytics and privacy +ms.reviewer: +manager: laurawi +description: How Windows Analytics uses data +keywords: windows analytics, oms, privacy, data, diagnostic, operations management suite, prerequisites, requirements, updates, upgrades, log analytics, health, FAQ, problems, troubleshooting, error +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.audience: itpro author: greg-lindsay +ms.localizationpriority: high +ms.collection: M365-analytics +ms.topic: article +--- + +# Windows Analytics and privacy + +Windows Analytics is fully committed to privacy, centering on these tenets: + +- **Transparency:** We fully document the Windows Analytics diagnostic events (see the links for additional information) so you can review them with your company’s security and compliance teams. The Diagnostic Data Viewer lets you see diagnostic data sent from a given device (see [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) for details). +- **Control:** You ultimately control the level of diagnostic data you wish to share. In Windows 10, version 1709 we added a new policy to Limit enhanced diagnostic data to the minimum required by Windows Analytics +- **Security:** Your data is protected with strong security and encryption +- **Trust:** Windows Analytics supports the Microsoft Online Service Terms + +The following illustration shows how diagnostic data flows from individual devices through the Diagnostic Data Service, Azure Log Analytics storage, and to your Log Analytics workspace: + +[![Diagram illustrating flow of diagnostic data from devices](images/WA-data-flow-v1.png)](images/WA-data-flow-v1.png) + +The data flow sequence is as follows: + +1. Diagnostic data is sent from devices to the Microsoft Diagnostic Data Management service, which is hosted in the US. +2. An IT administrator creates an Azure Log Analytics workspace. The administrator chooses the location, copies the Commercial ID (which identifies that workspace), and then pushes Commercial ID to devices they want to monitor. This is the mechanism that specifies which devices appear in which workspaces. +3. Each day Microsoft produces a "snapshot" of IT-focused insights for each workspace in the Diagnostic Data Management service. +4. These snapshots are copied to transient storage which is used only by Windows Analytics (also hosted in US data centers) where they are segregated by Commercial ID. +5. The snapshots are then copied to the appropriate Azure Log Analytics workspace. +6. If the IT administrator is using the Upgrade Readiness solution, user input from the IT administrator (specifically, the target operating system release and the importance and upgrade readiness per app) is stored in the Windows Analytics Azure Storage. (Upgrade Readiness is the only Windows Analytics solution that takes such user input.) + + +See these topics for additional background information about related privacy issues: + +- [Windows 10 and the GDPR for IT Decision Makers](https://docs.microsoft.com/windows/privacy/gdpr-it-guidance) +- [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization) +- [Windows 7, Windows 8, and Windows 8.1 Appraiser Telemetry Events, and Fields](https://go.microsoft.com/fwlink/?LinkID=822965) +- [Windows 10, version 1809 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809) +- [Windows 10, version 1803 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803) +- [Windows 10, version 1709 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709) +- [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703) +- [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](https://docs.microsoft.com/windows/configuration/enhanced-diagnostic-data-windows-analytics-events-and-fields) +- [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) +- [Licensing Terms and Documentation](https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31) +- [Learn about security and privacy at Microsoft datacenters](https://www.microsoft.com/datacenters) +- [Confidence in the trusted cloud](https://azure.microsoft.com/support/trust-center/) +- [Trust Center](https://www.microsoft.com/trustcenter) + +### Can Windows Analytics be used without a direct client connection to the Microsoft Data Management Service? +No, the entire service is powered by Windows diagnostic data, which requires that devices have this direct connectivity. + +### Can I choose the data center location? +Yes for Azure Log Analytics, but no for the Microsoft Data Management Service (which is hosted in the US). diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md index 6254ed3b81..ab43140802 100644 --- a/windows/deployment/update/windows-as-a-service.md +++ b/windows/deployment/update/windows-as-a-service.md @@ -1,131 +1,131 @@ ---- -title: Windows as a service -ms.prod: windows-10 -layout: LandingPage -ms.topic: landing-page -ms.manager: elizapo -author: greg-lindsay -ms.author: greg-lindsay -ms.date: 01/24/2019 -ms.reviewer: -manager: laurawi -ms.localizationpriority: high -ms.collection: M365-modern-desktop ---- -# Windows as a service - -Find the tools and resources you need to help deploy and support Windows as a service in your organization. - -## Latest news, videos, & podcasts - -Find the latest and greatest news on Windows 10 deployment and servicing. - -**Discovering the Windows 10 Update history pages** -> [!VIDEO https://www.youtube-nocookie.com/embed/mTnAb9XjMPY] - -Everyone wins when transparency is a top priority. We want you to know when updates are available, as well as alert you to any potential issues you may encounter during or after you install an update. Bookmark the Windows release health dashboard for near real-time information on known issues, workarounds, and resolutions--as well as the current status of the latest feature update rollout. - -The latest news: - - -[See more news](waas-morenews.md). You can also check out the [Windows 10 blog](https://techcommunity.microsoft.com/t5/Windows-10-Blog/bg-p/Windows10Blog). - -## IT pro champs corner -Written by IT pros for IT pros, sharing real world examples and scenarios for Windows 10 deployment and servicing. - - - -**NEW** Tactical considerations for creating Windows deployment rings - -**NEW** Windows 10 Enterprise vs. Windows 10 Pro: Modern management considerations for your organization - -Deployment rings: The hidden [strategic] gem of Windows as a service - -Classifying Windows updates in common deployment tools - -Express updates for Windows Server 2016 re-enabled for November 2018 update - - -2019 SHA-2 Code Signing Support requirement for Windows and WSUS - -Deploying Windows 10 Feature Updates to 24/7 Mission Critical Devices - -## Discover - -Learn more about Windows as a service and its value to your organization. - - - -Overview of Windows as a service - -Quick guide to Windows as a service - -Windows Analytics overview - -What's new in Windows 10 deployment - -How Microsoft IT deploys Windows 10 - -## Plan - -Prepare to implement Windows as a service effectively using the right tools, products, and strategies. - - - -Simplified updates - -Windows 10 end user readiness - -Ready for Windows - -Manage Windows upgrades with Upgrade Readiness - -Preparing your organization for a seamless Windows 10 deployment - -## Deploy - -Secure your organization's deployment investment. - - - -Update Windows 10 in the enterprise - -Deploying as an in-place upgrade - -Configure Windows Update for Business - -Express update delivery - -Windows 10 deployment considerations - - -## Microsoft Ignite 2018 - - -Looking to learn more? These informative session replays from Microsoft Ignite 2018 (complete with downloadable slide decks) can provide some great insights on Windows as a service. - -[BRK2417: What’s new in Windows Analytics: An Intro to Desktop Analytics](https://myignite.techcommunity.microsoft.com/sessions/64324#ignite-html-anchor) - -[BRK3018: Deploying Windows 10 in the enterprise using traditional and modern techniques](https://myignite.techcommunity.microsoft.com/sessions/64509#ignite-html-anchor) - -[BRK3019: Delivery Optimization deep dive: How to reduce internet bandwidth impact on your network](https://myignite.techcommunity.microsoft.com/sessions/64510#ignite-html-anchor) - -[BRK3020: Using AI to automate Windows and Office update staging with Windows Update for Business](https://myignite.techcommunity.microsoft.com/sessions/64513#ignite-html-anchor) - -[BRK3027: Deploying Windows 10: Making the update experience smooth and seamless](https://myignite.techcommunity.microsoft.com/sessions/64612#ignite-html-anchor) - -[BRK3039: Windows 10 and Microsoft Office 365 ProPlus lifecycle and servicing update](https://myignite.techcommunity.microsoft.com/sessions/66763#ignite-html-anchor) - -[BRK3211: Ask the Experts: Successfully deploying, servicing, managing Windows 10](https://myignite.techcommunity.microsoft.com/sessions/65963#ignite-html-anchor) - -[THR2234: Windows servicing and delivery fundamentals](https://myignite.techcommunity.microsoft.com/sessions/66741#ignite-html-anchor) - -[THR3006: The pros and cons of LTSC in the enterprise](https://myignite.techcommunity.microsoft.com/sessions/64512#ignite-html-anchor) +--- +title: Windows as a service +ms.prod: windows-10 +layout: LandingPage +ms.topic: landing-page +ms.manager: elizapo +audience: itpro author: greg-lindsay +ms.audience: itpro author: greg-lindsay +ms.date: 01/24/2019 +ms.reviewer: +manager: laurawi +ms.localizationpriority: high +ms.collection: M365-modern-desktop +--- +# Windows as a service + +Find the tools and resources you need to help deploy and support Windows as a service in your organization. + +## Latest news, videos, & podcasts + +Find the latest and greatest news on Windows 10 deployment and servicing. + +**Discovering the Windows 10 Update history pages** +> [!VIDEO https://www.youtube-nocookie.com/embed/mTnAb9XjMPY] + +Everyone wins when transparency is a top priority. We want you to know when updates are available, as well as alert you to any potential issues you may encounter during or after you install an update. Bookmark the Windows release health dashboard for near real-time information on known issues, workarounds, and resolutions--as well as the current status of the latest feature update rollout. + +The latest news: + + +[See more news](waas-morenews.md). You can also check out the [Windows 10 blog](https://techcommunity.microsoft.com/t5/Windows-10-Blog/bg-p/Windows10Blog). + +## IT pro champs corner +Written by IT pros for IT pros, sharing real world examples and scenarios for Windows 10 deployment and servicing. + + + +**NEW** Tactical considerations for creating Windows deployment rings + +**NEW** Windows 10 Enterprise vs. Windows 10 Pro: Modern management considerations for your organization + +Deployment rings: The hidden [strategic] gem of Windows as a service + +Classifying Windows updates in common deployment tools + +Express updates for Windows Server 2016 re-enabled for November 2018 update + + +2019 SHA-2 Code Signing Support requirement for Windows and WSUS + +Deploying Windows 10 Feature Updates to 24/7 Mission Critical Devices + +## Discover + +Learn more about Windows as a service and its value to your organization. + + + +Overview of Windows as a service + +Quick guide to Windows as a service + +Windows Analytics overview + +What's new in Windows 10 deployment + +How Microsoft IT deploys Windows 10 + +## Plan + +Prepare to implement Windows as a service effectively using the right tools, products, and strategies. + + + +Simplified updates + +Windows 10 end user readiness + +Ready for Windows + +Manage Windows upgrades with Upgrade Readiness + +Preparing your organization for a seamless Windows 10 deployment + +## Deploy + +Secure your organization's deployment investment. + + + +Update Windows 10 in the enterprise + +Deploying as an in-place upgrade + +Configure Windows Update for Business + +Express update delivery + +Windows 10 deployment considerations + + +## Microsoft Ignite 2018 + + +Looking to learn more? These informative session replays from Microsoft Ignite 2018 (complete with downloadable slide decks) can provide some great insights on Windows as a service. + +[BRK2417: What’s new in Windows Analytics: An Intro to Desktop Analytics](https://myignite.techcommunity.microsoft.com/sessions/64324#ignite-html-anchor) + +[BRK3018: Deploying Windows 10 in the enterprise using traditional and modern techniques](https://myignite.techcommunity.microsoft.com/sessions/64509#ignite-html-anchor) + +[BRK3019: Delivery Optimization deep dive: How to reduce internet bandwidth impact on your network](https://myignite.techcommunity.microsoft.com/sessions/64510#ignite-html-anchor) + +[BRK3020: Using AI to automate Windows and Office update staging with Windows Update for Business](https://myignite.techcommunity.microsoft.com/sessions/64513#ignite-html-anchor) + +[BRK3027: Deploying Windows 10: Making the update experience smooth and seamless](https://myignite.techcommunity.microsoft.com/sessions/64612#ignite-html-anchor) + +[BRK3039: Windows 10 and Microsoft Office 365 ProPlus lifecycle and servicing update](https://myignite.techcommunity.microsoft.com/sessions/66763#ignite-html-anchor) + +[BRK3211: Ask the Experts: Successfully deploying, servicing, managing Windows 10](https://myignite.techcommunity.microsoft.com/sessions/65963#ignite-html-anchor) + +[THR2234: Windows servicing and delivery fundamentals](https://myignite.techcommunity.microsoft.com/sessions/66741#ignite-html-anchor) + +[THR3006: The pros and cons of LTSC in the enterprise](https://myignite.techcommunity.microsoft.com/sessions/64512#ignite-html-anchor) diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md index 476a82bf7b..52969656a5 100644 --- a/windows/deployment/update/windows-update-error-reference.md +++ b/windows/deployment/update/windows-update-error-reference.md @@ -1,365 +1,365 @@ ---- -title: Windows Update error code list by component -description: Reference information for Windows Update error codes -ms.prod: w10 -ms.mktglfcycl: -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greg-lindsay -ms.date: 09/18/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Windows Update error codes by component - ->Applies to: Windows 10 - - -This section lists the error codes for Microsoft Windows Update. - -## Automatic Update Errors - -| Error code | Message | Description | -|------------|-------------------------------|--------------------------------------------------------------------------------------------------------| -| 0x80243FFF | WU_E_AUCLIENT_UNEXPECTED | There was a user interface error not covered by another WU_E_AUCLIENT_\* error code. | -| 0x8024A000 | WU_E_AU_NOSERVICE | Automatic Updates was unable to service incoming requests.  | -| 0x8024A002 | WU_E_AU_NONLEGACYSERVER | The old version of the Automatic Updates client has stopped because the WSUS server has been upgraded. | -| 0x8024A003 | WU_E_AU_LEGACYCLIENTDISABLED |  The old version of the Automatic Updates client was disabled. | -| 0x8024A004 | WU_E_AU_PAUSED | Automatic Updates was unable to process incoming requests because it was paused. | -| 0x8024A005 | WU_E_AU_NO_REGISTERED_SERVICE |  No unmanaged service is registered with AU. | -| 0x8024AFFF | WU_E_AU_UNEXPECTED |  An Automatic Updates error not covered by another WU_E_AU \* code. | - -## Windows Update UI errors - -| Error code | Message | Description | -|------------|-------------------------------------------|--------------------------------------------------------------------------------------------------------------------------| -| 0x80243001 | WU_E_INSTALLATION_RESULTS_UNKNOWN_VERSION | The results of download and installation could not be read from the registry due to an unrecognized data format version. | -| 0x80243002 | WU_E_INSTALLATION_RESULTS_INVALID_DATA | The results of download and installation could not be read from the registry due to an invalid data format. | -| 0x80243003 | WU_E_INSTALLATION_RESULTS_NOT_FOUND | The results of download and installation are not available; the operation may have failed to start. | -| 0x80243004 |  WU_E_TRAYICON_FAILURE |  A failure occurred when trying to create an icon in the taskbar notification area. | -| 0x80243FFD |  WU_E_NON_UI_MODE |  Unable to show UI when in non-UI mode; WU client UI modules may not be installed.  | -| 0x80243FFE |  WU_E_WUCLTUI_UNSUPPORTED_VERSION |  Unsupported version of WU client UI exported functions.  | -| 0x80243FFF |  WU_E_AUCLIENT_UNEXPECTED |  There was a user interface error not covered by another WU_E_AUCLIENT_\* error code.  | - -## Inventory errors - -| Error code | Message | Description | -|------------|-------------------------------------------|-------------------------------------------------------------------------------| -| 0x80249001 |  WU_E_INVENTORY_PARSEFAILED |  Parsing of the rule file failed.  | -| 0x80249002 |  WU_E_INVENTORY_GET_INVENTORY_TYPE_FAILED |  Failed to get the requested inventory type from the server.  | -| 0x80249003 |  WU_E_INVENTORY_RESULT_UPLOAD_FAILED |  Failed to upload inventory result to the server.  | -| 0x80249004 |  WU_E_INVENTORY_UNEXPECTED |  There was an inventory error not covered by another error code. | -| 0x80249005 |  WU_E_INVENTORY_WMI_ERROR |  A WMI error occurred when enumerating the instances for a particular class.  | - -## Expression evaluator errors - -| Error code | Message | Description | -|-------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------| -| 0x8024E001 |  WU_E_EE_UNKNOWN_EXPRESSION |  An expression evaluator operation could not be completed because an expression was unrecognized. | -| 0x8024E002 |  WU_E_EE_INVALID_EXPRESSION |  An expression evaluator operation could not be completed because an expression was invalid.  | -| 0x8024E003 |  WU_E_EE_MISSING_METADATA |  An expression evaluator operation could not be completed because an expression contains an incorrect number of metadata nodes.  | -| 0x8024E004 |  WU_E_EE_INVALID_VERSION |  An expression evaluator operation could not be completed because the version of the serialized expression data is invalid.  | -|  0x8024E005 |  WU_E_EE_NOT_INITIALIZED |  The expression evaluator could not be initialized. | -|  0x8024E006 |  WU_E_EE_INVALID_ATTRIBUTEDATA |  An expression evaluator operation could not be completed because there was an invalid attribute. | -|  0x8024E007 |  WU_E_EE_CLUSTER_ERROR |  An expression evaluator operation could not be completed because the cluster state of the computer could not be determined.  | -|  0x8024EFFF |  WU_E_EE_UNEXPECTED |  There was an expression evaluator error not covered by another WU_E_EE_\* error code.  | - -## Reporter errors - -| Error code | Message | Description | -|-------------|------------------------------------------|-----------------------------------------------------------------------------------------------------------------------| -|  0x80247001 |  WU_E_OL_INVALID_SCANFILE |  An operation could not be completed because the scan package was invalid. | -| 0x80247002 |  WU_E_OL_NEWCLIENT_REQUIRED |  An operation could not be completed because the scan package requires a greater version of the Windows Update Agent. | -|  0x80247FFF |  WU_E_OL_UNEXPECTED |  Search using the scan package failed.  | -|  0x8024F001 |  WU_E_REPORTER_EVENTCACHECORRUPT |  The event cache file was defective.  | -|  0x8024F002 |  WU_E_REPORTER_EVENTNAMESPACEPARSEFAILED |  The XML in the event namespace descriptor could not be parsed. | -|  0x8024F003 |  WU_E_INVALID_EVENT |  The XML in the event namespace descriptor could not be parsed. | -|  0x8024F004 |  WU_E_SERVER_BUSY |  The server rejected an event because the server was too busy. | -|  0x8024FFFF |  WU_E_REPORTER_UNEXPECTED |  There was a reporter error not covered by another error code.  | - -## Redirector errors -The components that download the Wuredir.cab file and then parse the Wuredir.cab file generate the following errors. - -|Error code|Message|Description | -|-|-|-| -| 0x80245001| WU_E_REDIRECTOR_LOAD_XML| The redirector XML document could not be loaded into the DOM class.  | -| 0x80245002| WU_E_REDIRECTOR_S_FALSE| The redirector XML document is missing some required information. | -| 0x80245003| WU_E_REDIRECTOR_ID_SMALLER| The redirectorId in the downloaded redirector cab is less than in the cached cab.  | -| 0x80245FFF| WU_E_REDIRECTOR_UNEXPECTED| The redirector failed for reasons not covered by another WU_E_REDIRECTOR_* error code.  | - -## Protocol Talker errors -The following errors map to SOAPCLIENT_ERRORs through the Atlsoap.h file. These errors are obtained when the CClientWebService object calls the GetClientError() method. - - -| Error code | Message | Description | -|-------------|---------------------------------|------------------------------------------------------------------------------------------------------------------------------------| -|  0x80244000 |  WU_E_PT_SOAPCLIENT_BASE |  WU_E_PT_SOAPCLIENT_\* error codes map to the SOAPCLIENT_ERROR enum of the ATL Server Library. | -| 0x80244001 |  WU_E_PT_SOAPCLIENT_INITIALIZE |  Same as SOAPCLIENT_INITIALIZE_ERROR - initialization of the SOAP client failed possibly because of an MSXML installation failure. | -|  0x80244002 |  WU_E_PT_SOAPCLIENT_OUTOFMEMORY |  Same as SOAPCLIENT_OUTOFMEMORY - SOAP client failed because it ran out of memory.  | -|  0x80244003 |  WU_E_PT_SOAPCLIENT_GENERATE |  Same as SOAPCLIENT_GENERATE_ERROR - SOAP client failed to generate the request. | -|  0x80244004 |  WU_E_PT_SOAPCLIENT_CONNECT |  Same as SOAPCLIENT_CONNECT_ERROR - SOAP client failed to connect to the server.  | -|  0x80244005 |  WU_E_PT_SOAPCLIENT_SEND |  Same as SOAPCLIENT_SEND_ERROR - SOAP client failed to send a message for reasons of WU_E_WINHTTP_\* error codes. | -|  0x80244006 |  WU_E_PT_SOAPCLIENT_SERVER |  Same as SOAPCLIENT_SERVER_ERROR - SOAP client failed because there was a server error.  | -|  0x80244007 |  WU_E_PT_SOAPCLIENT_SOAPFAULT |  Same as SOAPCLIENT_SOAPFAULT - SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | -|  0x80244008 |  WU_E_PT_SOAPCLIENT_PARSEFAULT |  Same as SOAPCLIENT_PARSEFAULT_ERROR - SOAP client failed to parse a SOAP fault. | -|  0x80244009 |  WU_E_PT_SOAPCLIENT_READ |  Same as SOAPCLIENT_READ_ERROR - SOAP client failed while reading the response from the server. | -|  0x8024400A |  WU_E_PT_SOAPCLIENT_PARSE |  Same as SOAPCLIENT_PARSE_ERROR - SOAP client failed to parse the response from the server.  | - -## Other Protocol Talker errors -The following errors map to SOAP_ERROR_CODEs from the Atlsoap.h file. These errors are obtained from the m_fault.m_soapErrCode member of the CClientWebService object when GetClientError() returns SOAPCLIENT_SOAPFAULT. - - -| Error code | Message | Description | -|-------------|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -|  0x8024400B |  WU_E_PT_SOAP_VERSION |  Same as SOAP_E_VERSION_MISMATCH - SOAP client found an unrecognizable namespace for the SOAP envelope. | -|  0x8024400C |  WU_E_PT_SOAP_MUST_UNDERSTAND |  Same as SOAP_E_MUST_UNDERSTAND - SOAP client was unable to understand a header.  | -|  0x8024400D |  WU_E_PT_SOAP_CLIENT |  Same as SOAP_E_CLIENT - SOAP client found the message was malformed; fix before resending.  | -|  0x8024400E |  WU_E_PT_SOAP_SERVER |  Same as SOAP_E_SERVER - The SOAP message could not be processed due to a server error; resend later.  | -|  0x8024400F |  WU_E_PT_WMI_ERROR |  There was an unspecified Windows Management Instrumentation (WMI) error. | -|  0x80244010 |  WU_E_PT_EXCEEDED_MAX_SERVER_TRIPS |  The number of round trips to the server exceeded the maximum limit.  | -|  0x80244011 |  WU_E_PT_SUS_SERVER_NOT_SET |  WUServer policy value is missing in the registry.  | -|  0x80244012 |  WU_E_PT_DOUBLE_INITIALIZATION |  Initialization failed because the object was already initialized.  | -|  0x80244013 |  WU_E_PT_INVALID_COMPUTER_NAME |  The computer name could not be determined.  | -|  0x80244015 |  WU_E_PT_REFRESH_CACHE_REQUIRED |  The reply from the server indicates that the server was changed or the cookie was invalid; refresh the state of the internal cache and retry. | -|  0x80244016 |  WU_E_PT_HTTP_STATUS_BAD_REQUEST |  Same as HTTP status 400 - the server could not process the request due to invalid syntax.  | -|  0x80244017 |  WU_E_PT_HTTP_STATUS_DENIED |  Same as HTTP status 401 - the requested resource requires user authentication.  | -|  0x80244018 |  WU_E_PT_HTTP_STATUS_FORBIDDEN |  Same as HTTP status 403 - server understood the request but declined to fulfill it. | -|  0x80244019 |  WU_E_PT_HTTP_STATUS_NOT_FOUND |  Same as HTTP status 404 - the server cannot find the requested URI (Uniform Resource Identifier).  | -|  0x8024401A |  WU_E_PT_HTTP_STATUS_BAD_METHOD |  Same as HTTP status 405 - the HTTP method is not allowed.  | -|  0x8024401B |  WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ |  Same as HTTP status 407 - proxy authentication is required.  | -|  0x8024401C |  WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT |  Same as HTTP status 408 - the server timed out waiting for the request.  | -|  0x8024401D |  WU_E_PT_HTTP_STATUS_CONFLICT |  Same as HTTP status 409 - the request was not completed due to a conflict with the current state of the resource.  | -|  0x8024401E |  WU_E_PT_HTTP_STATUS_GONE |  Same as HTTP status 410 - requested resource is no longer available at the server. | -|  0x8024401F |  WU_E_PT_HTTP_STATUS_SERVER_ERROR |  Same as HTTP status 500 - an error internal to the server prevented fulfilling the request.  | -|  0x80244020 |  WU_E_PT_HTTP_STATUS_NOT_SUPPORTED |  Same as HTTP status 500 - server does not support the functionality required to fulfill the request.  | -|  0x80244021 |  WU_E_PT_HTTP_STATUS_BAD_GATEWAY | Same as HTTP status 502 - the server while acting as a gateway or a proxy received an invalid response from the upstream server it accessed in attempting to fulfil the request. | -|  0x80244022 |  WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL |  Same as HTTP status 503 - the service is temporarily overloaded.  | -|  0x80244023 |  WU_E_PT_HTTP_STATUS_GATEWAY_TIMEOUT |  Same as HTTP status 503 - the request was timed out waiting for a gateway.  | -|  0x80244024 |  WU_E_PT_HTTP_STATUS_VERSION_NOT_SUP |  Same as HTTP status 505 - the server does not support the HTTP protocol version used for the request.  | -|  0x80244025 |  WU_E_PT_FILE_LOCATIONS_CHANGED |  Operation failed due to a changed file location; refresh internal state and resend. | -|  0x80244026 |  WU_E_PT_REGISTRATION_NOT_SUPPORTED |  Operation failed because Windows Update Agent does not support registration with a non-WSUS server.  | -|  0x80244027 |  WU_E_PT_NO_AUTH_PLUGINS_REQUESTED |  The server returned an empty authentication information list.  | -|  0x80244028 |  WU_E_PT_NO_AUTH_COOKIES_CREATED |  Windows Update Agent was unable to create any valid authentication cookies.  | -|  0x80244029 |  WU_E_PT_INVALID_CONFIG_PROP |  A configuration property value was wrong.  | -|  0x8024402A |  WU_E_PT_CONFIG_PROP_MISSING |  A configuration property value was missing.  | -|  0x8024402B |  WU_E_PT_HTTP_STATUS_NOT_MAPPED |  The HTTP request could not be completed and the reason did not correspond to any of the WU_E_PT_HTTP_\* error codes.  | -|  0x8024402C |  WU_E_PT_WINHTTP_NAME_NOT_RESOLVED |  Same as ERROR_WINHTTP_NAME_NOT_RESOLVED - the proxy server or target server name cannot be resolved.  | -|  0x8024402F |  WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS |  External cab file processing completed with some errors. | -|  0x80244030 |  WU_E_PT_ECP_INIT_FAILED |  The external cab processor initialization did not complete.  | -|  0x80244031 |  WU_E_PT_ECP_INVALID_FILE_FORMAT |  The format of a metadata file was invalid.  | -|  0x80244032 |  WU_E_PT_ECP_INVALID_METADATA |  External cab processor found invalid metadata.  | -|  0x80244033 |  WU_E_PT_ECP_FAILURE_TO_EXTRACT_DIGEST |  The file digest could not be extracted from an external cab file.  | -|  0x80244034 |  WU_E_PT_ECP_FAILURE_TO_DECOMPRESS_CAB_FILE |  An external cab file could not be decompressed.  | -|  0x80244035 |  WU_E_PT_ECP_FILE_LOCATION_ERROR |  External cab processor was unable to get file locations.  | -|  0x80244FFF |  WU_E_PT_UNEXPECTED |  A communication error not covered by another WU_E_PT_\* error code.  | -|  0x8024502D |  WU_E_PT_SAME_REDIR_ID |  Windows Update Agent failed to download a redirector cabinet file with a new redirectorId value from the server during the recovery.  | -|  0x8024502E |  WU_E_PT_NO_MANAGED_RECOVER |  A redirector recovery action did not complete because the server is managed.  | - -## Download Manager errors - -| Error code | Message | Description | -|-------------|----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------| -|  0x80246001 |  WU_E_DM_URLNOTAVAILABLE |  A download manager operation could not be completed because the requested file does not have a URL.  | -|  0x80246002 |  WU_E_DM_INCORRECTFILEHASH |  A download manager operation could not be completed because the file digest was not recognized.  | -|  0x80246003 |  WU_E_DM_UNKNOWNALGORITHM |  A download manager operation could not be completed because the file metadata requested an unrecognized hash algorithm.  | -|  0x80246004 |  WU_E_DM_NEEDDOWNLOADREQUEST |  An operation could not be completed because a download request is required from the download handler.  | -|  0x80246005 |  WU_E_DM_NONETWORK |  A download manager operation could not be completed because the network connection was unavailable.  | -|  0x80246006 |  WU_E_DM_WRONGBITSVERSION |  A download manager operation could not be completed because the version of Background Intelligent Transfer Service (BITS) is incompatible. | -|  0x80246007 |  WU_E_DM_NOTDOWNLOADED |  The update has not been downloaded.  | -|  0x80246008 |  WU_E_DM_FAILTOCONNECTTOBITS |  A download manager operation failed because the download manager was unable to connect the Background Intelligent Transfer Service (BITS). | -|  0x80246009 | WU_E_DM_BITSTRANSFERERROR |  A download manager operation failed because there was an unspecified Background Intelligent Transfer Service (BITS) transfer error.  | -|  0x8024600A |  WU_E_DM_DOWNLOADLOCATIONCHANGED |  A download must be restarted because the location of the source of the download has changed. | -|  0x8024600B |  WU_E_DM_CONTENTCHANGED |  A download must be restarted because the update content changed in a new revision.  | -|  0x80246FFF |  WU_E_DM_UNEXPECTED |  There was a download manager error not covered by another WU_E_DM_\* error code.  | - -## Update Handler errors - -| Error code | Message | Description | -|-------------|---------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------| -|  0x80242000 |  WU_E_UH_REMOTEUNAVAILABLE | 9 A request for a remote update handler could not be completed because no remote process is available.  | -|  0x80242001 |  WU_E_UH_LOCALONLY |  A request for a remote update handler could not be completed because the handler is local only.  | -|  0x80242002 |  WU_E_UH_UNKNOWNHANDLER |  A request for an update handler could not be completed because the handler could not be recognized.  | -|  0x80242003 |  WU_E_UH_REMOTEALREADYACTIVE |  A remote update handler could not be created because one already exists.  | -|  0x80242004 |  WU_E_UH_DOESNOTSUPPORTACTION |  A request for the handler to install (uninstall) an update could not be completed because the update does not support install (uninstall). | -|  0x80242005 |  WU_E_UH_WRONGHANDLER |  An operation did not complete because the wrong handler was specified.  | -|  0x80242006 |  WU_E_UH_INVALIDMETADATA |  A handler operation could not be completed because the update contains invalid metadata.  | -|  0x80242007 |  WU_E_UH_INSTALLERHUNG |  An operation could not be completed because the installer exceeded the time limit.  | -|  0x80242008 |  WU_E_UH_OPERATIONCANCELLED |  An operation being done by the update handler was cancelled.  | -|  0x80242009 |  WU_E_UH_BADHANDLERXML |  An operation could not be completed because the handler-specific metadata is invalid.  | -| 0x8024200A |  WU_E_UH_CANREQUIREINPUT |  A request to the handler to install an update could not be completed because the update requires user input.  | -|  0x8024200B |  WU_E_UH_INSTALLERFAILURE |  The installer failed to install (uninstall) one or more updates.  | -|  0x8024200C |  WU_E_UH_FALLBACKTOSELFCONTAINED |  The update handler should download self-contained content rather than delta-compressed content for the update.  | -|  0x8024200D |  WU_E_UH_NEEDANOTHERDOWNLOAD |  The update handler did not install the update because it needs to be downloaded again.  | -|  0x8024200E |  WU_E_UH_NOTIFYFAILURE |  The update handler failed to send notification of the status of the install (uninstall) operation.  | -|  0x8024200F | WU_E_UH_INCONSISTENT_FILE_NAMES |  The file names contained in the update metadata and in the update package are inconsistent.  | -|  0x80242010 |  WU_E_UH_FALLBACKERROR |  The update handler failed to fall back to the self-contained content.  | -|  0x80242011 |  WU_E_UH_TOOMANYDOWNLOADREQUESTS |  The update handler has exceeded the maximum number of download requests.  | -|  0x80242012 |  WU_E_UH_UNEXPECTEDCBSRESPONSE |  The update handler has received an unexpected response from CBS.  | -|  0x80242013 |  WU_E_UH_BADCBSPACKAGEID |  The update metadata contains an invalid CBS package identifier.  | -|  0x80242014 |  WU_E_UH_POSTREBOOTSTILLPENDING |  The post-reboot operation for the update is still in progress.  | -|  0x80242015 |  WU_E_UH_POSTREBOOTRESULTUNKNOWN |  The result of the post-reboot operation for the update could not be determined.  | -|  0x80242016 |  WU_E_UH_POSTREBOOTUNEXPECTEDSTATE |  The state of the update after its post-reboot operation has completed is unexpected.  | -|  0x80242017 |  WU_E_UH_NEW_SERVICING_STACK_REQUIRED |  The OS servicing stack must be updated before this update is downloaded or installed.  | -|  0x80242FFF |  WU_E_UH_UNEXPECTED |  An update handler error not covered by another WU_E_UH_\* code.  | - -## Data Store errors - -| Error code | Message | Description | -|-------------|-------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -|  0x80248000 |  WU_E_DS_SHUTDOWN |  An operation failed because Windows Update Agent is shutting down.  | -|  0x80248001 |  WU_E_DS_INUSE |  An operation failed because the data store was in use. | -|  0x80248002 |  WU_E_DS_INVALID |  The current and expected states of the data store do not match. | -|  0x80248003 |  WU_E_DS_TABLEMISSING |  The data store is missing a table.  | -|  0x80248004 |  WU_E_DS_TABLEINCORRECT |  The data store contains a table with unexpected columns.  | -|  0x80248005 |  WU_E_DS_INVALIDTABLENAME |  A table could not be opened because the table is not in the data store.  | -|  0x80248006 |  WU_E_DS_BADVERSION |  The current and expected versions of the data store do not match.  | -|  0x80248007 |  WU_E_DS_NODATA |  The information requested is not in the data store.  | -|  0x80248008 |  WU_E_DS_MISSINGDATA |  The data store is missing required information or has a NULL in a table column that requires a non-null value.  | -|  0x80248009 |  WU_E_DS_MISSINGREF |  The data store is missing required information or has a reference to missing license terms file localized property or linked row. | -|  0x8024800A |  WU_E_DS_UNKNOWNHANDLER |  The update was not processed because its update handler could not be recognized.  | -|  0x8024800B |  WU_E_DS_CANTDELETE |  The update was not deleted because it is still referenced by one or more services.  | -|  0x8024800C |  WU_E_DS_LOCKTIMEOUTEXPIRED |  The data store section could not be locked within the allotted time.  | -|  0x8024800D |  WU_E_DS_NOCATEGORIES |  The category was not added because it contains no parent categories and is not a top-level category itself.  | -|  0x8024800E |  WU_E_DS_ROWEXISTS |  The row was not added because an existing row has the same primary key.  | -|  0x8024800F |  WU_E_DS_STOREFILELOCKED |  The data store could not be initialized because it was locked by another process.  | -|  0x80248010 |  WU_E_DS_CANNOTREGISTER |  The data store is not allowed to be registered with COM in the current process.  | -|  0x80248011 | WU_E_DS_UNABLETOSTART |  Could not create a data store object in another process.  | -|  0x80248013 |  WU_E_DS_DUPLICATEUPDATEID | The server sent the same update to the client with two different revision IDs.  | -|  0x80248014 | WU_E_DS_UNKNOWNSERVICE |  An operation did not complete because the service is not in the data store.  | -| 0x80248015 | WU_E_DS_SERVICEEXPIRED | An operation did not complete because the registration of the service has expired.  | -| 0x80248016 |  WU_E_DS_DECLINENOTALLOWED |  A request to hide an update was declined because it is a mandatory update or because it was deployed with a deadline.  | -| 0x80248017 |  WU_E_DS_TABLESESSIONMISMATCH |  A table was not closed because it is not associated with the session.  | -| 0x80248018 |  WU_E_DS_SESSIONLOCKMISMATCH |  A table was not closed because it is not associated with the session.  | -| 0x80248019 |  WU_E_DS_NEEDWINDOWSSERVICE |  A request to remove the Windows Update service or to unregister it with Automatic Updates was declined because it is a built-in service and/or Automatic Updates cannot fall back to another service.  | -| 0x8024801A |  WU_E_DS_INVALIDOPERATION |  A request was declined because the operation is not allowed.  | -| 0x8024801B |  WU_E_DS_SCHEMAMISMATCH |  The schema of the current data store and the schema of a table in a backup XML document do not match.  | -| 0x8024801C |  WU_E_DS_RESETREQUIRED |  The data store requires a session reset; release the session and retry with a new session.  | -| 0x8024801D |  WU_E_DS_IMPERSONATED |  A data store operation did not complete because it was requested with an impersonated identity.  | -| 0x80248FFF |  WU_E_DS_UNEXPECTED |  A data store error not covered by another WU_E_DS_\* code.  | - -## Driver Util errors -The PnP enumerated device is removed from the System Spec because one of the hardware IDs or the compatible IDs matches an installed printer driver. This is not a fatal error, and the device is merely skipped. - -|Error code|Message|Description -|-|-|-| -| 0x8024C001 | WU_E_DRV_PRUNED| A driver was skipped.  -| 0x8024C002 |WU_E_DRV_NOPROP_OR_LEGACY| A property for the driver could not be found. It may not conform with required specifications.  -| 0x8024C003 | WU_E_DRV_REG_MISMATCH| The registry type read for the driver does not match the expected type.  -| 0x8024C004 | WU_E_DRV_NO_METADATA| The driver update is missing metadata.  -| 0x8024C005 | WU_E_DRV_MISSING_ATTRIBUTE| The driver update is missing a required attribute.  -| 0x8024C006| WU_E_DRV_SYNC_FAILED| Driver synchronization failed.  -| 0x8024C007 | WU_E_DRV_NO_PRINTER_CONTENT| Information required for the synchronization of applicable printers is missing.  -| 0x8024CFFF | WU_E_DRV_UNEXPECTED| A driver error not covered by another WU_E_DRV_* code.  - -## Windows Update error codes - -|Error code|Message|Description -|-|-|-| -| 0x80240001 | WU_E_NO_SERVICE| Windows Update Agent was unable to provide the service.  -| 0x80240002 | WU_E_MAX_CAPACITY_REACHED | The maximum capacity of the service was exceeded.  -| 0x80240003 | WU_E_UNKNOWN_ID| An ID cannot be found.  -| 0x80240004 | WU_E_NOT_INITIALIZED| The object could not be initialized.  -| 0x80240005 | WU_E_RANGEOVERLAP |The update handler requested a byte range overlapping a previously requested range.  -| 0x80240006 | WU_E_TOOMANYRANGES| The requested number of byte ranges exceeds the maximum number (2^31 - 1).  -| 0x80240007 | WU_E_INVALIDINDEX| The index to a collection was invalid.  -| 0x80240008 | WU_E_ITEMNOTFOUND| The key for the item queried could not be found.  -| 0x80240009 | WU_E_OPERATIONINPROGRESS| Another conflicting operation was in progress. Some operations such as installation cannot be performed twice simultaneously.  -| 0x8024000A | WU_E_COULDNOTCANCEL| Cancellation of the operation was not allowed.  -| 0x8024000B | WU_E_CALL_CANCELLED| Operation was cancelled.  -| 0x8024000C | WU_E_NOOP| No operation was required.  -| 0x8024000D | WU_E_XML_MISSINGDATA| Windows Update Agent could not find required information in the update's XML data.  -| 0x8024000E | WU_E_XML_INVALID| Windows Update Agent found invalid information in the update's XML data.  -| 0x8024000F | WU_E_CYCLE_DETECTED | Circular update relationships were detected in the metadata.  -| 0x80240010 | WU_E_TOO_DEEP_RELATION| Update relationships too deep to evaluate were evaluated.  -| 0x80240011 | WU_E_INVALID_RELATIONSHIP| An invalid update relationship was detected.  -| 0x80240012 | WU_E_REG_VALUE_INVALID| An invalid registry value was read.  -| 0x80240013 | WU_E_DUPLICATE_ITEM| Operation tried to add a duplicate item to a list.  -| 0x80240016 | WU_E_INSTALL_NOT_ALLOWED| Operation tried to install while another installation was in progress or the system was pending a mandatory restart.  -| 0x80240017 | WU_E_NOT_APPLICABLE| Operation was not performed because there are no applicable updates.  -| 0x80240018 | WU_E_NO_USERTOKEN| Operation failed because a required user token is missing.  -| 0x80240019 | WU_E_EXCLUSIVE_INSTALL_CONFLICT| An exclusive update cannot be installed with other updates at the same time.  -| 0x8024001A | WU_E_POLICY_NOT_SET | A policy value was not set.  -| 0x8024001B | WU_E_SELFUPDATE_IN_PROGRESS| The operation could not be performed because the Windows Update Agent is self-updating.  -| 0x8024001D | WU_E_INVALID_UPDATE| An update contains invalid metadata.  -| 0x8024001E | WU_E_SERVICE_STOP| Operation did not complete because the service or system was being shut down.  -| 0x8024001F | WU_E_NO_CONNECTION| Operation did not complete because the network connection was unavailable.  -| 0x80240020 | WU_E_NO_INTERACTIVE_USER| Operation did not complete because there is no logged-on interactive user.  -| 0x80240021 | WU_E_TIME_OUT| Operation did not complete because it timed out.  -| 0x80240022 | WU_E_ALL_UPDATES_FAILED| Operation failed for all the updates.  -| 0x80240023 | WU_E_EULAS_DECLINED| The license terms for all updates were declined.  -| 0x80240024 | WU_E_NO_UPDATE| There are no updates.  -| 0x80240025 | WU_E_USER_ACCESS_DISABLED| Group Policy settings prevented access to Windows Update.  -| 0x80240026 | WU_E_INVALID_UPDATE_TYPE| The type of update is invalid.  -| 0x80240027 | WU_E_URL_TOO_LONG| The URL exceeded the maximum length.  -| 0x80240028 | WU_E_UNINSTALL_NOT_ALLOWED| The update could not be uninstalled because the request did not originate from a WSUS server.  -| 0x80240029 | WU_E_INVALID_PRODUCT_LICENSE| Search may have missed some updates before there is an unlicensed application on the system.  -| 0x8024002A | WU_E_MISSING_HANDLER| A component required to detect applicable updates was missing.  -| 0x8024002B | WU_E_LEGACYSERVER| An operation did not complete because it requires a newer version of server.  -| 0x8024002C | WU_E_BIN_SOURCE_ABSENT| A delta-compressed update could not be installed because it required the source.  -| 0x8024002D | WU_E_SOURCE_ABSENT| A full-file update could not be installed because it required the source.  -| 0x8024002E | WU_E_WU_DISABLED| Access to an unmanaged server is not allowed.  -| 0x8024002F | WU_E_CALL_CANCELLED_BY_POLICY| Operation did not complete because the DisableWindowsUpdateAccess policy was set.  -| 0x80240030 | WU_E_INVALID_PROXY_SERVER| The format of the proxy list was invalid.  -| 0x80240031 | WU_E_INVALID_FILE| The file is in the wrong format.  -| 0x80240032 | WU_E_INVALID_CRITERIA| The search criteria string was invalid.  -| 0x80240033 | WU_E_EULA_UNAVAILABLE| License terms could not be downloaded.  -| 0x80240034 | WU_E_DOWNLOAD_FAILED| Update failed to download.  -| 0x80240035 | WU_E_UPDATE_NOT_PROCESSED| The update was not processed.  -| 0x80240036 | WU_E_INVALID_OPERATION| The object's current state did not allow the operation.  -| 0x80240037 | WU_E_NOT_SUPPORTED| The functionality for the operation is not supported.  -| 0x80240038 | WU_E_WINHTTP_INVALID_FILE| The downloaded file has an unexpected content type.  -| 0x80240039 | WU_E_TOO_MANY_RESYNC| Agent is asked by server to resync too many times.  -| 0x80240040 | WU_E_NO_SERVER_CORE_SUPPORT| WUA API method does not run on Server Core installation.  -| 0x80240041 | WU_E_SYSPREP_IN_PROGRESS| Service is not available while sysprep is running.  -| 0x80240042 | WU_E_UNKNOWN_SERVICE| The update service is no longer registered with AU.  -| 0x80240043 | WU_E_NO_UI_SUPPORT| There is no support for WUA UI.  -| 0x80240FFF | WU_E_UNEXPECTED| An operation failed due to reasons not covered by another error code.  - -## Windows Update success codes - -|Error code|Message|Description -|-|-|-| -| 0x00240001| WU_S_SERVICE_STOP| Windows Update Agent was stopped successfully.  -| 0x00240002 | WU_S_SELFUPDATE| Windows Update Agent updated itself.  -| 0x00240003 | WU_S_UPDATE_ERROR| Operation completed successfully but there were errors applying the updates.  -| 0x00240004 | WU_S_MARKED_FOR_DISCONNECT| A callback was marked to be disconnected later because the request to disconnect the operation came while a callback was executing.  -| 0x00240005 | WU_S_REBOOT_REQUIRED| The system must be restarted to complete installation of the update.  -| 0x00240006 | WU_S_ALREADY_INSTALLED| The update to be installed is already installed on the system.  -| 0x00240007 | WU_S_ALREADY_UNINSTALLED | The update to be removed is not installed on the system.  -| 0x00240008 | WU_S_ALREADY_DOWNLOADED| The update to be downloaded has already been downloaded.  - -## Windows Installer minor errors -The following errors are used to indicate that part of a search fails because of Windows Installer problems. Another part of the search may successfully return updates. All Windows Installer minor codes must share the same error code range so that the caller can tell that they are related to Windows Installer. - -|Error code|Message|Description -|-|-|-| -| 0x80241001 |WU_E_MSI_WRONG_VERSION| Search may have missed some updates because the Windows Installer is less than version 3.1.  -| 0x80241002 | WU_E_MSI_NOT_CONFIGURED| Search may have missed some updates because the Windows Installer is not configured.  -| 0x80241003 | WU_E_MSP_DISABLED| Search may have missed some updates because policy has disabled Windows Installer patching.  -| 0x80241004 | WU_E_MSI_WRONG_APP_CONTEXT| An update could not be applied because the application is installed per-user.  -| 0x80241FFF | WU_E_MSP_UNEXPECTED| Search may have missed some updates because there was a failure of the Windows Installer.  - -## Windows Update Agent update and setup errors - -|Error code|Message|Description -|-|-|-| -| 0x8024D001 | WU_E_SETUP_INVALID_INFDATA| Windows Update Agent could not be updated because an INF file contains invalid information.  -| 0x8024D002 | WU_E_SETUP_INVALID_IDENTDATA| Windows Update Agent could not be updated because the wuident.cab file contains invalid information.  -| 0x8024D003 | WU_E_SETUP_ALREADY_INITIALIZED| Windows Update Agent could not be updated because of an internal error that caused setup initialization to be performed twice.  -| 0x8024D004 | WU_E_SETUP_NOT_INITIALIZED| Windows Update Agent could not be updated because setup initialization never completed successfully.  -| 0x8024D005 | WU_E_SETUP_SOURCE_VERSION_MISMATCH| Windows Update Agent could not be updated because the versions specified in the INF do not match the actual source file versions.  -| 0x8024D006 | WU_E_SETUP_TARGET_VERSION_GREATER| Windows Update Agent could not be updated because a WUA file on the target system is newer than the corresponding source file.  -| 0x8024D007 | WU_E_SETUP_REGISTRATION_FAILED| Windows Update Agent could not be updated because regsvr32.exe returned an error.  -| 0x8024D009 | WU_E_SETUP_SKIP_UPDATE| An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file.  -| 0x8024D00A | WU_E_SETUP_UNSUPPORTED_CONFIGURATION| Windows Update Agent could not be updated because the current system configuration is not supported.  -| 0x8024D00B | WU_E_SETUP_BLOCKED_CONFIGURATION| Windows Update Agent could not be updated because the system is configured to block the update.  -| 0x8024D00C | WU_E_SETUP_REBOOT_TO_FIX| Windows Update Agent could not be updated because a restart of the system is required.  -| 0x8024D00D | WU_E_SETUP_ALREADYRUNNING| Windows Update Agent setup is already running.  -| 0x8024D00E | WU_E_SETUP_REBOOTREQUIRED| Windows Update Agent setup package requires a reboot to complete installation.  -| 0x8024D00F | WU_E_SETUP_HANDLER_EXEC_FAILURE| Windows Update Agent could not be updated because the setup handler failed during execution.  -| 0x8024D010 | WU_E_SETUP_INVALID_REGISTRY_DATA| Windows Update Agent could not be updated because the registry contains invalid information.  -| 0x8024D013 | WU_E_SETUP_WRONG_SERVER_VERSION| Windows Update Agent could not be updated because the server does not contain update information for this version.  -| 0x8024DFFF | WU_E_SETUP_UNEXPECTED| Windows Update Agent could not be updated because of an error not covered by another WU_E_SETUP_* error code.  +--- +title: Windows Update error code list by component +description: Reference information for Windows Update error codes +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.date: 09/18/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Windows Update error codes by component + +>Applies to: Windows 10 + + +This section lists the error codes for Microsoft Windows Update. + +## Automatic Update Errors + +| Error code | Message | Description | +|------------|-------------------------------|--------------------------------------------------------------------------------------------------------| +| 0x80243FFF | WU_E_AUCLIENT_UNEXPECTED | There was a user interface error not covered by another WU_E_AUCLIENT_\* error code. | +| 0x8024A000 | WU_E_AU_NOSERVICE | Automatic Updates was unable to service incoming requests.  | +| 0x8024A002 | WU_E_AU_NONLEGACYSERVER | The old version of the Automatic Updates client has stopped because the WSUS server has been upgraded. | +| 0x8024A003 | WU_E_AU_LEGACYCLIENTDISABLED |  The old version of the Automatic Updates client was disabled. | +| 0x8024A004 | WU_E_AU_PAUSED | Automatic Updates was unable to process incoming requests because it was paused. | +| 0x8024A005 | WU_E_AU_NO_REGISTERED_SERVICE |  No unmanaged service is registered with AU. | +| 0x8024AFFF | WU_E_AU_UNEXPECTED |  An Automatic Updates error not covered by another WU_E_AU \* code. | + +## Windows Update UI errors + +| Error code | Message | Description | +|------------|-------------------------------------------|--------------------------------------------------------------------------------------------------------------------------| +| 0x80243001 | WU_E_INSTALLATION_RESULTS_UNKNOWN_VERSION | The results of download and installation could not be read from the registry due to an unrecognized data format version. | +| 0x80243002 | WU_E_INSTALLATION_RESULTS_INVALID_DATA | The results of download and installation could not be read from the registry due to an invalid data format. | +| 0x80243003 | WU_E_INSTALLATION_RESULTS_NOT_FOUND | The results of download and installation are not available; the operation may have failed to start. | +| 0x80243004 |  WU_E_TRAYICON_FAILURE |  A failure occurred when trying to create an icon in the taskbar notification area. | +| 0x80243FFD |  WU_E_NON_UI_MODE |  Unable to show UI when in non-UI mode; WU client UI modules may not be installed.  | +| 0x80243FFE |  WU_E_WUCLTUI_UNSUPPORTED_VERSION |  Unsupported version of WU client UI exported functions.  | +| 0x80243FFF |  WU_E_AUCLIENT_UNEXPECTED |  There was a user interface error not covered by another WU_E_AUCLIENT_\* error code.  | + +## Inventory errors + +| Error code | Message | Description | +|------------|-------------------------------------------|-------------------------------------------------------------------------------| +| 0x80249001 |  WU_E_INVENTORY_PARSEFAILED |  Parsing of the rule file failed.  | +| 0x80249002 |  WU_E_INVENTORY_GET_INVENTORY_TYPE_FAILED |  Failed to get the requested inventory type from the server.  | +| 0x80249003 |  WU_E_INVENTORY_RESULT_UPLOAD_FAILED |  Failed to upload inventory result to the server.  | +| 0x80249004 |  WU_E_INVENTORY_UNEXPECTED |  There was an inventory error not covered by another error code. | +| 0x80249005 |  WU_E_INVENTORY_WMI_ERROR |  A WMI error occurred when enumerating the instances for a particular class.  | + +## Expression evaluator errors + +| Error code | Message | Description | +|-------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------| +| 0x8024E001 |  WU_E_EE_UNKNOWN_EXPRESSION |  An expression evaluator operation could not be completed because an expression was unrecognized. | +| 0x8024E002 |  WU_E_EE_INVALID_EXPRESSION |  An expression evaluator operation could not be completed because an expression was invalid.  | +| 0x8024E003 |  WU_E_EE_MISSING_METADATA |  An expression evaluator operation could not be completed because an expression contains an incorrect number of metadata nodes.  | +| 0x8024E004 |  WU_E_EE_INVALID_VERSION |  An expression evaluator operation could not be completed because the version of the serialized expression data is invalid.  | +|  0x8024E005 |  WU_E_EE_NOT_INITIALIZED |  The expression evaluator could not be initialized. | +|  0x8024E006 |  WU_E_EE_INVALID_ATTRIBUTEDATA |  An expression evaluator operation could not be completed because there was an invalid attribute. | +|  0x8024E007 |  WU_E_EE_CLUSTER_ERROR |  An expression evaluator operation could not be completed because the cluster state of the computer could not be determined.  | +|  0x8024EFFF |  WU_E_EE_UNEXPECTED |  There was an expression evaluator error not covered by another WU_E_EE_\* error code.  | + +## Reporter errors + +| Error code | Message | Description | +|-------------|------------------------------------------|-----------------------------------------------------------------------------------------------------------------------| +|  0x80247001 |  WU_E_OL_INVALID_SCANFILE |  An operation could not be completed because the scan package was invalid. | +| 0x80247002 |  WU_E_OL_NEWCLIENT_REQUIRED |  An operation could not be completed because the scan package requires a greater version of the Windows Update Agent. | +|  0x80247FFF |  WU_E_OL_UNEXPECTED |  Search using the scan package failed.  | +|  0x8024F001 |  WU_E_REPORTER_EVENTCACHECORRUPT |  The event cache file was defective.  | +|  0x8024F002 |  WU_E_REPORTER_EVENTNAMESPACEPARSEFAILED |  The XML in the event namespace descriptor could not be parsed. | +|  0x8024F003 |  WU_E_INVALID_EVENT |  The XML in the event namespace descriptor could not be parsed. | +|  0x8024F004 |  WU_E_SERVER_BUSY |  The server rejected an event because the server was too busy. | +|  0x8024FFFF |  WU_E_REPORTER_UNEXPECTED |  There was a reporter error not covered by another error code.  | + +## Redirector errors +The components that download the Wuredir.cab file and then parse the Wuredir.cab file generate the following errors. + +|Error code|Message|Description | +|-|-|-| +| 0x80245001| WU_E_REDIRECTOR_LOAD_XML| The redirector XML document could not be loaded into the DOM class.  | +| 0x80245002| WU_E_REDIRECTOR_S_FALSE| The redirector XML document is missing some required information. | +| 0x80245003| WU_E_REDIRECTOR_ID_SMALLER| The redirectorId in the downloaded redirector cab is less than in the cached cab.  | +| 0x80245FFF| WU_E_REDIRECTOR_UNEXPECTED| The redirector failed for reasons not covered by another WU_E_REDIRECTOR_* error code.  | + +## Protocol Talker errors +The following errors map to SOAPCLIENT_ERRORs through the Atlsoap.h file. These errors are obtained when the CClientWebService object calls the GetClientError() method. + + +| Error code | Message | Description | +|-------------|---------------------------------|------------------------------------------------------------------------------------------------------------------------------------| +|  0x80244000 |  WU_E_PT_SOAPCLIENT_BASE |  WU_E_PT_SOAPCLIENT_\* error codes map to the SOAPCLIENT_ERROR enum of the ATL Server Library. | +| 0x80244001 |  WU_E_PT_SOAPCLIENT_INITIALIZE |  Same as SOAPCLIENT_INITIALIZE_ERROR - initialization of the SOAP client failed possibly because of an MSXML installation failure. | +|  0x80244002 |  WU_E_PT_SOAPCLIENT_OUTOFMEMORY |  Same as SOAPCLIENT_OUTOFMEMORY - SOAP client failed because it ran out of memory.  | +|  0x80244003 |  WU_E_PT_SOAPCLIENT_GENERATE |  Same as SOAPCLIENT_GENERATE_ERROR - SOAP client failed to generate the request. | +|  0x80244004 |  WU_E_PT_SOAPCLIENT_CONNECT |  Same as SOAPCLIENT_CONNECT_ERROR - SOAP client failed to connect to the server.  | +|  0x80244005 |  WU_E_PT_SOAPCLIENT_SEND |  Same as SOAPCLIENT_SEND_ERROR - SOAP client failed to send a message for reasons of WU_E_WINHTTP_\* error codes. | +|  0x80244006 |  WU_E_PT_SOAPCLIENT_SERVER |  Same as SOAPCLIENT_SERVER_ERROR - SOAP client failed because there was a server error.  | +|  0x80244007 |  WU_E_PT_SOAPCLIENT_SOAPFAULT |  Same as SOAPCLIENT_SOAPFAULT - SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | +|  0x80244008 |  WU_E_PT_SOAPCLIENT_PARSEFAULT |  Same as SOAPCLIENT_PARSEFAULT_ERROR - SOAP client failed to parse a SOAP fault. | +|  0x80244009 |  WU_E_PT_SOAPCLIENT_READ |  Same as SOAPCLIENT_READ_ERROR - SOAP client failed while reading the response from the server. | +|  0x8024400A |  WU_E_PT_SOAPCLIENT_PARSE |  Same as SOAPCLIENT_PARSE_ERROR - SOAP client failed to parse the response from the server.  | + +## Other Protocol Talker errors +The following errors map to SOAP_ERROR_CODEs from the Atlsoap.h file. These errors are obtained from the m_fault.m_soapErrCode member of the CClientWebService object when GetClientError() returns SOAPCLIENT_SOAPFAULT. + + +| Error code | Message | Description | +|-------------|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +|  0x8024400B |  WU_E_PT_SOAP_VERSION |  Same as SOAP_E_VERSION_MISMATCH - SOAP client found an unrecognizable namespace for the SOAP envelope. | +|  0x8024400C |  WU_E_PT_SOAP_MUST_UNDERSTAND |  Same as SOAP_E_MUST_UNDERSTAND - SOAP client was unable to understand a header.  | +|  0x8024400D |  WU_E_PT_SOAP_CLIENT |  Same as SOAP_E_CLIENT - SOAP client found the message was malformed; fix before resending.  | +|  0x8024400E |  WU_E_PT_SOAP_SERVER |  Same as SOAP_E_SERVER - The SOAP message could not be processed due to a server error; resend later.  | +|  0x8024400F |  WU_E_PT_WMI_ERROR |  There was an unspecified Windows Management Instrumentation (WMI) error. | +|  0x80244010 |  WU_E_PT_EXCEEDED_MAX_SERVER_TRIPS |  The number of round trips to the server exceeded the maximum limit.  | +|  0x80244011 |  WU_E_PT_SUS_SERVER_NOT_SET |  WUServer policy value is missing in the registry.  | +|  0x80244012 |  WU_E_PT_DOUBLE_INITIALIZATION |  Initialization failed because the object was already initialized.  | +|  0x80244013 |  WU_E_PT_INVALID_COMPUTER_NAME |  The computer name could not be determined.  | +|  0x80244015 |  WU_E_PT_REFRESH_CACHE_REQUIRED |  The reply from the server indicates that the server was changed or the cookie was invalid; refresh the state of the internal cache and retry. | +|  0x80244016 |  WU_E_PT_HTTP_STATUS_BAD_REQUEST |  Same as HTTP status 400 - the server could not process the request due to invalid syntax.  | +|  0x80244017 |  WU_E_PT_HTTP_STATUS_DENIED |  Same as HTTP status 401 - the requested resource requires user authentication.  | +|  0x80244018 |  WU_E_PT_HTTP_STATUS_FORBIDDEN |  Same as HTTP status 403 - server understood the request but declined to fulfill it. | +|  0x80244019 |  WU_E_PT_HTTP_STATUS_NOT_FOUND |  Same as HTTP status 404 - the server cannot find the requested URI (Uniform Resource Identifier).  | +|  0x8024401A |  WU_E_PT_HTTP_STATUS_BAD_METHOD |  Same as HTTP status 405 - the HTTP method is not allowed.  | +|  0x8024401B |  WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ |  Same as HTTP status 407 - proxy authentication is required.  | +|  0x8024401C |  WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT |  Same as HTTP status 408 - the server timed out waiting for the request.  | +|  0x8024401D |  WU_E_PT_HTTP_STATUS_CONFLICT |  Same as HTTP status 409 - the request was not completed due to a conflict with the current state of the resource.  | +|  0x8024401E |  WU_E_PT_HTTP_STATUS_GONE |  Same as HTTP status 410 - requested resource is no longer available at the server. | +|  0x8024401F |  WU_E_PT_HTTP_STATUS_SERVER_ERROR |  Same as HTTP status 500 - an error internal to the server prevented fulfilling the request.  | +|  0x80244020 |  WU_E_PT_HTTP_STATUS_NOT_SUPPORTED |  Same as HTTP status 500 - server does not support the functionality required to fulfill the request.  | +|  0x80244021 |  WU_E_PT_HTTP_STATUS_BAD_GATEWAY | Same as HTTP status 502 - the server while acting as a gateway or a proxy received an invalid response from the upstream server it accessed in attempting to fulfil the request. | +|  0x80244022 |  WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL |  Same as HTTP status 503 - the service is temporarily overloaded.  | +|  0x80244023 |  WU_E_PT_HTTP_STATUS_GATEWAY_TIMEOUT |  Same as HTTP status 503 - the request was timed out waiting for a gateway.  | +|  0x80244024 |  WU_E_PT_HTTP_STATUS_VERSION_NOT_SUP |  Same as HTTP status 505 - the server does not support the HTTP protocol version used for the request.  | +|  0x80244025 |  WU_E_PT_FILE_LOCATIONS_CHANGED |  Operation failed due to a changed file location; refresh internal state and resend. | +|  0x80244026 |  WU_E_PT_REGISTRATION_NOT_SUPPORTED |  Operation failed because Windows Update Agent does not support registration with a non-WSUS server.  | +|  0x80244027 |  WU_E_PT_NO_AUTH_PLUGINS_REQUESTED |  The server returned an empty authentication information list.  | +|  0x80244028 |  WU_E_PT_NO_AUTH_COOKIES_CREATED |  Windows Update Agent was unable to create any valid authentication cookies.  | +|  0x80244029 |  WU_E_PT_INVALID_CONFIG_PROP |  A configuration property value was wrong.  | +|  0x8024402A |  WU_E_PT_CONFIG_PROP_MISSING |  A configuration property value was missing.  | +|  0x8024402B |  WU_E_PT_HTTP_STATUS_NOT_MAPPED |  The HTTP request could not be completed and the reason did not correspond to any of the WU_E_PT_HTTP_\* error codes.  | +|  0x8024402C |  WU_E_PT_WINHTTP_NAME_NOT_RESOLVED |  Same as ERROR_WINHTTP_NAME_NOT_RESOLVED - the proxy server or target server name cannot be resolved.  | +|  0x8024402F |  WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS |  External cab file processing completed with some errors. | +|  0x80244030 |  WU_E_PT_ECP_INIT_FAILED |  The external cab processor initialization did not complete.  | +|  0x80244031 |  WU_E_PT_ECP_INVALID_FILE_FORMAT |  The format of a metadata file was invalid.  | +|  0x80244032 |  WU_E_PT_ECP_INVALID_METADATA |  External cab processor found invalid metadata.  | +|  0x80244033 |  WU_E_PT_ECP_FAILURE_TO_EXTRACT_DIGEST |  The file digest could not be extracted from an external cab file.  | +|  0x80244034 |  WU_E_PT_ECP_FAILURE_TO_DECOMPRESS_CAB_FILE |  An external cab file could not be decompressed.  | +|  0x80244035 |  WU_E_PT_ECP_FILE_LOCATION_ERROR |  External cab processor was unable to get file locations.  | +|  0x80244FFF |  WU_E_PT_UNEXPECTED |  A communication error not covered by another WU_E_PT_\* error code.  | +|  0x8024502D |  WU_E_PT_SAME_REDIR_ID |  Windows Update Agent failed to download a redirector cabinet file with a new redirectorId value from the server during the recovery.  | +|  0x8024502E |  WU_E_PT_NO_MANAGED_RECOVER |  A redirector recovery action did not complete because the server is managed.  | + +## Download Manager errors + +| Error code | Message | Description | +|-------------|----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------| +|  0x80246001 |  WU_E_DM_URLNOTAVAILABLE |  A download manager operation could not be completed because the requested file does not have a URL.  | +|  0x80246002 |  WU_E_DM_INCORRECTFILEHASH |  A download manager operation could not be completed because the file digest was not recognized.  | +|  0x80246003 |  WU_E_DM_UNKNOWNALGORITHM |  A download manager operation could not be completed because the file metadata requested an unrecognized hash algorithm.  | +|  0x80246004 |  WU_E_DM_NEEDDOWNLOADREQUEST |  An operation could not be completed because a download request is required from the download handler.  | +|  0x80246005 |  WU_E_DM_NONETWORK |  A download manager operation could not be completed because the network connection was unavailable.  | +|  0x80246006 |  WU_E_DM_WRONGBITSVERSION |  A download manager operation could not be completed because the version of Background Intelligent Transfer Service (BITS) is incompatible. | +|  0x80246007 |  WU_E_DM_NOTDOWNLOADED |  The update has not been downloaded.  | +|  0x80246008 |  WU_E_DM_FAILTOCONNECTTOBITS |  A download manager operation failed because the download manager was unable to connect the Background Intelligent Transfer Service (BITS). | +|  0x80246009 | WU_E_DM_BITSTRANSFERERROR |  A download manager operation failed because there was an unspecified Background Intelligent Transfer Service (BITS) transfer error.  | +|  0x8024600A |  WU_E_DM_DOWNLOADLOCATIONCHANGED |  A download must be restarted because the location of the source of the download has changed. | +|  0x8024600B |  WU_E_DM_CONTENTCHANGED |  A download must be restarted because the update content changed in a new revision.  | +|  0x80246FFF |  WU_E_DM_UNEXPECTED |  There was a download manager error not covered by another WU_E_DM_\* error code.  | + +## Update Handler errors + +| Error code | Message | Description | +|-------------|---------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------| +|  0x80242000 |  WU_E_UH_REMOTEUNAVAILABLE | 9 A request for a remote update handler could not be completed because no remote process is available.  | +|  0x80242001 |  WU_E_UH_LOCALONLY |  A request for a remote update handler could not be completed because the handler is local only.  | +|  0x80242002 |  WU_E_UH_UNKNOWNHANDLER |  A request for an update handler could not be completed because the handler could not be recognized.  | +|  0x80242003 |  WU_E_UH_REMOTEALREADYACTIVE |  A remote update handler could not be created because one already exists.  | +|  0x80242004 |  WU_E_UH_DOESNOTSUPPORTACTION |  A request for the handler to install (uninstall) an update could not be completed because the update does not support install (uninstall). | +|  0x80242005 |  WU_E_UH_WRONGHANDLER |  An operation did not complete because the wrong handler was specified.  | +|  0x80242006 |  WU_E_UH_INVALIDMETADATA |  A handler operation could not be completed because the update contains invalid metadata.  | +|  0x80242007 |  WU_E_UH_INSTALLERHUNG |  An operation could not be completed because the installer exceeded the time limit.  | +|  0x80242008 |  WU_E_UH_OPERATIONCANCELLED |  An operation being done by the update handler was cancelled.  | +|  0x80242009 |  WU_E_UH_BADHANDLERXML |  An operation could not be completed because the handler-specific metadata is invalid.  | +| 0x8024200A |  WU_E_UH_CANREQUIREINPUT |  A request to the handler to install an update could not be completed because the update requires user input.  | +|  0x8024200B |  WU_E_UH_INSTALLERFAILURE |  The installer failed to install (uninstall) one or more updates.  | +|  0x8024200C |  WU_E_UH_FALLBACKTOSELFCONTAINED |  The update handler should download self-contained content rather than delta-compressed content for the update.  | +|  0x8024200D |  WU_E_UH_NEEDANOTHERDOWNLOAD |  The update handler did not install the update because it needs to be downloaded again.  | +|  0x8024200E |  WU_E_UH_NOTIFYFAILURE |  The update handler failed to send notification of the status of the install (uninstall) operation.  | +|  0x8024200F | WU_E_UH_INCONSISTENT_FILE_NAMES |  The file names contained in the update metadata and in the update package are inconsistent.  | +|  0x80242010 |  WU_E_UH_FALLBACKERROR |  The update handler failed to fall back to the self-contained content.  | +|  0x80242011 |  WU_E_UH_TOOMANYDOWNLOADREQUESTS |  The update handler has exceeded the maximum number of download requests.  | +|  0x80242012 |  WU_E_UH_UNEXPECTEDCBSRESPONSE |  The update handler has received an unexpected response from CBS.  | +|  0x80242013 |  WU_E_UH_BADCBSPACKAGEID |  The update metadata contains an invalid CBS package identifier.  | +|  0x80242014 |  WU_E_UH_POSTREBOOTSTILLPENDING |  The post-reboot operation for the update is still in progress.  | +|  0x80242015 |  WU_E_UH_POSTREBOOTRESULTUNKNOWN |  The result of the post-reboot operation for the update could not be determined.  | +|  0x80242016 |  WU_E_UH_POSTREBOOTUNEXPECTEDSTATE |  The state of the update after its post-reboot operation has completed is unexpected.  | +|  0x80242017 |  WU_E_UH_NEW_SERVICING_STACK_REQUIRED |  The OS servicing stack must be updated before this update is downloaded or installed.  | +|  0x80242FFF |  WU_E_UH_UNEXPECTED |  An update handler error not covered by another WU_E_UH_\* code.  | + +## Data Store errors + +| Error code | Message | Description | +|-------------|-------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +|  0x80248000 |  WU_E_DS_SHUTDOWN |  An operation failed because Windows Update Agent is shutting down.  | +|  0x80248001 |  WU_E_DS_INUSE |  An operation failed because the data store was in use. | +|  0x80248002 |  WU_E_DS_INVALID |  The current and expected states of the data store do not match. | +|  0x80248003 |  WU_E_DS_TABLEMISSING |  The data store is missing a table.  | +|  0x80248004 |  WU_E_DS_TABLEINCORRECT |  The data store contains a table with unexpected columns.  | +|  0x80248005 |  WU_E_DS_INVALIDTABLENAME |  A table could not be opened because the table is not in the data store.  | +|  0x80248006 |  WU_E_DS_BADVERSION |  The current and expected versions of the data store do not match.  | +|  0x80248007 |  WU_E_DS_NODATA |  The information requested is not in the data store.  | +|  0x80248008 |  WU_E_DS_MISSINGDATA |  The data store is missing required information or has a NULL in a table column that requires a non-null value.  | +|  0x80248009 |  WU_E_DS_MISSINGREF |  The data store is missing required information or has a reference to missing license terms file localized property or linked row. | +|  0x8024800A |  WU_E_DS_UNKNOWNHANDLER |  The update was not processed because its update handler could not be recognized.  | +|  0x8024800B |  WU_E_DS_CANTDELETE |  The update was not deleted because it is still referenced by one or more services.  | +|  0x8024800C |  WU_E_DS_LOCKTIMEOUTEXPIRED |  The data store section could not be locked within the allotted time.  | +|  0x8024800D |  WU_E_DS_NOCATEGORIES |  The category was not added because it contains no parent categories and is not a top-level category itself.  | +|  0x8024800E |  WU_E_DS_ROWEXISTS |  The row was not added because an existing row has the same primary key.  | +|  0x8024800F |  WU_E_DS_STOREFILELOCKED |  The data store could not be initialized because it was locked by another process.  | +|  0x80248010 |  WU_E_DS_CANNOTREGISTER |  The data store is not allowed to be registered with COM in the current process.  | +|  0x80248011 | WU_E_DS_UNABLETOSTART |  Could not create a data store object in another process.  | +|  0x80248013 |  WU_E_DS_DUPLICATEUPDATEID | The server sent the same update to the client with two different revision IDs.  | +|  0x80248014 | WU_E_DS_UNKNOWNSERVICE |  An operation did not complete because the service is not in the data store.  | +| 0x80248015 | WU_E_DS_SERVICEEXPIRED | An operation did not complete because the registration of the service has expired.  | +| 0x80248016 |  WU_E_DS_DECLINENOTALLOWED |  A request to hide an update was declined because it is a mandatory update or because it was deployed with a deadline.  | +| 0x80248017 |  WU_E_DS_TABLESESSIONMISMATCH |  A table was not closed because it is not associated with the session.  | +| 0x80248018 |  WU_E_DS_SESSIONLOCKMISMATCH |  A table was not closed because it is not associated with the session.  | +| 0x80248019 |  WU_E_DS_NEEDWINDOWSSERVICE |  A request to remove the Windows Update service or to unregister it with Automatic Updates was declined because it is a built-in service and/or Automatic Updates cannot fall back to another service.  | +| 0x8024801A |  WU_E_DS_INVALIDOPERATION |  A request was declined because the operation is not allowed.  | +| 0x8024801B |  WU_E_DS_SCHEMAMISMATCH |  The schema of the current data store and the schema of a table in a backup XML document do not match.  | +| 0x8024801C |  WU_E_DS_RESETREQUIRED |  The data store requires a session reset; release the session and retry with a new session.  | +| 0x8024801D |  WU_E_DS_IMPERSONATED |  A data store operation did not complete because it was requested with an impersonated identity.  | +| 0x80248FFF |  WU_E_DS_UNEXPECTED |  A data store error not covered by another WU_E_DS_\* code.  | + +## Driver Util errors +The PnP enumerated device is removed from the System Spec because one of the hardware IDs or the compatible IDs matches an installed printer driver. This is not a fatal error, and the device is merely skipped. + +|Error code|Message|Description +|-|-|-| +| 0x8024C001 | WU_E_DRV_PRUNED| A driver was skipped.  +| 0x8024C002 |WU_E_DRV_NOPROP_OR_LEGACY| A property for the driver could not be found. It may not conform with required specifications.  +| 0x8024C003 | WU_E_DRV_REG_MISMATCH| The registry type read for the driver does not match the expected type.  +| 0x8024C004 | WU_E_DRV_NO_METADATA| The driver update is missing metadata.  +| 0x8024C005 | WU_E_DRV_MISSING_ATTRIBUTE| The driver update is missing a required attribute.  +| 0x8024C006| WU_E_DRV_SYNC_FAILED| Driver synchronization failed.  +| 0x8024C007 | WU_E_DRV_NO_PRINTER_CONTENT| Information required for the synchronization of applicable printers is missing.  +| 0x8024CFFF | WU_E_DRV_UNEXPECTED| A driver error not covered by another WU_E_DRV_* code.  + +## Windows Update error codes + +|Error code|Message|Description +|-|-|-| +| 0x80240001 | WU_E_NO_SERVICE| Windows Update Agent was unable to provide the service.  +| 0x80240002 | WU_E_MAX_CAPACITY_REACHED | The maximum capacity of the service was exceeded.  +| 0x80240003 | WU_E_UNKNOWN_ID| An ID cannot be found.  +| 0x80240004 | WU_E_NOT_INITIALIZED| The object could not be initialized.  +| 0x80240005 | WU_E_RANGEOVERLAP |The update handler requested a byte range overlapping a previously requested range.  +| 0x80240006 | WU_E_TOOMANYRANGES| The requested number of byte ranges exceeds the maximum number (2^31 - 1).  +| 0x80240007 | WU_E_INVALIDINDEX| The index to a collection was invalid.  +| 0x80240008 | WU_E_ITEMNOTFOUND| The key for the item queried could not be found.  +| 0x80240009 | WU_E_OPERATIONINPROGRESS| Another conflicting operation was in progress. Some operations such as installation cannot be performed twice simultaneously.  +| 0x8024000A | WU_E_COULDNOTCANCEL| Cancellation of the operation was not allowed.  +| 0x8024000B | WU_E_CALL_CANCELLED| Operation was cancelled.  +| 0x8024000C | WU_E_NOOP| No operation was required.  +| 0x8024000D | WU_E_XML_MISSINGDATA| Windows Update Agent could not find required information in the update's XML data.  +| 0x8024000E | WU_E_XML_INVALID| Windows Update Agent found invalid information in the update's XML data.  +| 0x8024000F | WU_E_CYCLE_DETECTED | Circular update relationships were detected in the metadata.  +| 0x80240010 | WU_E_TOO_DEEP_RELATION| Update relationships too deep to evaluate were evaluated.  +| 0x80240011 | WU_E_INVALID_RELATIONSHIP| An invalid update relationship was detected.  +| 0x80240012 | WU_E_REG_VALUE_INVALID| An invalid registry value was read.  +| 0x80240013 | WU_E_DUPLICATE_ITEM| Operation tried to add a duplicate item to a list.  +| 0x80240016 | WU_E_INSTALL_NOT_ALLOWED| Operation tried to install while another installation was in progress or the system was pending a mandatory restart.  +| 0x80240017 | WU_E_NOT_APPLICABLE| Operation was not performed because there are no applicable updates.  +| 0x80240018 | WU_E_NO_USERTOKEN| Operation failed because a required user token is missing.  +| 0x80240019 | WU_E_EXCLUSIVE_INSTALL_CONFLICT| An exclusive update cannot be installed with other updates at the same time.  +| 0x8024001A | WU_E_POLICY_NOT_SET | A policy value was not set.  +| 0x8024001B | WU_E_SELFUPDATE_IN_PROGRESS| The operation could not be performed because the Windows Update Agent is self-updating.  +| 0x8024001D | WU_E_INVALID_UPDATE| An update contains invalid metadata.  +| 0x8024001E | WU_E_SERVICE_STOP| Operation did not complete because the service or system was being shut down.  +| 0x8024001F | WU_E_NO_CONNECTION| Operation did not complete because the network connection was unavailable.  +| 0x80240020 | WU_E_NO_INTERACTIVE_USER| Operation did not complete because there is no logged-on interactive user.  +| 0x80240021 | WU_E_TIME_OUT| Operation did not complete because it timed out.  +| 0x80240022 | WU_E_ALL_UPDATES_FAILED| Operation failed for all the updates.  +| 0x80240023 | WU_E_EULAS_DECLINED| The license terms for all updates were declined.  +| 0x80240024 | WU_E_NO_UPDATE| There are no updates.  +| 0x80240025 | WU_E_USER_ACCESS_DISABLED| Group Policy settings prevented access to Windows Update.  +| 0x80240026 | WU_E_INVALID_UPDATE_TYPE| The type of update is invalid.  +| 0x80240027 | WU_E_URL_TOO_LONG| The URL exceeded the maximum length.  +| 0x80240028 | WU_E_UNINSTALL_NOT_ALLOWED| The update could not be uninstalled because the request did not originate from a WSUS server.  +| 0x80240029 | WU_E_INVALID_PRODUCT_LICENSE| Search may have missed some updates before there is an unlicensed application on the system.  +| 0x8024002A | WU_E_MISSING_HANDLER| A component required to detect applicable updates was missing.  +| 0x8024002B | WU_E_LEGACYSERVER| An operation did not complete because it requires a newer version of server.  +| 0x8024002C | WU_E_BIN_SOURCE_ABSENT| A delta-compressed update could not be installed because it required the source.  +| 0x8024002D | WU_E_SOURCE_ABSENT| A full-file update could not be installed because it required the source.  +| 0x8024002E | WU_E_WU_DISABLED| Access to an unmanaged server is not allowed.  +| 0x8024002F | WU_E_CALL_CANCELLED_BY_POLICY| Operation did not complete because the DisableWindowsUpdateAccess policy was set.  +| 0x80240030 | WU_E_INVALID_PROXY_SERVER| The format of the proxy list was invalid.  +| 0x80240031 | WU_E_INVALID_FILE| The file is in the wrong format.  +| 0x80240032 | WU_E_INVALID_CRITERIA| The search criteria string was invalid.  +| 0x80240033 | WU_E_EULA_UNAVAILABLE| License terms could not be downloaded.  +| 0x80240034 | WU_E_DOWNLOAD_FAILED| Update failed to download.  +| 0x80240035 | WU_E_UPDATE_NOT_PROCESSED| The update was not processed.  +| 0x80240036 | WU_E_INVALID_OPERATION| The object's current state did not allow the operation.  +| 0x80240037 | WU_E_NOT_SUPPORTED| The functionality for the operation is not supported.  +| 0x80240038 | WU_E_WINHTTP_INVALID_FILE| The downloaded file has an unexpected content type.  +| 0x80240039 | WU_E_TOO_MANY_RESYNC| Agent is asked by server to resync too many times.  +| 0x80240040 | WU_E_NO_SERVER_CORE_SUPPORT| WUA API method does not run on Server Core installation.  +| 0x80240041 | WU_E_SYSPREP_IN_PROGRESS| Service is not available while sysprep is running.  +| 0x80240042 | WU_E_UNKNOWN_SERVICE| The update service is no longer registered with AU.  +| 0x80240043 | WU_E_NO_UI_SUPPORT| There is no support for WUA UI.  +| 0x80240FFF | WU_E_UNEXPECTED| An operation failed due to reasons not covered by another error code.  + +## Windows Update success codes + +|Error code|Message|Description +|-|-|-| +| 0x00240001| WU_S_SERVICE_STOP| Windows Update Agent was stopped successfully.  +| 0x00240002 | WU_S_SELFUPDATE| Windows Update Agent updated itself.  +| 0x00240003 | WU_S_UPDATE_ERROR| Operation completed successfully but there were errors applying the updates.  +| 0x00240004 | WU_S_MARKED_FOR_DISCONNECT| A callback was marked to be disconnected later because the request to disconnect the operation came while a callback was executing.  +| 0x00240005 | WU_S_REBOOT_REQUIRED| The system must be restarted to complete installation of the update.  +| 0x00240006 | WU_S_ALREADY_INSTALLED| The update to be installed is already installed on the system.  +| 0x00240007 | WU_S_ALREADY_UNINSTALLED | The update to be removed is not installed on the system.  +| 0x00240008 | WU_S_ALREADY_DOWNLOADED| The update to be downloaded has already been downloaded.  + +## Windows Installer minor errors +The following errors are used to indicate that part of a search fails because of Windows Installer problems. Another part of the search may successfully return updates. All Windows Installer minor codes must share the same error code range so that the caller can tell that they are related to Windows Installer. + +|Error code|Message|Description +|-|-|-| +| 0x80241001 |WU_E_MSI_WRONG_VERSION| Search may have missed some updates because the Windows Installer is less than version 3.1.  +| 0x80241002 | WU_E_MSI_NOT_CONFIGURED| Search may have missed some updates because the Windows Installer is not configured.  +| 0x80241003 | WU_E_MSP_DISABLED| Search may have missed some updates because policy has disabled Windows Installer patching.  +| 0x80241004 | WU_E_MSI_WRONG_APP_CONTEXT| An update could not be applied because the application is installed per-user.  +| 0x80241FFF | WU_E_MSP_UNEXPECTED| Search may have missed some updates because there was a failure of the Windows Installer.  + +## Windows Update Agent update and setup errors + +|Error code|Message|Description +|-|-|-| +| 0x8024D001 | WU_E_SETUP_INVALID_INFDATA| Windows Update Agent could not be updated because an INF file contains invalid information.  +| 0x8024D002 | WU_E_SETUP_INVALID_IDENTDATA| Windows Update Agent could not be updated because the wuident.cab file contains invalid information.  +| 0x8024D003 | WU_E_SETUP_ALREADY_INITIALIZED| Windows Update Agent could not be updated because of an internal error that caused setup initialization to be performed twice.  +| 0x8024D004 | WU_E_SETUP_NOT_INITIALIZED| Windows Update Agent could not be updated because setup initialization never completed successfully.  +| 0x8024D005 | WU_E_SETUP_SOURCE_VERSION_MISMATCH| Windows Update Agent could not be updated because the versions specified in the INF do not match the actual source file versions.  +| 0x8024D006 | WU_E_SETUP_TARGET_VERSION_GREATER| Windows Update Agent could not be updated because a WUA file on the target system is newer than the corresponding source file.  +| 0x8024D007 | WU_E_SETUP_REGISTRATION_FAILED| Windows Update Agent could not be updated because regsvr32.exe returned an error.  +| 0x8024D009 | WU_E_SETUP_SKIP_UPDATE| An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file.  +| 0x8024D00A | WU_E_SETUP_UNSUPPORTED_CONFIGURATION| Windows Update Agent could not be updated because the current system configuration is not supported.  +| 0x8024D00B | WU_E_SETUP_BLOCKED_CONFIGURATION| Windows Update Agent could not be updated because the system is configured to block the update.  +| 0x8024D00C | WU_E_SETUP_REBOOT_TO_FIX| Windows Update Agent could not be updated because a restart of the system is required.  +| 0x8024D00D | WU_E_SETUP_ALREADYRUNNING| Windows Update Agent setup is already running.  +| 0x8024D00E | WU_E_SETUP_REBOOTREQUIRED| Windows Update Agent setup package requires a reboot to complete installation.  +| 0x8024D00F | WU_E_SETUP_HANDLER_EXEC_FAILURE| Windows Update Agent could not be updated because the setup handler failed during execution.  +| 0x8024D010 | WU_E_SETUP_INVALID_REGISTRY_DATA| Windows Update Agent could not be updated because the registry contains invalid information.  +| 0x8024D013 | WU_E_SETUP_WRONG_SERVER_VERSION| Windows Update Agent could not be updated because the server does not contain update information for this version.  +| 0x8024DFFF | WU_E_SETUP_UNEXPECTED| Windows Update Agent could not be updated because of an error not covered by another WU_E_SETUP_* error code.  diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md index 7d473f04c2..b39238347d 100644 --- a/windows/deployment/update/windows-update-errors.md +++ b/windows/deployment/update/windows-update-errors.md @@ -1,40 +1,40 @@ ---- -title: Windows Update common errors and mitigation -description: Learn about some common issues you might experience with Windows Update -ms.prod: w10 -ms.mktglfcycl: -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greg-lindsay -ms.date: 09/18/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Windows Update common errors and mitigation - ->Applies to: Windows 10 - -The following table provides information about common errors you might run into with Windows Update, as well as steps to help you mitigate them. - - -| Error Code | Message | Description | Mitigation | -|------------------------------------------|-----------------------------------|-----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0x8024402F | WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
          The IP addresses of the computers you want to get updates successfully on, should be added to the exceptions list of Lightspeed | -| 0x80242006 | WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
          Rename the following folders to \*.BAK:
          - %systemroot%\system32\catroot2

          To do this, type the following commands at a command prompt. Press ENTER after you type each command.
          - Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
          - Ren %systemroot%\SoftwareDistribution\Download \*.bak
          Ren %systemroot%\system32\catroot2 \*.bak | -| 0x80070BC9 | ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that we do not have any policies that control the start behavior for the Windows Module Installer. This service should not be hardened to any start value and should be managed by the OS. | -| 0x80200053 | BG_E_VALIDATION_FAILED | NA | Ensure that there is no Firewalls that filter downloads. The Firewall filtering may lead to invalid responses being received by the Windows Update Client.

          If the issue still persists, run the [WU reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc). | -| 0x80072EE2 | WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to Internet. To fix this issue, following these steps: make sure these URLs are not blocked:
          http://.update.microsoft.com
          https://          .update.microsoft.com


          Additionally , you can take a network trace and see what is timing out. \ | -| 0x80072EFD
          0x80072EFE 
          0x80D02002 | TIME OUT ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
          Take a network monitor trace to understand better. \ | -| 0X8007000D | ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred. | Attempt to re-download the update and initiate installation. | -| 0x8024A10A | USO_E_SERVICE_SHUTTING_DOWN | Indicates that the WU Service is shutting down. | This may happen due to a very long period of time of inactivity, a system hang leading to the service being idle and leading to the shutdown of the service. Ensure that the system remains active and the connections remain established to complete the upgrade. | -| 0x80240020 | WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Please login to the system to initiate the installation and allow the system to be rebooted. | -| 0x80242014 | WU_E_UH_POSTREBOOTSTILLPENDING | The post-reboot operation for the update is still in progress. | Some Windows Updates require the system to be restarted. Reboot the system to complete the installation of the Updates. | -| 0x80246017 | WU_E_DM_UNAUTHORIZED_LOCAL_USER | The download failed because the local user was denied authorization to download the content. | Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator). | -| 0x8024000B | WU_E_CALL_CANCELLED | Operation was cancelled. | This indicates that the operation was cancelled by the user/service. You may also encounter this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | -| 0x8024000E | WU_E_XML_INVALID | Windows Update Agent found invalid information in the update's XML data. | Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. Ensure that you have the latest Windows Update Agent installed on the machine. | -| 0x8024D009 | WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. | You may encounter this error when WSUS is not sending the Self-update to the clients.

          Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. | -| 0x80244007 | WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows cannot renew the cookies for Windows Update.

          Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | - +--- +title: Windows Update common errors and mitigation +description: Learn about some common issues you might experience with Windows Update +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.date: 09/18/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Windows Update common errors and mitigation + +>Applies to: Windows 10 + +The following table provides information about common errors you might run into with Windows Update, as well as steps to help you mitigate them. + + +| Error Code | Message | Description | Mitigation | +|------------------------------------------|-----------------------------------|-----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0x8024402F | WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
          The IP addresses of the computers you want to get updates successfully on, should be added to the exceptions list of Lightspeed | +| 0x80242006 | WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
          Rename the following folders to \*.BAK:
          - %systemroot%\system32\catroot2

          To do this, type the following commands at a command prompt. Press ENTER after you type each command.
          - Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
          - Ren %systemroot%\SoftwareDistribution\Download \*.bak
          Ren %systemroot%\system32\catroot2 \*.bak | +| 0x80070BC9 | ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that we do not have any policies that control the start behavior for the Windows Module Installer. This service should not be hardened to any start value and should be managed by the OS. | +| 0x80200053 | BG_E_VALIDATION_FAILED | NA | Ensure that there is no Firewalls that filter downloads. The Firewall filtering may lead to invalid responses being received by the Windows Update Client.

          If the issue still persists, run the [WU reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc). | +| 0x80072EE2 | WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to Internet. To fix this issue, following these steps: make sure these URLs are not blocked:
          http://.update.microsoft.com
          https://          .update.microsoft.com


          Additionally , you can take a network trace and see what is timing out. \ | +| 0x80072EFD
          0x80072EFE 
          0x80D02002 | TIME OUT ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
          Take a network monitor trace to understand better. \ | +| 0X8007000D | ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred. | Attempt to re-download the update and initiate installation. | +| 0x8024A10A | USO_E_SERVICE_SHUTTING_DOWN | Indicates that the WU Service is shutting down. | This may happen due to a very long period of time of inactivity, a system hang leading to the service being idle and leading to the shutdown of the service. Ensure that the system remains active and the connections remain established to complete the upgrade. | +| 0x80240020 | WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Please login to the system to initiate the installation and allow the system to be rebooted. | +| 0x80242014 | WU_E_UH_POSTREBOOTSTILLPENDING | The post-reboot operation for the update is still in progress. | Some Windows Updates require the system to be restarted. Reboot the system to complete the installation of the Updates. | +| 0x80246017 | WU_E_DM_UNAUTHORIZED_LOCAL_USER | The download failed because the local user was denied authorization to download the content. | Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator). | +| 0x8024000B | WU_E_CALL_CANCELLED | Operation was cancelled. | This indicates that the operation was cancelled by the user/service. You may also encounter this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | +| 0x8024000E | WU_E_XML_INVALID | Windows Update Agent found invalid information in the update's XML data. | Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. Ensure that you have the latest Windows Update Agent installed on the machine. | +| 0x8024D009 | WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. | You may encounter this error when WSUS is not sending the Self-update to the clients.

          Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. | +| 0x80244007 | WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows cannot renew the cookies for Windows Update.

          Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | + diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md index 233ad50d7b..7eec34d793 100644 --- a/windows/deployment/update/windows-update-logs.md +++ b/windows/deployment/update/windows-update-logs.md @@ -1,147 +1,147 @@ ---- -title: Windows Update log files -description: Learn about the Windows Update log files -ms.prod: w10 -ms.mktglfcycl: -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greg-lindsay -ms.date: 09/18/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Windows Update log files - ->Applies to: Windows 10 - -The following table describes the log files created by Windows Update. - - -|Log file|Location|Description|When to Use | -|-|-|-|-| -|windowsupdate.log|C:\Windows\Logs\WindowsUpdate|Starting in Windows 8.1 and continuing in Windows 10, Windows Update client uses Event Tracing for Windows (ETW) to generate diagnostic logs.|If you receive an error message when you run Windows Update (WU), you can use the information that is included in the Windowsupdate.log log file to troubleshoot the issue.| -|UpdateSessionOrchestration.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the Update Orchestrator is responsible for sequence of downloading and installing various update types from Windows Update. And the events are logged to these etl files.|When you see that the updates are available but download is not getting triggered.
          When Updates are downloaded but installation is not triggered.
          When Updates are installed but reboot is not triggered. | -|NotificationUxBroker.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the notification toast or the banner is triggered by this NotificationUxBroker.exe . And the logs to check its working is this etl. |When you want to check whether the Notification was triggered or not for reboot or update availability etc. | -|CBS.log|%systemroot%\Logs\CBS|This logs provides insight on the update installation part in the servicing stack.|To troubleshoot the issues related to WU installation.| - -## Generating WindowsUpdate.log -To merge and convert WU trace files (.etl files) into a single readable WindowsUpdate.log file, see [Get-WindowsUpdateLog](https://docs.microsoft.com/powershell/module/windowsupdate/get-windowsupdatelog?view=win10-ps). - ->[!NOTE] ->When you run the **Get-WindowsUpdateLog** cmdlet, an copy of WindowsUpdate.log file is created as a static log file. It does not update as the old WindowsUpate.log unless you run **Get-WindowsUpdateLog** again. - -### Windows Update log components -The WU engine has different component names. The following are some of the most common components that appear in the WindowsUpdate.log file: - -- AGENT- Windows Update agent -- AU - Automatic Updates is performing this task -- AUCLNT- Interaction between AU and the logged-on user -- CDM- Device Manager -- CMPRESS- Compression agent -- COMAPI- Windows Update API -- DRIVER- Device driver information -- DTASTOR- Handles database transactions -- EEHNDLER- Expression handler that's used to evaluate update applicability -- HANDLER- Manages the update installers -- MISC- General service information -- OFFLSNC- Detects available updates without network connection -- PARSER- Parses expression information -- PT- Synchronizes updates information to the local datastore -- REPORT- Collects reporting information -- SERVICE- Startup/shutdown of the Automatic Updates service -- SETUP- Installs new versions of the Windows Update client when it is available -- SHUTDWN- Install at shutdown feature -- WUREDIR- The Windows Update redirector files -- WUWEB- The Windows Update ActiveX control -- ProtocolTalker - Client-server sync -- DownloadManager - Creates and monitors payload downloads -- Handler, Setup - Installer handlers (CBS, and so on) -- EEHandler - Evaluating update applicability rules -- DataStore - Caching update data locally -- IdleTimer - Tracking active calls, stopping a service - ->[!NOTE] ->Many component log messages are invaluable if you are looking for problems in that specific area. However, they can be useless if you don't filter to exclude irrelevant components so that you can focus on what’s important. - -### Windows Update log structure -The Windows update log structure is separated into four main identities: - -- Time Stamps -- Process ID and Thread ID -- Component Name -- Update Identifiers - - Update ID and Revision Number - - Revision ID - - Local ID - - Inconsistent terminology - -The WindowsUpdate.log structure is discussed in the following sections. - -#### Time stamps -The time stamp indicates the time at which the logging occurs. -- Messages are usually in chronological order, but there may be exceptions. -- A pause during a sync can indicate a network problem, even if the scan succeeds. -- A long pause near the end of a scan can indicate a supersedence chain issue. - ![Windows Update time stamps](images/update-time-log.png) - - -#### Process ID and thread ID -The Process IDs and Thread IDs are random, and they can vary from log to log and even from service session to service session within the same log. -- The first four hex digits are the process ID. -- The next four hex digits are the thread ID. -- Each component, such as the USO, WU engine, COM API callers, and WU installer handlers, has its own process ID. - ![Windows Update process and thread IDs](images/update-process-id.png) - - -#### Component name -Search for and identify the components that are associated with the IDs. Different parts of the WU engine have different component names. Some of them are as follows: - -- ProtocolTalker - Client-server sync -- DownloadManager - Creates and monitors payload downloads -- Handler, Setup - Installer handlers (CBS, etc.) -- EEHandler - Evaluating update applicability rules -- DataStore - Caching update data locally -- IdleTimer - Tracking active calls, stopping service - -![Windows Update component name](images/update-component-name.png) - - -#### Update identifiers - -##### Update ID and revision number -There are different identifiers for the same update in different contexts. It’s important to know the identifier schemes. -- Update ID: A GUID (indicated in the previous screen shot) that's assigned to a given update at publication time -- Revision number: A number incremented every time that a given update (that has a given update ID) is modified and republished on a service -- Revision numbers are reused from one update to another (not a unique identifier). -- The update ID and revision number are often shown together as "{GUID}.revision." - ![Windows Update update identifiers](images/update-update-id.png) - - -##### Revision ID -- A Revision ID (do no confuse this with “revision number”) is a serial number that's issued when an update is initially published or revised on a given service. -- An existing update that’s revised keeps the same update ID (GUID), has its revision number incremented (for example, from 100 to 101), but gets a completely new revision ID that is not related to the previous ID. -- Revision IDs are unique on a given update source, but not across multiple sources. -- The same update revision may have completely different revision IDs on WU and WSUS. -- The same revision ID may represent different updates on WU and WSUS. - -##### Local ID -- Local ID is a serial number issued when an update is received from a service by a given WU client -- Usually seen in debug logs, especially involving the local cache for update info (Datastore) -- Different client PCs will assign different Local IDs to the same update -- You can find the local IDs that a client is using by getting the client’s %WINDIR%\SoftwareDistribution\Datastore\Datastore.edb file - -##### Inconsistent terminology -- Sometimes the logs use terms inconsistently. For example, the InstalledNonLeafUpdateIDs list actually contains revision IDs, not update IDs. -- Recognize IDs by form and context: - - - GUIDs are update IDs - - Small integers that appear alongside an update ID are revision numbers - - Large integers are typically revision IDs - - Small integers (especially in Datastore) can be local IDs - ![Windows Update inconsisten terminology](images/update-inconsistent.png) - -## Windows Setup log files analysis using SetupDiag tool -SetupDiag is a diagnostic tool that can be used for analysis of logs related to installation of Windows Updates. For detailed information, see [SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag). +--- +title: Windows Update log files +description: Learn about the Windows Update log files +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.date: 09/18/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Windows Update log files + +>Applies to: Windows 10 + +The following table describes the log files created by Windows Update. + + +|Log file|Location|Description|When to Use | +|-|-|-|-| +|windowsupdate.log|C:\Windows\Logs\WindowsUpdate|Starting in Windows 8.1 and continuing in Windows 10, Windows Update client uses Event Tracing for Windows (ETW) to generate diagnostic logs.|If you receive an error message when you run Windows Update (WU), you can use the information that is included in the Windowsupdate.log log file to troubleshoot the issue.| +|UpdateSessionOrchestration.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the Update Orchestrator is responsible for sequence of downloading and installing various update types from Windows Update. And the events are logged to these etl files.|When you see that the updates are available but download is not getting triggered.
          When Updates are downloaded but installation is not triggered.
          When Updates are installed but reboot is not triggered. | +|NotificationUxBroker.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the notification toast or the banner is triggered by this NotificationUxBroker.exe . And the logs to check its working is this etl. |When you want to check whether the Notification was triggered or not for reboot or update availability etc. | +|CBS.log|%systemroot%\Logs\CBS|This logs provides insight on the update installation part in the servicing stack.|To troubleshoot the issues related to WU installation.| + +## Generating WindowsUpdate.log +To merge and convert WU trace files (.etl files) into a single readable WindowsUpdate.log file, see [Get-WindowsUpdateLog](https://docs.microsoft.com/powershell/module/windowsupdate/get-windowsupdatelog?view=win10-ps). + +>[!NOTE] +>When you run the **Get-WindowsUpdateLog** cmdlet, an copy of WindowsUpdate.log file is created as a static log file. It does not update as the old WindowsUpate.log unless you run **Get-WindowsUpdateLog** again. + +### Windows Update log components +The WU engine has different component names. The following are some of the most common components that appear in the WindowsUpdate.log file: + +- AGENT- Windows Update agent +- AU - Automatic Updates is performing this task +- AUCLNT- Interaction between AU and the logged-on user +- CDM- Device Manager +- CMPRESS- Compression agent +- COMAPI- Windows Update API +- DRIVER- Device driver information +- DTASTOR- Handles database transactions +- EEHNDLER- Expression handler that's used to evaluate update applicability +- HANDLER- Manages the update installers +- MISC- General service information +- OFFLSNC- Detects available updates without network connection +- PARSER- Parses expression information +- PT- Synchronizes updates information to the local datastore +- REPORT- Collects reporting information +- SERVICE- Startup/shutdown of the Automatic Updates service +- SETUP- Installs new versions of the Windows Update client when it is available +- SHUTDWN- Install at shutdown feature +- WUREDIR- The Windows Update redirector files +- WUWEB- The Windows Update ActiveX control +- ProtocolTalker - Client-server sync +- DownloadManager - Creates and monitors payload downloads +- Handler, Setup - Installer handlers (CBS, and so on) +- EEHandler - Evaluating update applicability rules +- DataStore - Caching update data locally +- IdleTimer - Tracking active calls, stopping a service + +>[!NOTE] +>Many component log messages are invaluable if you are looking for problems in that specific area. However, they can be useless if you don't filter to exclude irrelevant components so that you can focus on what’s important. + +### Windows Update log structure +The Windows update log structure is separated into four main identities: + +- Time Stamps +- Process ID and Thread ID +- Component Name +- Update Identifiers + - Update ID and Revision Number + - Revision ID + - Local ID + - Inconsistent terminology + +The WindowsUpdate.log structure is discussed in the following sections. + +#### Time stamps +The time stamp indicates the time at which the logging occurs. +- Messages are usually in chronological order, but there may be exceptions. +- A pause during a sync can indicate a network problem, even if the scan succeeds. +- A long pause near the end of a scan can indicate a supersedence chain issue. + ![Windows Update time stamps](images/update-time-log.png) + + +#### Process ID and thread ID +The Process IDs and Thread IDs are random, and they can vary from log to log and even from service session to service session within the same log. +- The first four hex digits are the process ID. +- The next four hex digits are the thread ID. +- Each component, such as the USO, WU engine, COM API callers, and WU installer handlers, has its own process ID. + ![Windows Update process and thread IDs](images/update-process-id.png) + + +#### Component name +Search for and identify the components that are associated with the IDs. Different parts of the WU engine have different component names. Some of them are as follows: + +- ProtocolTalker - Client-server sync +- DownloadManager - Creates and monitors payload downloads +- Handler, Setup - Installer handlers (CBS, etc.) +- EEHandler - Evaluating update applicability rules +- DataStore - Caching update data locally +- IdleTimer - Tracking active calls, stopping service + +![Windows Update component name](images/update-component-name.png) + + +#### Update identifiers + +##### Update ID and revision number +There are different identifiers for the same update in different contexts. It’s important to know the identifier schemes. +- Update ID: A GUID (indicated in the previous screen shot) that's assigned to a given update at publication time +- Revision number: A number incremented every time that a given update (that has a given update ID) is modified and republished on a service +- Revision numbers are reused from one update to another (not a unique identifier). +- The update ID and revision number are often shown together as "{GUID}.revision." + ![Windows Update update identifiers](images/update-update-id.png) + + +##### Revision ID +- A Revision ID (do no confuse this with “revision number”) is a serial number that's issued when an update is initially published or revised on a given service. +- An existing update that’s revised keeps the same update ID (GUID), has its revision number incremented (for example, from 100 to 101), but gets a completely new revision ID that is not related to the previous ID. +- Revision IDs are unique on a given update source, but not across multiple sources. +- The same update revision may have completely different revision IDs on WU and WSUS. +- The same revision ID may represent different updates on WU and WSUS. + +##### Local ID +- Local ID is a serial number issued when an update is received from a service by a given WU client +- Usually seen in debug logs, especially involving the local cache for update info (Datastore) +- Different client PCs will assign different Local IDs to the same update +- You can find the local IDs that a client is using by getting the client’s %WINDIR%\SoftwareDistribution\Datastore\Datastore.edb file + +##### Inconsistent terminology +- Sometimes the logs use terms inconsistently. For example, the InstalledNonLeafUpdateIDs list actually contains revision IDs, not update IDs. +- Recognize IDs by form and context: + + - GUIDs are update IDs + - Small integers that appear alongside an update ID are revision numbers + - Large integers are typically revision IDs + - Small integers (especially in Datastore) can be local IDs + ![Windows Update inconsisten terminology](images/update-inconsistent.png) + +## Windows Setup log files analysis using SetupDiag tool +SetupDiag is a diagnostic tool that can be used for analysis of logs related to installation of Windows Updates. For detailed information, see [SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag). diff --git a/windows/deployment/update/windows-update-overview.md b/windows/deployment/update/windows-update-overview.md index c88535580b..3eda438f80 100644 --- a/windows/deployment/update/windows-update-overview.md +++ b/windows/deployment/update/windows-update-overview.md @@ -1,57 +1,57 @@ ---- -title: Get started with Windows Update -description: Learn how Windows Update works, including architecture and troubleshooting -ms.prod: w10 -ms.mktglfcycl: -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greg-lindsay -ms.date: 09/18/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Get started with Windows Update - ->Applies to: Windows 10 - -With the release of Windows 10, we moved the update model to the Unified Update Platform. Unified Update Platform (UUP) is a single publishing, hosting, scan and download model for all types of OS updates, desktop and mobile for all Windows-based operating systems, for everything from monthly quality updates to new feature updates. - -Ues the following information to get started with Windows Update: - -- Understand the UUP architecture -- Understand [how Windows Update works](how-windows-update-works.md) -- Find [Windows Update log files](windows-update-logs.md) -- Learn how to [troubleshoot Windows Update](windows-update-troubleshooting.md) -- Review [common Windows Update errors](windows-update-errors.md) and check out the [error code reference](windows-update-error-reference.md) -- Review [other resources](windows-update-resources.md) to help you use Windows Update - -## Unified Update Platform (UUP) architecture -To understand the changes to the Windows Update architecture that UUP introduces let's start with some new key terms. - -![Windows Update terminology](images/update-terminology.png) - -- **Update UI** – The user interface to initiate Windows Update check and history. Available under **Settings --> Update & Security --> Windows Update**. -- **Update Session Orchestrator (USO)**- A Windows OS component that orchestrates the sequence of downloading and installing various update types from Windows Update. - - Update types- - - OS Feature updates - - OS Security updates - - Device drivers - - Defender definition updates - - >[!NOTE] - > Other types of updates, like Office desktop updates, are installed if the user opts into Microsoft Update. - > - >Store apps aren't installed by USO, today they are separate. - -- **WU Client/ UpdateAgent** - The component running on your PC. It's essentially a DLL that is downloaded to the device when an update is applicable. It surfaces the APIs needed to perform an update, including those needed to generate a list of payloads to download, as well as starts stage and commit operations. It provides a unified interface that abstracts away the underlying update technologies from the caller. -- **WU Arbiter handle**- Code that is included in the UpdateAgent binary. The arbiter gathers information about the device, and uses the CompDB(s) to output an action list. It is responsible for determining the final "composition state" of your device, and which payloads (like ESDs or packages) are needed to get your device up to date. -- **Deployment Arbiter**- A deployment manager that calls different installers. For example, CBS. - -Additional components include the following- - -- **CompDB** – A generic term to refer to the XML describing information about target build composition, available diff packages, and conditional rules. -- **Action List** – The payload and additional information needed to perform an update. The action list is consumed by the UpdateAgent, as well as other installers to determine what payload to download. It's also consumed by the "Install Agent" to determine what actions need to be taken, such as installing or removing packages. +--- +title: Get started with Windows Update +description: Learn how Windows Update works, including architecture and troubleshooting +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.date: 09/18/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Get started with Windows Update + +>Applies to: Windows 10 + +With the release of Windows 10, we moved the update model to the Unified Update Platform. Unified Update Platform (UUP) is a single publishing, hosting, scan and download model for all types of OS updates, desktop and mobile for all Windows-based operating systems, for everything from monthly quality updates to new feature updates. + +Ues the following information to get started with Windows Update: + +- Understand the UUP architecture +- Understand [how Windows Update works](how-windows-update-works.md) +- Find [Windows Update log files](windows-update-logs.md) +- Learn how to [troubleshoot Windows Update](windows-update-troubleshooting.md) +- Review [common Windows Update errors](windows-update-errors.md) and check out the [error code reference](windows-update-error-reference.md) +- Review [other resources](windows-update-resources.md) to help you use Windows Update + +## Unified Update Platform (UUP) architecture +To understand the changes to the Windows Update architecture that UUP introduces let's start with some new key terms. + +![Windows Update terminology](images/update-terminology.png) + +- **Update UI** – The user interface to initiate Windows Update check and history. Available under **Settings --> Update & Security --> Windows Update**. +- **Update Session Orchestrator (USO)**- A Windows OS component that orchestrates the sequence of downloading and installing various update types from Windows Update. + + Update types- + - OS Feature updates + - OS Security updates + - Device drivers + - Defender definition updates + + >[!NOTE] + > Other types of updates, like Office desktop updates, are installed if the user opts into Microsoft Update. + > + >Store apps aren't installed by USO, today they are separate. + +- **WU Client/ UpdateAgent** - The component running on your PC. It's essentially a DLL that is downloaded to the device when an update is applicable. It surfaces the APIs needed to perform an update, including those needed to generate a list of payloads to download, as well as starts stage and commit operations. It provides a unified interface that abstracts away the underlying update technologies from the caller. +- **WU Arbiter handle**- Code that is included in the UpdateAgent binary. The arbiter gathers information about the device, and uses the CompDB(s) to output an action list. It is responsible for determining the final "composition state" of your device, and which payloads (like ESDs or packages) are needed to get your device up to date. +- **Deployment Arbiter**- A deployment manager that calls different installers. For example, CBS. + +Additional components include the following- + +- **CompDB** – A generic term to refer to the XML describing information about target build composition, available diff packages, and conditional rules. +- **Action List** – The payload and additional information needed to perform an update. The action list is consumed by the UpdateAgent, as well as other installers to determine what payload to download. It's also consumed by the "Install Agent" to determine what actions need to be taken, such as installing or removing packages. diff --git a/windows/deployment/update/windows-update-resources.md b/windows/deployment/update/windows-update-resources.md index b403e77a48..c98b9d29d0 100644 --- a/windows/deployment/update/windows-update-resources.md +++ b/windows/deployment/update/windows-update-resources.md @@ -1,126 +1,126 @@ ---- -title: Windows Update - Additional resources -description: Additional resources for Windows Update -ms.prod: w10 -ms.mktglfcycl: -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greg-lindsay -ms.date: 09/18/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Windows Update - additional resources - ->Applies to: Windows 10 - -The following resources provide additional information about using Windows Update. - -## WSUS Troubleshooting - -[Troubleshooting issues with WSUS client agents](https://support.microsoft.com/help/10132/) - -[How to troubleshoot WSUS](https://support.microsoft.com/help/4025764/) - -[Error 80244007 when WSUS client scans for updates](https://support.microsoft.com/help/4096317/) - -[Updates may not be installed with Fast Startup in Windows 10](https://support.microsoft.com/help/4011287/) - - -## How do I reset Windows Update components? - -[This script](https://gallery.technet.microsoft.com/scriptcenter/Reset-WindowsUpdateps1-e0c5eb78) will completely reset the Windows Update client settings. It has been tested on Windows 7, 8, 10, and Windows Server 2012 R2. It will configure the services and registry keys related to Windows Update for default settings. It will also clean up files related to Windows Update, in addition to BITS related data. - - -[This script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc) allow reset the Windows Update Agent resolving issues with Windows Update. - - -## Reset Windows Update components manually -1. Open a Windows command prompt. To open a command prompt, click **Start > Run**. Copy and paste (or type) the following command and then press ENTER: - ``` - cmd - ``` -2. Stop the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command. - ``` - net stop bits - net stop wuauserv - ``` -3. Delete the qmgr\*.dat files. To do this, type the following command at a command prompt, and then press ENTER: - ``` - Del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat" - ``` -4. If this is your first attempt at resolving your Windows Update issues by using the steps in this article, go to step 5 without carrying out the steps in step 4. The steps in step 4 should only be performed at this point in the troubleshooting if you cannot resolve your Windows Update issues after following all steps but step 4. The steps in step 4 are also performed by the "Aggressive" mode of the Fix it Solution above. - 1. Rename the following folders to *.BAK: - - %systemroot%\SoftwareDistribution\DataStore - - %systemroot%\SoftwareDistribution\Download - - %systemroot%\system32\catroot2 - - To do this, type the following commands at a command prompt. Press ENTER after you type each command. - - Ren %systemroot%\SoftwareDistribution\DataStore *.bak - - Ren %systemroot%\SoftwareDistribution\Download *.bak - - Ren %systemroot%\system32\catroot2 *.bak - 2. Reset the BITS service and the Windows Update service to the default security descriptor. To do this, type the following commands at a command prompt. Press ENTER after you type each command. - - sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU) - - sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU) -5. Type the following command at a command prompt, and then press ENTER: - ``` - cd /d %windir%\system32 - ``` -6. Reregister the BITS files and the Windows Update files. To do this, type the following commands at a command prompt. Press ENTER after you type each command. - - regsvr32.exe atl.dll - - regsvr32.exe urlmon.dll - - regsvr32.exe mshtml.dll - - regsvr32.exe shdocvw.dll - - regsvr32.exe browseui.dll - - regsvr32.exe jscript.dll - - regsvr32.exe vbscript.dll - - regsvr32.exe scrrun.dll - - regsvr32.exe msxml.dll - - regsvr32.exe msxml3.dll - - regsvr32.exe msxml6.dll - - regsvr32.exe actxprxy.dll - - regsvr32.exe softpub.dll - - regsvr32.exe wintrust.dll - - regsvr32.exe dssenh.dll - - regsvr32.exe rsaenh.dll - - regsvr32.exe gpkcsp.dll - - regsvr32.exe sccbase.dll - - regsvr32.exe slbcsp.dll - - regsvr32.exe cryptdlg.dll - - regsvr32.exe oleaut32.dll - - regsvr32.exe ole32.dll - - regsvr32.exe shell32.dll - - regsvr32.exe initpki.dll - - regsvr32.exe wuapi.dll - - regsvr32.exe wuaueng.dll - - regsvr32.exe wuaueng1.dll - - regsvr32.exe wucltui.dll - - regsvr32.exe wups.dll - - regsvr32.exe wups2.dll - - regsvr32.exe wuweb.dll - - regsvr32.exe qmgr.dll - - regsvr32.exe qmgrprxy.dll - - regsvr32.exe wucltux.dll - - regsvr32.exe muweb.dll - - regsvr32.exe wuwebv.dll -7. Reset Winsock. To do this, type the following command at a command prompt, and then press ENTER: - ``` - netsh winsock reset - ``` -8. If you are running Windows XP or Windows Server 2003, you have to set the proxy settings. To do this, type the following command at a command prompt, and then press ENTER: - ``` - proxycfg.exe -d - ``` -9. Restart the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command. - ``` - net start bits - - net start wuauserv - ``` -10. If you are running Windows Vista or Windows Server 2008, clear the BITS queue. To do this, type the following command at a command prompt, and then press ENTER: - ``` - bitsadmin.exe /reset /allusers - ``` +--- +title: Windows Update - Additional resources +description: Additional resources for Windows Update +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.date: 09/18/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Windows Update - additional resources + +>Applies to: Windows 10 + +The following resources provide additional information about using Windows Update. + +## WSUS Troubleshooting + +[Troubleshooting issues with WSUS client agents](https://support.microsoft.com/help/10132/) + +[How to troubleshoot WSUS](https://support.microsoft.com/help/4025764/) + +[Error 80244007 when WSUS client scans for updates](https://support.microsoft.com/help/4096317/) + +[Updates may not be installed with Fast Startup in Windows 10](https://support.microsoft.com/help/4011287/) + + +## How do I reset Windows Update components? + +[This script](https://gallery.technet.microsoft.com/scriptcenter/Reset-WindowsUpdateps1-e0c5eb78) will completely reset the Windows Update client settings. It has been tested on Windows 7, 8, 10, and Windows Server 2012 R2. It will configure the services and registry keys related to Windows Update for default settings. It will also clean up files related to Windows Update, in addition to BITS related data. + + +[This script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc) allow reset the Windows Update Agent resolving issues with Windows Update. + + +## Reset Windows Update components manually +1. Open a Windows command prompt. To open a command prompt, click **Start > Run**. Copy and paste (or type) the following command and then press ENTER: + ``` + cmd + ``` +2. Stop the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command. + ``` + net stop bits + net stop wuauserv + ``` +3. Delete the qmgr\*.dat files. To do this, type the following command at a command prompt, and then press ENTER: + ``` + Del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat" + ``` +4. If this is your first attempt at resolving your Windows Update issues by using the steps in this article, go to step 5 without carrying out the steps in step 4. The steps in step 4 should only be performed at this point in the troubleshooting if you cannot resolve your Windows Update issues after following all steps but step 4. The steps in step 4 are also performed by the "Aggressive" mode of the Fix it Solution above. + 1. Rename the following folders to *.BAK: + - %systemroot%\SoftwareDistribution\DataStore + - %systemroot%\SoftwareDistribution\Download + - %systemroot%\system32\catroot2 + + To do this, type the following commands at a command prompt. Press ENTER after you type each command. + - Ren %systemroot%\SoftwareDistribution\DataStore *.bak + - Ren %systemroot%\SoftwareDistribution\Download *.bak + - Ren %systemroot%\system32\catroot2 *.bak + 2. Reset the BITS service and the Windows Update service to the default security descriptor. To do this, type the following commands at a command prompt. Press ENTER after you type each command. + - sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU) + - sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU) +5. Type the following command at a command prompt, and then press ENTER: + ``` + cd /d %windir%\system32 + ``` +6. Reregister the BITS files and the Windows Update files. To do this, type the following commands at a command prompt. Press ENTER after you type each command. + - regsvr32.exe atl.dll + - regsvr32.exe urlmon.dll + - regsvr32.exe mshtml.dll + - regsvr32.exe shdocvw.dll + - regsvr32.exe browseui.dll + - regsvr32.exe jscript.dll + - regsvr32.exe vbscript.dll + - regsvr32.exe scrrun.dll + - regsvr32.exe msxml.dll + - regsvr32.exe msxml3.dll + - regsvr32.exe msxml6.dll + - regsvr32.exe actxprxy.dll + - regsvr32.exe softpub.dll + - regsvr32.exe wintrust.dll + - regsvr32.exe dssenh.dll + - regsvr32.exe rsaenh.dll + - regsvr32.exe gpkcsp.dll + - regsvr32.exe sccbase.dll + - regsvr32.exe slbcsp.dll + - regsvr32.exe cryptdlg.dll + - regsvr32.exe oleaut32.dll + - regsvr32.exe ole32.dll + - regsvr32.exe shell32.dll + - regsvr32.exe initpki.dll + - regsvr32.exe wuapi.dll + - regsvr32.exe wuaueng.dll + - regsvr32.exe wuaueng1.dll + - regsvr32.exe wucltui.dll + - regsvr32.exe wups.dll + - regsvr32.exe wups2.dll + - regsvr32.exe wuweb.dll + - regsvr32.exe qmgr.dll + - regsvr32.exe qmgrprxy.dll + - regsvr32.exe wucltux.dll + - regsvr32.exe muweb.dll + - regsvr32.exe wuwebv.dll +7. Reset Winsock. To do this, type the following command at a command prompt, and then press ENTER: + ``` + netsh winsock reset + ``` +8. If you are running Windows XP or Windows Server 2003, you have to set the proxy settings. To do this, type the following command at a command prompt, and then press ENTER: + ``` + proxycfg.exe -d + ``` +9. Restart the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command. + ``` + net start bits + + net start wuauserv + ``` +10. If you are running Windows Vista or Windows Server 2008, clear the BITS queue. To do this, type the following command at a command prompt, and then press ENTER: + ``` + bitsadmin.exe /reset /allusers + ``` diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md index 2b51f8351f..ac0087fb59 100644 --- a/windows/deployment/update/windows-update-troubleshooting.md +++ b/windows/deployment/update/windows-update-troubleshooting.md @@ -1,217 +1,217 @@ ---- -title: Windows Update troubleshooting -description: Learn how to troubleshoot Windows Update -ms.prod: w10 -ms.mktglfcycl: -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greg-lindsay -ms.date: 09/18/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Windows Update troubleshooting - ->Applies to: Windows 10 - -If you run into problems when using Windows Update, start with the following steps: - -1. Run the built-in Windows Update troubleshooter to fix common issues. Navigate to **Settings > Update & Security > Troubleshoot > Windows Update**. -2. Install the most recent Servicing Stack Update (SSU) that matches your version of Windows from the Microsoft Update Catalog. See [Servicing stack updates](servicing-stack-updates.md) for more details on SSU. -3. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system: - - - [Windows 10, version 1809 and Windows Server 2019](https://support.microsoft.com/help/4464619/windows-10-update-history) - - [Windows 10, version 1803](https://support.microsoft.com/help/4099479/windows-10-update-history) - - [Windows 10, version 1709](https://support.microsoft.com/help/4043454) - - [Windows 10, version 1703](https://support.microsoft.com/help/4018124) - - [Windows 10 and Windows Server 2016](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) - - [Windows 8.1 and Windows Server 2012 R2](https://support.microsoft.com/help/4009470/windows-8-1-windows-server-2012-r2-update-history) - - [Windows Server 2012](https://support.microsoft.com/help/4009471/windows-server-2012-update-history) - - [Windows 7 SP1 and Windows Server 2008 R2 SP1](https://support.microsoft.com/help/4009469/windows-7-sp1-windows-server-2008-r2-sp1-update-history) - -Advanced users can also refer to the [log](windows-update-logs.md) generated by Windows Update for further investigation. - -You might encounter the following scenarios when using Windows Update. - -## Why am I offered an older update/upgrade? -The update that is offered to a device depends on several factors. Some of the most common attributes include the following: - -- OS Build -- OS Branch -- OS Locale -- OS Architecture -- Device update management configuration - -If the update you're offered isn't the most current available, it might be because your device is being managed by a WSUS server, and you're being offered the updates available on that server. It's also possible, if your device is part of a Windows as a Service deployment ring, that your admin is intentionally slowing the rollout of updates. Since the WaaS rollout is slow and measured to begin with, all devices will not receive the update on the same day. - -## My machine is frozen at scan. Why? -The Settings UI is talking to the Update Orchestrator service which in turn is talking to Windows Update service. If these services stop unexpectedly then you might see this behavior. In such cases, do the following: -1. Close the Settings app and reopen it. -2. Launch Services.msc and check if the following services are running: - - Update State Orchestrator - - Windows Update - -## Feature updates are not being offered while other updates are -On computers running [Windows 10 1709 or higher](#BKMK_DCAT) configured to update from Windows Update (usually WUfB scenario) servicing and definition updates are being installed successfully, but feature updates are never offered. - -Checking the WindowsUpdate.log reveals the following error: -``` -YYYY/MM/DD HH:mm:ss:SSS PID TID Agent * START * Finding updates CallerId = Update;taskhostw Id = 25 -YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Online = Yes; Interactive = No; AllowCachedResults = No; Ignore download priority = No -YYYY/MM/DD HH:mm:ss:SSS PID TID Agent ServiceID = {855E8A7C-ECB4-4CA3-B045-1DFA50104289} Third party service -YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Search Scope = {Current User} -YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Caller SID for Applicability: S-1-12-1-2933642503-1247987907-1399130510-4207851353 -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc Got 855E8A7C-ECB4-4CA3-B045-1DFA50104289 redir Client/Server URL: https://fe3.delivery.mp.microsoft.com/ClientWebService/client.asmx"" -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc Token Requested with 0 category IDs. -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc GetUserTickets: No user tickets found. Returning WU_E_NO_USERTOKEN. -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [AuthTicketHelper::GetDeviceTickets:570] -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [AuthTicketHelper::GetDeviceTickets:570] -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] GetDeviceTickets -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [AuthTicketHelper::AddTickets:1092] -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [CUpdateEndpointProvider::GenerateSecurityTokenWithAuthTickets:1587] -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] GetAgentTokenFromServer -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] GetAgentToken -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] EP:Call to GetEndpointToken -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Failed to obtain service 855E8A7C-ECB4-4CA3-B045-1DFA50104289 plugin Client/Server auth token of type 0x00000001 -YYYY/MM/DD HH:mm:ss:SSS PID TID ProtocolTalker *FAILED* [80070426] Method failed [CAgentProtocolTalkerContext::DetermineServiceEndpoint:377] -YYYY/MM/DD HH:mm:ss:SSS PID TID ProtocolTalker *FAILED* [80070426] Initialization failed for Protocol Talker Context -YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Exit code = 0x80070426 -YYYY/MM/DD HH:mm:ss:SSS PID TID Agent * END * Finding updates CallerId = Update;taskhostw Id = 25 -``` - -The 0x80070426 error code translates to: -``` -ERROR_SERVICE_NOT_ACTIVE - # The service has not been started. -``` - -Microsoft Account Sign In Assistant (MSA or wlidsvc) is the service in question. The DCAT Flighting service (ServiceId: 855E8A7C-ECB4-4CA3-B045-1DFA50104289) relies on the Microsoft Account Sign In Assistant (MSA) to get the Global Device ID for the device. Without the MSA service running, the global device ID will not be generated and sent by the client and the search for feature updates never completes successfully. - -In order to solve this issue, we need to reset the MSA service to the default StartType of manual. - -## Issues related to HTTP/Proxy -Windows Update uses WinHttp with Partial Range requests (RFC 7233) to download updates and applications from Windows Update servers or on-premises WSUS servers. Because of this proxy servers configured on the network must support HTTP RANGE requests. If a proxy was configured in Internet Explorer (User level) but not in WinHTTP (System level), connections to Windows Update will fail. - -To fix this issue, configure a proxy in WinHTTP by using the following netsh command: - -``` -netsh winhttp set proxy ProxyServerName:PortNumber -``` - ->[!NOTE] -> You can also import the proxy settings from Internet Explorer by using the following command: netsh winhttp import proxy source=ie - -If downloads through a proxy server fail with a 0x80d05001 DO_E_HTTP_BLOCKSIZE_MISMATCH error, or if you notice high CPU usage while updates are downloading, check the proxy configuration to permit HTTP RANGE requests to run. - -You may choose to apply a rule to permit HTTP RANGE requests for the following URLs: - -*.download.windowsupdate.com -*.dl.delivery.mp.microsoft.com -*.emdl.ws.microsoft.com - -If you cannot permit RANGE requests, keep in mind that this means you are downloading more content than needed in updates (as delta patching will not work). - - -## The update is not applicable to your computer -The most common reasons for this error are described in the following table: - -|Cause|Explanation|Resolution| -|-----|-----------|----------| -|Update is superseded|As updates for a component are released, the updated component will supersede an older component that is already on the system. When this occurs, the previous update is marked as superseded. If the update that you're trying to install already has a newer version of the payload on your system, you may encounter this error message.|Check that the package that you are installing contains newer versions of the binaries. Or, check that the package is superseded by another new package. | -|Update is already installed|If the update that you're trying to install was previously installed, for example, by another update that carried the same payload, you may encounter this error message.|Verify that the package that you are trying to install was not previously installed.| -|Wrong update for architecture|Updates are published by CPU architecture. If the update that you're trying to install does not match the architecture for your CPU, you may encounter this error message. |Verify that the package that you're trying to install matches the Windows version that you are using. The Windows version information can be found in the "Applies To" section of the article for each update. For example, Windows Server 2012-only updates cannot be installed on Windows Server 2012 R2-based computers.
          Also, verify that the package that you are installing matches the processor architecture of the Windows version that you are using. For example, an x86-based update cannot be installed on x64-based installations of Windows. | -|Missing prerequisite update|Some updates require a prerequisite update before they can be applied to a system. If you are missing a prerequisite update, you may encounter this error message. For example, KB 2919355 must be installed on Windows 8.1 and Windows Server 2012 R2 computers before many of the updates that were released after April 2014 can be installed.|Check the related articles about the package in the Microsoft Knowledge Base (KB) to make sure that you have the prerequisite updates installed. For example, if you encounter the error message on Windows 8.1 or Windows Server 2012 R2, you may have to install the April 2014 update 2919355 as a prerequisite and one or more pre-requisite servicing updates (KB 2919442 and KB 3173424).
          Note: To determine if these prerequisite updates are installed, run the following PowerShell command:
          get-hotfix KB3173424,KB2919355,KB2919442
          If the updates are installed, the command will return the installed date in the "InstalledOn" section of the output. - -## Issues related to firewall configuration -Error that may be seen in the WU logs: -``` -DownloadManager Error 0x800706d9 occurred while downloading update; notifying dependent calls. -``` -Or -``` -[DownloadManager] BITS job {A4AC06DD-D6E6-4420-8720-7407734FDAF2} hit a transient error, updateId = {D053C08A-6250-4C43-A111-56C5198FE142}.200 , error = 0x800706D9 -``` -Or -``` -DownloadManager [0]12F4.1FE8::09/29/2017-13:45:08.530 [agent]DO job {C6E2F6DC-5B78-4608-B6F1-0678C23614BD} hit a transient error, updateId = 5537BD35-BB74-40B2-A8C3-B696D3C97CBA.201 , error = 0x80D0000A -``` - -Go to Services.msc and ensure that Windows Firewall Service is enabled. Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft. For more information, see [I need to disable Windows Firewall](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc766337(v=ws.10)). - -## Issues arising from configuration of conflicting policies -Windows Update provides a wide range configuration policies to control the behavior of WU service in a managed environment. While these policies let you configure the settings at a granular level, misconfiguration or setting conflicting polices may lead to unexpected behaviors. - -See [How to configure automatic updates by using Group Policy or registry settings](https://support.microsoft.com/help/328010/how-to-configure-automatic-updates-by-using-group-policy-or-registry-s) for more information. - - -## Updates aren't downloading from the intranet endpoint (WSUS/SCCM) -Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps: -1. Start Windows PowerShell as an administrator -2. Run \$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager". -3. Run \$MUSM.Services. - -Check the output for the Name and OffersWindowsUPdates parameters, which you can interpret according to this table. - -|Output|Interpretation| -|-|-| -|- Name: Microsoft Update
          -OffersWindowsUpdates: True| - The update source is Microsoft Update, which means that updates for other Microsoft products besides the operating system could also be delivered.
          - Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.) | -|- Name: DCat Flighting Prod
          - OffersWindowsUpdates: True |- Starting with Windows 10 1709, feature updates are always delivered through the DCAT service.
          - Indicates that the client is configured to receive feature updates from Windows Update. | -|- Name: Windows Store (DCat Prod)
          - OffersWindowsUpdates: False |-The update source is Insider Updates for Store Apps.
          - Indicates that the client will not receive or is not configured to receive these updates.| -|- Name: Windows Server Update Service
          - OffersWindowsUpdates: True |- The source is a Windows Server Updates Services server.
          - The client is configured to receive updates from WSUS. | -|- Name: Windows Update
          - OffersWindowsUpdates: True|- The source is Windows Update.
          - The client is configured to receive updates from Windows Update Online.| - -## You have a bad setup in the environment -If we look at the GPO being set through registry, the system is configured to use WSUS to download updates: - -``` -HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU] -"UseWUServer"=dword:00000001 ===================================> it says use WSUS server. -``` - -From the WU logs: -``` -2018-08-06 09:33:31:085 480 1118 Agent ** START ** Agent: Finding updates [CallerId = OperationalInsight Id = 49] -2018-08-06 09:33:31:085 480 1118 Agent ********* -2018-08-06 09:33:31:085 480 1118 Agent * Include potentially superseded updates -2018-08-06 09:33:31:085 480 1118 Agent * Online = No; Ignore download priority = No -2018-08-06 09:33:31:085 480 1118 Agent * Criteria = "IsHidden = 0 AND DeploymentAction=*" -2018-08-06 09:33:31:085 480 1118 Agent * ServiceID = {00000000-0000-0000-0000-000000000000} Third party service -2018-08-06 09:33:31:085 480 1118 Agent * Search Scope = {Machine} -2018-08-06 09:33:32:554 480 1118 Agent * Found 83 updates and 83 categories in search; evaluated appl. rules of 517 out of 1473 deployed entities -2018-08-06 09:33:32:554 480 1118 Agent ********* -2018-08-06 09:33:32:554 480 1118 Agent ** END ** Agent: Finding updates [CallerId = OperationalInsight Id = 49] -``` - -In the above log snippet, we see that the Criteria = "IsHidden = 0 AND DeploymentAction=*". "*" means there is nothing specified from the server. So, the scan happens but there is no direction to download or install to the agent. So it just scans the update and provides the results. - -Now if you look at the below logs, the Automatic update runs the scan and finds no update approved for it. So it reports there are 0 updates to install or download. This is due to bad setup or configuration in the environment. The WSUS side should approve the patches for WU so that it fetches the updates and installs it on the specified time according to the policy. Since this scenario doesn't include SCCM, there's no way to install unapproved updates. And that is the problem you are facing. You expect that the scan should be done by the operational insight agent and automatically trigger download and install but that won’t happen here. - -``` -2018-08-06 10:58:45:992 480 5d8 Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates Id = 57] -2018-08-06 10:58:45:992 480 5d8 Agent ********* -2018-08-06 10:58:45:992 480 5d8 Agent * Online = Yes; Ignore download priority = No -2018-08-06 10:58:45:992 480 5d8 Agent * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1" - -2018-08-06 10:58:46:617 480 5d8 PT + SyncUpdates round trips: 2 -2018-08-06 10:58:47:383 480 5d8 Agent * Found 0 updates and 83 categories in search; evaluated appl. rules of 617 out of 1473 deployed entities -2018-08-06 10:58:47:383 480 5d8 Agent Reporting status event with 0 installable, 83 installed, 0 installed pending, 0 failed and 0 downloaded updates -2018-08-06 10:58:47:383 480 5d8 Agent ********* -2018-08-06 10:58:47:383 480 5d8 Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates Id = 57] -``` - -## High bandwidth usage on Windows 10 by Windows Update -Users may see that Windows 10 is consuming all the bandwidth in the different offices under the system context. This behavior is by design. Components that may consume bandwidth expand beyond Windows Update components. - -The following group policies can help mitigate this: - -- Blocking access to Windows Update servers: [Policy Turn off access to all Windows Update features](http://gpsearch.azurewebsites.net/#4728) (Set to enabled) -- Driver search: [Policy Specify search order for device driver source locations](http://gpsearch.azurewebsites.net/#183) (Set to "Do not search Windows Update") -- Windows Store automatic update: [Policy Turn off Automatic Download and Install of updates](http://gpsearch.azurewebsites.net/#10876) (Set to enabled) - -Other components that reach out to the internet: - -- Windows Spotlight: [Policy Configure Windows spotlight on lock screen](http://gpsearch.azurewebsites.net/#13362) (Set to disabled) -- Consumer experiences: [Policy Turn off Microsoft consumer experiences](http://gpsearch.azurewebsites.net/#13329) (Set to enabled) -- Background traffic from Windows apps: [Policy Let Windows apps run in the background](http://gpsearch.azurewebsites.net/#13571) +--- +title: Windows Update troubleshooting +description: Learn how to troubleshoot Windows Update +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.date: 09/18/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Windows Update troubleshooting + +>Applies to: Windows 10 + +If you run into problems when using Windows Update, start with the following steps: + +1. Run the built-in Windows Update troubleshooter to fix common issues. Navigate to **Settings > Update & Security > Troubleshoot > Windows Update**. +2. Install the most recent Servicing Stack Update (SSU) that matches your version of Windows from the Microsoft Update Catalog. See [Servicing stack updates](servicing-stack-updates.md) for more details on SSU. +3. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system: + + - [Windows 10, version 1809 and Windows Server 2019](https://support.microsoft.com/help/4464619/windows-10-update-history) + - [Windows 10, version 1803](https://support.microsoft.com/help/4099479/windows-10-update-history) + - [Windows 10, version 1709](https://support.microsoft.com/help/4043454) + - [Windows 10, version 1703](https://support.microsoft.com/help/4018124) + - [Windows 10 and Windows Server 2016](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) + - [Windows 8.1 and Windows Server 2012 R2](https://support.microsoft.com/help/4009470/windows-8-1-windows-server-2012-r2-update-history) + - [Windows Server 2012](https://support.microsoft.com/help/4009471/windows-server-2012-update-history) + - [Windows 7 SP1 and Windows Server 2008 R2 SP1](https://support.microsoft.com/help/4009469/windows-7-sp1-windows-server-2008-r2-sp1-update-history) + +Advanced users can also refer to the [log](windows-update-logs.md) generated by Windows Update for further investigation. + +You might encounter the following scenarios when using Windows Update. + +## Why am I offered an older update/upgrade? +The update that is offered to a device depends on several factors. Some of the most common attributes include the following: + +- OS Build +- OS Branch +- OS Locale +- OS Architecture +- Device update management configuration + +If the update you're offered isn't the most current available, it might be because your device is being managed by a WSUS server, and you're being offered the updates available on that server. It's also possible, if your device is part of a Windows as a Service deployment ring, that your admin is intentionally slowing the rollout of updates. Since the WaaS rollout is slow and measured to begin with, all devices will not receive the update on the same day. + +## My machine is frozen at scan. Why? +The Settings UI is talking to the Update Orchestrator service which in turn is talking to Windows Update service. If these services stop unexpectedly then you might see this behavior. In such cases, do the following: +1. Close the Settings app and reopen it. +2. Launch Services.msc and check if the following services are running: + - Update State Orchestrator + - Windows Update + +## Feature updates are not being offered while other updates are +On computers running [Windows 10 1709 or higher](#BKMK_DCAT) configured to update from Windows Update (usually WUfB scenario) servicing and definition updates are being installed successfully, but feature updates are never offered. + +Checking the WindowsUpdate.log reveals the following error: +``` +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent * START * Finding updates CallerId = Update;taskhostw Id = 25 +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Online = Yes; Interactive = No; AllowCachedResults = No; Ignore download priority = No +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent ServiceID = {855E8A7C-ECB4-4CA3-B045-1DFA50104289} Third party service +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Search Scope = {Current User} +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Caller SID for Applicability: S-1-12-1-2933642503-1247987907-1399130510-4207851353 +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc Got 855E8A7C-ECB4-4CA3-B045-1DFA50104289 redir Client/Server URL: https://fe3.delivery.mp.microsoft.com/ClientWebService/client.asmx"" +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc Token Requested with 0 category IDs. +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc GetUserTickets: No user tickets found. Returning WU_E_NO_USERTOKEN. +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [AuthTicketHelper::GetDeviceTickets:570] +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [AuthTicketHelper::GetDeviceTickets:570] +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] GetDeviceTickets +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [AuthTicketHelper::AddTickets:1092] +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [CUpdateEndpointProvider::GenerateSecurityTokenWithAuthTickets:1587] +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] GetAgentTokenFromServer +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] GetAgentToken +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] EP:Call to GetEndpointToken +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Failed to obtain service 855E8A7C-ECB4-4CA3-B045-1DFA50104289 plugin Client/Server auth token of type 0x00000001 +YYYY/MM/DD HH:mm:ss:SSS PID TID ProtocolTalker *FAILED* [80070426] Method failed [CAgentProtocolTalkerContext::DetermineServiceEndpoint:377] +YYYY/MM/DD HH:mm:ss:SSS PID TID ProtocolTalker *FAILED* [80070426] Initialization failed for Protocol Talker Context +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Exit code = 0x80070426 +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent * END * Finding updates CallerId = Update;taskhostw Id = 25 +``` + +The 0x80070426 error code translates to: +``` +ERROR_SERVICE_NOT_ACTIVE - # The service has not been started. +``` + +Microsoft Account Sign In Assistant (MSA or wlidsvc) is the service in question. The DCAT Flighting service (ServiceId: 855E8A7C-ECB4-4CA3-B045-1DFA50104289) relies on the Microsoft Account Sign In Assistant (MSA) to get the Global Device ID for the device. Without the MSA service running, the global device ID will not be generated and sent by the client and the search for feature updates never completes successfully. + +In order to solve this issue, we need to reset the MSA service to the default StartType of manual. + +## Issues related to HTTP/Proxy +Windows Update uses WinHttp with Partial Range requests (RFC 7233) to download updates and applications from Windows Update servers or on-premises WSUS servers. Because of this proxy servers configured on the network must support HTTP RANGE requests. If a proxy was configured in Internet Explorer (User level) but not in WinHTTP (System level), connections to Windows Update will fail. + +To fix this issue, configure a proxy in WinHTTP by using the following netsh command: + +``` +netsh winhttp set proxy ProxyServerName:PortNumber +``` + +>[!NOTE] +> You can also import the proxy settings from Internet Explorer by using the following command: netsh winhttp import proxy source=ie + +If downloads through a proxy server fail with a 0x80d05001 DO_E_HTTP_BLOCKSIZE_MISMATCH error, or if you notice high CPU usage while updates are downloading, check the proxy configuration to permit HTTP RANGE requests to run. + +You may choose to apply a rule to permit HTTP RANGE requests for the following URLs: + +*.download.windowsupdate.com +*.dl.delivery.mp.microsoft.com +*.emdl.ws.microsoft.com + +If you cannot permit RANGE requests, keep in mind that this means you are downloading more content than needed in updates (as delta patching will not work). + + +## The update is not applicable to your computer +The most common reasons for this error are described in the following table: + +|Cause|Explanation|Resolution| +|-----|-----------|----------| +|Update is superseded|As updates for a component are released, the updated component will supersede an older component that is already on the system. When this occurs, the previous update is marked as superseded. If the update that you're trying to install already has a newer version of the payload on your system, you may encounter this error message.|Check that the package that you are installing contains newer versions of the binaries. Or, check that the package is superseded by another new package. | +|Update is already installed|If the update that you're trying to install was previously installed, for example, by another update that carried the same payload, you may encounter this error message.|Verify that the package that you are trying to install was not previously installed.| +|Wrong update for architecture|Updates are published by CPU architecture. If the update that you're trying to install does not match the architecture for your CPU, you may encounter this error message. |Verify that the package that you're trying to install matches the Windows version that you are using. The Windows version information can be found in the "Applies To" section of the article for each update. For example, Windows Server 2012-only updates cannot be installed on Windows Server 2012 R2-based computers.
          Also, verify that the package that you are installing matches the processor architecture of the Windows version that you are using. For example, an x86-based update cannot be installed on x64-based installations of Windows. | +|Missing prerequisite update|Some updates require a prerequisite update before they can be applied to a system. If you are missing a prerequisite update, you may encounter this error message. For example, KB 2919355 must be installed on Windows 8.1 and Windows Server 2012 R2 computers before many of the updates that were released after April 2014 can be installed.|Check the related articles about the package in the Microsoft Knowledge Base (KB) to make sure that you have the prerequisite updates installed. For example, if you encounter the error message on Windows 8.1 or Windows Server 2012 R2, you may have to install the April 2014 update 2919355 as a prerequisite and one or more pre-requisite servicing updates (KB 2919442 and KB 3173424).
          Note: To determine if these prerequisite updates are installed, run the following PowerShell command:
          get-hotfix KB3173424,KB2919355,KB2919442
          If the updates are installed, the command will return the installed date in the "InstalledOn" section of the output. + +## Issues related to firewall configuration +Error that may be seen in the WU logs: +``` +DownloadManager Error 0x800706d9 occurred while downloading update; notifying dependent calls. +``` +Or +``` +[DownloadManager] BITS job {A4AC06DD-D6E6-4420-8720-7407734FDAF2} hit a transient error, updateId = {D053C08A-6250-4C43-A111-56C5198FE142}.200 , error = 0x800706D9 +``` +Or +``` +DownloadManager [0]12F4.1FE8::09/29/2017-13:45:08.530 [agent]DO job {C6E2F6DC-5B78-4608-B6F1-0678C23614BD} hit a transient error, updateId = 5537BD35-BB74-40B2-A8C3-B696D3C97CBA.201 , error = 0x80D0000A +``` + +Go to Services.msc and ensure that Windows Firewall Service is enabled. Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft. For more information, see [I need to disable Windows Firewall](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc766337(v=ws.10)). + +## Issues arising from configuration of conflicting policies +Windows Update provides a wide range configuration policies to control the behavior of WU service in a managed environment. While these policies let you configure the settings at a granular level, misconfiguration or setting conflicting polices may lead to unexpected behaviors. + +See [How to configure automatic updates by using Group Policy or registry settings](https://support.microsoft.com/help/328010/how-to-configure-automatic-updates-by-using-group-policy-or-registry-s) for more information. + + +## Updates aren't downloading from the intranet endpoint (WSUS/SCCM) +Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps: +1. Start Windows PowerShell as an administrator +2. Run \$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager". +3. Run \$MUSM.Services. + +Check the output for the Name and OffersWindowsUPdates parameters, which you can interpret according to this table. + +|Output|Interpretation| +|-|-| +|- Name: Microsoft Update
          -OffersWindowsUpdates: True| - The update source is Microsoft Update, which means that updates for other Microsoft products besides the operating system could also be delivered.
          - Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.) | +|- Name: DCat Flighting Prod
          - OffersWindowsUpdates: True |- Starting with Windows 10 1709, feature updates are always delivered through the DCAT service.
          - Indicates that the client is configured to receive feature updates from Windows Update. | +|- Name: Windows Store (DCat Prod)
          - OffersWindowsUpdates: False |-The update source is Insider Updates for Store Apps.
          - Indicates that the client will not receive or is not configured to receive these updates.| +|- Name: Windows Server Update Service
          - OffersWindowsUpdates: True |- The source is a Windows Server Updates Services server.
          - The client is configured to receive updates from WSUS. | +|- Name: Windows Update
          - OffersWindowsUpdates: True|- The source is Windows Update.
          - The client is configured to receive updates from Windows Update Online.| + +## You have a bad setup in the environment +If we look at the GPO being set through registry, the system is configured to use WSUS to download updates: + +``` +HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU] +"UseWUServer"=dword:00000001 ===================================> it says use WSUS server. +``` + +From the WU logs: +``` +2018-08-06 09:33:31:085 480 1118 Agent ** START ** Agent: Finding updates [CallerId = OperationalInsight Id = 49] +2018-08-06 09:33:31:085 480 1118 Agent ********* +2018-08-06 09:33:31:085 480 1118 Agent * Include potentially superseded updates +2018-08-06 09:33:31:085 480 1118 Agent * Online = No; Ignore download priority = No +2018-08-06 09:33:31:085 480 1118 Agent * Criteria = "IsHidden = 0 AND DeploymentAction=*" +2018-08-06 09:33:31:085 480 1118 Agent * ServiceID = {00000000-0000-0000-0000-000000000000} Third party service +2018-08-06 09:33:31:085 480 1118 Agent * Search Scope = {Machine} +2018-08-06 09:33:32:554 480 1118 Agent * Found 83 updates and 83 categories in search; evaluated appl. rules of 517 out of 1473 deployed entities +2018-08-06 09:33:32:554 480 1118 Agent ********* +2018-08-06 09:33:32:554 480 1118 Agent ** END ** Agent: Finding updates [CallerId = OperationalInsight Id = 49] +``` + +In the above log snippet, we see that the Criteria = "IsHidden = 0 AND DeploymentAction=*". "*" means there is nothing specified from the server. So, the scan happens but there is no direction to download or install to the agent. So it just scans the update and provides the results. + +Now if you look at the below logs, the Automatic update runs the scan and finds no update approved for it. So it reports there are 0 updates to install or download. This is due to bad setup or configuration in the environment. The WSUS side should approve the patches for WU so that it fetches the updates and installs it on the specified time according to the policy. Since this scenario doesn't include SCCM, there's no way to install unapproved updates. And that is the problem you are facing. You expect that the scan should be done by the operational insight agent and automatically trigger download and install but that won’t happen here. + +``` +2018-08-06 10:58:45:992 480 5d8 Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates Id = 57] +2018-08-06 10:58:45:992 480 5d8 Agent ********* +2018-08-06 10:58:45:992 480 5d8 Agent * Online = Yes; Ignore download priority = No +2018-08-06 10:58:45:992 480 5d8 Agent * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1" + +2018-08-06 10:58:46:617 480 5d8 PT + SyncUpdates round trips: 2 +2018-08-06 10:58:47:383 480 5d8 Agent * Found 0 updates and 83 categories in search; evaluated appl. rules of 617 out of 1473 deployed entities +2018-08-06 10:58:47:383 480 5d8 Agent Reporting status event with 0 installable, 83 installed, 0 installed pending, 0 failed and 0 downloaded updates +2018-08-06 10:58:47:383 480 5d8 Agent ********* +2018-08-06 10:58:47:383 480 5d8 Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates Id = 57] +``` + +## High bandwidth usage on Windows 10 by Windows Update +Users may see that Windows 10 is consuming all the bandwidth in the different offices under the system context. This behavior is by design. Components that may consume bandwidth expand beyond Windows Update components. + +The following group policies can help mitigate this: + +- Blocking access to Windows Update servers: [Policy Turn off access to all Windows Update features](http://gpsearch.azurewebsites.net/#4728) (Set to enabled) +- Driver search: [Policy Specify search order for device driver source locations](http://gpsearch.azurewebsites.net/#183) (Set to "Do not search Windows Update") +- Windows Store automatic update: [Policy Turn off Automatic Download and Install of updates](http://gpsearch.azurewebsites.net/#10876) (Set to enabled) + +Other components that reach out to the internet: + +- Windows Spotlight: [Policy Configure Windows spotlight on lock screen](http://gpsearch.azurewebsites.net/#13362) (Set to disabled) +- Consumer experiences: [Policy Turn off Microsoft consumer experiences](http://gpsearch.azurewebsites.net/#13329) (Set to enabled) +- Background traffic from Windows apps: [Policy Let Windows apps run in the background](http://gpsearch.azurewebsites.net/#13571) diff --git a/windows/deployment/update/wufb-autoupdate.md b/windows/deployment/update/wufb-autoupdate.md index e2d14bf393..9bdabe44ba 100644 --- a/windows/deployment/update/wufb-autoupdate.md +++ b/windows/deployment/update/wufb-autoupdate.md @@ -1,37 +1,37 @@ ---- -title: Setting up Automatic Update in Windows Update for Business (Windows 10) -description: Learn how to get started using Windows Update for Business. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greg-lindsay -ms.date: 06/20/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Set up Automatic Update in Windows Update for Business with group policies - ->Applies to: Windows 10 - -Use the Automatic Update group policies to manage the interaction between Windows Update and clients. - -Automatic Update governs the "behind the scenes" download and installation processes. It's important to keep in mind the device limitation in your environment as the download and install process can consume processing power. The below section outlines the ideal configuration for devices with the least amount of user experience degradation. - -|Policy|Description | -|-|-| -|Configure Automatic Updates|Governs the installation activity that happens in the background. This allows you to configure the installation to happen during the [maintenance window](https://docs.microsoft.com/sccm/core/clients/manage/collections/use-maintenance-windows). Also, you can specify an installation time where the device will also try to install the latest packages. You can also pick a certain day and or week.| -|Automatic Update Detection Frequency|Lets you set the scan frequency the device will use to connect to Windows Update to see if there is any available content. Default is 22 hours, but you can increase or decrease the frequency. Keep in mind a desktop computer may need to scan less frequently than laptops, which can have intermittent internet connection.| -|Specify Intranet Microsoft Update Service Location|Used for Windows Server Update Services or System Center Configuration Manager users who want to install custom packages that are not offered through Windows Update.| -|Do not connect to any Windows Update Internet locations
          Required for Dual Scan|Prevents access to Windows Update.| - -## Suggested configuration - -|Policy|Location|Suggested configuration| -|-|-|-| -|Configure Automatic Updates| GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates| **Attention**: If you are using this policy, don't set it/configure it to get the default behavior. If you have set this policy, delete the reg key. This ensures the device uses the default behavior. Note that this is not the same as the default setting within the policy.

          **Default behavior**: Download and installation happen automatically. The device will then be in a pending reboot state.

          **Pro tip**: You can configure the scan frequency to be more frequent with the policy below.| -|Automatic Update Detection Frequency|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Automatic Updates detection frequency|State: Enabled
          **Check for updates on the following interval (hours)**: 22| -|Do not connect to any Windows Update Internet locations (Required for Dual Scan) | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not connect to any Windows Update Internet locations |State: Disabled | +--- +title: Setting up Automatic Update in Windows Update for Business (Windows 10) +description: Learn how to get started using Windows Update for Business. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.date: 06/20/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Set up Automatic Update in Windows Update for Business with group policies + +>Applies to: Windows 10 + +Use the Automatic Update group policies to manage the interaction between Windows Update and clients. + +Automatic Update governs the "behind the scenes" download and installation processes. It's important to keep in mind the device limitation in your environment as the download and install process can consume processing power. The below section outlines the ideal configuration for devices with the least amount of user experience degradation. + +|Policy|Description | +|-|-| +|Configure Automatic Updates|Governs the installation activity that happens in the background. This allows you to configure the installation to happen during the [maintenance window](https://docs.microsoft.com/sccm/core/clients/manage/collections/use-maintenance-windows). Also, you can specify an installation time where the device will also try to install the latest packages. You can also pick a certain day and or week.| +|Automatic Update Detection Frequency|Lets you set the scan frequency the device will use to connect to Windows Update to see if there is any available content. Default is 22 hours, but you can increase or decrease the frequency. Keep in mind a desktop computer may need to scan less frequently than laptops, which can have intermittent internet connection.| +|Specify Intranet Microsoft Update Service Location|Used for Windows Server Update Services or System Center Configuration Manager users who want to install custom packages that are not offered through Windows Update.| +|Do not connect to any Windows Update Internet locations
          Required for Dual Scan|Prevents access to Windows Update.| + +## Suggested configuration + +|Policy|Location|Suggested configuration| +|-|-|-| +|Configure Automatic Updates| GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates| **Attention**: If you are using this policy, don't set it/configure it to get the default behavior. If you have set this policy, delete the reg key. This ensures the device uses the default behavior. Note that this is not the same as the default setting within the policy.

          **Default behavior**: Download and installation happen automatically. The device will then be in a pending reboot state.

          **Pro tip**: You can configure the scan frequency to be more frequent with the policy below.| +|Automatic Update Detection Frequency|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Automatic Updates detection frequency|State: Enabled
          **Check for updates on the following interval (hours)**: 22| +|Do not connect to any Windows Update Internet locations (Required for Dual Scan) | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not connect to any Windows Update Internet locations |State: Disabled | diff --git a/windows/deployment/update/wufb-basics.md b/windows/deployment/update/wufb-basics.md index 24c01317ea..e1e9419e08 100644 --- a/windows/deployment/update/wufb-basics.md +++ b/windows/deployment/update/wufb-basics.md @@ -1,29 +1,29 @@ ---- -title: Configure the Basic group policy for Windows Update for Business -description: Learn how to get started using the Basic GPO in Windows Update for Business. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greg-lindsay -ms.date: 06/20/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- -# Configure the Basic group policy for Windows Update for Business - -For Windows Update for Business configurations to work, devices need to be configured with minimum [diagnostic data](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization) level of "Basic." Additionally, compliance reporting for configured devices is obtained using [Update Compliance in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor). To view your data in Update Compliance [diagnostics data must be enabled](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#set-diagnostic-data-levels) and the devices must be configured with a commercial ID, a unique GUID created for an enterprise at the time of onboarding to the Windows Analytics solution. - -|Policy name|Description | -|-|-| -|Allow Telemetry|Enables Microsoft to run diagnostics on your device and troubleshoot.| -|Configure Commercial ID|This policy allows you to join the device to an entity.| - -## Suggested configuration - -|Policy|Location|Suggested configuration| -|-|-|-| -|Allow Telemetry |GPO: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Allow Telemetry |State: Enabled
          **Option**: 1-Basic| -|Configure Commercial ID|GPO: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Commercial ID |State: Enabled
          **Commercial ID**: The GUID created for you at the time of onboarding to Windows Analytics| +--- +title: Configure the Basic group policy for Windows Update for Business +description: Learn how to get started using the Basic GPO in Windows Update for Business. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.date: 06/20/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- +# Configure the Basic group policy for Windows Update for Business + +For Windows Update for Business configurations to work, devices need to be configured with minimum [diagnostic data](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization) level of "Basic." Additionally, compliance reporting for configured devices is obtained using [Update Compliance in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor). To view your data in Update Compliance [diagnostics data must be enabled](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#set-diagnostic-data-levels) and the devices must be configured with a commercial ID, a unique GUID created for an enterprise at the time of onboarding to the Windows Analytics solution. + +|Policy name|Description | +|-|-| +|Allow Telemetry|Enables Microsoft to run diagnostics on your device and troubleshoot.| +|Configure Commercial ID|This policy allows you to join the device to an entity.| + +## Suggested configuration + +|Policy|Location|Suggested configuration| +|-|-|-| +|Allow Telemetry |GPO: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Allow Telemetry |State: Enabled
          **Option**: 1-Basic| +|Configure Commercial ID|GPO: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Commercial ID |State: Enabled
          **Commercial ID**: The GUID created for you at the time of onboarding to Windows Analytics| diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md index e464692f3f..bb088093c1 100644 --- a/windows/deployment/update/wufb-compliancedeadlines.md +++ b/windows/deployment/update/wufb-compliancedeadlines.md @@ -1,100 +1,100 @@ ---- -title: Enforce compliance deadlines with policies in Windows Update for Business (Windows 10) -description: Learn how to enforce compliance deadlines using Windows Update for Business. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greg-lindsay -ms.date: 06/20/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- -# Enforcing compliance deadlines for updates - ->Applies to: Windows 10 - -Deploying feature or quality updates for many organizations is only part of the equation for managing their device ecosystem. The ability to enforce patch compliance is the next important part. Windows Update for Business provides controls to manage deadlines for when devices should migrate to newer revisions. We offer two compliance flows that you can choose from: - -- [Deadline only](#deadline-only) -- [Deadline with user engagement](#deadline-with-user-engagement) - -## Deadline Only - -This flow only enforces the deadline where the device will attempt to silently restart outside of active hours before the deadline is reached. Once the deadline is reached the user is prompted with either a confirmation button or a restart now option. - -### End User Experience - -Once the device is in the pending restart state, it will attempt to restart the device during non-active hours. This is known as the auto-restart period, and by default it does not require user interaction to reboot the device. - ->[!NOTE] ->Deadlines are enforced from pending restart state (for example, when the device has completed the installation and download from Windows Update). - -### Policy overview - -|Policy|Description | -|-|-| -|Specify deadline before auto-restart for update installation|Governs the update experience once the device has entered pending reboot state. It specifies a deadline, in days, to enforce compliance (such as imminent install).| -|Configure Auto-restart warning notification schedule for updates|Configures the reminder notification and the warning notification for a scheduled install. The user can dismiss a reminder, but not the warning.| - -### Suggested Configuration - -|Policy|Location|3 Day Compliance|5 Day Compliance|7 Day Compliance | -|-|-|-|-|-| -|Specify deadline before auto-restart for update installation| GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadline before auto-restart for update installation |State: Enabled
          **Specify the number of days before pending restart will automatically be executed outside of active hours**: 2|State: Enabled
          **Specify the number of days before pending restart will automatically be executed outside of active hours**: 3|State: Enabled
          **Specify the number of days before pending restart will automatically be executed outside of active hours**: 4 - -### Controlling notification experience for deadline - -|Policy| Location|Suggested Configuration | -|-|-|-| -|Configure Auto-restart warning notification schedule for updates|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure auto-restart warning notifications schedule for updates |State: Enabled
          **Reminder** (hours): 2
          **Warning** (minutes): 60 | - -### Notification experience for deadline - -Notification users get for a quality update deadline: -![The notification users get for an impending quality update deadline](images/wufb-quality-notification.png) - -Notification users get for a feature update deadline: -![The notification users get for an impending feature update deadline](images/wufb-feature-notification.png) - -## Deadline with user engagement - -This flow provides the end user with prompts to select a time to restart the device before the deadline is reached. If the device is unable to restart at the time specified by the user or the time selected is outside the deadline, the device will restart the next time it is active. - -### End user experience - -Before the deadline the device will be in two states: auto-restart period and engaged-restart period. During the auto-restart period the device will silently try to restart outside of active hours. If the device can't find an idle moment to restart, then the device will go into engaged-restart. The end user, at this point, can select a time that they would like the device to try to restart. Both phases happen before the deadline; once that deadline has passed then the device will restart at the next available time. - -### Policy overview - -|Policy| Description | -|-|-| -|Specify engaged restart transition and notification schedule for updates|Governs how the user will be impacted by the pending reboot. Transition days, first starts out in Auto-Restart where the device will find an idle moment to reboot the device. After 2 days engaged restart will commence and the user will be able to choose a time| -|Configure Auto-restart required notification for updates|Governs the notifications during the Auto-Restart period. During Active hours, the user will be notified that the device is trying to reboot. They will have the option to confirm or dismiss the notification| - -### Suggested configuration - -|Policy| Location| 3 Day Compliance| 5 Day Compliance| 7 Day Compliance | -|-|-|-|-|-| -|Specify engaged restart transition and notification schedule for updates|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify Engaged restart transition and notification schedule for updates|State: Enabled
          **Transition** (Days): 2
          **Snooze** (Days): 2
          **Deadline** (Days): 3|State: Enabled
          **Transition** (Days): 2
          **Snooze** (Days): 2
          **Deadline** (Days): 4|State: Enabled
          **Transition** (Days): 2
          **Snooze** (Days): 2
          **Deadline** (Days): 5| - -### Controlling notification experience for engaged deadline - -|Policy| Location |Suggested Configuration -|-|-|-| -|Configure Auto-restart required notification for updates |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Auto-restart required notification for updates|State: Enabled
          **Method**: 2- User| - -### Notification experience for engaged deadlines -Notification users get for quality update engaged deadline: -![The notification users get for an impending engaged quality update deadline](images/wufb-quality-engaged-notification.png) - -Notification users get for a quality update deadline: -![The notification users get for an impending quality update deadline](images/wufb-quality-notification.png) - -Notification users get for a feature update engaged deadline: -![The notification users get for an impending feature update engaged deadline](images/wufb-feature-update-engaged-notification.png) - -Notification users get for a feature update deadline: -![The notification users get for an impending feature update deadline](images/wufb-feature-update-deadline-notification.png) +--- +title: Enforce compliance deadlines with policies in Windows Update for Business (Windows 10) +description: Learn how to enforce compliance deadlines using Windows Update for Business. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.date: 06/20/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- +# Enforcing compliance deadlines for updates + +>Applies to: Windows 10 + +Deploying feature or quality updates for many organizations is only part of the equation for managing their device ecosystem. The ability to enforce patch compliance is the next important part. Windows Update for Business provides controls to manage deadlines for when devices should migrate to newer revisions. We offer two compliance flows that you can choose from: + +- [Deadline only](#deadline-only) +- [Deadline with user engagement](#deadline-with-user-engagement) + +## Deadline Only + +This flow only enforces the deadline where the device will attempt to silently restart outside of active hours before the deadline is reached. Once the deadline is reached the user is prompted with either a confirmation button or a restart now option. + +### End User Experience + +Once the device is in the pending restart state, it will attempt to restart the device during non-active hours. This is known as the auto-restart period, and by default it does not require user interaction to reboot the device. + +>[!NOTE] +>Deadlines are enforced from pending restart state (for example, when the device has completed the installation and download from Windows Update). + +### Policy overview + +|Policy|Description | +|-|-| +|Specify deadline before auto-restart for update installation|Governs the update experience once the device has entered pending reboot state. It specifies a deadline, in days, to enforce compliance (such as imminent install).| +|Configure Auto-restart warning notification schedule for updates|Configures the reminder notification and the warning notification for a scheduled install. The user can dismiss a reminder, but not the warning.| + +### Suggested Configuration + +|Policy|Location|3 Day Compliance|5 Day Compliance|7 Day Compliance | +|-|-|-|-|-| +|Specify deadline before auto-restart for update installation| GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadline before auto-restart for update installation |State: Enabled
          **Specify the number of days before pending restart will automatically be executed outside of active hours**: 2|State: Enabled
          **Specify the number of days before pending restart will automatically be executed outside of active hours**: 3|State: Enabled
          **Specify the number of days before pending restart will automatically be executed outside of active hours**: 4 + +### Controlling notification experience for deadline + +|Policy| Location|Suggested Configuration | +|-|-|-| +|Configure Auto-restart warning notification schedule for updates|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure auto-restart warning notifications schedule for updates |State: Enabled
          **Reminder** (hours): 2
          **Warning** (minutes): 60 | + +### Notification experience for deadline + +Notification users get for a quality update deadline: +![The notification users get for an impending quality update deadline](images/wufb-quality-notification.png) + +Notification users get for a feature update deadline: +![The notification users get for an impending feature update deadline](images/wufb-feature-notification.png) + +## Deadline with user engagement + +This flow provides the end user with prompts to select a time to restart the device before the deadline is reached. If the device is unable to restart at the time specified by the user or the time selected is outside the deadline, the device will restart the next time it is active. + +### End user experience + +Before the deadline the device will be in two states: auto-restart period and engaged-restart period. During the auto-restart period the device will silently try to restart outside of active hours. If the device can't find an idle moment to restart, then the device will go into engaged-restart. The end user, at this point, can select a time that they would like the device to try to restart. Both phases happen before the deadline; once that deadline has passed then the device will restart at the next available time. + +### Policy overview + +|Policy| Description | +|-|-| +|Specify engaged restart transition and notification schedule for updates|Governs how the user will be impacted by the pending reboot. Transition days, first starts out in Auto-Restart where the device will find an idle moment to reboot the device. After 2 days engaged restart will commence and the user will be able to choose a time| +|Configure Auto-restart required notification for updates|Governs the notifications during the Auto-Restart period. During Active hours, the user will be notified that the device is trying to reboot. They will have the option to confirm or dismiss the notification| + +### Suggested configuration + +|Policy| Location| 3 Day Compliance| 5 Day Compliance| 7 Day Compliance | +|-|-|-|-|-| +|Specify engaged restart transition and notification schedule for updates|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify Engaged restart transition and notification schedule for updates|State: Enabled
          **Transition** (Days): 2
          **Snooze** (Days): 2
          **Deadline** (Days): 3|State: Enabled
          **Transition** (Days): 2
          **Snooze** (Days): 2
          **Deadline** (Days): 4|State: Enabled
          **Transition** (Days): 2
          **Snooze** (Days): 2
          **Deadline** (Days): 5| + +### Controlling notification experience for engaged deadline + +|Policy| Location |Suggested Configuration +|-|-|-| +|Configure Auto-restart required notification for updates |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Auto-restart required notification for updates|State: Enabled
          **Method**: 2- User| + +### Notification experience for engaged deadlines +Notification users get for quality update engaged deadline: +![The notification users get for an impending engaged quality update deadline](images/wufb-quality-engaged-notification.png) + +Notification users get for a quality update deadline: +![The notification users get for an impending quality update deadline](images/wufb-quality-notification.png) + +Notification users get for a feature update engaged deadline: +![The notification users get for an impending feature update engaged deadline](images/wufb-feature-update-engaged-notification.png) + +Notification users get for a feature update deadline: +![The notification users get for an impending feature update deadline](images/wufb-feature-update-deadline-notification.png) diff --git a/windows/deployment/update/wufb-managedrivers.md b/windows/deployment/update/wufb-managedrivers.md index d45d3a878d..a43179a6a8 100644 --- a/windows/deployment/update/wufb-managedrivers.md +++ b/windows/deployment/update/wufb-managedrivers.md @@ -1,68 +1,68 @@ ---- -title: Managing drivers, dual-managed environments, and Delivery Optimization with group policies in Windows Update for Business -description: Learn how to manage drivers, dual managed environments, and bandwidth (Delivery Optimization) with GPOs in Windows Update for Business. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greg-lindsay -ms.date: 06/21/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- -# Managing drivers, dual-managed environments, and Delivery Optimization with group policies - ->Applies to: Windows 10 - -Use the following group policy information to manage drivers, to manage environments using both Windows Update for Business and Windows Server Update Services, and to manage the bandwidth required for updates with Delivery Optimization. - -## Managing drivers -Windows Update for Business provides the ability to manage drivers from the Windows Update service. By default, drivers will be offered to your Windows Update-connected devices. Our guidance here is to continue to receive drivers from Windows Update. Alternatively, you can enable the following policy to stop receiving drivers from Windows Update. - -### Policy overview - -|Policy| Description | -|-|-| -|Do not include drivers with Windows Update |When enabled prevents Windows Update from offering drivers.| - -### Suggested configuration - -|Policy| Location|Suggested configuration | -|-|-|-| -|Do not include drivers with Windows Update |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates|State: Disabled | - -## Dual-managed environment - -You can use an on-premises catalog, like WSUS, to deploy 3rd Party patches and use Windows Update to deploy feature and quality updates. We provide capabilities to deploy content from both Windows Update Service and from WSUS. In addition to the policies for managing drivers, apply the following configurations to your environment. - -|Policy| Description | -|-|-| -|Specify Intranet Microsoft Update Service Location| Used for WSUS/System Center Configuration Manager customers who want to install custom packages that are not offered through Windows Update.| - -### Suggested configuration - -|Policy| Location|Suggested configuration | -|-|-|-| -|Specify Intranet Microsoft Update Service Location|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify Intranet Microsoft update service location|State: Enabled
          **Set the Intranet Update service for detecting updates**:
          **Set the Intranet statistics server**:
          **Set the alternate download server**: | - -## Download Optimization - Managing your bandwidth - -[Delivery Optimization](waas-delivery-optimization.md) is Windows 10's built-in downloader and peer-caching technology that can benefit CSE for network bandwidth reduction of Windows 10 servicing updates. Windows 10 clients can source content from other devices on their local network that have already downloaded the same updates in addition to downloading these updates from Microsoft. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfil peer-to-peer requests. To configure devices for delivery optimization, ensure the following configurations are set. - -|Policy| Description | -|-|-| -|Download Mode| 2=HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if exist) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2| -|Minimum Peer Caching Content File Size (in MB)|Specifies the minimum content file size in MB enabled to use peer caching.
          Choose a size that meets your environment's constraints.| -|Allow uploads while the device is on battery while under set battery level (percentage)|Specify a battery level from 1-100, where the device will pause uploads once the battery level drops below that percentage. | -|Max Cache Age (in seconds)|Maximum number of seconds to keep data in cache.| - -### Suggested configuration - -|Policy| Location| Suggested configuration | -|-|-|-| -|Download Mode|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Download Mode|State: Enabled
          **Download Mode**: Group (2)| -|Minimum Peer Caching Content File Size (in MB)|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Minimum Peer Caching Content File Size (in MB)|State: Enabled
          **Minimum Peer caching content file size (in MB)**: 10 MB| -|Allow uploads while the device is on battery while under set battery level (percentage)|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Allow uploads while the device is on battery while under set battery level (percentage)|State: Enabled
          **Minimum battery level (Percentage)**: 60| -|Max Cache Age (in seconds)|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Max Cache Age (in seconds)|State: Enabled
          **Max Cache Age (in seconds)**: 604800 ~ 7 days| +--- +title: Managing drivers, dual-managed environments, and Delivery Optimization with group policies in Windows Update for Business +description: Learn how to manage drivers, dual managed environments, and bandwidth (Delivery Optimization) with GPOs in Windows Update for Business. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.date: 06/21/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- +# Managing drivers, dual-managed environments, and Delivery Optimization with group policies + +>Applies to: Windows 10 + +Use the following group policy information to manage drivers, to manage environments using both Windows Update for Business and Windows Server Update Services, and to manage the bandwidth required for updates with Delivery Optimization. + +## Managing drivers +Windows Update for Business provides the ability to manage drivers from the Windows Update service. By default, drivers will be offered to your Windows Update-connected devices. Our guidance here is to continue to receive drivers from Windows Update. Alternatively, you can enable the following policy to stop receiving drivers from Windows Update. + +### Policy overview + +|Policy| Description | +|-|-| +|Do not include drivers with Windows Update |When enabled prevents Windows Update from offering drivers.| + +### Suggested configuration + +|Policy| Location|Suggested configuration | +|-|-|-| +|Do not include drivers with Windows Update |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates|State: Disabled | + +## Dual-managed environment + +You can use an on-premises catalog, like WSUS, to deploy 3rd Party patches and use Windows Update to deploy feature and quality updates. We provide capabilities to deploy content from both Windows Update Service and from WSUS. In addition to the policies for managing drivers, apply the following configurations to your environment. + +|Policy| Description | +|-|-| +|Specify Intranet Microsoft Update Service Location| Used for WSUS/System Center Configuration Manager customers who want to install custom packages that are not offered through Windows Update.| + +### Suggested configuration + +|Policy| Location|Suggested configuration | +|-|-|-| +|Specify Intranet Microsoft Update Service Location|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify Intranet Microsoft update service location|State: Enabled
          **Set the Intranet Update service for detecting updates**:
          **Set the Intranet statistics server**:
          **Set the alternate download server**: | + +## Download Optimization - Managing your bandwidth + +[Delivery Optimization](waas-delivery-optimization.md) is Windows 10's built-in downloader and peer-caching technology that can benefit CSE for network bandwidth reduction of Windows 10 servicing updates. Windows 10 clients can source content from other devices on their local network that have already downloaded the same updates in addition to downloading these updates from Microsoft. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfil peer-to-peer requests. To configure devices for delivery optimization, ensure the following configurations are set. + +|Policy| Description | +|-|-| +|Download Mode| 2=HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if exist) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2| +|Minimum Peer Caching Content File Size (in MB)|Specifies the minimum content file size in MB enabled to use peer caching.
          Choose a size that meets your environment's constraints.| +|Allow uploads while the device is on battery while under set battery level (percentage)|Specify a battery level from 1-100, where the device will pause uploads once the battery level drops below that percentage. | +|Max Cache Age (in seconds)|Maximum number of seconds to keep data in cache.| + +### Suggested configuration + +|Policy| Location| Suggested configuration | +|-|-|-| +|Download Mode|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Download Mode|State: Enabled
          **Download Mode**: Group (2)| +|Minimum Peer Caching Content File Size (in MB)|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Minimum Peer Caching Content File Size (in MB)|State: Enabled
          **Minimum Peer caching content file size (in MB)**: 10 MB| +|Allow uploads while the device is on battery while under set battery level (percentage)|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Allow uploads while the device is on battery while under set battery level (percentage)|State: Enabled
          **Minimum battery level (Percentage)**: 60| +|Max Cache Age (in seconds)|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Max Cache Age (in seconds)|State: Enabled
          **Max Cache Age (in seconds)**: 604800 ~ 7 days| diff --git a/windows/deployment/update/wufb-manageupdate.md b/windows/deployment/update/wufb-manageupdate.md index 329656a29e..6ba3572c05 100644 --- a/windows/deployment/update/wufb-manageupdate.md +++ b/windows/deployment/update/wufb-manageupdate.md @@ -1,59 +1,59 @@ ---- -title: Managing feature and quality updates with policies in Windows Update for Business (Windows 10) -description: Learn how to get started using Windows Update for Business. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greg-lindsay -ms.date: 06/20/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Manage feature and quality updates with group policies - ->Applies to: Windows 10 - -Windows Update for Business allows users to control when devices should receive a feature or quality update from Windows Update. Depending on the size of your organization you may want to do a wave deployment of updates. The first step in this process is to determine which Branch Readiness Level you want your organization on. For more information on which level is right for your organization review [Overview of Windows as a service](waas-overview.md). - -The following policies let you configure when you want a device to see a feature and or quality update from Windows Update. - -## Policy overview - -|Policy name| Description | -|-|-| -|Select when Quality Updates are received|Configures when the device should receive quality update. In this policy you can also select a date to pause receiving Quality Updates until. | -|Select when Preview Builds & feature Updates are received|Configures when the device should receive a feature update. You can also configure your branch readiness level. This policy also provides the ability to "pause" updates until a certain point. | -|Do not allow update deferral policies to cause scans against Windows Update|When enabled will not allow the deferral policies to cause scans against Windows Update.| - -## Suggested configuration for a non-wave deployment - -If you don't need a wave deployment and have a small set of devices to manage, we recommend the following configuration: - -|Policy| Location|Suggested configuration | -|-|-|-| -|Select when Quality Updates are received | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are received|State: Enabled
          **Defer receiving it for this many days**: 0
          **Pause Quality Updates**: Blank
          *Note: use this functionality to prevent the device from receiving a quality update until the time passes| -|Select when Preview Builds & feature Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received|State: Enabled
          **Select Windows Readiness Level**: SAC
          **Defer receiving for this many days**: 0-365
          **Pause Feature Updates**: Blank
          *Note: use this functionality to prevent the device from receiving a feature update until the time passes| -|Do not allow update deferral policies to cause scans against Windows Update|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not allow update deferral policies to cause scans against Windows Update|State: Disabled| - -## Suggested configuration for a wave deployment -![Graphic showing a deployment divided into rings for a wave deployment](images/wufb-wave-deployment.png) - -## Early validation and testing -Depending on your organizational size and requirements you might be able to test feature updates earlier to identify if there are impacts to Line of Business applications. Our recommendation is to enroll a set of devices that are a good representation of your device ecosystem (for example, devices with accounting software or engineering software). Learn more about [different deployment rings](https://insider.windows.com/how-to-pc/#working-with-rings). - -|Policy|Location|Suggested configuration | -|-|-|-| -|Select when Preview Builds & feature Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received|State: Enabled
          **Select Windows Readiness Level**: WIP Fast or WIP slow
          **Defer receiving for this many days**: 0
          **Pause Feature Updates**: Blank *Note: use this functionality to prevent the device from receiving a feature update until the time passes.| -|Select when Quality Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are received|State: Enabled
          **Defer receiving it for this many days**: 0
          **Pause Quality Updates**: Blank
          *Note: use this functionality to prevent the device from receiving a quality update until the time passes| - -## Wave deployment for feature updates - -If you want to deploy feature updates in waves we suggest using the following configuration. For the deferral days we recommend staging them out in 1-month increments. Manage your risk by placing critical devices later in the wave (deferrals > 30 or 60 days) while placing your low risk devices earlier in the wave (deferrals < 30 days). Using deferrals days is a great method to manage your wave deployment. Using this in combination with our suggested early validation will help you prepare your environment for the latest updates from Windows. - -|Policy|Location|Suggested configuration | -|-|-|-| -|Select when Preview Builds & feature Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received|State: Enabled
          **Select Windows Readiness Level**: SAC
          **Defer receiving for this many days**: 0, 30, 60, 90, 120
          **Pause Feature Updates**: Blank
          *Note: use this functionality to prevent the device from receiving a feature update until the time passes +--- +title: Managing feature and quality updates with policies in Windows Update for Business (Windows 10) +description: Learn how to get started using Windows Update for Business. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.date: 06/20/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Manage feature and quality updates with group policies + +>Applies to: Windows 10 + +Windows Update for Business allows users to control when devices should receive a feature or quality update from Windows Update. Depending on the size of your organization you may want to do a wave deployment of updates. The first step in this process is to determine which Branch Readiness Level you want your organization on. For more information on which level is right for your organization review [Overview of Windows as a service](waas-overview.md). + +The following policies let you configure when you want a device to see a feature and or quality update from Windows Update. + +## Policy overview + +|Policy name| Description | +|-|-| +|Select when Quality Updates are received|Configures when the device should receive quality update. In this policy you can also select a date to pause receiving Quality Updates until. | +|Select when Preview Builds & feature Updates are received|Configures when the device should receive a feature update. You can also configure your branch readiness level. This policy also provides the ability to "pause" updates until a certain point. | +|Do not allow update deferral policies to cause scans against Windows Update|When enabled will not allow the deferral policies to cause scans against Windows Update.| + +## Suggested configuration for a non-wave deployment + +If you don't need a wave deployment and have a small set of devices to manage, we recommend the following configuration: + +|Policy| Location|Suggested configuration | +|-|-|-| +|Select when Quality Updates are received | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are received|State: Enabled
          **Defer receiving it for this many days**: 0
          **Pause Quality Updates**: Blank
          *Note: use this functionality to prevent the device from receiving a quality update until the time passes| +|Select when Preview Builds & feature Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received|State: Enabled
          **Select Windows Readiness Level**: SAC
          **Defer receiving for this many days**: 0-365
          **Pause Feature Updates**: Blank
          *Note: use this functionality to prevent the device from receiving a feature update until the time passes| +|Do not allow update deferral policies to cause scans against Windows Update|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not allow update deferral policies to cause scans against Windows Update|State: Disabled| + +## Suggested configuration for a wave deployment +![Graphic showing a deployment divided into rings for a wave deployment](images/wufb-wave-deployment.png) + +## Early validation and testing +Depending on your organizational size and requirements you might be able to test feature updates earlier to identify if there are impacts to Line of Business applications. Our recommendation is to enroll a set of devices that are a good representation of your device ecosystem (for example, devices with accounting software or engineering software). Learn more about [different deployment rings](https://insider.windows.com/how-to-pc/#working-with-rings). + +|Policy|Location|Suggested configuration | +|-|-|-| +|Select when Preview Builds & feature Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received|State: Enabled
          **Select Windows Readiness Level**: WIP Fast or WIP slow
          **Defer receiving for this many days**: 0
          **Pause Feature Updates**: Blank *Note: use this functionality to prevent the device from receiving a feature update until the time passes.| +|Select when Quality Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are received|State: Enabled
          **Defer receiving it for this many days**: 0
          **Pause Quality Updates**: Blank
          *Note: use this functionality to prevent the device from receiving a quality update until the time passes| + +## Wave deployment for feature updates + +If you want to deploy feature updates in waves we suggest using the following configuration. For the deferral days we recommend staging them out in 1-month increments. Manage your risk by placing critical devices later in the wave (deferrals > 30 or 60 days) while placing your low risk devices earlier in the wave (deferrals < 30 days). Using deferrals days is a great method to manage your wave deployment. Using this in combination with our suggested early validation will help you prepare your environment for the latest updates from Windows. + +|Policy|Location|Suggested configuration | +|-|-|-| +|Select when Preview Builds & feature Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received|State: Enabled
          **Select Windows Readiness Level**: SAC
          **Defer receiving for this many days**: 0, 30, 60, 90, 120
          **Pause Feature Updates**: Blank
          *Note: use this functionality to prevent the device from receiving a feature update until the time passes diff --git a/windows/deployment/update/wufb-onboard.md b/windows/deployment/update/wufb-onboard.md index fac68e1a9c..98d62be2fa 100644 --- a/windows/deployment/update/wufb-onboard.md +++ b/windows/deployment/update/wufb-onboard.md @@ -1,47 +1,47 @@ ---- -title: Onboarding to Windows Update for Business (Windows 10) -description: Learn how to get started using Windows Update for Business. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greg-lindsay -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Onboarding to Windows Update for Business in Windows 10 - ->Applies to: Windows 10 - -Windows Update for Business is a tool that enables IT pros and power users to manage content they want to receive from Windows Update Service. Windows Update for Business can control the following: - -- Interaction between the client and Windows Update service -- End user notification for pending updates -- Compliance deadlines for feature or quality updates -- Configure wave deployment for feature or quality updates bandwidth optimization - -We also provide additional functionality to manage your environment when risk or issues arise such as applications being blocked: - -- Uninstall latest feature or quality update -- Pause for a duration of time - -Use the following information to set up your environment using Windows Update for Business policies: - -- [Supported SKUs](#supported-editions) -- [Windows Update for Business basics](wufb-basics.md) -- [Setting up automatic update](wufb-autoupdate.md) -- [Managing feature and quality updates](wufb-manageupdate.md) -- [Enforcing compliance deadlines](wufb-compliancedeadlines.md) -- [Managing drivers, environments with both Windows Update for Business and WSUS, and Download Optmization](wufb-managedrivers.md) - -## Supported editions - -Windows Update for Business is supported on the following editions of Windows 10: - -- Windows 10 Education -- Windows 10 Enterprise -- Windows 10 Pro -- Windows 10 S (for Windows 10, version 1709 and earlier) +--- +title: Onboarding to Windows Update for Business (Windows 10) +description: Learn how to get started using Windows Update for Business. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Onboarding to Windows Update for Business in Windows 10 + +>Applies to: Windows 10 + +Windows Update for Business is a tool that enables IT pros and power users to manage content they want to receive from Windows Update Service. Windows Update for Business can control the following: + +- Interaction between the client and Windows Update service +- End user notification for pending updates +- Compliance deadlines for feature or quality updates +- Configure wave deployment for feature or quality updates bandwidth optimization + +We also provide additional functionality to manage your environment when risk or issues arise such as applications being blocked: + +- Uninstall latest feature or quality update +- Pause for a duration of time + +Use the following information to set up your environment using Windows Update for Business policies: + +- [Supported SKUs](#supported-editions) +- [Windows Update for Business basics](wufb-basics.md) +- [Setting up automatic update](wufb-autoupdate.md) +- [Managing feature and quality updates](wufb-manageupdate.md) +- [Enforcing compliance deadlines](wufb-compliancedeadlines.md) +- [Managing drivers, environments with both Windows Update for Business and WSUS, and Download Optmization](wufb-managedrivers.md) + +## Supported editions + +Windows Update for Business is supported on the following editions of Windows 10: + +- Windows 10 Education +- Windows 10 Enterprise +- Windows 10 Pro +- Windows 10 S (for Windows 10, version 1709 and earlier) diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md index 2344d36ef8..0216aec2c1 100644 --- a/windows/deployment/upgrade/log-files.md +++ b/windows/deployment/upgrade/log-files.md @@ -1,171 +1,171 @@ ---- -title: Log files - Windows IT Pro -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. -keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.localizationpriority: medium -ms.topic: article ---- - -# Log files - -**Applies to** -- Windows 10 - ->[!NOTE] ->This is a 400 level topic (advanced).
          ->See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. - - -Several log files are created during each phase of the upgrade process. These log files are essential for troubleshooting upgrade problems. By default, the folders that contain these log files are hidden on the upgrade target computer. To view the log files, configure Windows Explorer to view hidden items, or use a tool to automatically gather these logs. The most useful log is **setupact.log**. The log files are located in a different folder depending on the Windows Setup phase. Recall that you can determine the phase from the extend code. - -Note: Also see the [Windows Error Reporting](windows-error-reporting.md) section in this document for help locating error codes and log files. - -The following table describes some log files and how to use them for troubleshooting purposes:
          - -
          - - - - - - - - - - - - - - - - -
          Log filePhase: LocationDescriptionWhen to use
          setupact.logDown-Level:
          $Windows.~BT\Sources\Panther          		Contains information about setup actions during the downlevel phase. All down-level failures and starting point for rollback investigations.
          This is the most important log for diagnosing setup issues.
          OOBE:
          $Windows.~BT\Sources\Panther\UnattendGC          		Contains information about actions during the OOBE phase.Investigating rollbacks that failed during OOBE phase and operations – 0x4001C, 0x4001D, 0x4001E, 0x4001F.
          Rollback:
          $Windows.~BT\Sources\Rollback          		Contains information about actions during rollback.Investigating generic rollbacks - 0xC1900101.
          Pre-initialization (prior to downlevel):
          Windows          		Contains information about initializing setup.If setup fails to launch.
          Post-upgrade (after OOBE):
          Windows\Panther          		Contains information about setup actions during the installation.Investigate post-upgrade related issues.
          setuperr.logSame as setupact.logContains information about setup errors during the installation.Review all errors encountered during the installation phase.
          miglog.xmlPost-upgrade (after OOBE):
          Windows\Panther          		Contains information about what was migrated during the installation.Identify post upgrade data migration issues.
          BlueBox.logDown-Level:
          Windows\Logs\Mosetup          		Contains information communication between setup.exe and Windows Update.Use during WSUS and WU down-level failures or for 0xC1900107.
          Supplemental rollback logs:
          -Setupmem.dmp
          -setupapi.dev.log
          -Event logs (*.evtx)          		$Windows.~BT\Sources\RollbackAdditional logs collected during rollback. -Setupmem.dmp: If OS bugchecks during upgrade, setup will attempt to extract a mini-dump.
          -Setupapi: Device install issues - 0x30018
          -Event logs: Generic rollbacks (0xC1900101) or unexpected reboots.
          - -## Log entry structure - -A setupact.log or setuperr.log entry (files are located at C:\Windows) includes the following elements: - -
            -
          1. The date and time - 2016-09-08 09:20:05. -
          2. The log level - Info, Warning, Error, Fatal Error. -
          3. The logging component - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS. -
              -
            • The logging components SP (setup platform), MIG (migration engine), and CONX (compatibility information) are particularly useful for troubleshooting Windows Setup errors. -
            -
          4. The message - Operation completed successfully. -
          - -See the following example: - -| Date/Time | Log level | Component | Message | -|------|------------|------------|------------| -|2016-09-08 09:23:50,| Warning | MIG | Could not replace object C:\Users\name\Cookies. Target Object cannot be removed.| - - -## Analyze log files - ->The following instructions are meant for IT professionals. Also see the [Upgrade error codes](upgrade-error-codes.md) section in this guide to familiarize yourself with [result codes](upgrade-error-codes.md#result-codes) and [extend codes](upgrade-error-codes.md#extend-codes). - -
          To analyze Windows Setup log files: - -
            -
          1. Determine the Windows Setup error code. This code should be returned by Windows Setup if it is not successful with the upgrade process. -
          2. Based on the extend code portion of the error code, determine the type and location of a log files to investigate. -
          3. Open the log file in a text editor, such as notepad. -
          4. Using the result code portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below. -
          5. To find the last occurrence of the result code: -
              -
            1. Scroll to the bottom of the file and click after the last character. -
            2. Click Edit. -
            3. Click Find. -
            4. Type the result code. -
            5. Under Direction select Up. -
            6. Click Find Next. -
            -
          6. When you have located the last occurrence of the result code, scroll up a few lines from this location in the file and review the processes that failed just prior to generating the result code. -
          7. Search for the following important text strings: -
              -
            • Shell application requested abort -
            • Abandoning apply due to error for object -
            -
          8. Decode Win32 errors that appear in this section. -
          9. Write down the timestamp for the observed errors in this section. -
          10. Search other log files for additional information matching these timestamps or errors. -
          - -For example, assume that the error code for an error is 0x8007042B - 0x2000D. Searching for "8007042B" reveals the following content from the setuperr.log file: - ->Some lines in the text below are shortened to enhance readability. The date and time at the start of each line (ex: 2016-10-05 15:27:08) is shortened to minutes and seconds, and the certificate file name which is a long text string is shortened to just "CN." - -
          setuperr.log content: - -
          -27:08, Error           SP     Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
-27:08, Error           MIG    Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570]
-27:08, Error                  Gather failed. Last error: 0x00000000
-27:08, Error           SP     SPDoFrameworkGather: Gather operation failed. Error: 0x0000002C
-27:09, Error           SP     CMigrateFramework: Gather framework failed. Status: 44
-27:09, Error           SP     Operation failed: Migrate framework (Full). Error: 0x8007042B[gle=0x000000b7]
-27:09, Error           SP     Operation execution failed: 13. hr = 0x8007042B[gle=0x000000b7]
-27:09, Error           SP     CSetupPlatformPrivate::Execute: Execution of operations queue failed, abandoning. Error: 0x8007042B[gle=0x000000b7]
-
          - -The first line indicates there was an error **0x00000570** with the file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]** (shown below): - -
          -27:08, Error           SP     Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
-
          - -The error 0x00000570 is a [Win32 error code](https://msdn.microsoft.com/library/cc231199.aspx) corresponding to: ERROR_FILE_CORRUPT: The file or directory is corrupted and unreadable. - -Therefore, Windows Setup failed because it was not able to migrate the corrupt file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN]**. This file is a local system certificate and can be safely deleted. Searching the setupact.log file for additional details, the phrase "Shell application requested abort" is found in a location with the same timestamp as the lines in setuperr.log. This confirms our suspicion that this file is the cause of the upgrade failure: - -
          setupact.log content: - -
          -27:00, Info                   Gather started at 10/5/2016 23:27:00
-27:00, Info [0x080489] MIG    Setting system object filter context (System)
-27:00, Info [0x0803e5] MIG    Not unmapping HKCU\Software\Classes; it is not mapped
-27:00, Info [0x0803e5] MIG    Not unmapping HKCU; it is not mapped
-27:00, Info            SP     ExecuteProgress: Elapsed events:1 of 4, Percent: 12
-27:00, Info [0x0802c6] MIG    Processing GATHER for migration unit: <System>\UpgradeFramework (CMXEAgent)
-27:08, Error           SP     Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
-27:08, Error           MIG    Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570]
-27:08, Info            SP     ExecuteProgress: Elapsed events:2 of 4, Percent: 25
-27:08, Info            SP     ExecuteProgress: Elapsed events:3 of 4, Percent: 37
-27:08, Info [0x080489] MIG    Setting system object filter context (System)
-27:08, Info [0x0803e5] MIG    Not unmapping HKCU\Software\Classes; it is not mapped
-27:08, Info [0x0803e5] MIG    Not unmapping HKCU; it is not mapped
-27:08, Info            MIG    COutOfProcPluginFactory::FreeSurrogateHost: Shutdown in progress.
-27:08, Info            MIG    COutOfProcPluginFactory::LaunchSurrogateHost::CommandLine: -shortened-
-27:08, Info            MIG    COutOfProcPluginFactory::LaunchSurrogateHost: Successfully launched host and got control object.
-27:08, Error                  Gather failed. Last error: 0x00000000
-27:08, Info                   Gather ended at 10/5/2016 23:27:08 with result 44
-27:08, Info                   Leaving MigGather method
-27:08, Error           SP     SPDoFrameworkGather: Gather operation failed. Error: 0x0000002C
-
          - - -
          This analysis indicates that the Windows upgrade error can be resolved by deleting the C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN] file. Note: In this example, the full, unshortened file name is C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\be8228fb2d3cb6c6b0ccd9ad51b320b4_a43d512c-69f2-42de-aef9-7a88fabdaa3f. - -## Related topics - -[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) -
          [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -
          [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) -
          [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) -
          [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) +--- +title: Log files - Windows IT Pro +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. +keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.topic: article +--- + +# Log files + +**Applies to** +- Windows 10 + +>[!NOTE] +>This is a 400 level topic (advanced).
          +>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. + + +Several log files are created during each phase of the upgrade process. These log files are essential for troubleshooting upgrade problems. By default, the folders that contain these log files are hidden on the upgrade target computer. To view the log files, configure Windows Explorer to view hidden items, or use a tool to automatically gather these logs. The most useful log is **setupact.log**. The log files are located in a different folder depending on the Windows Setup phase. Recall that you can determine the phase from the extend code. + +Note: Also see the [Windows Error Reporting](windows-error-reporting.md) section in this document for help locating error codes and log files. + +The following table describes some log files and how to use them for troubleshooting purposes:
          + +
          + + + + + + + + + + + + + + + + +
          Log filePhase: LocationDescriptionWhen to use
          setupact.logDown-Level:
          $Windows.~BT\Sources\Panther          		Contains information about setup actions during the downlevel phase. All down-level failures and starting point for rollback investigations.
          This is the most important log for diagnosing setup issues.
          OOBE:
          $Windows.~BT\Sources\Panther\UnattendGC          		Contains information about actions during the OOBE phase.Investigating rollbacks that failed during OOBE phase and operations – 0x4001C, 0x4001D, 0x4001E, 0x4001F.
          Rollback:
          $Windows.~BT\Sources\Rollback          		Contains information about actions during rollback.Investigating generic rollbacks - 0xC1900101.
          Pre-initialization (prior to downlevel):
          Windows          		Contains information about initializing setup.If setup fails to launch.
          Post-upgrade (after OOBE):
          Windows\Panther          		Contains information about setup actions during the installation.Investigate post-upgrade related issues.
          setuperr.logSame as setupact.logContains information about setup errors during the installation.Review all errors encountered during the installation phase.
          miglog.xmlPost-upgrade (after OOBE):
          Windows\Panther          		Contains information about what was migrated during the installation.Identify post upgrade data migration issues.
          BlueBox.logDown-Level:
          Windows\Logs\Mosetup          		Contains information communication between setup.exe and Windows Update.Use during WSUS and WU down-level failures or for 0xC1900107.
          Supplemental rollback logs:
          +Setupmem.dmp
          +setupapi.dev.log
          +Event logs (*.evtx)          		$Windows.~BT\Sources\RollbackAdditional logs collected during rollback. +Setupmem.dmp: If OS bugchecks during upgrade, setup will attempt to extract a mini-dump.
          +Setupapi: Device install issues - 0x30018
          +Event logs: Generic rollbacks (0xC1900101) or unexpected reboots.
          + +## Log entry structure + +A setupact.log or setuperr.log entry (files are located at C:\Windows) includes the following elements: + +
            +
          1. The date and time - 2016-09-08 09:20:05. +
          2. The log level - Info, Warning, Error, Fatal Error. +
          3. The logging component - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS. +
              +
            • The logging components SP (setup platform), MIG (migration engine), and CONX (compatibility information) are particularly useful for troubleshooting Windows Setup errors. +
            +
          4. The message - Operation completed successfully. +
          + +See the following example: + +| Date/Time | Log level | Component | Message | +|------|------------|------------|------------| +|2016-09-08 09:23:50,| Warning | MIG | Could not replace object C:\Users\name\Cookies. Target Object cannot be removed.| + + +## Analyze log files + +>The following instructions are meant for IT professionals. Also see the [Upgrade error codes](upgrade-error-codes.md) section in this guide to familiarize yourself with [result codes](upgrade-error-codes.md#result-codes) and [extend codes](upgrade-error-codes.md#extend-codes). + +
          To analyze Windows Setup log files: + +
            +
          1. Determine the Windows Setup error code. This code should be returned by Windows Setup if it is not successful with the upgrade process. +
          2. Based on the extend code portion of the error code, determine the type and location of a log files to investigate. +
          3. Open the log file in a text editor, such as notepad. +
          4. Using the result code portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below. +
          5. To find the last occurrence of the result code: +
              +
            1. Scroll to the bottom of the file and click after the last character. +
            2. Click Edit. +
            3. Click Find. +
            4. Type the result code. +
            5. Under Direction select Up. +
            6. Click Find Next. +
            +
          6. When you have located the last occurrence of the result code, scroll up a few lines from this location in the file and review the processes that failed just prior to generating the result code. +
          7. Search for the following important text strings: +
              +
            • Shell application requested abort +
            • Abandoning apply due to error for object +
            +
          8. Decode Win32 errors that appear in this section. +
          9. Write down the timestamp for the observed errors in this section. +
          10. Search other log files for additional information matching these timestamps or errors. +
          + +For example, assume that the error code for an error is 0x8007042B - 0x2000D. Searching for "8007042B" reveals the following content from the setuperr.log file: + +>Some lines in the text below are shortened to enhance readability. The date and time at the start of each line (ex: 2016-10-05 15:27:08) is shortened to minutes and seconds, and the certificate file name which is a long text string is shortened to just "CN." + +
          setuperr.log content: + +
          +27:08, Error           SP     Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
+27:08, Error           MIG    Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570]
+27:08, Error                  Gather failed. Last error: 0x00000000
+27:08, Error           SP     SPDoFrameworkGather: Gather operation failed. Error: 0x0000002C
+27:09, Error           SP     CMigrateFramework: Gather framework failed. Status: 44
+27:09, Error           SP     Operation failed: Migrate framework (Full). Error: 0x8007042B[gle=0x000000b7]
+27:09, Error           SP     Operation execution failed: 13. hr = 0x8007042B[gle=0x000000b7]
+27:09, Error           SP     CSetupPlatformPrivate::Execute: Execution of operations queue failed, abandoning. Error: 0x8007042B[gle=0x000000b7]
+
          + +The first line indicates there was an error **0x00000570** with the file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]** (shown below): + +
          +27:08, Error           SP     Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
+
          + +The error 0x00000570 is a [Win32 error code](https://msdn.microsoft.com/library/cc231199.aspx) corresponding to: ERROR_FILE_CORRUPT: The file or directory is corrupted and unreadable. + +Therefore, Windows Setup failed because it was not able to migrate the corrupt file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN]**. This file is a local system certificate and can be safely deleted. Searching the setupact.log file for additional details, the phrase "Shell application requested abort" is found in a location with the same timestamp as the lines in setuperr.log. This confirms our suspicion that this file is the cause of the upgrade failure: + +
          setupact.log content: + +
          +27:00, Info                   Gather started at 10/5/2016 23:27:00
+27:00, Info [0x080489] MIG    Setting system object filter context (System)
+27:00, Info [0x0803e5] MIG    Not unmapping HKCU\Software\Classes; it is not mapped
+27:00, Info [0x0803e5] MIG    Not unmapping HKCU; it is not mapped
+27:00, Info            SP     ExecuteProgress: Elapsed events:1 of 4, Percent: 12
+27:00, Info [0x0802c6] MIG    Processing GATHER for migration unit: <System>\UpgradeFramework (CMXEAgent)
+27:08, Error           SP     Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
+27:08, Error           MIG    Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570]
+27:08, Info            SP     ExecuteProgress: Elapsed events:2 of 4, Percent: 25
+27:08, Info            SP     ExecuteProgress: Elapsed events:3 of 4, Percent: 37
+27:08, Info [0x080489] MIG    Setting system object filter context (System)
+27:08, Info [0x0803e5] MIG    Not unmapping HKCU\Software\Classes; it is not mapped
+27:08, Info [0x0803e5] MIG    Not unmapping HKCU; it is not mapped
+27:08, Info            MIG    COutOfProcPluginFactory::FreeSurrogateHost: Shutdown in progress.
+27:08, Info            MIG    COutOfProcPluginFactory::LaunchSurrogateHost::CommandLine: -shortened-
+27:08, Info            MIG    COutOfProcPluginFactory::LaunchSurrogateHost: Successfully launched host and got control object.
+27:08, Error                  Gather failed. Last error: 0x00000000
+27:08, Info                   Gather ended at 10/5/2016 23:27:08 with result 44
+27:08, Info                   Leaving MigGather method
+27:08, Error           SP     SPDoFrameworkGather: Gather operation failed. Error: 0x0000002C
+
          + + +
          This analysis indicates that the Windows upgrade error can be resolved by deleting the C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN] file. Note: In this example, the full, unshortened file name is C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\be8228fb2d3cb6c6b0ccd9ad51b320b4_a43d512c-69f2-42de-aef9-7a88fabdaa3f. + +## Related topics + +[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) +
          [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) +
          [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) +
          [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) +
          [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) diff --git a/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md b/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md index 1fb24f2e4e..078074ba23 100644 --- a/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md +++ b/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md @@ -1,47 +1,47 @@ ---- -title: Manage Windows upgrades with Upgrade Readiness (Windows 10) -description: Provides an overview of the process of managing Windows upgrades with Upgrade Readiness. -ms.prod: w10 -author: greg-lindsay -ms.date: 04/25/2017 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.topic: article ---- - -# Manage Windows upgrades with Upgrade Readiness - -Upgrading to new operating systems has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points. - -With the release of Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released. Windows Upgrade Readiness not only supports upgrade management from Windows 7, Windows 8.1 to Windows 10, but also Windows 10 upgrades in the [Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview) model. - -Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10. - -With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. - -Use Upgrade Readiness to get: - -- A visual workflow that guides you from pilot to production -- Detailed computer and application inventory -- Powerful computer level search and drill-downs -- Guidance and insights into application and driver compatibility issues, with suggested fixes -- Data driven application rationalization tools -- Application usage information, allowing targeted validation; workflow to track validation progress and decisions -- Data export to commonly used software deployment tools, including System Center Configuration Manager - -The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. - -**Important** For system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see: - -- [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization) -- [Manage connections from Windows operating system components to Microsoft services](/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services) -- [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965) - -## **Related topics** - -[Upgrade Readiness architecture](upgrade-readiness-architecture.md)
          -[Upgrade Readiness requirements](upgrade-readiness-requirements.md)
          -[Upgrade Readiness release notes](upgrade-readiness-requirements.md#important-information-about-this-release)
          -[Get started with Upgrade Readiness](upgrade-readiness-get-started.md)
          -[Use Upgrade Readiness to manage Windows upgrades](use-upgrade-readiness-to-manage-windows-upgrades.md) +--- +title: Manage Windows upgrades with Upgrade Readiness (Windows 10) +description: Provides an overview of the process of managing Windows upgrades with Upgrade Readiness. +ms.prod: w10 +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.topic: article +--- + +# Manage Windows upgrades with Upgrade Readiness + +Upgrading to new operating systems has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points. + +With the release of Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released. Windows Upgrade Readiness not only supports upgrade management from Windows 7, Windows 8.1 to Windows 10, but also Windows 10 upgrades in the [Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview) model. + +Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10. + +With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. + +Use Upgrade Readiness to get: + +- A visual workflow that guides you from pilot to production +- Detailed computer and application inventory +- Powerful computer level search and drill-downs +- Guidance and insights into application and driver compatibility issues, with suggested fixes +- Data driven application rationalization tools +- Application usage information, allowing targeted validation; workflow to track validation progress and decisions +- Data export to commonly used software deployment tools, including System Center Configuration Manager + +The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. + +**Important** For system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see: + +- [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization) +- [Manage connections from Windows operating system components to Microsoft services](/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services) +- [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965) + +## **Related topics** + +[Upgrade Readiness architecture](upgrade-readiness-architecture.md)
          +[Upgrade Readiness requirements](upgrade-readiness-requirements.md)
          +[Upgrade Readiness release notes](upgrade-readiness-requirements.md#important-information-about-this-release)
          +[Get started with Upgrade Readiness](upgrade-readiness-get-started.md)
          +[Use Upgrade Readiness to manage Windows upgrades](use-upgrade-readiness-to-manage-windows-upgrades.md) diff --git a/windows/deployment/upgrade/quick-fixes.md b/windows/deployment/upgrade/quick-fixes.md index f258bb2378..305917b360 100644 --- a/windows/deployment/upgrade/quick-fixes.md +++ b/windows/deployment/upgrade/quick-fixes.md @@ -1,239 +1,239 @@ ---- -title: Quick fixes - Windows IT Pro -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. -keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.localizationpriority: medium -ms.topic: article ---- - -# Quick fixes - -**Applies to** -- Windows 10 - ->[!NOTE] ->This is a 100 level topic (basic).
          ->See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. - -The following list of fixes can resolve many Windows upgrade problems. You should try these steps before contacting Microsoft support, or attempting a more advanced analysis of a Windows upgrade failure. Also review information at [Windows 10 help](https://support.microsoft.com/products/windows?os=windows-10). - -The Microsoft Virtual Agent provided by [Microsoft Support](https://support.microsoft.com/contactus/) can help you to analyze and correct some Windows upgrade errors. **To talk to a person about your issue**, start the Virtual Agent (click **Get started**) and enter "Talk to a person" two times. - ->You might also wish to try a new tool available from Microsoft that helps to diagnose many Windows upgrade errors. For more information and to download this tool, see [SetupDiag](setupdiag.md). The topic is more advanced (300 level) because several advanced options are available for using the tool. However, you can now just download and then double-click the tool to run it. By default when you click Save, the tool is saved in your **Downloads** folder. Double-click the tool in the folder and wait until it finishes running (it might take a few minutes), then double-click the **SetupDiagResults.log** file and open it using Notepad to see the results of the analysis. - -## List of fixes - -
            -
          1. Remove nonessential external hardware, such as docks and USB devices. More information.
            2. -
          2. Check the system drive for errors and attempt repairs. More information.
            3. -
          3. Run the Windows Update troubleshooter. More information.
            4. -
          4. Attempt to restore and repair system files. More information.
            5. -
          5. Update Windows so that all available recommended updates are installed, and ensure the computer is rebooted if this is necessary to complete installation of an update. More information.
            6. -
          6. Temporarily uninstall non-Microsoft antivirus software. - More information.
            7. - -
          7. Uninstall all nonessential software. More information.
            8. -
          8. Update firmware and drivers. More information
            9. -
          9. Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. More information.
            10. -
          10. Verify at least 16 GB of free space is available to upgrade a 32-bit OS, or 20 GB for a 64-bit OS. More information.
            11. -
          - -## Step by step instructions - -### Remove external hardware - -If the computer is portable and it is currently in a docking station, [undock the computer](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754084(v=ws.11)). - -Unplug nonessential external hardware devices from the computer, such as: -- Headphones -- Joysticks -- Printers -- Plotters -- Projectors -- Scanners -- Speakers -- USB flash drives -- Portable hard drives -- Portable CD/DVD/Blu-ray drives -- Microphones -- Media card readers -- Cameras/Webcams -- Smart phones -- Secondary monitors, keyboards, mice - -For more information about disconnecting external devices, see [Safely remove hardware in Windows 10](https://support.microsoft.com/help/4051300/windows-10-safely-remove-hardware) - -### Repair the system drive - -The system drive is the drive that contains the [system partition](https://docs.microsoft.com/windows-hardware/manufacture/desktop/hard-drives-and-partitions#span-idpartitionsspanspan-idpartitionsspanspan-idpartitionsspanpartitions). This is usually the **C:** drive. - -To check and repair errors on the system drive: - -1. Click **Start**. -2. Type **command**. -3. Right-click **Command Prompt** and then left-click **Run as administrator**. -4. If you are prompted by UAC, click **Yes**. -5. Type **chkdsk /F** and press ENTER. -6. When you are prompted to schedule a check the next time the system restarts, type **Y**. -7. See the following example - - ``` - C:\WINDOWS\system32>chkdsk /F - The type of the file system is NTFS. - Cannot lock current drive. - - Chkdsk cannot run because the volume is in use by another - process. Would you like to schedule this volume to be - checked the next time the system restarts? (Y/N) Y - - This volume will be checked the next time the system restarts. - ``` - -8. Restart the computer. The computer will pause before loading Windows and perform a repair of your hard drive. - -### Windows Update Troubleshooter - -The Windows Update troubleshooter tool will automatically analyze and fix problems with Windows Update, such as a corrupted download. It will also tell you if there is a pending reboot that is preventing Windows from updating. - -For Windows 7 and 8.1, the tool is [here](https://aka.ms/diag_wu). - -For Windows 10, the tool is [here](https://aka.ms/wudiag). - -To run the tool, click the appropriate link above. Your web browser will prompt you to save or open the file. Select **open** and the tool will automatically start. The tool will walk you through analyzing and fixing some common problems. - -You can also download the Windows Update Troubleshooter by starting the Microsoft [Virtual Agent](https://support.microsoft.com/contact/virtual-agent/), typing **update Windows**, selecting the version of Windows you are running, and then answering **Yes** when asked "Do you need help troubleshooting Windows Update?" - -If any errors are displayed in the Windows Update Troubleshooter, use the Microsoft [Virtual Agent](https://support.microsoft.com/contact/virtual-agent/) to ask about these errors. The Virtual Agent will perform a search and provide a list of helpful links. - -### Repair system files - -This fix is also described in detail at [answers.microsoft.com](https://answers.microsoft.com/en-us/windows/forum/windows_10-update/system-file-check-sfc-scan-and-repair-system-files/bc609315-da1f-4775-812c-695b60477a93). - -To check and repair system files: - -1. Click **Start**. -2. Type **command**. -3. Right-click **Command Prompt** and then left-click **Run as administrator**. -4. If you are prompted by UAC, click **Yes**. -5. Type **sfc /scannow** and press ENTER. See the following example: - - ``` - C:\>sfc /scannow - - Beginning system scan. This process will take some time. - - Beginning verification phase of system scan. - Verification 100% complete. - - Windows Resource Protection did not find any integrity violations. - ``` -6. If you are running Windows 8.1 or later, type **DISM.exe /Online /Cleanup-image /Restorehealth** and press ENTER (the DISM command options are not available for Windows 7). See the following example: - - ``` - C:\>DISM.exe /Online /Cleanup-image /Restorehealth - - Deployment Image Servicing and Management tool - Version: 10.0.16299.15 - - Image Version: 10.0.16299.309 - - [==========================100.0%==========================] The restore operation completed successfully. - The operation completed successfully. - - ``` - >It may take several minutes for the command operations to be completed. For more information, see [Repair a Windows Image](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/repair-a-windows-image). - - -### Update Windows - -You should ensure that all important updates are installed before attempting to upgrade. This includes updates to hardware drivers on your computer. - -The Microsoft [Virtual Agent](https://support.microsoft.com/contact/virtual-agent/) can walk you through the process of making sure that Windows is updated. - -Start the [Virtual Agent](https://support.microsoft.com/contact/virtual-agent/) and then type "update windows." - -Answer questions that the agent asks, and follow instructions to ensure that Windows is up to date. You can also run the [Windows Update Troubleshooter](#windows-update-troubleshooter) described above. - -Click **Start**, click power options, and then restart the computer. - -### Uninstall non-Microsoft antivirus software - -Use Windows Defender for protection during the upgrade. - -Verify compatibility information, and if desired re-install antivirus applications after the upgrade. If you plan to re-install the application after upgrading, be sure that you have the installation media and all required activation information before removing the program. - -To remove the application, go to **Control Panel\Programs\Programs and Features** and click the antivirus application, then click Uninstall. Choose **Yes** when you are asked to confirm program removal. - -For more information, see [Windows 7 - How to properly uninstall programs](https://support.microsoft.com/help/2601726) or [Repair or remove programs in Windows 10](https://support.microsoft.com/help/4028054/windows-repair-or-remove-programs-in-windows-10). - -### Uninstall non-essential software - -Outdated applications can cause problems with a Windows upgrade. Removing old or non-essential applications from the computer can therefore help. - -If you plan to reinstall the application later, be sure that you have the installation media and all required activation information before removing it. - -To remove programs, use the same steps as are provided [above](#uninstall-non-microsoft-antivirus-software) for uninstalling non-Microsoft antivirus software, but instead of removing the antivirus application repeat the steps for all your non-essential, unused, or out-of-date software. - -### Update firmware and drivers - -Updating firmware (such as the BIOS) and installing hardware drivers is a somewhat advanced task. Do not attempt to update BIOS if you aren't familiar with BIOS settings or are not sure how to restore the previous BIOS version if there are problems. Most BIOS updates are provided as a "flash" update. Your manufacturer might provide a tool to perform the update, or you might be required to enter the BIOS and update it manually. Be sure to save your working BIOS settings, since some updates can reset your configuration and make the computer fail to boot if (for example) a RAID configuration is changed. - -Most BIOS and other hardware updates can be obtained from a website maintained by your computer manufacturer. For example, Microsoft Surface device drivers can be obtained at: [Download the latest firmware and drivers for Surface devices](https://docs.microsoft.com/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices). - -To obtain the proper firmware drivers, search for the most updated driver version provided by your computer manufacturer. Install these updates and reboot the computer after installation. Request assistance from the manufacturer if you have any questions. - -### Ensure that "Download and install updates" is selected - -When you begin a Windows Update, the setup process will ask you to **Get important updates**. Answer **Yes** if the computer you are updating is connected to the Internet. See the following example: - -![Get important updates](../images/update.jpg) - -### Verify disk space - -You can see a list of requirements for Windows 10 at [Windows 10 Specifications & System Requirements](https://www.microsoft.com/windows/windows-10-specifications). One of the requirements is that enough hard drive space be available for the installation to take place. At least 16 GB of free space must be available on the system drive to upgrade a 32-bit OS, or 20 GB for a 64-bit OS. - -To view how much hard drive space is available on your computer, open [File Explorer](https://support.microsoft.com/help/4026617/windows-windows-explorer-has-a-new-name). In Windows 7, this was called Windows Explorer. - -In File Explorer, click on **Computer** or **This PC** on the left, then look under **Hard Disk Drives** or under **Devices and drives**. If there are multiple drives listed, the system drive is the drive that includes a Microsoft Windows logo above the drive icon. - -The amount of space available on the system drive will be displayed under the drive. See the following example: - -![System drive](../images/drive.png) - -In the previous example, there is 703 GB of available free space on the system drive (C:). - -To free up additional space on the system drive, begin by running Disk Cleanup. You can access Disk Cleanup by right-clicking the hard drive icon and then clicking Properties. See the following example: - -![Disk cleanup](../images/cleanup.png) - -For instructions to run Disk Cleanup and other suggestions to free up hard drive space, see [Tips to free up drive space on your PC](https://support.microsoft.com/help/17421/windows-free-up-drive-space). - -When you run Disk Cleanup and enable the option to Clean up system files, you can remove previous Windows installations which can free a large amount of space. You should only do this if you do not plan to restore the old OS version. - -### Open an elevated command prompt - ->It is no longer necessary to open an elevated command prompt to run the [SetupDiag](setupdiag.md) tool. However, this is still the optimal way to run the tool. - -To launch an elevated command prompt, press the Windows key on your keyboard, type **cmd**, press Ctrl+Shift+Enter, and then Alt+C to confirm the elevation prompt. Screenshots and other steps to open an administrator (aka elevated) command prompt are [here](https://answers.microsoft.com/en-us/windows/forum/windows_7-security/command-prompt-admin-windows-7/6a188166-5e23-461f-b468-f325688ec8c7). - -Note: When you open an elevated command prompt, you will usually start in the **C:\WINDOWS\system32** directory. To run a program that you recently downloaded, you must change to the directory where the program is located. Alternatively, you can move or copy the program to a location on the computer that is automatically searched. These directories are listed in the [PATH variable](https://answers.microsoft.com/en-us/windows/forum/windows_10-other_settings-winpc/adding-path-variable/97300613-20cb-4d85-8d0e-cc9d3549ba23). - -If this is too complicated for you, then use File Explorer to create a new folder under C: with a short name such as "new" then copy or move the programs you want to run (like SetupDiag) to this folder using File Explorer. When you open an elevated command prompt, change to this directory by typing "cd c:\new" and now you can run the programs in that folder. - -If you downloaded the SetupDiag.exe program to your computer, then copied it to the folder C:\new, and you opened an elevated command prompt then typed cd c:\new to change to this directory, you can just type setupdiag and press ENTER to run the program. This program will analyze the files on your computer to see why a Windows Upgrade failed and if the reason was a common one, it will report this reason. It will not fix the problem for you but knowing why the upgrade failed enables you to take steps to fix the problem. - -## Related topics - -[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) -
          [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -
          [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) -
          [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) -
          [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) +--- +title: Quick fixes - Windows IT Pro +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. +keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.topic: article +--- + +# Quick fixes + +**Applies to** +- Windows 10 + +>[!NOTE] +>This is a 100 level topic (basic).
          +>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. + +The following list of fixes can resolve many Windows upgrade problems. You should try these steps before contacting Microsoft support, or attempting a more advanced analysis of a Windows upgrade failure. Also review information at [Windows 10 help](https://support.microsoft.com/products/windows?os=windows-10). + +The Microsoft Virtual Agent provided by [Microsoft Support](https://support.microsoft.com/contactus/) can help you to analyze and correct some Windows upgrade errors. **To talk to a person about your issue**, start the Virtual Agent (click **Get started**) and enter "Talk to a person" two times. + +>You might also wish to try a new tool available from Microsoft that helps to diagnose many Windows upgrade errors. For more information and to download this tool, see [SetupDiag](setupdiag.md). The topic is more advanced (300 level) because several advanced options are available for using the tool. However, you can now just download and then double-click the tool to run it. By default when you click Save, the tool is saved in your **Downloads** folder. Double-click the tool in the folder and wait until it finishes running (it might take a few minutes), then double-click the **SetupDiagResults.log** file and open it using Notepad to see the results of the analysis. + +## List of fixes + +
            +
          1. Remove nonessential external hardware, such as docks and USB devices. More information.
            2. +
          2. Check the system drive for errors and attempt repairs. More information.
            3. +
          3. Run the Windows Update troubleshooter. More information.
            4. +
          4. Attempt to restore and repair system files. More information.
            5. +
          5. Update Windows so that all available recommended updates are installed, and ensure the computer is rebooted if this is necessary to complete installation of an update. More information.
            6. +
          6. Temporarily uninstall non-Microsoft antivirus software. + More information.
            7. + +
          7. Uninstall all nonessential software. More information.
            8. +
          8. Update firmware and drivers. More information
            9. +
          9. Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. More information.
            10. +
          10. Verify at least 16 GB of free space is available to upgrade a 32-bit OS, or 20 GB for a 64-bit OS. More information.
            11. +
          + +## Step by step instructions + +### Remove external hardware + +If the computer is portable and it is currently in a docking station, [undock the computer](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754084(v=ws.11)). + +Unplug nonessential external hardware devices from the computer, such as: +- Headphones +- Joysticks +- Printers +- Plotters +- Projectors +- Scanners +- Speakers +- USB flash drives +- Portable hard drives +- Portable CD/DVD/Blu-ray drives +- Microphones +- Media card readers +- Cameras/Webcams +- Smart phones +- Secondary monitors, keyboards, mice + +For more information about disconnecting external devices, see [Safely remove hardware in Windows 10](https://support.microsoft.com/help/4051300/windows-10-safely-remove-hardware) + +### Repair the system drive + +The system drive is the drive that contains the [system partition](https://docs.microsoft.com/windows-hardware/manufacture/desktop/hard-drives-and-partitions#span-idpartitionsspanspan-idpartitionsspanspan-idpartitionsspanpartitions). This is usually the **C:** drive. + +To check and repair errors on the system drive: + +1. Click **Start**. +2. Type **command**. +3. Right-click **Command Prompt** and then left-click **Run as administrator**. +4. If you are prompted by UAC, click **Yes**. +5. Type **chkdsk /F** and press ENTER. +6. When you are prompted to schedule a check the next time the system restarts, type **Y**. +7. See the following example + + ``` + C:\WINDOWS\system32>chkdsk /F + The type of the file system is NTFS. + Cannot lock current drive. + + Chkdsk cannot run because the volume is in use by another + process. Would you like to schedule this volume to be + checked the next time the system restarts? (Y/N) Y + + This volume will be checked the next time the system restarts. + ``` + +8. Restart the computer. The computer will pause before loading Windows and perform a repair of your hard drive. + +### Windows Update Troubleshooter + +The Windows Update troubleshooter tool will automatically analyze and fix problems with Windows Update, such as a corrupted download. It will also tell you if there is a pending reboot that is preventing Windows from updating. + +For Windows 7 and 8.1, the tool is [here](https://aka.ms/diag_wu). + +For Windows 10, the tool is [here](https://aka.ms/wudiag). + +To run the tool, click the appropriate link above. Your web browser will prompt you to save or open the file. Select **open** and the tool will automatically start. The tool will walk you through analyzing and fixing some common problems. + +You can also download the Windows Update Troubleshooter by starting the Microsoft [Virtual Agent](https://support.microsoft.com/contact/virtual-agent/), typing **update Windows**, selecting the version of Windows you are running, and then answering **Yes** when asked "Do you need help troubleshooting Windows Update?" + +If any errors are displayed in the Windows Update Troubleshooter, use the Microsoft [Virtual Agent](https://support.microsoft.com/contact/virtual-agent/) to ask about these errors. The Virtual Agent will perform a search and provide a list of helpful links. + +### Repair system files + +This fix is also described in detail at [answers.microsoft.com](https://answers.microsoft.com/en-us/windows/forum/windows_10-update/system-file-check-sfc-scan-and-repair-system-files/bc609315-da1f-4775-812c-695b60477a93). + +To check and repair system files: + +1. Click **Start**. +2. Type **command**. +3. Right-click **Command Prompt** and then left-click **Run as administrator**. +4. If you are prompted by UAC, click **Yes**. +5. Type **sfc /scannow** and press ENTER. See the following example: + + ``` + C:\>sfc /scannow + + Beginning system scan. This process will take some time. + + Beginning verification phase of system scan. + Verification 100% complete. + + Windows Resource Protection did not find any integrity violations. + ``` +6. If you are running Windows 8.1 or later, type **DISM.exe /Online /Cleanup-image /Restorehealth** and press ENTER (the DISM command options are not available for Windows 7). See the following example: + + ``` + C:\>DISM.exe /Online /Cleanup-image /Restorehealth + + Deployment Image Servicing and Management tool + Version: 10.0.16299.15 + + Image Version: 10.0.16299.309 + + [==========================100.0%==========================] The restore operation completed successfully. + The operation completed successfully. + + ``` + >It may take several minutes for the command operations to be completed. For more information, see [Repair a Windows Image](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/repair-a-windows-image). + + +### Update Windows + +You should ensure that all important updates are installed before attempting to upgrade. This includes updates to hardware drivers on your computer. + +The Microsoft [Virtual Agent](https://support.microsoft.com/contact/virtual-agent/) can walk you through the process of making sure that Windows is updated. + +Start the [Virtual Agent](https://support.microsoft.com/contact/virtual-agent/) and then type "update windows." + +Answer questions that the agent asks, and follow instructions to ensure that Windows is up to date. You can also run the [Windows Update Troubleshooter](#windows-update-troubleshooter) described above. + +Click **Start**, click power options, and then restart the computer. + +### Uninstall non-Microsoft antivirus software + +Use Windows Defender for protection during the upgrade. + +Verify compatibility information, and if desired re-install antivirus applications after the upgrade. If you plan to re-install the application after upgrading, be sure that you have the installation media and all required activation information before removing the program. + +To remove the application, go to **Control Panel\Programs\Programs and Features** and click the antivirus application, then click Uninstall. Choose **Yes** when you are asked to confirm program removal. + +For more information, see [Windows 7 - How to properly uninstall programs](https://support.microsoft.com/help/2601726) or [Repair or remove programs in Windows 10](https://support.microsoft.com/help/4028054/windows-repair-or-remove-programs-in-windows-10). + +### Uninstall non-essential software + +Outdated applications can cause problems with a Windows upgrade. Removing old or non-essential applications from the computer can therefore help. + +If you plan to reinstall the application later, be sure that you have the installation media and all required activation information before removing it. + +To remove programs, use the same steps as are provided [above](#uninstall-non-microsoft-antivirus-software) for uninstalling non-Microsoft antivirus software, but instead of removing the antivirus application repeat the steps for all your non-essential, unused, or out-of-date software. + +### Update firmware and drivers + +Updating firmware (such as the BIOS) and installing hardware drivers is a somewhat advanced task. Do not attempt to update BIOS if you aren't familiar with BIOS settings or are not sure how to restore the previous BIOS version if there are problems. Most BIOS updates are provided as a "flash" update. Your manufacturer might provide a tool to perform the update, or you might be required to enter the BIOS and update it manually. Be sure to save your working BIOS settings, since some updates can reset your configuration and make the computer fail to boot if (for example) a RAID configuration is changed. + +Most BIOS and other hardware updates can be obtained from a website maintained by your computer manufacturer. For example, Microsoft Surface device drivers can be obtained at: [Download the latest firmware and drivers for Surface devices](https://docs.microsoft.com/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices). + +To obtain the proper firmware drivers, search for the most updated driver version provided by your computer manufacturer. Install these updates and reboot the computer after installation. Request assistance from the manufacturer if you have any questions. + +### Ensure that "Download and install updates" is selected + +When you begin a Windows Update, the setup process will ask you to **Get important updates**. Answer **Yes** if the computer you are updating is connected to the Internet. See the following example: + +![Get important updates](../images/update.jpg) + +### Verify disk space + +You can see a list of requirements for Windows 10 at [Windows 10 Specifications & System Requirements](https://www.microsoft.com/windows/windows-10-specifications). One of the requirements is that enough hard drive space be available for the installation to take place. At least 16 GB of free space must be available on the system drive to upgrade a 32-bit OS, or 20 GB for a 64-bit OS. + +To view how much hard drive space is available on your computer, open [File Explorer](https://support.microsoft.com/help/4026617/windows-windows-explorer-has-a-new-name). In Windows 7, this was called Windows Explorer. + +In File Explorer, click on **Computer** or **This PC** on the left, then look under **Hard Disk Drives** or under **Devices and drives**. If there are multiple drives listed, the system drive is the drive that includes a Microsoft Windows logo above the drive icon. + +The amount of space available on the system drive will be displayed under the drive. See the following example: + +![System drive](../images/drive.png) + +In the previous example, there is 703 GB of available free space on the system drive (C:). + +To free up additional space on the system drive, begin by running Disk Cleanup. You can access Disk Cleanup by right-clicking the hard drive icon and then clicking Properties. See the following example: + +![Disk cleanup](../images/cleanup.png) + +For instructions to run Disk Cleanup and other suggestions to free up hard drive space, see [Tips to free up drive space on your PC](https://support.microsoft.com/help/17421/windows-free-up-drive-space). + +When you run Disk Cleanup and enable the option to Clean up system files, you can remove previous Windows installations which can free a large amount of space. You should only do this if you do not plan to restore the old OS version. + +### Open an elevated command prompt + +>It is no longer necessary to open an elevated command prompt to run the [SetupDiag](setupdiag.md) tool. However, this is still the optimal way to run the tool. + +To launch an elevated command prompt, press the Windows key on your keyboard, type **cmd**, press Ctrl+Shift+Enter, and then Alt+C to confirm the elevation prompt. Screenshots and other steps to open an administrator (aka elevated) command prompt are [here](https://answers.microsoft.com/en-us/windows/forum/windows_7-security/command-prompt-admin-windows-7/6a188166-5e23-461f-b468-f325688ec8c7). + +Note: When you open an elevated command prompt, you will usually start in the **C:\WINDOWS\system32** directory. To run a program that you recently downloaded, you must change to the directory where the program is located. Alternatively, you can move or copy the program to a location on the computer that is automatically searched. These directories are listed in the [PATH variable](https://answers.microsoft.com/en-us/windows/forum/windows_10-other_settings-winpc/adding-path-variable/97300613-20cb-4d85-8d0e-cc9d3549ba23). + +If this is too complicated for you, then use File Explorer to create a new folder under C: with a short name such as "new" then copy or move the programs you want to run (like SetupDiag) to this folder using File Explorer. When you open an elevated command prompt, change to this directory by typing "cd c:\new" and now you can run the programs in that folder. + +If you downloaded the SetupDiag.exe program to your computer, then copied it to the folder C:\new, and you opened an elevated command prompt then typed cd c:\new to change to this directory, you can just type setupdiag and press ENTER to run the program. This program will analyze the files on your computer to see why a Windows Upgrade failed and if the reason was a common one, it will report this reason. It will not fix the problem for you but knowing why the upgrade failed enables you to take steps to fix the problem. + +## Related topics + +[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) +
          [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) +
          [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) +
          [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) +
          [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md index 2d922591a5..34e22a7ab7 100644 --- a/windows/deployment/upgrade/resolution-procedures.md +++ b/windows/deployment/upgrade/resolution-procedures.md @@ -1,771 +1,771 @@ ---- -title: Resolution procedures - Windows IT Pro -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. -keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.localizationpriority: medium -ms.topic: article ---- - -# Resolution procedures - -**Applies to** -- Windows 10 - ->[!NOTE] ->This is a 200 level topic (moderate).
          ->See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. - - -## 0xC1900101 - -A frequently observed result code is 0xC1900101. This result code can be thrown at any stage of the upgrade process, with the exception of the downlevel phase. 0xC1900101 is a generic rollback code, and usually indicates that an incompatible driver is present. The incompatible driver can cause blue screens, system hangs, and unexpected reboots. Analysis of supplemental log files is often helpful, such as:
          - -- The minidump file: $Windows.~bt\Sources\Rollback\setupmem.dmp, -- Event logs: $Windows.~bt\Sources\Rollback\*.evtx -- The device install log: $Windows.~bt\Sources\Rollback\setupapi\setupapi.dev.log - -The device install log is particularly helpful if rollback occurs during the sysprep operation (extend code 0x30018). To resolve a rollback due to driver conflicts, try running setup using a minimal set of drivers and startup programs by performing a [clean boot](https://support.microsoft.com/kb/929135) before initiating the upgrade process. - -
          See the following general troubleshooting procedures associated with a result code of 0xC1900101: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          - - -
          Code -
          0xC1900101 - 0x20004 -
          - -
          -
          Cause -
          Windows Setup encountered an error during the SAFE_OS with the INSTALL_RECOVERY_ENVIRONMENT operation -
          This is generally caused by out-of-date drivers. -
          -          		 - - -
          Mitigation -
          Uninstall antivirus applications. -
          Remove all unused SATA devices. -
          Remove all unused devices and drivers. -
          Update drivers and BIOS. -
          -
          - - -
          Code -
          0xC1900101 - 0x2000c -
          - -
          -
          Cause -
          Windows Setup encountered an unspecified error during Wim apply in the WinPE phase. -
          This is generally caused by out-of-date drivers. -
          -          		 - - -
          Mitigation -
          Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display. -
          Contact your hardware vendor to obtain updated device drivers. -
          Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. -
          -
          - - -
          Code -
          0xC1900101 - 0x20017 - -
          - -
          -
          Cause -
          A driver has caused an illegal operation. -
          Windows was not able to migrate the driver, resulting in a rollback of the operating system. -
          This is a SafeOS boot failure, typically caused by drivers or non-Microsoft disk encryption software. -
          -          		 - - -
          Mitigation -
          -Ensure that all that drivers are updated.
          -Open the Setuperr.log and Setupact.log files in the %windir%\Panther directory, and then locate the problem drivers. -
          For more information, see Understanding Failures and Log Files. -
          Update or uninstall the problem drivers. -
          -
          - - -
          Code -
          0xC1900101 - 0x30018 -
          - -
          -
          Cause -
          A device driver has stopped responding to setup.exe during the upgrade process. -
          -          		 - - -
          Mitigation -
          -Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display. -
          Contact your hardware vendor to obtain updated device drivers. -
          Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. -
          -
          - - -
          Code -
          0xC1900101 - 0x3000D -
          - -
          -
          Cause -
          Installation failed during the FIRST_BOOT phase while attempting the MIGRATE_DATA operation. -
          This can occur due to a problem with a display driver. - -
          -          		 - - -
          Mitigation -
          -Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display. -
          Update or uninstall the display driver. -
          -
          - - -
          Code -
          0xC1900101 - 0x4000D -
          - -
          -
          Cause -
          A rollback occurred due to a driver configuration issue. -
          Installation failed during the second boot phase while attempting the MIGRATE_DATA operation. - -
          This can occur due to incompatible drivers. - -
          -          		 - - -
          Mitigation -
          -
          Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors. -
          Review the rollback log and determine the stop code. -
          The rollback log is located in the C:$Windows.~BT\Sources\Panther folder. An example analysis is shown below. This example is not representative of all cases: -
          Info SP Crash 0x0000007E detected -
          Info SP Module name : -
          Info SP Bugcheck parameter 1 : 0xFFFFFFFFC0000005 -
          Info SP Bugcheck parameter 2 : 0xFFFFF8015BC0036A -
          Info SP Bugcheck parameter 3 : 0xFFFFD000E5D23728 -
          Info SP Bugcheck parameter 4 : 0xFFFFD000E5D22F40 -
          Info SP Cannot recover the system. -
          Info SP Rollback: Showing splash window with restoring text: Restoring your previous version of Windows. - - -
          Typically, there is a dump file for the crash to analyze. If you are not equipped to debug the dump, then attempt the following basic troubleshooting procedures:
          - -1. Make sure you have enough disk space.
          -2. If a driver is identified in the bug check message, disable the driver or check with the manufacturer for driver updates.
          -3. Try changing video adapters.
          -4. Check with your hardware vendor for any BIOS updates.
          -5. Disable BIOS memory options such as caching or shadowing. -

          -
          -
          - - -
          Code -
          0xC1900101 - 0x40017 -
          - -
          -
          Cause -
          Windows 10 upgrade failed after the second reboot. -
          This is usually caused by a faulty driver. For example: antivirus filter drivers or encryption drivers. -
          -          		 - - -
          Mitigation -
          Clean boot into Windows, and then attempt the upgrade to Windows 10.
          - -For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/kb/929135). - -

          Ensure you select the option to "Download and install updates (recommended)." -
          -
          - -

          0x800xxxxx

          - -
          Result codes starting with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly. - -
          See the following general troubleshooting procedures associated with a result code of 0x800xxxxx:
          - -
          - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          - - -
          Code -
          - -80040005 - 0x20007 - -
          - -
          -
          Cause -
          - -An unspecified error occurred with a driver during the SafeOS phase. - -
          -          		 - - -
          Mitigation -
          - -This error has more than one possible cause. Attempt [quick fixes](quick-fixes.md), and if not successful, [analyze log files](log-files.md#analyze-log-files) in order to determine the problem and solution. - -
          -
          - - -
          Code -
          - -0x80073BC3 - 0x20009
          -0x8007002 - 0x20009
          -0x80073B92 - 0x20009 - -
          - -
          -
          Cause -
          - -The requested system device cannot be found, there is a sharing violation, or there are multiple devices matching the identification criteria. - -
          -          		 - - -
          Mitigation -
          - -These errors occur during partition analysis and validation, and can be caused by the presence of multiple system partitions. For example, if you installed a new system drive but left the previous system drive connected, this can cause a conflict. To resolve the errors, disconnect or temporarily disable drives that contain the unused system partition. You can reconnect the drive after the upgrade has completed. Alternatively, you can delete the unused system partition. - -
          -
          - - -
          Code -
          - -800704B8 - 0x3001A - -
          - -
          -
          Cause -
          - -An extended error has occurred during the first boot phase. - -
          -          		 - - -
          Mitigation -
          - -Disable or uninstall non-Microsoft antivirus applications, disconnect all unnecessary devices, and perform a [clean boot](https://support.microsoft.com/kb/929135). - -
          -
          - - -
          Code -
          - -8007042B - 0x4000D - -
          - -
          -
          Cause -
          - -The installation failed during the second boot phase while attempting the MIGRATE_DATA operation. -
          This issue can occur due to file system, application, or driver issues. - -
          -          		 - - -
          Mitigation -
          - -[Analyze log files](log-files.md#analyze-log-files) in order to determine the file, application, or driver that is not able to be migrated. Disconnect, update, remove, or replace the device or object. - -
          -
          - - -
          Code -
          - -8007001F - 0x3000D - -
          - -
          -
          Cause -
          - -The installation failed in the FIRST_BOOT phase with an error during MIGRATE_DATA operation. - -
          -          		 - - -
          Mitigation -
          - -[Analyze log files](log-files.md#analyze-log-files) in order to determine the files or registry entries that are blocking data migration. - -This error can be due to a problem with user profiles. It can occur due to corrupt registry entries under **HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList** or invalid files in the **\\Users** directory. - -Note: If a previous upgrade did not complete, invalid profiles might exist in the **Windows.old\\Users** directory. - -To repair this error, ensure that deleted accounts are not still present in the Windows registry and that files under the \\Users directory are valid. Delete the invalid files or user profiles that are causing this error. The specific files and profiles that are causing the error will be recorded in the Windows setup log files. - -
          -
          - - -
          Code -
          - -8007001F - 0x4000D - -
          - -
          -
          Cause -
          - -General failure, a device attached to the system is not functioning. - -
          -          		 - - -
          Mitigation -
          - -[Analyze log files](log-files.md#analyze-log-files) in order to determine the device that is not functioning properly. Disconnect, update, or replace the device. - -
          -
          - - -
          Code -
          - -8007042B - 0x4001E - -
          - -
          -
          Cause -
          - -The installation failed during the second boot phase while attempting the PRE_OOBE operation. - -
          -          		 - - -
          Mitigation -
          - -This error has more than one possible cause. Attempt [quick fixes](quick-fixes.md), and if not successful, [analyze log files](log-files.md#analyze-log-files) in order to determine the problem and solution. - -
          -
          - - -## Other result codes - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Error code -Cause -Mitigation -
          0xC1800118WSUS has downloaded content that it cannot use due to a missing decryption key.See Steps to resolve error 0xC1800118 for information.
          0xC1900200Setup.exe has detected that the machine does not meet the minimum system requirements.Ensure the system you are trying to upgrade meets the minimum system requirements.
          See Windows 10 specifications for information.
          0x80090011A device driver error occurred during user data migration.Contact your hardware vendor and get all the device drivers updated. It is recommended to have an active internet connection during upgrade process. -
          Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.
          0xC7700112Failure to complete writing data to the system drive, possibly due to write access failure on the hard disk.This issue is resolved in the latest version of Upgrade Assistant. -
          Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.
          0x80190001An unexpected error was encountered while attempting to download files required for upgrade.To resolve this issue, download and run the media creation tool. See Download windows 10. -
          0x80246007The update was not downloaded successfully.Attempt other methods of upgrading the operating system.
          -Download and run the media creation tool. See Download windows 10. -
          Attempt to upgrade using .ISO or USB.
          -Note: Windows 10 Enterprise isn’t available in the media creation tool. For more information, go to the Volume Licensing Service Center. -
          0x80244018Your machine is connected through a proxy server.Make sure Automatically Detect Settings is selected in internet options. (Control Panel > Internet Options > Connections > LAN Settings). -
          0xC1900201The system did not pass the minimum requirements to install the update.Contact the hardware vendor to get the latest updates.
          0x80240017The upgrade is unavailable for this edition of Windows.Administrative policies enforced by your organization might be preventing the upgrade. Contact your IT administrator.
          0x80070020The existing process cannot access the file because it is being used by another process.Use the MSCONFIG tool to perform a clean boot on the machine and then try to perform the update again. For more information, see How to perform a clean boot in Windows.
          0x80070522The user doesn’t have required privilege or credentials to upgrade.Ensure that you have signed in as a local administrator or have local administrator privileges.
          0xC1900107A cleanup operation from a previous installation attempt is still pending and a system reboot is required in order to continue the upgrade. -Reboot the device and run setup again. If restarting device does not resolve the issue, then use the Disk Cleanup utility and cleanup the temporary as well as the System files. For more information, see Disk cleanup in Windows 10.
          0xC1900209The user has chosen to cancel because the system does not pass the compatibility scan to install the update. Setup.exe will report this error when it can upgrade the machine with user data but cannot migrate installed applications.Incompatible software is blocking the upgrade process. Uninstall the application and try the upgrade again. See Windows 10 Pre-Upgrade Validation using SETUP.EXE for more information. - -
          You can also download the [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526740) and install Application Compatibility Tools. -
          0x8007002 This error is specific to upgrades using System Center Configuration Manager 2012 R2 SP1 CU3 (5.00.8238.1403)Analyze the SMSTS.log and verify that the upgrade is failing on "Apply Operating system" Phase: Error 80072efe DownloadFileWithRanges() failed. 80072efe. ApplyOperatingSystem (0x0760) - -
          The error 80072efe means that the connection with the server was terminated abnormally. - -
          To resolve this issue, try the OS Deployment test on a client in same VLAN as the Configuration Manager server. Check the network configuration for random client-server connection issues happening on the remote VLAN. -
          0x80240FFF Occurs when update synchronization fails. It can occur when you are using Windows Server Update Services on its own or when it is integrated with System Center Configuration Manager. If you enable update synchronization before you install hotfix 3095113, WSUS doesn't recognize the Upgrades classification and instead treats the upgrade like a regular update. You can prevent this by installing hotfix 3095113 before you enable update synchronization. However, if you have already run into this problem, do the following: - -
            -
          1. Disable the Upgrades classification.
            2. -
          2. Install hotfix 3095113.
            3. -
          3. Delete previously synched updates.
            4. -
          4. Enable the Upgrades classification.
            5. -
          5. Perform a full synch.
            6. -
          -
          For detailed information on how to run these steps check out How to delete upgrades in WSUS.

          -
          0x8007007EOccurs when update synchronization fails because you do not have hotfix 3095113 installed before you enable update synchronization. Specifically, the CopyToCache operation fails on clients that have already downloaded the upgrade because Windows Server Update Services has bad metadata related to the upgrade. It can occur when you are using standalone Windows Server Update Services or when WSUS is integrated with System Center Configuration Manager. Use the following steps to repair Windows Server Update Services. You must run these steps on each WSUS server that synched metadata before you installed the hotfix. - -
            -
          1. Stop the Windows Update service. Sign in as a user with administrative privileges, and then do the following: -
              -
            1. Open Administrative Tools from the Control Panel.
              2. -
            2. Double-click Services.
              3. -
            3. Find the Windows Update service, right-click it, and then click Stop. If prompted, enter your credentials.
              4. -
            -
            2. -
          2. Delete all files and folders under c:\Windows\SoftwareDistribution\DataStore.
            3. -
          3. Restart the Windows Update service.
            4. -
          -
          - -## Other error codes - - - - - - - - - - - - - - - -
          Error CodesCauseMitigation
          0x80070003- 0x20007 -This is a failure during SafeOS phase driver installation. - -Verify device drivers on the computer, and analyze log files to determine the problem driver. -
          0x8007025D - 0x2000C -This error occurs if the ISO file's metadata is corrupt."Re-download the ISO/Media and re-attempt the upgrade. - -Alternatively, re-create installation media the [Media Creation Tool](https://www.microsoft.com/en-us/software-download/windows10). - -
          0x80070490 - 0x20007An incompatible device driver is present. - -Verify device drivers on the computer, and analyze log files to determine the problem driver. - -
          0xC1900101 - 0x2000c -An unspecified error occurred in the SafeOS phase during WIM apply. This can be caused by an outdated driver or disk corruption. -Run checkdisk to repair the file system. For more information, see the quick fixes section in this guide. -
          Update drivers on the computer, and select "Download and install updates (recommended)" during the upgrade process. Disconnect devices other than the mouse, keyboard and display.
          0xC1900200 - 0x20008 - -The computer doesn’t meet the minimum requirements to download or upgrade to Windows 10. - -See Windows 10 Specifications and verify the computer meets minimum requirements. - -
          Review logs for [compatibility information](https://blogs.technet.microsoft.com/askcore/2016/01/21/using-the-windows-10-compatibility-reports-to-understand-upgrade-issues/).
          0x80070004 - 0x3000D -This is a problem with data migration during the first boot phase. There are multiple possible causes. - -Analyze log files to determine the issue.
          0xC1900101 - 0x4001E -Installation failed in the SECOND_BOOT phase with an error during PRE_OOBE operation. -This is a generic error that occurs during the OOBE phase of setup. See the 0xC1900101 section of this guide and review general troubleshooting procedures described in that section.
          0x80070005 - 0x4000D -The installation failed in the SECOND_BOOT phase with an error in during MIGRATE_DATA operation. This error indicates that access was denied while attempting to migrate data. -Analyze log files to determine the data point that is reporting access denied.
          0x80070004 - 0x50012 -Windows Setup failed to open a file. -Analyze log files to determine the data point that is reporting access problems.
          0xC190020e -
          0x80070070 - 0x50011 -
          0x80070070 - 0x50012 -
          0x80070070 - 0x60000 -          		These errors indicate the computer does not have enough free space available to install the upgrade. -To upgrade a computer to Windows 10, it requires 16 GB of free hard drive space for a 32-bit OS, and 20 GB for a 64-bit OS. If there is not enough space, attempt to free up drive space before proceeding with the upgrade. - -
          Note: If your device allows it, you can use an external USB drive for the upgrade process. Windows setup will back up the previous version of Windows to a USB external drive. The external drive must be at least 8GB (16GB is recommended). The external drive should be formatted using NTFS. Drives that are formatted in FAT32 may run into errors due to FAT32 file size limitations. USB drives are preferred over SD cards because drivers for SD cards are not migrated if the device does not support Connected Standby. -
          - -## Modern setup errors - -Also see the following sequential list of modern setup (mosetup) error codes with a brief description of the cause. - -| Result code | Message | Description | -| --- | --- | --- | -| 0XC1900100 | MOSETUP_E_VERSION_MISMATCH | An unexpected version of Setup Platform binaries was encountered. Please verify the package contents. | -| 0XC1900101 | MOSETUP_E_SETUP_PLATFORM | The Setup Platform has encountered an unspecified error. | -| 0XC1900102 | MOSETUP_E_SHUTDOWN_BLOCK | Unable to create or destroy the shutdown block message. | -| 0XC1900103 | MOSETUP_E_COMPAT_TIMEOUT | The compatibility issues were not resolved within the required time limit. | -| 0XC1900104 | MOSETUP_E_PROCESS_TIMEOUT | The installation process did not complete within the required time limit. | -| 0XC1900105 | MOSETUP_E_TEST_MODE | The installation process is being used in a test environment. | -| 0XC1900106 | MOSETUP_E_TERMINATE_PROCESS | The installation process was terminated. | -| 0XC1900107 | MOSETUP_E_CLEANUP_PENDING | A cleanup operation from a previous installation attempt is still pending. A system reboot is required. | -| 0XC1900108 | MOSETUP_E_REPORTING | An error has occured and the result value must be consolidated for telemetry purposes. | -| 0XC1900109 | MOSETUP_E_COMPAT_TERMINATE | The installation process was terminated during the actionable compatibility phase. | -| 0XC190010a | MOSETUP_E_UNKNOWN_CMD_LINE | The installation process was launched with an unknown command line argument. | -| 0XC190010b | MOSETUP_E_INSTALL_IMAGE_NOT_FOUND | The installation image was not found. | -| 0XC190010c | MOSETUP_E_AUTOMATION_INVALID | The provided automation information was invalid. | -| 0XC190010d | MOSETUP_E_INVALID_CMD_LINE | The installation process was launched with an invalid command line argument. | -| 0XC190010e | MOSETUP_E_EULA_ACCEPT_REQUIRED | The installation process requires that the user accept the license agreement. | -| 0XC1900110 | MOSETUP_E_EULA_CANCEL | The user has chosen to cancel for license agreement. | -| 0XC1900111 | MOSETUP_E_ADVERTISE_CANCEL | The user has chosen to cancel for advertisement. | -| 0XC1900112 | MOSETUP_E_TARGET_DRIVE_NOT_FOUND | Could not find a target drive letter. | -| 0XC1900113 | MOSETUP_E_EULA_DECLINED | The user has declined the license terms. | -| 0XC190011e | MOSETUP_E_FLIGHTING_BVT | The installation process has been halted for testing purposes. | -| 0XC190011f | MOSETUP_E_PROCESS_CRASHED | The installation process crashed. | -| 0XC1900120 | MOSETUP_E_EULA_TIMEOUT | The user has not accepted Eula within the required time limit. | -| 0XC1900121 | MOSETUP_E_ADVERTISE_TIMEOUT | The user has not accepted Advertisement within the required time limit. | -| 0XC1900122 | MOSETUP_E_DOWNLOADDISKSPACE_TIMEOUT | The download diskspace issues were not resolved within the required time limit. | -| 0XC1900123 | MOSETUP_E_INSTALLDISKSPACE_TIMEOUT | The install diskspace issues were not resolved within the required time limit. | -| 0XC1900124 | MOSETUP_E_COMPAT_SYSREQ_TIMEOUT | The minimum requirements compatibility issues were not resolved within the required time limit. | -| 0XC1900125 | MOSETUP_E_COMPAT_DOWNLOADREQ_TIMEOUT | The compatibility issues for download were not resolved within the required time limit. | -| 0XC1900126 | MOSETUP_E_GATHER_OS_STATE_SIGNATURE | The GatherOsState executable has invalid signature. | -| 0XC1900127 | MOSETUP_E_UNINSTALL_ALLOWED_ABORT | The user has chosen to abort Setup to keep Uninstall option active. | -| 0XC1900128 | MOSETUP_E_MISSING_TASK | The install cannot continue because a required task is missing. | -| 0XC1900129 | MOSETUP_E_UPDATEMEDIA_REQUESTED | A more up-to-date version of setup will be launched to continue installation -| 0XC190012f | MOSETUP_E_FINALIZE_ALREADY_REQUESTED | The install cannot continue because a finalize operation was already requested. | -| 0XC1900130 | MOSETUP_E_INSTALL_HASH_MISSING | The install cannot continue because the instance hash was not found. | -| 0XC1900131 | MOSETUP_E_INSTALL_HASH_MISMATCH | The install cannot continue because the instance hash does not match. | -| 0XC19001df | MOSETUP_E_DISK_FULL | The install cannot continue because the system is out of disk space. | -| 0XC19001e0 | MOSETUP_E_GATHER_OS_STATE_FAILED | The GatherOsState executable has failed to execute. | -| 0XC19001e1 | MOSETUP_E_PROCESS_SUSPENDED | The installation process was suspended. | -| 0XC19001e2 | MOSETUP_E_PREINSTALL_SCRIPT_FAILED | A preinstall script failed to execute or returned an error. | -| 0XC19001e3 | MOSETUP_E_PRECOMMIT_SCRIPT_FAILED | A precommit script failed to execute or returned an error. | -| 0XC19001e4 | MOSETUP_E_FAILURE_SCRIPT_FAILED | A failure script failed to execute or returned an error. | -| 0XC19001e5 | MOSETUP_E_SCRIPT_TIMEOUT | A script exceeded the timeout limit. | -| 0XC1900200 | MOSETUP_E_COMPAT_SYSREQ_BLOCK | The system does not pass the minimum requirements to install the update. | -| 0XC1900201 | MOSETUP_E_COMPAT_SYSREQ_CANCEL | The user has chosen to cancel because the system does not pass the minimum requirements to install the update. | -| 0XC1900202 | MOSETUP_E_COMPAT_DOWNLOADREQ_BLOCK | The system does not pass the minimum requirements to download the update. | -| 0XC1900203 | MOSETUP_E_COMPAT_DOWNLOADREQ_CANCEL | The user has chosen to cancel because the system does not pass the minimum requirements to download the update. | -| 0XC1900204 | MOSETUP_E_COMPAT_MIGCHOICE_BLOCK | The system does not pass the requirements for desired migration choice. | -| 0XC1900205 | MOSETUP_E_COMPAT_MIGCHOICE_CANCEL | The user has chosen to cancel because the system does not pass the requirements for desired migration choice. | -| 0XC1900206 | MOSETUP_E_COMPAT_DEVICEREQ_BLOCK | The system does not pass the device scan to install the update. | -| 0XC1900207 | MOSETUP_E_COMPAT_DEVICEREQ_CANCEL | The user has chosen to cancel because the system does not pass the device scan to install the update. | -| 0XC1900208 | MOSETUP_E_COMPAT_INSTALLREQ_BLOCK | The system does not pass the compat scan to install the update. | -| 0XC1900209 | MOSETUP_E_COMPAT_INSTALLREQ_CANCEL | The user has chosen to cancel because the system does not pass the compat scan to install the update. | -| 0XC190020a | MOSETUP_E_COMPAT_RECOVERYREQ_BLOCK | The system does not pass the minimum requirements to recover Windows. | -| 0XC190020b | MOSETUP_E_COMPAT_RECOVERYREQ_CANCEL | The user has chosen to cancel because the system does not pass the minimum requirements to recover Windows. | -| 0XC190020c | MOSETUP_E_DOWNLOADDISKSPACE_BLOCK | The system does not pass the diskspace requirements to download the payload. | -| 0XC190020d | MOSETUP_E_DOWNLOADDISKSPACE_CANCEL | The user has chosen to cancel as the device does not have enough disk space to download. | -| 0XC190020e | MOSETUP_E_INSTALLDISKSPACE_BLOCK | The system does not pass the diskspace requirements to install the payload. | -| 0XC190020f | MOSETUP_E_INSTALLDISKSPACE_CANCEL | The user has chosen to cancel as the device does not have enough disk space to install. | -| 0XC1900210 | MOSETUP_E_COMPAT_SCANONLY | The user has used the setup.exe command line to do scanonly, not to install the OS. | -| 0XC1900211 | MOSETUP_E_DOWNLOAD_UNPACK_DISKSPACE_BLOCK | The system does not pass the disk space requirements to download and unpack media. | -| 0XC1900212 | MOSETUP_E_DOWNLOAD_UNPACK_DISKSPACE_MULTIARCH_BLOCK | The system does not pass the disk space requirements to download and unpack multi-architecture media. | -| 0XC1900213 | MOSETUP_E_NO_OFFER_FOUND | There was no offer found that matches the required criteria. | -| 0XC1900214 | MOSETUP_E_UNSUPPORTED_VERSION | This version of the tool is not supported. | -| 0XC1900215 | MOSETUP_E_NO_MATCHING_INSTALL_IMAGE | Could not find an install image for this system. | -| 0XC1900216 | MOSETUP_E_ROLLBACK_PENDING | Found pending OS rollback operation. | -| 0XC1900220 | MOSETUP_E_COMPAT_REPORT_NOT_DISPLAYED | The compatibility report cannot be displayed due to a missing system component. | -| 0XC1900400 | MOSETUP_E_UA_VERSION_MISMATCH | An unexpected version of Update Agent client was encountered. | -| 0XC1900401 | MOSETUP_E_UA_NO_PACKAGES_TO_DOWNLOAD | No packages to be downloaded. | -| 0XC1900402 | MOSETUP_E_UA_UPDATE_CANNOT_BE_MERGED | No packages to be downloaded. | -| 0XC1900403 | MOSETUP_E_UA_CORRUPT_PAYLOAD_FILES | Payload files were corrupt. | -| 0XC1900404 | MOSETUP_E_UA_BOX_NOT_FOUND | The installation executable was not found. | -| 0XC1900405 | MOSETUP_E_UA_BOX_CRASHED | The installation process terminated unexpectedly. | - -## Related topics - -[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) -
          [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -
          [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) -
          [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) -
          [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) +--- +title: Resolution procedures - Windows IT Pro +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. +keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.topic: article +--- + +# Resolution procedures + +**Applies to** +- Windows 10 + +>[!NOTE] +>This is a 200 level topic (moderate).
          +>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. + + +## 0xC1900101 + +A frequently observed result code is 0xC1900101. This result code can be thrown at any stage of the upgrade process, with the exception of the downlevel phase. 0xC1900101 is a generic rollback code, and usually indicates that an incompatible driver is present. The incompatible driver can cause blue screens, system hangs, and unexpected reboots. Analysis of supplemental log files is often helpful, such as:
          + +- The minidump file: $Windows.~bt\Sources\Rollback\setupmem.dmp, +- Event logs: $Windows.~bt\Sources\Rollback\*.evtx +- The device install log: $Windows.~bt\Sources\Rollback\setupapi\setupapi.dev.log + +The device install log is particularly helpful if rollback occurs during the sysprep operation (extend code 0x30018). To resolve a rollback due to driver conflicts, try running setup using a minimal set of drivers and startup programs by performing a [clean boot](https://support.microsoft.com/kb/929135) before initiating the upgrade process. + +
          See the following general troubleshooting procedures associated with a result code of 0xC1900101: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          + + +
          Code +
          0xC1900101 - 0x20004 +
          + +
          +
          Cause +
          Windows Setup encountered an error during the SAFE_OS with the INSTALL_RECOVERY_ENVIRONMENT operation +
          This is generally caused by out-of-date drivers. +
          +          		 + + +
          Mitigation +
          Uninstall antivirus applications. +
          Remove all unused SATA devices. +
          Remove all unused devices and drivers. +
          Update drivers and BIOS. +
          +
          + + +
          Code +
          0xC1900101 - 0x2000c +
          + +
          +
          Cause +
          Windows Setup encountered an unspecified error during Wim apply in the WinPE phase. +
          This is generally caused by out-of-date drivers. +
          +          		 + + +
          Mitigation +
          Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display. +
          Contact your hardware vendor to obtain updated device drivers. +
          Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. +
          +
          + + +
          Code +
          0xC1900101 - 0x20017 + +
          + +
          +
          Cause +
          A driver has caused an illegal operation. +
          Windows was not able to migrate the driver, resulting in a rollback of the operating system. +
          This is a SafeOS boot failure, typically caused by drivers or non-Microsoft disk encryption software. +
          +          		 + + +
          Mitigation +
          +Ensure that all that drivers are updated.
          +Open the Setuperr.log and Setupact.log files in the %windir%\Panther directory, and then locate the problem drivers. +
          For more information, see Understanding Failures and Log Files. +
          Update or uninstall the problem drivers. +
          +
          + + +
          Code +
          0xC1900101 - 0x30018 +
          + +
          +
          Cause +
          A device driver has stopped responding to setup.exe during the upgrade process. +
          +          		 + + +
          Mitigation +
          +Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display. +
          Contact your hardware vendor to obtain updated device drivers. +
          Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. +
          +
          + + +
          Code +
          0xC1900101 - 0x3000D +
          + +
          +
          Cause +
          Installation failed during the FIRST_BOOT phase while attempting the MIGRATE_DATA operation. +
          This can occur due to a problem with a display driver. + +
          +          		 + + +
          Mitigation +
          +Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display. +
          Update or uninstall the display driver. +
          +
          + + +
          Code +
          0xC1900101 - 0x4000D +
          + +
          +
          Cause +
          A rollback occurred due to a driver configuration issue. +
          Installation failed during the second boot phase while attempting the MIGRATE_DATA operation. + +
          This can occur due to incompatible drivers. + +
          +          		 + + +
          Mitigation +
          +
          Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors. +
          Review the rollback log and determine the stop code. +
          The rollback log is located in the C:$Windows.~BT\Sources\Panther folder. An example analysis is shown below. This example is not representative of all cases: +
          Info SP Crash 0x0000007E detected +
          Info SP Module name : +
          Info SP Bugcheck parameter 1 : 0xFFFFFFFFC0000005 +
          Info SP Bugcheck parameter 2 : 0xFFFFF8015BC0036A +
          Info SP Bugcheck parameter 3 : 0xFFFFD000E5D23728 +
          Info SP Bugcheck parameter 4 : 0xFFFFD000E5D22F40 +
          Info SP Cannot recover the system. +
          Info SP Rollback: Showing splash window with restoring text: Restoring your previous version of Windows. + + +
          Typically, there is a dump file for the crash to analyze. If you are not equipped to debug the dump, then attempt the following basic troubleshooting procedures:
          + +1. Make sure you have enough disk space.
          +2. If a driver is identified in the bug check message, disable the driver or check with the manufacturer for driver updates.
          +3. Try changing video adapters.
          +4. Check with your hardware vendor for any BIOS updates.
          +5. Disable BIOS memory options such as caching or shadowing. +

          +
          +
          + + +
          Code +
          0xC1900101 - 0x40017 +
          + +
          +
          Cause +
          Windows 10 upgrade failed after the second reboot. +
          This is usually caused by a faulty driver. For example: antivirus filter drivers or encryption drivers. +
          +          		 + + +
          Mitigation +
          Clean boot into Windows, and then attempt the upgrade to Windows 10.
          + +For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/kb/929135). + +

          Ensure you select the option to "Download and install updates (recommended)." +
          +
          + +

          0x800xxxxx

          + +
          Result codes starting with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly. + +
          See the following general troubleshooting procedures associated with a result code of 0x800xxxxx:
          + +
          + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          + + +
          Code +
          + +80040005 - 0x20007 + +
          + +
          +
          Cause +
          + +An unspecified error occurred with a driver during the SafeOS phase. + +
          +          		 + + +
          Mitigation +
          + +This error has more than one possible cause. Attempt [quick fixes](quick-fixes.md), and if not successful, [analyze log files](log-files.md#analyze-log-files) in order to determine the problem and solution. + +
          +
          + + +
          Code +
          + +0x80073BC3 - 0x20009
          +0x8007002 - 0x20009
          +0x80073B92 - 0x20009 + +
          + +
          +
          Cause +
          + +The requested system device cannot be found, there is a sharing violation, or there are multiple devices matching the identification criteria. + +
          +          		 + + +
          Mitigation +
          + +These errors occur during partition analysis and validation, and can be caused by the presence of multiple system partitions. For example, if you installed a new system drive but left the previous system drive connected, this can cause a conflict. To resolve the errors, disconnect or temporarily disable drives that contain the unused system partition. You can reconnect the drive after the upgrade has completed. Alternatively, you can delete the unused system partition. + +
          +
          + + +
          Code +
          + +800704B8 - 0x3001A + +
          + +
          +
          Cause +
          + +An extended error has occurred during the first boot phase. + +
          +          		 + + +
          Mitigation +
          + +Disable or uninstall non-Microsoft antivirus applications, disconnect all unnecessary devices, and perform a [clean boot](https://support.microsoft.com/kb/929135). + +
          +
          + + +
          Code +
          + +8007042B - 0x4000D + +
          + +
          +
          Cause +
          + +The installation failed during the second boot phase while attempting the MIGRATE_DATA operation. +
          This issue can occur due to file system, application, or driver issues. + +
          +          		 + + +
          Mitigation +
          + +[Analyze log files](log-files.md#analyze-log-files) in order to determine the file, application, or driver that is not able to be migrated. Disconnect, update, remove, or replace the device or object. + +
          +
          + + +
          Code +
          + +8007001F - 0x3000D + +
          + +
          +
          Cause +
          + +The installation failed in the FIRST_BOOT phase with an error during MIGRATE_DATA operation. + +
          +          		 + + +
          Mitigation +
          + +[Analyze log files](log-files.md#analyze-log-files) in order to determine the files or registry entries that are blocking data migration. + +This error can be due to a problem with user profiles. It can occur due to corrupt registry entries under **HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList** or invalid files in the **\\Users** directory. + +Note: If a previous upgrade did not complete, invalid profiles might exist in the **Windows.old\\Users** directory. + +To repair this error, ensure that deleted accounts are not still present in the Windows registry and that files under the \\Users directory are valid. Delete the invalid files or user profiles that are causing this error. The specific files and profiles that are causing the error will be recorded in the Windows setup log files. + +
          +
          + + +
          Code +
          + +8007001F - 0x4000D + +
          + +
          +
          Cause +
          + +General failure, a device attached to the system is not functioning. + +
          +          		 + + +
          Mitigation +
          + +[Analyze log files](log-files.md#analyze-log-files) in order to determine the device that is not functioning properly. Disconnect, update, or replace the device. + +
          +
          + + +
          Code +
          + +8007042B - 0x4001E + +
          + +
          +
          Cause +
          + +The installation failed during the second boot phase while attempting the PRE_OOBE operation. + +
          +          		 + + +
          Mitigation +
          + +This error has more than one possible cause. Attempt [quick fixes](quick-fixes.md), and if not successful, [analyze log files](log-files.md#analyze-log-files) in order to determine the problem and solution. + +
          +
          + + +## Other result codes + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Error code +Cause +Mitigation +
          0xC1800118WSUS has downloaded content that it cannot use due to a missing decryption key.See Steps to resolve error 0xC1800118 for information.
          0xC1900200Setup.exe has detected that the machine does not meet the minimum system requirements.Ensure the system you are trying to upgrade meets the minimum system requirements.
          See Windows 10 specifications for information.
          0x80090011A device driver error occurred during user data migration.Contact your hardware vendor and get all the device drivers updated. It is recommended to have an active internet connection during upgrade process. +
          Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.
          0xC7700112Failure to complete writing data to the system drive, possibly due to write access failure on the hard disk.This issue is resolved in the latest version of Upgrade Assistant. +
          Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.
          0x80190001An unexpected error was encountered while attempting to download files required for upgrade.To resolve this issue, download and run the media creation tool. See Download windows 10. +
          0x80246007The update was not downloaded successfully.Attempt other methods of upgrading the operating system.
          +Download and run the media creation tool. See Download windows 10. +
          Attempt to upgrade using .ISO or USB.
          +Note: Windows 10 Enterprise isn’t available in the media creation tool. For more information, go to the Volume Licensing Service Center. +
          0x80244018Your machine is connected through a proxy server.Make sure Automatically Detect Settings is selected in internet options. (Control Panel > Internet Options > Connections > LAN Settings). +
          0xC1900201The system did not pass the minimum requirements to install the update.Contact the hardware vendor to get the latest updates.
          0x80240017The upgrade is unavailable for this edition of Windows.Administrative policies enforced by your organization might be preventing the upgrade. Contact your IT administrator.
          0x80070020The existing process cannot access the file because it is being used by another process.Use the MSCONFIG tool to perform a clean boot on the machine and then try to perform the update again. For more information, see How to perform a clean boot in Windows.
          0x80070522The user doesn’t have required privilege or credentials to upgrade.Ensure that you have signed in as a local administrator or have local administrator privileges.
          0xC1900107A cleanup operation from a previous installation attempt is still pending and a system reboot is required in order to continue the upgrade. +Reboot the device and run setup again. If restarting device does not resolve the issue, then use the Disk Cleanup utility and cleanup the temporary as well as the System files. For more information, see Disk cleanup in Windows 10.
          0xC1900209The user has chosen to cancel because the system does not pass the compatibility scan to install the update. Setup.exe will report this error when it can upgrade the machine with user data but cannot migrate installed applications.Incompatible software is blocking the upgrade process. Uninstall the application and try the upgrade again. See Windows 10 Pre-Upgrade Validation using SETUP.EXE for more information. + +
          You can also download the [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526740) and install Application Compatibility Tools. +
          0x8007002 This error is specific to upgrades using System Center Configuration Manager 2012 R2 SP1 CU3 (5.00.8238.1403)Analyze the SMSTS.log and verify that the upgrade is failing on "Apply Operating system" Phase: Error 80072efe DownloadFileWithRanges() failed. 80072efe. ApplyOperatingSystem (0x0760) + +
          The error 80072efe means that the connection with the server was terminated abnormally. + +
          To resolve this issue, try the OS Deployment test on a client in same VLAN as the Configuration Manager server. Check the network configuration for random client-server connection issues happening on the remote VLAN. +
          0x80240FFF Occurs when update synchronization fails. It can occur when you are using Windows Server Update Services on its own or when it is integrated with System Center Configuration Manager. If you enable update synchronization before you install hotfix 3095113, WSUS doesn't recognize the Upgrades classification and instead treats the upgrade like a regular update. You can prevent this by installing hotfix 3095113 before you enable update synchronization. However, if you have already run into this problem, do the following: + +
            +
          1. Disable the Upgrades classification.
            2. +
          2. Install hotfix 3095113.
            3. +
          3. Delete previously synched updates.
            4. +
          4. Enable the Upgrades classification.
            5. +
          5. Perform a full synch.
            6. +
          +
          For detailed information on how to run these steps check out How to delete upgrades in WSUS.

          +
          0x8007007EOccurs when update synchronization fails because you do not have hotfix 3095113 installed before you enable update synchronization. Specifically, the CopyToCache operation fails on clients that have already downloaded the upgrade because Windows Server Update Services has bad metadata related to the upgrade. It can occur when you are using standalone Windows Server Update Services or when WSUS is integrated with System Center Configuration Manager. Use the following steps to repair Windows Server Update Services. You must run these steps on each WSUS server that synched metadata before you installed the hotfix. + +
            +
          1. Stop the Windows Update service. Sign in as a user with administrative privileges, and then do the following: +
              +
            1. Open Administrative Tools from the Control Panel.
              2. +
            2. Double-click Services.
              3. +
            3. Find the Windows Update service, right-click it, and then click Stop. If prompted, enter your credentials.
              4. +
            +
            2. +
          2. Delete all files and folders under c:\Windows\SoftwareDistribution\DataStore.
            3. +
          3. Restart the Windows Update service.
            4. +
          +
          + +## Other error codes + + + + + + + + + + + + + + + +
          Error CodesCauseMitigation
          0x80070003- 0x20007 +This is a failure during SafeOS phase driver installation. + +Verify device drivers on the computer, and analyze log files to determine the problem driver. +
          0x8007025D - 0x2000C +This error occurs if the ISO file's metadata is corrupt."Re-download the ISO/Media and re-attempt the upgrade. + +Alternatively, re-create installation media the [Media Creation Tool](https://www.microsoft.com/en-us/software-download/windows10). + +
          0x80070490 - 0x20007An incompatible device driver is present. + +Verify device drivers on the computer, and analyze log files to determine the problem driver. + +
          0xC1900101 - 0x2000c +An unspecified error occurred in the SafeOS phase during WIM apply. This can be caused by an outdated driver or disk corruption. +Run checkdisk to repair the file system. For more information, see the quick fixes section in this guide. +
          Update drivers on the computer, and select "Download and install updates (recommended)" during the upgrade process. Disconnect devices other than the mouse, keyboard and display.
          0xC1900200 - 0x20008 + +The computer doesn’t meet the minimum requirements to download or upgrade to Windows 10. + +See Windows 10 Specifications and verify the computer meets minimum requirements. + +
          Review logs for [compatibility information](https://blogs.technet.microsoft.com/askcore/2016/01/21/using-the-windows-10-compatibility-reports-to-understand-upgrade-issues/).
          0x80070004 - 0x3000D +This is a problem with data migration during the first boot phase. There are multiple possible causes. + +Analyze log files to determine the issue.
          0xC1900101 - 0x4001E +Installation failed in the SECOND_BOOT phase with an error during PRE_OOBE operation. +This is a generic error that occurs during the OOBE phase of setup. See the 0xC1900101 section of this guide and review general troubleshooting procedures described in that section.
          0x80070005 - 0x4000D +The installation failed in the SECOND_BOOT phase with an error in during MIGRATE_DATA operation. This error indicates that access was denied while attempting to migrate data. +Analyze log files to determine the data point that is reporting access denied.
          0x80070004 - 0x50012 +Windows Setup failed to open a file. +Analyze log files to determine the data point that is reporting access problems.
          0xC190020e +
          0x80070070 - 0x50011 +
          0x80070070 - 0x50012 +
          0x80070070 - 0x60000 +          		These errors indicate the computer does not have enough free space available to install the upgrade. +To upgrade a computer to Windows 10, it requires 16 GB of free hard drive space for a 32-bit OS, and 20 GB for a 64-bit OS. If there is not enough space, attempt to free up drive space before proceeding with the upgrade. + +
          Note: If your device allows it, you can use an external USB drive for the upgrade process. Windows setup will back up the previous version of Windows to a USB external drive. The external drive must be at least 8GB (16GB is recommended). The external drive should be formatted using NTFS. Drives that are formatted in FAT32 may run into errors due to FAT32 file size limitations. USB drives are preferred over SD cards because drivers for SD cards are not migrated if the device does not support Connected Standby. +
          + +## Modern setup errors + +Also see the following sequential list of modern setup (mosetup) error codes with a brief description of the cause. + +| Result code | Message | Description | +| --- | --- | --- | +| 0XC1900100 | MOSETUP_E_VERSION_MISMATCH | An unexpected version of Setup Platform binaries was encountered. Please verify the package contents. | +| 0XC1900101 | MOSETUP_E_SETUP_PLATFORM | The Setup Platform has encountered an unspecified error. | +| 0XC1900102 | MOSETUP_E_SHUTDOWN_BLOCK | Unable to create or destroy the shutdown block message. | +| 0XC1900103 | MOSETUP_E_COMPAT_TIMEOUT | The compatibility issues were not resolved within the required time limit. | +| 0XC1900104 | MOSETUP_E_PROCESS_TIMEOUT | The installation process did not complete within the required time limit. | +| 0XC1900105 | MOSETUP_E_TEST_MODE | The installation process is being used in a test environment. | +| 0XC1900106 | MOSETUP_E_TERMINATE_PROCESS | The installation process was terminated. | +| 0XC1900107 | MOSETUP_E_CLEANUP_PENDING | A cleanup operation from a previous installation attempt is still pending. A system reboot is required. | +| 0XC1900108 | MOSETUP_E_REPORTING | An error has occured and the result value must be consolidated for telemetry purposes. | +| 0XC1900109 | MOSETUP_E_COMPAT_TERMINATE | The installation process was terminated during the actionable compatibility phase. | +| 0XC190010a | MOSETUP_E_UNKNOWN_CMD_LINE | The installation process was launched with an unknown command line argument. | +| 0XC190010b | MOSETUP_E_INSTALL_IMAGE_NOT_FOUND | The installation image was not found. | +| 0XC190010c | MOSETUP_E_AUTOMATION_INVALID | The provided automation information was invalid. | +| 0XC190010d | MOSETUP_E_INVALID_CMD_LINE | The installation process was launched with an invalid command line argument. | +| 0XC190010e | MOSETUP_E_EULA_ACCEPT_REQUIRED | The installation process requires that the user accept the license agreement. | +| 0XC1900110 | MOSETUP_E_EULA_CANCEL | The user has chosen to cancel for license agreement. | +| 0XC1900111 | MOSETUP_E_ADVERTISE_CANCEL | The user has chosen to cancel for advertisement. | +| 0XC1900112 | MOSETUP_E_TARGET_DRIVE_NOT_FOUND | Could not find a target drive letter. | +| 0XC1900113 | MOSETUP_E_EULA_DECLINED | The user has declined the license terms. | +| 0XC190011e | MOSETUP_E_FLIGHTING_BVT | The installation process has been halted for testing purposes. | +| 0XC190011f | MOSETUP_E_PROCESS_CRASHED | The installation process crashed. | +| 0XC1900120 | MOSETUP_E_EULA_TIMEOUT | The user has not accepted Eula within the required time limit. | +| 0XC1900121 | MOSETUP_E_ADVERTISE_TIMEOUT | The user has not accepted Advertisement within the required time limit. | +| 0XC1900122 | MOSETUP_E_DOWNLOADDISKSPACE_TIMEOUT | The download diskspace issues were not resolved within the required time limit. | +| 0XC1900123 | MOSETUP_E_INSTALLDISKSPACE_TIMEOUT | The install diskspace issues were not resolved within the required time limit. | +| 0XC1900124 | MOSETUP_E_COMPAT_SYSREQ_TIMEOUT | The minimum requirements compatibility issues were not resolved within the required time limit. | +| 0XC1900125 | MOSETUP_E_COMPAT_DOWNLOADREQ_TIMEOUT | The compatibility issues for download were not resolved within the required time limit. | +| 0XC1900126 | MOSETUP_E_GATHER_OS_STATE_SIGNATURE | The GatherOsState executable has invalid signature. | +| 0XC1900127 | MOSETUP_E_UNINSTALL_ALLOWED_ABORT | The user has chosen to abort Setup to keep Uninstall option active. | +| 0XC1900128 | MOSETUP_E_MISSING_TASK | The install cannot continue because a required task is missing. | +| 0XC1900129 | MOSETUP_E_UPDATEMEDIA_REQUESTED | A more up-to-date version of setup will be launched to continue installation +| 0XC190012f | MOSETUP_E_FINALIZE_ALREADY_REQUESTED | The install cannot continue because a finalize operation was already requested. | +| 0XC1900130 | MOSETUP_E_INSTALL_HASH_MISSING | The install cannot continue because the instance hash was not found. | +| 0XC1900131 | MOSETUP_E_INSTALL_HASH_MISMATCH | The install cannot continue because the instance hash does not match. | +| 0XC19001df | MOSETUP_E_DISK_FULL | The install cannot continue because the system is out of disk space. | +| 0XC19001e0 | MOSETUP_E_GATHER_OS_STATE_FAILED | The GatherOsState executable has failed to execute. | +| 0XC19001e1 | MOSETUP_E_PROCESS_SUSPENDED | The installation process was suspended. | +| 0XC19001e2 | MOSETUP_E_PREINSTALL_SCRIPT_FAILED | A preinstall script failed to execute or returned an error. | +| 0XC19001e3 | MOSETUP_E_PRECOMMIT_SCRIPT_FAILED | A precommit script failed to execute or returned an error. | +| 0XC19001e4 | MOSETUP_E_FAILURE_SCRIPT_FAILED | A failure script failed to execute or returned an error. | +| 0XC19001e5 | MOSETUP_E_SCRIPT_TIMEOUT | A script exceeded the timeout limit. | +| 0XC1900200 | MOSETUP_E_COMPAT_SYSREQ_BLOCK | The system does not pass the minimum requirements to install the update. | +| 0XC1900201 | MOSETUP_E_COMPAT_SYSREQ_CANCEL | The user has chosen to cancel because the system does not pass the minimum requirements to install the update. | +| 0XC1900202 | MOSETUP_E_COMPAT_DOWNLOADREQ_BLOCK | The system does not pass the minimum requirements to download the update. | +| 0XC1900203 | MOSETUP_E_COMPAT_DOWNLOADREQ_CANCEL | The user has chosen to cancel because the system does not pass the minimum requirements to download the update. | +| 0XC1900204 | MOSETUP_E_COMPAT_MIGCHOICE_BLOCK | The system does not pass the requirements for desired migration choice. | +| 0XC1900205 | MOSETUP_E_COMPAT_MIGCHOICE_CANCEL | The user has chosen to cancel because the system does not pass the requirements for desired migration choice. | +| 0XC1900206 | MOSETUP_E_COMPAT_DEVICEREQ_BLOCK | The system does not pass the device scan to install the update. | +| 0XC1900207 | MOSETUP_E_COMPAT_DEVICEREQ_CANCEL | The user has chosen to cancel because the system does not pass the device scan to install the update. | +| 0XC1900208 | MOSETUP_E_COMPAT_INSTALLREQ_BLOCK | The system does not pass the compat scan to install the update. | +| 0XC1900209 | MOSETUP_E_COMPAT_INSTALLREQ_CANCEL | The user has chosen to cancel because the system does not pass the compat scan to install the update. | +| 0XC190020a | MOSETUP_E_COMPAT_RECOVERYREQ_BLOCK | The system does not pass the minimum requirements to recover Windows. | +| 0XC190020b | MOSETUP_E_COMPAT_RECOVERYREQ_CANCEL | The user has chosen to cancel because the system does not pass the minimum requirements to recover Windows. | +| 0XC190020c | MOSETUP_E_DOWNLOADDISKSPACE_BLOCK | The system does not pass the diskspace requirements to download the payload. | +| 0XC190020d | MOSETUP_E_DOWNLOADDISKSPACE_CANCEL | The user has chosen to cancel as the device does not have enough disk space to download. | +| 0XC190020e | MOSETUP_E_INSTALLDISKSPACE_BLOCK | The system does not pass the diskspace requirements to install the payload. | +| 0XC190020f | MOSETUP_E_INSTALLDISKSPACE_CANCEL | The user has chosen to cancel as the device does not have enough disk space to install. | +| 0XC1900210 | MOSETUP_E_COMPAT_SCANONLY | The user has used the setup.exe command line to do scanonly, not to install the OS. | +| 0XC1900211 | MOSETUP_E_DOWNLOAD_UNPACK_DISKSPACE_BLOCK | The system does not pass the disk space requirements to download and unpack media. | +| 0XC1900212 | MOSETUP_E_DOWNLOAD_UNPACK_DISKSPACE_MULTIARCH_BLOCK | The system does not pass the disk space requirements to download and unpack multi-architecture media. | +| 0XC1900213 | MOSETUP_E_NO_OFFER_FOUND | There was no offer found that matches the required criteria. | +| 0XC1900214 | MOSETUP_E_UNSUPPORTED_VERSION | This version of the tool is not supported. | +| 0XC1900215 | MOSETUP_E_NO_MATCHING_INSTALL_IMAGE | Could not find an install image for this system. | +| 0XC1900216 | MOSETUP_E_ROLLBACK_PENDING | Found pending OS rollback operation. | +| 0XC1900220 | MOSETUP_E_COMPAT_REPORT_NOT_DISPLAYED | The compatibility report cannot be displayed due to a missing system component. | +| 0XC1900400 | MOSETUP_E_UA_VERSION_MISMATCH | An unexpected version of Update Agent client was encountered. | +| 0XC1900401 | MOSETUP_E_UA_NO_PACKAGES_TO_DOWNLOAD | No packages to be downloaded. | +| 0XC1900402 | MOSETUP_E_UA_UPDATE_CANNOT_BE_MERGED | No packages to be downloaded. | +| 0XC1900403 | MOSETUP_E_UA_CORRUPT_PAYLOAD_FILES | Payload files were corrupt. | +| 0XC1900404 | MOSETUP_E_UA_BOX_NOT_FOUND | The installation executable was not found. | +| 0XC1900405 | MOSETUP_E_UA_BOX_CRASHED | The installation process terminated unexpectedly. | + +## Related topics + +[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) +
          [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) +
          [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) +
          [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) +
          [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md index e869cfa80e..af24d3c075 100644 --- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md +++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md @@ -1,64 +1,64 @@ ---- -title: Resolve Windows 10 upgrade errors - Windows IT Pro -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. -keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.localizationpriority: medium -ms.topic: article ---- - -# Resolve Windows 10 upgrade errors : Technical information for IT Pros - -**Applies to** -- Windows 10 - ->[!IMPORTANT] ->This article contains technical instructions for IT administrators. If you are not an IT administrator, try some of the [quick fixes](quick-fixes.md) described in this article then contact [Microsoft Support](https://support.microsoft.com/contactus/) starting with the Virtual Agent. To talk to a person about your issue, click **Get started** to interact with the Virtual Agent, then enter "Talk to a person" two times. The Virtual Agent can also help you to resolve many Windows upgrade issues. Also see: [Get help with Windows 10 upgrade and installation errors](https://support.microsoft.com/help/10587/windows-10-get-help-with-upgrade-installation-errors) and [Submit Windows 10 upgrade errors using Feedback Hub](submit-errors.md). - -This article contains a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. - -The article was originally one page, but has been divided into sub-topics of different technical levels. Basic level provides common procedures that can resolve several types of upgrade errors. Advanced level requires some experience with detailed troubleshooting methods. - -The following four levels are assigned: - -Level 100: Basic
          -Level 200: Moderate
          -Level 300: Moderate advanced
          -Level 400: Advanced
          - -## In this guide - -See the following topics in this article: - -- [Quick fixes](quick-fixes.md): \Level 100\ Steps you can take to eliminate many Windows upgrade errors.
          -- [SetupDiag](setupdiag.md): \Level 300\ SetupDiag is a new tool to help you isolate the root cause of an upgrade failure. -- [Troubleshooting upgrade errors](troubleshoot-upgrade-errors.md): \Level 300\ General advice and techniques for troubleshooting Windows 10 upgrade errors, and an explanation of phases used during the upgrade process.
          -- [Windows Error Reporting](windows-error-reporting.md): \Level 300\ How to use Event Viewer to review details about a Windows 10 upgrade. -- [Upgrade error codes](upgrade-error-codes.md): \Level 400\ The components of an error code are explained. - - [Result codes](upgrade-error-codes.md#result-codes): Information about result codes. - - [Extend codes](upgrade-error-codes.md#extend-codes): Information about extend codes. -- [Log files](log-files.md): \Level 400\ A list and description of log files useful for troubleshooting. - - [Log entry structure](log-files.md#log-entry-structure): The format of a log entry is described. - - [Analyze log files](log-files.md#analyze-log-files): General procedures for log file analysis, and an example. -- [Resolution procedures](resolution-procedures.md): \Level 200\ Causes and mitigation procedures associated with specific error codes. - - [0xC1900101](resolution-procedures.md#0xc1900101): Information about the 0xC1900101 result code. - - [0x800xxxxx](resolution-procedures.md#0x800xxxxx): Information about result codes that start with 0x800. - - [Other result codes](resolution-procedures.md#other-result-codes): Additional causes and mitigation procedures are provided for some result codes. - - [Other error codes](resolution-procedures.md#other-error-codes): Additional causes and mitigation procedures are provided for some error codes. -- [Submit Windows 10 upgrade errors](submit-errors.md): \Level 100\ Submit upgrade errors to Microsoft for analysis. - -## Related topics - -[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) -
          [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -
          [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) -
          [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) -
          [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) -
          +--- +title: Resolve Windows 10 upgrade errors - Windows IT Pro +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. +keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.topic: article +--- + +# Resolve Windows 10 upgrade errors : Technical information for IT Pros + +**Applies to** +- Windows 10 + +>[!IMPORTANT] +>This article contains technical instructions for IT administrators. If you are not an IT administrator, try some of the [quick fixes](quick-fixes.md) described in this article then contact [Microsoft Support](https://support.microsoft.com/contactus/) starting with the Virtual Agent. To talk to a person about your issue, click **Get started** to interact with the Virtual Agent, then enter "Talk to a person" two times. The Virtual Agent can also help you to resolve many Windows upgrade issues. Also see: [Get help with Windows 10 upgrade and installation errors](https://support.microsoft.com/help/10587/windows-10-get-help-with-upgrade-installation-errors) and [Submit Windows 10 upgrade errors using Feedback Hub](submit-errors.md). + +This article contains a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. + +The article was originally one page, but has been divided into sub-topics of different technical levels. Basic level provides common procedures that can resolve several types of upgrade errors. Advanced level requires some experience with detailed troubleshooting methods. + +The following four levels are assigned: + +Level 100: Basic
          +Level 200: Moderate
          +Level 300: Moderate advanced
          +Level 400: Advanced
          + +## In this guide + +See the following topics in this article: + +- [Quick fixes](quick-fixes.md): \Level 100\ Steps you can take to eliminate many Windows upgrade errors.
          +- [SetupDiag](setupdiag.md): \Level 300\ SetupDiag is a new tool to help you isolate the root cause of an upgrade failure. +- [Troubleshooting upgrade errors](troubleshoot-upgrade-errors.md): \Level 300\ General advice and techniques for troubleshooting Windows 10 upgrade errors, and an explanation of phases used during the upgrade process.
          +- [Windows Error Reporting](windows-error-reporting.md): \Level 300\ How to use Event Viewer to review details about a Windows 10 upgrade. +- [Upgrade error codes](upgrade-error-codes.md): \Level 400\ The components of an error code are explained. + - [Result codes](upgrade-error-codes.md#result-codes): Information about result codes. + - [Extend codes](upgrade-error-codes.md#extend-codes): Information about extend codes. +- [Log files](log-files.md): \Level 400\ A list and description of log files useful for troubleshooting. + - [Log entry structure](log-files.md#log-entry-structure): The format of a log entry is described. + - [Analyze log files](log-files.md#analyze-log-files): General procedures for log file analysis, and an example. +- [Resolution procedures](resolution-procedures.md): \Level 200\ Causes and mitigation procedures associated with specific error codes. + - [0xC1900101](resolution-procedures.md#0xc1900101): Information about the 0xC1900101 result code. + - [0x800xxxxx](resolution-procedures.md#0x800xxxxx): Information about result codes that start with 0x800. + - [Other result codes](resolution-procedures.md#other-result-codes): Additional causes and mitigation procedures are provided for some result codes. + - [Other error codes](resolution-procedures.md#other-error-codes): Additional causes and mitigation procedures are provided for some error codes. +- [Submit Windows 10 upgrade errors](submit-errors.md): \Level 100\ Submit upgrade errors to Microsoft for analysis. + +## Related topics + +[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) +
          [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) +
          [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) +
          [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) +
          [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) +
          diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md index 5eb09cda0d..cd3aaab920 100644 --- a/windows/deployment/upgrade/setupdiag.md +++ b/windows/deployment/upgrade/setupdiag.md @@ -9,6 +9,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy +audience: itpro author: greg-lindsay ms.localizationpriority: medium ms.topic: article diff --git a/windows/deployment/upgrade/submit-errors.md b/windows/deployment/upgrade/submit-errors.md index 1eebd06873..6f6bde4fba 100644 --- a/windows/deployment/upgrade/submit-errors.md +++ b/windows/deployment/upgrade/submit-errors.md @@ -1,76 +1,76 @@ ---- -title: Submit Windows 10 upgrade errors using Feedback Hub -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Submit Windows 10 upgrade errors for diagnosis using feedback hub -keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, feedback -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.localizationpriority: medium -ms.topic: article ---- - -# Submit Windows 10 upgrade errors using Feedback Hub - -**Applies to** -- Windows 10 - ->[!NOTE] ->This is a 100 level topic (basic).
          ->See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. - -## In this topic - -This topic describes how to submit problems with a Windows 10 upgrade to Microsoft using the Windows 10 Feedback Hub. - -## About the Feedback Hub - -The Feedback Hub app lets you tell Microsoft about any problems you run in to while using Windows 10 and send suggestions to help us improve your Windows experience. Previously, you could only use the Feedback Hub if you were in the Windows Insider Program. Now anyone can use this tool. You can download the Feedback Hub app from the Microsoft Store [here](https://www.microsoft.com/en-us/store/p/feedback-hub/9nblggh4r32n?SilentAuth=1&wa=wsignin1.0). - -The Feedback Hub requires Windows 10 or Windows 10 mobile. If you are having problems upgrading from an older version of Windows to Windows 10, you can use the Feedback Hub to submit this information, but you must collect the log files from the legacy operating system and then attach these files to your feedback using a device that is running Windows 10. If you are upgrading to Windows 10 from a previous verion of Windows 10, the Feedback Hub will collect log files automatically. - -## Submit feedback - -To submit feedback about a failed Windows 10 upgrade, click the following link: [Feedback Hub](feedback-hub://?referrer=resolveUpgradeErrorsPage&tabid=2&contextid=81&newFeedback=true&feedbackType=2&topic=submit-errors.md)  - -The Feedback Hub will open. - -- Under **Tell us about it**, and then under **Summarize your issue**, type **Upgrade failing**. -- Under **Give us more detail**, provide additional information about the failed upgrade, such as: - - When did the failure occur? - - Were there any reboots? - - How many times did the system reboot? - - How did the upgrade fail? - - Were any error codes visible? - - Did the computer fail to a blue screen? - - Did the computer automatically roll back or did it hang, requiring you to power cycle it before it rolled back? -- Additional details - - What type of security software is installed? - - Is the computer up to date with latest drivers and firmware? - - Are there any external devices connected? -- If you used the link above, the category and subcategory will be automatically selected. If it is not selected, choose **Install and Update** and **Windows Installation**. - -You can attach a screenshot or file if desired. This is optional, but can be extremely helpful when diagnosing your upgrade issue. The location of these files is described here: [Windows Setup log files and event logs](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-log-files-and-event-logs). - -Click **Submit** to send your feedback. - -See the following example: - -![feedback example](../images/feedback.png) - -After you click Submit, that's all you need to do. Microsoft will receive your feedback and begin analyzing the issue. You can check on your feedback periodically to see what solutions have been provided. - -## Link to your feedback - -After your feedback is submitted, you can email or post links to it by opening the Feedback Hub, clicking My feedback at the top, clicking the feedback item you submitted, clicking **Share**, then copying the short link that is displayed. - -![share](../images/share.jpg) - -## Related topics - -[Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx) - +--- +title: Submit Windows 10 upgrade errors using Feedback Hub +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Submit Windows 10 upgrade errors for diagnosis using feedback hub +keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, feedback +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.topic: article +--- + +# Submit Windows 10 upgrade errors using Feedback Hub + +**Applies to** +- Windows 10 + +>[!NOTE] +>This is a 100 level topic (basic).
          +>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. + +## In this topic + +This topic describes how to submit problems with a Windows 10 upgrade to Microsoft using the Windows 10 Feedback Hub. + +## About the Feedback Hub + +The Feedback Hub app lets you tell Microsoft about any problems you run in to while using Windows 10 and send suggestions to help us improve your Windows experience. Previously, you could only use the Feedback Hub if you were in the Windows Insider Program. Now anyone can use this tool. You can download the Feedback Hub app from the Microsoft Store [here](https://www.microsoft.com/en-us/store/p/feedback-hub/9nblggh4r32n?SilentAuth=1&wa=wsignin1.0). + +The Feedback Hub requires Windows 10 or Windows 10 mobile. If you are having problems upgrading from an older version of Windows to Windows 10, you can use the Feedback Hub to submit this information, but you must collect the log files from the legacy operating system and then attach these files to your feedback using a device that is running Windows 10. If you are upgrading to Windows 10 from a previous verion of Windows 10, the Feedback Hub will collect log files automatically. + +## Submit feedback + +To submit feedback about a failed Windows 10 upgrade, click the following link: [Feedback Hub](feedback-hub://?referrer=resolveUpgradeErrorsPage&tabid=2&contextid=81&newFeedback=true&feedbackType=2&topic=submit-errors.md)  + +The Feedback Hub will open. + +- Under **Tell us about it**, and then under **Summarize your issue**, type **Upgrade failing**. +- Under **Give us more detail**, provide additional information about the failed upgrade, such as: + - When did the failure occur? + - Were there any reboots? + - How many times did the system reboot? + - How did the upgrade fail? + - Were any error codes visible? + - Did the computer fail to a blue screen? + - Did the computer automatically roll back or did it hang, requiring you to power cycle it before it rolled back? +- Additional details + - What type of security software is installed? + - Is the computer up to date with latest drivers and firmware? + - Are there any external devices connected? +- If you used the link above, the category and subcategory will be automatically selected. If it is not selected, choose **Install and Update** and **Windows Installation**. + +You can attach a screenshot or file if desired. This is optional, but can be extremely helpful when diagnosing your upgrade issue. The location of these files is described here: [Windows Setup log files and event logs](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-log-files-and-event-logs). + +Click **Submit** to send your feedback. + +See the following example: + +![feedback example](../images/feedback.png) + +After you click Submit, that's all you need to do. Microsoft will receive your feedback and begin analyzing the issue. You can check on your feedback periodically to see what solutions have been provided. + +## Link to your feedback + +After your feedback is submitted, you can email or post links to it by opening the Feedback Hub, clicking My feedback at the top, clicking the feedback item you submitted, clicking **Share**, then copying the short link that is displayed. + +![share](../images/share.jpg) + +## Related topics + +[Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx) + diff --git a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md index fe26d367f3..b252ff670a 100644 --- a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md +++ b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md @@ -1,97 +1,97 @@ ---- -title: Troubleshoot Windows 10 upgrade errors - Windows IT Pro -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. -keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.localizationpriority: medium -ms.topic: article ---- - -# Troubleshooting upgrade errors - -**Applies to** -- Windows 10 - ->[!NOTE] ->This is a 300 level topic (moderately advanced).
          ->See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. - -If a Windows 10 upgrade is not successful, it can be very helpful to understand *when* an error occurred in the upgrade process. - -Briefly, the upgrade process consists of four phases: **Downlevel**, **SafeOS**, **First boot**, and **Second boot**. The computer will reboot once between each phase. Note: Progress is tracked in the registry during the upgrade process using the following key: **HKLM\System\Setup\mosetup\volatile\SetupProgress**. This key is volatile and only present during the upgrade process; it contains a binary value in the range 0-100. - -These phases are explained in greater detail [below](#the-windows-10-upgrade-process). First, let's summarize the actions performed during each phase because this affects the type of errors that can be encountered. - -1. **Downlevel phase**: Because this phase runs on the source OS, upgrade errors are not typically seen. If you do encounter an error, ensure the source OS is stable. Also ensure the Windows setup source and the destination drive are accessible. - -2. **SafeOS phase**: Errors most commonly occur during this phase due to hardware issues, firmware issues, or non-microsoft disk encryption software. - - Since the computer is booted into Windows PE during the SafeOS phase, a useful troubleshooting technique is to boot into [Windows PE](https://docs.microsoft.com/windows-hardware/manufacture/desktop/winpe-intro) using installation media. You can use the [media creation tool](https://www.microsoft.com/software-download/windows10) to create bootable media, or you can use tools such as the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit), and then boot your device from this media to test for hardware and firmware compatibility issues. - - >[!TIP] - >If you attempt to use the media creation tool with a USB drive and this fails with error 0x80004005 - 0xa001a, this is because the USB drive is using GPT partition style. The tool requires that you use MBR partition style. You can use the DISKPART command to convert the USB drive from GPT to MBR. For more information, see [Change a GUID Partition Table Disk into a Master Boot Record Disk](https://go.microsoft.com/fwlink/?LinkId=207050). - - **Do not proceed with the Windows 10 installation after booting from this media**. This method can only be used to perform a clean install which will not migrate any of your apps and settings, and you will be required re-enter your Windows 10 license information. - - If the computer does not successfully boot into Windows PE using the media that you created, this is likely due to a hardware or firmware issue. Check with your hardware manufacturer and apply any recommended BIOS and firmware updates. If you are still unable to boot to installation media after applying updates, disconnect or replace legacy hardware. - - If the computer successfully boots into Windows PE, but you are not able to browse the system drive on the computer, it is possible that non-Microsoft disk encryption software is blocking your ability to perform a Windows 10 upgrade. Update or temporarily remove the disk encryption. - -3. **First boot phase**: Boot failures in this phase are relatively rare, and almost exclusively caused by device drivers. Disconnect all peripheral devices except for the mouse, keyboard, and display. Obtain and install updated device drivers, then retry the upgrade. - -4. **Second boot phase**: In this phase, the system is running under the target OS with new drivers. Boot failures are most commonly due to anti-virus software or filter drivers. Disconnect all peripheral devices except for the mouse, keyboard, and display. Obtain and install updated device drivers, temporarily uninstall anti-virus software, then retry the upgrade. - -If the general troubleshooting techniques described above or the [quick fixes](quick-fixes.md) detailed below do not resolve your issue, you can attempt to analyze [log files](log-files.md) and interpret [upgrade error codes](upgrade-error-codes.md). You can also [Submit Windows 10 upgrade errors using Feedback Hub](submit-errors.md) so that Microsoft can diagnose your issue. - -## The Windows 10 upgrade process - -The **Windows Setup** application is used to upgrade a computer to Windows 10, or to perform a clean installation. Windows Setup starts and restarts the computer, gathers information, copies files, and creates or adjusts configuration settings. - -When performing an operating system upgrade, Windows Setup uses phases described below. A reboot occurs between each of the phases. After the first reboot, the user interface will remain the same until the upgrade is completed. Percent progress is displayed and will advance as you move through each phase, reaching 100% at the end of the second boot phase. - -1. **Downlevel phase**: The downlevel phase is run within the previous operating system. Windows files are copied and installation components are gathered. - - ![downlevel phase](../images/downlevel.png) - -2. **Safe OS phase**: A recovery partition is configured, Windows files are expanded, and updates are installed. An OS rollback is prepared if needed. Example error codes: 0x2000C, 0x20017. - - ![safeOS phase](../images/safeos.png) - -3. **First boot phase**: Initial settings are applied. Example error codes: 0x30018, 0x3000D. - - ![first boot phase](../images/firstboot.png) - -4. **Second boot phase**: Final settings are applied. This is also called the **OOBE boot phase**. Example error codes: 0x4000D, 0x40017. - - At the end of the second boot phase, the **Welcome to Windows 10** screen is displayed, preferences are configured, and the Windows 10 sign-in prompt is displayed. - - ![second boot phase](../images/secondboot.png) - - ![second boot phase](../images/secondboot2.png) - - ![second boot phase](../images/secondboot3.png) - -5. **Uninstall phase**: This phase occurs if upgrade is unsuccessful (image not shown). Example error codes: 0x50000, 0x50015. - -**Figure 1**: Phases of a successful Windows 10 upgrade (uninstall is not shown): - -![Upgrade process](../images/upgrade-process.png) - -DU = Driver/device updates.
          -OOBE = Out of box experience.
          -WIM = Windows image (Microsoft) - -## Related topics - -[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) -
          [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -
          [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) -
          [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) -
          [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) +--- +title: Troubleshoot Windows 10 upgrade errors - Windows IT Pro +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. +keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.topic: article +--- + +# Troubleshooting upgrade errors + +**Applies to** +- Windows 10 + +>[!NOTE] +>This is a 300 level topic (moderately advanced).
          +>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. + +If a Windows 10 upgrade is not successful, it can be very helpful to understand *when* an error occurred in the upgrade process. + +Briefly, the upgrade process consists of four phases: **Downlevel**, **SafeOS**, **First boot**, and **Second boot**. The computer will reboot once between each phase. Note: Progress is tracked in the registry during the upgrade process using the following key: **HKLM\System\Setup\mosetup\volatile\SetupProgress**. This key is volatile and only present during the upgrade process; it contains a binary value in the range 0-100. + +These phases are explained in greater detail [below](#the-windows-10-upgrade-process). First, let's summarize the actions performed during each phase because this affects the type of errors that can be encountered. + +1. **Downlevel phase**: Because this phase runs on the source OS, upgrade errors are not typically seen. If you do encounter an error, ensure the source OS is stable. Also ensure the Windows setup source and the destination drive are accessible. + +2. **SafeOS phase**: Errors most commonly occur during this phase due to hardware issues, firmware issues, or non-microsoft disk encryption software. + + Since the computer is booted into Windows PE during the SafeOS phase, a useful troubleshooting technique is to boot into [Windows PE](https://docs.microsoft.com/windows-hardware/manufacture/desktop/winpe-intro) using installation media. You can use the [media creation tool](https://www.microsoft.com/software-download/windows10) to create bootable media, or you can use tools such as the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit), and then boot your device from this media to test for hardware and firmware compatibility issues. + + >[!TIP] + >If you attempt to use the media creation tool with a USB drive and this fails with error 0x80004005 - 0xa001a, this is because the USB drive is using GPT partition style. The tool requires that you use MBR partition style. You can use the DISKPART command to convert the USB drive from GPT to MBR. For more information, see [Change a GUID Partition Table Disk into a Master Boot Record Disk](https://go.microsoft.com/fwlink/?LinkId=207050). + + **Do not proceed with the Windows 10 installation after booting from this media**. This method can only be used to perform a clean install which will not migrate any of your apps and settings, and you will be required re-enter your Windows 10 license information. + + If the computer does not successfully boot into Windows PE using the media that you created, this is likely due to a hardware or firmware issue. Check with your hardware manufacturer and apply any recommended BIOS and firmware updates. If you are still unable to boot to installation media after applying updates, disconnect or replace legacy hardware. + + If the computer successfully boots into Windows PE, but you are not able to browse the system drive on the computer, it is possible that non-Microsoft disk encryption software is blocking your ability to perform a Windows 10 upgrade. Update or temporarily remove the disk encryption. + +3. **First boot phase**: Boot failures in this phase are relatively rare, and almost exclusively caused by device drivers. Disconnect all peripheral devices except for the mouse, keyboard, and display. Obtain and install updated device drivers, then retry the upgrade. + +4. **Second boot phase**: In this phase, the system is running under the target OS with new drivers. Boot failures are most commonly due to anti-virus software or filter drivers. Disconnect all peripheral devices except for the mouse, keyboard, and display. Obtain and install updated device drivers, temporarily uninstall anti-virus software, then retry the upgrade. + +If the general troubleshooting techniques described above or the [quick fixes](quick-fixes.md) detailed below do not resolve your issue, you can attempt to analyze [log files](log-files.md) and interpret [upgrade error codes](upgrade-error-codes.md). You can also [Submit Windows 10 upgrade errors using Feedback Hub](submit-errors.md) so that Microsoft can diagnose your issue. + +## The Windows 10 upgrade process + +The **Windows Setup** application is used to upgrade a computer to Windows 10, or to perform a clean installation. Windows Setup starts and restarts the computer, gathers information, copies files, and creates or adjusts configuration settings. + +When performing an operating system upgrade, Windows Setup uses phases described below. A reboot occurs between each of the phases. After the first reboot, the user interface will remain the same until the upgrade is completed. Percent progress is displayed and will advance as you move through each phase, reaching 100% at the end of the second boot phase. + +1. **Downlevel phase**: The downlevel phase is run within the previous operating system. Windows files are copied and installation components are gathered. + + ![downlevel phase](../images/downlevel.png) + +2. **Safe OS phase**: A recovery partition is configured, Windows files are expanded, and updates are installed. An OS rollback is prepared if needed. Example error codes: 0x2000C, 0x20017. + + ![safeOS phase](../images/safeos.png) + +3. **First boot phase**: Initial settings are applied. Example error codes: 0x30018, 0x3000D. + + ![first boot phase](../images/firstboot.png) + +4. **Second boot phase**: Final settings are applied. This is also called the **OOBE boot phase**. Example error codes: 0x4000D, 0x40017. + + At the end of the second boot phase, the **Welcome to Windows 10** screen is displayed, preferences are configured, and the Windows 10 sign-in prompt is displayed. + + ![second boot phase](../images/secondboot.png) + + ![second boot phase](../images/secondboot2.png) + + ![second boot phase](../images/secondboot3.png) + +5. **Uninstall phase**: This phase occurs if upgrade is unsuccessful (image not shown). Example error codes: 0x50000, 0x50015. + +**Figure 1**: Phases of a successful Windows 10 upgrade (uninstall is not shown): + +![Upgrade process](../images/upgrade-process.png) + +DU = Driver/device updates.
          +OOBE = Out of box experience.
          +WIM = Windows image (Microsoft) + +## Related topics + +[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) +
          [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) +
          [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) +
          [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) +
          [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) diff --git a/windows/deployment/upgrade/upgrade-error-codes.md b/windows/deployment/upgrade/upgrade-error-codes.md index efaa098dab..f06c6fb87b 100644 --- a/windows/deployment/upgrade/upgrade-error-codes.md +++ b/windows/deployment/upgrade/upgrade-error-codes.md @@ -1,159 +1,159 @@ ---- -title: Upgrade error codes - Windows IT Pro -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. -keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.localizationpriority: medium -ms.topic: article ---- - -# Upgrade error codes - -**Applies to** -- Windows 10 - ->[!NOTE] ->This is a 400 level topic (advanced).
          ->See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. - - -If the upgrade process is not successful, Windows Setup will return two codes: - -1. **A result code**: The result code corresponds to a specific Win32 or NTSTATUS error. -2. **An extend code**: The extend code contains information about both the *phase* in which an error occurred, and the *operation* that was being performed when the error occurred. - ->For example, a result code of **0xC1900101** with an extend code of **0x4000D** will be returned as: **0xC1900101 - 0x4000D**. - -Note: If only a result code is returned, this can be because a tool is being used that was not able to capture the extend code. For example, if you are using the [Windows 10 Upgrade Assistant](https://support.microsoft.com/kb/3159635) then only a result code might be returned. - ->[!TIP] ->If you are unable to locate the result and extend error codes, you can attempt to find these codes using Event Viewer. For more information, see [Windows Error Reporting](windows-error-reporting.md). - -## Result codes - ->A result code of **0xC1900101** is generic and indicates that a rollback occurred. In most cases, the cause is a driver compatibility issue.
          To troubleshoot a failed upgrade that has returned a result code of 0xC1900101, analyze the extend code to determine the Windows Setup phase, and see the [Resolution procedures](resolution-procedures.md) section later in this article. - -The following set of result codes are associated with [Windows Setup](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options) compatibility warnings: - -| Result code | Message | Description | -| --- | --- | --- | -| 0xC1900210 | MOSETUP_E_COMPAT_SCANONLY | Setup did not find any compat issue | -| 0xC1900208 | MOSETUP_E_COMPAT_INSTALLREQ_BLOCK | Setup found an actionable compat issue, such as an incompatible app | -| 0xC1900204 | MOSETUP_E_COMPAT_MIGCHOICE_BLOCK | The migration choice selected is not available (ex: Enterprise to Home) | -| 0xC1900200 | MOSETUP_E_COMPAT_SYSREQ_BLOCK | The computer is not eligible for Windows 10 | -| 0xC190020E | MOSETUP_E_INSTALLDISKSPACE_BLOCK | The computer does not have enough free space to install | - -A list of modern setup (mosetup) errors with descriptions in the range is available in the [Resolution procedures](resolution-procedures.md#modern-setup-errors) topic in this article. - -Other result codes can be matched to the specific type of error encountered. To match a result code to an error: - -1. Identify the error code type as either Win32 or NTSTATUS using the first hexadecimal digit: -
          **8** = Win32 error code (ex: 0x**8**0070070) -
          **C** = NTSTATUS value (ex: 0x**C**1900107) -2. Write down the last 4 digits of the error code (ex: 0x8007**0070** = 0070). These digits are the actual error code type as defined in the [HRESULT](https://msdn.microsoft.com/library/cc231198.aspx) or the [NTSTATUS](https://msdn.microsoft.com/library/cc231200.aspx) structure. Other digits in the code identify things such as the device type that produced the error. -3. Based on the type of error code determined in the first step (Win32 or NTSTATUS), match the 4 digits derived from the second step to either a Win32 error code or NTSTATUS value using the following links: - - [Win32 error code](https://msdn.microsoft.com/library/cc231199.aspx) - - [NTSTATUS value](https://msdn.microsoft.com/library/cc704588.aspx) - -Examples: -- 0x80070070 - - Based on the "8" this is a Win32 error code - - The last four digits are 0070, so look up 0x00000070 in the [Win32 error code](https://msdn.microsoft.com/library/cc231199.aspx) table - - The error is: **ERROR_DISK_FULL** -- 0xC1900107 - - Based on the "C" this is an NTSTATUS error code - - The last four digits are 0107, so look up 0x00000107 in the [NTSTATUS value](https://msdn.microsoft.com/library/cc704588.aspx) table - - The error is: **STATUS_SOME_NOT_MAPPED** - -Some result codes are self-explanatory, whereas others are more generic and require further analysis. In the examples shown above, ERROR_DISK_FULL indicates that the hard drive is full and additional room is needed to complete Windows upgrade. The message STATUS_SOME_NOT_MAPPED is more ambiguous, and means that an action is pending. In this case, the action pending is often the cleanup operation from a previous installation attempt, which can be resolved with a system reboot. - -## Extend codes - ->**Important**: Extend codes reflect the current Windows 10 upgrade process, and might change in future releases of Windows 10. The codes discussed in this section apply to Windows 10 version 1607, also known as the Anniversary Update. - -Extend codes can be matched to the phase and operation when an error occurred. To match an extend code to the phase and operation: - -1. Use the first digit to identify the phase (ex: 0x4000D = 4). -2. Use the last two digits to identify the operation (ex: 0x4000D = 0D). -3. Match the phase and operation to values in the tables provided below. - -The following tables provide the corresponding phase and operation for values of an extend code: - -
          - - - -
          Extend code: phase
          HexPhase -
          0SP_EXECUTION_UNKNOWN -
          1SP_EXECUTION_DOWNLEVEL -
          2SP_EXECUTION_SAFE_OS -
          3SP_EXECUTION_FIRST_BOOT -
          4SP_EXECUTION_OOBE_BOOT -
          5SP_EXECUTION_UNINSTALL -
          - - - - - - - -
          Extend code: operation
          - -
          HexOperation -
          0SP_EXECUTION_OP_UNKNOWN -
          1SP_EXECUTION_OP_COPY_PAYLOAD -
          2SP_EXECUTION_OP_DOWNLOAD_UPDATES -
          3SP_EXECUTION_OP_INSTALL_UPDATES -
          4SP_EXECUTION_OP_INSTALL_RECOVERY_ENVIRONMENT -
          5SP_EXECUTION_OP_INSTALL_RECOVERY_IMAGE -
          6SP_EXECUTION_OP_REPLICATE_OC -
          7SP_EXECUTION_OP_INSTALL_DRVIERS -
          8SP_EXECUTION_OP_PREPARE_SAFE_OS -
          9SP_EXECUTION_OP_PREPARE_ROLLBACK -
          ASP_EXECUTION_OP_PREPARE_FIRST_BOOT -
          BSP_EXECUTION_OP_PREPARE_OOBE_BOOT -
          CSP_EXECUTION_OP_APPLY_IMAGE -
          DSP_EXECUTION_OP_MIGRATE_DATA -
          ESP_EXECUTION_OP_SET_PRODUCT_KEY -
          FSP_EXECUTION_OP_ADD_UNATTEND -
          -          		 - -
          HexOperation -
          10SP_EXECUTION_OP_ADD_DRIVER -
          11SP_EXECUTION_OP_ENABLE_FEATURE -
          12SP_EXECUTION_OP_DISABLE_FEATURE -
          13SP_EXECUTION_OP_REGISTER_ASYNC_PROCESS -
          14SP_EXECUTION_OP_REGISTER_SYNC_PROCESS -
          15SP_EXECUTION_OP_CREATE_FILE -
          16SP_EXECUTION_OP_CREATE_REGISTRY -
          17SP_EXECUTION_OP_BOOT -
          18SP_EXECUTION_OP_SYSPREP -
          19SP_EXECUTION_OP_OOBE -
          1ASP_EXECUTION_OP_BEGIN_FIRST_BOOT -
          1BSP_EXECUTION_OP_END_FIRST_BOOT -
          1CSP_EXECUTION_OP_BEGIN_OOBE_BOOT -
          1DSP_EXECUTION_OP_END_OOBE_BOOT -
          1ESP_EXECUTION_OP_PRE_OOBE -
          1FSP_EXECUTION_OP_POST_OOBE -
          20SP_EXECUTION_OP_ADD_PROVISIONING_PACKAGE -
          -
          - -For example: An extend code of **0x4000D**, represents a problem during phase 4 (**0x4**) with data migration (**000D**). - -## Related topics - -[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) -
          [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -
          [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) -
          [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) -
          [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) +--- +title: Upgrade error codes - Windows IT Pro +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. +keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.topic: article +--- + +# Upgrade error codes + +**Applies to** +- Windows 10 + +>[!NOTE] +>This is a 400 level topic (advanced).
          +>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. + + +If the upgrade process is not successful, Windows Setup will return two codes: + +1. **A result code**: The result code corresponds to a specific Win32 or NTSTATUS error. +2. **An extend code**: The extend code contains information about both the *phase* in which an error occurred, and the *operation* that was being performed when the error occurred. + +>For example, a result code of **0xC1900101** with an extend code of **0x4000D** will be returned as: **0xC1900101 - 0x4000D**. + +Note: If only a result code is returned, this can be because a tool is being used that was not able to capture the extend code. For example, if you are using the [Windows 10 Upgrade Assistant](https://support.microsoft.com/kb/3159635) then only a result code might be returned. + +>[!TIP] +>If you are unable to locate the result and extend error codes, you can attempt to find these codes using Event Viewer. For more information, see [Windows Error Reporting](windows-error-reporting.md). + +## Result codes + +>A result code of **0xC1900101** is generic and indicates that a rollback occurred. In most cases, the cause is a driver compatibility issue.
          To troubleshoot a failed upgrade that has returned a result code of 0xC1900101, analyze the extend code to determine the Windows Setup phase, and see the [Resolution procedures](resolution-procedures.md) section later in this article. + +The following set of result codes are associated with [Windows Setup](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options) compatibility warnings: + +| Result code | Message | Description | +| --- | --- | --- | +| 0xC1900210 | MOSETUP_E_COMPAT_SCANONLY | Setup did not find any compat issue | +| 0xC1900208 | MOSETUP_E_COMPAT_INSTALLREQ_BLOCK | Setup found an actionable compat issue, such as an incompatible app | +| 0xC1900204 | MOSETUP_E_COMPAT_MIGCHOICE_BLOCK | The migration choice selected is not available (ex: Enterprise to Home) | +| 0xC1900200 | MOSETUP_E_COMPAT_SYSREQ_BLOCK | The computer is not eligible for Windows 10 | +| 0xC190020E | MOSETUP_E_INSTALLDISKSPACE_BLOCK | The computer does not have enough free space to install | + +A list of modern setup (mosetup) errors with descriptions in the range is available in the [Resolution procedures](resolution-procedures.md#modern-setup-errors) topic in this article. + +Other result codes can be matched to the specific type of error encountered. To match a result code to an error: + +1. Identify the error code type as either Win32 or NTSTATUS using the first hexadecimal digit: +
          **8** = Win32 error code (ex: 0x**8**0070070) +
          **C** = NTSTATUS value (ex: 0x**C**1900107) +2. Write down the last 4 digits of the error code (ex: 0x8007**0070** = 0070). These digits are the actual error code type as defined in the [HRESULT](https://msdn.microsoft.com/library/cc231198.aspx) or the [NTSTATUS](https://msdn.microsoft.com/library/cc231200.aspx) structure. Other digits in the code identify things such as the device type that produced the error. +3. Based on the type of error code determined in the first step (Win32 or NTSTATUS), match the 4 digits derived from the second step to either a Win32 error code or NTSTATUS value using the following links: + - [Win32 error code](https://msdn.microsoft.com/library/cc231199.aspx) + - [NTSTATUS value](https://msdn.microsoft.com/library/cc704588.aspx) + +Examples: +- 0x80070070 + - Based on the "8" this is a Win32 error code + - The last four digits are 0070, so look up 0x00000070 in the [Win32 error code](https://msdn.microsoft.com/library/cc231199.aspx) table + - The error is: **ERROR_DISK_FULL** +- 0xC1900107 + - Based on the "C" this is an NTSTATUS error code + - The last four digits are 0107, so look up 0x00000107 in the [NTSTATUS value](https://msdn.microsoft.com/library/cc704588.aspx) table + - The error is: **STATUS_SOME_NOT_MAPPED** + +Some result codes are self-explanatory, whereas others are more generic and require further analysis. In the examples shown above, ERROR_DISK_FULL indicates that the hard drive is full and additional room is needed to complete Windows upgrade. The message STATUS_SOME_NOT_MAPPED is more ambiguous, and means that an action is pending. In this case, the action pending is often the cleanup operation from a previous installation attempt, which can be resolved with a system reboot. + +## Extend codes + +>**Important**: Extend codes reflect the current Windows 10 upgrade process, and might change in future releases of Windows 10. The codes discussed in this section apply to Windows 10 version 1607, also known as the Anniversary Update. + +Extend codes can be matched to the phase and operation when an error occurred. To match an extend code to the phase and operation: + +1. Use the first digit to identify the phase (ex: 0x4000D = 4). +2. Use the last two digits to identify the operation (ex: 0x4000D = 0D). +3. Match the phase and operation to values in the tables provided below. + +The following tables provide the corresponding phase and operation for values of an extend code: + +
          + + + +
          Extend code: phase
          HexPhase +
          0SP_EXECUTION_UNKNOWN +
          1SP_EXECUTION_DOWNLEVEL +
          2SP_EXECUTION_SAFE_OS +
          3SP_EXECUTION_FIRST_BOOT +
          4SP_EXECUTION_OOBE_BOOT +
          5SP_EXECUTION_UNINSTALL +
          + + + + + + + +
          Extend code: operation
          + +
          HexOperation +
          0SP_EXECUTION_OP_UNKNOWN +
          1SP_EXECUTION_OP_COPY_PAYLOAD +
          2SP_EXECUTION_OP_DOWNLOAD_UPDATES +
          3SP_EXECUTION_OP_INSTALL_UPDATES +
          4SP_EXECUTION_OP_INSTALL_RECOVERY_ENVIRONMENT +
          5SP_EXECUTION_OP_INSTALL_RECOVERY_IMAGE +
          6SP_EXECUTION_OP_REPLICATE_OC +
          7SP_EXECUTION_OP_INSTALL_DRVIERS +
          8SP_EXECUTION_OP_PREPARE_SAFE_OS +
          9SP_EXECUTION_OP_PREPARE_ROLLBACK +
          ASP_EXECUTION_OP_PREPARE_FIRST_BOOT +
          BSP_EXECUTION_OP_PREPARE_OOBE_BOOT +
          CSP_EXECUTION_OP_APPLY_IMAGE +
          DSP_EXECUTION_OP_MIGRATE_DATA +
          ESP_EXECUTION_OP_SET_PRODUCT_KEY +
          FSP_EXECUTION_OP_ADD_UNATTEND +
          +          		 + +
          HexOperation +
          10SP_EXECUTION_OP_ADD_DRIVER +
          11SP_EXECUTION_OP_ENABLE_FEATURE +
          12SP_EXECUTION_OP_DISABLE_FEATURE +
          13SP_EXECUTION_OP_REGISTER_ASYNC_PROCESS +
          14SP_EXECUTION_OP_REGISTER_SYNC_PROCESS +
          15SP_EXECUTION_OP_CREATE_FILE +
          16SP_EXECUTION_OP_CREATE_REGISTRY +
          17SP_EXECUTION_OP_BOOT +
          18SP_EXECUTION_OP_SYSPREP +
          19SP_EXECUTION_OP_OOBE +
          1ASP_EXECUTION_OP_BEGIN_FIRST_BOOT +
          1BSP_EXECUTION_OP_END_FIRST_BOOT +
          1CSP_EXECUTION_OP_BEGIN_OOBE_BOOT +
          1DSP_EXECUTION_OP_END_OOBE_BOOT +
          1ESP_EXECUTION_OP_PRE_OOBE +
          1FSP_EXECUTION_OP_POST_OOBE +
          20SP_EXECUTION_OP_ADD_PROVISIONING_PACKAGE +
          +
          + +For example: An extend code of **0x4000D**, represents a problem during phase 4 (**0x4**) with data migration (**000D**). + +## Related topics + +[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) +
          [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) +
          [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) +
          [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) +
          [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) diff --git a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md index 09a0e88f33..93d1f63cc0 100644 --- a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md +++ b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md @@ -1,96 +1,96 @@ ---- -title: Upgrade Readiness - Additional insights -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Explains additional features of Upgrade Readiness. -ms.prod: w10 -author: greg-lindsay -ms.topic: article -ms.collection: M365-analytics ---- - -# Upgrade Readiness - Additional insights - -This topic provides information on additional features that are available in Upgrade Readiness to provide insights into your environment. These include: - -- [Spectre and Meltdown protections](#spectre-and-meltdown-protection-status): Status of devices with respect to their anti-virus, security update, and firmware updates related to protection from the "Spectre" and "Meltdown" vulnerabilities. -- [Site discovery](#site-discovery): An inventory of web sites that are accessed by client computers running Windows 7, Windows 8.1, or Windows 10 using Internet Explorer. -- [Office add-ins](#office-add-ins): A list of the Microsoft Office add-ins that are installed on client computers. - -## Spectre and Meltdown protection status -Microsoft has published guidance for IT Pros that outlines the steps you can take to improve protection against the hardware vulnerabilities known as "Spectre" and "Meltdown." See [Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities](https://go.microsoft.com/fwlink/?linkid=867468) for details about the vulnerabilities and steps you can take. - -Microsoft recommends three steps to help protect against the Spectre and Meltdown vulnerabilities: -- Verify that you are running a supported antivirus application. -- Apply all available Windows operating system updates, including the January 2018 and later Windows security updates. -- Apply any applicable processor firmware (microcode) updates provided by your device manufacturer(s). - -Upgrade Readiness reports on status of your devices in these three areas. - -![Spectre-Meltdown protection blades](../images/spectre-meltdown-prod-closeup.png) - ->[!IMPORTANT] ->To provide these blades with data, ensure that your devices can reach the endpoint **http://adl.windows.com**. (See [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started) for more about necessary endpoints and how to whitelist them.) - -### Anti-virus status blade -This blade helps you determine if your devices' anti-virus solution is compatible with the latest Windows operating system updates. It shows the number of devices that have an anti-virus solution with no known issues, issues reported, or an unknown status for a particular Windows security update. In the following example, an anti-virus solution that has no known issues with the January 3, 2018 Windows update is installed on about 2,800 devices. - -![Spectre-Meltdown antivirus blade](../images/AV-status-by-computer.png) - -### Security update status blade -This blade indicates whether a Windows security update that includes Spectre- or Meltdown-related fixes (January 3, 2018 or later) has been installed, as well as whether specific fixes have been disabled. Though protections are enabled by default on devices running Windows (but not Windows Server) operating systems, some IT administrators might choose to disable specific protections. In the following example, about 4,300 devices have a Windows security update that includes Spectre or Meltdown protections installed, and those protections are enabled. - -![Spectre-Meltdown antivirus blade](../images/win-security-update-status-by-computer.png) - ->[!IMPORTANT] ->If you are seeing computers with statuses of either “Unknown – action may be required” or “Installed, but mitigation status unknown,” it is likely that you need to whitelist the **http://adl.windows.com** endpoint. - -### Firmware update status blade -This blade reports the number of devices that have installed a firmware update that includes Spectre or Meltdown protections. The blade might report a large number of blank, “unknown”, or “to be determined” statuses at first. As CPU information is provided by partners, the blade will automatically update with no further action required on your part. - - - - -## Site discovery - -The IE site discovery feature in Upgrade Readiness provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 7, Windows 8.1, and Windows 10. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data. - -> [!NOTE] -> Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. The data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees. -> -> IE site discovery is disabled on devices running Windows 7 and Windows 8.1 that are in Switzerland and EU countries. - -In order to use site discovery, a separate opt-in is required; see [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started). - -### Review most active sites - -This blade indicates the most visited sites by computers in your environment. Review this list to determine which web applications and sites are used most frequently. The number of visits is based on the total number of views, and not by the number of unique devices accessing a page. - -For each site, the fully qualified domain name will be listed. You can sort the data by domain name or by URL. - -![Most active sites](../images/upgrade-analytics-most-active-sites.png) - -Click the name of any site in the list to drill down into more details about the visits, including the time of each visit and the computer name. - -![Site domain detail](../images/upgrade-analytics-site-domain-detail.png) - -### Review document modes in use - -This blade provides information about which document modes are used in the sites that are visited in your environment. Document modes are used to provide compatibility with older versions of Internet Explorer. Sites that use older technologies may require additional testing and are less likely to be compatible with Microsoft Edge. Counts are based on total page views and not the number of unique devices. For more information about document modes, see [Deprecated document modes](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/deprecated-document-modes). - -![Site activity by document mode](../images/upgrade-analytics-site-activity-by-doc-mode.png) - -### Run browser-related queries - -You can run predefined queries to capture more info, such as sites that have Enterprise Mode enabled, or the number of unique computers that have visited a site. For example, this query returns the most used ActiveX controls. You can modify and save the predefined queries. - -![](../images/upgrade-analytics-query-activex-name.png) - -## Office add-ins - -Office add-ins provides a list of the Microsoft Office add-ins in your environment, and enumerates the computers that have these add-ins installed. This information should not affect the upgrade decision workflow, but can be helpful to an administrator. - -## Related topics - -[Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md) +--- +title: Upgrade Readiness - Additional insights +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Explains additional features of Upgrade Readiness. +ms.prod: w10 +audience: itpro author: greg-lindsay +ms.topic: article +ms.collection: M365-analytics +--- + +# Upgrade Readiness - Additional insights + +This topic provides information on additional features that are available in Upgrade Readiness to provide insights into your environment. These include: + +- [Spectre and Meltdown protections](#spectre-and-meltdown-protection-status): Status of devices with respect to their anti-virus, security update, and firmware updates related to protection from the "Spectre" and "Meltdown" vulnerabilities. +- [Site discovery](#site-discovery): An inventory of web sites that are accessed by client computers running Windows 7, Windows 8.1, or Windows 10 using Internet Explorer. +- [Office add-ins](#office-add-ins): A list of the Microsoft Office add-ins that are installed on client computers. + +## Spectre and Meltdown protection status +Microsoft has published guidance for IT Pros that outlines the steps you can take to improve protection against the hardware vulnerabilities known as "Spectre" and "Meltdown." See [Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities](https://go.microsoft.com/fwlink/?linkid=867468) for details about the vulnerabilities and steps you can take. + +Microsoft recommends three steps to help protect against the Spectre and Meltdown vulnerabilities: +- Verify that you are running a supported antivirus application. +- Apply all available Windows operating system updates, including the January 2018 and later Windows security updates. +- Apply any applicable processor firmware (microcode) updates provided by your device manufacturer(s). + +Upgrade Readiness reports on status of your devices in these three areas. + +![Spectre-Meltdown protection blades](../images/spectre-meltdown-prod-closeup.png) + +>[!IMPORTANT] +>To provide these blades with data, ensure that your devices can reach the endpoint **http://adl.windows.com**. (See [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started) for more about necessary endpoints and how to whitelist them.) + +### Anti-virus status blade +This blade helps you determine if your devices' anti-virus solution is compatible with the latest Windows operating system updates. It shows the number of devices that have an anti-virus solution with no known issues, issues reported, or an unknown status for a particular Windows security update. In the following example, an anti-virus solution that has no known issues with the January 3, 2018 Windows update is installed on about 2,800 devices. + +![Spectre-Meltdown antivirus blade](../images/AV-status-by-computer.png) + +### Security update status blade +This blade indicates whether a Windows security update that includes Spectre- or Meltdown-related fixes (January 3, 2018 or later) has been installed, as well as whether specific fixes have been disabled. Though protections are enabled by default on devices running Windows (but not Windows Server) operating systems, some IT administrators might choose to disable specific protections. In the following example, about 4,300 devices have a Windows security update that includes Spectre or Meltdown protections installed, and those protections are enabled. + +![Spectre-Meltdown antivirus blade](../images/win-security-update-status-by-computer.png) + +>[!IMPORTANT] +>If you are seeing computers with statuses of either “Unknown – action may be required” or “Installed, but mitigation status unknown,” it is likely that you need to whitelist the **http://adl.windows.com** endpoint. + +### Firmware update status blade +This blade reports the number of devices that have installed a firmware update that includes Spectre or Meltdown protections. The blade might report a large number of blank, “unknown”, or “to be determined” statuses at first. As CPU information is provided by partners, the blade will automatically update with no further action required on your part. + + + + +## Site discovery + +The IE site discovery feature in Upgrade Readiness provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 7, Windows 8.1, and Windows 10. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data. + +> [!NOTE] +> Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. The data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees. +> +> IE site discovery is disabled on devices running Windows 7 and Windows 8.1 that are in Switzerland and EU countries. + +In order to use site discovery, a separate opt-in is required; see [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started). + +### Review most active sites + +This blade indicates the most visited sites by computers in your environment. Review this list to determine which web applications and sites are used most frequently. The number of visits is based on the total number of views, and not by the number of unique devices accessing a page. + +For each site, the fully qualified domain name will be listed. You can sort the data by domain name or by URL. + +![Most active sites](../images/upgrade-analytics-most-active-sites.png) + +Click the name of any site in the list to drill down into more details about the visits, including the time of each visit and the computer name. + +![Site domain detail](../images/upgrade-analytics-site-domain-detail.png) + +### Review document modes in use + +This blade provides information about which document modes are used in the sites that are visited in your environment. Document modes are used to provide compatibility with older versions of Internet Explorer. Sites that use older technologies may require additional testing and are less likely to be compatible with Microsoft Edge. Counts are based on total page views and not the number of unique devices. For more information about document modes, see [Deprecated document modes](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/deprecated-document-modes). + +![Site activity by document mode](../images/upgrade-analytics-site-activity-by-doc-mode.png) + +### Run browser-related queries + +You can run predefined queries to capture more info, such as sites that have Enterprise Mode enabled, or the number of unique computers that have visited a site. For example, this query returns the most used ActiveX controls. You can modify and save the predefined queries. + +![](../images/upgrade-analytics-query-activex-name.png) + +## Office add-ins + +Office add-ins provides a list of the Microsoft Office add-ins in your environment, and enumerates the computers that have these add-ins installed. This information should not affect the upgrade decision workflow, but can be helpful to an administrator. + +## Related topics + +[Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md) diff --git a/windows/deployment/upgrade/upgrade-readiness-architecture.md b/windows/deployment/upgrade/upgrade-readiness-architecture.md index 2f98a96cc3..e5d5a0d480 100644 --- a/windows/deployment/upgrade/upgrade-readiness-architecture.md +++ b/windows/deployment/upgrade/upgrade-readiness-architecture.md @@ -1,35 +1,35 @@ ---- -title: Upgrade Readiness architecture (Windows 10) -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Describes Upgrade Readiness architecture. -ms.prod: w10 -author: greg-lindsay -ms.topic: article -ms.collection: M365-analytics ---- - -# Upgrade Readiness architecture - -Microsoft analyzes system, application, and driver diagnostic data to help you determine when computers are upgrade-ready, allowing you to simplify and accelerate Windows upgrades in your organization. The diagram below illustrates how Upgrade Readiness components work together in a typical installation. - - - -![Upgrade Readiness architecture](../images/ur-arch-diagram.png) - -After you enable Windows diagnostic data on user computers and install the compatibility update KB (1), user computers send computer, application and driver diagnostic data to a secure Microsoft data center through the Microsoft Data Management Service (2). After you configure Upgrade Readiness, diagnostic data is analyzed by the Upgrade Readiness Service (3) and pushed to your workspace (4). You can then use the Upgrade Readiness solution (5) to plan and manage Windows upgrades. - -For more information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see: - -[Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization)
          -[Manage connections from Windows operating system components to Microsoft services](/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services)
          -[Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)
          - -## **Related topics** - -[Upgrade Readiness requirements](upgrade-readiness-requirements.md)
          -[Upgrade Readiness release notes](upgrade-readiness-requirements.md#important-information-about-this-release)
          -[Get started with Upgrade Readiness](upgrade-readiness-get-started.md)
          +--- +title: Upgrade Readiness architecture (Windows 10) +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Describes Upgrade Readiness architecture. +ms.prod: w10 +audience: itpro author: greg-lindsay +ms.topic: article +ms.collection: M365-analytics +--- + +# Upgrade Readiness architecture + +Microsoft analyzes system, application, and driver diagnostic data to help you determine when computers are upgrade-ready, allowing you to simplify and accelerate Windows upgrades in your organization. The diagram below illustrates how Upgrade Readiness components work together in a typical installation. + + + +![Upgrade Readiness architecture](../images/ur-arch-diagram.png) + +After you enable Windows diagnostic data on user computers and install the compatibility update KB (1), user computers send computer, application and driver diagnostic data to a secure Microsoft data center through the Microsoft Data Management Service (2). After you configure Upgrade Readiness, diagnostic data is analyzed by the Upgrade Readiness Service (3) and pushed to your workspace (4). You can then use the Upgrade Readiness solution (5) to plan and manage Windows upgrades. + +For more information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see: + +[Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization)
          +[Manage connections from Windows operating system components to Microsoft services](/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services)
          +[Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)
          + +## **Related topics** + +[Upgrade Readiness requirements](upgrade-readiness-requirements.md)
          +[Upgrade Readiness release notes](upgrade-readiness-requirements.md#important-information-about-this-release)
          +[Get started with Upgrade Readiness](upgrade-readiness-get-started.md)
          diff --git a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md index a6470eed73..0bbda9f3df 100644 --- a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md +++ b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md @@ -1,57 +1,57 @@ ---- -title: Upgrade Readiness data sharing -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Connectivity scenarios for data sharing with Upgrade Readiness -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.topic: article -ms.collection: M365-analytics ---- - -# Upgrade Readiness data sharing - -To enable data sharing with the Upgrade Readiness solution, double-check the endpoints list in [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md#enable-data-sharing) to be sure they are whitelisted. - -## Connectivity to the Internet - -There are several different methods your organization can use to connect to the Internet, and these methods can affect how authentication is performed by the deployment script. - -### Direct connection to the Internet - -This scenario is very simple since there is no proxy involved. If you are using a network firewall which is blocking outgoing traffic, please keep in mind that even though we provide DNS names for the endpoints needed to communicate to the Microsoft diagnostic data backend, We therefore do not recommend to attempt to whitelist endpoints on your firewall based on IP-addresses. - -In order to use the direct connection scenario, set the parameter **ClientProxy=Direct** in **runconfig.bat**. - -### Connection through the WinHTTP proxy - -This is the first and most simple proxy scenario. The WinHTTP stack was designed for use in services and does not support proxy autodetection, PAC scripts or authentication. - -In order to set the WinHTTP proxy system-wide on your computers, you need to -- Use the command netsh winhttp set proxy \:\ -- Set ClientProxy=System in runconfig.bat - -The WinHTTP scenario is most appropriate for customers who use a single proxy. If you have more advanced proxy requirements, refer to Scenario 3. - -If you want to learn more about proxy considerations on Windows, see [Understanding Web Proxy Configuration](https://blogs.msdn.microsoft.com/ieinternals/2013/10/11/understanding-web-proxy-configuration/). - -### Logged-in user’s Internet connection - -In order to accommodate complex proxy scenarios, we also support using the currently logged-in user’s internet connection. This scenario supports PAC scripts, proxy autodetection and authentication. Essentially, if the logged in user can reach the Windows diagnostic data endpoints, the diagnostic data client can send data. If runconfig.bat runs while no user is logged in, diagnostic data events get written into a buffer which gets flushed when a user logs in. - -In order to enable this scenario, you need: -- A current quality update Rollup for Windows 7, 8.1 or Windows 10 Version 1511. Updates shipped after October 2016 have the needed code -- Set the reg key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection\DisableEnterpriseAuthProxy to 0. If the value does not exist, create a new DWORD, name it DisableEnterpriseAuthProxy and set the value to 0. The deployment script will check this is configured correctly. -- Set ClientProxy=User in bat. - -> [!IMPORTANT] -> Using **Logged-in user's internet connection** with **DisableEnterpriseAuthProxy = 0** scenario is incompatible with ATP where the required value of that attribute is 1.(Read more here)[] - - - - - +--- +title: Upgrade Readiness data sharing +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Connectivity scenarios for data sharing with Upgrade Readiness +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.topic: article +ms.collection: M365-analytics +--- + +# Upgrade Readiness data sharing + +To enable data sharing with the Upgrade Readiness solution, double-check the endpoints list in [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md#enable-data-sharing) to be sure they are whitelisted. + +## Connectivity to the Internet + +There are several different methods your organization can use to connect to the Internet, and these methods can affect how authentication is performed by the deployment script. + +### Direct connection to the Internet + +This scenario is very simple since there is no proxy involved. If you are using a network firewall which is blocking outgoing traffic, please keep in mind that even though we provide DNS names for the endpoints needed to communicate to the Microsoft diagnostic data backend, We therefore do not recommend to attempt to whitelist endpoints on your firewall based on IP-addresses. + +In order to use the direct connection scenario, set the parameter **ClientProxy=Direct** in **runconfig.bat**. + +### Connection through the WinHTTP proxy + +This is the first and most simple proxy scenario. The WinHTTP stack was designed for use in services and does not support proxy autodetection, PAC scripts or authentication. + +In order to set the WinHTTP proxy system-wide on your computers, you need to +- Use the command netsh winhttp set proxy \:\ +- Set ClientProxy=System in runconfig.bat + +The WinHTTP scenario is most appropriate for customers who use a single proxy. If you have more advanced proxy requirements, refer to Scenario 3. + +If you want to learn more about proxy considerations on Windows, see [Understanding Web Proxy Configuration](https://blogs.msdn.microsoft.com/ieinternals/2013/10/11/understanding-web-proxy-configuration/). + +### Logged-in user’s Internet connection + +In order to accommodate complex proxy scenarios, we also support using the currently logged-in user’s internet connection. This scenario supports PAC scripts, proxy autodetection and authentication. Essentially, if the logged in user can reach the Windows diagnostic data endpoints, the diagnostic data client can send data. If runconfig.bat runs while no user is logged in, diagnostic data events get written into a buffer which gets flushed when a user logs in. + +In order to enable this scenario, you need: +- A current quality update Rollup for Windows 7, 8.1 or Windows 10 Version 1511. Updates shipped after October 2016 have the needed code +- Set the reg key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection\DisableEnterpriseAuthProxy to 0. If the value does not exist, create a new DWORD, name it DisableEnterpriseAuthProxy and set the value to 0. The deployment script will check this is configured correctly. +- Set ClientProxy=User in bat. + +> [!IMPORTANT] +> Using **Logged-in user's internet connection** with **DisableEnterpriseAuthProxy = 0** scenario is incompatible with ATP where the required value of that attribute is 1.(Read more here)[] + + + + + diff --git a/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md b/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md index 9827ca77e8..b097017757 100644 --- a/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md +++ b/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md @@ -1,102 +1,102 @@ ---- -title: Upgrade Readiness - Get a list of computers that are upgrade ready (Windows 10) -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Describes how to get a list of computers that are ready to be upgraded in Upgrade Readiness. -ms.prod: w10 -author: greg-lindsay -ms.topic: article -ms.collection: M365-analytics ---- - -# Upgrade Readiness - Step 3: Deploy Windows - -All of your work up to now involved reviewing and resolving application and driver issues. Along the way, as you’ve resolved issues and decided which applications and drivers are ready to upgrade, you’ve been building a list of computers that are upgrade ready. -The blades in the **Deploy** section are: - -- [Deploy eligible computers](#deploy-eligible-computers) -- [Deploy computers by group](#computer-groups) - ->Computers that are listed in this step are assigned an **UpgradeDecision** value, and the total count of computers in each upgrade decision category is displayed. Additionally, computers are assigned an **UpgradeAssessment** value. This value is displayed by drilling down into a specific upgrade decision category. For information about upgrade assessment values, see [Upgrade assessment](#upgrade-assessment). - -## Deploy eligible computers - -In this blade, computers grouped by upgrade decision are listed. The upgrade decision on the machines is a calculated value based on the upgrade decision status for the apps and drivers installed on the computer. This value cannot be modified directly. The upgrade decision is calculated in the following ways: -- **Review in progress**: At least one app or driver installed on the computer is marked **Review in progress**. -- **Ready to upgrade**: All apps and drivers installed on the computer are marked as **Ready to Upgrade**. -- **Won’t upgrade**: At least one app or driver installed on the computer is marked as **Won’t upgrade**, or a system requirement is not met. - - - -![Deploy eligible computers](../images/ua-cg-16.png) - -Select **Export computers** for more details, including computer name, manufacturer and model, and Windows edition currently running on the computer. Sort or further query the data and then select **Export** to generate and save a comma-separated value (csv) list of upgrade-ready computers. - ->**Important**
          When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export fewer items at a time. - -## Computer groups - -Computer groups allow you to segment your environment by creating device groups based on log search results, or by importing groups from Active Directory, WSUS or System Center Configuration Manager. Computer groups are an OMS feature. For more information, see [Computer groups in OMS](https://blogs.technet.microsoft.com/msoms/2016/04/04/computer-groups-in-oms/). - -Query based computer groups are recommended in the initial release of this feature. A feature known as **Configuration Manager Upgrade Readiness Connector** is anticipated in a future release that will enable synchronization of **ConfigMgr Collections** with computer groups in OMS. - -### Getting started with Computer Groups - -When you sign in to OMS, you will see a new blade entitled **Computer Groups**. See the following example: - -![Computer groups](../images/ua-cg-01.png) - -To create a computer group, open **Log Search** and create a query based on **Type=UAComputer**, for example: - -``` -Type=UAComputer Manufacturer=DELL -``` - -![Computer groups](../images/ua-cg-02.png) - -When you are satisfied that the query is returning the intended results, add the following text to your search: - -``` -| measure count() by Computer -``` - -This will ensure every computer only shows up once. Then, save your group by clicking **Save** and **Yes**. See the following example: - -![Computer groups](../images/ua-cg-03.png) - -Your new computer group will now be available in Upgrade Readiness. See the following example: - -![Computer groups](../images/ua-cg-04.png) - -### Using Computer Groups - -When you drill into a computer group, you will see that computers are categorized by **UpgradeDecision**. For computers with the status **Review in progress** or **Won’t upgrade** you can drill down to view issues that cause a computer to be in each category, or you can simply display a list of the computers in the category. For computers that are designated **Ready to upgrade**, you can go directly to the list of computers that are ready. - -![Computer groups](../images/ua-cg-05.png) - -Viewing a list of computers in a certain status is self-explanatory, Let’s look at what happens when you click the details link on **Review in progress**: - -![Computer groups](../images/ua-cg-06.png) - -Next, select if you want to see application issues (**UAApp**) or driver issues (**UADriver**). See the following example of selecting **UAApp**: - -![Computer groups](../images/ua-cg-07.png) - -A list of apps that require review so that Dell Computers are ready for upgrade to Windows 10 is displayed. - -### Upgrade assessment - -Upgrade assessment and guidance details are explained in the following table. - -| Upgrade assessment | Action required before or after upgrade pilot? | Issue | What it means | Guidance | -|-----------------------|------------------------------------------------|----------|-----------------|---------------| -| No known issues | No | None | Computers will upgrade seamlessly.
          | OK to use as-is in pilot. | -| OK to pilot, fixed during upgrade | No, for awareness only | Application or driver will not migrate to new OS | The currently installed version of an application or driver won’t migrate to the new operating system; however, a compatible version is installed with the new operating system. | OK to use as-is in pilot. | -| OK to pilot with new driver from Windows Update | Yes | Driver will not migrate to new OS | The currently installed version of a driver won’t migrate to the new operating system; however, a newer, compatible version is available from Windows Update. | Although a compatible version of the driver is installed during upgrade, a newer version is available from Windows Update.

          If the computer automatically receives updates from Windows Update, no action is required. Otherwise, replace the new in-box driver with the Windows Update version after upgrading.

          | - -Select **Export computers** to view pilot-ready computers organized by operating system. After you select the computers you want to use in a pilot, click Export to generate and save a comma-separated value (csv) file. - ->**Important**> When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export fewer items at a time. +--- +title: Upgrade Readiness - Get a list of computers that are upgrade ready (Windows 10) +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Describes how to get a list of computers that are ready to be upgraded in Upgrade Readiness. +ms.prod: w10 +audience: itpro author: greg-lindsay +ms.topic: article +ms.collection: M365-analytics +--- + +# Upgrade Readiness - Step 3: Deploy Windows + +All of your work up to now involved reviewing and resolving application and driver issues. Along the way, as you’ve resolved issues and decided which applications and drivers are ready to upgrade, you’ve been building a list of computers that are upgrade ready. +The blades in the **Deploy** section are: + +- [Deploy eligible computers](#deploy-eligible-computers) +- [Deploy computers by group](#computer-groups) + +>Computers that are listed in this step are assigned an **UpgradeDecision** value, and the total count of computers in each upgrade decision category is displayed. Additionally, computers are assigned an **UpgradeAssessment** value. This value is displayed by drilling down into a specific upgrade decision category. For information about upgrade assessment values, see [Upgrade assessment](#upgrade-assessment). + +## Deploy eligible computers + +In this blade, computers grouped by upgrade decision are listed. The upgrade decision on the machines is a calculated value based on the upgrade decision status for the apps and drivers installed on the computer. This value cannot be modified directly. The upgrade decision is calculated in the following ways: +- **Review in progress**: At least one app or driver installed on the computer is marked **Review in progress**. +- **Ready to upgrade**: All apps and drivers installed on the computer are marked as **Ready to Upgrade**. +- **Won’t upgrade**: At least one app or driver installed on the computer is marked as **Won’t upgrade**, or a system requirement is not met. + + + +![Deploy eligible computers](../images/ua-cg-16.png) + +Select **Export computers** for more details, including computer name, manufacturer and model, and Windows edition currently running on the computer. Sort or further query the data and then select **Export** to generate and save a comma-separated value (csv) list of upgrade-ready computers. + +>**Important**
          When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export fewer items at a time. + +## Computer groups + +Computer groups allow you to segment your environment by creating device groups based on log search results, or by importing groups from Active Directory, WSUS or System Center Configuration Manager. Computer groups are an OMS feature. For more information, see [Computer groups in OMS](https://blogs.technet.microsoft.com/msoms/2016/04/04/computer-groups-in-oms/). + +Query based computer groups are recommended in the initial release of this feature. A feature known as **Configuration Manager Upgrade Readiness Connector** is anticipated in a future release that will enable synchronization of **ConfigMgr Collections** with computer groups in OMS. + +### Getting started with Computer Groups + +When you sign in to OMS, you will see a new blade entitled **Computer Groups**. See the following example: + +![Computer groups](../images/ua-cg-01.png) + +To create a computer group, open **Log Search** and create a query based on **Type=UAComputer**, for example: + +``` +Type=UAComputer Manufacturer=DELL +``` + +![Computer groups](../images/ua-cg-02.png) + +When you are satisfied that the query is returning the intended results, add the following text to your search: + +``` +| measure count() by Computer +``` + +This will ensure every computer only shows up once. Then, save your group by clicking **Save** and **Yes**. See the following example: + +![Computer groups](../images/ua-cg-03.png) + +Your new computer group will now be available in Upgrade Readiness. See the following example: + +![Computer groups](../images/ua-cg-04.png) + +### Using Computer Groups + +When you drill into a computer group, you will see that computers are categorized by **UpgradeDecision**. For computers with the status **Review in progress** or **Won’t upgrade** you can drill down to view issues that cause a computer to be in each category, or you can simply display a list of the computers in the category. For computers that are designated **Ready to upgrade**, you can go directly to the list of computers that are ready. + +![Computer groups](../images/ua-cg-05.png) + +Viewing a list of computers in a certain status is self-explanatory, Let’s look at what happens when you click the details link on **Review in progress**: + +![Computer groups](../images/ua-cg-06.png) + +Next, select if you want to see application issues (**UAApp**) or driver issues (**UADriver**). See the following example of selecting **UAApp**: + +![Computer groups](../images/ua-cg-07.png) + +A list of apps that require review so that Dell Computers are ready for upgrade to Windows 10 is displayed. + +### Upgrade assessment + +Upgrade assessment and guidance details are explained in the following table. + +| Upgrade assessment | Action required before or after upgrade pilot? | Issue | What it means | Guidance | +|-----------------------|------------------------------------------------|----------|-----------------|---------------| +| No known issues | No | None | Computers will upgrade seamlessly.
          | OK to use as-is in pilot. | +| OK to pilot, fixed during upgrade | No, for awareness only | Application or driver will not migrate to new OS | The currently installed version of an application or driver won’t migrate to the new operating system; however, a compatible version is installed with the new operating system. | OK to use as-is in pilot. | +| OK to pilot with new driver from Windows Update | Yes | Driver will not migrate to new OS | The currently installed version of a driver won’t migrate to the new operating system; however, a newer, compatible version is available from Windows Update. | Although a compatible version of the driver is installed during upgrade, a newer version is available from Windows Update.

          If the computer automatically receives updates from Windows Update, no action is required. Otherwise, replace the new in-box driver with the Windows Update version after upgrading.

          | + +Select **Export computers** to view pilot-ready computers organized by operating system. After you select the computers you want to use in a pilot, click Export to generate and save a comma-separated value (csv) file. + +>**Important**> When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export fewer items at a time. diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md index 9c6619d3d9..8ad77cca4e 100644 --- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md +++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md @@ -8,6 +8,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy +audience: itpro author: greg-lindsay ms.topic: article ms.collection: M365-analytics @@ -186,5 +187,5 @@ Error creating or updating registry key: **CommercialId** at **HKLM:\SOFTWARE\Mi > > Then run the Enterprise Config script (RunConfig.bat) again. > -> If the script still fails, contact support including log files from the RunConfig.bat script. These log files are stored on the drive that is specified in the RunConfig.bat file. By default this is set to **%SystemDrive%\UADiagnostics**. The log file is named with the format **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. There will be some additional logs generated under your **\\Windows\Temp** directory with the names similar to **AslLog_....txt**. You should send those logs as well. +> If the script still fails, then contact support@microsoft.com and share the log files from the RunConfig.bat script. These log files are stored on the drive that is specified in the RunConfig.bat file. By default this is set to **%SystemDrive%\UADiagnostics**. The log file is named with the format **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. There will be some additional logs generated under your **\\Windows\Temp** directory with the names similar to **AslLog_....txt**. You should send those logs as well. diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md index 3cfb3be1df..47a7fc7fe2 100644 --- a/windows/deployment/upgrade/upgrade-readiness-get-started.md +++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md @@ -1,81 +1,81 @@ ---- -title: Get started with Upgrade Readiness (Windows 10) -ms.reviewer: -manager: laurawi -description: Explains how to get started with Upgrade Readiness. -keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics, -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.localizationpriority: medium -ms.topic: article -ms.collection: M365-analytics ---- - -# Get started with Upgrade Readiness - ->[!IMPORTANT] ->**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences. See [Windows Analytics in the Azure Portal](../update/windows-analytics-azure-portal.md) for steps to use Windows Analytics in the Azure portal. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition). - -This topic explains how to obtain and configure Upgrade Readiness for your organization. - -You can use Upgrade Readiness to plan and manage your upgrade project end-to-end. Upgrade Readiness works by establishing communications between computers in your organization and Microsoft. Upgrade Readiness collects computer, application, and driver data for analysis. This data is used to identify compatibility issues that can block your upgrade and to suggest fixes that are known to Microsoft. - -Before you begin, consider reviewing the following helpful information:
          - - [Upgrade Readiness requirements](upgrade-readiness-requirements.md): Provides detailed requirements to use Upgrade Readiness.
          - - [Upgrade Readiness blog](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/bg-p/WindowsAnalyticsBlog): Contains announcements of new features and provides helpful tips for using Upgrade Readiness. - ->If you are using System Center Configuration Manager, also check out information about how to integrate Upgrade Readiness with Configuration Manager: [Integrate Upgrade Readiness with System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics). - -When you are ready to begin using Upgrade Readiness, perform the following steps: - -1. Review [data collection and privacy](#data-collection-and-privacy) information. -2. [Add the Upgrade Readiness solution to your Azure subsctiption](#add-the-upgrade-readiness-solution-to-your-azure-subscription). -3. [Enroll devices in Windows Analytics](#enroll-devices-in-windows-analytics). -4. [Use Upgrade Readiness to manage Windows Upgrades](#use-upgrade-readiness-to-manage-windows-upgrades) once your devices are enrolled. - -## Data collection and privacy - -To enable system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see the following topics, refer to [Frequently asked questions and troubleshooting Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-FAQ-troubleshooting), which discusses the issues and provides links to still more detailed information. - -## Add the Upgrade Readiness solution to your Azure subscription - -Upgrade Readiness is offered as a *solution* which you link to a new or existing [Azure Log Analytics](https://azure.microsoft.com/services/log-analytics/) *workspace* within your Azure *subscription*. To configure this, follows these steps: - -1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal. - - >[!NOTE] - > Upgrade Readiness is included at no additional cost with Windows 10 Professional, Education, and Enterprise editions. An Azure subscription is required for managing and using Upgrade Readiness, but no Azure charges are expected to accrue to the subscription as a result of using Upgrade Readiness. - -2. In the Azure portal select **Create a resource**, search for "Upgrade Readiness", and then select **Create** on the **Upgrade Readiness** solution. - ![Azure portal page highlighting + Create a resource and with Upgrade Readiness selected](../images/UR-Azureportal1.png) - - ![Azure portal showing Upgrade Readiness fly-in and Create button highlighted(images/CreateSolution-Part2-Create.png)](../images/UR-Azureportal2.png) -3. Choose an existing workspace or create a new workspace to host the Upgrade Readiness solution. - ![Azure portal showing Log Analytics workspace fly-in](../images/UR-Azureportal3.png) - - If you are using other Windows Analytics solutions (Device Health or Update Compliance) you should add Upgrade Readiness to the same workspace. - - If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started: - - Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*. - - For the resource group setting select **Create new** and use the same name you chose for your new workspace. - - For the location setting, choose the Azure region where you would prefer the data to be stored. - - For the pricing tier select **per GB**. -4. Now that you have selected a workspace, you can go back to the Upgrade Readiness blade and select **Create**. - ![Azure portal showing workspace selected and with Create button highlighted](../images/UR-Azureportal4.png) -5. Watch for a Notification (in the Azure portal) that "Deployment 'Microsoft.CompatibilityAssessmentOMS' to resource group 'YourResourceGroupName' was successful." and then select **Go to resource** This might take several minutes to appear. - ![Azure portal all services page with Log Analytics found and selected as favorite](../images/CreateSolution-Part5-GoToResource.png) - - Suggestion: Choose the **Pin to Dashboard** option to make it easy to navigate to your newly added Upgrade Readiness solution. - - Suggestion: If a "resource unavailable" error occurs when navigating to the solution, try again after one hour. - -## Enroll devices in Windows Analytics - - -Once you've added Upgrade Readiness to a workspace in your Azure subscription, you can start enrolling the devices in your organization. For full instructions, see [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started). - - - -## Use Upgrade Readiness to manage Windows Upgrades - -Now that your devices are enrolled, you can move on to [Use Upgrade Readiness to manage Windows Upgrades](https://docs.microsoft.com/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades). +--- +title: Get started with Upgrade Readiness (Windows 10) +ms.reviewer: +manager: laurawi +description: Explains how to get started with Upgrade Readiness. +keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics, +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.localizationpriority: medium +ms.topic: article +ms.collection: M365-analytics +--- + +# Get started with Upgrade Readiness + +>[!IMPORTANT] +>**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences. See [Windows Analytics in the Azure Portal](../update/windows-analytics-azure-portal.md) for steps to use Windows Analytics in the Azure portal. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition). + +This topic explains how to obtain and configure Upgrade Readiness for your organization. + +You can use Upgrade Readiness to plan and manage your upgrade project end-to-end. Upgrade Readiness works by establishing communications between computers in your organization and Microsoft. Upgrade Readiness collects computer, application, and driver data for analysis. This data is used to identify compatibility issues that can block your upgrade and to suggest fixes that are known to Microsoft. + +Before you begin, consider reviewing the following helpful information:
          + - [Upgrade Readiness requirements](upgrade-readiness-requirements.md): Provides detailed requirements to use Upgrade Readiness.
          + - [Upgrade Readiness blog](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/bg-p/WindowsAnalyticsBlog): Contains announcements of new features and provides helpful tips for using Upgrade Readiness. + +>If you are using System Center Configuration Manager, also check out information about how to integrate Upgrade Readiness with Configuration Manager: [Integrate Upgrade Readiness with System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics). + +When you are ready to begin using Upgrade Readiness, perform the following steps: + +1. Review [data collection and privacy](#data-collection-and-privacy) information. +2. [Add the Upgrade Readiness solution to your Azure subsctiption](#add-the-upgrade-readiness-solution-to-your-azure-subscription). +3. [Enroll devices in Windows Analytics](#enroll-devices-in-windows-analytics). +4. [Use Upgrade Readiness to manage Windows Upgrades](#use-upgrade-readiness-to-manage-windows-upgrades) once your devices are enrolled. + +## Data collection and privacy + +To enable system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see the following topics, refer to [Frequently asked questions and troubleshooting Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-FAQ-troubleshooting), which discusses the issues and provides links to still more detailed information. + +## Add the Upgrade Readiness solution to your Azure subscription + +Upgrade Readiness is offered as a *solution* which you link to a new or existing [Azure Log Analytics](https://azure.microsoft.com/services/log-analytics/) *workspace* within your Azure *subscription*. To configure this, follows these steps: + +1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal. + + >[!NOTE] + > Upgrade Readiness is included at no additional cost with Windows 10 Professional, Education, and Enterprise editions. An Azure subscription is required for managing and using Upgrade Readiness, but no Azure charges are expected to accrue to the subscription as a result of using Upgrade Readiness. + +2. In the Azure portal select **Create a resource**, search for "Upgrade Readiness", and then select **Create** on the **Upgrade Readiness** solution. + ![Azure portal page highlighting + Create a resource and with Upgrade Readiness selected](../images/UR-Azureportal1.png) + + ![Azure portal showing Upgrade Readiness fly-in and Create button highlighted(images/CreateSolution-Part2-Create.png)](../images/UR-Azureportal2.png) +3. Choose an existing workspace or create a new workspace to host the Upgrade Readiness solution. + ![Azure portal showing Log Analytics workspace fly-in](../images/UR-Azureportal3.png) + - If you are using other Windows Analytics solutions (Device Health or Update Compliance) you should add Upgrade Readiness to the same workspace. + - If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started: + - Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*. + - For the resource group setting select **Create new** and use the same name you chose for your new workspace. + - For the location setting, choose the Azure region where you would prefer the data to be stored. + - For the pricing tier select **per GB**. +4. Now that you have selected a workspace, you can go back to the Upgrade Readiness blade and select **Create**. + ![Azure portal showing workspace selected and with Create button highlighted](../images/UR-Azureportal4.png) +5. Watch for a Notification (in the Azure portal) that "Deployment 'Microsoft.CompatibilityAssessmentOMS' to resource group 'YourResourceGroupName' was successful." and then select **Go to resource** This might take several minutes to appear. + ![Azure portal all services page with Log Analytics found and selected as favorite](../images/CreateSolution-Part5-GoToResource.png) + - Suggestion: Choose the **Pin to Dashboard** option to make it easy to navigate to your newly added Upgrade Readiness solution. + - Suggestion: If a "resource unavailable" error occurs when navigating to the solution, try again after one hour. + +## Enroll devices in Windows Analytics + + +Once you've added Upgrade Readiness to a workspace in your Azure subscription, you can start enrolling the devices in your organization. For full instructions, see [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started). + + + +## Use Upgrade Readiness to manage Windows Upgrades + +Now that your devices are enrolled, you can move on to [Use Upgrade Readiness to manage Windows Upgrades](https://docs.microsoft.com/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades). diff --git a/windows/deployment/upgrade/upgrade-readiness-identify-apps.md b/windows/deployment/upgrade/upgrade-readiness-identify-apps.md index 81992ee784..4c4477de3c 100644 --- a/windows/deployment/upgrade/upgrade-readiness-identify-apps.md +++ b/windows/deployment/upgrade/upgrade-readiness-identify-apps.md @@ -1,41 +1,41 @@ ---- -title: Upgrade Readiness - Identify important apps (Windows 10) -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Describes how to prepare your environment so that you can use Upgrade Readiness to manage Windows upgrades. -ms.prod: w10 -author: greg-lindsay -ms.topic: article -ms.collection: M365-analytics ---- - -# Upgrade Readiness - Step 1: Identify important apps - -This is the first step of the Upgrade Readiness workflow. In this step, applications are listed and grouped by importance level. Setting the importance level enables you to prioritize applications for upgrade. - - - -![Prioritize applications](../images/upgrade-analytics-prioritize.png) - -Select **Assign importance** to change an application’s importance level. By default, applications are marked **Not reviewed** or **Low install count** until you assign a different importance level to them. - -To change an application’s importance level: - -1. Select **Not reviewed** or **Low install count** on the **Prioritize applications** blade to view the list of applications with that importance level. -2. Select the applications you want to change to a specific importance level and then select the appropriate option from the **Select importance level** list. -3. Click **Save** when finished. - -Importance levels include: - -| Importance level | When to use it | Recommendation | -|--------------------|------------------|------------------| -| Low install count | We give you a head start by identifying applications that are installed on 2% or less of your total computer inventory. \[Number of computers application is installed on/total number of computers in your inventory.\]

          Low install count applications are automatically marked as **Ready to upgrade** in the **UpgradeDecision** column unless they have issues that need attention.
          | Be sure to review low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates. For example, payroll apps or tax accounting apps tend to be installed on a relatively small number of machines but are still considered business critical applications.

          | -| Not reviewed | Applications that are installed on more than 2% of your total computer inventory are marked not reviewed until you set their importance level.

          | Once you’ve started to investigate an application to determine its importance level and upgrade readiness, change its status to **Review in progress** in both the **Importance** and **UpgradeDecision** columns. | -| Business critical | By default, no applications are marked as business critical because only you can make that determination. If you know that an application is critical to your organization’s functioning, mark it **Business critical**.

          | You may also want to change the application’s status to **Review in progress** in the **UpgradeDecision** column to let other team members know that you’re working on getting this business critical application upgrade-ready. Once you’ve fixed any issues and validated that the application will migrate successfully, change the upgrade decision to **Ready to upgrade**.
          | -| Important | By default, no applications are marked as important because only you can make that determination. If the application is important but not critical to your organization’s functioning, mark it **Important**. | You may also want to change the application’s status to **Review in progress** in the **UpgradeDecision** column to let other team members know that you’re working on getting this important application upgrade-ready. Once you’ve fixed any issues and validated that the application will migrate successfully, change the upgrade decision to **Ready to upgrade**.
          | -| Ignore | By default, no applications are marked as ignore because only you can make that determination. If the application is not important to your organization’s functioning, such as user-installed applications and games, you may not want to spend time and money validating that these applications will migrate successfully. Mark these applications **Ignore**.
          | Set the application’s importance level to **Ignore** to let other team members know that it can be left as-is with no further investigation or testing. If you set the importance level to ignore, and this is an app that you are not planning on testing or validating, consider changing the upgrade decision to **Ready to upgrade**. By marking these apps ready to upgrade, you are indicating that you are comfortable upgrading with the app remaining in its current state.

          | -| Review in progress | Once you’ve started to investigate an application to determine its importance level and upgrade readiness, change its status to **Review in progress** in both the **Importance** and **UpgradeDecision** columns.
          | As you learn more about the application’s importance to your organization’s functioning, change the importance level to **Business critical**, **Important**, or **Ignore**.

          Until you’ve determined that priority applications will migrate successfully, leave the upgrade decision status as **Review in progress**.
          | - +--- +title: Upgrade Readiness - Identify important apps (Windows 10) +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Describes how to prepare your environment so that you can use Upgrade Readiness to manage Windows upgrades. +ms.prod: w10 +audience: itpro author: greg-lindsay +ms.topic: article +ms.collection: M365-analytics +--- + +# Upgrade Readiness - Step 1: Identify important apps + +This is the first step of the Upgrade Readiness workflow. In this step, applications are listed and grouped by importance level. Setting the importance level enables you to prioritize applications for upgrade. + + + +![Prioritize applications](../images/upgrade-analytics-prioritize.png) + +Select **Assign importance** to change an application’s importance level. By default, applications are marked **Not reviewed** or **Low install count** until you assign a different importance level to them. + +To change an application’s importance level: + +1. Select **Not reviewed** or **Low install count** on the **Prioritize applications** blade to view the list of applications with that importance level. +2. Select the applications you want to change to a specific importance level and then select the appropriate option from the **Select importance level** list. +3. Click **Save** when finished. + +Importance levels include: + +| Importance level | When to use it | Recommendation | +|--------------------|------------------|------------------| +| Low install count | We give you a head start by identifying applications that are installed on 2% or less of your total computer inventory. \[Number of computers application is installed on/total number of computers in your inventory.\]

          Low install count applications are automatically marked as **Ready to upgrade** in the **UpgradeDecision** column unless they have issues that need attention.
          | Be sure to review low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates. For example, payroll apps or tax accounting apps tend to be installed on a relatively small number of machines but are still considered business critical applications.

          | +| Not reviewed | Applications that are installed on more than 2% of your total computer inventory are marked not reviewed until you set their importance level.

          | Once you’ve started to investigate an application to determine its importance level and upgrade readiness, change its status to **Review in progress** in both the **Importance** and **UpgradeDecision** columns. | +| Business critical | By default, no applications are marked as business critical because only you can make that determination. If you know that an application is critical to your organization’s functioning, mark it **Business critical**.

          | You may also want to change the application’s status to **Review in progress** in the **UpgradeDecision** column to let other team members know that you’re working on getting this business critical application upgrade-ready. Once you’ve fixed any issues and validated that the application will migrate successfully, change the upgrade decision to **Ready to upgrade**.
          | +| Important | By default, no applications are marked as important because only you can make that determination. If the application is important but not critical to your organization’s functioning, mark it **Important**. | You may also want to change the application’s status to **Review in progress** in the **UpgradeDecision** column to let other team members know that you’re working on getting this important application upgrade-ready. Once you’ve fixed any issues and validated that the application will migrate successfully, change the upgrade decision to **Ready to upgrade**.
          | +| Ignore | By default, no applications are marked as ignore because only you can make that determination. If the application is not important to your organization’s functioning, such as user-installed applications and games, you may not want to spend time and money validating that these applications will migrate successfully. Mark these applications **Ignore**.
          | Set the application’s importance level to **Ignore** to let other team members know that it can be left as-is with no further investigation or testing. If you set the importance level to ignore, and this is an app that you are not planning on testing or validating, consider changing the upgrade decision to **Ready to upgrade**. By marking these apps ready to upgrade, you are indicating that you are comfortable upgrading with the app remaining in its current state.

          | +| Review in progress | Once you’ve started to investigate an application to determine its importance level and upgrade readiness, change its status to **Review in progress** in both the **Importance** and **UpgradeDecision** columns.
          | As you learn more about the application’s importance to your organization’s functioning, change the importance level to **Business critical**, **Important**, or **Ignore**.

          Until you’ve determined that priority applications will migrate successfully, leave the upgrade decision status as **Review in progress**.
          | + diff --git a/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md b/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md index 6dffc54509..1aee2eb281 100644 --- a/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md +++ b/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md @@ -1,51 +1,51 @@ ---- -title: Monitor deployment with Upgrade Readiness -ms.reviewer: -manager: laurawi -description: Describes how to use Upgrade Readiness to monitor the deployment after Windows upgrades. -keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics, -ms.localizationpriority: medium -ms.prod: w10 -author: greg-lindsay -ms.author: greglin -ms.topic: article -ms.collection: M365-analytics ---- - -# Upgrade Readiness - Step 4: Monitor - -Now that you have started deploying an update with Upgrade Readiness, you can use it to monitor important elements. - -![Upgrade Readiness dialog showing "STEP 4: Monitor" and blades for "Update progress," "Driver issues," and "User feedback"](../images/UR-monitor-main.png) - - -## Update progress - -The **Update progress** blade allows you to monitor the progress and status of your deployment. Any device that has attepted to upgrade in the last 30 days displays the **DeploymentStatus** attribute. You'll be able to see the number of computers that have successfully upgraded, failed to upgrade, are stalled, etc. - - -Selecting this blade allows you to view device-level details about the deployment. For example, select **Failed** to view the original operating system version, the target operating system version, and the reason the update failed for each of the devices that failed to upgrade. In the case of the device illustrated in the following image, an attempt was made to upgrade from Windows 10, version 1703 to 1709, but the operation timed out. - -!["Update progress" blade showing detailed information after selecting the "failed" item](../images/UR-update-progress-failed-detail.png) - - -## Driver issues - -The **Driver issues** blade allows you to see Device Manager errors for your upgraded devices. We include data for all compatibility-related device errors, such as "driver not found" and "driver not started." The blade summarizes errors by error type, but you can select a particular error type to see device-level details about which device(s) are failing and where to obtain a driver. - - -For example, by selecting error code **28 - driver not installed**, you would see that the device in the following image is missing the driver for a network controller. Upgrade Readiness also notifies that a suitable driver is available online through Windows Update. If this device is configured to automatically receive updates from Windows Update, this issue would likely resolve itself following the device's next Windows Update scan. If this device does not automatically receive updates from Windows Update, you would need to deliver the driver manually. - -!["Driver issue" blade showing detailed information after selecting a specific driver error](../images/UR-driver-issue-detail.png) - -## User feedback - -The **User Feedback** blade focuses on gathering subjective feedback from your end users. If a user submits feedback through the Feedback Hub app on a device in your workspace, we will make that feedback visible to you in this blade. The Feedback Hub app is built into Windows 10 and can be accessed by typing "Feedback Hub" in the Cortana search bar. - - -We recommend that you encourage your end users to submit any feedback they have through Feedback Hub. Not only will this feedback be sent directly to Microsoft for review, but you'll also be able to see it by using Upgrade Readiness. You should be aware that **feedback submitted through Feedback Hub will be publicly visible**, so it's best to avoid submitting feedback about internal line-of-business applications. - -When viewing user feedback in Upgrade Readiness, you'll be able to see the raw "Title" and "Feedback" text from the user's submission in Feedback Hub, as well as the number of upvotes the submission has received. (Since feedback is publicly visible, the number of upvotes is a global value and not specific to your company.) If a Microsoft engineer has responded to the submission in Feedback Hub, we'll pull in the Microsoft response for you to see as well. - -![Example user feedback item](../images/UR-example-feedback.png) - +--- +title: Monitor deployment with Upgrade Readiness +ms.reviewer: +manager: laurawi +description: Describes how to use Upgrade Readiness to monitor the deployment after Windows upgrades. +keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics, +ms.localizationpriority: medium +ms.prod: w10 +audience: itpro author: greg-lindsay +ms.author: greglin +ms.topic: article +ms.collection: M365-analytics +--- + +# Upgrade Readiness - Step 4: Monitor + +Now that you have started deploying an update with Upgrade Readiness, you can use it to monitor important elements. + +![Upgrade Readiness dialog showing "STEP 4: Monitor" and blades for "Update progress," "Driver issues," and "User feedback"](../images/UR-monitor-main.png) + + +## Update progress + +The **Update progress** blade allows you to monitor the progress and status of your deployment. Any device that has attepted to upgrade in the last 30 days displays the **DeploymentStatus** attribute. You'll be able to see the number of computers that have successfully upgraded, failed to upgrade, are stalled, etc. + + +Selecting this blade allows you to view device-level details about the deployment. For example, select **Failed** to view the original operating system version, the target operating system version, and the reason the update failed for each of the devices that failed to upgrade. In the case of the device illustrated in the following image, an attempt was made to upgrade from Windows 10, version 1703 to 1709, but the operation timed out. + +!["Update progress" blade showing detailed information after selecting the "failed" item](../images/UR-update-progress-failed-detail.png) + + +## Driver issues + +The **Driver issues** blade allows you to see Device Manager errors for your upgraded devices. We include data for all compatibility-related device errors, such as "driver not found" and "driver not started." The blade summarizes errors by error type, but you can select a particular error type to see device-level details about which device(s) are failing and where to obtain a driver. + + +For example, by selecting error code **28 - driver not installed**, you would see that the device in the following image is missing the driver for a network controller. Upgrade Readiness also notifies that a suitable driver is available online through Windows Update. If this device is configured to automatically receive updates from Windows Update, this issue would likely resolve itself following the device's next Windows Update scan. If this device does not automatically receive updates from Windows Update, you would need to deliver the driver manually. + +!["Driver issue" blade showing detailed information after selecting a specific driver error](../images/UR-driver-issue-detail.png) + +## User feedback + +The **User Feedback** blade focuses on gathering subjective feedback from your end users. If a user submits feedback through the Feedback Hub app on a device in your workspace, we will make that feedback visible to you in this blade. The Feedback Hub app is built into Windows 10 and can be accessed by typing "Feedback Hub" in the Cortana search bar. + + +We recommend that you encourage your end users to submit any feedback they have through Feedback Hub. Not only will this feedback be sent directly to Microsoft for review, but you'll also be able to see it by using Upgrade Readiness. You should be aware that **feedback submitted through Feedback Hub will be publicly visible**, so it's best to avoid submitting feedback about internal line-of-business applications. + +When viewing user feedback in Upgrade Readiness, you'll be able to see the raw "Title" and "Feedback" text from the user's submission in Feedback Hub, as well as the number of upvotes the submission has received. (Since feedback is publicly visible, the number of upvotes is a global value and not specific to your company.) If a Microsoft engineer has responded to the submission in Feedback Hub, we'll pull in the Microsoft response for you to see as well. + +![Example user feedback item](../images/UR-example-feedback.png) + diff --git a/windows/deployment/upgrade/upgrade-readiness-requirements.md b/windows/deployment/upgrade/upgrade-readiness-requirements.md index 1ed4a081c1..3078890be7 100644 --- a/windows/deployment/upgrade/upgrade-readiness-requirements.md +++ b/windows/deployment/upgrade/upgrade-readiness-requirements.md @@ -1,76 +1,76 @@ ---- -title: Upgrade Readiness requirements (Windows 10) -ms.reviewer: -manager: laurawi -description: Provides requirements for Upgrade Readiness. -keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics, -ms.prod: w10 -author: greg-lindsay -ms.author: greglin -ms.localizationpriority: medium -ms.topic: article -ms.collection: M365-analytics ---- - -# Upgrade Readiness requirements - -This article introduces concepts and steps needed to get up and running with Upgrade Readiness. We recommend that you review this list of requirements before getting started as you may need to collect information, such as account credentials, and get approval from internal IT groups, such as your network security group, before you can start using Upgrade Readiness. - -## Supported upgrade paths - -### Windows 7 and Windows 8.1 - -To perform an in-place upgrade, user computers must be running the latest version of either Windows 7 SP1 or Windows 8.1. After you enable Windows diagnostic data, Upgrade Readiness performs a full inventory of computers so that you can see which version of Windows is installed on each computer. - -The compatibility update that sends diagnostic data from user computers to Microsoft data centers works with Windows 7 SP1 and Windows 8.1 only. Upgrade Readiness cannot evaluate Windows XP or Windows Vista for upgrade eligibility. - - - -If you need to update user computers to Windows 7 SP1 or Windows 8.1, use Windows Update or download and deploy the applicable package from the Microsoft Download Center. - -> [!NOTE] -> Upgrade Readiness is designed to best support in-place upgrades. In-place upgrades do not support migrations from BIOS to UEFI or from 32-bit to 64-bit architecture. If you need to migrate computers in these scenarios, use the wipe-and-reload method. Upgrade Readiness insights are still valuable in this scenario, however, you can ignore in-place upgrade specific guidance. - -See [Windows 10 Specifications](https://www.microsoft.com/en-US/windows/windows-10-specifications) for additional information about computer system requirements. - -### Windows 10 - -Keeping Windows 10 up to date involves deploying a feature update, and Upgrade Readiness tools help you prepare and plan for these Windows updates. -The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility updates are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com). - -While Upgrade Readiness can be used to assist with updating devices from Windows 10 Long-Term Servicing Channel (LTSC) to Windows 10 Semi-Annual Channel, Upgrade Readiness does not support updates to Windows 10 LTSC. The Long-Term Servicing Channel of Windows 10 is not intended for general deployment, and does not receive feature updates, therefore it is not a supported target with Upgrade Readiness. See [Windows as a service overview](../update/waas-overview.md#long-term-servicing-channel) to understand more about LTSC. - -## Operations Management Suite or Azure Log Analytics - -Upgrade Readiness is offered as a solution in Azure Portal and Azure Log Analytics, a collection of cloud-based services for managing on premises and cloud computing environments. For more information about Azure Portal, see [Windows Analytics in the Azure Portal](../update/windows-analytics-azure-portal.md) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/). - -If you’re already using Azure Portal or Azure Log Analytics, you’ll find Upgrade Readiness in the Solutions Gallery. Click the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution’s details page. Upgrade Readiness is now visible in your workspace. - -If you are not using Azure Portal or Azure Log Analytics, go to [Log Analytics](https://azure.microsoft.com/services/log-analytics/) on Microsoft.com and select **Start free** to start the setup process. During the process, you’ll create a workspace and add the Upgrade Readiness solution to it. - ->[!IMPORTANT] ->You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work or School account when you sign in to Azure Portal. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in Azure Portal. You also need an Azure subscription to link to your Azure Portal workspace. The account you used to create the workspace must have administrator permissions on the Azure subscription in order to link the workspace to the Azure account. Once the link has been established, you can revoke the administrator permissions. - -## System Center Configuration Manager integration - -Upgrade Readiness can be integrated with your installation of Configuration Manager. For more information, see [Integrate Upgrade Readiness with System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics). - - - -## Important information about this release - -Before you get started configuring Upgrade Anatlyics, review the following tips and limitations about this release. - -**Upgrade Readiness does not support on-premises Windows deployments.** Upgrade Readiness is built as a cloud service, which allows Upgrade Readiness to provide you with insights based on the data from user computers and other Microsoft compatibility services. Cloud services are easy to get up and running and are cost-effective because there is no requirement to physically implement and maintain services on-premises. - -**In-region data storage requirements.** Windows diagnostic data from user computers is encrypted, sent to, and processed at Microsoft-managed secure data centers located in the US. Our analysis of the upgrade readiness-related data is then provided to you through the Upgrade Readiness solution in Azure Portal. Upgrade Readiness is supported in all Azure regions; however, selecting an international Azure region does not prevent diagnostic data from being sent to and processed in Microsoft's secure data centers in the US. - -### Tips - -- When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export a list with fewer items. - -- Sorting data by clicking a column heading may not sort your complete list of items. For information about how to sort data in Azure Portal, see [Sorting DocumentDB data using Order By](https://azure.microsoft.com/documentation/articles/documentdb-orderby). - -## Get started - -See [Get started with Upgrade Readiness](upgrade-readiness-get-started.md) for detailed, step-by-step instructions for configuring Upgrade Readiness and getting started on your Windows upgrade project. +--- +title: Upgrade Readiness requirements (Windows 10) +ms.reviewer: +manager: laurawi +description: Provides requirements for Upgrade Readiness. +keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics, +ms.prod: w10 +audience: itpro author: greg-lindsay +ms.author: greglin +ms.localizationpriority: medium +ms.topic: article +ms.collection: M365-analytics +--- + +# Upgrade Readiness requirements + +This article introduces concepts and steps needed to get up and running with Upgrade Readiness. We recommend that you review this list of requirements before getting started as you may need to collect information, such as account credentials, and get approval from internal IT groups, such as your network security group, before you can start using Upgrade Readiness. + +## Supported upgrade paths + +### Windows 7 and Windows 8.1 + +To perform an in-place upgrade, user computers must be running the latest version of either Windows 7 SP1 or Windows 8.1. After you enable Windows diagnostic data, Upgrade Readiness performs a full inventory of computers so that you can see which version of Windows is installed on each computer. + +The compatibility update that sends diagnostic data from user computers to Microsoft data centers works with Windows 7 SP1 and Windows 8.1 only. Upgrade Readiness cannot evaluate Windows XP or Windows Vista for upgrade eligibility. + + + +If you need to update user computers to Windows 7 SP1 or Windows 8.1, use Windows Update or download and deploy the applicable package from the Microsoft Download Center. + +> [!NOTE] +> Upgrade Readiness is designed to best support in-place upgrades. In-place upgrades do not support migrations from BIOS to UEFI or from 32-bit to 64-bit architecture. If you need to migrate computers in these scenarios, use the wipe-and-reload method. Upgrade Readiness insights are still valuable in this scenario, however, you can ignore in-place upgrade specific guidance. + +See [Windows 10 Specifications](https://www.microsoft.com/en-US/windows/windows-10-specifications) for additional information about computer system requirements. + +### Windows 10 + +Keeping Windows 10 up to date involves deploying a feature update, and Upgrade Readiness tools help you prepare and plan for these Windows updates. +The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility updates are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com). + +While Upgrade Readiness can be used to assist with updating devices from Windows 10 Long-Term Servicing Channel (LTSC) to Windows 10 Semi-Annual Channel, Upgrade Readiness does not support updates to Windows 10 LTSC. The Long-Term Servicing Channel of Windows 10 is not intended for general deployment, and does not receive feature updates, therefore it is not a supported target with Upgrade Readiness. See [Windows as a service overview](../update/waas-overview.md#long-term-servicing-channel) to understand more about LTSC. + +## Operations Management Suite or Azure Log Analytics + +Upgrade Readiness is offered as a solution in Azure Portal and Azure Log Analytics, a collection of cloud-based services for managing on premises and cloud computing environments. For more information about Azure Portal, see [Windows Analytics in the Azure Portal](../update/windows-analytics-azure-portal.md) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/). + +If you’re already using Azure Portal or Azure Log Analytics, you’ll find Upgrade Readiness in the Solutions Gallery. Click the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution’s details page. Upgrade Readiness is now visible in your workspace. + +If you are not using Azure Portal or Azure Log Analytics, go to [Log Analytics](https://azure.microsoft.com/services/log-analytics/) on Microsoft.com and select **Start free** to start the setup process. During the process, you’ll create a workspace and add the Upgrade Readiness solution to it. + +>[!IMPORTANT] +>You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work or School account when you sign in to Azure Portal. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in Azure Portal. You also need an Azure subscription to link to your Azure Portal workspace. The account you used to create the workspace must have administrator permissions on the Azure subscription in order to link the workspace to the Azure account. Once the link has been established, you can revoke the administrator permissions. + +## System Center Configuration Manager integration + +Upgrade Readiness can be integrated with your installation of Configuration Manager. For more information, see [Integrate Upgrade Readiness with System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics). + + + +## Important information about this release + +Before you get started configuring Upgrade Anatlyics, review the following tips and limitations about this release. + +**Upgrade Readiness does not support on-premises Windows deployments.** Upgrade Readiness is built as a cloud service, which allows Upgrade Readiness to provide you with insights based on the data from user computers and other Microsoft compatibility services. Cloud services are easy to get up and running and are cost-effective because there is no requirement to physically implement and maintain services on-premises. + +**In-region data storage requirements.** Windows diagnostic data from user computers is encrypted, sent to, and processed at Microsoft-managed secure data centers located in the US. Our analysis of the upgrade readiness-related data is then provided to you through the Upgrade Readiness solution in Azure Portal. Upgrade Readiness is supported in all Azure regions; however, selecting an international Azure region does not prevent diagnostic data from being sent to and processed in Microsoft's secure data centers in the US. + +### Tips + +- When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export a list with fewer items. + +- Sorting data by clicking a column heading may not sort your complete list of items. For information about how to sort data in Azure Portal, see [Sorting DocumentDB data using Order By](https://azure.microsoft.com/documentation/articles/documentdb-orderby). + +## Get started + +See [Get started with Upgrade Readiness](upgrade-readiness-get-started.md) for detailed, step-by-step instructions for configuring Upgrade Readiness and getting started on your Windows upgrade project. diff --git a/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md b/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md index 3367363f1c..6d2a66ecdc 100644 --- a/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md +++ b/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md @@ -1,216 +1,216 @@ ---- -title: Upgrade Readiness - Resolve application and driver issues (Windows 10) -ms.reviewer: -manager: laurawi -description: Describes how to resolve application and driver issues that can occur during an upgrade with Upgrade Readiness. -keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics, -ms.prod: w10 -author: greg-lindsay -ms.author: greglin -ms.localizationpriority: medium -ms.topic: article -ms.collection: M365-analytics ---- - -# Upgrade Readiness - Step 2: Resolve app and driver issues - -This section of the Upgrade Readiness workflow reports application and driver inventory and shows you which applications have known issues, which applications have no known issues, and which drivers have issues. We identify applications and drivers that need attention and suggest fixes when we know about them. - -## In this section - -The blades in the **Step 2: Resolve issues** section are: - -- [Review applications with known issues](#review-applications-with-known-issues) -- [Review known driver issues](#review-drivers-with-known-issues) -- [Review low-risk apps and drivers](#review-low-risk-apps-and-drivers) -- [Prioritize app and driver testing](#prioritize-app-and-driver-testing) - ->You can change an application’s upgrade decision and a driver’s upgrade decision from the blades in this section. To change an application’s or a driver’s importance level, select **User changes**. Select the item you want to change and then select the appropriate option from the **Select upgrade decision** list. - -Upgrade decisions include: - - -| Upgrade decision | When to use it | Guidance | -|--------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Not reviewed | All drivers are marked as Not reviewed by default.

          Any app that has not been marked **Low install count** will also have an upgrade decision of **Not reviewed** by default.
          | Apps you have not yet reviewed or are waiting to review later should be marked as **Not reviewed**. When you start to investigate an application or a driver to determine upgrade readiness, change their upgrade decision to **Review in progress**.

          | -| Review in progress | When you start to investigate an application or a driver to determine upgrade readiness, change its upgrade decision to **Review in progress**.

          Until you’ve determined that applications and drivers will migrate successfully or you’ve resolved blocking issues, leave the upgrade decision status as **Review in progress**.

          | Once you’ve fixed any issues and validated that the application or driver will migrate successfully, change the upgrade decision to **Ready to upgrade**.
          | -| Ready to upgrade | Mark applications and drivers **Ready to upgrade** once you’ve resolved all blocking issues and you’re confident that they will upgrade successfully, or if you’ve decided to upgrade them as-is. | Applications with no known issues and with low installation rates are marked **Ready to upgrade** by default.

          In Step 1, you might have marked some of your apps as **Ignore**. These should be marked as **Ready to upgrade**. Apps with low installation rates are marked as **Ready to upgrade** by default. Be sure to review any low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates.
          | -| Won’t upgrade | By default, no applications or drivers are marked **Won’t upgrade** because only you can make that determination.

          Use **Won’t upgrade** for applications and drivers that you do not work on your target operating system, or that you are unable to upgrade.
          | If, during your investigation into an application or driver, you determine that they should not or cannot be upgraded, mark them **Won’t upgrade**.

          | - -As you review applications with known issues, you can also see ISV support statements or applications using [Ready for Windows](https://www.readyforwindows.com/). - -## Review applications with known issues - -Applications with issues known to Microsoft are listed, grouped by upgrade assessment into **Attention needed** or **Fix available**. - - - -![Review applications with known issues](../images/upgrade-analytics-apps-known-issues.png) - -To change an application's upgrade decision: - -1. Select **Decide upgrade readiness** to view applications with issues. -2. In the table view, select an **UpgradeDecision** value. -3. Select **Decide upgrade readiness** to change the upgrade decision for each application. -4. Select the applications you want to change to a specific upgrade decision and then select the appropriate option from the **Select upgrade decision** list. -5. Click **Save** when finished. - -IMPORTANT: Ensure that you have the most recent versions of the compatibility update and related KBs installed to get the most up-to-date compatibility information. - -For applications assessed as **Attention needed**, review the table below for details about known issues and for guidance about how to resolve them, when possible. - -| Upgrade Assessment | Action required prior to upgrade? | Issue | What it means | Guidance | -|--------------------|-----------------------------------|-----------|-----------------|------------| -| Attention needed | No | Application is removed during upgrade | Compatibility issues were detected and the application will not migrate to the new operating system.
          | No action is required for the upgrade to proceed. | -| Attention needed | Yes | Blocking upgrade | Blocking issues were detected and Upgrade Readiness is not able to remove the application during upgrade.

          The application may work on the new operating system.
          | Remove the application before upgrading, and reinstall and test on new operating system. | -| Attention needed | No | Evaluate application on new OS | The application will migrate, but issues were detected that may impact its performance on the new operating system. | No action is required for the upgrade to proceed, but be sure to test the application on the new operating system.
          | -| Attention needed | No | Does not work with new OS, but won’t block upgrade | The application is not compatible with the new operating system, but won’t block the upgrade. | No action is required for the upgrade to proceed, however, you’ll have to install a compatible version of the application on the new operating system.
          | -| Attention needed | Yes | Does not work with new OS, and will block upgrade | The application is not compatible with the new operating system and will block the upgrade. | Remove the application before upgrading.

          A compatible version of the application may be available.
          | -| Attention needed | Yes | May block upgrade, test application | Issues were detected that may interfere with the upgrade, but need to be investigated further.
          | Test the application’s behavior during upgrade. If it blocks the upgrade, remove it before upgrading and reinstall and test it on the new operating system.
          | -| Attention needed | Maybe | Multiple | Multiple issues are affecting the application. See detailed view for more information.| When you see Multiple in the query detailed view, click **Query** to see details about what issues were detected with the different versions of the application. | - -For applications assessed as **Fix available**, review the table below for details about known issues and ways to fix them that are known to Microsoft. - -| Upgrade Assessment | Action required prior to upgrade? | Issue | What it means | Guidance | -|--------------------|-----------------------------------|----------|-----------------|-------------| -| Fix available | Yes | Blocking upgrade, update application to newest version | The existing version of the application is not compatible with the new operating system and won’t migrate. A compatible version of the application is available. | Update the application before upgrading. | -| Fix available | No | Reinstall application after upgrading | The application is compatible with the new operating system, but must be reinstalled after upgrading. The application is removed during the upgrade process.
          | No action is required for the upgrade to proceed. Reinstall application on the new operating system. | -| Fix available | Yes | Blocking upgrade, but can be reinstalled after upgrading | The application is compatible with the new operating system, but won’t migrate. | Remove the application before upgrading and reinstall on the new operating system.
          | -| Fix available | Yes | Disk encryption blocking upgrade | The application’s encryption features are blocking the upgrade. | Disable the encryption feature before upgrading and enable it again after upgrading.
          | - -### ISV support for applications with Ready for Windows - -[Ready for Windows](https://www.readyforwindows.com/) lists software solutions that are supported and in use for Windows 10. This site leverages data about application adoption from commercial Windows 10 installations and helps IT managers upgrade to Windows 10 with confidence. For more information, see [Ready for Windows Frequently Asked Questions](https://developer.microsoft.com/windows/ready-for-windows/#/faq/). - -Click **Review Applications With Known Issues** to see the status of applications for Ready for Windows and corresponding guidance. For example: - -![Upgrade analytics Ready for Windows status](../images/upgrade-analytics-ready-for-windows-status.png) - -If there are known issues with an application, the specific guidance for that known issue takes precedence over the Ready for Windows guidance. - -![Upgrade analytics Ready for Windows status guidance precedence](../images/upgrade-analytics-ready-for-windows-status-guidance-precedence.png) - -If you query with RollupLevel="NamePublisher", each version of the application can have a different status for Ready for Windows. In this case, different values appear for Ready for Windows. - -![Name publisher rollup](../images/upgrade-analytics-namepub-rollup.png) - -> [!TIP] -> Within the Upgrade Readiness data model, an object of Type **UAApp** refers to a particular application installed on a specific computer. -> -> To support dynamic aggregation and summation of data the Upgrade Readiness solution "rolls up" (aggregates) data in preprocessing. Rolling up to the **Granular** level enables display of the **App** level. In Upgrade Readiness terminology, an **App** is a unique combination of: app name, app vendor, app version, and app language. Thus, at the Granular level, you can see attributes such as **total install count**, which is the number of machines with a specific **App** installed. -> -> Upgrade Readiness also has a roll up level of **NamePublisher**, This level enables you to ignore different app versions within your organization for a particular app. In other words, **NamePublisher** displays statistics about a given app, aggregated across all versions. - -The following table lists possible values for **ReadyForWindows** and what they mean. For more information, see [What does the Adoption Status mean?](https://developer.microsoft.com/en-us/windows/ready-for-windows#/faq/?scrollTo=faqStatuses) - -| Ready for Windows Status | Query rollup level | What this means | Guidance | -|-------------------|--------------------------|-----------------|----------| -|Supported version available | Granular | The software provider has declared support for one or more versions of this application on Windows 10. | The ISV has declared support for a version of this application on Windows 10. | -| Highly adopted | Granular | This version of this application has been highly adopted within the Windows 10 Enterprise ecosystem. | This application has been installed on at least 100,000 commercial Windows 10 devices. | -| Adopted | Granular | This version of this application has been adopted within the Windows 10 Enterprise ecosystem. | This application has been installed on at least 10,000 commercial Windows 10 devices. | -| Insufficient Data | Granular | Too few commercial Windows 10 devices are sharing information about this version of this application for Microsoft to categorize its adoption. | N/A | -| Contact developer | Granular | There may be compatibility issues with this version of the application, so Microsoft recommends contacting the software provider to learn more. | Check [Ready for Windows](https://www.readyforwindows.com/) for additional information.| -|Supported version available | NamePublisher | The software provider has declared support for this application on Windows 10. | The ISV has declared support for a version of this application on Windows 10.| -|Adoption status available | NamePublisher | A Ready for Windows adoption status is available for one or more versions of this application. Please check Ready for Windows to learn more. |Check [Ready for Windows](https://www.readyforwindows.com/) for adoption information for this application.| -| Unknown | Any | There is no Ready for Windows information available for this version of this application. Information may be available for other versions of the application at [Ready for Windows](https://www.readyforwindows.com/). | N/A | - -## Review drivers with known issues - -Drivers that won’t migrate to the new operating system are listed, grouped by availability. - -![Review drivers with known issues](../images/upgrade-analytics-drivers-known.png) - -Availability categories are explained in the table below. - -| Driver availability | Action required before or after upgrade? | What it means | Guidance | -|-----------------------|------------------------------------------|----------------|--------------| -| Available in-box | No, for awareness only | The currently installed version of an application or driver won’t migrate to the new operating system; however, a compatible version is installed with the new operating system.
          | No action is required for the upgrade to proceed. | -| Import from Windows Update | Yes | The currently installed version of a driver won’t migrate to the new operating system; however, a compatible version is available from Windows Update.
          | If the computer automatically receives updates from Windows Update, no action is required. Otherwise, import a new driver from Windows Update after upgrading.
          | -| Available in-box and from Windows Update | Yes | The currently installed version of a driver won’t migrate to the new operating system.

          Although a new driver is installed during upgrade, a newer version is available from Windows Update.
          | If the computer automatically receives updates from Windows Update, no action is required. Otherwise, import a new driver from Windows Update after upgrading.
          | -| Check with vendor | Yes | The driver won’t migrate to the new operating system and we are unable to locate a compatible version.
          | Check with the independent hardware vendor (IHV) who manufactures the driver for a solution. | - -To change a driver’s upgrade decision: - -1. Select **Decide upgrade readiness** and then select the group of drivers you want to review. Select **Table** to view the list in a table. - -2. Select **User changes** to enable user input. - -3. Select the drivers you want to change to a specific upgrade decision and then select the appropriate option from the **Select upgrade decision** list. - -4. Click **Save** when finished. - -## Review low-risk apps and drivers - -Applications and drivers that are meet certain criteria to be considered low risk are displayed on this blade. - -![Blade showing low-risk apps](../images/ua-step2-low-risk.png) - -The first row reports the number of your apps that have an official statement of support on Windows 10 from the software vendor, so you can be confident that they will work on your target operating system. - -The second row (**Apps that are "Highly adopted"**) shows apps that have a ReadyForWindows status of "Highly adopted". This means that they have been installed on at least 100,000 commercial Windows 10 devices, and that Microsoft has not detected significant issues with the app in diagnostic data. Since these apps are prevalent in the ecosystem at large, you can be confident that they will work in your environment as well. - -Each row of the blade uses a different criterion to filter your apps or drivers. You can view a list of applications that meet the criterion by clicking into a row of the blade. For example, if you click the row that says "Apps that are 'Highly adopted'", the result is a list of apps that have a ReadyForWindows status of "Highly adopted". From here, you can bulk-select the results, select **Ready to upgrade**, and then click **Save**. This will mark all apps meeting the "Highly adopted" criterion as "Ready to upgrade"--no further validation is required. Any applications that you have marked as *Mission critical* or *Business critical* are filtered out, as well as any app that has an issue known to Microsoft. This allows you to work with apps in bulk without having to worry about missing a critical app. - -You can customize the criteria further by using the Log Search query language. For example, if a ReadyForWindows status of "Adopted" is not sufficient by itself for you to be confident in an app's compatibility, you can add additional filters. To do this, click the row labeled **Apps that are 'Adopted'**. Then, modify the resulting query to fit your company's risk tolerance. If, for example, you prefer that an app must be "Adopted" and have fewer than 1,000 installations, then add *TotalInstalls < 1000* to the end of the Log Search query. Similarly, you can append additional criteria by using other attributes such as monthly active users or app importance. - ->[!NOTE] ->Apps that you have designated as *Mission critical* or *Business critical* are automatically **excluded** from the counts on this blade. If an app is critical, you should always validate it manually it prior to upgrading. - - At the bottom of the blade, the **OTHER APPS AND DRIVERS IN NEED OF REVIEW** section allows you to quickly access apps you have designated as **Mission critical** or **Business critical**, your remaining apps that still need to be reviewed, and your remaining drivers that need to be reviewed. - - - -## Prioritize app and driver testing - -Planning and executing an OS upgrade project can be overwhelming. When you are tasked with evaluating thousands of applications and drivers to ensure a successful upgrade, it can be difficult to decide where to start. The Upgrade Readiness solution provides valuable assistance for you, helping to determine the most important apps and drivers to unblock and enabling you yo create a proposed action plan. - -### Proposed action plan - -The Upgrade Readiness proposed action plan is an optimally ordered list of apps and drivers that are in need of review. By testing apps and drivers in the order suggested by the proposed action plan, you are able to increase your number of “Ready to upgrade” computers in an efficient manner. The action plan can be a very powerful tool during upgrade planning – but it’s most helpful when it’s used correctly. This topic explains the proposed action plan, describes how to use it, and calls out a few misconceptions and invalid use cases that you should avoid. - -The proposed action plan represents the order thath Microsoft recommends you rationalize the upgrade-readiness of your apps and drivers. By validating apps and drivers in the order proposed, you can ensure that you are testing efficiently. - -Each item in the proposed action plan represents either an application or a driver that you have not yet marked “Ready to upgrade.” - ->Since “Low install count” apps are automatically marked “Ready to upgrade”, you will not see any of these apps in the proposed action plan. - -Each item in the plan has the following attributes: - -| Attribute | Description | Example value | -|-----------------------|------------------------------------------|----------------| -| ItemRank | The location of this item in the context of the proposed action plan. For example, the item with ItemRank 7 is the 7th item in the Plan. It is crucial that the Plan is viewed in order by increasing ItemRank. Sorting the Plan in any other way invalidates the insights that the Plan provides. | 7 | -| ItemType | Whether this item is an app or driver -- possible values are: "App" and "Driver." | App | -| ItemName | The name of the app or driver that is in need of review. | Microsoft Visual C++ 2005 Redistributable (x64) | -| ItemVendor | The vendor of the app or driver. | Microsoft Corporation | -| ItemVersion | The version of the app or driver. | 12.1.0.1 | -| ItemLanguage | If this item is an application, then this field will be the language of the app. If the item is a driver, then this will say "N/A." | English | -| ItemHardwareId | If this item is a driver, then this field will be the hardware id of the driver. If the item is an app, then this will say "N/A." | N/A | -| Upgrade Decision | The upgrade decision you have provided for this app or driver. If you have not defined an upgrade decision, then you will see the default value of “Not reviewed.” | Review in progress | -| ComputersUnblocked | Assuming you have already marked all previous items in the proposed action plan “Ready to upgrade”, this represents the number of additional computers that will become “Ready to upgrade” by testing this app or driver and giving it an upgrade decision of “Ready to upgrade”. For example, if ComputersUnblocked is 200, then resolving any issues associated with the app/driver in question will make 200 new computers “Ready to upgrade.” | 200 | -| CumulativeUnblocked | The total number of computers that will become “Ready to upgrade” if you validate and mark this and all prior items in the proposed action plan “Ready to upgrade”. For example, if ItemRank is 7, and CumulativeUnblocked is 950, then fixing items 1 thru 7 in the proposed action plan will cause 950 of your computers to become “Ready to upgrade.” | 950 | -| CumulativeUnblockedPct | The percentage of your machines that will become “Ready to upgrade” if you make this and all prior items in the proposed action plan “Ready to upgrade.” | 0.24 | - -See the following example action plan items (click the image for a full-size view): - -![Proposed action plan](../images/UR-lift-report.jpg) - -
          -In this example, the 3rd item is an application: Microsoft Bing Sports, a modern app, version 4.20.951.0, published by Microsoft. By validating this app and making its UpgradeDecision “Ready to upgrade”, you can potentially make 1014 computers “Ready to upgrade” – but only after you have already validated items 1 and 2 in the list. By marking items 1, 2, and 3 “Ready to upgrade”, 14779 of your computers will become upgrade-ready. This represents 10.96% of the machines in this workspace. - -#### Using the proposed action plan - -There are several valid use cases for the proposed action plan. But it’s always important to remember that the information presented in the Plan is only accurate when sorted by increasing Item Rank! Here are three potential cases in which you could use the proposed action plan: - -1. Quickly determine how many apps and drivers you’ll need to validate in order to make x% of your computers upgrade-ready. To determine this, simply find the first item in the Plan with a CumulativeUnblockedPct greater than or equal to your desired percentage of upgrade-ready computers. The corresponding ItemRank represents the smallest number of apps and drivers that you can validate in order to reach your upgrade readiness goal. The prior items in the proposed action plan itself represent the most efficient route to reaching your goal. - -2. Use the proposed action plan to prepare a small portion of your machines for a pilot of your target Operating System. Let’s say you want to test a new Operating System by upgrading a few hundred computers. You can use the proposed action plan to determine how many apps and drivers you will need to validate before you can be confident that your pilot will be successful. - -3. If your project deadline is approaching and you only have time to validate a few more apps and drivers, you can use the proposed action plan to determine which apps and drivers you should focus on to maximize the number of computers that you can confidently upgrade. - -#### Misconceptions and things to avoid - -The most common misconceptions about the proposed action plan involve the assumption that each item in the plan is independent of those around it. The apps and drivers in the plan must be considered in the correct order to draw valid conclusions. For example, if you choose to validate items 1, 3, 4, and 5 and mark each of them “Ready to upgrade,” the proposed action plan cannot tell you how many computers will become upgrade-ready as a result of your testing. Even the non-cumulative “ComputersUnblocked” count is dependent upon all prior issues having already been resolved. - -If an item with ItemRank = 7 has a ComputersUnblocked value of 50, do not assume that 50 of your computers will become upgrade-ready if you test this item. However, if you validate items 1 through 6 in the plan, you can make an additional 50 computers upgrade-ready by validating the 7th item in the plan. +--- +title: Upgrade Readiness - Resolve application and driver issues (Windows 10) +ms.reviewer: +manager: laurawi +description: Describes how to resolve application and driver issues that can occur during an upgrade with Upgrade Readiness. +keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics, +ms.prod: w10 +audience: itpro author: greg-lindsay +ms.author: greglin +ms.localizationpriority: medium +ms.topic: article +ms.collection: M365-analytics +--- + +# Upgrade Readiness - Step 2: Resolve app and driver issues + +This section of the Upgrade Readiness workflow reports application and driver inventory and shows you which applications have known issues, which applications have no known issues, and which drivers have issues. We identify applications and drivers that need attention and suggest fixes when we know about them. + +## In this section + +The blades in the **Step 2: Resolve issues** section are: + +- [Review applications with known issues](#review-applications-with-known-issues) +- [Review known driver issues](#review-drivers-with-known-issues) +- [Review low-risk apps and drivers](#review-low-risk-apps-and-drivers) +- [Prioritize app and driver testing](#prioritize-app-and-driver-testing) + +>You can change an application’s upgrade decision and a driver’s upgrade decision from the blades in this section. To change an application’s or a driver’s importance level, select **User changes**. Select the item you want to change and then select the appropriate option from the **Select upgrade decision** list. + +Upgrade decisions include: + + +| Upgrade decision | When to use it | Guidance | +|--------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Not reviewed | All drivers are marked as Not reviewed by default.

          Any app that has not been marked **Low install count** will also have an upgrade decision of **Not reviewed** by default.
          | Apps you have not yet reviewed or are waiting to review later should be marked as **Not reviewed**. When you start to investigate an application or a driver to determine upgrade readiness, change their upgrade decision to **Review in progress**.

          | +| Review in progress | When you start to investigate an application or a driver to determine upgrade readiness, change its upgrade decision to **Review in progress**.

          Until you’ve determined that applications and drivers will migrate successfully or you’ve resolved blocking issues, leave the upgrade decision status as **Review in progress**.

          | Once you’ve fixed any issues and validated that the application or driver will migrate successfully, change the upgrade decision to **Ready to upgrade**.
          | +| Ready to upgrade | Mark applications and drivers **Ready to upgrade** once you’ve resolved all blocking issues and you’re confident that they will upgrade successfully, or if you’ve decided to upgrade them as-is. | Applications with no known issues and with low installation rates are marked **Ready to upgrade** by default.

          In Step 1, you might have marked some of your apps as **Ignore**. These should be marked as **Ready to upgrade**. Apps with low installation rates are marked as **Ready to upgrade** by default. Be sure to review any low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates.
          | +| Won’t upgrade | By default, no applications or drivers are marked **Won’t upgrade** because only you can make that determination.

          Use **Won’t upgrade** for applications and drivers that you do not work on your target operating system, or that you are unable to upgrade.
          | If, during your investigation into an application or driver, you determine that they should not or cannot be upgraded, mark them **Won’t upgrade**.

          | + +As you review applications with known issues, you can also see ISV support statements or applications using [Ready for Windows](https://www.readyforwindows.com/). + +## Review applications with known issues + +Applications with issues known to Microsoft are listed, grouped by upgrade assessment into **Attention needed** or **Fix available**. + + + +![Review applications with known issues](../images/upgrade-analytics-apps-known-issues.png) + +To change an application's upgrade decision: + +1. Select **Decide upgrade readiness** to view applications with issues. +2. In the table view, select an **UpgradeDecision** value. +3. Select **Decide upgrade readiness** to change the upgrade decision for each application. +4. Select the applications you want to change to a specific upgrade decision and then select the appropriate option from the **Select upgrade decision** list. +5. Click **Save** when finished. + +IMPORTANT: Ensure that you have the most recent versions of the compatibility update and related KBs installed to get the most up-to-date compatibility information. + +For applications assessed as **Attention needed**, review the table below for details about known issues and for guidance about how to resolve them, when possible. + +| Upgrade Assessment | Action required prior to upgrade? | Issue | What it means | Guidance | +|--------------------|-----------------------------------|-----------|-----------------|------------| +| Attention needed | No | Application is removed during upgrade | Compatibility issues were detected and the application will not migrate to the new operating system.
          | No action is required for the upgrade to proceed. | +| Attention needed | Yes | Blocking upgrade | Blocking issues were detected and Upgrade Readiness is not able to remove the application during upgrade.

          The application may work on the new operating system.
          | Remove the application before upgrading, and reinstall and test on new operating system. | +| Attention needed | No | Evaluate application on new OS | The application will migrate, but issues were detected that may impact its performance on the new operating system. | No action is required for the upgrade to proceed, but be sure to test the application on the new operating system.
          | +| Attention needed | No | Does not work with new OS, but won’t block upgrade | The application is not compatible with the new operating system, but won’t block the upgrade. | No action is required for the upgrade to proceed, however, you’ll have to install a compatible version of the application on the new operating system.
          | +| Attention needed | Yes | Does not work with new OS, and will block upgrade | The application is not compatible with the new operating system and will block the upgrade. | Remove the application before upgrading.

          A compatible version of the application may be available.
          | +| Attention needed | Yes | May block upgrade, test application | Issues were detected that may interfere with the upgrade, but need to be investigated further.
          | Test the application’s behavior during upgrade. If it blocks the upgrade, remove it before upgrading and reinstall and test it on the new operating system.
          | +| Attention needed | Maybe | Multiple | Multiple issues are affecting the application. See detailed view for more information.| When you see Multiple in the query detailed view, click **Query** to see details about what issues were detected with the different versions of the application. | + +For applications assessed as **Fix available**, review the table below for details about known issues and ways to fix them that are known to Microsoft. + +| Upgrade Assessment | Action required prior to upgrade? | Issue | What it means | Guidance | +|--------------------|-----------------------------------|----------|-----------------|-------------| +| Fix available | Yes | Blocking upgrade, update application to newest version | The existing version of the application is not compatible with the new operating system and won’t migrate. A compatible version of the application is available. | Update the application before upgrading. | +| Fix available | No | Reinstall application after upgrading | The application is compatible with the new operating system, but must be reinstalled after upgrading. The application is removed during the upgrade process.
          | No action is required for the upgrade to proceed. Reinstall application on the new operating system. | +| Fix available | Yes | Blocking upgrade, but can be reinstalled after upgrading | The application is compatible with the new operating system, but won’t migrate. | Remove the application before upgrading and reinstall on the new operating system.
          | +| Fix available | Yes | Disk encryption blocking upgrade | The application’s encryption features are blocking the upgrade. | Disable the encryption feature before upgrading and enable it again after upgrading.
          | + +### ISV support for applications with Ready for Windows + +[Ready for Windows](https://www.readyforwindows.com/) lists software solutions that are supported and in use for Windows 10. This site leverages data about application adoption from commercial Windows 10 installations and helps IT managers upgrade to Windows 10 with confidence. For more information, see [Ready for Windows Frequently Asked Questions](https://developer.microsoft.com/windows/ready-for-windows/#/faq/). + +Click **Review Applications With Known Issues** to see the status of applications for Ready for Windows and corresponding guidance. For example: + +![Upgrade analytics Ready for Windows status](../images/upgrade-analytics-ready-for-windows-status.png) + +If there are known issues with an application, the specific guidance for that known issue takes precedence over the Ready for Windows guidance. + +![Upgrade analytics Ready for Windows status guidance precedence](../images/upgrade-analytics-ready-for-windows-status-guidance-precedence.png) + +If you query with RollupLevel="NamePublisher", each version of the application can have a different status for Ready for Windows. In this case, different values appear for Ready for Windows. + +![Name publisher rollup](../images/upgrade-analytics-namepub-rollup.png) + +> [!TIP] +> Within the Upgrade Readiness data model, an object of Type **UAApp** refers to a particular application installed on a specific computer. +> +> To support dynamic aggregation and summation of data the Upgrade Readiness solution "rolls up" (aggregates) data in preprocessing. Rolling up to the **Granular** level enables display of the **App** level. In Upgrade Readiness terminology, an **App** is a unique combination of: app name, app vendor, app version, and app language. Thus, at the Granular level, you can see attributes such as **total install count**, which is the number of machines with a specific **App** installed. +> +> Upgrade Readiness also has a roll up level of **NamePublisher**, This level enables you to ignore different app versions within your organization for a particular app. In other words, **NamePublisher** displays statistics about a given app, aggregated across all versions. + +The following table lists possible values for **ReadyForWindows** and what they mean. For more information, see [What does the Adoption Status mean?](https://developer.microsoft.com/en-us/windows/ready-for-windows#/faq/?scrollTo=faqStatuses) + +| Ready for Windows Status | Query rollup level | What this means | Guidance | +|-------------------|--------------------------|-----------------|----------| +|Supported version available | Granular | The software provider has declared support for one or more versions of this application on Windows 10. | The ISV has declared support for a version of this application on Windows 10. | +| Highly adopted | Granular | This version of this application has been highly adopted within the Windows 10 Enterprise ecosystem. | This application has been installed on at least 100,000 commercial Windows 10 devices. | +| Adopted | Granular | This version of this application has been adopted within the Windows 10 Enterprise ecosystem. | This application has been installed on at least 10,000 commercial Windows 10 devices. | +| Insufficient Data | Granular | Too few commercial Windows 10 devices are sharing information about this version of this application for Microsoft to categorize its adoption. | N/A | +| Contact developer | Granular | There may be compatibility issues with this version of the application, so Microsoft recommends contacting the software provider to learn more. | Check [Ready for Windows](https://www.readyforwindows.com/) for additional information.| +|Supported version available | NamePublisher | The software provider has declared support for this application on Windows 10. | The ISV has declared support for a version of this application on Windows 10.| +|Adoption status available | NamePublisher | A Ready for Windows adoption status is available for one or more versions of this application. Please check Ready for Windows to learn more. |Check [Ready for Windows](https://www.readyforwindows.com/) for adoption information for this application.| +| Unknown | Any | There is no Ready for Windows information available for this version of this application. Information may be available for other versions of the application at [Ready for Windows](https://www.readyforwindows.com/). | N/A | + +## Review drivers with known issues + +Drivers that won’t migrate to the new operating system are listed, grouped by availability. + +![Review drivers with known issues](../images/upgrade-analytics-drivers-known.png) + +Availability categories are explained in the table below. + +| Driver availability | Action required before or after upgrade? | What it means | Guidance | +|-----------------------|------------------------------------------|----------------|--------------| +| Available in-box | No, for awareness only | The currently installed version of an application or driver won’t migrate to the new operating system; however, a compatible version is installed with the new operating system.
          | No action is required for the upgrade to proceed. | +| Import from Windows Update | Yes | The currently installed version of a driver won’t migrate to the new operating system; however, a compatible version is available from Windows Update.
          | If the computer automatically receives updates from Windows Update, no action is required. Otherwise, import a new driver from Windows Update after upgrading.
          | +| Available in-box and from Windows Update | Yes | The currently installed version of a driver won’t migrate to the new operating system.

          Although a new driver is installed during upgrade, a newer version is available from Windows Update.
          | If the computer automatically receives updates from Windows Update, no action is required. Otherwise, import a new driver from Windows Update after upgrading.
          | +| Check with vendor | Yes | The driver won’t migrate to the new operating system and we are unable to locate a compatible version.
          | Check with the independent hardware vendor (IHV) who manufactures the driver for a solution. | + +To change a driver’s upgrade decision: + +1. Select **Decide upgrade readiness** and then select the group of drivers you want to review. Select **Table** to view the list in a table. + +2. Select **User changes** to enable user input. + +3. Select the drivers you want to change to a specific upgrade decision and then select the appropriate option from the **Select upgrade decision** list. + +4. Click **Save** when finished. + +## Review low-risk apps and drivers + +Applications and drivers that are meet certain criteria to be considered low risk are displayed on this blade. + +![Blade showing low-risk apps](../images/ua-step2-low-risk.png) + +The first row reports the number of your apps that have an official statement of support on Windows 10 from the software vendor, so you can be confident that they will work on your target operating system. + +The second row (**Apps that are "Highly adopted"**) shows apps that have a ReadyForWindows status of "Highly adopted". This means that they have been installed on at least 100,000 commercial Windows 10 devices, and that Microsoft has not detected significant issues with the app in diagnostic data. Since these apps are prevalent in the ecosystem at large, you can be confident that they will work in your environment as well. + +Each row of the blade uses a different criterion to filter your apps or drivers. You can view a list of applications that meet the criterion by clicking into a row of the blade. For example, if you click the row that says "Apps that are 'Highly adopted'", the result is a list of apps that have a ReadyForWindows status of "Highly adopted". From here, you can bulk-select the results, select **Ready to upgrade**, and then click **Save**. This will mark all apps meeting the "Highly adopted" criterion as "Ready to upgrade"--no further validation is required. Any applications that you have marked as *Mission critical* or *Business critical* are filtered out, as well as any app that has an issue known to Microsoft. This allows you to work with apps in bulk without having to worry about missing a critical app. + +You can customize the criteria further by using the Log Search query language. For example, if a ReadyForWindows status of "Adopted" is not sufficient by itself for you to be confident in an app's compatibility, you can add additional filters. To do this, click the row labeled **Apps that are 'Adopted'**. Then, modify the resulting query to fit your company's risk tolerance. If, for example, you prefer that an app must be "Adopted" and have fewer than 1,000 installations, then add *TotalInstalls < 1000* to the end of the Log Search query. Similarly, you can append additional criteria by using other attributes such as monthly active users or app importance. + +>[!NOTE] +>Apps that you have designated as *Mission critical* or *Business critical* are automatically **excluded** from the counts on this blade. If an app is critical, you should always validate it manually it prior to upgrading. + + At the bottom of the blade, the **OTHER APPS AND DRIVERS IN NEED OF REVIEW** section allows you to quickly access apps you have designated as **Mission critical** or **Business critical**, your remaining apps that still need to be reviewed, and your remaining drivers that need to be reviewed. + + + +## Prioritize app and driver testing + +Planning and executing an OS upgrade project can be overwhelming. When you are tasked with evaluating thousands of applications and drivers to ensure a successful upgrade, it can be difficult to decide where to start. The Upgrade Readiness solution provides valuable assistance for you, helping to determine the most important apps and drivers to unblock and enabling you yo create a proposed action plan. + +### Proposed action plan + +The Upgrade Readiness proposed action plan is an optimally ordered list of apps and drivers that are in need of review. By testing apps and drivers in the order suggested by the proposed action plan, you are able to increase your number of “Ready to upgrade” computers in an efficient manner. The action plan can be a very powerful tool during upgrade planning – but it’s most helpful when it’s used correctly. This topic explains the proposed action plan, describes how to use it, and calls out a few misconceptions and invalid use cases that you should avoid. + +The proposed action plan represents the order thath Microsoft recommends you rationalize the upgrade-readiness of your apps and drivers. By validating apps and drivers in the order proposed, you can ensure that you are testing efficiently. + +Each item in the proposed action plan represents either an application or a driver that you have not yet marked “Ready to upgrade.” + +>Since “Low install count” apps are automatically marked “Ready to upgrade”, you will not see any of these apps in the proposed action plan. + +Each item in the plan has the following attributes: + +| Attribute | Description | Example value | +|-----------------------|------------------------------------------|----------------| +| ItemRank | The location of this item in the context of the proposed action plan. For example, the item with ItemRank 7 is the 7th item in the Plan. It is crucial that the Plan is viewed in order by increasing ItemRank. Sorting the Plan in any other way invalidates the insights that the Plan provides. | 7 | +| ItemType | Whether this item is an app or driver -- possible values are: "App" and "Driver." | App | +| ItemName | The name of the app or driver that is in need of review. | Microsoft Visual C++ 2005 Redistributable (x64) | +| ItemVendor | The vendor of the app or driver. | Microsoft Corporation | +| ItemVersion | The version of the app or driver. | 12.1.0.1 | +| ItemLanguage | If this item is an application, then this field will be the language of the app. If the item is a driver, then this will say "N/A." | English | +| ItemHardwareId | If this item is a driver, then this field will be the hardware id of the driver. If the item is an app, then this will say "N/A." | N/A | +| Upgrade Decision | The upgrade decision you have provided for this app or driver. If you have not defined an upgrade decision, then you will see the default value of “Not reviewed.” | Review in progress | +| ComputersUnblocked | Assuming you have already marked all previous items in the proposed action plan “Ready to upgrade”, this represents the number of additional computers that will become “Ready to upgrade” by testing this app or driver and giving it an upgrade decision of “Ready to upgrade”. For example, if ComputersUnblocked is 200, then resolving any issues associated with the app/driver in question will make 200 new computers “Ready to upgrade.” | 200 | +| CumulativeUnblocked | The total number of computers that will become “Ready to upgrade” if you validate and mark this and all prior items in the proposed action plan “Ready to upgrade”. For example, if ItemRank is 7, and CumulativeUnblocked is 950, then fixing items 1 thru 7 in the proposed action plan will cause 950 of your computers to become “Ready to upgrade.” | 950 | +| CumulativeUnblockedPct | The percentage of your machines that will become “Ready to upgrade” if you make this and all prior items in the proposed action plan “Ready to upgrade.” | 0.24 | + +See the following example action plan items (click the image for a full-size view): + +![Proposed action plan](../images/UR-lift-report.jpg) + +
          +In this example, the 3rd item is an application: Microsoft Bing Sports, a modern app, version 4.20.951.0, published by Microsoft. By validating this app and making its UpgradeDecision “Ready to upgrade”, you can potentially make 1014 computers “Ready to upgrade” – but only after you have already validated items 1 and 2 in the list. By marking items 1, 2, and 3 “Ready to upgrade”, 14779 of your computers will become upgrade-ready. This represents 10.96% of the machines in this workspace. + +#### Using the proposed action plan + +There are several valid use cases for the proposed action plan. But it’s always important to remember that the information presented in the Plan is only accurate when sorted by increasing Item Rank! Here are three potential cases in which you could use the proposed action plan: + +1. Quickly determine how many apps and drivers you’ll need to validate in order to make x% of your computers upgrade-ready. To determine this, simply find the first item in the Plan with a CumulativeUnblockedPct greater than or equal to your desired percentage of upgrade-ready computers. The corresponding ItemRank represents the smallest number of apps and drivers that you can validate in order to reach your upgrade readiness goal. The prior items in the proposed action plan itself represent the most efficient route to reaching your goal. + +2. Use the proposed action plan to prepare a small portion of your machines for a pilot of your target Operating System. Let’s say you want to test a new Operating System by upgrading a few hundred computers. You can use the proposed action plan to determine how many apps and drivers you will need to validate before you can be confident that your pilot will be successful. + +3. If your project deadline is approaching and you only have time to validate a few more apps and drivers, you can use the proposed action plan to determine which apps and drivers you should focus on to maximize the number of computers that you can confidently upgrade. + +#### Misconceptions and things to avoid + +The most common misconceptions about the proposed action plan involve the assumption that each item in the plan is independent of those around it. The apps and drivers in the plan must be considered in the correct order to draw valid conclusions. For example, if you choose to validate items 1, 3, 4, and 5 and mark each of them “Ready to upgrade,” the proposed action plan cannot tell you how many computers will become upgrade-ready as a result of your testing. Even the non-cumulative “ComputersUnblocked” count is dependent upon all prior issues having already been resolved. + +If an item with ItemRank = 7 has a ComputersUnblocked value of 50, do not assume that 50 of your computers will become upgrade-ready if you test this item. However, if you validate items 1 through 6 in the plan, you can make an additional 50 computers upgrade-ready by validating the 7th item in the plan. diff --git a/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md b/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md index 3af81df13a..b4cdb30a40 100644 --- a/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md +++ b/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md @@ -1,61 +1,61 @@ ---- -title: Upgrade Readiness - Targeting a new operating system version -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Explains how to run Upgrade Readiness again to target a different operating system version or bulk-approve all apps from a given vendor -ms.prod: w10 -author: greg-lindsay -ms.topic: article -ms.collection: M365-analytics ---- - -# Targeting a new operating system version - -After you've used Upgrade Readiness to help deploy a given version of Windows 10, you might want to use it again to help deploy a newer version of Windows 10. When you change the target operating system version (as described in [Use Upgrade Readiness to manage Windows upgrades](use-upgrade-readiness-to-manage-windows-upgrades.md#target-version)), the app states (Importance, AppOwner, UpgradeDecision, TestPlan, and TestResult) are not reset. Follow this guidance to preserve or reset these states as needed: - -## TestResults - -If you want to preserve the TestResults from the previous operating system version testing, there is nothing you need to do. - -If you want to reset them, click any of the rows in the **Prioritize Application** blade (described in [Upgrade Readiness - Step 1: Identify important apps](upgrade-readiness-identify-apps.md)). This will take you to the **Log Search** user experience. Replace the query in that window with the following query: - -`search in (UAApp) IsRollup == true and RollupLevel == "Granular" and TestResult <> "Not started"` - -After a short period of time, you will see the "user input" perspective render, which will let you bulk-edit the results. Select the check box in the table header, click the **bulk edit** button, and then set the **TestResult** to *Not started*. Leave all other fields as they are. - -## UpgradeDecision - -If you want to preserve the UpgradeDecision from the previous operating system version testing, there is nothing you need to do. - -If you want to reset them, keep these important points in mind: - -- Make sure to *not* reset the **Ready to upgrade** decision for the "long tail" of apps that have importance of **Ignore** or **Low install count**. Doing this will make it extremely difficult to complete the Upgrade Readiness workflow. -- Decide which decisions to reset. For example, one option is just to reset the decisions marked **Ready to upgrade** (in order to retest those), while preserving states of apps marked **Won't upgrade**. Doing this means you won't lose track of this previous marking. Or you can reset everything. - -To do this, type the following query in **Log Search**: - -`search in (UAApp) IsRollup == true and RollupLevel == "Granular" and Importance <> "Ignore" and Importance <> "Low install count" and UpgradeDecision == "Ready to upgrade"` - ->[!NOTE] ->If you just want to reset all **UpgradeDecision** values, you can simply remove `'and UpgradeDecision == "Ready to upgrade"` from the query. - -After a short period of time, you will see the "user input" perspective render, which will let you bulk-edit the results. Select the check box in the table header, click the **bulk edit** button, and then set the **UpgradeDecision** to *Not reviewed*. Leave all other fields as they are. - - -## Bulk-approving apps from a given vendor - -You can bulk-approve all apps from a given vendor (for example, Microsoft) if there are no known compatibility issues. To do this, type the following query in **Log Search**: - -`search in (UAApp) IsRollup == true and RollupLevel == "Granular" and AppVendor has "Microsoft" and UpgradeAssessment=="No known issues" and UpgradeDecision<>"Ready to upgrade"` - -After a short period of time, you will see the "user input" perspective render, which will let you bulk-edit the results. Select the check box in the table header, click the **bulk edit" button**, and then set the **UpgradeDecision** to *Ready to upgrade*. Leave all other fields as they are. - -## Related topics - -[Windows Analytics overview](../update/windows-analytics-overview.md) - -[Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md) - -[Get started with Upgrade Readiness](upgrade-readiness-get-started.md) - +--- +title: Upgrade Readiness - Targeting a new operating system version +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Explains how to run Upgrade Readiness again to target a different operating system version or bulk-approve all apps from a given vendor +ms.prod: w10 +audience: itpro author: greg-lindsay +ms.topic: article +ms.collection: M365-analytics +--- + +# Targeting a new operating system version + +After you've used Upgrade Readiness to help deploy a given version of Windows 10, you might want to use it again to help deploy a newer version of Windows 10. When you change the target operating system version (as described in [Use Upgrade Readiness to manage Windows upgrades](use-upgrade-readiness-to-manage-windows-upgrades.md#target-version)), the app states (Importance, AppOwner, UpgradeDecision, TestPlan, and TestResult) are not reset. Follow this guidance to preserve or reset these states as needed: + +## TestResults + +If you want to preserve the TestResults from the previous operating system version testing, there is nothing you need to do. + +If you want to reset them, click any of the rows in the **Prioritize Application** blade (described in [Upgrade Readiness - Step 1: Identify important apps](upgrade-readiness-identify-apps.md)). This will take you to the **Log Search** user experience. Replace the query in that window with the following query: + +`search in (UAApp) IsRollup == true and RollupLevel == "Granular" and TestResult <> "Not started"` + +After a short period of time, you will see the "user input" perspective render, which will let you bulk-edit the results. Select the check box in the table header, click the **bulk edit** button, and then set the **TestResult** to *Not started*. Leave all other fields as they are. + +## UpgradeDecision + +If you want to preserve the UpgradeDecision from the previous operating system version testing, there is nothing you need to do. + +If you want to reset them, keep these important points in mind: + +- Make sure to *not* reset the **Ready to upgrade** decision for the "long tail" of apps that have importance of **Ignore** or **Low install count**. Doing this will make it extremely difficult to complete the Upgrade Readiness workflow. +- Decide which decisions to reset. For example, one option is just to reset the decisions marked **Ready to upgrade** (in order to retest those), while preserving states of apps marked **Won't upgrade**. Doing this means you won't lose track of this previous marking. Or you can reset everything. + +To do this, type the following query in **Log Search**: + +`search in (UAApp) IsRollup == true and RollupLevel == "Granular" and Importance <> "Ignore" and Importance <> "Low install count" and UpgradeDecision == "Ready to upgrade"` + +>[!NOTE] +>If you just want to reset all **UpgradeDecision** values, you can simply remove `'and UpgradeDecision == "Ready to upgrade"` from the query. + +After a short period of time, you will see the "user input" perspective render, which will let you bulk-edit the results. Select the check box in the table header, click the **bulk edit** button, and then set the **UpgradeDecision** to *Not reviewed*. Leave all other fields as they are. + + +## Bulk-approving apps from a given vendor + +You can bulk-approve all apps from a given vendor (for example, Microsoft) if there are no known compatibility issues. To do this, type the following query in **Log Search**: + +`search in (UAApp) IsRollup == true and RollupLevel == "Granular" and AppVendor has "Microsoft" and UpgradeAssessment=="No known issues" and UpgradeDecision<>"Ready to upgrade"` + +After a short period of time, you will see the "user input" perspective render, which will let you bulk-edit the results. Select the check box in the table header, click the **bulk edit" button**, and then set the **UpgradeDecision** to *Ready to upgrade*. Leave all other fields as they are. + +## Related topics + +[Windows Analytics overview](../update/windows-analytics-overview.md) + +[Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md) + +[Get started with Upgrade Readiness](upgrade-readiness-get-started.md) + diff --git a/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md b/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md index 7ef0302e8a..8bbc0e4a13 100644 --- a/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md +++ b/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md @@ -1,73 +1,73 @@ ---- -title: Upgrade Readiness - Upgrade Overview (Windows 10) -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Displays the total count of computers sharing data and upgraded. -ms.prod: w10 -author: greg-lindsay -ms.topic: article -ms.collection: M365-analytics ---- - -# Upgrade Readiness - Upgrade overview - -The first blade in the Upgrade Readiness solution is the upgrade overview blade. This blade displays the total count of computers sharing data with Microsoft, and the count of computers upgraded. As you successfully upgrade computers, the count of computers upgraded increases. - -The upgrade overivew blade displays data refresh status, including the date and time of the most recent data update and whether user changes are reflected. The upgrade overview blade also displays the current target OS version. For more information about the target OS version, see [target version](use-upgrade-readiness-to-manage-windows-upgrades.md#target-version). - -The following color-coded status changes are reflected on the upgrade overview blade: - -- The "Last updated" banner: - - No delay in processing device inventory data = "Last updated" banner is displayed in green. - - Delay processing device inventory data = "Last updated" banner is displayed in amber. -- Computers with incomplete data: - - Less than 4% = Count is displayed in green. - - 4% - 10% = Count is displayed in amber. - - Greater than 10% = Count is displayed in red. -- Computers with outdated KB: - - Less than 10% = Count is displayed in green. - - 10% - 30% = Count is displayed in amber. - - Greater than 30% = Count is displayed in red. -- User changes: - - Pending user changes = User changes count displays "Data refresh pending" in amber. - - No pending user changes = User changes count displays "Up to date" in green. -- Target version: - - If the current value matches the recommended value, the version is displayed in green. - - If the current value is an older OS version than the recommended value, but not deprecated, the version is displayed in amber. - - If the current value is a deprecated OS version, the version is displayed in red. - -Click a row to drill down and see details about individual computers. If updates are missing, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md) for information on required updates. - -In the following example, there is no delay in data processing, more than 10% of computers (6k\8k) have incomplete data, more than 30% of computers (6k/8k) require an update, there are no pending user changes, and the currently selected target OS version is the same as the recommended version: - -![Upgrade overview](../images/ur-overview.png) - - - -If data processing is delayed, the "Last updated" banner will indicate the date on which data was last updated. You can continue using your workspace as normal. However, any changes or additional information that is added might not be displayed until data is refreshed. When your workspace is in this state, there is no action required; data is typically refreshed and the display will return to normal again within 24 hours. - -If there are computers with incomplete data, verify that you have installed the latest compatibilty updates. Install the updates if necessary and then run the most recent [Update Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the Microsoft download center. The updated data payload should appear in Upgrade Readiness within 48 hours of a successful run on the deployment script. - -Select **Total computers** for a list of computers and details about them, including: - -- Computer ID and computer name -- Computer manufacturer -- Computer model -- Operating system version and build -- Count of system requirement, application, and driver issues per computer -- Upgrade assessment based on analysis of computer diagnostic data -- Upgrade decision status - -Select **Total applications** for a list of applications discovered on user computers and details about them, including: - -- Application vendor -- Application version -- Count of computers the application is installed on -- Count of computers that opened the application at least once in the past 30 days -- Percentage of computers in your total computer inventory that opened the application in the past 30 days -- Issues detected, if any -- Upgrade assessment based on analysis of application data -- Rollup level +--- +title: Upgrade Readiness - Upgrade Overview (Windows 10) +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Displays the total count of computers sharing data and upgraded. +ms.prod: w10 +audience: itpro author: greg-lindsay +ms.topic: article +ms.collection: M365-analytics +--- + +# Upgrade Readiness - Upgrade overview + +The first blade in the Upgrade Readiness solution is the upgrade overview blade. This blade displays the total count of computers sharing data with Microsoft, and the count of computers upgraded. As you successfully upgrade computers, the count of computers upgraded increases. + +The upgrade overivew blade displays data refresh status, including the date and time of the most recent data update and whether user changes are reflected. The upgrade overview blade also displays the current target OS version. For more information about the target OS version, see [target version](use-upgrade-readiness-to-manage-windows-upgrades.md#target-version). + +The following color-coded status changes are reflected on the upgrade overview blade: + +- The "Last updated" banner: + - No delay in processing device inventory data = "Last updated" banner is displayed in green. + - Delay processing device inventory data = "Last updated" banner is displayed in amber. +- Computers with incomplete data: + - Less than 4% = Count is displayed in green. + - 4% - 10% = Count is displayed in amber. + - Greater than 10% = Count is displayed in red. +- Computers with outdated KB: + - Less than 10% = Count is displayed in green. + - 10% - 30% = Count is displayed in amber. + - Greater than 30% = Count is displayed in red. +- User changes: + - Pending user changes = User changes count displays "Data refresh pending" in amber. + - No pending user changes = User changes count displays "Up to date" in green. +- Target version: + - If the current value matches the recommended value, the version is displayed in green. + - If the current value is an older OS version than the recommended value, but not deprecated, the version is displayed in amber. + - If the current value is a deprecated OS version, the version is displayed in red. + +Click a row to drill down and see details about individual computers. If updates are missing, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md) for information on required updates. + +In the following example, there is no delay in data processing, more than 10% of computers (6k\8k) have incomplete data, more than 30% of computers (6k/8k) require an update, there are no pending user changes, and the currently selected target OS version is the same as the recommended version: + +![Upgrade overview](../images/ur-overview.png) + + + +If data processing is delayed, the "Last updated" banner will indicate the date on which data was last updated. You can continue using your workspace as normal. However, any changes or additional information that is added might not be displayed until data is refreshed. When your workspace is in this state, there is no action required; data is typically refreshed and the display will return to normal again within 24 hours. + +If there are computers with incomplete data, verify that you have installed the latest compatibilty updates. Install the updates if necessary and then run the most recent [Update Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the Microsoft download center. The updated data payload should appear in Upgrade Readiness within 48 hours of a successful run on the deployment script. + +Select **Total computers** for a list of computers and details about them, including: + +- Computer ID and computer name +- Computer manufacturer +- Computer model +- Operating system version and build +- Count of system requirement, application, and driver issues per computer +- Upgrade assessment based on analysis of computer diagnostic data +- Upgrade decision status + +Select **Total applications** for a list of applications discovered on user computers and details about them, including: + +- Application vendor +- Application version +- Count of computers the application is installed on +- Count of computers that opened the application at least once in the past 30 days +- Percentage of computers in your total computer inventory that opened the application in the past 30 days +- Issues detected, if any +- Upgrade assessment based on analysis of application data +- Rollup level diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md index 23551d5256..82f4193c52 100644 --- a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md +++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md @@ -1,216 +1,216 @@ ---- -title: Perform an in-place upgrade to Windows 10 using Configuration Manager (Windows 10) -description: The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. Use a System Center Configuration Manager task sequence to completely automate the process. -ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: upgrade, update, task sequence, deploy -ms.prod: w10 -ms.localizationpriority: medium -ms.mktglfcycl: deploy -author: greg-lindsay -ms.topic: article ---- - -# Perform an in-place upgrade to Windows 10 using Configuration Manager - - -**Applies to** - -- Windows 10 - -The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. - -## Proof-of-concept environment - - -For the purposes of this topic, we will use three machines: DC01, CM01, and PC0001. DC01 is a domain controller and CM01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0001 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). - -![figure 1](../images/upgrademdt-fig1-machines.png) - -Figure 1. The machines used in this topic. - -## Upgrade to Windows 10 with System Center 2012 R2 Configuration Manager - - -System Center 2012 R2 Configuration Manager SP1 adds support to manage and deploy Windows 10. Although it does not include built-in support to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 to Windows 10, you can build a custom task sequence to perform the necessary tasks. - -## Create the task sequence - - -To help with this process, the Configuration Manager team has published [a blog](https://go.microsoft.com/fwlink/p/?LinkId=620179) that provides a sample task sequence, as well as the [original blog that includes the instructions for setting up the task sequence](https://go.microsoft.com/fwlink/p/?LinkId=620180). To summarize, here are the tasks you need to perform: - -1. Download the [Windows10Upgrade1506.zip](https://go.microsoft.com/fwlink/p/?LinkId=620182) file that contains the sample task sequence and related scripts. Extract the contents onto a network share. -2. Copy the Windows 10 Enterprise RTM x64 media into the extracted but empty **Windows vNext Upgrade Media** folder. -3. Using the Configuration Manager Console, right-click the **Task Sequences** node, and then choose **Import Task Sequence**. Select the **Windows-vNextUpgradeExport.zip** file that you extracted in Step 1. -4. Distribute the two created packages (one contains the Windows 10 Enterprise x64 media, the other contains the related scripts) to the Configuration Manager distribution point. - -For full details and an explanation of the task sequence steps, review the full details of the two blogs that are referenced above. - -## Create a device collection - - -After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0001 machine running Windows 7 SP1, with the Configuration Manager client installed. - -1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: - - General - - - Name: Windows 10 Enterprise x64 Upgrade - - - Limited Collection: All Systems - - - Membership rules: - - - Direct rule - - - Resource Class: System Resource - - - Attribute Name: Name - - - Value: PC0001 - - - Select Resources - - - Select PC0001 - -2. Review the Windows 10 Enterprise x64 Upgrade collection. Do not continue until you see the PC0001 machine in the collection. - -## Deploy the Windows 10 upgrade - - -In this section, you create a deployment for the Windows 10 Enterprise x64 Update application. - -1. On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Windows vNext Upgrade** task sequence, and then select **Deploy**. -2. On the **General** page, select the **Windows 10 Enterprise x64 Upgrade** collection, and then click **Next**. -3. On the **Content** page, click **Next**. -4. On the **Deployment Settings** page, select the following settings, and then click **Next**: - - Action: Install - - - Purpose: Available - -5. On the **Scheduling** page, accept the default settings, and then click **Next**. -6. On the **User Experience** page, accept the default settings, and then click **Next**. -7. On the **Alerts** page, accept the default settings, and then click **Next**. -8. On the **Summary** page, click **Next**, and then click **Close**. - -## Start the Windows 10 upgrade - - -In this section, you start the Windows 10 Upgrade task sequence on PC0001 (currently running Windows 7 SP1). - -1. On PC0001, start the **Software Center**. -2. Select the **Windows vNext Upgrade** task sequence, and then click **Install**. - -When the task sequence begins, it will automatically initiate the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers. - -![figure 2](../images/upgradecfg-fig2-upgrading.png) - -Figure 2. Upgrade from Windows 7 to Windows 10 Enterprise x64 with a task sequence. - -After the task sequence finishes, the computer will be fully upgraded to Windows 10. - -## Upgrade to Windows 10 with System Center Configuration Manager Current Branch - - -With System Center Configuration Manager Current Branch, new built-in functionality makes it easier to upgrade to Windows 10. - -**Note**   -For more details about Configuration Manager Current Branch, see the [Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620205). An [evaluation version is currently available](https://go.microsoft.com/fwlink/p/?LinkId=620206) for you to try. The instructions below are specific to the Technical Preview 2 release and may change after the next version of Configuration Manager is released. - - - -### Create the OS upgrade package - -First, you need to create an operating system upgrade package that contains the full Windows 10 Enterprise x64 installation media. - -1. On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Operating System Upgrade Packages** node, then select **Add Operating System Upgrade Package**. -2. On the **Data Source** page, specify the UNC path to the Windows 10 Enterprise x64 media, and then click **Next**. -3. On the **General** page, specify Windows 10 Enterprise x64 Upgrade, and then click **Next**. -4. On the **Summary** page, click **Next**, and then click **Close**. -5. Right-click the created **Windows 10 Enterprise x64 Update** package, and then select **Distribute Content**. Choose the CM01 distribution point. - -### Create the task sequence - -To create an upgrade task sequence, perform the following steps: - -1. On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Task Sequences** node, and then select **Create Task Sequence**. -2. On the **Create a new task sequence** page, select **Upgrade an operating system from upgrade package**, and then click **Next**. -3. On the **Task Sequence Information** page, specify **Windows 10 Enterprise x64 Upgrade**, and then click **Next**. -4. On the **Upgrade the Windows operating system** page, select the **Windows 10 Enterprise x64 Upgrade operating system upgrade** package, and then click **Next**. -5. Click **Next** through the remaining wizard pages, and then click **Close**. - -![figure 3](../images/upgradecfg-fig3-upgrade.png) - -Figure 3. The Configuration Manager upgrade task sequence. - -### Create a device collection - -After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0001 machine running Windows 7 SP1, with the next version of System Center Configuration Manager client installed. - -1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: - - General - - - Name: Windows 10 Enterprise x64 Upgrade - - - Limited Collection: All Systems - - - Membership rules: - - - Direct rule - - - Resource Class: System Resource - - - Attribute Name: Name - - - Value: PC0001 - - - Select Resources - - - Select PC0001 - -2. Review the Windows 10 Enterprise x64 Upgrade collection. Do not continue until you see the PC0001 machine in the collection. - -### Deploy the Windows 10 upgrade - -In this section, you create a deployment for the Windows 10 Enterprise x64 Update application. - -1. On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Windows vNext Upgrade** task sequence, and then select **Deploy**. -2. On the **General** page, select the **Windows 10 Enterprise x64 Upgrade** collection, and then click **Next**. -3. On the **Content** page, click **Next**. -4. On the **Deployment Settings** page, select the following settings and click **Next**: - - Action: Install - - - Purpose: Available - -5. On the **Scheduling** page, accept the default settings, and then click **Next**. -6. On the **User Experience** page, accept the default settings, and then click **Next**. -7. On the **Alerts** page, accept the default settings, and then click **Next**. -8. On the **Summary** page, click **Next**, and then click **Close**. - -### Start the Windows 10 upgrade - -In this section, you start the Windows 10 Upgrade task sequence on PC0001 (currently running Windows 7 SP1). - -1. On PC0001, start the **Software Center**. -2. Select the **Windows 10 Enterprise x64 Upgrade** task sequence, and then click **Install.** - -When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers. - -After the task sequence completes, the computer will be fully upgraded to Windows 10. - -## Related topics - - -[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md) - -[Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620109) - - - - - - - - - +--- +title: Perform an in-place upgrade to Windows 10 using Configuration Manager (Windows 10) +description: The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. Use a System Center Configuration Manager task sequence to completely automate the process. +ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: upgrade, update, task sequence, deploy +ms.prod: w10 +ms.localizationpriority: medium +ms.mktglfcycl: deploy +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Perform an in-place upgrade to Windows 10 using Configuration Manager + + +**Applies to** + +- Windows 10 + +The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. + +## Proof-of-concept environment + + +For the purposes of this topic, we will use three machines: DC01, CM01, and PC0001. DC01 is a domain controller and CM01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0001 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +![figure 1](../images/upgrademdt-fig1-machines.png) + +Figure 1. The machines used in this topic. + +## Upgrade to Windows 10 with System Center 2012 R2 Configuration Manager + + +System Center 2012 R2 Configuration Manager SP1 adds support to manage and deploy Windows 10. Although it does not include built-in support to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 to Windows 10, you can build a custom task sequence to perform the necessary tasks. + +## Create the task sequence + + +To help with this process, the Configuration Manager team has published [a blog](https://go.microsoft.com/fwlink/p/?LinkId=620179) that provides a sample task sequence, as well as the [original blog that includes the instructions for setting up the task sequence](https://go.microsoft.com/fwlink/p/?LinkId=620180). To summarize, here are the tasks you need to perform: + +1. Download the [Windows10Upgrade1506.zip](https://go.microsoft.com/fwlink/p/?LinkId=620182) file that contains the sample task sequence and related scripts. Extract the contents onto a network share. +2. Copy the Windows 10 Enterprise RTM x64 media into the extracted but empty **Windows vNext Upgrade Media** folder. +3. Using the Configuration Manager Console, right-click the **Task Sequences** node, and then choose **Import Task Sequence**. Select the **Windows-vNextUpgradeExport.zip** file that you extracted in Step 1. +4. Distribute the two created packages (one contains the Windows 10 Enterprise x64 media, the other contains the related scripts) to the Configuration Manager distribution point. + +For full details and an explanation of the task sequence steps, review the full details of the two blogs that are referenced above. + +## Create a device collection + + +After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0001 machine running Windows 7 SP1, with the Configuration Manager client installed. + +1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: + - General + + - Name: Windows 10 Enterprise x64 Upgrade + + - Limited Collection: All Systems + + - Membership rules: + + - Direct rule + + - Resource Class: System Resource + + - Attribute Name: Name + + - Value: PC0001 + + - Select Resources + + - Select PC0001 + +2. Review the Windows 10 Enterprise x64 Upgrade collection. Do not continue until you see the PC0001 machine in the collection. + +## Deploy the Windows 10 upgrade + + +In this section, you create a deployment for the Windows 10 Enterprise x64 Update application. + +1. On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Windows vNext Upgrade** task sequence, and then select **Deploy**. +2. On the **General** page, select the **Windows 10 Enterprise x64 Upgrade** collection, and then click **Next**. +3. On the **Content** page, click **Next**. +4. On the **Deployment Settings** page, select the following settings, and then click **Next**: + - Action: Install + + - Purpose: Available + +5. On the **Scheduling** page, accept the default settings, and then click **Next**. +6. On the **User Experience** page, accept the default settings, and then click **Next**. +7. On the **Alerts** page, accept the default settings, and then click **Next**. +8. On the **Summary** page, click **Next**, and then click **Close**. + +## Start the Windows 10 upgrade + + +In this section, you start the Windows 10 Upgrade task sequence on PC0001 (currently running Windows 7 SP1). + +1. On PC0001, start the **Software Center**. +2. Select the **Windows vNext Upgrade** task sequence, and then click **Install**. + +When the task sequence begins, it will automatically initiate the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers. + +![figure 2](../images/upgradecfg-fig2-upgrading.png) + +Figure 2. Upgrade from Windows 7 to Windows 10 Enterprise x64 with a task sequence. + +After the task sequence finishes, the computer will be fully upgraded to Windows 10. + +## Upgrade to Windows 10 with System Center Configuration Manager Current Branch + + +With System Center Configuration Manager Current Branch, new built-in functionality makes it easier to upgrade to Windows 10. + +**Note**   +For more details about Configuration Manager Current Branch, see the [Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620205). An [evaluation version is currently available](https://go.microsoft.com/fwlink/p/?LinkId=620206) for you to try. The instructions below are specific to the Technical Preview 2 release and may change after the next version of Configuration Manager is released. + + + +### Create the OS upgrade package + +First, you need to create an operating system upgrade package that contains the full Windows 10 Enterprise x64 installation media. + +1. On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Operating System Upgrade Packages** node, then select **Add Operating System Upgrade Package**. +2. On the **Data Source** page, specify the UNC path to the Windows 10 Enterprise x64 media, and then click **Next**. +3. On the **General** page, specify Windows 10 Enterprise x64 Upgrade, and then click **Next**. +4. On the **Summary** page, click **Next**, and then click **Close**. +5. Right-click the created **Windows 10 Enterprise x64 Update** package, and then select **Distribute Content**. Choose the CM01 distribution point. + +### Create the task sequence + +To create an upgrade task sequence, perform the following steps: + +1. On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Task Sequences** node, and then select **Create Task Sequence**. +2. On the **Create a new task sequence** page, select **Upgrade an operating system from upgrade package**, and then click **Next**. +3. On the **Task Sequence Information** page, specify **Windows 10 Enterprise x64 Upgrade**, and then click **Next**. +4. On the **Upgrade the Windows operating system** page, select the **Windows 10 Enterprise x64 Upgrade operating system upgrade** package, and then click **Next**. +5. Click **Next** through the remaining wizard pages, and then click **Close**. + +![figure 3](../images/upgradecfg-fig3-upgrade.png) + +Figure 3. The Configuration Manager upgrade task sequence. + +### Create a device collection + +After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0001 machine running Windows 7 SP1, with the next version of System Center Configuration Manager client installed. + +1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: + - General + + - Name: Windows 10 Enterprise x64 Upgrade + + - Limited Collection: All Systems + + - Membership rules: + + - Direct rule + + - Resource Class: System Resource + + - Attribute Name: Name + + - Value: PC0001 + + - Select Resources + + - Select PC0001 + +2. Review the Windows 10 Enterprise x64 Upgrade collection. Do not continue until you see the PC0001 machine in the collection. + +### Deploy the Windows 10 upgrade + +In this section, you create a deployment for the Windows 10 Enterprise x64 Update application. + +1. On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Windows vNext Upgrade** task sequence, and then select **Deploy**. +2. On the **General** page, select the **Windows 10 Enterprise x64 Upgrade** collection, and then click **Next**. +3. On the **Content** page, click **Next**. +4. On the **Deployment Settings** page, select the following settings and click **Next**: + - Action: Install + + - Purpose: Available + +5. On the **Scheduling** page, accept the default settings, and then click **Next**. +6. On the **User Experience** page, accept the default settings, and then click **Next**. +7. On the **Alerts** page, accept the default settings, and then click **Next**. +8. On the **Summary** page, click **Next**, and then click **Close**. + +### Start the Windows 10 upgrade + +In this section, you start the Windows 10 Upgrade task sequence on PC0001 (currently running Windows 7 SP1). + +1. On PC0001, start the **Software Center**. +2. Select the **Windows 10 Enterprise x64 Upgrade** task sequence, and then click **Install.** + +When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers. + +After the task sequence completes, the computer will be fully upgraded to Windows 10. + +## Related topics + + +[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md) + +[Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620109) + + + + + + + + + diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md index 1b00b1f559..2a7e01c1d8 100644 --- a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md +++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md @@ -1,109 +1,109 @@ ---- -title: Perform an in-place upgrade to Windows 10 with MDT (Windows 10) -description: The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. -ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: upgrade, update, task sequence, deploy -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -author: greg-lindsay -ms.topic: article ---- - -# Perform an in-place upgrade to Windows 10 with MDT - -**Applies to** -- Windows 10 - -The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process. - -## Proof-of-concept environment - -For the purposes of this topic, we will use four machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0001 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). - -![fig 1](../images/upgrademdt-fig1-machines.png) - -Figure 1. The machines used in this topic. - -## Set up the upgrade task sequence - -MDT adds support for Windows 10 deployment, including a new in-place upgrade task sequence template that makes the process really simple. - -## Create the MDT production deployment share - -The steps to create the deployment share for production are the same as when you created the deployment share to create the custom reference image: - -1. On MDT01, log on as Administrator in the CONTOSO domain with a password of P@ssw0rd. -2. Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. -3. On the **Path** page, in the **Deployment share path** text box, type **E:\\MDTProduction**, and then click **Next**. -4. On the **Share** page, in the **Share name** text box, type **MDTProduction$**, and then click **Next**. -5. On the **Descriptive Name** page, in the **Deployment share** description text box, type **MDT Production**, and then click **Next**. -6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**. -7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share. - -## Add Windows 10 Enterprise x64 (full source) - -In these steps we assume that you have copied the content of a Windows 10 Enterprise x64 ISO to the E:\\Downloads\\Windows 10 Enterprise x64 folder. - -1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**. -2. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**. -3. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard: - - Full set of source files - - Source directory: E:\\Downloads\\Windows 10 Enterprise x64 - - Destination directory name: W10EX64RTM -4. After you add the operating system, in the **Operating Systems / Windows 10** folder, double-click the added operating system name in the **Operating System** node and change the name to the following: **Windows 10 Enterprise x64 RTM Default Image** - -![figure 2](../images/upgrademdt-fig2-importedos.png) - -Figure 2. The imported Windows 10 operating system after you rename it. - -## Create a task sequence to upgrade to Windows 10 Enterprise - -1. Using the Deployment Workbench, select **Task Sequences** in the **MDT Production** node, and create a folder named **Windows 10**. -2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - - Task sequence ID: W10-X64-UPG - - Task sequence name: Windows 10 Enterprise x64 RTM Upgrade - - Template: Standard Client Upgrade Task Sequence - - Select OS: Windows 10 Enterprise x64 RTM Default Image - - Specify Product Key: Do not specify a product key at this time - - Full Name: Contoso - - Organization: Contoso - - Internet Explorer home page: about:blank - - Admin Password: Do not specify an Administrator Password at this time - -![figure 3](../images/upgrademdt-fig3-tasksequence.png) - -Figure 3. The task sequence to upgrade to Windows 10. - -## Perform the Windows 10 upgrade - -To initiate the in-place upgrade, perform the following steps on PC0003 (currently running Windows 7 SP1). - -1. Start the MDT deployment wizard by running the following command: **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs** -2. Select the **Windows 10 Enterprise x64 RTM Upgrade** task sequence, and then click **Next**. - - ![figure 4](../images/upgrademdt-fig4-selecttask.png) - - Figure 4. Upgrade task sequence. - -3. On the **Credentials** tab, specify the **MDT\_BA** account, P@ssw0rd password, and **CONTOSO** for the domain. (Some or all of these values can be specified in Bootstrap.ini so they are automatically populated.) -4. On the **Ready** tab, click **Begin** to start the task sequence. - When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers. - -![figure 5](../images/upgrademdt-fig5-winupgrade.png) - -Figure 5. Upgrade from Windows 7 to Windows 10 Enterprise x64 with a task sequence. - -After the task sequence completes, the computer will be fully upgraded to Windows 10. - -## Related topics - -[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md) - -[Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117) - +--- +title: Perform an in-place upgrade to Windows 10 with MDT (Windows 10) +description: The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. +ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: upgrade, update, task sequence, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: mdt +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Perform an in-place upgrade to Windows 10 with MDT + +**Applies to** +- Windows 10 + +The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process. + +## Proof-of-concept environment + +For the purposes of this topic, we will use four machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0001 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +![fig 1](../images/upgrademdt-fig1-machines.png) + +Figure 1. The machines used in this topic. + +## Set up the upgrade task sequence + +MDT adds support for Windows 10 deployment, including a new in-place upgrade task sequence template that makes the process really simple. + +## Create the MDT production deployment share + +The steps to create the deployment share for production are the same as when you created the deployment share to create the custom reference image: + +1. On MDT01, log on as Administrator in the CONTOSO domain with a password of P@ssw0rd. +2. Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. +3. On the **Path** page, in the **Deployment share path** text box, type **E:\\MDTProduction**, and then click **Next**. +4. On the **Share** page, in the **Share name** text box, type **MDTProduction$**, and then click **Next**. +5. On the **Descriptive Name** page, in the **Deployment share** description text box, type **MDT Production**, and then click **Next**. +6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**. +7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share. + +## Add Windows 10 Enterprise x64 (full source) + +In these steps we assume that you have copied the content of a Windows 10 Enterprise x64 ISO to the E:\\Downloads\\Windows 10 Enterprise x64 folder. + +1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**. +2. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**. +3. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard: + - Full set of source files + - Source directory: E:\\Downloads\\Windows 10 Enterprise x64 + - Destination directory name: W10EX64RTM +4. After you add the operating system, in the **Operating Systems / Windows 10** folder, double-click the added operating system name in the **Operating System** node and change the name to the following: **Windows 10 Enterprise x64 RTM Default Image** + +![figure 2](../images/upgrademdt-fig2-importedos.png) + +Figure 2. The imported Windows 10 operating system after you rename it. + +## Create a task sequence to upgrade to Windows 10 Enterprise + +1. Using the Deployment Workbench, select **Task Sequences** in the **MDT Production** node, and create a folder named **Windows 10**. +2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: W10-X64-UPG + - Task sequence name: Windows 10 Enterprise x64 RTM Upgrade + - Template: Standard Client Upgrade Task Sequence + - Select OS: Windows 10 Enterprise x64 RTM Default Image + - Specify Product Key: Do not specify a product key at this time + - Full Name: Contoso + - Organization: Contoso + - Internet Explorer home page: about:blank + - Admin Password: Do not specify an Administrator Password at this time + +![figure 3](../images/upgrademdt-fig3-tasksequence.png) + +Figure 3. The task sequence to upgrade to Windows 10. + +## Perform the Windows 10 upgrade + +To initiate the in-place upgrade, perform the following steps on PC0003 (currently running Windows 7 SP1). + +1. Start the MDT deployment wizard by running the following command: **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs** +2. Select the **Windows 10 Enterprise x64 RTM Upgrade** task sequence, and then click **Next**. + + ![figure 4](../images/upgrademdt-fig4-selecttask.png) + + Figure 4. Upgrade task sequence. + +3. On the **Credentials** tab, specify the **MDT\_BA** account, P@ssw0rd password, and **CONTOSO** for the domain. (Some or all of these values can be specified in Bootstrap.ini so they are automatically populated.) +4. On the **Ready** tab, click **Begin** to start the task sequence. + When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers. + +![figure 5](../images/upgrademdt-fig5-winupgrade.png) + +Figure 5. Upgrade from Windows 7 to Windows 10 Enterprise x64 with a task sequence. + +After the task sequence completes, the computer will be fully upgraded to Windows 10. + +## Related topics + +[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md) + +[Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117) + diff --git a/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md b/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md index 78f2f9d558..78d70d0d25 100644 --- a/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md +++ b/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md @@ -1,113 +1,113 @@ ---- -title: Upgrade Windows Phone 8.1 to Windows 10 Mobile in an MDM environment (Windows 10) -ms.reviewer: -manager: laurawi -ms.author: greglin -description: This article describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile using MDM. -keywords: upgrade, update, windows, phone, windows 10, mdm, mobile -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdm -author: greg-lindsay -ms.topic: article ---- - -# Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management (MDM) - -**Applies to** - -- Windows 10 Mobile - -## Summary - -This article describes how system administrators can upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile using [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm/) (MDM). - ->[!IMPORTANT] ->If you are not a system administrator, see the [Windows 10 Mobile Upgrade & Updates](https://www.microsoft.com/windows/windows-10-mobile-upgrade) page for details about updating your Windows 8.1 Mobile device to Windows 10 Mobile using the [Upgrade Advisor](https://www.microsoft.com/store/p/upgrade-advisor/9nblggh0f5g4). - -## Upgrading with MDM - -The Windows Phone 8.1 to Windows 10 Mobile upgrade uses an "opt-in" or "seeker" model. To determine if the device is eligible for an upgrade with MDM, see the [How to determine whether an upgrade is available for a device](#howto-upgrade-available) topic in this article. An eligible device must opt-in to be offered the upgrade. For consumers, the Windows 10 Mobile Upgrade Advisor app is available from the Windows Store to perform the opt-in. For Enterprises, Microsoft is offering a centralized management solution through MDM that can push a management policy to each eligible device to perform the opt-in. - -If you use a list of allowed applications (app whitelisting) with MDM, verify that system applications are whitelisted before you upgrade to Windows 10 Mobile. Also, be aware that there are [known issues](https://msdn.microsoft.com/library/windows/hardware/mt299056.aspx#whitelist) with app whitelisting that could adversely affect the device after you upgrade. - -Some enterprises might want to control the availability of the Windows 10 Mobile upgrade to their users. With the opt-in model, the enterprise can blacklist the Upgrade Advisor app to prevent their users from upgrading prematurely. For more information about how to blacklist the Upgrade Advisor app, see the [How to blacklist the Upgrade Advisor app](#howto-blacklist) section in this article. Enterprises that have blacklisted the Upgrade Advisor app can use the solution described in this article to select the upgrade timing on a per-device basis. - -## More information - -To provide enterprises with a solution that's independent of the Upgrade Advisor, a new registry key in the registry configuration service provider (CSP) is available. A special GUID key value is defined. When Microsoft Update (MU) detects the presence of the registry key value on a device, any available upgrade will be made available to the device. - -### Prerequisites - -- Windows Phone 8.1 device with an available upgrade to Windows 10 Mobile. -- Device connected to Wi-Fi or cellular network to perform scan for upgrade. -- Device is already enrolled with an MDM session. -- Device is able to receive the management policy. -- MDM is capable of pushing the management policy to devices. Minimum version numbers for some popular MDM providers that support this solution are: InTune: 5.0.5565, AirWatch: 8.2, Mobile Iron: 9.0. - -### Instructions for the MDM server - -The registry CSP is used to push the GUID value to the following registry key for which the Open Mobile Alliance (OMA) Device Management (DM) client has Read/Write access and for which the Device Update service has Read access. - -``` -[HKLM\Software\Microsoft\Provisioning\OMADM] -"EnterpriseUpgrade"="d369c9b6-2379-466d-9162-afc53361e3c2” -``` - - -The complete SyncML command for the solution is as follows. Note: The SyncML may vary, depending on your MDM solution. - -``` -SyncML xmlns="SYNCML:SYNCML1.1"> - - - 250 - - - ./Vendor/MSFT/Registry/HKLM/SOFTWARE/Microsoft/Provisioning/OMADM/EnterpriseUpgrade - - - chr - - d369c9b6-2379-466d-9162-afc53361e3c2 - - - - - -``` - -The OMA DM server policy description is provided in the following table: - -|Item |Setting | -|------|------------| -| OMA-URI |./Vendor/MSFT/Registry/HKLM/SOFTWARE/Microsoft/Provisioning/OMADM/EnterpriseUpgrade | -| Data Type |String | -| Value |d369c9b6-2379-466d-9162-afc53361e3c2 | - - -After the device consumes the policy, it will be able to receive an available upgrade. - -To disable the policy, delete the **OMADM** registry key or set the **EnterpriseUpgrade** string value to anything other than the GUID. - -### How to determine whether an upgrade is available for a device - -The Windows 10 Mobile Upgrade Advisor app is not designed or intended for Enterprise customers who want to automate the upgrade process. However, the Windows 10 Mobile Upgrade Advisor app is the best mechanism to determine when an upgrade is available. The app dynamically queries whether the upgrade is released for this device model and associated mobile operator (MO). - -We recommend that enterprises use a pilot device with the Windows 10 Mobile Upgrade Advisor app installed. The pilot device provides the device model and MO used by the enterprise. When you run the app on the pilot device, it will tell you that either an upgrade is available, that the device is eligible for upgrade, or that an upgrade is not available for this device. - -Note: The availability of Windows 10 Mobile as an update for existing Windows Phone 8.1 devices varies by device manufacturer, device model, country or region, mobile operator or service provider, hardware limitations, and other factors. To check for compatibility and other important installation information, see the [Windows 10 Mobile FAQ](https://support.microsoft.com/help/10599/windows-10-mobile-how-to-get) page. - -### How to blacklist the Upgrade Advisor app - -Some enterprises may want to block their users from installing the Windows 10 Mobile Upgrade Advisor app. With Windows Phone 8.1, you can allow or deny individual apps by adding specific app publishers or the app globally unique identifier (GUID) from the Window Phone Store to an allow or deny XML list. The GUID for a particular application can be found in the URL for the app in the phone store. For example, the GUID to the Windows 10 Mobile Upgrade Adviser (fbe47e4f-7769-4103-910e-dca8c43e0b07) is displayed in the following URL: - -http://windowsphone.com/s?appid=fbe47e4f-7769-4103-910e-dca8c43e0b07 - -For more information about how to do this, see [Try it out: restrict Windows Phone 8.1 apps](https://technet.microsoft.com/windows/dn771706.aspx). - -## Related topics - -[Windows 10 Mobile and mobile device management](/windows/client-management/windows-10-mobile-and-mdm) +--- +title: Upgrade Windows Phone 8.1 to Windows 10 Mobile in an MDM environment (Windows 10) +ms.reviewer: +manager: laurawi +ms.author: greglin +description: This article describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile using MDM. +keywords: upgrade, update, windows, phone, windows 10, mdm, mobile +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: mdm +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management (MDM) + +**Applies to** + +- Windows 10 Mobile + +## Summary + +This article describes how system administrators can upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile using [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm/) (MDM). + +>[!IMPORTANT] +>If you are not a system administrator, see the [Windows 10 Mobile Upgrade & Updates](https://www.microsoft.com/windows/windows-10-mobile-upgrade) page for details about updating your Windows 8.1 Mobile device to Windows 10 Mobile using the [Upgrade Advisor](https://www.microsoft.com/store/p/upgrade-advisor/9nblggh0f5g4). + +## Upgrading with MDM + +The Windows Phone 8.1 to Windows 10 Mobile upgrade uses an "opt-in" or "seeker" model. To determine if the device is eligible for an upgrade with MDM, see the [How to determine whether an upgrade is available for a device](#howto-upgrade-available) topic in this article. An eligible device must opt-in to be offered the upgrade. For consumers, the Windows 10 Mobile Upgrade Advisor app is available from the Windows Store to perform the opt-in. For Enterprises, Microsoft is offering a centralized management solution through MDM that can push a management policy to each eligible device to perform the opt-in. + +If you use a list of allowed applications (app whitelisting) with MDM, verify that system applications are whitelisted before you upgrade to Windows 10 Mobile. Also, be aware that there are [known issues](https://msdn.microsoft.com/library/windows/hardware/mt299056.aspx#whitelist) with app whitelisting that could adversely affect the device after you upgrade. + +Some enterprises might want to control the availability of the Windows 10 Mobile upgrade to their users. With the opt-in model, the enterprise can blacklist the Upgrade Advisor app to prevent their users from upgrading prematurely. For more information about how to blacklist the Upgrade Advisor app, see the [How to blacklist the Upgrade Advisor app](#howto-blacklist) section in this article. Enterprises that have blacklisted the Upgrade Advisor app can use the solution described in this article to select the upgrade timing on a per-device basis. + +## More information + +To provide enterprises with a solution that's independent of the Upgrade Advisor, a new registry key in the registry configuration service provider (CSP) is available. A special GUID key value is defined. When Microsoft Update (MU) detects the presence of the registry key value on a device, any available upgrade will be made available to the device. + +### Prerequisites + +- Windows Phone 8.1 device with an available upgrade to Windows 10 Mobile. +- Device connected to Wi-Fi or cellular network to perform scan for upgrade. +- Device is already enrolled with an MDM session. +- Device is able to receive the management policy. +- MDM is capable of pushing the management policy to devices. Minimum version numbers for some popular MDM providers that support this solution are: InTune: 5.0.5565, AirWatch: 8.2, Mobile Iron: 9.0. + +### Instructions for the MDM server + +The registry CSP is used to push the GUID value to the following registry key for which the Open Mobile Alliance (OMA) Device Management (DM) client has Read/Write access and for which the Device Update service has Read access. + +``` +[HKLM\Software\Microsoft\Provisioning\OMADM] +"EnterpriseUpgrade"="d369c9b6-2379-466d-9162-afc53361e3c2” +``` + + +The complete SyncML command for the solution is as follows. Note: The SyncML may vary, depending on your MDM solution. + +``` +SyncML xmlns="SYNCML:SYNCML1.1"> + + + 250 + + + ./Vendor/MSFT/Registry/HKLM/SOFTWARE/Microsoft/Provisioning/OMADM/EnterpriseUpgrade + + + chr + + d369c9b6-2379-466d-9162-afc53361e3c2 + + + + + +``` + +The OMA DM server policy description is provided in the following table: + +|Item |Setting | +|------|------------| +| OMA-URI |./Vendor/MSFT/Registry/HKLM/SOFTWARE/Microsoft/Provisioning/OMADM/EnterpriseUpgrade | +| Data Type |String | +| Value |d369c9b6-2379-466d-9162-afc53361e3c2 | + + +After the device consumes the policy, it will be able to receive an available upgrade. + +To disable the policy, delete the **OMADM** registry key or set the **EnterpriseUpgrade** string value to anything other than the GUID. + +### How to determine whether an upgrade is available for a device + +The Windows 10 Mobile Upgrade Advisor app is not designed or intended for Enterprise customers who want to automate the upgrade process. However, the Windows 10 Mobile Upgrade Advisor app is the best mechanism to determine when an upgrade is available. The app dynamically queries whether the upgrade is released for this device model and associated mobile operator (MO). + +We recommend that enterprises use a pilot device with the Windows 10 Mobile Upgrade Advisor app installed. The pilot device provides the device model and MO used by the enterprise. When you run the app on the pilot device, it will tell you that either an upgrade is available, that the device is eligible for upgrade, or that an upgrade is not available for this device. + +Note: The availability of Windows 10 Mobile as an update for existing Windows Phone 8.1 devices varies by device manufacturer, device model, country or region, mobile operator or service provider, hardware limitations, and other factors. To check for compatibility and other important installation information, see the [Windows 10 Mobile FAQ](https://support.microsoft.com/help/10599/windows-10-mobile-how-to-get) page. + +### How to blacklist the Upgrade Advisor app + +Some enterprises may want to block their users from installing the Windows 10 Mobile Upgrade Advisor app. With Windows Phone 8.1, you can allow or deny individual apps by adding specific app publishers or the app globally unique identifier (GUID) from the Window Phone Store to an allow or deny XML list. The GUID for a particular application can be found in the URL for the app in the phone store. For example, the GUID to the Windows 10 Mobile Upgrade Adviser (fbe47e4f-7769-4103-910e-dca8c43e0b07) is displayed in the following URL: + +http://windowsphone.com/s?appid=fbe47e4f-7769-4103-910e-dca8c43e0b07 + +For more information about how to do this, see [Try it out: restrict Windows Phone 8.1 apps](https://technet.microsoft.com/windows/dn771706.aspx). + +## Related topics + +[Windows 10 Mobile and mobile device management](/windows/client-management/windows-10-mobile-and-mdm) diff --git a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md index bc54105187..671ba50c38 100644 --- a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md +++ b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md @@ -1,63 +1,63 @@ ---- -title: Use Upgrade Readiness to manage Windows upgrades (Windows 10) -ms.reviewer: -manager: laurawi -description: Describes how to use Upgrade Readiness to manage Windows upgrades. -keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics, -ms.localizationpriority: medium -ms.prod: w10 -author: greg-lindsay -ms.author: greglin -ms.topic: article ---- - -# Use Upgrade Readiness to manage Windows upgrades - ->[!IMPORTANT] ->>**The OMS portal has been deprecated, so you need to switch to the [Azure portal](https://portal.azure.com) now.** The two portals offer the same experience, with some key differences. Learn how to use [Windows Analytics in the Azure Portal](../update/windows-analytics-azure-portal.md). Find out more about the [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition), or jump right in and [Get started with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-readiness-get-started). - -You can use Upgrade Readiness to prioritize and work through application and driver issues, assign and track issue resolution status, and identify computers that are ready to upgrade. Upgrade Readiness enables you to deploy Windows with confidence, knowing that you’ve addressed potential blocking issues. - -- Based on diagnostic data from user computers, Upgrade Readiness identifies application and driver compatibility issues that may block Windows upgrades, allowing you to make data-driven decisions about your organization’s upgrade readiness. -- Information is refreshed daily so you can monitor upgrade progress. Any changes your team makes, such as assigning application importance and marking applications as ready to upgrade, are reflected 24 hours after you make them. - -When you are ready to begin the upgrade process, a workflow is provided to guide you through critical high-level tasks. - -![Series of blades showing Upgrade Overview, Step 1: Identify Important Apps, Prioritize Applications, Step 2: Resolve issues, and Review applications with known issues](../images/ua-cg-15.png) - -Each step in the workflow is enumerated using blue tiles. Helpful data is provided on white tiles to help you get started, to monitor your progress, and to complete each step. - ->**Important**: You can use the [Target version](#target-version) setting to evaluate computers that are running a specified version of Windows before starting the Upgrade Readiness workflow. By default, the Target version is configured to the released version of Windows 10 for the Current Branch for Business (CBB). - -The following information and workflow is provided: - -- [Upgrade overview](upgrade-readiness-upgrade-overview.md): Review compatibility and usage information about computers, applications, and drivers. -- [Step 1: Identify important apps](upgrade-readiness-identify-apps.md): Assign importance levels to prioritize your applications. -- [Step 2: Resolve issues](upgrade-readiness-resolve-issues.md): Identify and resolve problems with applications. -- [Step 3: Deploy](upgrade-readiness-deploy-windows.md): Start the upgrade process. - -Also see the following topic for information about additional items that can be affected by the upgrade process: - -- [Additional insights](upgrade-readiness-additional-insights.md): Find out which MS Office add-ins are installed, and review web site activity. - -## Target version - -The target version setting is used to evaluate the number of computers that are already running the default version of Windows 10, or a later version. The target version of Windows 10 is displayed on the upgrade overview tile. See the following example: - -![Upgrade overview showing target version](../images/ur-target-version.png) - -The default target version in Upgrade Readiness is set to the released version of the Current Branch for Business (CBB). CBB can be determined by reviewing [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). The target version setting is used to evaluate the number of computers that are already running this version of Windows, or a later version. - -The number displayed under **Computers upgraded** in the Upgrade Overview blade is the total number of computers that are already running the same or a later version of Windows compared to the target version. It also is used in the evaluation of apps and drivers: Known issues and guidance for the apps and drivers in Upgrade Readiness is based on the target operating system version. - -You now have the ability to change the Windows 10 version you wish to target. The available options currently are: Windows 10 version 1507, Windows 10 version 1511, Windows 10 version 1607, Windows 10 version 1703, Windows 10 version 1709 and Windows 10 version 1803. - -To change the target version setting, click on **Solutions Settings**, which appears at the top when you open you Upgrade Readiness solution: - -![Upgrade Readiness dialog showing gear labeled Solution Settings](../images/ua-cg-08.png) - ->You must be signed in to Upgrade Readiness as an administrator to view settings. - -On the **Upgrade Readiness Settings** page, choose one of the options in the drop down box and click **Save**. The changes in the target version setting are reflected in evaluations when a new snapshot is uploaded to your workspace. - -![Upgrade Readiness Settings dialog showing gear labeled Save and arrow labeled Cancel](../images/ur-settings.png) +--- +title: Use Upgrade Readiness to manage Windows upgrades (Windows 10) +ms.reviewer: +manager: laurawi +description: Describes how to use Upgrade Readiness to manage Windows upgrades. +keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics, +ms.localizationpriority: medium +ms.prod: w10 +audience: itpro author: greg-lindsay +ms.author: greglin +ms.topic: article +--- + +# Use Upgrade Readiness to manage Windows upgrades + +>[!IMPORTANT] +>>**The OMS portal has been deprecated, so you need to switch to the [Azure portal](https://portal.azure.com) now.** The two portals offer the same experience, with some key differences. Learn how to use [Windows Analytics in the Azure Portal](../update/windows-analytics-azure-portal.md). Find out more about the [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition), or jump right in and [Get started with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-readiness-get-started). + +You can use Upgrade Readiness to prioritize and work through application and driver issues, assign and track issue resolution status, and identify computers that are ready to upgrade. Upgrade Readiness enables you to deploy Windows with confidence, knowing that you’ve addressed potential blocking issues. + +- Based on diagnostic data from user computers, Upgrade Readiness identifies application and driver compatibility issues that may block Windows upgrades, allowing you to make data-driven decisions about your organization’s upgrade readiness. +- Information is refreshed daily so you can monitor upgrade progress. Any changes your team makes, such as assigning application importance and marking applications as ready to upgrade, are reflected 24 hours after you make them. + +When you are ready to begin the upgrade process, a workflow is provided to guide you through critical high-level tasks. + +![Series of blades showing Upgrade Overview, Step 1: Identify Important Apps, Prioritize Applications, Step 2: Resolve issues, and Review applications with known issues](../images/ua-cg-15.png) + +Each step in the workflow is enumerated using blue tiles. Helpful data is provided on white tiles to help you get started, to monitor your progress, and to complete each step. + +>**Important**: You can use the [Target version](#target-version) setting to evaluate computers that are running a specified version of Windows before starting the Upgrade Readiness workflow. By default, the Target version is configured to the released version of Windows 10 for the Current Branch for Business (CBB). + +The following information and workflow is provided: + +- [Upgrade overview](upgrade-readiness-upgrade-overview.md): Review compatibility and usage information about computers, applications, and drivers. +- [Step 1: Identify important apps](upgrade-readiness-identify-apps.md): Assign importance levels to prioritize your applications. +- [Step 2: Resolve issues](upgrade-readiness-resolve-issues.md): Identify and resolve problems with applications. +- [Step 3: Deploy](upgrade-readiness-deploy-windows.md): Start the upgrade process. + +Also see the following topic for information about additional items that can be affected by the upgrade process: + +- [Additional insights](upgrade-readiness-additional-insights.md): Find out which MS Office add-ins are installed, and review web site activity. + +## Target version + +The target version setting is used to evaluate the number of computers that are already running the default version of Windows 10, or a later version. The target version of Windows 10 is displayed on the upgrade overview tile. See the following example: + +![Upgrade overview showing target version](../images/ur-target-version.png) + +The default target version in Upgrade Readiness is set to the released version of the Current Branch for Business (CBB). CBB can be determined by reviewing [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). The target version setting is used to evaluate the number of computers that are already running this version of Windows, or a later version. + +The number displayed under **Computers upgraded** in the Upgrade Overview blade is the total number of computers that are already running the same or a later version of Windows compared to the target version. It also is used in the evaluation of apps and drivers: Known issues and guidance for the apps and drivers in Upgrade Readiness is based on the target operating system version. + +You now have the ability to change the Windows 10 version you wish to target. The available options currently are: Windows 10 version 1507, Windows 10 version 1511, Windows 10 version 1607, Windows 10 version 1703, Windows 10 version 1709 and Windows 10 version 1803. + +To change the target version setting, click on **Solutions Settings**, which appears at the top when you open you Upgrade Readiness solution: + +![Upgrade Readiness dialog showing gear labeled Solution Settings](../images/ua-cg-08.png) + +>You must be signed in to Upgrade Readiness as an administrator to view settings. + +On the **Upgrade Readiness Settings** page, choose one of the options in the drop down box and click **Save**. The changes in the target version setting are reflected in evaluations when a new snapshot is uploaded to your workspace. + +![Upgrade Readiness Settings dialog showing gear labeled Save and arrow labeled Cancel](../images/ur-settings.png) diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index 4b834a7569..72345c3d54 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md @@ -1,250 +1,250 @@ ---- -title: Windows 10 edition upgrade (Windows 10) -description: With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. -ms.assetid: A7642E90-A3E7-4A25-8044-C4E402DC462A -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mobile -author: greg-lindsay -ms.topic: article ---- - -# Windows 10 edition upgrade - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkID=690882). For a comprehensive list of all possible upgrade paths to Windows 10, see [Windows 10 upgrade paths](windows-10-upgrade-paths.md). Downgrading the edition of Windows is discussed in the [License expiration](#license-expiration) section on this page. - -For a list of operating systems that qualify for the Windows 10 Pro Upgrade or Windows 10 Enterprise Upgrade through Microsoft Volume Licensing, see [Windows 10 Qualifying Operating Systems](https://download.microsoft.com/download/2/d/1/2d14fe17-66c2-4d4c-af73-e122930b60f6/Windows10-QOS.pdf). - -The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. **Note**: The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607. - -Note: Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](https://docs.microsoft.com/sccm/compliance/deploy-use/upgrade-windows-version) in System Center Configuration Manager. - -![not supported](../images/x_blk.png) (X) = not supported
          -![supported, reboot required](../images/check_grn.png) (green checkmark) = supported, reboot required
          -![supported, no reboot](../images/check_blu.png) (blue checkmark) = supported, no reboot required
          - - - -| Edition upgrade | Using mobile device management (MDM) | Using a provisioning package | Using a command-line tool | Using Microsoft Store for Business or PC | Entering a product key manually | Purchasing a license from the Microsoft Store | -|-----------------| ------------------------------------ | --------------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- | -| **Home > Pro** | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | -| **Home > Pro for Workstations** | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | -| **Home > Pro Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Home > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Pro > Pro for Workstations** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
          (MSfB) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | -| **Pro > Pro Education** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
          (MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
          (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Pro > Enterprise** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
          (1703 - PC)
          (1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro for Workstations > Pro Education** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
          (MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro for Workstations > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
          (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Pro for Workstations > Enterprise** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
          (1703 - PC)
          (1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro Education > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
          (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Enterprise > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
          (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Mobile > Mobile Enterprise** | ![supported, no reboot](../images/check_blu.png) |![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | - -> [!NOTE] -> - For information about upgrade paths in Windows 10 in S mode (for Pro or Education), check out [Windows 10 Pro/Enterprise in S mode](../windows-10-pro-in-s-mode.md) -> - Each desktop edition in the table also has an N and KN SKU. These editions have had media-related functionality removed. Devices with N or KN SKUs installed can be upgraded to corresponding N or KN SKUs using the same methods. ->
          -> - Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes) the term LTSB might still be displayed in some products. This name will change to LTSC with subsequent feature updates. - -## Upgrade using mobile device management (MDM) -- To upgrade desktop editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithProductKey** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](https://go.microsoft.com/fwlink/p/?LinkID=690907). - -- To upgrade mobile editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithLicense** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](https://go.microsoft.com/fwlink/p/?LinkID=690907). - -## Upgrade using a provisioning package -Use Windows Configuration Designer to create a provisioning package to upgrade a desktop edition or mobile edition of Windows 10. To get started, [install Windows Configuration Designer from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22). - -- To create a provisioning package for upgrading desktop editions of Windows 10, go to **Runtime settings > EditionUpgrade > UpgradeEditionWithProductKey** in the **Available customizations** panel in Windows ICD and enter the product key for the upgraded edition. - -- To create a provisioning package for upgrading mobile editions of Windows 10, go to **Runtime settings > EditionUpgrade > UpgradeEditionWithLicense** in the **Available customizations** panel in Windows ICD and enter the product key for the upgraded edition. - -For more info about Windows Configuration Designer, see these topics: -- [Create a provisioining package for Windows 10](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-create-package) -- [Apply a provisioning package](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-apply-package) - - -## Upgrade using a command-line tool -You can run the changepk.exe command-line tool to upgrade devices to a supported edition of Windows 10: - -`changepk.exe /ProductKey ` - -You can also upgrade using slmgr.vbs and a [KMS client setup key](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v%3dws.11)). For example, the following command will upgrade to Windows 10 Enterprise. - -`Cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43` - - -## Upgrade by manually entering a product key -If you are upgrading only a few devices, you may want to enter a product key for the upgraded edition manually. - -**To manually enter a product key** - -1. From either the Start menu or the Start screen, type 'Activation' and click on the Activation shortcut. - -2. Click **Change product key**. - -3. Enter your product key. - -4. Follow the on-screen instructions. - -## Upgrade by purchasing a license from the Microsoft Store -If you do not have a product key, you can upgrade your edition of Windows 10 through the Microsoft Store. - -**To upgrade through the Microsoft Store** - -1. From either the **Start** menu or the **Start** screen, type 'Activation' and click on the Activation shortcut. - -2. Click **Go to Store**. - -3. Follow the on-screen instructions. - - **Note**
          If you are a Windows 10 Home N or Windows 10 Home KN user and have trouble finding your applicable upgrade in the Microsoft Store, click [here](ms-windows-store://windowsupgrade/). - -## License expiration - -Volume license customers whose license has expired will need to change the edition of Windows 10 to an edition with an active license. Switching to a downgraded edition of Windows 10 is possible using the same methods that were used to perform an edition upgrade. If the downgrade path is supported, then your apps and settings can be migrated from the current edition. If a path is not supported, then a clean install is required. - -Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a different product key is not supported. You also cannot downgrade from a later version to an earlier version of the same edition (Ex: Windows 10 Pro 1709 to 1703) unless the rollback process is used. This topic does not discuss version downgrades. - -Note: If you are using [Windows 10 Enterprise Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) and a license expires, devices will automatically revert to the original edition when the grace period expires. - -### Scenario example - -Downgrading from Enterprise -- Original edition: **Professional OEM** -- Upgrade edition: **Enterprise** -- Valid downgrade paths: **Pro, Pro for Workstations, Pro Education, Education** - -You can move directly from Enterprise to any valid destination edition. In this example, downgrading to Pro for Workstations, Pro Education, or Education requires an additional activation key to supersede the firmware-embedded Pro key. In all cases, you must comply with [Microsoft License Terms](https://www.microsoft.com/useterms). If you are a volume license customer, refer to the [Microsoft Volume Licensing Reference Guide](https://www.microsoft.com/en-us/download/details.aspx?id=11091). - -### Supported Windows 10 downgrade paths - -✔ = Supported downgrade path
          - S  = Supported; Not considered a downgrade or an upgrade
          -[blank] = Not supported or not a downgrade
          - -
          - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Destination edition
                HomeProPro for WorkstationsPro EducationEducationEnterprise LTSCEnterprise
          Starting edition
          Home
          Pro
          Pro for Workstations
          Pro Education
          EducationS
          Enterprise LTSC
          EnterpriseS
          - -> **Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions. -> -> **Windows N/KN**: Windows "N" and "KN" SKUs follow the same rules shown above. - -Some slightly more complex scenarios are not represented by the table above. For example, you can perform an upgrade from Pro to Pro for Workstation on a computer with an embedded Pro key using a Pro for Workstation license key, and then later downgrade this computer back to Pro with the firmware-embedded key. The downgrade is allowed but only because the pre-installed OS is Pro. - -## Related topics - -[Windows 10 upgrade paths](https://docs.microsoft.com/windows/deployment/upgrade/windows-10-upgrade-paths)
          -[Windows 10 volume license media](https://docs.microsoft.com/windows/deployment/windows-10-media)
          -[Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) +--- +title: Windows 10 edition upgrade (Windows 10) +description: With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. +ms.assetid: A7642E90-A3E7-4A25-8044-C4E402DC462A +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: mobile +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Windows 10 edition upgrade + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkID=690882). For a comprehensive list of all possible upgrade paths to Windows 10, see [Windows 10 upgrade paths](windows-10-upgrade-paths.md). Downgrading the edition of Windows is discussed in the [License expiration](#license-expiration) section on this page. + +For a list of operating systems that qualify for the Windows 10 Pro Upgrade or Windows 10 Enterprise Upgrade through Microsoft Volume Licensing, see [Windows 10 Qualifying Operating Systems](https://download.microsoft.com/download/2/d/1/2d14fe17-66c2-4d4c-af73-e122930b60f6/Windows10-QOS.pdf). + +The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. **Note**: The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607. + +Note: Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](https://docs.microsoft.com/sccm/compliance/deploy-use/upgrade-windows-version) in System Center Configuration Manager. + +![not supported](../images/x_blk.png) (X) = not supported
          +![supported, reboot required](../images/check_grn.png) (green checkmark) = supported, reboot required
          +![supported, no reboot](../images/check_blu.png) (blue checkmark) = supported, no reboot required
          + + + +| Edition upgrade | Using mobile device management (MDM) | Using a provisioning package | Using a command-line tool | Using Microsoft Store for Business or PC | Entering a product key manually | Purchasing a license from the Microsoft Store | +|-----------------| ------------------------------------ | --------------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- | +| **Home > Pro** | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | +| **Home > Pro for Workstations** | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | +| **Home > Pro Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Home > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Pro > Pro for Workstations** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
          (MSfB) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | +| **Pro > Pro Education** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
          (MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
          (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Pro > Enterprise** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
          (1703 - PC)
          (1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro for Workstations > Pro Education** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
          (MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro for Workstations > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
          (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Pro for Workstations > Enterprise** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
          (1703 - PC)
          (1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro Education > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
          (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Enterprise > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
          (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Mobile > Mobile Enterprise** | ![supported, no reboot](../images/check_blu.png) |![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | + +> [!NOTE] +> - For information about upgrade paths in Windows 10 in S mode (for Pro or Education), check out [Windows 10 Pro/Enterprise in S mode](../windows-10-pro-in-s-mode.md) +> - Each desktop edition in the table also has an N and KN SKU. These editions have had media-related functionality removed. Devices with N or KN SKUs installed can be upgraded to corresponding N or KN SKUs using the same methods. +>
          +> - Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes) the term LTSB might still be displayed in some products. This name will change to LTSC with subsequent feature updates. + +## Upgrade using mobile device management (MDM) +- To upgrade desktop editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithProductKey** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](https://go.microsoft.com/fwlink/p/?LinkID=690907). + +- To upgrade mobile editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithLicense** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](https://go.microsoft.com/fwlink/p/?LinkID=690907). + +## Upgrade using a provisioning package +Use Windows Configuration Designer to create a provisioning package to upgrade a desktop edition or mobile edition of Windows 10. To get started, [install Windows Configuration Designer from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22). + +- To create a provisioning package for upgrading desktop editions of Windows 10, go to **Runtime settings > EditionUpgrade > UpgradeEditionWithProductKey** in the **Available customizations** panel in Windows ICD and enter the product key for the upgraded edition. + +- To create a provisioning package for upgrading mobile editions of Windows 10, go to **Runtime settings > EditionUpgrade > UpgradeEditionWithLicense** in the **Available customizations** panel in Windows ICD and enter the product key for the upgraded edition. + +For more info about Windows Configuration Designer, see these topics: +- [Create a provisioining package for Windows 10](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-create-package) +- [Apply a provisioning package](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-apply-package) + + +## Upgrade using a command-line tool +You can run the changepk.exe command-line tool to upgrade devices to a supported edition of Windows 10: + +`changepk.exe /ProductKey ` + +You can also upgrade using slmgr.vbs and a [KMS client setup key](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v%3dws.11)). For example, the following command will upgrade to Windows 10 Enterprise. + +`Cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43` + + +## Upgrade by manually entering a product key +If you are upgrading only a few devices, you may want to enter a product key for the upgraded edition manually. + +**To manually enter a product key** + +1. From either the Start menu or the Start screen, type 'Activation' and click on the Activation shortcut. + +2. Click **Change product key**. + +3. Enter your product key. + +4. Follow the on-screen instructions. + +## Upgrade by purchasing a license from the Microsoft Store +If you do not have a product key, you can upgrade your edition of Windows 10 through the Microsoft Store. + +**To upgrade through the Microsoft Store** + +1. From either the **Start** menu or the **Start** screen, type 'Activation' and click on the Activation shortcut. + +2. Click **Go to Store**. + +3. Follow the on-screen instructions. + + **Note**
          If you are a Windows 10 Home N or Windows 10 Home KN user and have trouble finding your applicable upgrade in the Microsoft Store, click [here](ms-windows-store://windowsupgrade/). + +## License expiration + +Volume license customers whose license has expired will need to change the edition of Windows 10 to an edition with an active license. Switching to a downgraded edition of Windows 10 is possible using the same methods that were used to perform an edition upgrade. If the downgrade path is supported, then your apps and settings can be migrated from the current edition. If a path is not supported, then a clean install is required. + +Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a different product key is not supported. You also cannot downgrade from a later version to an earlier version of the same edition (Ex: Windows 10 Pro 1709 to 1703) unless the rollback process is used. This topic does not discuss version downgrades. + +Note: If you are using [Windows 10 Enterprise Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) and a license expires, devices will automatically revert to the original edition when the grace period expires. + +### Scenario example + +Downgrading from Enterprise +- Original edition: **Professional OEM** +- Upgrade edition: **Enterprise** +- Valid downgrade paths: **Pro, Pro for Workstations, Pro Education, Education** + +You can move directly from Enterprise to any valid destination edition. In this example, downgrading to Pro for Workstations, Pro Education, or Education requires an additional activation key to supersede the firmware-embedded Pro key. In all cases, you must comply with [Microsoft License Terms](https://www.microsoft.com/useterms). If you are a volume license customer, refer to the [Microsoft Volume Licensing Reference Guide](https://www.microsoft.com/en-us/download/details.aspx?id=11091). + +### Supported Windows 10 downgrade paths + +✔ = Supported downgrade path
          + S  = Supported; Not considered a downgrade or an upgrade
          +[blank] = Not supported or not a downgrade
          + +
          + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Destination edition
                HomeProPro for WorkstationsPro EducationEducationEnterprise LTSCEnterprise
          Starting edition
          Home
          Pro
          Pro for Workstations
          Pro Education
          EducationS
          Enterprise LTSC
          EnterpriseS
          + +> **Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions. +> +> **Windows N/KN**: Windows "N" and "KN" SKUs follow the same rules shown above. + +Some slightly more complex scenarios are not represented by the table above. For example, you can perform an upgrade from Pro to Pro for Workstation on a computer with an embedded Pro key using a Pro for Workstation license key, and then later downgrade this computer back to Pro with the firmware-embedded key. The downgrade is allowed but only because the pre-installed OS is Pro. + +## Related topics + +[Windows 10 upgrade paths](https://docs.microsoft.com/windows/deployment/upgrade/windows-10-upgrade-paths)
          +[Windows 10 volume license media](https://docs.microsoft.com/windows/deployment/windows-10-media)
          +[Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md index 5b9a5ec10f..c1cf90e9a0 100644 --- a/windows/deployment/upgrade/windows-10-upgrade-paths.md +++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md @@ -9,6 +9,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: medium ms.pagetype: mobile +audience: itpro author: greg-lindsay ms.topic: article --- @@ -27,7 +28,7 @@ This topic provides a summary of available upgrade paths to Windows 10. You can > > **Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions. > -> In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 semi-annual channel](https://docs.microsoft.com/windows/release-information/) to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch the option 'Keep personal files and apps' will be grayed out. The command line would be: setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx using your relevant Windows 10 SAC product key. For example, if using a KMS, the command line would be setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43 +> In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 semi-annual channel](https://docs.microsoft.com/windows/release-information/) to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch the option 'Keep personal files and apps' will be grayed out. The command line would be **setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx**, using your relevant Windows 10 SAC product key. For example, if using a KMS, the command line would be **setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43**. > > **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process. > diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md index 8397184345..f0f918ef4a 100644 --- a/windows/deployment/upgrade/windows-error-reporting.md +++ b/windows/deployment/upgrade/windows-error-reporting.md @@ -1,73 +1,73 @@ ---- -title: Windows error reporting - Windows IT Pro -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. -keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.localizationpriority: medium -ms.topic: article ---- - -# Windows Error Reporting - -**Applies to** -- Windows 10 - ->[!NOTE] -> This is a 300 level topic (moderately advanced). -> See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. - - -When Windows Setup fails, the result and extend code are recorded as an informational event in the Application log by Windows Error Reporting as event 1001. The event name is **WinSetupDiag02**. You can use Event Viewer to review this event, or you can use Windows PowerShell. - -To use Windows PowerShell, type the following commands from an elevated Windows PowerShell prompt: - ->[!IMPORTANT] ->}The following source will be available only if you have updated from a previous version of Windows 10 to a new version. If you installed the current version and have not updated, the source named **WinSetupDiag02** will be unavailable. - -```Powershell -$events = Get-WinEvent -FilterHashtable @{LogName="Application";ID="1001";Data="WinSetupDiag02"} -$event = [xml]$events[0].ToXml() -$event.Event.EventData.Data -``` - -To use Event Viewer: -1. Open Event Viewer and navigate to **Windows Logs\Application**. -2. Click **Find**, and then search for **winsetupdiag02**. -3. Double-click the event that is highlighted. - -Note: For legacy operating systems, the Event Name was WinSetupDiag01. - -Ten parameters are listed in the event: - -| Parameters | -| ------------- | -|P1: The Setup Scenario (1=Media,5=WindowsUpdate,7=Media Creation Tool) | -|P2: Setup Mode (x=default,1=Downlevel,5=Rollback) | -|P3: New OS Architecture (x=default,0=X86,9=AMD64) | -|P4: Install Result (x=default,0=Success,1=Failure,2=Cancel,3=Blocked) | -|**P5: Result Error Code** (Ex: 0xc1900101) | -|**P6: Extend Error Code** (Ex: 0x20017) | -|P7: Source OS build (Ex: 9600) | -|P8: Source OS branch (not typically available) | -|P9: New OS build (Ex: 16299} | -|P10: New OS branch (Ex: rs3_release} | - - -The event will also contain links to log files that can be used to perform a detailed diagnosis of the error. An example of this event from a successful upgrade is shown below. - -![Windows Error Reporting](../images/event.png) - -## Related topics - -[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) -[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) -[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) -[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) +--- +title: Windows error reporting - Windows IT Pro +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. +keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.topic: article +--- + +# Windows Error Reporting + +**Applies to** +- Windows 10 + +>[!NOTE] +> This is a 300 level topic (moderately advanced). +> See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. + + +When Windows Setup fails, the result and extend code are recorded as an informational event in the Application log by Windows Error Reporting as event 1001. The event name is **WinSetupDiag02**. You can use Event Viewer to review this event, or you can use Windows PowerShell. + +To use Windows PowerShell, type the following commands from an elevated Windows PowerShell prompt: + +>[!IMPORTANT] +>}The following source will be available only if you have updated from a previous version of Windows 10 to a new version. If you installed the current version and have not updated, the source named **WinSetupDiag02** will be unavailable. + +```Powershell +$events = Get-WinEvent -FilterHashtable @{LogName="Application";ID="1001";Data="WinSetupDiag02"} +$event = [xml]$events[0].ToXml() +$event.Event.EventData.Data +``` + +To use Event Viewer: +1. Open Event Viewer and navigate to **Windows Logs\Application**. +2. Click **Find**, and then search for **winsetupdiag02**. +3. Double-click the event that is highlighted. + +Note: For legacy operating systems, the Event Name was WinSetupDiag01. + +Ten parameters are listed in the event: + +| Parameters | +| ------------- | +|P1: The Setup Scenario (1=Media,5=WindowsUpdate,7=Media Creation Tool) | +|P2: Setup Mode (x=default,1=Downlevel,5=Rollback) | +|P3: New OS Architecture (x=default,0=X86,9=AMD64) | +|P4: Install Result (x=default,0=Success,1=Failure,2=Cancel,3=Blocked) | +|**P5: Result Error Code** (Ex: 0xc1900101) | +|**P6: Extend Error Code** (Ex: 0x20017) | +|P7: Source OS build (Ex: 9600) | +|P8: Source OS branch (not typically available) | +|P9: New OS build (Ex: 16299} | +|P10: New OS branch (Ex: rs3_release} | + + +The event will also contain links to log files that can be used to perform a detailed diagnosis of the error. An example of this event from a successful upgrade is shown below. + +![Windows Error Reporting](../images/event.png) + +## Related topics + +[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) +[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) +[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) +[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) +[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) diff --git a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md index 3d4945693b..6062bfa905 100644 --- a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md +++ b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md @@ -1,79 +1,79 @@ ---- -title: Windows Upgrade and Migration Considerations (Windows 10) -description: Windows Upgrade and Migration Considerations -ms.assetid: 7f85095c-5922-45e9-b28e-91b1263c7281 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.topic: article ---- - -# Windows upgrade and migration considerations -Files and application settings can be migrated to new hardware running the Windows® operating system, or they can be maintained during an operating system upgrade on the same computer. This topic summarizes the Microsoft® tools you can use to move files and settings between installations in addition to special considerations for performing an upgrade or migration. - -## Upgrade from a previous version of Windows -You can upgrade from an earlier version of Windows, which means you can install the new version of Windows and retain your applications, files, and settings as they were in your previous version of Windows. If you decide to perform a custom installation of Windows instead of an upgrade, your applications and settings will not be maintained. Your personal files, and all Windows files and directories, will be moved to a Windows.old folder. You can access your data in the Windows.old folder after Windows Setup is complete. - -## Migrate files and settings -Migration tools are available to transfer settings from one computer that is running Windows to another. These tools transfer only the program settings, not the programs themselves. - -For more information about application compatibility, see the [Application Compatibility Toolkit (ACT)](https://go.microsoft.com/fwlink/p/?LinkId=131349). - -The User State Migration Tool (USMT) 10.0 is an application intended for administrators who are performing large-scale automated deployments. For deployment to a small number of computers or for individually customized deployments, you can use Windows Easy Transfer. - -### Migrate with Windows Easy Transfer -Windows Easy Transfer is a software wizard for transferring files and settings from one computer that is running Windows to another. It helps you select what to move to your new computer, enables you to set which migration method to use, and then performs the transfer. When the transfer has completed, Windows Easy Transfer Reports shows you what was transferred and provides a list of programs you might want to install on your new computer, in addition to links to other programs you might want to download. - -With Windows Easy Transfer, files and settings can be transferred using a network share, a USB flash drive (UFD), or the Easy Transfer cable. However, you cannot use a regular universal serial bus (USB) cable to transfer files and settings with Windows Easy Transfer. An Easy Transfer cable can be purchased on the Web, from your computer manufacturer, or at an electronics store. - -> [!NOTE] -> Windows Easy Transfer [is not available in Windows 10](https://support.microsoft.com/help/4026265/windows-windows-easy-transfer-is-not-available-in-windows-10). - -### Migrate with the User State Migration Tool -You can use USMT to automate migration during large deployments of the Windows operating system. USMT uses configurable migration rule (.xml) files to control exactly which user accounts, user files, operating system settings, and application settings are migrated and how they are migrated. You can use USMT for both *side-by-side* migrations, where one piece of hardware is being replaced, or *wipe-and-load* (or *refresh*) migrations, when only the operating system is being upgraded. - -## Upgrade and migration considerations -Whether you are upgrading or migrating to a new version of Windows, you must be aware of the following issues and considerations: - -### Application compatibility -For more information about application compatibility in Windows, see [Use Upgrade Readiness to manage Windows upgrades](https://docs.microsoft.com/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades). - -### Multilingual Windows image upgrades -When performing multilingual Windows upgrades, cross-language upgrades are not supported by USMT. If you are upgrading or migrating an operating system with multiple language packs installed, you can upgrade or migrate only to the system default user interface (UI) language. For example, if English is the default but you have a Spanish language pack installed, you can upgrade or migrate only to English. - -If you are using a single-language Windows image that matches the system default UI language of your multilingual operating system, the migration will work. However, all of the language packs will be removed, and you will have to reinstall them after the upgrade is completed. - -### Errorhandler.cmd -When upgrading from an earlier version of Windows, if you intend to use Errorhandler.cmd, you must copy this file into the %WINDIR%\\Setup\\Scripts directory on the old installation. This makes sure that if there are errors during the down-level phase of Windows Setup, the commands in Errorhandler.cmd will run. - -### Data drive ACL migration -During the configuration pass of Windows Setup, the root access control list (ACL) on drives formatted for NTFS that do not appear to have an operating system will be changed to the default Windows XP ACL format. The ACLs on these drives are changed to enable authenticated users to modify access on folders and files. - -Changing the ACLs may affect the performance of Windows Setup if the default Windows XP ACLs are applied to a partition with a large amount of data. Because of these performance concerns, you can change the following registry value to disable this feature: - -``` syntax -Key: HKLM\System\Setup -Type: REG_DWORD -Value: "DDACLSys_Disabled" = 1 -``` - -This feature is disabled if this registry key value exists and is configured to `1`. - -## Related topics -[User State Migration Tool (USMT) Overview Topics](../usmt/usmt-topics.md)
          -[Windows 10 upgrade paths](windows-10-upgrade-paths.md)
          -[Windows 10 edition upgrade](windows-10-edition-upgrades.md) - - -  - -  - - - - - +--- +title: Windows Upgrade and Migration Considerations (Windows 10) +description: Windows Upgrade and Migration Considerations +ms.assetid: 7f85095c-5922-45e9-b28e-91b1263c7281 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Windows upgrade and migration considerations +Files and application settings can be migrated to new hardware running the Windows® operating system, or they can be maintained during an operating system upgrade on the same computer. This topic summarizes the Microsoft® tools you can use to move files and settings between installations in addition to special considerations for performing an upgrade or migration. + +## Upgrade from a previous version of Windows +You can upgrade from an earlier version of Windows, which means you can install the new version of Windows and retain your applications, files, and settings as they were in your previous version of Windows. If you decide to perform a custom installation of Windows instead of an upgrade, your applications and settings will not be maintained. Your personal files, and all Windows files and directories, will be moved to a Windows.old folder. You can access your data in the Windows.old folder after Windows Setup is complete. + +## Migrate files and settings +Migration tools are available to transfer settings from one computer that is running Windows to another. These tools transfer only the program settings, not the programs themselves. + +For more information about application compatibility, see the [Application Compatibility Toolkit (ACT)](https://go.microsoft.com/fwlink/p/?LinkId=131349). + +The User State Migration Tool (USMT) 10.0 is an application intended for administrators who are performing large-scale automated deployments. For deployment to a small number of computers or for individually customized deployments, you can use Windows Easy Transfer. + +### Migrate with Windows Easy Transfer +Windows Easy Transfer is a software wizard for transferring files and settings from one computer that is running Windows to another. It helps you select what to move to your new computer, enables you to set which migration method to use, and then performs the transfer. When the transfer has completed, Windows Easy Transfer Reports shows you what was transferred and provides a list of programs you might want to install on your new computer, in addition to links to other programs you might want to download. + +With Windows Easy Transfer, files and settings can be transferred using a network share, a USB flash drive (UFD), or the Easy Transfer cable. However, you cannot use a regular universal serial bus (USB) cable to transfer files and settings with Windows Easy Transfer. An Easy Transfer cable can be purchased on the Web, from your computer manufacturer, or at an electronics store. + +> [!NOTE] +> Windows Easy Transfer [is not available in Windows 10](https://support.microsoft.com/help/4026265/windows-windows-easy-transfer-is-not-available-in-windows-10). + +### Migrate with the User State Migration Tool +You can use USMT to automate migration during large deployments of the Windows operating system. USMT uses configurable migration rule (.xml) files to control exactly which user accounts, user files, operating system settings, and application settings are migrated and how they are migrated. You can use USMT for both *side-by-side* migrations, where one piece of hardware is being replaced, or *wipe-and-load* (or *refresh*) migrations, when only the operating system is being upgraded. + +## Upgrade and migration considerations +Whether you are upgrading or migrating to a new version of Windows, you must be aware of the following issues and considerations: + +### Application compatibility +For more information about application compatibility in Windows, see [Use Upgrade Readiness to manage Windows upgrades](https://docs.microsoft.com/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades). + +### Multilingual Windows image upgrades +When performing multilingual Windows upgrades, cross-language upgrades are not supported by USMT. If you are upgrading or migrating an operating system with multiple language packs installed, you can upgrade or migrate only to the system default user interface (UI) language. For example, if English is the default but you have a Spanish language pack installed, you can upgrade or migrate only to English. + +If you are using a single-language Windows image that matches the system default UI language of your multilingual operating system, the migration will work. However, all of the language packs will be removed, and you will have to reinstall them after the upgrade is completed. + +### Errorhandler.cmd +When upgrading from an earlier version of Windows, if you intend to use Errorhandler.cmd, you must copy this file into the %WINDIR%\\Setup\\Scripts directory on the old installation. This makes sure that if there are errors during the down-level phase of Windows Setup, the commands in Errorhandler.cmd will run. + +### Data drive ACL migration +During the configuration pass of Windows Setup, the root access control list (ACL) on drives formatted for NTFS that do not appear to have an operating system will be changed to the default Windows XP ACL format. The ACLs on these drives are changed to enable authenticated users to modify access on folders and files. + +Changing the ACLs may affect the performance of Windows Setup if the default Windows XP ACLs are applied to a partition with a large amount of data. Because of these performance concerns, you can change the following registry value to disable this feature: + +``` syntax +Key: HKLM\System\Setup +Type: REG_DWORD +Value: "DDACLSys_Disabled" = 1 +``` + +This feature is disabled if this registry key value exists and is configured to `1`. + +## Related topics +[User State Migration Tool (USMT) Overview Topics](../usmt/usmt-topics.md)
          +[Windows 10 upgrade paths](windows-10-upgrade-paths.md)
          +[Windows 10 edition upgrade](windows-10-edition-upgrades.md) + + +  + +  + + + + + diff --git a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md index 18c68ba130..8a830c5fd9 100644 --- a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md +++ b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md @@ -1,86 +1,86 @@ ---- -title: Getting Started with the User State Migration Tool (USMT) (Windows 10) -description: Getting Started with the User State Migration Tool (USMT) -ms.assetid: 506ff1d2-94b8-4460-8672-56aad963504b -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.topic: article ---- - -# Getting Started with the User State Migration Tool (USMT) -This topic outlines the general process that you should follow to migrate files and settings. - -## In this Topic -- [Step 1: Plan Your Migration](#step-1-plan-your-migration) - -- [Step 2: Collect files and settings from the source computer](#step-2-collect-files-and-settings-from-the-source-computer) - -- [Step 3: Prepare the destination computer and restore files and settings](#step-3-prepare-the-destination-computer-and-restore-files-and-settings) - -## Step 1: Plan your migration -1. [Plan Your Migration](usmt-plan-your-migration.md). Depending on whether your migration scenario is refreshing or replacing computers, you can choose an online migration or an offline migration using Windows Preinstallation Environment (WinPE) or the files in the Windows.old directory. For more information, see [Common Migration Scenarios](usmt-common-migration-scenarios.md). - -2. [Determine What to Migrate](usmt-determine-what-to-migrate.md). Data you might consider migrating includes end-user information, applications settings, operating-system settings, files, folders, and registry keys. - -3. Determine where to store data. Depending on the size of your migration store, you can store the data remotely, locally in a hard-link migration store or on a local external storage device, or directly on the destination computer. For more information, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md). - -4. Use the **/GenMigXML** command-line option to determine which files will be included in your migration, and to determine whether any modifications are necessary. For more information see [ScanState Syntax](usmt-scanstate-syntax.md) - -5. Modify copies of the Migration.xml and MigDocs.xml files and create custom .xml files, if it is required. To modify the migration behavior, such as migrating the **Documents** folder but not the **Music** folder, you can create a custom .xml file or modify the rules in the existing migration .xml files. The document finder, or **MigXmlHelper.GenerateDocPatterns** helper function, can be used to automatically find user documents on a computer without creating extensive custom migration .xml files. - - **Important**   - We recommend that you always make and modify copies of the .xml files included in User State Migration Tool (USMT) 10.0. Never modify the original .xml files. - - You can use the MigXML.xsd file to help you write and validate the .xml files. For more information about how to modify these files, see [USMT XML Reference](usmt-xml-reference.md). - -6. Create a [Config.xml File](usmt-configxml-file.md) if you want to exclude any components from the migration. To create this file, use the [ScanState Syntax](usmt-scanstate-syntax.md) option together with the other .xml files when you use the **ScanState** command. For example, the following command creates a Config.xml file by using the MigDocs and MigApp.xml files: - - `scanstate /genconfig:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scanstate.log` - -7. Review the migration state of the components listed in the Config.xml file, and specify `migrate=no` for any components that you do not want to migrate. - -## Step 2: Collect files and settings from the source computer -1. Back up the source computer. - -2. Close all applications. If some applications are running when you run the **ScanState** command, USMT might not migrate all of the specified data. For example, if Microsoft® Office Outlook® is open, USMT might not migrate PST files. - - **Note**   - USMT will fail if it cannot migrate a file or setting unless you specify the **/C** option. When you specify the **/C** option, USMT will ignore the errors, and log an error every time that it encounters a file that is being used that USMT did not migrate. You can use the **<ErrorControl>** section in the Config.xml file to specify which errors should be ignored, and which should cause the migration to fail. - -3. Run the **ScanState** command on the source computer to collect files and settings. You should specify all of the .xml files that you want the **ScanState** command to use. For example, - - `scanstate \\server\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scan.log` - - **Note**   - If the source computer is running Windows 7, or Windows 8, you must run the **ScanState** command in **Administrator** mode. To run in **Administrator** mode, right-click **Command Prompt**, and then click **Run As Administrator**. If the source computer is running Windows XP, you must run the **ScanState** command from an account that has administrative credentials. For more information about the how the **ScanState** command processes and stores the data, see [How USMT Works](usmt-how-it-works.md). - -4. Run the **USMTUtils** command with the **/Verify** option to ensure that the store you created is not corrupted. - -## Step 3: Prepare the destination computer and restore files and settings -1. Install the operating system on the destination computer. - -2. Install all applications that were on the source computer. Although it is not always required, we recommend installing all applications on the destination computer before you restore the user state. This makes sure that migrated settings are preserved. - - **Note**   - The application version that is installed on the destination computer should be the same version as the one on the source computer. USMT does not support migrating the settings for an older version of an application to a newer version. The exception to this is Microsoft® Office, which USMT can migrate from an older version to a newer version. - -3. Close all applications. If some applications are running when you run the **LoadState** command, USMT might not migrate all of the specified data. For example, if Microsoft Office Outlook is open, USMT might not migrate PST files. - - **Note**   - Use **/C** to continue your migration if errors are encountered, and use the **<ErrorControl>** section in the Config.xml file to specify which errors should be ignored, and which errors should cause the migration to fail. - -4. Run the **LoadState** command on the destination computer. Specify the same set of .xml files that you specified when you used the **ScanState** command. However, you do not have to specify the Config.xml file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store, but not to the destination computer. To do this, modify the Config.xml file and specify the updated file by using the **LoadState** command. Then, the **LoadState** command will migrate only the files and settings that you want to migrate. For more information about the how the **LoadState** command processes and migrates data, see [How USMT Works](usmt-how-it-works.md). - - For example, the following command migrates the files and settings: - - `loadstate \\server\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:load.log` - - **Note**   - Run the **LoadState** command in administrator mode. To do this, right-click **Command Prompt**, and then click **Run As Administrator**. - -5. Log off after you run the **LoadState** command. Some settings (for example, fonts, wallpaper, and screen saver settings) will not take effect until the next time that the user logs on. +--- +title: Getting Started with the User State Migration Tool (USMT) (Windows 10) +description: Getting Started with the User State Migration Tool (USMT) +ms.assetid: 506ff1d2-94b8-4460-8672-56aad963504b +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Getting Started with the User State Migration Tool (USMT) +This topic outlines the general process that you should follow to migrate files and settings. + +## In this Topic +- [Step 1: Plan Your Migration](#step-1-plan-your-migration) + +- [Step 2: Collect files and settings from the source computer](#step-2-collect-files-and-settings-from-the-source-computer) + +- [Step 3: Prepare the destination computer and restore files and settings](#step-3-prepare-the-destination-computer-and-restore-files-and-settings) + +## Step 1: Plan your migration +1. [Plan Your Migration](usmt-plan-your-migration.md). Depending on whether your migration scenario is refreshing or replacing computers, you can choose an online migration or an offline migration using Windows Preinstallation Environment (WinPE) or the files in the Windows.old directory. For more information, see [Common Migration Scenarios](usmt-common-migration-scenarios.md). + +2. [Determine What to Migrate](usmt-determine-what-to-migrate.md). Data you might consider migrating includes end-user information, applications settings, operating-system settings, files, folders, and registry keys. + +3. Determine where to store data. Depending on the size of your migration store, you can store the data remotely, locally in a hard-link migration store or on a local external storage device, or directly on the destination computer. For more information, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md). + +4. Use the **/GenMigXML** command-line option to determine which files will be included in your migration, and to determine whether any modifications are necessary. For more information see [ScanState Syntax](usmt-scanstate-syntax.md) + +5. Modify copies of the Migration.xml and MigDocs.xml files and create custom .xml files, if it is required. To modify the migration behavior, such as migrating the **Documents** folder but not the **Music** folder, you can create a custom .xml file or modify the rules in the existing migration .xml files. The document finder, or **MigXmlHelper.GenerateDocPatterns** helper function, can be used to automatically find user documents on a computer without creating extensive custom migration .xml files. + + **Important**   + We recommend that you always make and modify copies of the .xml files included in User State Migration Tool (USMT) 10.0. Never modify the original .xml files. + + You can use the MigXML.xsd file to help you write and validate the .xml files. For more information about how to modify these files, see [USMT XML Reference](usmt-xml-reference.md). + +6. Create a [Config.xml File](usmt-configxml-file.md) if you want to exclude any components from the migration. To create this file, use the [ScanState Syntax](usmt-scanstate-syntax.md) option together with the other .xml files when you use the **ScanState** command. For example, the following command creates a Config.xml file by using the MigDocs and MigApp.xml files: + + `scanstate /genconfig:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scanstate.log` + +7. Review the migration state of the components listed in the Config.xml file, and specify `migrate=no` for any components that you do not want to migrate. + +## Step 2: Collect files and settings from the source computer +1. Back up the source computer. + +2. Close all applications. If some applications are running when you run the **ScanState** command, USMT might not migrate all of the specified data. For example, if Microsoft® Office Outlook® is open, USMT might not migrate PST files. + + **Note**   + USMT will fail if it cannot migrate a file or setting unless you specify the **/C** option. When you specify the **/C** option, USMT will ignore the errors, and log an error every time that it encounters a file that is being used that USMT did not migrate. You can use the **<ErrorControl>** section in the Config.xml file to specify which errors should be ignored, and which should cause the migration to fail. + +3. Run the **ScanState** command on the source computer to collect files and settings. You should specify all of the .xml files that you want the **ScanState** command to use. For example, + + `scanstate \\server\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scan.log` + + **Note**   + If the source computer is running Windows 7, or Windows 8, you must run the **ScanState** command in **Administrator** mode. To run in **Administrator** mode, right-click **Command Prompt**, and then click **Run As Administrator**. If the source computer is running Windows XP, you must run the **ScanState** command from an account that has administrative credentials. For more information about the how the **ScanState** command processes and stores the data, see [How USMT Works](usmt-how-it-works.md). + +4. Run the **USMTUtils** command with the **/Verify** option to ensure that the store you created is not corrupted. + +## Step 3: Prepare the destination computer and restore files and settings +1. Install the operating system on the destination computer. + +2. Install all applications that were on the source computer. Although it is not always required, we recommend installing all applications on the destination computer before you restore the user state. This makes sure that migrated settings are preserved. + + **Note**   + The application version that is installed on the destination computer should be the same version as the one on the source computer. USMT does not support migrating the settings for an older version of an application to a newer version. The exception to this is Microsoft® Office, which USMT can migrate from an older version to a newer version. + +3. Close all applications. If some applications are running when you run the **LoadState** command, USMT might not migrate all of the specified data. For example, if Microsoft Office Outlook is open, USMT might not migrate PST files. + + **Note**   + Use **/C** to continue your migration if errors are encountered, and use the **<ErrorControl>** section in the Config.xml file to specify which errors should be ignored, and which errors should cause the migration to fail. + +4. Run the **LoadState** command on the destination computer. Specify the same set of .xml files that you specified when you used the **ScanState** command. However, you do not have to specify the Config.xml file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store, but not to the destination computer. To do this, modify the Config.xml file and specify the updated file by using the **LoadState** command. Then, the **LoadState** command will migrate only the files and settings that you want to migrate. For more information about the how the **LoadState** command processes and migrates data, see [How USMT Works](usmt-how-it-works.md). + + For example, the following command migrates the files and settings: + + `loadstate \\server\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:load.log` + + **Note**   + Run the **LoadState** command in administrator mode. To do this, right-click **Command Prompt**, and then click **Run As Administrator**. + +5. Log off after you run the **LoadState** command. Some settings (for example, fonts, wallpaper, and screen saver settings) will not take effect until the next time that the user logs on. diff --git a/windows/deployment/usmt/migrate-application-settings.md b/windows/deployment/usmt/migrate-application-settings.md index 42df4ca724..8ca3e5b215 100644 --- a/windows/deployment/usmt/migrate-application-settings.md +++ b/windows/deployment/usmt/migrate-application-settings.md @@ -1,172 +1,172 @@ ---- -title: Migrate Application Settings (Windows 10) -description: Migrate Application Settings -ms.assetid: 28f70a83-0a3e-4a6b-968a-2b78ccd3cc07 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Migrate Application Settings - - -You can create a custom .xml file to migrate specific line-of-business application settings or to change the default migration behavior of the User State Migration Tool (USMT) 10.0. For ScanState and LoadState to use this file, you must specify the custom .xml file on both command lines. - -This topic defines how to author a custom migration .xml file that migrates the settings of an application that is not migrated by default using MigApp.xml. You should migrate the settings after you install the application, but before the user runs the application for the first time. - -This topic does not contain information about how to migrate applications that store settings in an application-specific store, only the applications that store the information in files or in the registry. It also does not contain information about how to migrate the data that users create using the application. For example, if the application creates .doc files using a specific template, this topic does not discuss how to migrate the .doc files and templates themselves. - -## In this Topic - - -- [Before You Begin](#bkmk-beforebegin) - -- [Step 1: Verify that the application is installed on the source computer, and that it is the same version as the version to be installed on the destination computer](#bkmk-step1). - -- [Step 2: Identify settings to collect and determine where each setting is stored on the computer](#bkmk-step2). - -- [Step 3: Identify how to apply the gathered settings](#bkmk-step3). - -- [Step 4: Create the migration XML component for the application](#bkmk-step4). - -- [Step 5: Test the application settings migration](#bkmk-step5). - -## Before You Begin - - -You should identify a test computer that contains the operating system of your source computers, and the application whose settings you want to migrate. For example, if you are planning on migrating from Windows 7 to Windows 10, install Windows 7 on your test computer and then install the application. - -## Step 1: Verify that the application is installed on the source computer, and that it is the same version as the version to be installed on the destination computer. - - -Before USMT migrates the settings, you need it to check whether the application is installed on the source computer, and that it is the correct version. If the application is not installed on the source computer, you probably do not want USMT to spend time searching for the application’s settings. More importantly, if USMT collects settings for an application that is not installed, it may migrate settings that will cause the destination computer to function incorrectly. You should also investigate whether there is more than one version of the application. This is because the new version may not store the settings in the same place, which may lead to unexpected results on the destination computer. - -There are many ways to detect if an application is installed. The best practice is to check for an application uninstall key in the registry, and then search the computer for the executable file that installed the application. It is important that you check for both of these items, because sometimes different versions of the same application share the same uninstall key. So even if the key is there, it may not correspond to the version of the application that you want. - -### Check the registry for an application uninstall key. - -When many applications are installed (especially those installed using the Microsoft® Windows® Installer technology), an application uninstall key is created under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall**. For example, when Adobe Acrobat Reader 7 is installed, it creates a key named **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall \\{AC76BA86-7AD7-1033-7B44-A70000000000}**. Therefore, if a computer contains this key, then Adobe Acrobat Reader 7 is installed on the computer. You can check for the existence of a registry key using the **DoesObjectExist** helper function. - -Usually, you can find this key by searching under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall** for the name of the application, the name of the application executable file, or for the name of the company that makes the application. You can use the Registry Editor (**Regedit.exe** located in the %**SystemRoot**%) to search the registry. - -### Check the file system for the application executable file. - -You should also check the application binaries for the executable that installed the application. To do this, you will first need to determine where the application is installed and what the name of the executable is. Most applications store the installation location of the application binaries in the registry. You should search the registry for the name of the application, the name of the application executable, or for the name of the company that makes the application, until you find the registry value that contains the installation path. Once you have determined the path to the application executable, you can use the **DoesFileVersionMatch** helper function to check for the correct version of the application executable. For an example of how to do this, see the Windows Live™ Messenger section of the MigApp.xml file. - -## Step 2: Identify settings to collect and determine where each setting is stored on the computer. - - -Next, you should go through the user interface and make a list of all of the available settings. You can reduce the list if there are settings that you do not want to migrate. To determine where each setting is stored, you will need to change each setting and monitor the activity on the registry and the file system. You do not need to migrate the binary files and registry settings that are made when the application is installed. This is because you will need to reinstall the application onto the destination computer. You only need to migrate those settings that are customizable. - -### - -**How To Determine Where Each Setting is Stored** - -1. Download a file and registry monitoring tool, such as the Regmon and Filemon tools, from the [Windows Sysinternals Web site](https://go.microsoft.com/fwlink/p/?linkid=36109). - -2. Shut down as many applications as possible to limit the registry and file system activity on the computer. - -3. Filter the output of the tools so it only displays changes being made by the application. - - **Note**   - Most applications store their settings under the user profile. That is, the settings stored in the file system are under the %**UserProfile**% directory, and the settings stored in the registry are under the **HKEY\_CURRENT\_USER** hive. For these applications you can filter the output of the file and registry monitoring tools to show activity only under these locations. This will considerably reduce the amount of output that you will need to examine. - - - -4. Start the monitoring tool(s), change a setting, and look for registry and file system writes that occurred when you changed the setting. Make sure the changes you make actually take effect. For example, if you are changing a setting in Microsoft Word by selecting a check box in the **Options** dialog box, the change typically will not take effect until you close the dialog box by clicking **OK**. - -5. When the setting is changed, note the changes to the file system and registry. There may be more than one file or registry values for each setting. You should identify the minimal set of file and registry changes that are required to change this setting. This set of files and registry keys is what you will need to migrate in order to migrate the setting. - - **Note**   - Changing an application setting invariably leads to writing to registry keys. If possible, filter the output of the file and registry monitor tool to display only writes to files and registry keys/values. - - - -## Step 3: Identify how to apply the gathered settings. - - -If the version of the application on the source computer is the same as the one on the destination computer, then you do not have to modify the collected files and registry keys. By default, USMT migrates the files and registry keys from the source location to the corresponding location on the destination computer. For example, if a file was collected from the C:\\Documents and Settings\\User1\\My Documents folder and the profile directory on the destination computer is located at D:\\Users\\User1, then USMT will automatically migrate the file to D:\\Users\\User1\\My Documents. However, you may need to modify the location of some settings in the following three cases: - -### Case 1: The version of the application on the destination computer is newer than the one on the source computer. - -In this case, the newer version of the application may be able to read the settings from the source computer without modification. That is, the data collected from an older version of the application is sometimes compatible with the newer version of the application. However, you may need to modify the setting location if either of the following is true: - -- **The newer version of the application has the ability to import settings from an older version.** This mapping usually happens the first time a user runs the newer version after the settings have been migrated. Some applications do this automatically after settings are migrated; however, other applications will only do this if the application was upgraded from the older version. When the application is upgraded, a set of files and/or registry keys is installed that indicates the older version of the application was previously installed. If you perform a clean installation of the newer version (which is the case in most migrations), the computer does not contain this set of files and registry keys so the mapping does not occur. In order to trick the newer version of the application into initiating this import process, your migration script may need to create these files and/or registry keys on the destination computer. - - To identify which files and/or registry keys/values need to be created to cause the import, you should upgrade the older version of the application to the newer one and monitor the changes made to the file system and registry by using the same process described in [How To determine where each setting is stored](#bkmkdetermine). Once you know the set of files that the computer needs, you can use the <`addObjects`> element to add them to the destination computer. - -- [The newer version of the application cannot read settings from the source computer and it is also unable to import the settings into the new format.](#bkmkdetermine) In this case, you will need to create a mapping for each setting from the old locations to the new locations. To do this, determine where the newer version stores each setting using the process described in How to determine where each setting is stored. After you have created the mapping, apply the settings to the new location on the destination computer using the <`locationModify`> element, and the **RelativeMove** and **ExactMove** helper functions. - -### Case 2: The destination computer already contains settings for the application. - -We recommend that you migrate the settings after you install the application, but before the user runs the application for the first time. We recommend this because this ensures that there are no settings on the destination computer when you migrate the settings. If you must install the application before the migration, you should delete any existing settings using the <`destinationCleanup`> element. If for any reason you want to preserve the settings that are on the destination computer, you can use the <`merge`> element and **DestinationPriority** helper function. - -### Case 3: The application overwrites settings when it is installed. - -We recommend that you migrate the settings after you install the application, but before the user runs the application for the first time. We recommend this because this ensures that there are no settings on the destination computer when you migrate the settings. Also, when some applications are installed, they overwrite any existing settings that are on the computer. In this scenario, if you migrated the data before you installed the application, your customized settings would be overwritten. This is common for applications that store settings in locations that are outside of the user profile (typically these are settings that apply to all users). These universal settings are sometimes overwritten when an application is installed, and they are replaced by default values. To avoid this, you must install these applications before migrating the files and settings to the destination computer. By default with USMT, data from the source computer overwrites data that already exists in the same location on the destination computer. - -## Step 4: Create the migration XML component for the application - - -After you have completed steps 1 through 3, you will need to create a custom migration .xml file that migrates the application based on the information that you now have. You can use the MigApp.xml file as a model because it contains examples of many of the concepts discussed in this topic. You can also see [Custom XML Examples](usmt-custom-xml-examples.md) for another sample .xml file. - -**Note**   -We recommend that you create a separate .xml file instead of adding your script to the **MigApp.xml** file. This is because the **MigApp.xml** file is a very large file and it will be difficult to read and edit. In addition, if you reinstall USMT for some reason, the **MigApp.xml** file will be overwritten by the default version of the file and you will lose your customized version. - - - -**Important**   -Some applications store information in the user profile that should not be migrated (for example, application installation paths, the computer name, and so on). You should make sure to exclude these files and registry keys from the migration. - - - -Your script should do the following: - -1. Check whether the application and correct version is installed by: - - - Searching for the installation uninstall key under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall** using the **DoesObjectExist** helper function. - - - Checking for the correct version of the application executable file using the **DoesFileVersionMatch** helper function. - -2. If the correct version of the application is installed, then ensure that each setting is migrated to the appropriate location on the destination computer. - - - If the versions of the applications are the same on both the source and destination computers, migrate each setting using the <`include`> and <`exclude`> elements. - - - If the version of the application on the destination computer is newer than the one on the source computer, and the application cannot import the settings, your script should either 1) add the set of files that trigger the import using the <`addObjects`> element or 2) create a mapping that applies the old settings to the correct location on the destination computer using the <`locationModify`> element, and the **RelativeMove** and **ExactMove** helper functions. - - - If you must install the application before migrating the settings, delete any settings that are already on the destination computer using the <`destinationCleanup`> element. - -For information about the .xml elements and helper functions, see [XML Elements Library](usmt-xml-elements-library.md). - -## Step 5: Test the application settings migration - - -On a test computer, install the operating system that will be installed on the destination computers. For example, if you are planning on migrating from Windows 7 to Windows 10, install Windows 10 and the application. Next, run LoadState on the test computer and verify that all settings migrate. Make corrections if necessary and repeat the process until all the necessary settings are migrated correctly. - -To speed up the time it takes to collect and migrate the data, you can migrate only one user at a time, and you can exclude all other components from the migration except the application that you are testing. To specify only User1 in the migration, type: **/ue:\*\\\* /ui:user1**. For more information, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md) and User options in the [ScanState Syntax](usmt-scanstate-syntax.md) topic. To troubleshoot a problem, check the progress log, and the ScanState and LoadState logs, which contain warnings and errors that may point to problems with the migration. - -## Related topics - - -[USMT XML Reference](usmt-xml-reference.md) - -[Conflicts and Precedence](usmt-conflicts-and-precedence.md) - -[XML Elements Library](usmt-xml-elements-library.md) - -[Log Files](usmt-log-files.md) - - - - - - - - - +--- +title: Migrate Application Settings (Windows 10) +description: Migrate Application Settings +ms.assetid: 28f70a83-0a3e-4a6b-968a-2b78ccd3cc07 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Migrate Application Settings + + +You can create a custom .xml file to migrate specific line-of-business application settings or to change the default migration behavior of the User State Migration Tool (USMT) 10.0. For ScanState and LoadState to use this file, you must specify the custom .xml file on both command lines. + +This topic defines how to author a custom migration .xml file that migrates the settings of an application that is not migrated by default using MigApp.xml. You should migrate the settings after you install the application, but before the user runs the application for the first time. + +This topic does not contain information about how to migrate applications that store settings in an application-specific store, only the applications that store the information in files or in the registry. It also does not contain information about how to migrate the data that users create using the application. For example, if the application creates .doc files using a specific template, this topic does not discuss how to migrate the .doc files and templates themselves. + +## In this Topic + + +- [Before You Begin](#bkmk-beforebegin) + +- [Step 1: Verify that the application is installed on the source computer, and that it is the same version as the version to be installed on the destination computer](#bkmk-step1). + +- [Step 2: Identify settings to collect and determine where each setting is stored on the computer](#bkmk-step2). + +- [Step 3: Identify how to apply the gathered settings](#bkmk-step3). + +- [Step 4: Create the migration XML component for the application](#bkmk-step4). + +- [Step 5: Test the application settings migration](#bkmk-step5). + +## Before You Begin + + +You should identify a test computer that contains the operating system of your source computers, and the application whose settings you want to migrate. For example, if you are planning on migrating from Windows 7 to Windows 10, install Windows 7 on your test computer and then install the application. + +## Step 1: Verify that the application is installed on the source computer, and that it is the same version as the version to be installed on the destination computer. + + +Before USMT migrates the settings, you need it to check whether the application is installed on the source computer, and that it is the correct version. If the application is not installed on the source computer, you probably do not want USMT to spend time searching for the application’s settings. More importantly, if USMT collects settings for an application that is not installed, it may migrate settings that will cause the destination computer to function incorrectly. You should also investigate whether there is more than one version of the application. This is because the new version may not store the settings in the same place, which may lead to unexpected results on the destination computer. + +There are many ways to detect if an application is installed. The best practice is to check for an application uninstall key in the registry, and then search the computer for the executable file that installed the application. It is important that you check for both of these items, because sometimes different versions of the same application share the same uninstall key. So even if the key is there, it may not correspond to the version of the application that you want. + +### Check the registry for an application uninstall key. + +When many applications are installed (especially those installed using the Microsoft® Windows® Installer technology), an application uninstall key is created under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall**. For example, when Adobe Acrobat Reader 7 is installed, it creates a key named **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall \\{AC76BA86-7AD7-1033-7B44-A70000000000}**. Therefore, if a computer contains this key, then Adobe Acrobat Reader 7 is installed on the computer. You can check for the existence of a registry key using the **DoesObjectExist** helper function. + +Usually, you can find this key by searching under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall** for the name of the application, the name of the application executable file, or for the name of the company that makes the application. You can use the Registry Editor (**Regedit.exe** located in the %**SystemRoot**%) to search the registry. + +### Check the file system for the application executable file. + +You should also check the application binaries for the executable that installed the application. To do this, you will first need to determine where the application is installed and what the name of the executable is. Most applications store the installation location of the application binaries in the registry. You should search the registry for the name of the application, the name of the application executable, or for the name of the company that makes the application, until you find the registry value that contains the installation path. Once you have determined the path to the application executable, you can use the **DoesFileVersionMatch** helper function to check for the correct version of the application executable. For an example of how to do this, see the Windows Live™ Messenger section of the MigApp.xml file. + +## Step 2: Identify settings to collect and determine where each setting is stored on the computer. + + +Next, you should go through the user interface and make a list of all of the available settings. You can reduce the list if there are settings that you do not want to migrate. To determine where each setting is stored, you will need to change each setting and monitor the activity on the registry and the file system. You do not need to migrate the binary files and registry settings that are made when the application is installed. This is because you will need to reinstall the application onto the destination computer. You only need to migrate those settings that are customizable. + +### + +**How To Determine Where Each Setting is Stored** + +1. Download a file and registry monitoring tool, such as the Regmon and Filemon tools, from the [Windows Sysinternals Web site](https://go.microsoft.com/fwlink/p/?linkid=36109). + +2. Shut down as many applications as possible to limit the registry and file system activity on the computer. + +3. Filter the output of the tools so it only displays changes being made by the application. + + **Note**   + Most applications store their settings under the user profile. That is, the settings stored in the file system are under the %**UserProfile**% directory, and the settings stored in the registry are under the **HKEY\_CURRENT\_USER** hive. For these applications you can filter the output of the file and registry monitoring tools to show activity only under these locations. This will considerably reduce the amount of output that you will need to examine. + + + +4. Start the monitoring tool(s), change a setting, and look for registry and file system writes that occurred when you changed the setting. Make sure the changes you make actually take effect. For example, if you are changing a setting in Microsoft Word by selecting a check box in the **Options** dialog box, the change typically will not take effect until you close the dialog box by clicking **OK**. + +5. When the setting is changed, note the changes to the file system and registry. There may be more than one file or registry values for each setting. You should identify the minimal set of file and registry changes that are required to change this setting. This set of files and registry keys is what you will need to migrate in order to migrate the setting. + + **Note**   + Changing an application setting invariably leads to writing to registry keys. If possible, filter the output of the file and registry monitor tool to display only writes to files and registry keys/values. + + + +## Step 3: Identify how to apply the gathered settings. + + +If the version of the application on the source computer is the same as the one on the destination computer, then you do not have to modify the collected files and registry keys. By default, USMT migrates the files and registry keys from the source location to the corresponding location on the destination computer. For example, if a file was collected from the C:\\Documents and Settings\\User1\\My Documents folder and the profile directory on the destination computer is located at D:\\Users\\User1, then USMT will automatically migrate the file to D:\\Users\\User1\\My Documents. However, you may need to modify the location of some settings in the following three cases: + +### Case 1: The version of the application on the destination computer is newer than the one on the source computer. + +In this case, the newer version of the application may be able to read the settings from the source computer without modification. That is, the data collected from an older version of the application is sometimes compatible with the newer version of the application. However, you may need to modify the setting location if either of the following is true: + +- **The newer version of the application has the ability to import settings from an older version.** This mapping usually happens the first time a user runs the newer version after the settings have been migrated. Some applications do this automatically after settings are migrated; however, other applications will only do this if the application was upgraded from the older version. When the application is upgraded, a set of files and/or registry keys is installed that indicates the older version of the application was previously installed. If you perform a clean installation of the newer version (which is the case in most migrations), the computer does not contain this set of files and registry keys so the mapping does not occur. In order to trick the newer version of the application into initiating this import process, your migration script may need to create these files and/or registry keys on the destination computer. + + To identify which files and/or registry keys/values need to be created to cause the import, you should upgrade the older version of the application to the newer one and monitor the changes made to the file system and registry by using the same process described in [How To determine where each setting is stored](#bkmkdetermine). Once you know the set of files that the computer needs, you can use the <`addObjects`> element to add them to the destination computer. + +- [The newer version of the application cannot read settings from the source computer and it is also unable to import the settings into the new format.](#bkmkdetermine) In this case, you will need to create a mapping for each setting from the old locations to the new locations. To do this, determine where the newer version stores each setting using the process described in How to determine where each setting is stored. After you have created the mapping, apply the settings to the new location on the destination computer using the <`locationModify`> element, and the **RelativeMove** and **ExactMove** helper functions. + +### Case 2: The destination computer already contains settings for the application. + +We recommend that you migrate the settings after you install the application, but before the user runs the application for the first time. We recommend this because this ensures that there are no settings on the destination computer when you migrate the settings. If you must install the application before the migration, you should delete any existing settings using the <`destinationCleanup`> element. If for any reason you want to preserve the settings that are on the destination computer, you can use the <`merge`> element and **DestinationPriority** helper function. + +### Case 3: The application overwrites settings when it is installed. + +We recommend that you migrate the settings after you install the application, but before the user runs the application for the first time. We recommend this because this ensures that there are no settings on the destination computer when you migrate the settings. Also, when some applications are installed, they overwrite any existing settings that are on the computer. In this scenario, if you migrated the data before you installed the application, your customized settings would be overwritten. This is common for applications that store settings in locations that are outside of the user profile (typically these are settings that apply to all users). These universal settings are sometimes overwritten when an application is installed, and they are replaced by default values. To avoid this, you must install these applications before migrating the files and settings to the destination computer. By default with USMT, data from the source computer overwrites data that already exists in the same location on the destination computer. + +## Step 4: Create the migration XML component for the application + + +After you have completed steps 1 through 3, you will need to create a custom migration .xml file that migrates the application based on the information that you now have. You can use the MigApp.xml file as a model because it contains examples of many of the concepts discussed in this topic. You can also see [Custom XML Examples](usmt-custom-xml-examples.md) for another sample .xml file. + +**Note**   +We recommend that you create a separate .xml file instead of adding your script to the **MigApp.xml** file. This is because the **MigApp.xml** file is a very large file and it will be difficult to read and edit. In addition, if you reinstall USMT for some reason, the **MigApp.xml** file will be overwritten by the default version of the file and you will lose your customized version. + + + +**Important**   +Some applications store information in the user profile that should not be migrated (for example, application installation paths, the computer name, and so on). You should make sure to exclude these files and registry keys from the migration. + + + +Your script should do the following: + +1. Check whether the application and correct version is installed by: + + - Searching for the installation uninstall key under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall** using the **DoesObjectExist** helper function. + + - Checking for the correct version of the application executable file using the **DoesFileVersionMatch** helper function. + +2. If the correct version of the application is installed, then ensure that each setting is migrated to the appropriate location on the destination computer. + + - If the versions of the applications are the same on both the source and destination computers, migrate each setting using the <`include`> and <`exclude`> elements. + + - If the version of the application on the destination computer is newer than the one on the source computer, and the application cannot import the settings, your script should either 1) add the set of files that trigger the import using the <`addObjects`> element or 2) create a mapping that applies the old settings to the correct location on the destination computer using the <`locationModify`> element, and the **RelativeMove** and **ExactMove** helper functions. + + - If you must install the application before migrating the settings, delete any settings that are already on the destination computer using the <`destinationCleanup`> element. + +For information about the .xml elements and helper functions, see [XML Elements Library](usmt-xml-elements-library.md). + +## Step 5: Test the application settings migration + + +On a test computer, install the operating system that will be installed on the destination computers. For example, if you are planning on migrating from Windows 7 to Windows 10, install Windows 10 and the application. Next, run LoadState on the test computer and verify that all settings migrate. Make corrections if necessary and repeat the process until all the necessary settings are migrated correctly. + +To speed up the time it takes to collect and migrate the data, you can migrate only one user at a time, and you can exclude all other components from the migration except the application that you are testing. To specify only User1 in the migration, type: **/ue:\*\\\* /ui:user1**. For more information, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md) and User options in the [ScanState Syntax](usmt-scanstate-syntax.md) topic. To troubleshoot a problem, check the progress log, and the ScanState and LoadState logs, which contain warnings and errors that may point to problems with the migration. + +## Related topics + + +[USMT XML Reference](usmt-xml-reference.md) + +[Conflicts and Precedence](usmt-conflicts-and-precedence.md) + +[XML Elements Library](usmt-xml-elements-library.md) + +[Log Files](usmt-log-files.md) + + + + + + + + + diff --git a/windows/deployment/usmt/migration-store-types-overview.md b/windows/deployment/usmt/migration-store-types-overview.md index b27a83634c..2d1d744fa6 100644 --- a/windows/deployment/usmt/migration-store-types-overview.md +++ b/windows/deployment/usmt/migration-store-types-overview.md @@ -1,81 +1,81 @@ ---- -title: Migration Store Types Overview (Windows 10) -description: Migration Store Types Overview -ms.assetid: 3b6ce746-76c6-43ff-8cd5-02ed0ae0cf70 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Migration Store Types Overview - - -When planning your migration, you should determine which migration store type best meets your needs. As part of these considerations, determine how much space is required to run the User State Migration Tool (USMT) 10.0 components on your source and destination computers. You should also determine the space needed to create and host the migration store, whether you are using a local share, network share, or storage device. - -## In This Topic - - -[Migration Store Types](#bkmk-types) - -[Local Store vs. Remote Store](#bkmk-localvremote) - -[The /localonly Command-Line Option](#bkmk-localonly) - -## Migration Store Types - - -This section describes the three migration store types available in USMT. - -### Uncompressed (UNC) - -The uncompressed (UNC) migration store is an uncompressed directory with a mirror image of the folder hierarchy being migrated. Each directory and file retains the same access permissions that it has on the local file system. You can use Windows Explorer to view this migration store type. Settings are stored in a catalog file that also describes how to restore files on the destination computer. - -### Compressed - -The compressed migration store is a single image file that contains all files being migrated and a catalog file. This image file is often encrypted and protected with a password, and cannot be navigated with Windows Explorer. - -### Hard-Link - -A hard-link migration store functions as a map that defines how a collection of bits on the hard disk are “wired” into the file system. You use the new USMT hard-link migration store in the PC Refresh scenario only. This is because the hard-link migration store is maintained on the local computer while the old operating system is removed and the new operating system is installed. Using a hard-link migration store saves network bandwidth and minimizes the server use needed to accomplish the migration. - -You use a command-line option,**/hardlink** , to create a hard-link migration store, which functions the same as an uncompressed migration store. Files are not duplicated on the local computer when user state is captured, nor are they duplicated when user state is restored. For more information, see [Hard-Link Migration Store](usmt-hard-link-migration-store.md). - -The following flowchart illustrates the procedural differences between a local migration store and a remote migration store. In this example, a hard-link migration store is used for the local store. - -![migration store comparison](images/dep-win8-l-usmt-migrationcomparemigstores.gif) - -## Local Store vs. Remote Store - - -If you have enough space and you are migrating the user state back to the same computer, storing data on a local device is normally the best option to reduce server storage costs and network performance issues. You can store the data locally either on a different partition or on a removable device such as a USB flash drive (UFD). Also, depending on the imaging technology that you are using, you might be able to store the data on the partition that is being re-imaged, if the data will be protected from deletion during the process. To increase performance, store the data on high-speed drives that use a high-speed network connection. It is also good practice to ensure that the migration is the only task the server is performing. - -If there is not enough local disk space, or if you are moving the user state to another computer, then you must store the data remotely. For example, you can store it in on a shared folder, on removable media such as a UFD drive, or you can store it directly on the destination computer. For example, create and share C:\\store on the destination computer. Then run the ScanState command on the source computer and save the files and settings to \\\\*DestinationComputerName*\\store. Then, run the **LoadState** command on the destination computer and specify **C:\\Store** as the store location. By doing this, you do not need to save the files to a server. - -**Important**   -If possible, have users store their data within their %UserProfile%\\My Documents and %UserProfile%\\Application Data folders. This will reduce the chance of USMT missing critical user data that is located in a directory that USMT is not configured to check. - - - -### The /localonly Command-Line Option - -You should use this option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify **/LocalOnly**, see [ScanState Syntax](usmt-scanstate-syntax.md). - -## Related topics - - -[Plan Your Migration](usmt-plan-your-migration.md) - - - - - - - - - +--- +title: Migration Store Types Overview (Windows 10) +description: Migration Store Types Overview +ms.assetid: 3b6ce746-76c6-43ff-8cd5-02ed0ae0cf70 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Migration Store Types Overview + + +When planning your migration, you should determine which migration store type best meets your needs. As part of these considerations, determine how much space is required to run the User State Migration Tool (USMT) 10.0 components on your source and destination computers. You should also determine the space needed to create and host the migration store, whether you are using a local share, network share, or storage device. + +## In This Topic + + +[Migration Store Types](#bkmk-types) + +[Local Store vs. Remote Store](#bkmk-localvremote) + +[The /localonly Command-Line Option](#bkmk-localonly) + +## Migration Store Types + + +This section describes the three migration store types available in USMT. + +### Uncompressed (UNC) + +The uncompressed (UNC) migration store is an uncompressed directory with a mirror image of the folder hierarchy being migrated. Each directory and file retains the same access permissions that it has on the local file system. You can use Windows Explorer to view this migration store type. Settings are stored in a catalog file that also describes how to restore files on the destination computer. + +### Compressed + +The compressed migration store is a single image file that contains all files being migrated and a catalog file. This image file is often encrypted and protected with a password, and cannot be navigated with Windows Explorer. + +### Hard-Link + +A hard-link migration store functions as a map that defines how a collection of bits on the hard disk are “wired” into the file system. You use the new USMT hard-link migration store in the PC Refresh scenario only. This is because the hard-link migration store is maintained on the local computer while the old operating system is removed and the new operating system is installed. Using a hard-link migration store saves network bandwidth and minimizes the server use needed to accomplish the migration. + +You use a command-line option,**/hardlink** , to create a hard-link migration store, which functions the same as an uncompressed migration store. Files are not duplicated on the local computer when user state is captured, nor are they duplicated when user state is restored. For more information, see [Hard-Link Migration Store](usmt-hard-link-migration-store.md). + +The following flowchart illustrates the procedural differences between a local migration store and a remote migration store. In this example, a hard-link migration store is used for the local store. + +![migration store comparison](images/dep-win8-l-usmt-migrationcomparemigstores.gif) + +## Local Store vs. Remote Store + + +If you have enough space and you are migrating the user state back to the same computer, storing data on a local device is normally the best option to reduce server storage costs and network performance issues. You can store the data locally either on a different partition or on a removable device such as a USB flash drive (UFD). Also, depending on the imaging technology that you are using, you might be able to store the data on the partition that is being re-imaged, if the data will be protected from deletion during the process. To increase performance, store the data on high-speed drives that use a high-speed network connection. It is also good practice to ensure that the migration is the only task the server is performing. + +If there is not enough local disk space, or if you are moving the user state to another computer, then you must store the data remotely. For example, you can store it in on a shared folder, on removable media such as a UFD drive, or you can store it directly on the destination computer. For example, create and share C:\\store on the destination computer. Then run the ScanState command on the source computer and save the files and settings to \\\\*DestinationComputerName*\\store. Then, run the **LoadState** command on the destination computer and specify **C:\\Store** as the store location. By doing this, you do not need to save the files to a server. + +**Important**   +If possible, have users store their data within their %UserProfile%\\My Documents and %UserProfile%\\Application Data folders. This will reduce the chance of USMT missing critical user data that is located in a directory that USMT is not configured to check. + + + +### The /localonly Command-Line Option + +You should use this option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify **/LocalOnly**, see [ScanState Syntax](usmt-scanstate-syntax.md). + +## Related topics + + +[Plan Your Migration](usmt-plan-your-migration.md) + + + + + + + + + diff --git a/windows/deployment/usmt/offline-migration-reference.md b/windows/deployment/usmt/offline-migration-reference.md index 4b040c9e52..2eab7ea7b8 100644 --- a/windows/deployment/usmt/offline-migration-reference.md +++ b/windows/deployment/usmt/offline-migration-reference.md @@ -8,6 +8,7 @@ ms.author: greglin ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.date: 04/19/2017 ms.topic: article @@ -104,7 +105,7 @@ It is possible to run the ScanState tool while the drive remains encrypted by su User-group membership is not preserved during offline migrations. You must configure a **<ProfileControl>** section in the Config.xml file to specify the groups that the migrated users should be made members of. The following example places all migrated users into the Users group: -```xml +``` xml @@ -242,7 +243,7 @@ Syntax: <failOnMultipleWinDir>1</failOnMultipleWinDir> or Syntax: &l The following XML example illustrates some of the elements discussed earlier in this topic. -```xml +``` xml C:\Windows diff --git a/windows/deployment/usmt/understanding-migration-xml-files.md b/windows/deployment/usmt/understanding-migration-xml-files.md index afdad114f9..bc484bd496 100644 --- a/windows/deployment/usmt/understanding-migration-xml-files.md +++ b/windows/deployment/usmt/understanding-migration-xml-files.md @@ -8,6 +8,7 @@ ms.author: greglin ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.date: 04/19/2017 ms.topic: article @@ -225,7 +226,7 @@ You can use multiple XML files with the ScanState and LoadState tools. Each of t For example, you can use all of the XML migration file types for a single migration, as in the following example: -``` syntax +``` Scanstate /config:c:\myFolder\config.xml /i:migapps.xml /i:migdocs.xml /i:customrules.xml ``` @@ -258,14 +259,14 @@ To generate the XML migration rules file for a source computer: 3. At the command prompt, type: - ``` syntax + ``` cd /d scanstate.exe /genmigxml: ``` Where *<USMTpath>* is the location on your source computer where you have saved the USMT files and tools, and *<filepath.xml>* is the full path to a file where you can save the report. For example, type: - ``` syntax + ``` cd /d c:\USMT scanstate.exe /genmigxml:"C:\Documents and Settings\USMT Tester\Desktop\genMig.xml" ``` @@ -313,13 +314,13 @@ The MigDocs.xml file calls the **GenerateDocPatterns** function, which takes thr **Usage:** -``` syntax +``` MigXmlHelper.GenerateDocPatterns ("", "", "") ``` To create include data patterns for only the system drive: -```xml +``` xml @@ -329,7 +330,7 @@ To create include data patterns for only the system drive: To create an include rule to gather files for registered extensions from the %PROGRAMFILES% directory: -```xml +``` xml @@ -339,7 +340,7 @@ To create an include rule to gather files for registered extensions from the %PR To create exclude data patterns: -```xml +``` xml @@ -440,7 +441,7 @@ To exclude the new text document.txt file as well as any .txt files in “new fo To exclude Rule 1, there needs to be an exact match of the file name. However, for Rule 2, you can create a pattern to exclude files by using the file name extension. -```xml +``` xml D:\Newfolder\[new text document.txt] @@ -453,7 +454,7 @@ To exclude Rule 1, there needs to be an exact match of the file name. However, f If you do not know the file name or location of the file, but you do know the file name extension, you can use the **GenerateDrivePatterns** function. However, the rule will be less specific than the default include rule generated by the MigDocs.xml file, so it will not have precedence. You must use the <UnconditionalExclude> element to give this rule precedence over the default include rule. For more information about the order of precedence for XML migration rules, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). -```xml +``` xml @@ -465,7 +466,7 @@ If you do not know the file name or location of the file, but you do know the fi If you want the <UnconditionalExclude> element to apply to both the system and user context, you can create a third component using the **UserandSystem** context. Rules in this component will be run in both contexts. -```xml +``` xml MigDocExcludes @@ -490,7 +491,7 @@ The application data directory is the most common location that you would need t This rule will include .pst files that are located in the default location, but are not linked to Microsoft Outlook. Use the user context to run this rule for each user on the computer. -```xml +``` xml %CSIDL_LOCAL_APPDATA%\Microsoft\Outlook\*[*.pst] @@ -502,7 +503,7 @@ This rule will include .pst files that are located in the default location, but For locations outside the user profile, such as the Program Files folder, you can add the rule to the system context component. -```xml +``` xml %CSIDL_PROGRAM_FILES%\*[*.pst] diff --git a/windows/deployment/usmt/usmt-best-practices.md b/windows/deployment/usmt/usmt-best-practices.md index abd95bff7e..48782e0bdc 100644 --- a/windows/deployment/usmt/usmt-best-practices.md +++ b/windows/deployment/usmt/usmt-best-practices.md @@ -8,6 +8,7 @@ ms.author: greglin ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.date: 04/19/2017 ms.topic: article @@ -98,7 +99,7 @@ As the authorized administrator, it is your responsibility to protect the privac Although it is not a requirement, it is good practice for <CustomFileName> to match the name of the file. For example, the following is from the MigApp.xml file: - ```xml + ``` xml ``` diff --git a/windows/deployment/usmt/usmt-choose-migration-store-type.md b/windows/deployment/usmt/usmt-choose-migration-store-type.md index 50445e7561..75c4393563 100644 --- a/windows/deployment/usmt/usmt-choose-migration-store-type.md +++ b/windows/deployment/usmt/usmt-choose-migration-store-type.md @@ -1,65 +1,65 @@ ---- -title: Choose a Migration Store Type (Windows 10) -description: Choose a Migration Store Type -ms.assetid: 4e163e90-9c57-490b-b849-2ed52ab6765f -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Choose a Migration Store Type - - -One of the main considerations for planning your migration is to determine which migration store type best meets your needs. As part of these considerations, determine how much space is required to run the User State Migration Tool (USMT) 10.0 components on your source and destination computers, and how much space is needed to create and host the migration store, whether you are using a local share, network share, or storage device. The final consideration is ensuring that user date integrity is maintained by encrypting the migration store. - -## In This Section - - - ---- - - - - - - - - - - - - - - - - - - -

          Migration Store Types Overview

          Choose the migration store type that works best for your needs and migration scenario.

          Estimate Migration Store Size

          Estimate the amount of disk space needed for computers in your organization based on information about your organization's infrastructure.

          Hard-Link Migration Store

          Learn about hard-link migration stores and the scenarios in which they are used.

          Migration Store Encryption

          Learn about the using migration store encryption to protect user data integrity during a migration.

          - - - -## Related topics - - -[Plan Your Migration](usmt-plan-your-migration.md) - -[User State Migration Tool (USMT) How-to topics](usmt-how-to.md) - - - - - - - - - +--- +title: Choose a Migration Store Type (Windows 10) +description: Choose a Migration Store Type +ms.assetid: 4e163e90-9c57-490b-b849-2ed52ab6765f +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Choose a Migration Store Type + + +One of the main considerations for planning your migration is to determine which migration store type best meets your needs. As part of these considerations, determine how much space is required to run the User State Migration Tool (USMT) 10.0 components on your source and destination computers, and how much space is needed to create and host the migration store, whether you are using a local share, network share, or storage device. The final consideration is ensuring that user date integrity is maintained by encrypting the migration store. + +## In This Section + + + ++++ + + + + + + + + + + + + + + + + + + +

          Migration Store Types Overview

          Choose the migration store type that works best for your needs and migration scenario.

          Estimate Migration Store Size

          Estimate the amount of disk space needed for computers in your organization based on information about your organization's infrastructure.

          Hard-Link Migration Store

          Learn about hard-link migration stores and the scenarios in which they are used.

          Migration Store Encryption

          Learn about the using migration store encryption to protect user data integrity during a migration.

          + + + +## Related topics + + +[Plan Your Migration](usmt-plan-your-migration.md) + +[User State Migration Tool (USMT) How-to topics](usmt-how-to.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-command-line-syntax.md b/windows/deployment/usmt/usmt-command-line-syntax.md index 2f513af87c..43d9d9c686 100644 --- a/windows/deployment/usmt/usmt-command-line-syntax.md +++ b/windows/deployment/usmt/usmt-command-line-syntax.md @@ -1,54 +1,54 @@ ---- -title: User State Migration Tool (USMT) Command-line Syntax (Windows 10) -description: User State Migration Tool (USMT) Command-line Syntax -ms.assetid: f9d205c9-e824-46c7-8d8b-d7e4b52fd514 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# User State Migration Tool (USMT) Command-line Syntax - - -The User State Migration Tool (USMT) 10.0 migrates user files and settings during large deployments of Windows. To improve and simplify the migration process, USMT captures desktop, network, and application settings in addition to a user's files. USMT then migrates these items to a new Windows installation. - -## In This Section - - - ---- - - - - - - - - - - - - - - -

          ScanState Syntax

          Lists the command-line options for using the ScanState tool.

          LoadState Syntax

          Lists the command-line options for using the LoadState tool.

          UsmtUtils Syntax

          Lists the command-line options for using the UsmtUtils tool.

          - - - - - - - - - - - +--- +title: User State Migration Tool (USMT) Command-line Syntax (Windows 10) +description: User State Migration Tool (USMT) Command-line Syntax +ms.assetid: f9d205c9-e824-46c7-8d8b-d7e4b52fd514 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# User State Migration Tool (USMT) Command-line Syntax + + +The User State Migration Tool (USMT) 10.0 migrates user files and settings during large deployments of Windows. To improve and simplify the migration process, USMT captures desktop, network, and application settings in addition to a user's files. USMT then migrates these items to a new Windows installation. + +## In This Section + + + ++++ + + + + + + + + + + + + + + +

          ScanState Syntax

          Lists the command-line options for using the ScanState tool.

          LoadState Syntax

          Lists the command-line options for using the LoadState tool.

          UsmtUtils Syntax

          Lists the command-line options for using the UsmtUtils tool.

          + + + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-common-issues.md b/windows/deployment/usmt/usmt-common-issues.md index 45c41d0914..49aa08dbfe 100644 --- a/windows/deployment/usmt/usmt-common-issues.md +++ b/windows/deployment/usmt/usmt-common-issues.md @@ -1,340 +1,340 @@ ---- -title: Common Issues (Windows 10) -description: Common Issues -ms.assetid: 5a37e390-8617-4768-9eee-50397fbbb2e1 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.date: 09/19/2017 -author: greg-lindsay -ms.topic: article ---- - -# Common Issues - - -The following sections discuss common issues that you might see when you run the User State Migration Tool (USMT) 10.0 tools. USMT produces log files that describe in further detail any errors that occurred during the migration process. These logs can be used to troubleshoot migration failures. - -## In This Topic - - -[User Account Problems](#user) - -[Command-line Problems](#command) - -[XML File Problems](#xml) - -[Migration Problems](#migration) - -[Offline Migration Problems](#bkmk-offline) - -[Hard Link Migration Problems](#bkmk-hardlink) - -[USMT does not migrate the Start layout](#usmt-does-not-migrate-the-start-layout) - -## General Guidelines for Identifying Migration Problems - - -When you encounter a problem or error message during migration, you can use the following general guidelines to help determine the source of the problem: - -- Examine the ScanState, LoadState, and UsmtUtils logs to obtain the exact USMT error messages and Windows® application programming interface (API) error messages. For more information about USMT return codes and error messages, see [Return Codes](usmt-return-codes.md). For more information about Windows API error messages, type **nethelpmsg** on the command line. - - In most cases, the ScanState and LoadState logs indicate why a USMT migration is failing. We recommend that you use the **/v**:5 option when testing your migration. This verbosity level can be adjusted in a production migration; however, reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a verbosity level higher than 5 if you want the log files output to go to a debugger. - - **Note** - Running the ScanState and LoadState tools with the **/v**:5 option creates a detailed log file. Although this option makes the log file large, the extra detail can help you determine where migration errors occurred. - - - -- Use the **/Verify** option in the UsmtUtils tool to determine whether any files in a compressed migration store are corrupted. For more information, see [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md). - -- Use the **/Extract** option in the UsmtUtils tool to extract files from a compressed migration store. For more information, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md). - -- Create a progress log using the **/Progress** option to monitor your migration. - -- For the source and destination computers, obtain operating system information, and versions of applications such as Internet Explorer and any other relevant programs. Then verify the exact steps that are needed to reproduce the problem. This information might help you to understand what is wrong and to reproduce the issue in your testing environment. - -- Log off after you run the LoadState tool. Some settings—for example, fonts, desktop backgrounds, and screen-saver settings—will not take effect until the next time the end user logs on. - -- Close all applications before running ScanState or LoadState tools. If some applications are running during the ScanState or LoadState process, USMT might not migrate some data. For example, if Microsoft Outlook® is open, USMT might not migrate PST files. - - **Note** - USMT will fail if it cannot migrate a file or setting unless you specify the **/c** option. When you specify the **/c** option, USMT ignores errors. However, it logs an error when it encounters a file that is in use that did not migrate. - - - -## User Account Problems - - -The following sections describe common user account problems. Expand the section to see recommended solutions. - -### I'm having problems creating local accounts on the destination computer. - -**Resolution:** For more information about creating accounts and migrating local accounts, see [Migrate User Accounts](usmt-migrate-user-accounts.md). - -### Not all of the user accounts were migrated to the destination computer. - -**Causes/Resolutions** There are two possible causes for this problem: - -When running the ScanState tool on Windows Vista, or the ScanState and LoadState tools on Windows 7, Windows 8, or Windows 10, you must run them in Administrator mode from an account with administrative credentials to ensure that all specified users are migrated. To run in Administrator mode: - -1. Click **Start**. - -2. Click **All Programs**. - -3. Click **Accessories**. - -4. Right-click **Command Prompt**. - -5. Click **Run as administrator**. - -Then specify your LoadState or ScanState command. If you do not run USMT in Administrator mode, only the user profile that is logged on will be included in the migration. - -Any user accounts on the computer that have not been used will not be migrated. For example, if you add User1 to the computer, but User1 never logs on, then USMT will not migrate the User1 account. - -### User accounts that I excluded were migrated to the destination computer. - -**Cause:** The command that you specified might have had conflicting **/ui** and **/ue** options. If a user is specified with the **/ui** option and is also specified to be excluded with either the **/ue** or **/uel** options, the user will be included in the migration. For example, if you specify `/ui:domain1\* /ue:domain1\user1`, then User1 will be migrated because the **/ui** option takes precedence. - -**Resolution:** For more information about how to use the **/ui** and **/ue** options together, see the examples in the [ScanState Syntax](usmt-scanstate-syntax.md) topic. - -### I am using the /uel option, but many accounts are still being included in the migration. - -**Cause** The **/uel** option depends on the last modified date of the users' NTUser.dat file. There are scenarios in which this last modified date might not match the users' last logon date. - -**Resolution** This is a limitation of the **/uel** option. You might need to exclude these users manually with the **/ue** option. - -### The LoadState tool reports an error as return code 71 and fails to restore a user profile during a migration test. - -**Cause:** During a migration test, if you run the ScanState tool on your test computer and then delete user profiles in order to test the LoadState tool on the same computer, you may have a conflicting key present in the registry. Using the **net use** command to remove a user profile will delete folders and files associated with that profile, but will not remove the registry key. - -**Resolution:** To delete a user profile, use the **User Accounts** item in Control Panel. To correct an incomplete deletion of a user profile: - -1. Open the registry editor by typing `regedit` at an elevated command prompt. - -2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList`. - - Each user profile is stored in a System Identifier key under `ProfileList`. - -3. Delete the key for the user profile you are trying to remove. - -### Files that were not encrypted before the migration are now encrypted with the account used to run the LoadState tool. - -**Cause:** The ScanState tool was run using the **/EFS: copyraw** option to migrate encrypted files and Encrypting File System (EFS) certificates. The encryption attribute was set on a folder that was migrated, but the attribute was removed from file contents of that folder prior to migration. - -**Resolution:** Before using the ScanState tool for a migration that includes encrypted files and EFS certificates, you can run the Cipher tool at the command prompt to review and change encryption settings on files and folders. You must remove the encryption attribute from folders that contain unencrypted files or encrypt the contents of all files within an encrypted folder. - -To remove encryption from files that have already been migrated incorrectly, you must log on to the computer with the account that you used to run the LoadState tool and then remove the encryption from the affected files. - -### The LoadState tool reports an error as return code 71 and a Windows Error 2202 in the log file. - -**Cause:** The computer name was changed during an offline migration of a local user profile. - -**Resolution:** You can use the **/mu** option when you run the LoadState tool to specify a new name for the user. For example, - -``` syntax -loadstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore -/progress:prog.log /l:load.log /mu:fareast\user1:farwest\user1 -``` - -## Command-line Problems - - -The following sections describe common command-line problems. Expand the section to see recommended solutions. - -### I received the following error message: "Usage Error: You cannot specify a file path with any of the command-line options that exceeds 256 characters." - -**Cause:** You might receive this error message in some cases even if you do not specify a long store or file path, because the path length is calculated based on the absolute path. For example, if you run the **scanstate.exe /o store** command from C:\\Program Files\\USMT40, then each character in "`C:\Program Files\USMT40`" will be added to the length of "store" to get the length of the path. - -**Resolution:** Ensure that the total path length—the store path plus the current directory—does not exceed 256 characters. - -### I received the following error message: "USMT was unable to create the log file(s). Ensure that you have write access to the log directory." - -**Cause:** If you are running the ScanState or LoadState tools from a shared network resource, you will receive this error message if you do not specify **/l**. - -**Resolution:** To fix this issue in this scenario, specify the **/l:scan.log** or **/l:load.log** option. - -## XML File Problems - - -The following sections describe common XML file problems. Expand the section to see recommended solutions. - -### I used the /genconfig option to create a Config.xml file, but I see only a few applications and components that are in MigApp.xml. Why does Config.xml not contain all of the same applications? - -**Cause:** Config.xml will contain only operating system components, applications, and the user document sections that are in both of the .xml files and are installed on the computer when you run the **/genconfig** option. Otherwise, these applications and components will not appear in the Config.xml file. - -**Resolution:** Install all of the desired applications on the computer before running the **/genconfig** option. Then run ScanState with all of the .xml files. For example, run the following: - -`scanstate /genconfig:config.xml /i:migdocs.xml /i:migapp.xml /v:5 /l:scanstate.log` - -### I am having problems with a custom .xml file that I authored, and I cannot verify that the syntax is correct. - -**Resolution:** You can load the XML schema (MigXML.xsd), included with USMT, into your XML authoring tool. For examples, see the [Visual Studio Development Center](https://go.microsoft.com/fwlink/p/?LinkId=74513). Then, load your .xml file in the authoring tool to see if there is a syntax error. In addition, see [USMT XML Reference](usmt-xml-reference.md) for more information about using the XML elements. - -### I am using a MigXML helper function, but the migration isn’t working the way I expected it to.  How do I troubleshoot this issue? - -**Cause:** Typically, this issue is caused by incorrect syntax used in a helper function. You receive a Success return code, but the files you wanted to migrate did not get collected or applied, or weren’t collected or applied in the way you expected. - -**Resolution:** You should search the ScanState or LoadState log for either the component name which contains the MigXML helper function, or the MigXML helper function title, so that you can locate the related warning in the log file. - -## Migration Problems - - -The following sections describe common migration problems. Expand the section to see recommended solutions. - -### Files that I specified to exclude are still being migrated. - -**Cause:** There might be another rule that is including the files. If there is a more specific rule or a conflicting rule, the files will be included in the migration. - -**Resolution:** For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md) and the Diagnostic Log section in [Log Files](usmt-log-files.md). - -### I specified rules to move a folder to a specific location on the destination computer, but it has not migrated correctly. - -**Cause:** There might be an error in the XML syntax. - -**Resolution:** You can use the USMT XML schema (MigXML.xsd) to write and validate migration .xml files. Also see the XML examples in the following topics: - -[Conflicts and Precedence](usmt-conflicts-and-precedence.md) - -[Exclude Files and Settings](usmt-exclude-files-and-settings.md) - -[Reroute Files and Settings](usmt-reroute-files-and-settings.md) - -[Include Files and Settings](usmt-include-files-and-settings.md) - -[Custom XML Examples](usmt-custom-xml-examples.md) - -### After LoadState completes, the new desktop background does not appear on the destination computer. - -There are three typical causes for this issue. - -**Cause \#1:**: Some settings such as fonts, desktop backgrounds, and screen-saver settings are not applied by LoadState until after the destination computer has been restarted. - -**Resolution:** To fix this issue, log off, and then log back on to see the migrated desktop background. - -**Cause \#2:** If the source computer was running Windows® XP and the desktop background was stored in the *Drive*:\\WINDOWS\\Web\\Wallpaper folder—the default folder where desktop backgrounds are stored in Windows XP—the desktop background will not be migrated. Instead, the destination computer will have the default Windows® desktop background. This will occur even if the desktop background was a custom picture that was added to the \\WINDOWS\\Web\\Wallpaper folder. However, if the end user sets a picture as the desktop background that was saved in another location, for example, My Pictures, then the desktop background will migrate. - -**Resolution:** Ensure that the desktop background images that you want to migrate are not in the \\WINDOWS\\Web\\Wallpaper folder on the source computer. - -**Cause \#3:** If ScanState was not run on Windows XP from an account with administrative credentials, some operating system settings will not migrate. For example, desktop background settings, screen-saver selections, modem options, media-player settings, and Remote Access Service (RAS) connection phone book (.pbk) files and settings will not migrate. - -**Resolution:** Run the ScanState and LoadState tools from within an account with administrative credentials. - -### I included MigApp.xml in the migration, but some PST files aren’t migrating. - -**Cause:** The MigApp.xml file migrates only the PST files that are linked to Outlook profiles. - -**Resolution:** To migrate PST files that are not linked to Outlook profiles, you must create a separate migration rule to capture these files. - -### USMT does not migrate the Start layout - -**Description:** You are using USMT to migrate profiles from one installation of Windows 10 to another installation of Windows 10 on different hardware. After migration, the user signs in on the new device and does not have the Start menu layout they had previously configured. - -**Cause:** A code change in the Start Menu with Windows 10 version 1607 and later is incompatible with this USMT function. - -**Resolution:** The following workaround is available: - -1. With the user signed in, back up the Start layout using the following Windows PowerShell command. You can specify a different path if desired: - - ``` - Export-StartLayout -Path "C:\Layout\user1.xml" - ``` -2. Migrate the user's profile with USMT. -3. Before the user signs in on the new device, import the Start layout using the following Windows PowerShell command: - - ``` - Import-StartLayout –LayoutPath "C:\Layout\user1.xml" –MountPath %systemdrive% - ``` - -This workaround changes the Default user's Start layout. The workaround does not scale to a mass migrations or multiuser devices, but it can potentially unblock some scenarios. If other users will sign on to the device you should delete layoutmodification.xml from the Default user profile. Otherwise, all users who sign on to that device will use the imported Start layout. - -## Offline Migration Problems - - -The following sections describe common offline migration problems. Expand the section to see recommended solutions. - -### Some of my system settings do not migrate in an offline migration. - -**Cause:** Some system settings, such as desktop backgrounds and network printers, are not supported in an offline migration. For more information, see [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) - -**Resolution:** In an offline migration, these system settings must be restored manually. - -### The ScanState tool fails with return code 26. - -**Cause:** A common cause of return code 26 is that a temp profile is active on the source computer. This profile maps to c:\\users\\temp. The ScanState log shows a MigStartupOfflineCaught exception that includes the message "User profile duplicate SID error". - -**Resolution:** You can reboot the computer to get rid of the temp profile or you can set MIG\_FAIL\_ON\_PROFILE\_ERROR=0 to skip the error and exclude the temp profile. - -### Include and Exclude rules for migrating user profiles do not work the same offline as they do online. - -**Cause:** When offline, the DNS server cannot be queried to resolve the user name and SID mapping. - -**Resolution:** Use a Security Identifier (SID) to include a user when running the ScanState tool. For example: - -``` syntax -Scanstate /ui:S1-5-21-124525095-708259637-1543119021* -``` - -The wild card (\*) at the end of the SID will migrate the *SID*\_Classes key as well. - -You can also use patterns for SIDs that identify generic users or groups. For example, you can use the */ue:\*-500* option to exclude the local administrator accounts. For more information about Windows SIDs, see [this Microsoft Web site](https://go.microsoft.com/fwlink/p/?LinkId=190277). - -### My script to wipe the disk fails after running the ScanState tool on a 64-bit system. - -**Cause:** The HKLM registry hive is not unloaded after the ScanState tool has finished running. - -**Resolution:** Reboot the computer or unload the registry hive at the command prompt after the ScanState tool has finished running. For example, at a command prompt, type: - -``` syntax -reg.exe unload hklm\$dest$software -``` - -## Hard-Link Migration Problems - - -The following sections describe common hard-link migration problems. Expand the section to see recommended solutions. - -### EFS files are not restored to the new partition. - -**Cause:** EFS files cannot be moved to a new partition with a hard link. The **/efs:hardlink** command-line option is only applicable to files migrated on the same partition. - -**Resolution:** Use the **/efs:copyraw** command-line option to copy EFS files during the migration instead of creating hard links, or manually copy the EFS files from the hard-link store. - -### The ScanState tool cannot delete a previous hard-link migration store. - -**Cause:** The migration store contains hard links to locked files. - -**Resolution:** Use the UsmtUtils tool to delete the store or change the store name. For example, at a command prompt, type: - -``` syntax -USMTutils /rd -``` - -You should also reboot the machine. - - - - - -## Related topics - - -[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) - -[Frequently Asked Questions](usmt-faq.md) - -[Return Codes](usmt-return-codes.md) - -[UsmtUtils Syntax](usmt-utilities.md) - - - - - - - - - +--- +title: Common Issues (Windows 10) +description: Common Issues +ms.assetid: 5a37e390-8617-4768-9eee-50397fbbb2e1 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.date: 09/19/2017 +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Common Issues + + +The following sections discuss common issues that you might see when you run the User State Migration Tool (USMT) 10.0 tools. USMT produces log files that describe in further detail any errors that occurred during the migration process. These logs can be used to troubleshoot migration failures. + +## In This Topic + + +[User Account Problems](#user) + +[Command-line Problems](#command) + +[XML File Problems](#xml) + +[Migration Problems](#migration) + +[Offline Migration Problems](#bkmk-offline) + +[Hard Link Migration Problems](#bkmk-hardlink) + +[USMT does not migrate the Start layout](#usmt-does-not-migrate-the-start-layout) + +## General Guidelines for Identifying Migration Problems + + +When you encounter a problem or error message during migration, you can use the following general guidelines to help determine the source of the problem: + +- Examine the ScanState, LoadState, and UsmtUtils logs to obtain the exact USMT error messages and Windows® application programming interface (API) error messages. For more information about USMT return codes and error messages, see [Return Codes](usmt-return-codes.md). For more information about Windows API error messages, type **nethelpmsg** on the command line. + + In most cases, the ScanState and LoadState logs indicate why a USMT migration is failing. We recommend that you use the **/v**:5 option when testing your migration. This verbosity level can be adjusted in a production migration; however, reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a verbosity level higher than 5 if you want the log files output to go to a debugger. + + **Note** + Running the ScanState and LoadState tools with the **/v**:5 option creates a detailed log file. Although this option makes the log file large, the extra detail can help you determine where migration errors occurred. + + + +- Use the **/Verify** option in the UsmtUtils tool to determine whether any files in a compressed migration store are corrupted. For more information, see [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md). + +- Use the **/Extract** option in the UsmtUtils tool to extract files from a compressed migration store. For more information, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md). + +- Create a progress log using the **/Progress** option to monitor your migration. + +- For the source and destination computers, obtain operating system information, and versions of applications such as Internet Explorer and any other relevant programs. Then verify the exact steps that are needed to reproduce the problem. This information might help you to understand what is wrong and to reproduce the issue in your testing environment. + +- Log off after you run the LoadState tool. Some settings—for example, fonts, desktop backgrounds, and screen-saver settings—will not take effect until the next time the end user logs on. + +- Close all applications before running ScanState or LoadState tools. If some applications are running during the ScanState or LoadState process, USMT might not migrate some data. For example, if Microsoft Outlook® is open, USMT might not migrate PST files. + + **Note** + USMT will fail if it cannot migrate a file or setting unless you specify the **/c** option. When you specify the **/c** option, USMT ignores errors. However, it logs an error when it encounters a file that is in use that did not migrate. + + + +## User Account Problems + + +The following sections describe common user account problems. Expand the section to see recommended solutions. + +### I'm having problems creating local accounts on the destination computer. + +**Resolution:** For more information about creating accounts and migrating local accounts, see [Migrate User Accounts](usmt-migrate-user-accounts.md). + +### Not all of the user accounts were migrated to the destination computer. + +**Causes/Resolutions** There are two possible causes for this problem: + +When running the ScanState tool on Windows Vista, or the ScanState and LoadState tools on Windows 7, Windows 8, or Windows 10, you must run them in Administrator mode from an account with administrative credentials to ensure that all specified users are migrated. To run in Administrator mode: + +1. Click **Start**. + +2. Click **All Programs**. + +3. Click **Accessories**. + +4. Right-click **Command Prompt**. + +5. Click **Run as administrator**. + +Then specify your LoadState or ScanState command. If you do not run USMT in Administrator mode, only the user profile that is logged on will be included in the migration. + +Any user accounts on the computer that have not been used will not be migrated. For example, if you add User1 to the computer, but User1 never logs on, then USMT will not migrate the User1 account. + +### User accounts that I excluded were migrated to the destination computer. + +**Cause:** The command that you specified might have had conflicting **/ui** and **/ue** options. If a user is specified with the **/ui** option and is also specified to be excluded with either the **/ue** or **/uel** options, the user will be included in the migration. For example, if you specify `/ui:domain1\* /ue:domain1\user1`, then User1 will be migrated because the **/ui** option takes precedence. + +**Resolution:** For more information about how to use the **/ui** and **/ue** options together, see the examples in the [ScanState Syntax](usmt-scanstate-syntax.md) topic. + +### I am using the /uel option, but many accounts are still being included in the migration. + +**Cause** The **/uel** option depends on the last modified date of the users' NTUser.dat file. There are scenarios in which this last modified date might not match the users' last logon date. + +**Resolution** This is a limitation of the **/uel** option. You might need to exclude these users manually with the **/ue** option. + +### The LoadState tool reports an error as return code 71 and fails to restore a user profile during a migration test. + +**Cause:** During a migration test, if you run the ScanState tool on your test computer and then delete user profiles in order to test the LoadState tool on the same computer, you may have a conflicting key present in the registry. Using the **net use** command to remove a user profile will delete folders and files associated with that profile, but will not remove the registry key. + +**Resolution:** To delete a user profile, use the **User Accounts** item in Control Panel. To correct an incomplete deletion of a user profile: + +1. Open the registry editor by typing `regedit` at an elevated command prompt. + +2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList`. + + Each user profile is stored in a System Identifier key under `ProfileList`. + +3. Delete the key for the user profile you are trying to remove. + +### Files that were not encrypted before the migration are now encrypted with the account used to run the LoadState tool. + +**Cause:** The ScanState tool was run using the **/EFS: copyraw** option to migrate encrypted files and Encrypting File System (EFS) certificates. The encryption attribute was set on a folder that was migrated, but the attribute was removed from file contents of that folder prior to migration. + +**Resolution:** Before using the ScanState tool for a migration that includes encrypted files and EFS certificates, you can run the Cipher tool at the command prompt to review and change encryption settings on files and folders. You must remove the encryption attribute from folders that contain unencrypted files or encrypt the contents of all files within an encrypted folder. + +To remove encryption from files that have already been migrated incorrectly, you must log on to the computer with the account that you used to run the LoadState tool and then remove the encryption from the affected files. + +### The LoadState tool reports an error as return code 71 and a Windows Error 2202 in the log file. + +**Cause:** The computer name was changed during an offline migration of a local user profile. + +**Resolution:** You can use the **/mu** option when you run the LoadState tool to specify a new name for the user. For example, + +``` syntax +loadstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore +/progress:prog.log /l:load.log /mu:fareast\user1:farwest\user1 +``` + +## Command-line Problems + + +The following sections describe common command-line problems. Expand the section to see recommended solutions. + +### I received the following error message: "Usage Error: You cannot specify a file path with any of the command-line options that exceeds 256 characters." + +**Cause:** You might receive this error message in some cases even if you do not specify a long store or file path, because the path length is calculated based on the absolute path. For example, if you run the **scanstate.exe /o store** command from C:\\Program Files\\USMT40, then each character in "`C:\Program Files\USMT40`" will be added to the length of "store" to get the length of the path. + +**Resolution:** Ensure that the total path length—the store path plus the current directory—does not exceed 256 characters. + +### I received the following error message: "USMT was unable to create the log file(s). Ensure that you have write access to the log directory." + +**Cause:** If you are running the ScanState or LoadState tools from a shared network resource, you will receive this error message if you do not specify **/l**. + +**Resolution:** To fix this issue in this scenario, specify the **/l:scan.log** or **/l:load.log** option. + +## XML File Problems + + +The following sections describe common XML file problems. Expand the section to see recommended solutions. + +### I used the /genconfig option to create a Config.xml file, but I see only a few applications and components that are in MigApp.xml. Why does Config.xml not contain all of the same applications? + +**Cause:** Config.xml will contain only operating system components, applications, and the user document sections that are in both of the .xml files and are installed on the computer when you run the **/genconfig** option. Otherwise, these applications and components will not appear in the Config.xml file. + +**Resolution:** Install all of the desired applications on the computer before running the **/genconfig** option. Then run ScanState with all of the .xml files. For example, run the following: + +`scanstate /genconfig:config.xml /i:migdocs.xml /i:migapp.xml /v:5 /l:scanstate.log` + +### I am having problems with a custom .xml file that I authored, and I cannot verify that the syntax is correct. + +**Resolution:** You can load the XML schema (MigXML.xsd), included with USMT, into your XML authoring tool. For examples, see the [Visual Studio Development Center](https://go.microsoft.com/fwlink/p/?LinkId=74513). Then, load your .xml file in the authoring tool to see if there is a syntax error. In addition, see [USMT XML Reference](usmt-xml-reference.md) for more information about using the XML elements. + +### I am using a MigXML helper function, but the migration isn’t working the way I expected it to.  How do I troubleshoot this issue? + +**Cause:** Typically, this issue is caused by incorrect syntax used in a helper function. You receive a Success return code, but the files you wanted to migrate did not get collected or applied, or weren’t collected or applied in the way you expected. + +**Resolution:** You should search the ScanState or LoadState log for either the component name which contains the MigXML helper function, or the MigXML helper function title, so that you can locate the related warning in the log file. + +## Migration Problems + + +The following sections describe common migration problems. Expand the section to see recommended solutions. + +### Files that I specified to exclude are still being migrated. + +**Cause:** There might be another rule that is including the files. If there is a more specific rule or a conflicting rule, the files will be included in the migration. + +**Resolution:** For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md) and the Diagnostic Log section in [Log Files](usmt-log-files.md). + +### I specified rules to move a folder to a specific location on the destination computer, but it has not migrated correctly. + +**Cause:** There might be an error in the XML syntax. + +**Resolution:** You can use the USMT XML schema (MigXML.xsd) to write and validate migration .xml files. Also see the XML examples in the following topics: + +[Conflicts and Precedence](usmt-conflicts-and-precedence.md) + +[Exclude Files and Settings](usmt-exclude-files-and-settings.md) + +[Reroute Files and Settings](usmt-reroute-files-and-settings.md) + +[Include Files and Settings](usmt-include-files-and-settings.md) + +[Custom XML Examples](usmt-custom-xml-examples.md) + +### After LoadState completes, the new desktop background does not appear on the destination computer. + +There are three typical causes for this issue. + +**Cause \#1:**: Some settings such as fonts, desktop backgrounds, and screen-saver settings are not applied by LoadState until after the destination computer has been restarted. + +**Resolution:** To fix this issue, log off, and then log back on to see the migrated desktop background. + +**Cause \#2:** If the source computer was running Windows® XP and the desktop background was stored in the *Drive*:\\WINDOWS\\Web\\Wallpaper folder—the default folder where desktop backgrounds are stored in Windows XP—the desktop background will not be migrated. Instead, the destination computer will have the default Windows® desktop background. This will occur even if the desktop background was a custom picture that was added to the \\WINDOWS\\Web\\Wallpaper folder. However, if the end user sets a picture as the desktop background that was saved in another location, for example, My Pictures, then the desktop background will migrate. + +**Resolution:** Ensure that the desktop background images that you want to migrate are not in the \\WINDOWS\\Web\\Wallpaper folder on the source computer. + +**Cause \#3:** If ScanState was not run on Windows XP from an account with administrative credentials, some operating system settings will not migrate. For example, desktop background settings, screen-saver selections, modem options, media-player settings, and Remote Access Service (RAS) connection phone book (.pbk) files and settings will not migrate. + +**Resolution:** Run the ScanState and LoadState tools from within an account with administrative credentials. + +### I included MigApp.xml in the migration, but some PST files aren’t migrating. + +**Cause:** The MigApp.xml file migrates only the PST files that are linked to Outlook profiles. + +**Resolution:** To migrate PST files that are not linked to Outlook profiles, you must create a separate migration rule to capture these files. + +### USMT does not migrate the Start layout + +**Description:** You are using USMT to migrate profiles from one installation of Windows 10 to another installation of Windows 10 on different hardware. After migration, the user signs in on the new device and does not have the Start menu layout they had previously configured. + +**Cause:** A code change in the Start Menu with Windows 10 version 1607 and later is incompatible with this USMT function. + +**Resolution:** The following workaround is available: + +1. With the user signed in, back up the Start layout using the following Windows PowerShell command. You can specify a different path if desired: + + ``` + Export-StartLayout -Path "C:\Layout\user1.xml" + ``` +2. Migrate the user's profile with USMT. +3. Before the user signs in on the new device, import the Start layout using the following Windows PowerShell command: + + ``` + Import-StartLayout –LayoutPath "C:\Layout\user1.xml" –MountPath %systemdrive% + ``` + +This workaround changes the Default user's Start layout. The workaround does not scale to a mass migrations or multiuser devices, but it can potentially unblock some scenarios. If other users will sign on to the device you should delete layoutmodification.xml from the Default user profile. Otherwise, all users who sign on to that device will use the imported Start layout. + +## Offline Migration Problems + + +The following sections describe common offline migration problems. Expand the section to see recommended solutions. + +### Some of my system settings do not migrate in an offline migration. + +**Cause:** Some system settings, such as desktop backgrounds and network printers, are not supported in an offline migration. For more information, see [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) + +**Resolution:** In an offline migration, these system settings must be restored manually. + +### The ScanState tool fails with return code 26. + +**Cause:** A common cause of return code 26 is that a temp profile is active on the source computer. This profile maps to c:\\users\\temp. The ScanState log shows a MigStartupOfflineCaught exception that includes the message "User profile duplicate SID error". + +**Resolution:** You can reboot the computer to get rid of the temp profile or you can set MIG\_FAIL\_ON\_PROFILE\_ERROR=0 to skip the error and exclude the temp profile. + +### Include and Exclude rules for migrating user profiles do not work the same offline as they do online. + +**Cause:** When offline, the DNS server cannot be queried to resolve the user name and SID mapping. + +**Resolution:** Use a Security Identifier (SID) to include a user when running the ScanState tool. For example: + +``` syntax +Scanstate /ui:S1-5-21-124525095-708259637-1543119021* +``` + +The wild card (\*) at the end of the SID will migrate the *SID*\_Classes key as well. + +You can also use patterns for SIDs that identify generic users or groups. For example, you can use the */ue:\*-500* option to exclude the local administrator accounts. For more information about Windows SIDs, see [this Microsoft Web site](https://go.microsoft.com/fwlink/p/?LinkId=190277). + +### My script to wipe the disk fails after running the ScanState tool on a 64-bit system. + +**Cause:** The HKLM registry hive is not unloaded after the ScanState tool has finished running. + +**Resolution:** Reboot the computer or unload the registry hive at the command prompt after the ScanState tool has finished running. For example, at a command prompt, type: + +``` syntax +reg.exe unload hklm\$dest$software +``` + +## Hard-Link Migration Problems + + +The following sections describe common hard-link migration problems. Expand the section to see recommended solutions. + +### EFS files are not restored to the new partition. + +**Cause:** EFS files cannot be moved to a new partition with a hard link. The **/efs:hardlink** command-line option is only applicable to files migrated on the same partition. + +**Resolution:** Use the **/efs:copyraw** command-line option to copy EFS files during the migration instead of creating hard links, or manually copy the EFS files from the hard-link store. + +### The ScanState tool cannot delete a previous hard-link migration store. + +**Cause:** The migration store contains hard links to locked files. + +**Resolution:** Use the UsmtUtils tool to delete the store or change the store name. For example, at a command prompt, type: + +``` syntax +USMTutils /rd +``` + +You should also reboot the machine. + + + + + +## Related topics + + +[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) + +[Frequently Asked Questions](usmt-faq.md) + +[Return Codes](usmt-return-codes.md) + +[UsmtUtils Syntax](usmt-utilities.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-common-migration-scenarios.md b/windows/deployment/usmt/usmt-common-migration-scenarios.md index 89f0dae0bd..bfc3a1013c 100644 --- a/windows/deployment/usmt/usmt-common-migration-scenarios.md +++ b/windows/deployment/usmt/usmt-common-migration-scenarios.md @@ -1,154 +1,154 @@ ---- -title: Common Migration Scenarios (Windows 10) -description: Common Migration Scenarios -ms.assetid: 1d8170d5-e775-4963-b7a5-b55e8987c1e4 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Common Migration Scenarios - - -You use the User State Migration Tool (USMT) 10.0 when hardware and/or operating system upgrades are planned for a large number of computers. USMT manages the migration of an end-user's digital identity by capturing the user's operating-system settings, application settings, and personal files from a source computer and reinstalling them on a destination computer after the upgrade has occurred. - -One common scenario when only the operating system, and not the hardware, is being upgraded is referred to as *PC refresh*. A second common scenario is known as *PC replacement*, where one piece of hardware is being replaced, typically by newer hardware and a newer operating system. - -## In This Topic - - -[PC Refresh](#bkmk-pcrefresh) - -[Scenario One: PC-refresh offline using Windows PE and a hard-link migration store](#bkmk-onepcrefresh) - -[Scenario Two: PC-refresh using a compressed migration store](#bkmk-twopcrefresh) - -[Scenario Three: PC-refresh using a hard-link migration store](#bkmk-threepcrefresh) - -[Scenario Four: PC-refresh using Windows.old folder and a hard-link migration store](#bkmk-fourpcrefresh) - -[PC Replacement](#bkmk-pcreplace) - -[Scenario One: Offline migration using Windows PE and an external migration store](#bkmk-onepcreplace) - -[Scenario Two: Manual network migration](#bkmk-twopcreplace) - -[Scenario Three: Managed network migration](#bkmk-threepcreplace) - -## PC-Refresh - - -The following diagram shows a PC-refresh migration, also known as a computer refresh migration. First, the administrator migrates the user state from a source computer to an intermediate store. After installing the operating system, the administrator migrates the user state back to the source computer. - -  - -![usmt pc refresh scenario](images/dep-win8-l-usmt-pcrefresh.jpg) - -  - -### Scenario One: PC-refresh offline using Windows PE and a hard-link migration store - -A company has just received funds to update the operating system on all of its computers in the accounting department to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, the update is being handled completely offline, without a network connection. An administrator uses Windows Preinstallation Environment (WinPE) and a hard-link migration store to save each user state to their respective computer. - -1. On each computer, the administrator boots the machine into WinPE and runs the ScanState command-line tool, specifying the **/hardlink /nocompress** command-line options. ScanState saves the user state to a hard-link migration store on each computer, improving performance by minimizing network traffic as well as minimizing migration failures on computers with very limited space available on the hard drive. - -2. On each computer, the administrator installs the company’s standard operating environment (SOE) which includes Windows 10 and other company applications. - -3. The administrator runs the LoadState command-line tool on each computer. LoadState restores each user state back to each computer. - -### Scenario Two: PC-refresh using a compressed migration store - -A company has just received funds to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses a compressed migration store to save the user states to a server. - -1. The administrator runs the ScanState command-line tool on each computer. ScanState saves each user state to a server. - -2. On each computer, the administrator installs the company's standard SOE which includes Windows 10 and other company applications. - -3. The administrator runs the LoadState command-line tool on each source computer, and LoadState restores each user state back to the computer. - -### Scenario Three: PC-refresh using a hard-link migration store - -A company has just received funds to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses a hard-link migration store to save each user state to their respective computer. - -1. The administrator runs the ScanState command-line tool on each computer, specifying the **/hardlink /nocompress** command-line options. ScanState saves the user state to a hard-link migration store on each computer, improving performance by minimizing network traffic as well as minimizing migration failures on computers with very limited space available on the hard drive. - -2. On each computer, the administrator installs the company's SOE which includes Windows 10 and other company applications. - -3. The administrator runs the LoadState command-line tool on each computer. LoadState restores each user state back on each computer. - -### Scenario Four: PC-refresh using Windows.old folder and a hard-link migration store - -A company has decided to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses Windows.old and a hard-link migration store to save each user state to their respective computer. - -1. The administrator clean installs Windows 10 on each computer, making sure that the Windows.old directory is created by installing Windows 10 without formatting or repartitioning and by selecting a partition that contains the previous version of Windows. - -2. On each computer, the administrator installs the company’s SOE which includes company applications. - -3. The administrator runs the ScanState and LoadState command-line tools successively on each computer while specifying the **/hardlink /nocompress** command-line options. - -## PC-Replacement - - -The following diagram shows a PC-replacement migration. First, the administrator migrates the user state from the source computer to an intermediate store. After installing the operating system on the destination computer, the administrator migrates the user state from the store to the destination computer. - -  - -![usmt pc replace scenario](images/dep-win8-l-usmt-pcreplace.jpg) - -  - -### Scenario One: Offline migration using WinPE and an external migration store - -A company is allocating 20 new computers to users in the accounting department. The users each have a source computer with their files and settings. In this scenario, migration is being handled completely offline, without a network connection. - -1. On each source computer, an administrator boots the machine into WinPE and runs ScanState to collect the user state to either a server or an external hard disk. - -2. On each new computer, the administrator installs the company's SOE which includes Windows 10 and other company applications. - -3. On each of the new computers, the administrator runs the LoadState tool, restoring each user state from the migration store to one of the new computers. - -### Scenario Two: Manual network migration - -A company receives 50 new laptops for their managers and needs to reallocate 50 older laptops to new employees. In this scenario, an administrator runs the ScanState tool from the cmd prompt on each computer to collect the user states and save them to a server in a compressed migration store. - -1. The administrator runs the ScanState tool on each of the manager’s old laptops, and saves each user state to a server. - -2. On the new laptops, the administrator installs the company's SOE, which includes Windows 10 and other company applications. - -3. The administrator runs the LoadState tool on the new laptops to migrate the managers’ user states to the appropriate computer. The new laptops are now ready for the managers to use. - -4. On the old computers, the administrator installs the company’s SOE, which includes Windows 10, Microsoft Office, and other company applications. The old computers are now ready for the new employees to use. - -### Scenario Three: Managed network migration - -A company is allocating 20 new computers to users in the accounting department. The users each have a source computer that contains their files and settings. An administrator uses a management technology such as a logon script or a batch file to run ScanState on each source computer to collect the user states and save them to a server in a compressed migration store. - -1. On each source computer, the administrator runs the ScanState tool using Microsoft System Center Configuration Manager (SCCM), Microsoft Deployment Toolkit (MDT), a logon script, a batch file, or a non-Microsoft management technology. ScanState collects the user state from each source computer and then saves it to a server. - -2. On each new computer, the administrator installs the company's SOE, which includes Windows 10 and other company applications. - -3. On each of the new computers, the administrator runs the LoadState tool using System Center Configuration Manager, a logon script, a batch file, or a non-Microsoft management technology. LoadState migrates each user state from the migration store to one of the new computers. - -## Related topics - - -[Plan Your Migration](usmt-plan-your-migration.md) - -[Choose a Migration Store Type](usmt-choose-migration-store-type.md) - -[Offline Migration Reference](offline-migration-reference.md) - -  - -  - - - - - +--- +title: Common Migration Scenarios (Windows 10) +description: Common Migration Scenarios +ms.assetid: 1d8170d5-e775-4963-b7a5-b55e8987c1e4 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Common Migration Scenarios + + +You use the User State Migration Tool (USMT) 10.0 when hardware and/or operating system upgrades are planned for a large number of computers. USMT manages the migration of an end-user's digital identity by capturing the user's operating-system settings, application settings, and personal files from a source computer and reinstalling them on a destination computer after the upgrade has occurred. + +One common scenario when only the operating system, and not the hardware, is being upgraded is referred to as *PC refresh*. A second common scenario is known as *PC replacement*, where one piece of hardware is being replaced, typically by newer hardware and a newer operating system. + +## In This Topic + + +[PC Refresh](#bkmk-pcrefresh) + +[Scenario One: PC-refresh offline using Windows PE and a hard-link migration store](#bkmk-onepcrefresh) + +[Scenario Two: PC-refresh using a compressed migration store](#bkmk-twopcrefresh) + +[Scenario Three: PC-refresh using a hard-link migration store](#bkmk-threepcrefresh) + +[Scenario Four: PC-refresh using Windows.old folder and a hard-link migration store](#bkmk-fourpcrefresh) + +[PC Replacement](#bkmk-pcreplace) + +[Scenario One: Offline migration using Windows PE and an external migration store](#bkmk-onepcreplace) + +[Scenario Two: Manual network migration](#bkmk-twopcreplace) + +[Scenario Three: Managed network migration](#bkmk-threepcreplace) + +## PC-Refresh + + +The following diagram shows a PC-refresh migration, also known as a computer refresh migration. First, the administrator migrates the user state from a source computer to an intermediate store. After installing the operating system, the administrator migrates the user state back to the source computer. + +  + +![usmt pc refresh scenario](images/dep-win8-l-usmt-pcrefresh.jpg) + +  + +### Scenario One: PC-refresh offline using Windows PE and a hard-link migration store + +A company has just received funds to update the operating system on all of its computers in the accounting department to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, the update is being handled completely offline, without a network connection. An administrator uses Windows Preinstallation Environment (WinPE) and a hard-link migration store to save each user state to their respective computer. + +1. On each computer, the administrator boots the machine into WinPE and runs the ScanState command-line tool, specifying the **/hardlink /nocompress** command-line options. ScanState saves the user state to a hard-link migration store on each computer, improving performance by minimizing network traffic as well as minimizing migration failures on computers with very limited space available on the hard drive. + +2. On each computer, the administrator installs the company’s standard operating environment (SOE) which includes Windows 10 and other company applications. + +3. The administrator runs the LoadState command-line tool on each computer. LoadState restores each user state back to each computer. + +### Scenario Two: PC-refresh using a compressed migration store + +A company has just received funds to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses a compressed migration store to save the user states to a server. + +1. The administrator runs the ScanState command-line tool on each computer. ScanState saves each user state to a server. + +2. On each computer, the administrator installs the company's standard SOE which includes Windows 10 and other company applications. + +3. The administrator runs the LoadState command-line tool on each source computer, and LoadState restores each user state back to the computer. + +### Scenario Three: PC-refresh using a hard-link migration store + +A company has just received funds to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses a hard-link migration store to save each user state to their respective computer. + +1. The administrator runs the ScanState command-line tool on each computer, specifying the **/hardlink /nocompress** command-line options. ScanState saves the user state to a hard-link migration store on each computer, improving performance by minimizing network traffic as well as minimizing migration failures on computers with very limited space available on the hard drive. + +2. On each computer, the administrator installs the company's SOE which includes Windows 10 and other company applications. + +3. The administrator runs the LoadState command-line tool on each computer. LoadState restores each user state back on each computer. + +### Scenario Four: PC-refresh using Windows.old folder and a hard-link migration store + +A company has decided to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses Windows.old and a hard-link migration store to save each user state to their respective computer. + +1. The administrator clean installs Windows 10 on each computer, making sure that the Windows.old directory is created by installing Windows 10 without formatting or repartitioning and by selecting a partition that contains the previous version of Windows. + +2. On each computer, the administrator installs the company’s SOE which includes company applications. + +3. The administrator runs the ScanState and LoadState command-line tools successively on each computer while specifying the **/hardlink /nocompress** command-line options. + +## PC-Replacement + + +The following diagram shows a PC-replacement migration. First, the administrator migrates the user state from the source computer to an intermediate store. After installing the operating system on the destination computer, the administrator migrates the user state from the store to the destination computer. + +  + +![usmt pc replace scenario](images/dep-win8-l-usmt-pcreplace.jpg) + +  + +### Scenario One: Offline migration using WinPE and an external migration store + +A company is allocating 20 new computers to users in the accounting department. The users each have a source computer with their files and settings. In this scenario, migration is being handled completely offline, without a network connection. + +1. On each source computer, an administrator boots the machine into WinPE and runs ScanState to collect the user state to either a server or an external hard disk. + +2. On each new computer, the administrator installs the company's SOE which includes Windows 10 and other company applications. + +3. On each of the new computers, the administrator runs the LoadState tool, restoring each user state from the migration store to one of the new computers. + +### Scenario Two: Manual network migration + +A company receives 50 new laptops for their managers and needs to reallocate 50 older laptops to new employees. In this scenario, an administrator runs the ScanState tool from the cmd prompt on each computer to collect the user states and save them to a server in a compressed migration store. + +1. The administrator runs the ScanState tool on each of the manager’s old laptops, and saves each user state to a server. + +2. On the new laptops, the administrator installs the company's SOE, which includes Windows 10 and other company applications. + +3. The administrator runs the LoadState tool on the new laptops to migrate the managers’ user states to the appropriate computer. The new laptops are now ready for the managers to use. + +4. On the old computers, the administrator installs the company’s SOE, which includes Windows 10, Microsoft Office, and other company applications. The old computers are now ready for the new employees to use. + +### Scenario Three: Managed network migration + +A company is allocating 20 new computers to users in the accounting department. The users each have a source computer that contains their files and settings. An administrator uses a management technology such as a logon script or a batch file to run ScanState on each source computer to collect the user states and save them to a server in a compressed migration store. + +1. On each source computer, the administrator runs the ScanState tool using Microsoft System Center Configuration Manager (SCCM), Microsoft Deployment Toolkit (MDT), a logon script, a batch file, or a non-Microsoft management technology. ScanState collects the user state from each source computer and then saves it to a server. + +2. On each new computer, the administrator installs the company's SOE, which includes Windows 10 and other company applications. + +3. On each of the new computers, the administrator runs the LoadState tool using System Center Configuration Manager, a logon script, a batch file, or a non-Microsoft management technology. LoadState migrates each user state from the migration store to one of the new computers. + +## Related topics + + +[Plan Your Migration](usmt-plan-your-migration.md) + +[Choose a Migration Store Type](usmt-choose-migration-store-type.md) + +[Offline Migration Reference](offline-migration-reference.md) + +  + +  + + + + + diff --git a/windows/deployment/usmt/usmt-configxml-file.md b/windows/deployment/usmt/usmt-configxml-file.md index 62d952f3be..db0aad8633 100644 --- a/windows/deployment/usmt/usmt-configxml-file.md +++ b/windows/deployment/usmt/usmt-configxml-file.md @@ -8,6 +8,7 @@ ms.author: greglin ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.date: 04/19/2017 ms.topic: article @@ -95,7 +96,7 @@ The following example specifies that all locked files, regardless of their locat Additionally, the order in the **<ErrorControl>** section implies priority. In this example, the first **<nonFatal>** tag takes precedence over the second **<fatal>** tag. This precedence is applied, regardless of how many tags are listed. -```xml +``` xml * [*] @@ -265,7 +266,7 @@ The **<ErrorControl>** section can be configured to conditionally ignore f -```xml +``` xml diff --git a/windows/deployment/usmt/usmt-conflicts-and-precedence.md b/windows/deployment/usmt/usmt-conflicts-and-precedence.md index 528a5076a2..5b40bd3e9d 100644 --- a/windows/deployment/usmt/usmt-conflicts-and-precedence.md +++ b/windows/deployment/usmt/usmt-conflicts-and-precedence.md @@ -8,6 +8,7 @@ ms.author: greglin ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.date: 04/19/2017 ms.topic: article @@ -68,7 +69,7 @@ If you have an <include> rule in one component and a <locationModify> The following .xml file migrates all files from C:\\Userdocs, including .mp3 files, because the <exclude> rule is specified in a separate component. -```xml +``` xml User Documents @@ -102,7 +103,7 @@ The following .xml file migrates all files from C:\\Userdocs, including .mp3 fil Specifying `migrate="no"` in the Config.xml file is the same as deleting the corresponding component from the migration .xml file. However, if you set `migrate="no"` for My Documents, but you have a rule similar to the one shown below in a migration .xml file (which includes all of the .doc files from My Documents), then only the .doc files will be migrated, and all other files will be excluded. -```xml +``` xml %CSIDL_PERSONAL%\* [*.doc] @@ -135,7 +136,7 @@ If there are conflicting rules within a component, the most specific rule is app In the following example, mp3 files will not be excluded from the migration. This is because directory names take precedence over the file extensions. -```xml +``` xml C:\Data\* [*] @@ -390,7 +391,7 @@ The destination computer contains the following files: You have a custom .xml file that contains the following code: -```xml +``` xml c:\data\* [*] diff --git a/windows/deployment/usmt/usmt-custom-xml-examples.md b/windows/deployment/usmt/usmt-custom-xml-examples.md index 0ef105ca40..66f4f18511 100644 --- a/windows/deployment/usmt/usmt-custom-xml-examples.md +++ b/windows/deployment/usmt/usmt-custom-xml-examples.md @@ -8,6 +8,7 @@ ms.author: greglin ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.topic: article --- @@ -36,7 +37,7 @@ Because the tables in this topic are wide, you may need to adjust the width of i The following is a template for the sections that you need to migrate your application. The template is not functional on its own, but you can use it to write your own .xml file. -```xml +``` xml @@ -195,7 +196,7 @@ This table describes the behavior in the following example .xml file. -```xml +``` xml File Migration Test @@ -231,7 +232,7 @@ This table describes the behavior in the following example .xml file. The behavior for this custom .xml file is described within the <`displayName`> tags in the code. -```xml +``` xml diff --git a/windows/deployment/usmt/usmt-customize-xml-files.md b/windows/deployment/usmt/usmt-customize-xml-files.md index e1e7522f96..9376707ccd 100644 --- a/windows/deployment/usmt/usmt-customize-xml-files.md +++ b/windows/deployment/usmt/usmt-customize-xml-files.md @@ -1,138 +1,138 @@ ---- -title: Customize USMT XML Files (Windows 10) -description: Customize USMT XML Files -ms.assetid: d58363c1-fd13-4f65-8b91-9986659dc93e -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Customize USMT XML Files - - -## In This Topic - - -[Overview](#bkmk-overview) - -[Migration .xml Files](#bkmk-migxml) - -[Custom .xml Files](#bkmk-customxmlfiles) - -[The Config.xml File](#bkmk-configxml) - -[Examples](#bkmk-examples) - -[Additional Information](#bkmk-addlinfo) - -## Overview - - -If you want the **ScanState** and **LoadState** tools to use any of the migration .xml files, specify these files at the command line using the **/i** option. Because the **ScanState** and **LoadState** tools need the .xml files to control the migration, specify the same set of .xml files for both the **ScanState** and **LoadState** commands. However, you do not have to specify the Config.xml file with the **/config** option, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store but not to the destination computer. To do this, modify the Config.xml file and specify the updated file with the **LoadState** command. Then the **LoadState** command will migrate only the files and settings that you want to migrate. - -If you leave out an .xml file from the **LoadState** command, all of the data in the store that was migrated with the missing .xml files will be migrated. However, the migration rules that were specified with the **ScanState** command will not apply. For example, if you leave out an .xml file, and it contains a rerouting rule such as: `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files, and they will be migrated to C:\\data. - -To modify the migration, do one or more of the following. - -- **Modify the migration .xml files.** If you want to exclude a portion of a component—for example, you want to migrate C:\\ but exclude all of the .mp3 files—or if you want to move data to a new location on the destination computer, modify the .xml files. To modify these files, you must be familiar with the migration rules and syntax. If you want **ScanState** and **LoadState** to use these files, specify them at the command line when each command is entered. - -- **Create a custom .xml file.** You can also create a custom .xml file to migrate settings for another application, or to change the migration behavior to suit your needs. For **ScanState** and **LoadState** to use this file, specify them on both command lines. - -- **Create and modify a Config.xml file.** Do this if you want to exclude an entire component from the migration. For example, you can use a Config.xml file to exclude the entire My Documents folder, or exclude the settings for an application. Excluding components using a Config.xml file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. In addition, using a Config.xml file is the only way to exclude the operating system settings from being migrated. - -For more information about excluding data, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic. - -## Migration .xml Files - - -This section describes the migration .xml files that are included with USMT. Each file contains migration rules that control which components are migrated and where they are migrated to on the destination computer. - -**Note**   -You can use the asterisk (\*) wildcard character in each of these files. However, you cannot use a question mark (?) as a wildcard character. - - - -- **The MigApp.xml file.** Specify this file with both the **ScanState** and **LoadState** commands to migrate application settings. - -- **The MigDocs.xml file.** Specify this file with both the **ScanState** and **LoadState** tools to migrate all user folders and files that are found by the **MigXmlHelper.GenerateDocPatterns** helper function. This helper function finds user data that resides on the root of any drive and in the Users directory. However, it does not find and migrate any application data, program files, or any files in the Windows directory. You can modify the MigDocs.xml file. - -- **The MigUser.xml file.** Specify this file with both the **ScanState** and **LoadState** commands to migrate user folders, files, and file types. You can modify the MigUser.xml file. This file does not contain rules that migrate specific user accounts. The only way to specify which user accounts to migrate is on the command line using the **ScanState** and the **LoadState** user options. - - **Note**   - Do not use the MigUser.xml and MigDocs.xml files together. For more information, see the [Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md) and [USMT Best Practices](usmt-best-practices.md) topics. - - - -## Custom .xml Files - - -You can create custom .xml files to customize the migration for your unique needs. For example, you may want to create a custom file to migrate a line-of-business application or to modify the default migration behavior. If you want **ScanState** and **LoadState** to use this file, specify it with both commands. For more information, see the How to Create a Custom .xml File topic. - -## The Config.xml File - - -The Config.xml file is an optional file that you create using the **/genconfig** option with the **ScanState** command. You should create and modify this file if you want to exclude certain components from the migration. In addition, you must create and modify this file if you want to exclude any of the operating system settings from being migrated. The Config.xml file format is different from that of the migration .xml files because it does not contain any migration rules. It contains only a list of the operating system components, applications, and the user documents that can be migrated. For an example, see the [Config.xml File](usmt-configxml-file.md) topic. For this reason, excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. However, you cannot use wildcard characters in a Config.xml file. - -If you want to include all of the default components, you do not need to create the Config.xml file. Alternatively, if you are satisfied with the default migration behavior defined in the MigApp.xml, MigDocs.xml, and MigUser.xml files, and you want to exclude only some components, you can create and modify a Config.xml file and leave the other .xml files in their original state. - -When you run the **ScanState** command with the **/genconfig** option, **ScanState** reads the other .xml files that you specify using the **/i** option to create a custom list of components that can be migrated from the computer. This file will contain only operating system components, applications, and the user document sections that are in both of the .xml files and that are installed on the computer when you run the **ScanState** command with the **/genconfig** option. Therefore, you should create this file on a source computer that contains all of the components, applications, and settings that will be present on the destination computers. This will ensure that this file contains every component that can be migrated. The components are organized into sections: <Applications>, <WindowsComponents>, and <Documents>. To choose not to migrate a component, change its entry to `migrate="no"`. - -After you create this file, you need to specify it only with the **ScanState** command using the **/Config** option for it to affect the migration. However, if you want to exclude additional data that you migrated to the store, modify the Config.xml file and specify the updated file with the **LoadState** command. For example, if you collected the My Documents folder in the store, but you decide that you do not want to migrate the My Documents folder to a destination computer, you can modify the Config.xml file to indicate `migrate="no"` before you run the **LoadState** command, and the file will not be migrated. For more information about the precedence that takes place when excluding data, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic. - -In addition, note the following functionality with the Config.xml file: - -- If a parent component is removed from the migration in the Config.xml file by specifying `migrate="no"`, all of its child components will automatically be removed from the migration, even if the child component is set to `migrate="yes"`. - -- If you mistakenly have two lines of code for the same component where one line specifies `migrate="no"` and the other line specifies `migrate="yes"`, the component will be migrated. - -- In USMT there are several migration policies that can be configured in the Config.xml file. For example, you can configure additional **<ErrorControl>**, **<ProfileControl>**, and **<HardLinkStoreControl>** options. For more information, see the [Config.xml File](usmt-configxml-file.md) topic. - -**Note**   -To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration. - - - -### Examples - -- The following command creates a Config.xml file in the current directory, but it does not create a store: - - `scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:5` - -- The following command creates an encrypted store using the Config.xml file and the default migration .xml files: - - `scanstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /o /config:config.xml /v:5 /encrypt /key:"mykey"` - -- The following command decrypts the store and migrates the files and settings: - - `loadstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /v:5 /decrypt /key:"mykey"` - -## Additional Information - - -- For more information about how to change the files and settings that are migrated, see the [User State Migration Tool (USMT) How-to topics](usmt-how-to.md). - -- For more information about each .xml element, see the [XML Elements Library](usmt-xml-elements-library.md) topic. - -- For answers to common questions, see ".xml files" in the [Frequently Asked Questions](usmt-faq.md) topic. - -## Related topics - - -[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md) - -[USMT Resources](usmt-resources.md) - - - - - - - - - +--- +title: Customize USMT XML Files (Windows 10) +description: Customize USMT XML Files +ms.assetid: d58363c1-fd13-4f65-8b91-9986659dc93e +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Customize USMT XML Files + + +## In This Topic + + +[Overview](#bkmk-overview) + +[Migration .xml Files](#bkmk-migxml) + +[Custom .xml Files](#bkmk-customxmlfiles) + +[The Config.xml File](#bkmk-configxml) + +[Examples](#bkmk-examples) + +[Additional Information](#bkmk-addlinfo) + +## Overview + + +If you want the **ScanState** and **LoadState** tools to use any of the migration .xml files, specify these files at the command line using the **/i** option. Because the **ScanState** and **LoadState** tools need the .xml files to control the migration, specify the same set of .xml files for both the **ScanState** and **LoadState** commands. However, you do not have to specify the Config.xml file with the **/config** option, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store but not to the destination computer. To do this, modify the Config.xml file and specify the updated file with the **LoadState** command. Then the **LoadState** command will migrate only the files and settings that you want to migrate. + +If you leave out an .xml file from the **LoadState** command, all of the data in the store that was migrated with the missing .xml files will be migrated. However, the migration rules that were specified with the **ScanState** command will not apply. For example, if you leave out an .xml file, and it contains a rerouting rule such as: `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files, and they will be migrated to C:\\data. + +To modify the migration, do one or more of the following. + +- **Modify the migration .xml files.** If you want to exclude a portion of a component—for example, you want to migrate C:\\ but exclude all of the .mp3 files—or if you want to move data to a new location on the destination computer, modify the .xml files. To modify these files, you must be familiar with the migration rules and syntax. If you want **ScanState** and **LoadState** to use these files, specify them at the command line when each command is entered. + +- **Create a custom .xml file.** You can also create a custom .xml file to migrate settings for another application, or to change the migration behavior to suit your needs. For **ScanState** and **LoadState** to use this file, specify them on both command lines. + +- **Create and modify a Config.xml file.** Do this if you want to exclude an entire component from the migration. For example, you can use a Config.xml file to exclude the entire My Documents folder, or exclude the settings for an application. Excluding components using a Config.xml file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. In addition, using a Config.xml file is the only way to exclude the operating system settings from being migrated. + +For more information about excluding data, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic. + +## Migration .xml Files + + +This section describes the migration .xml files that are included with USMT. Each file contains migration rules that control which components are migrated and where they are migrated to on the destination computer. + +**Note**   +You can use the asterisk (\*) wildcard character in each of these files. However, you cannot use a question mark (?) as a wildcard character. + + + +- **The MigApp.xml file.** Specify this file with both the **ScanState** and **LoadState** commands to migrate application settings. + +- **The MigDocs.xml file.** Specify this file with both the **ScanState** and **LoadState** tools to migrate all user folders and files that are found by the **MigXmlHelper.GenerateDocPatterns** helper function. This helper function finds user data that resides on the root of any drive and in the Users directory. However, it does not find and migrate any application data, program files, or any files in the Windows directory. You can modify the MigDocs.xml file. + +- **The MigUser.xml file.** Specify this file with both the **ScanState** and **LoadState** commands to migrate user folders, files, and file types. You can modify the MigUser.xml file. This file does not contain rules that migrate specific user accounts. The only way to specify which user accounts to migrate is on the command line using the **ScanState** and the **LoadState** user options. + + **Note**   + Do not use the MigUser.xml and MigDocs.xml files together. For more information, see the [Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md) and [USMT Best Practices](usmt-best-practices.md) topics. + + + +## Custom .xml Files + + +You can create custom .xml files to customize the migration for your unique needs. For example, you may want to create a custom file to migrate a line-of-business application or to modify the default migration behavior. If you want **ScanState** and **LoadState** to use this file, specify it with both commands. For more information, see the How to Create a Custom .xml File topic. + +## The Config.xml File + + +The Config.xml file is an optional file that you create using the **/genconfig** option with the **ScanState** command. You should create and modify this file if you want to exclude certain components from the migration. In addition, you must create and modify this file if you want to exclude any of the operating system settings from being migrated. The Config.xml file format is different from that of the migration .xml files because it does not contain any migration rules. It contains only a list of the operating system components, applications, and the user documents that can be migrated. For an example, see the [Config.xml File](usmt-configxml-file.md) topic. For this reason, excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. However, you cannot use wildcard characters in a Config.xml file. + +If you want to include all of the default components, you do not need to create the Config.xml file. Alternatively, if you are satisfied with the default migration behavior defined in the MigApp.xml, MigDocs.xml, and MigUser.xml files, and you want to exclude only some components, you can create and modify a Config.xml file and leave the other .xml files in their original state. + +When you run the **ScanState** command with the **/genconfig** option, **ScanState** reads the other .xml files that you specify using the **/i** option to create a custom list of components that can be migrated from the computer. This file will contain only operating system components, applications, and the user document sections that are in both of the .xml files and that are installed on the computer when you run the **ScanState** command with the **/genconfig** option. Therefore, you should create this file on a source computer that contains all of the components, applications, and settings that will be present on the destination computers. This will ensure that this file contains every component that can be migrated. The components are organized into sections: <Applications>, <WindowsComponents>, and <Documents>. To choose not to migrate a component, change its entry to `migrate="no"`. + +After you create this file, you need to specify it only with the **ScanState** command using the **/Config** option for it to affect the migration. However, if you want to exclude additional data that you migrated to the store, modify the Config.xml file and specify the updated file with the **LoadState** command. For example, if you collected the My Documents folder in the store, but you decide that you do not want to migrate the My Documents folder to a destination computer, you can modify the Config.xml file to indicate `migrate="no"` before you run the **LoadState** command, and the file will not be migrated. For more information about the precedence that takes place when excluding data, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic. + +In addition, note the following functionality with the Config.xml file: + +- If a parent component is removed from the migration in the Config.xml file by specifying `migrate="no"`, all of its child components will automatically be removed from the migration, even if the child component is set to `migrate="yes"`. + +- If you mistakenly have two lines of code for the same component where one line specifies `migrate="no"` and the other line specifies `migrate="yes"`, the component will be migrated. + +- In USMT there are several migration policies that can be configured in the Config.xml file. For example, you can configure additional **<ErrorControl>**, **<ProfileControl>**, and **<HardLinkStoreControl>** options. For more information, see the [Config.xml File](usmt-configxml-file.md) topic. + +**Note**   +To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration. + + + +### Examples + +- The following command creates a Config.xml file in the current directory, but it does not create a store: + + `scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:5` + +- The following command creates an encrypted store using the Config.xml file and the default migration .xml files: + + `scanstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /o /config:config.xml /v:5 /encrypt /key:"mykey"` + +- The following command decrypts the store and migrates the files and settings: + + `loadstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /v:5 /decrypt /key:"mykey"` + +## Additional Information + + +- For more information about how to change the files and settings that are migrated, see the [User State Migration Tool (USMT) How-to topics](usmt-how-to.md). + +- For more information about each .xml element, see the [XML Elements Library](usmt-xml-elements-library.md) topic. + +- For answers to common questions, see ".xml files" in the [Frequently Asked Questions](usmt-faq.md) topic. + +## Related topics + + +[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md) + +[USMT Resources](usmt-resources.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-determine-what-to-migrate.md b/windows/deployment/usmt/usmt-determine-what-to-migrate.md index c301d5075d..cb04fac7e3 100644 --- a/windows/deployment/usmt/usmt-determine-what-to-migrate.md +++ b/windows/deployment/usmt/usmt-determine-what-to-migrate.md @@ -1,67 +1,67 @@ ---- -title: Determine What to Migrate (Windows 10) -description: Determine What to Migrate -ms.assetid: 01ae1d13-c3eb-4618-b39d-ee5d18d55761 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Determine What to Migrate - - -By default, User State Migration Tool (USMT) 10.0 migrates the items listed in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md), depending on the migration .xml files you specify. These default settings are often enough for a basic migration. - -However, when considering what settings to migrate, you should also consider what settings you would like the user to be able to configure, if any, and what settings you would like to standardize. Many organizations use their migration as an opportunity to create and begin enforcing a better-managed environment. Some of the settings that users can configure on unmanaged computers prior to the migration can be locked on the new, managed computers. For example, standard wallpaper, Internet Explorer security settings, and desktop configuration are some of the items you can choose to standardize. - -To reduce complexity and increase standardization, your organization should consider creating a *standard operating environment (SOE)*. An SOE is a combination of hardware and software that you distribute to all users. This means selecting a baseline for all computers, including standard hardware drivers; core operating system features; core productivity applications, especially if they are under volume licensing; and core utilities. This environment should also include a standard set of security features, as outlined in the organization’s corporate policy. Using a standard operating environment can vastly simplify the migration and reduce overall deployment challenges. - -## In This Section - - - ---- - - - - - - - - - - - - - - - - - - -

          Identify Users

          Use command-line options to specify which users to migrate and how they should be migrated.

          Identify Applications Settings

          Determine which applications you want to migrate and prepare a list of application settings to be migrated.

          Identify Operating System Settings

          Use migration to create a new standard environment on each of the destination computers.

          Identify File Types, Files, and Folders

          Determine and locate the standard, company-specified, and non-standard locations of the file types, files, folders, and settings that you want to migrate.

          - - - -## Related topics - - -[What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) - - - - - - - - - +--- +title: Determine What to Migrate (Windows 10) +description: Determine What to Migrate +ms.assetid: 01ae1d13-c3eb-4618-b39d-ee5d18d55761 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Determine What to Migrate + + +By default, User State Migration Tool (USMT) 10.0 migrates the items listed in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md), depending on the migration .xml files you specify. These default settings are often enough for a basic migration. + +However, when considering what settings to migrate, you should also consider what settings you would like the user to be able to configure, if any, and what settings you would like to standardize. Many organizations use their migration as an opportunity to create and begin enforcing a better-managed environment. Some of the settings that users can configure on unmanaged computers prior to the migration can be locked on the new, managed computers. For example, standard wallpaper, Internet Explorer security settings, and desktop configuration are some of the items you can choose to standardize. + +To reduce complexity and increase standardization, your organization should consider creating a *standard operating environment (SOE)*. An SOE is a combination of hardware and software that you distribute to all users. This means selecting a baseline for all computers, including standard hardware drivers; core operating system features; core productivity applications, especially if they are under volume licensing; and core utilities. This environment should also include a standard set of security features, as outlined in the organization’s corporate policy. Using a standard operating environment can vastly simplify the migration and reduce overall deployment challenges. + +## In This Section + + + ++++ + + + + + + + + + + + + + + + + + + +

          Identify Users

          Use command-line options to specify which users to migrate and how they should be migrated.

          Identify Applications Settings

          Determine which applications you want to migrate and prepare a list of application settings to be migrated.

          Identify Operating System Settings

          Use migration to create a new standard environment on each of the destination computers.

          Identify File Types, Files, and Folders

          Determine and locate the standard, company-specified, and non-standard locations of the file types, files, folders, and settings that you want to migrate.

          + + + +## Related topics + + +[What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-estimate-migration-store-size.md b/windows/deployment/usmt/usmt-estimate-migration-store-size.md index 0c2253be96..34eeb23adc 100644 --- a/windows/deployment/usmt/usmt-estimate-migration-store-size.md +++ b/windows/deployment/usmt/usmt-estimate-migration-store-size.md @@ -1,139 +1,139 @@ ---- -title: Estimate Migration Store Size (Windows 10) -description: Estimate Migration Store Size -ms.assetid: cfb9062b-7a2a-467a-a24e-0b31ce830093 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Estimate Migration Store Size - - -The disk space requirements for a migration are dependent on the size of the migration store and the type of migration. You can estimate the amount of disk space needed for computers in your organization based on information about your organization's infrastructure. You can also calculate the disk space requirements using the ScanState tool. - -## In This Topic - - -- [Hard Disk Space Requirements](#bkmk-spacereqs). Describes the disk space requirements for the migration store and other considerations on the source and destination computers. - -- [Calculate Disk Space Requirements Using the ScanState Tool](#bkmk-calcdiskspace). Describes how to use the ScanState tool to determine how big the migration store will be on a particular computer. - -- [Estimate Migration Store Size](#bkmk-estmigstoresize). Describes how to estimate the average size of migration stores for the computers in your organization, based on your infrastructure. - -## Hard Disk Space Requirements - - -- **Store.** For non-hard-link migrations, you should ensure that there is enough available disk space at the location where you will save your store to contain the data being migrated. You can save your store to another partition, an external storage device such as a USB flash drive or a server. For more information, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md). - -- **Source Computer.** The source computer needs enough available space for the following: - - - [E250 megabytes (MB) minimum of hard disk space.](#bkmk-estmigstoresize) Space is needed to support the User State Migration Tool (USMT) 10.0 operations, for example, growth in the page file. Provided that every volume involved in the migration is formatted as NTFS, 250 MB should be enough space to ensure success for almost every hard-link migration, regardless of the size of the migration. The USMT tools will not create the migration store if 250 MB of disk space is not available. - - - [Temporary space for USMT to run.](#bkmk-estmigstoresize) Additional disk space for the USMT tools to operate is required. This does not include the minimum 250 MB needed to create the migration store. The amount of temporary space required can be calculated using the ScanState tool. - - - [Hard-link migration store.](#bkmk-estmigstoresize) It is not necessary to estimate the size of a hard-link migration store. The only case where the hard-link store can be quite large is when non-NTFS file systems exist on the system and contain data being migrated. - -- [Destination computer.](#bkmk-estmigstoresize) The destination computer needs enough available space for the following: - - - [Operating system.](#bkmk-estmigstoresize) - - - [Applications.](#bkmk-estmigstoresize) - - - [Data being migrated.](#bkmk-estmigstoresize) It is important to consider that in addition to the files being migrated, registry information will also require hard disk space for storage. - - - [Temporary space for USMT to run.](#bkmk-estmigstoresize) Additional disk space for the USMT tools to operate is required. The amount of temporary space required can be calculated using the ScanState tool. - -## Calculate Disk Space Requirements using the ScanState Tool - - -You can use the ScanState tool to calculate the disk space requirements for a particular compressed or uncompressed migration. It is not necessary to estimate the migration store size for a hard-link migration since this method does not create a separate migration store. The ScanState tool provides disk space requirements for the state of the computer at the time the tool is run. The state of the computer may change during day to day use so it is recommended that you use the calculations as an estimate when planning your migration. - -**To run the ScanState tool on the source computer with USMT installed,** - -1. Open a command prompt with administrator privileges. - -2. Navigate to the USMT tools. For example, type - - ``` syntax - cd /d "C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\User State Migration Tool\" - ``` - - Where *<architecture>* is x86 or amd64. - -3. Run the **ScanState** tool to generate an XML report of the space requirements. At the command prompt, type - - ``` syntax - ScanState.exe /p: - ``` - - Where *<StorePath>* is a path to a directory where the migration store will be saved and *<path to a file>* is the path and filename where the XML report for space requirements will be saved. For example, - - ``` syntax - ScanState.exe c:\store /p:c:\spaceRequirements.xml - ``` - - The migration store will not be created by running this command, but `StorePath` is a required parameter. - -The ScanState tool also allows you to estimate disk space requirements based on a customized migration. For example, you might not want to migrate the My Documents folder to the destination computer. You can specify this in a configuration file when you run the ScanState tool. For more information, see [Customize USMT XML Files](usmt-customize-xml-files.md). - -**Note**   -To preserve the functionality of existing applications or scripts that require the previous behavior of USMT, the **/p** option, without specifying *<path to a file>* is still available in USMT. - - - -The space requirements report provides two elements, <**storeSize**> and <**temporarySpace**>. The <**temporarySpace**> value shows the disk space, in bytes, that USMT uses to operate during the migration—this does not include the minimum 250 MB needed to support USMT. The <**storeSize**> value shows the disk space, in bytes, required to host the migration store contents on both the source and destination computers. The following example shows a report generated using **/p:***<path to a file>*. - -```xml - - - - 11010592768 - - - 58189144 - - -``` - -Additionally, USMT performs a compliance check for a required minimum of 250 MB of available disk space and will not create a store if the compliance check fails. - -## Estimate Migration Store Size - - -Determine how much space you will need to store the migrated data. You should base your calculations on the volume of e-mail, personal documents, and system settings for each user. The best way to estimate these is to survey several computers to arrive at an average for the size of the store that you will need. - -The amount of space that is required in the store will vary, depending on the local storage strategies your organization uses. For example, one key element that determines the size of migration data sets is e-mail storage. If e-mail is stored centrally, data sets will be smaller. If e-mail is stored locally, such as offline-storage files, data sets will be larger. Mobile users will typically have larger data sets than workstation users. You should perform tests and inventory the network to determine the average data set size in your organization. - -**Note**   -You can create a space-estimate file (Usmtsize.txt), by using the legacy **/p** command-line option to estimate the size of the store. - - - -When trying to determine how much disk space you will need, consider the following issues: - -- **E-mail** : If users deal with a large volume of e-mail or keep e-mail on their local computers instead of on a mail server, the e-mail can take up as much disk space as all other user files combined. Prior to migrating user data, make sure that users who store e-mail locally synchronize their inboxes with their mail server. - -- **User documents**: Frequently, all of a user's documents fit into less than 50 MB of space, depending on the types of files involved. This estimate assumes typical office work, such as word-processing documents and spreadsheets. This estimate can vary substantially based on the types of documents that your organization uses. For example, an architectural firm that predominantly uses computer-aided design (CAD) files needs much more space than a law firm that primarily uses word-processing documents. You do not need to migrate the documents that users store on file servers through mechanisms such as Folder Redirection, as long as users will have access to these locations after the migration. - -- **User system settings** Five megabytes is usually adequate space to save the registry settings. This requirement can fluctuate, however, based on the number of applications that have been installed. It is rare, however, for the user-specific portion of the registry to exceed 5 MB. - -## Related topics - - -[Common Migration Scenarios](usmt-common-migration-scenarios.md) - - - - - - - - - +--- +title: Estimate Migration Store Size (Windows 10) +description: Estimate Migration Store Size +ms.assetid: cfb9062b-7a2a-467a-a24e-0b31ce830093 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Estimate Migration Store Size + + +The disk space requirements for a migration are dependent on the size of the migration store and the type of migration. You can estimate the amount of disk space needed for computers in your organization based on information about your organization's infrastructure. You can also calculate the disk space requirements using the ScanState tool. + +## In This Topic + + +- [Hard Disk Space Requirements](#bkmk-spacereqs). Describes the disk space requirements for the migration store and other considerations on the source and destination computers. + +- [Calculate Disk Space Requirements Using the ScanState Tool](#bkmk-calcdiskspace). Describes how to use the ScanState tool to determine how big the migration store will be on a particular computer. + +- [Estimate Migration Store Size](#bkmk-estmigstoresize). Describes how to estimate the average size of migration stores for the computers in your organization, based on your infrastructure. + +## Hard Disk Space Requirements + + +- **Store.** For non-hard-link migrations, you should ensure that there is enough available disk space at the location where you will save your store to contain the data being migrated. You can save your store to another partition, an external storage device such as a USB flash drive or a server. For more information, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md). + +- **Source Computer.** The source computer needs enough available space for the following: + + - [E250 megabytes (MB) minimum of hard disk space.](#bkmk-estmigstoresize) Space is needed to support the User State Migration Tool (USMT) 10.0 operations, for example, growth in the page file. Provided that every volume involved in the migration is formatted as NTFS, 250 MB should be enough space to ensure success for almost every hard-link migration, regardless of the size of the migration. The USMT tools will not create the migration store if 250 MB of disk space is not available. + + - [Temporary space for USMT to run.](#bkmk-estmigstoresize) Additional disk space for the USMT tools to operate is required. This does not include the minimum 250 MB needed to create the migration store. The amount of temporary space required can be calculated using the ScanState tool. + + - [Hard-link migration store.](#bkmk-estmigstoresize) It is not necessary to estimate the size of a hard-link migration store. The only case where the hard-link store can be quite large is when non-NTFS file systems exist on the system and contain data being migrated. + +- [Destination computer.](#bkmk-estmigstoresize) The destination computer needs enough available space for the following: + + - [Operating system.](#bkmk-estmigstoresize) + + - [Applications.](#bkmk-estmigstoresize) + + - [Data being migrated.](#bkmk-estmigstoresize) It is important to consider that in addition to the files being migrated, registry information will also require hard disk space for storage. + + - [Temporary space for USMT to run.](#bkmk-estmigstoresize) Additional disk space for the USMT tools to operate is required. The amount of temporary space required can be calculated using the ScanState tool. + +## Calculate Disk Space Requirements using the ScanState Tool + + +You can use the ScanState tool to calculate the disk space requirements for a particular compressed or uncompressed migration. It is not necessary to estimate the migration store size for a hard-link migration since this method does not create a separate migration store. The ScanState tool provides disk space requirements for the state of the computer at the time the tool is run. The state of the computer may change during day to day use so it is recommended that you use the calculations as an estimate when planning your migration. + +**To run the ScanState tool on the source computer with USMT installed,** + +1. Open a command prompt with administrator privileges. + +2. Navigate to the USMT tools. For example, type + + ``` syntax + cd /d "C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\User State Migration Tool\" + ``` + + Where *<architecture>* is x86 or amd64. + +3. Run the **ScanState** tool to generate an XML report of the space requirements. At the command prompt, type + + ``` syntax + ScanState.exe /p: + ``` + + Where *<StorePath>* is a path to a directory where the migration store will be saved and *<path to a file>* is the path and filename where the XML report for space requirements will be saved. For example, + + ``` syntax + ScanState.exe c:\store /p:c:\spaceRequirements.xml + ``` + + The migration store will not be created by running this command, but `StorePath` is a required parameter. + +The ScanState tool also allows you to estimate disk space requirements based on a customized migration. For example, you might not want to migrate the My Documents folder to the destination computer. You can specify this in a configuration file when you run the ScanState tool. For more information, see [Customize USMT XML Files](usmt-customize-xml-files.md). + +**Note**   +To preserve the functionality of existing applications or scripts that require the previous behavior of USMT, the **/p** option, without specifying *<path to a file>* is still available in USMT. + + + +The space requirements report provides two elements, <**storeSize**> and <**temporarySpace**>. The <**temporarySpace**> value shows the disk space, in bytes, that USMT uses to operate during the migration—this does not include the minimum 250 MB needed to support USMT. The <**storeSize**> value shows the disk space, in bytes, required to host the migration store contents on both the source and destination computers. The following example shows a report generated using **/p:***<path to a file>*. + +```xml + + + + 11010592768 + + + 58189144 + + +``` + +Additionally, USMT performs a compliance check for a required minimum of 250 MB of available disk space and will not create a store if the compliance check fails. + +## Estimate Migration Store Size + + +Determine how much space you will need to store the migrated data. You should base your calculations on the volume of e-mail, personal documents, and system settings for each user. The best way to estimate these is to survey several computers to arrive at an average for the size of the store that you will need. + +The amount of space that is required in the store will vary, depending on the local storage strategies your organization uses. For example, one key element that determines the size of migration data sets is e-mail storage. If e-mail is stored centrally, data sets will be smaller. If e-mail is stored locally, such as offline-storage files, data sets will be larger. Mobile users will typically have larger data sets than workstation users. You should perform tests and inventory the network to determine the average data set size in your organization. + +**Note**   +You can create a space-estimate file (Usmtsize.txt), by using the legacy **/p** command-line option to estimate the size of the store. + + + +When trying to determine how much disk space you will need, consider the following issues: + +- **E-mail** : If users deal with a large volume of e-mail or keep e-mail on their local computers instead of on a mail server, the e-mail can take up as much disk space as all other user files combined. Prior to migrating user data, make sure that users who store e-mail locally synchronize their inboxes with their mail server. + +- **User documents**: Frequently, all of a user's documents fit into less than 50 MB of space, depending on the types of files involved. This estimate assumes typical office work, such as word-processing documents and spreadsheets. This estimate can vary substantially based on the types of documents that your organization uses. For example, an architectural firm that predominantly uses computer-aided design (CAD) files needs much more space than a law firm that primarily uses word-processing documents. You do not need to migrate the documents that users store on file servers through mechanisms such as Folder Redirection, as long as users will have access to these locations after the migration. + +- **User system settings** Five megabytes is usually adequate space to save the registry settings. This requirement can fluctuate, however, based on the number of applications that have been installed. It is rare, however, for the user-specific portion of the registry to exceed 5 MB. + +## Related topics + + +[Common Migration Scenarios](usmt-common-migration-scenarios.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-exclude-files-and-settings.md b/windows/deployment/usmt/usmt-exclude-files-and-settings.md index 4566d2d488..21a829f394 100644 --- a/windows/deployment/usmt/usmt-exclude-files-and-settings.md +++ b/windows/deployment/usmt/usmt-exclude-files-and-settings.md @@ -1,279 +1,279 @@ ---- -title: Exclude Files and Settings (Windows 10) -description: Exclude Files and Settings -ms.assetid: df85baf1-6e29-4995-a4bb-ba3f8f7fed0b -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Exclude Files and Settings -When you specify the migration .xml files, MigApp.xml, Migdocs, and MigUser.xml, the User State Migration Tool (USMT) 10.0 migrates the settings and components listed, as discussed in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) You can create a custom .xml file to further specify what to include or exclude in the migration. In addition you can create a Config.xml file to exclude an entire component from a migration. You cannot, however, exclude users by using the migration .xml files or the Config.xml file. The only way to specify which users to include and exclude is by using the User options on the command line in the ScanState tool. For more information, see [ScanState Syntax](usmt-scanstate-syntax.md). - -In this topic: - -- [Create a custom .xml file](#create-a-custom-xml-file). You can use the following elements to specify what to exclude: - - - include and exclude: You can use the <include> and <exclude> elements to exclude objects with conditions. For example, you can migrate all files located in the C:\\ drive, except any .mp3 files. It is important to remember that [Conflicts and Precedence](usmt-conflicts-and-precedence.md) apply to these elements. - - - [unconditionalExclude](#example-1-how-to-migrate-all-files-from-c-except-mp3-files): You can use the <unconditionalExclude> element to globally exclude data. This element takes precedence over all other include and exclude rules in the .xml files. Therefore, this element excludes objects regardless of any other <include> rules that are in the .xml files. For example, you can exclude all .mp3 files on the computer, or you can exclude all files from C:\\UserData. - -- [Create a Config.xml File](#create-a-config-xml-file): You can create and modify a Config.xml file to exclude an entire component from the migration. For example, you can use this file to exclude the settings for one of the default applications. In addition, creating and modifying a Config.xml file is the only way to exclude the operating-system settings that are migrated to computers running Windows. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. - -## Create a custom .xml file -We recommend that you create a custom .xml file instead of modifying the default migration .xml files. When you use a custom .xml file, you can keep your changes separate from the default .xml files, which makes it easier to track your modifications. - -### <include> and <exclude> -The migration .xml files, MigApp.xml, MigDocs, and MigUser.xml, contain the <component> element, which typically represents a self-contained component or an application such as Microsoft® Office Outlook® and Word. To exclude the files and registry settings that are associated with these components, use the <include> and <exclude> elements. For example, you can use these elements to migrate all files and settings with pattern X except files and settings with pattern Y, where Y is more specific than X. For the syntax of these elements, see [USMT XML Reference](usmt-xml-reference.md). - -**Note**   -If you specify an <exclude> rule, always specify a corresponding <include> rule. Otherwise, if you do not specify an <include> rule, the specific files or settings will not be included. They will already be excluded from the migration. Thus, an unaccompanied <exclude> rule is unnecessary. - -- [Example 1: How to migrate all files from C:\\ except .mp3 files](#example-1-how-to-migrate-all-files-from-c-except-mp3-files) - -- [Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp](#example-2-how-to-migrate-all-files-located-in-cdata-except-files-in-cdatatmp) - -- [Example 3: How to exclude the files in a folder but include all subfolders](#example-3-how-to-exclude-the-files-in-a-folder-but-include-all-subfolders) - -- [Example 4: How to exclude a file from a specific folder](#example-4-how-to-exclude-a-file-from-a-specific-folder) - -- [Example 5: How to exclude a file from any location](#example-5-how-to-exclude-a-file-from-any-location) - -### Example 1: How to migrate all files from C:\\ except .mp3 files -The following .xml file migrates all files located on the C: drive, except any .mp3 files. - -``` xml - - - - MP3 Files - - - - - C:\* [*] - - - - - C:\* [*.mp3] - - - - - - -``` -### Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp -The following .xml file migrates all files and subfolders in C:\\Data, except the files and subfolders in C:\\Data\\tmp. - -``` xml - - - Test component - - - - - C:\Data\* [*] - - - - - C:\Data\temp\* [*] - - - - - - -``` - -### Example 3: How to exclude the files in a folder but include all subfolders -The following .xml file migrates any subfolders in C:\\EngineeringDrafts, but excludes all files that are in C:\\EngineeringDrafts. - -``` xml - - - Component to migrate all Engineering Drafts Documents without subfolders - - - - - C:\EngineeringDrafts\* [*] - - - - - C:\EngineeringDrafts\ [*] - - - - - - -``` - -### Example 4: How to exclude a file from a specific folder -The following .xml file migrates all files and subfolders in C:\\EngineeringDrafts, except for the Sample.doc file in C:\\EngineeringDrafts. - -``` xml - - - Component to migrate all Engineering Drafts Documents except Sample.doc - - - - - C:\EngineeringDrafts\* [*] - - - - - C:\EngineeringDrafts\ [Sample.doc] - - - - - - -``` - -### Example 5: How to exclude a file from any location -To exclude a Sample.doc file from any location on the C: drive, use the <pattern> element. If multiple files exist with the same name on the C: drive, all of these files will be excluded. - -``` xml - C:\* [Sample.doc] -``` - -To exclude a Sample.doc file from any drive on the computer, use the <script> element. If multiple files exist with the same name, all of these files will be excluded. - -``` xml - -``` -#### Examples of how to use XML to exclude files, folders, and registry keys -Here are some examples of how to use XML to exclude files, folders, and registry keys. For more info, see [USMT XML Reference](usmt-xml-reference.md) - -**Example 1: How to exclude all .mp3 files**
          -The following .xml file excludes all .mp3 files from the migration: - -``` xml - - - Test - - - - - - - - - - - -``` -**Example 2: How to exclude all of the files on a specific drive**
          -The following .xml file excludes only the files located on the C: drive. - -``` xml - - - Test - - - - - c:\*[*] - - - - - - -``` -**Example 3: How to exclude registry keys**
          -The following .xml file unconditionally excludes the HKEY_CURRENT_USER registry key and all of its subkeys. - -``` xml - - - - Test - - - - - HKCU\testReg[*] - - - - - HKCU\*[*] - - - - - - -``` -**Example 4: How to Exclude `C:\Windows` and `C:\Program Files`**
          -The following .xml file unconditionally excludes the system folders of `C:\Windows` and `C:\Program Files`. Note that all \*.docx, \*.xls and \*.ppt files will not be migrated because the <unconditionalExclude> element takes precedence over the <include> element. - -``` xml - - - - Test - - - - - - - - - - - - C:\Program Files\* [*] -C:\Windows\* [*] - - - - - - -``` -## Create a Config XML File -You can create and modify a Config.xml file if you want to exclude components from the migration. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. Config.xml is an optional file that you can create using the **/genconfig** command-line option with the ScanState tool. For example, you can use the Config.xml file to exclude the settings for one of the default applications. In addition, creating and modifying this file is the only way to exclude the operating-system settings that are migrated to computers running Windows. - -- **To exclude the settings for a default application:** Specify `migrate="no"` for the application under the <Applications> section of the Config.xml file. - -- **To exclude an operating system setting:** Specify `migrate="no"` for the setting under the <WindowsComponents> section. - -- **To exclude My Documents:** Specify `migrate="no"` for My Documents under the <Documents> section. Note that any <include> rules in the .xml files will still apply. For example, if you have a rule that includes all the .docx files in My Documents, then only the .docx files will be migrated, but the rest of the files will not. - -See [Config.xml File](usmt-configxml-file.md) for more information. - -**Note**   -To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration. - -## Related topics -- [Customize USMT XML Files](usmt-customize-xml-files.md) -- [USMT XML Reference](usmt-xml-reference.md) - - - - - - - - - +--- +title: Exclude Files and Settings (Windows 10) +description: Exclude Files and Settings +ms.assetid: df85baf1-6e29-4995-a4bb-ba3f8f7fed0b +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Exclude Files and Settings +When you specify the migration .xml files, MigApp.xml, Migdocs, and MigUser.xml, the User State Migration Tool (USMT) 10.0 migrates the settings and components listed, as discussed in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) You can create a custom .xml file to further specify what to include or exclude in the migration. In addition you can create a Config.xml file to exclude an entire component from a migration. You cannot, however, exclude users by using the migration .xml files or the Config.xml file. The only way to specify which users to include and exclude is by using the User options on the command line in the ScanState tool. For more information, see [ScanState Syntax](usmt-scanstate-syntax.md). + +In this topic: + +- [Create a custom .xml file](#create-a-custom-xml-file). You can use the following elements to specify what to exclude: + + - include and exclude: You can use the <include> and <exclude> elements to exclude objects with conditions. For example, you can migrate all files located in the C:\\ drive, except any .mp3 files. It is important to remember that [Conflicts and Precedence](usmt-conflicts-and-precedence.md) apply to these elements. + + - [unconditionalExclude](#example-1-how-to-migrate-all-files-from-c-except-mp3-files): You can use the <unconditionalExclude> element to globally exclude data. This element takes precedence over all other include and exclude rules in the .xml files. Therefore, this element excludes objects regardless of any other <include> rules that are in the .xml files. For example, you can exclude all .mp3 files on the computer, or you can exclude all files from C:\\UserData. + +- [Create a Config.xml File](#create-a-config-xml-file): You can create and modify a Config.xml file to exclude an entire component from the migration. For example, you can use this file to exclude the settings for one of the default applications. In addition, creating and modifying a Config.xml file is the only way to exclude the operating-system settings that are migrated to computers running Windows. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. + +## Create a custom .xml file +We recommend that you create a custom .xml file instead of modifying the default migration .xml files. When you use a custom .xml file, you can keep your changes separate from the default .xml files, which makes it easier to track your modifications. + +### <include> and <exclude> +The migration .xml files, MigApp.xml, MigDocs, and MigUser.xml, contain the <component> element, which typically represents a self-contained component or an application such as Microsoft® Office Outlook® and Word. To exclude the files and registry settings that are associated with these components, use the <include> and <exclude> elements. For example, you can use these elements to migrate all files and settings with pattern X except files and settings with pattern Y, where Y is more specific than X. For the syntax of these elements, see [USMT XML Reference](usmt-xml-reference.md). + +**Note**   +If you specify an <exclude> rule, always specify a corresponding <include> rule. Otherwise, if you do not specify an <include> rule, the specific files or settings will not be included. They will already be excluded from the migration. Thus, an unaccompanied <exclude> rule is unnecessary. + +- [Example 1: How to migrate all files from C:\\ except .mp3 files](#example-1-how-to-migrate-all-files-from-c-except-mp3-files) + +- [Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp](#example-2-how-to-migrate-all-files-located-in-cdata-except-files-in-cdatatmp) + +- [Example 3: How to exclude the files in a folder but include all subfolders](#example-3-how-to-exclude-the-files-in-a-folder-but-include-all-subfolders) + +- [Example 4: How to exclude a file from a specific folder](#example-4-how-to-exclude-a-file-from-a-specific-folder) + +- [Example 5: How to exclude a file from any location](#example-5-how-to-exclude-a-file-from-any-location) + +### Example 1: How to migrate all files from C:\\ except .mp3 files +The following .xml file migrates all files located on the C: drive, except any .mp3 files. + +``` xml + + + + MP3 Files + + + + + C:\* [*] + + + + + C:\* [*.mp3] + + + + + + +``` +### Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp +The following .xml file migrates all files and subfolders in C:\\Data, except the files and subfolders in C:\\Data\\tmp. + +``` xml + + + Test component + + + + + C:\Data\* [*] + + + + + C:\Data\temp\* [*] + + + + + + +``` + +### Example 3: How to exclude the files in a folder but include all subfolders +The following .xml file migrates any subfolders in C:\\EngineeringDrafts, but excludes all files that are in C:\\EngineeringDrafts. + +``` xml + + + Component to migrate all Engineering Drafts Documents without subfolders + + + + + C:\EngineeringDrafts\* [*] + + + + + C:\EngineeringDrafts\ [*] + + + + + + +``` + +### Example 4: How to exclude a file from a specific folder +The following .xml file migrates all files and subfolders in C:\\EngineeringDrafts, except for the Sample.doc file in C:\\EngineeringDrafts. + +``` xml + + + Component to migrate all Engineering Drafts Documents except Sample.doc + + + + + C:\EngineeringDrafts\* [*] + + + + + C:\EngineeringDrafts\ [Sample.doc] + + + + + + +``` + +### Example 5: How to exclude a file from any location +To exclude a Sample.doc file from any location on the C: drive, use the <pattern> element. If multiple files exist with the same name on the C: drive, all of these files will be excluded. + +``` xml + C:\* [Sample.doc] +``` + +To exclude a Sample.doc file from any drive on the computer, use the <script> element. If multiple files exist with the same name, all of these files will be excluded. + +``` xml + +``` +#### Examples of how to use XML to exclude files, folders, and registry keys +Here are some examples of how to use XML to exclude files, folders, and registry keys. For more info, see [USMT XML Reference](usmt-xml-reference.md) + +**Example 1: How to exclude all .mp3 files**
          +The following .xml file excludes all .mp3 files from the migration: + +``` xml + + + Test + + + + + + + + + + + +``` +**Example 2: How to exclude all of the files on a specific drive**
          +The following .xml file excludes only the files located on the C: drive. + +``` xml + + + Test + + + + + c:\*[*] + + + + + + +``` +**Example 3: How to exclude registry keys**
          +The following .xml file unconditionally excludes the HKEY_CURRENT_USER registry key and all of its subkeys. + +``` xml + + + + Test + + + + + HKCU\testReg[*] + + + + + HKCU\*[*] + + + + + + +``` +**Example 4: How to Exclude `C:\Windows` and `C:\Program Files`**
          +The following .xml file unconditionally excludes the system folders of `C:\Windows` and `C:\Program Files`. Note that all \*.docx, \*.xls and \*.ppt files will not be migrated because the <unconditionalExclude> element takes precedence over the <include> element. + +``` xml + + + + Test + + + + + + + + + + + + C:\Program Files\* [*] +C:\Windows\* [*] + + + + + + +``` +## Create a Config XML File +You can create and modify a Config.xml file if you want to exclude components from the migration. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. Config.xml is an optional file that you can create using the **/genconfig** command-line option with the ScanState tool. For example, you can use the Config.xml file to exclude the settings for one of the default applications. In addition, creating and modifying this file is the only way to exclude the operating-system settings that are migrated to computers running Windows. + +- **To exclude the settings for a default application:** Specify `migrate="no"` for the application under the <Applications> section of the Config.xml file. + +- **To exclude an operating system setting:** Specify `migrate="no"` for the setting under the <WindowsComponents> section. + +- **To exclude My Documents:** Specify `migrate="no"` for My Documents under the <Documents> section. Note that any <include> rules in the .xml files will still apply. For example, if you have a rule that includes all the .docx files in My Documents, then only the .docx files will be migrated, but the rest of the files will not. + +See [Config.xml File](usmt-configxml-file.md) for more information. + +**Note**   +To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration. + +## Related topics +- [Customize USMT XML Files](usmt-customize-xml-files.md) +- [USMT XML Reference](usmt-xml-reference.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md index 1eb40410a6..6a97acb78b 100644 --- a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md +++ b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md @@ -1,122 +1,122 @@ ---- -title: Extract Files from a Compressed USMT Migration Store (Windows 10) -description: Extract Files from a Compressed USMT Migration Store -ms.assetid: ad9fbd6e-f89e-4444-8538-9b11566b1f33 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Extract Files from a Compressed USMT Migration Store - - -When you migrate files and settings during a typical PC-refresh migration, you usually create a compressed migration store file on the intermediate store. This migration store is a single image file that contains all files being migrated as well as a catalog file. To protect the compressed file, you can encrypt it by using different encryption algorithms. When you migrate the file back to the source computer after the operating system is installed, you can run the **Usmtutils** command with the **/extract** option to recover the files from the compressed migration store. You can also use the **Usmtutils** command with the **/extract** option any time you need to recover data from a migration store. - -Options used with the **/extract** option can specify: - -- The cryptographic algorithm that was used to create the migration store. - -- The encryption key or the text file that contains the encryption key. - -- Include and exclude patterns for selective data extraction. - -In addition, you can specify the file patterns that you want to extract by using the **/i** option to include file patterns or the **/e** option to exclude file patterns. When both the **/i** option and the **/e** option are used in the same command, include patterns take precedence over exclude patterns. Note that this is different from the include and exclude rules used in the ScanState and LoadState tools. - -## In this topic - - -- [To run the USMTutils tool with the /extract option](#bkmk-extractsyntax) - -- [To extract all files from a compressed migration store](#bkmk-extractallfiles) - -- [To extract specific file types from an encrypted compressed migration store](#bkmk-extractspecificfiles) - -- [To extract all but one, or more, file types from an encrypted compressed migration store](#bkmk-excludefilepattern) - -- [To extract file types using the include pattern and the exclude pattern](#bkmk-includeexcludefiles) - -### To run the USMTutils tool with the /extract option - -To extract files from the compressed migration store onto the destination computer, use the following USMTutils syntax: - -Cd /d <USMTpath> usmtutils /extract <filePath> <destinationPath> \[/i:<includePattern>\] \[/e:<excludePattern>\] \[/l:<logfile>\] \[/decrypt\[:<AlgID>\] {/key:<keystring> | /keyfile:<filename>}\] \[/o\] - -Where the placeholders have the following values: - -- *<USMTpath>* is the location where you have saved the USMT files and tools. - -- *<filePath>* is the location of the migration store. - -- *<destination path>* is the location of the file where you want the **/extract** option to put the extracted migration store contents. - -- *<includePattern>* specifies the pattern for the files to include in the extraction. - -- *<excludePattern>* specifies the pattern for the files to omit from the extraction. - -- *<AlgID>* is the cryptographic algorithm that was used to create the migration store on the **ScanState** command line. - -- *<logfile>* is the location and name of the log file. - -- *<keystring>* is the encryption key that was used to encrypt the migration store. - -- *<filename>* is the location and name of the text file that contains the encryption key. - -### To extract all files from a compressed migration store - -To extract everything from a compressed migration store to a file on the C:\\ drive, type: - -``` syntax -usmtutils /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore -``` - -### To extract specific file types from an encrypted compressed migration store - -To extract specific files, such as .txt and .pdf files, from an encrypted compressed migration store, type: - -``` syntax -usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt,*.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt -``` - -In this example, the file is encrypted and the encryption key is located in a text file called encryptionKey. - -### To extract all but one, or more, file types from an encrypted compressed migration store - -To extract all files except for one file type, such as .exe files, from an encrypted compressed migration store, type: - -``` syntax -usmtutils /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtutilslog.txt -``` - -### To extract file types using the include pattern and the exclude pattern - -To extract files from a compressed migration store, and to exclude files of one type (such as .exe files) while including only specific files, use both the include pattern and the exclude pattern, as in this example: - -``` syntax -usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o -``` - -In this example, if there is a myProject.exe file, it will also be extracted because the include pattern option takes precedence over the exclude pattern option. - -## Related topics - - -[UsmtUtils Syntax](usmt-utilities.md) - -[Return Codes](usmt-return-codes.md) - -[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md) - -  - -  - - - - - +--- +title: Extract Files from a Compressed USMT Migration Store (Windows 10) +description: Extract Files from a Compressed USMT Migration Store +ms.assetid: ad9fbd6e-f89e-4444-8538-9b11566b1f33 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Extract Files from a Compressed USMT Migration Store + + +When you migrate files and settings during a typical PC-refresh migration, you usually create a compressed migration store file on the intermediate store. This migration store is a single image file that contains all files being migrated as well as a catalog file. To protect the compressed file, you can encrypt it by using different encryption algorithms. When you migrate the file back to the source computer after the operating system is installed, you can run the **Usmtutils** command with the **/extract** option to recover the files from the compressed migration store. You can also use the **Usmtutils** command with the **/extract** option any time you need to recover data from a migration store. + +Options used with the **/extract** option can specify: + +- The cryptographic algorithm that was used to create the migration store. + +- The encryption key or the text file that contains the encryption key. + +- Include and exclude patterns for selective data extraction. + +In addition, you can specify the file patterns that you want to extract by using the **/i** option to include file patterns or the **/e** option to exclude file patterns. When both the **/i** option and the **/e** option are used in the same command, include patterns take precedence over exclude patterns. Note that this is different from the include and exclude rules used in the ScanState and LoadState tools. + +## In this topic + + +- [To run the USMTutils tool with the /extract option](#bkmk-extractsyntax) + +- [To extract all files from a compressed migration store](#bkmk-extractallfiles) + +- [To extract specific file types from an encrypted compressed migration store](#bkmk-extractspecificfiles) + +- [To extract all but one, or more, file types from an encrypted compressed migration store](#bkmk-excludefilepattern) + +- [To extract file types using the include pattern and the exclude pattern](#bkmk-includeexcludefiles) + +### To run the USMTutils tool with the /extract option + +To extract files from the compressed migration store onto the destination computer, use the following USMTutils syntax: + +Cd /d <USMTpath> usmtutils /extract <filePath> <destinationPath> \[/i:<includePattern>\] \[/e:<excludePattern>\] \[/l:<logfile>\] \[/decrypt\[:<AlgID>\] {/key:<keystring> | /keyfile:<filename>}\] \[/o\] + +Where the placeholders have the following values: + +- *<USMTpath>* is the location where you have saved the USMT files and tools. + +- *<filePath>* is the location of the migration store. + +- *<destination path>* is the location of the file where you want the **/extract** option to put the extracted migration store contents. + +- *<includePattern>* specifies the pattern for the files to include in the extraction. + +- *<excludePattern>* specifies the pattern for the files to omit from the extraction. + +- *<AlgID>* is the cryptographic algorithm that was used to create the migration store on the **ScanState** command line. + +- *<logfile>* is the location and name of the log file. + +- *<keystring>* is the encryption key that was used to encrypt the migration store. + +- *<filename>* is the location and name of the text file that contains the encryption key. + +### To extract all files from a compressed migration store + +To extract everything from a compressed migration store to a file on the C:\\ drive, type: + +``` syntax +usmtutils /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore +``` + +### To extract specific file types from an encrypted compressed migration store + +To extract specific files, such as .txt and .pdf files, from an encrypted compressed migration store, type: + +``` syntax +usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt,*.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt +``` + +In this example, the file is encrypted and the encryption key is located in a text file called encryptionKey. + +### To extract all but one, or more, file types from an encrypted compressed migration store + +To extract all files except for one file type, such as .exe files, from an encrypted compressed migration store, type: + +``` syntax +usmtutils /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtutilslog.txt +``` + +### To extract file types using the include pattern and the exclude pattern + +To extract files from a compressed migration store, and to exclude files of one type (such as .exe files) while including only specific files, use both the include pattern and the exclude pattern, as in this example: + +``` syntax +usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o +``` + +In this example, if there is a myProject.exe file, it will also be extracted because the include pattern option takes precedence over the exclude pattern option. + +## Related topics + + +[UsmtUtils Syntax](usmt-utilities.md) + +[Return Codes](usmt-return-codes.md) + +[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md) + +  + +  + + + + + diff --git a/windows/deployment/usmt/usmt-faq.md b/windows/deployment/usmt/usmt-faq.md index 21a5b714f0..49092e9f6f 100644 --- a/windows/deployment/usmt/usmt-faq.md +++ b/windows/deployment/usmt/usmt-faq.md @@ -1,137 +1,137 @@ ---- -title: Frequently Asked Questions (Windows 10) -description: Frequently Asked Questions -ms.assetid: 813c13a7-6818-4e6e-9284-7ee49493241b -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Frequently Asked Questions - - -The following sections provide frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0. - -## General - - -### How much space is needed on the destination computer? - -The destination computer needs enough available space for the following: - -- Operating system - -- Applications - -- Uncompressed store - -### Can I store the files and settings directly on the destination computer or do I need a server? - -You do not need to save the files to a server. If you are moving the user state to a new computer, you can create the store on a shared folder, on media that you can remove, such as a USB flash drive (UFD), or you can store it directly on the destination computer, as in the following steps: - -1. Create and share the directory C:\\store on the destination computer. - -2. Run the ScanState tool on the source computer and save the files and settings to \\\\*DestinationComputerName*\\store - -3. Run the LoadState tool on the destination computer and specify C:\\store as the store location. - -### Can I migrate data between operating systems with different languages? - -No. USMT does not support migrating data between operating systems with different languages; the source computer's operating-system language must match the destination computer's operating-system language. - -### Can I change the location of the temporary directory on the destination computer? - -Yes. The environment variable USMT\_WORKING\_DIR can be changed to an alternative temporary directory. There are some offline migration scenarios where this is necessary, for example, when the USMT binaries are located on read-only Windows Preinstallation Environment (WinPE) boot media. - -### How do I install USMT? - -Because USMT is included in Windows Assessment and Deployment Kit (Windows ADK), you need to install the Windows ADK package on at least one computer in your environment. However, the USMT binaries are designed to be deployed using xcopy. This means that they are installed on a computer simply by recursively copying the USMT directory from the computer containing the Windows ADK to each client computer. - -### How do I uninstall USMT? - -If you have installed the Windows ADK on the computer, uninstalling Windows ADK will uninstall USMT. For client computers that do not have the Windows ADK installed, you can simply delete the USMT directory to uninstall USMT. - -## Files and Settings - - -### How can I exclude a folder or a certain type of file from the migration? - -You can use the **<unconditionalExclude>** element to globally exclude data from the migration. For example, you can use this element to exclude all MP3 files on the computer or to exclude all files from C:\\UserData. This element excludes objects regardless of any other <include> rules that are in the .xml files. For an example, see <unconditionalExclude> in the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic. For the syntax of this element, see [XML Elements Library](usmt-xml-elements-library.md). - -### What happens to files that were located on a drive that does not exist on the destination computer? - -USMT migrates the files to the %SystemDrive% while maintaining the correct folder hierarchy. For example, if E:\\data\\File.pst is on the source computer, but the destination computer does not have an E:\\ drive, the file will be migrated to C:\\data\\File.pst, if C:\\ is the system drive. This holds true even when <locationModify> rules attempt to move data to a drive that does not exist on the destination computer. - -## USMT .xml Files - - -### Where can I get examples of USMT .xml files? - -The following topics include examples of USMT .xml files: - -- [Exclude Files and Settings](usmt-exclude-files-and-settings.md) - -- [Reroute Files and Settings](usmt-reroute-files-and-settings.md) - -- [Include Files and Settings](usmt-include-files-and-settings.md) - -- [Custom XML Examples](usmt-custom-xml-examples.md) - -### Can I use custom .xml files that were written for USMT 5.0? - -Yes. You can use custom .xml files that were written for USMT 5.0 with USMT for Windows 10. However, in order to use new USMT functionality, you must revisit your custom USMT files and refresh them to include the new command-line options and XML elements. - -### How can I validate the .xml files? - -You can use the USMT XML Schema (MigXML.xsd) to write and validate migration .xml files. - -### Why must I list the .xml files with both the ScanState and LoadState commands? - -The .xml files are not copied to the store as in previous versions of USMT. Because the ScanState and LoadState tools need the .xml files to control the migration, you must specify the same set of .xml files for the **ScanState** and **LoadState** commands. If you used a particular set of mig\*.xml files in the ScanState tool, either called through the "/auto" option, or individually through the "/i" option, then you should use same option to call the exact same mig\*.xml files in the LoadState tool. However, you do not have to specify the Config.xml file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store, but not to the destination computer. To do this, modify the Config.xml file and specify the updated file with the **LoadState** command. **LoadState** will migrate only the files and settings that you want to migrate. - -If you exclude an .xml file from the **LoadState** command, then all of the data that is in the store that was migrated with the missing .xml files will be migrated. However, the migration rules that were specified for the **ScanState** command will not apply. For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data. - -### Which files can I modify and specify on the command line? - -You can specify the MigUser.xml and MigApp.xml files on the command line. You can modify each of these files. The migration of operating system settings is controlled by the manifests, which you cannot modify. If you want to exclude certain operating-system settings or any other components, create and modify the Config.xml file. - -### What happens if I do not specify the .xml files on the command line? - -- **ScanState** - - If you do not specify any files with the **ScanState** command, all user accounts and default operating system components are migrated. - -- **LoadState** - - If you do not specify any files with the **LoadState** command, all data that is in the store is migrated. However, any target-specific migration rules that were specified in .xml files with the **ScanState** command will not apply. For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data. - -## Conflicts and Precedence - - -### What happens when there are conflicting XML rules or conflicting objects on the destination computer? - -For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). - -## Related topics - - -[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) - -[Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md) - -[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md) - -  - -  - - - - - +--- +title: Frequently Asked Questions (Windows 10) +description: Frequently Asked Questions +ms.assetid: 813c13a7-6818-4e6e-9284-7ee49493241b +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Frequently Asked Questions + + +The following sections provide frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0. + +## General + + +### How much space is needed on the destination computer? + +The destination computer needs enough available space for the following: + +- Operating system + +- Applications + +- Uncompressed store + +### Can I store the files and settings directly on the destination computer or do I need a server? + +You do not need to save the files to a server. If you are moving the user state to a new computer, you can create the store on a shared folder, on media that you can remove, such as a USB flash drive (UFD), or you can store it directly on the destination computer, as in the following steps: + +1. Create and share the directory C:\\store on the destination computer. + +2. Run the ScanState tool on the source computer and save the files and settings to \\\\*DestinationComputerName*\\store + +3. Run the LoadState tool on the destination computer and specify C:\\store as the store location. + +### Can I migrate data between operating systems with different languages? + +No. USMT does not support migrating data between operating systems with different languages; the source computer's operating-system language must match the destination computer's operating-system language. + +### Can I change the location of the temporary directory on the destination computer? + +Yes. The environment variable USMT\_WORKING\_DIR can be changed to an alternative temporary directory. There are some offline migration scenarios where this is necessary, for example, when the USMT binaries are located on read-only Windows Preinstallation Environment (WinPE) boot media. + +### How do I install USMT? + +Because USMT is included in Windows Assessment and Deployment Kit (Windows ADK), you need to install the Windows ADK package on at least one computer in your environment. However, the USMT binaries are designed to be deployed using xcopy. This means that they are installed on a computer simply by recursively copying the USMT directory from the computer containing the Windows ADK to each client computer. + +### How do I uninstall USMT? + +If you have installed the Windows ADK on the computer, uninstalling Windows ADK will uninstall USMT. For client computers that do not have the Windows ADK installed, you can simply delete the USMT directory to uninstall USMT. + +## Files and Settings + + +### How can I exclude a folder or a certain type of file from the migration? + +You can use the **<unconditionalExclude>** element to globally exclude data from the migration. For example, you can use this element to exclude all MP3 files on the computer or to exclude all files from C:\\UserData. This element excludes objects regardless of any other <include> rules that are in the .xml files. For an example, see <unconditionalExclude> in the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic. For the syntax of this element, see [XML Elements Library](usmt-xml-elements-library.md). + +### What happens to files that were located on a drive that does not exist on the destination computer? + +USMT migrates the files to the %SystemDrive% while maintaining the correct folder hierarchy. For example, if E:\\data\\File.pst is on the source computer, but the destination computer does not have an E:\\ drive, the file will be migrated to C:\\data\\File.pst, if C:\\ is the system drive. This holds true even when <locationModify> rules attempt to move data to a drive that does not exist on the destination computer. + +## USMT .xml Files + + +### Where can I get examples of USMT .xml files? + +The following topics include examples of USMT .xml files: + +- [Exclude Files and Settings](usmt-exclude-files-and-settings.md) + +- [Reroute Files and Settings](usmt-reroute-files-and-settings.md) + +- [Include Files and Settings](usmt-include-files-and-settings.md) + +- [Custom XML Examples](usmt-custom-xml-examples.md) + +### Can I use custom .xml files that were written for USMT 5.0? + +Yes. You can use custom .xml files that were written for USMT 5.0 with USMT for Windows 10. However, in order to use new USMT functionality, you must revisit your custom USMT files and refresh them to include the new command-line options and XML elements. + +### How can I validate the .xml files? + +You can use the USMT XML Schema (MigXML.xsd) to write and validate migration .xml files. + +### Why must I list the .xml files with both the ScanState and LoadState commands? + +The .xml files are not copied to the store as in previous versions of USMT. Because the ScanState and LoadState tools need the .xml files to control the migration, you must specify the same set of .xml files for the **ScanState** and **LoadState** commands. If you used a particular set of mig\*.xml files in the ScanState tool, either called through the "/auto" option, or individually through the "/i" option, then you should use same option to call the exact same mig\*.xml files in the LoadState tool. However, you do not have to specify the Config.xml file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store, but not to the destination computer. To do this, modify the Config.xml file and specify the updated file with the **LoadState** command. **LoadState** will migrate only the files and settings that you want to migrate. + +If you exclude an .xml file from the **LoadState** command, then all of the data that is in the store that was migrated with the missing .xml files will be migrated. However, the migration rules that were specified for the **ScanState** command will not apply. For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data. + +### Which files can I modify and specify on the command line? + +You can specify the MigUser.xml and MigApp.xml files on the command line. You can modify each of these files. The migration of operating system settings is controlled by the manifests, which you cannot modify. If you want to exclude certain operating-system settings or any other components, create and modify the Config.xml file. + +### What happens if I do not specify the .xml files on the command line? + +- **ScanState** + + If you do not specify any files with the **ScanState** command, all user accounts and default operating system components are migrated. + +- **LoadState** + + If you do not specify any files with the **LoadState** command, all data that is in the store is migrated. However, any target-specific migration rules that were specified in .xml files with the **ScanState** command will not apply. For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data. + +## Conflicts and Precedence + + +### What happens when there are conflicting XML rules or conflicting objects on the destination computer? + +For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). + +## Related topics + + +[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) + +[Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md) + +[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md) + +  + +  + + + + + diff --git a/windows/deployment/usmt/usmt-general-conventions.md b/windows/deployment/usmt/usmt-general-conventions.md index daad6f47ed..2bffb25cd7 100644 --- a/windows/deployment/usmt/usmt-general-conventions.md +++ b/windows/deployment/usmt/usmt-general-conventions.md @@ -1,106 +1,106 @@ ---- -title: General Conventions (Windows 10) -description: General Conventions -ms.assetid: 5761986e-a847-41bd-bf8e-7c1bd01acbc6 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# General Conventions - - -This topic describes the XML helper functions. - -## In This Topic - - -[General XML Guidelines](#bkmk-general) - -[Helper Functions](#bkmk-helperfunctions) - -## General XML Guidelines - - -Before you modify the .xml files, become familiar with the following guidelines: - -- **XML schema** - - You can use the User State Migration Tool (USMT) 10.0 XML schema, MigXML.xsd, to write and validate migration .xml files. - -- **Conflits** - - In general, when there are conflicts within the XML schema, the most specific pattern takes precedence. For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). - -- **Required elements** - - The required elements for a migration .xml file are **<migration>**, **<component>**, **<role>**, and **<rules>**. - -- **Required child elements** - - - USMT does not fail with an error if you do not specify the required child elements. However, you must specify the required child elements for the parent element to affect the migration. - - - The required child elements apply only to the first definition of the element. If these elements are defined and then referred to using their name, the required child elements do not apply. For example, if you define `` in **<namedElements>**, and you specify `` in **<component>** to refer to this element, the definition inside **<namedElements>** must have the required child elements, but the **<component>** element does not need to have the required child elements. - -- **File names with brackets** - - If you are migrating a file that has a bracket character (\[ or \]) in the file name, you must insert a carat (^) character directly before the bracket for the bracket character to be valid. For example, if there is a file named File.txt, you must specify `c:\documents\mydocs [file^].txt]` instead of `c:\documents\mydocs [file].txt]`. - -- **Using quotation marks** - - When you surround code in quotation marks, you can use either double ("") or single (') quotation marks. - -## Helper Functions - - -You can use the XML helper functions in the [XML Elements Library](usmt-xml-elements-library.md) to change migration behavior. Before you use these functions in an .xml file, note the following: - -- **All of the parameters are strings** - -- **You can leave NULL parameters blank** - - As with parameters with a default value convention, if you have a NULL parameter at the end of a list, you can leave it out. For example, the following function: - - ``` syntax - SomeFunction("My String argument",NULL,NULL) - ``` - - is equivalent to: - - ``` syntax - SomeFunction("My String argument") - ``` - -- **The encoded location used in all the helper functions is an unambiguous string representation for the name of an object** - - It is composed of the node part, optionally followed by the leaf enclosed in square brackets. This makes a clear distinction between nodes and leaves. - - For example, specify the file C:\\Windows\\Notepad.exe: **c:\\Windows\[Notepad.exe\]**. Similarly, specify the directory C:\\Windows\\System32 like this: **c:\\Windows\\System32**; note the absence of the \[\] characters. - - The registry is represented in a similar way. The default value of a registry key is represented as an empty \[\] construct. For example, the default value for the HKLM\\SOFTWARE\\MyKey registry key is **HKLM\\SOFTWARE\\MyKey\[\]**. - -- **You specify a location pattern in a way that is similar to how you specify an actual location** - - The exception is that both the node and leaf part accept patterns. However, a pattern from the node does not extend to the leaf. - - For example, the pattern **c:\\Windows\\\\*** will match the \\Windows directory and all subdirectories, but it will not match any of the files in those directories. To match the files as well, you must specify **c:\\Windows\\\*\[\*\]**. - -## Related topics - - -[USMT XML Reference](usmt-xml-reference.md) - - - - - - - - - +--- +title: General Conventions (Windows 10) +description: General Conventions +ms.assetid: 5761986e-a847-41bd-bf8e-7c1bd01acbc6 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# General Conventions + + +This topic describes the XML helper functions. + +## In This Topic + + +[General XML Guidelines](#bkmk-general) + +[Helper Functions](#bkmk-helperfunctions) + +## General XML Guidelines + + +Before you modify the .xml files, become familiar with the following guidelines: + +- **XML schema** + + You can use the User State Migration Tool (USMT) 10.0 XML schema, MigXML.xsd, to write and validate migration .xml files. + +- **Conflits** + + In general, when there are conflicts within the XML schema, the most specific pattern takes precedence. For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). + +- **Required elements** + + The required elements for a migration .xml file are **<migration>**, **<component>**, **<role>**, and **<rules>**. + +- **Required child elements** + + - USMT does not fail with an error if you do not specify the required child elements. However, you must specify the required child elements for the parent element to affect the migration. + + - The required child elements apply only to the first definition of the element. If these elements are defined and then referred to using their name, the required child elements do not apply. For example, if you define `` in **<namedElements>**, and you specify `` in **<component>** to refer to this element, the definition inside **<namedElements>** must have the required child elements, but the **<component>** element does not need to have the required child elements. + +- **File names with brackets** + + If you are migrating a file that has a bracket character (\[ or \]) in the file name, you must insert a carat (^) character directly before the bracket for the bracket character to be valid. For example, if there is a file named File.txt, you must specify `c:\documents\mydocs [file^].txt]` instead of `c:\documents\mydocs [file].txt]`. + +- **Using quotation marks** + + When you surround code in quotation marks, you can use either double ("") or single (') quotation marks. + +## Helper Functions + + +You can use the XML helper functions in the [XML Elements Library](usmt-xml-elements-library.md) to change migration behavior. Before you use these functions in an .xml file, note the following: + +- **All of the parameters are strings** + +- **You can leave NULL parameters blank** + + As with parameters with a default value convention, if you have a NULL parameter at the end of a list, you can leave it out. For example, the following function: + + ``` syntax + SomeFunction("My String argument",NULL,NULL) + ``` + + is equivalent to: + + ``` syntax + SomeFunction("My String argument") + ``` + +- **The encoded location used in all the helper functions is an unambiguous string representation for the name of an object** + + It is composed of the node part, optionally followed by the leaf enclosed in square brackets. This makes a clear distinction between nodes and leaves. + + For example, specify the file C:\\Windows\\Notepad.exe: **c:\\Windows\[Notepad.exe\]**. Similarly, specify the directory C:\\Windows\\System32 like this: **c:\\Windows\\System32**; note the absence of the \[\] characters. + + The registry is represented in a similar way. The default value of a registry key is represented as an empty \[\] construct. For example, the default value for the HKLM\\SOFTWARE\\MyKey registry key is **HKLM\\SOFTWARE\\MyKey\[\]**. + +- **You specify a location pattern in a way that is similar to how you specify an actual location** + + The exception is that both the node and leaf part accept patterns. However, a pattern from the node does not extend to the leaf. + + For example, the pattern **c:\\Windows\\\\*** will match the \\Windows directory and all subdirectories, but it will not match any of the files in those directories. To match the files as well, you must specify **c:\\Windows\\\*\[\*\]**. + +## Related topics + + +[USMT XML Reference](usmt-xml-reference.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-hard-link-migration-store.md b/windows/deployment/usmt/usmt-hard-link-migration-store.md index bbcdb94333..4b2d8385c2 100644 --- a/windows/deployment/usmt/usmt-hard-link-migration-store.md +++ b/windows/deployment/usmt/usmt-hard-link-migration-store.md @@ -8,6 +8,7 @@ ms.author: greglin ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.date: 04/19/2017 ms.topic: article @@ -209,7 +210,7 @@ You must use the **/nocompress** option with the **/HardLink** option. The following XML sample specifies that files locked by an application under the \\Users directory can remain in place during the migration. It also specifies that locked files that are not located in the \\Users directory should result in the **File in Use** error. It is important to exercise caution when specifying the paths using the **File in Use<createhardlink>** tag in order to minimize scenarios that make the hard-link migration store more difficult to delete. -```xml +``` xml diff --git a/windows/deployment/usmt/usmt-how-it-works.md b/windows/deployment/usmt/usmt-how-it-works.md index 84bf06500d..5c8bbb6d9b 100644 --- a/windows/deployment/usmt/usmt-how-it-works.md +++ b/windows/deployment/usmt/usmt-how-it-works.md @@ -1,150 +1,150 @@ ---- -title: How USMT Works (Windows 10) -description: How USMT Works -ms.assetid: 5c8bd669-9e1e-473d-81e6-652f40b24171 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# How USMT Works - - -USMT includes two tools that migrate settings and data: ScanState and LoadState. ScanState collects information from the source computer, and LoadState applies that information to the destination computer. - -- [ScanState Process](#bkmk-ssprocess) - -- [LoadState Process](#bkmk-lsprocess) - - **Note**   - For more information about how USMT processes the rules and the XML files, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). - - - -## The ScanState Process - - -When you run the ScanState tool on the source computer, it goes through the following process: - -1. It parses and validates the command-line parameters, creates the ScanState.log file, and then begins logging. - -2. It collects information about all of the migration components that need to be migrated. A *migration component* is a logical group of files, registry keys, and values. For example, the set of files, registry keys, and values that store the settings of Adobe Acrobat is grouped into a single migration component. - - There are three types of components: - - - Components that migrate the operating system settings - - - Components that migrate application settings - - - Components that migrate users’ files - - The ScanState tool collects information about the application settings and user data components from the .xml files that are specified on the command line. - - In Windows 7, and Windows 8, the manifest files control how the operating-system settings are migrated. You cannot modify these files. If you want to exclude certain operating-system settings, you must create and modify a Config.xml file. - -3. ScanState determines which user profiles should be migrated. By default, all user profiles on the source computer are migrated. However, you can include and exclude users using the User Options. The public profile in a source computer running Windows 7, Windows 8, and Windows 10 is always migrated, and you cannot exclude these profiles from the migration. - -4. In the "Scanning" phase, ScanState does the following for each user profile selected for migration: - - 1. For each component, ScanState checks the type of the component. If the current user profile is the system profile and the component type is “System” or “UserAndSystem”, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile is not the system profile and the component type is “User” or “UserAndSystem”, the component is selected for this user. Otherwise, this component is ignored. - - **Note**   - From this point on, ScanState does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users’ files. ScanState processes all components in the same way. - - - - 2. Each component that is selected in the previous step is processed further. Any profile-specific variables (such as CSIDL\_PERSONAL) are evaluated in the context of the current profile. For example, if the profile that is being processed belongs to “User1”, then CSIDL\_PERSONAL would expand to C:\\Users\\User1\\Documents, assuming that the user profiles are stored in the C:\\Users directory. - - 3. For each selected component, ScanState evaluates the <detects> section. If the condition in the <detects> section evaluates to false, the component is not processed any further. Otherwise, the processing of this component continues. - - 4. For each selected component, ScanState evaluates the <rules> sections. For each <rules> section, if the current user profile is the system profile and the context of the <rules> section is “System” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. Alternatively, if the current user profile is not the system profile and the context of the <rules> section is “User” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. - - 5. ScanState creates a list of migration units that need to be migrated by processing the various subsections under this <rules> section. Each unit is collected if it is mentioned in an <include> subsection, as long as there is not a more specific rule for it in an <exclude> subsection in the same <rules> section. For more information about precedence in the .xml files, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). - - In addition, any migration unit (such as a file, registry key, or set of registry values) that is in an <UnconditionalExclude> section is not migrated. - - **Note**   - ScanState ignores some subsections such as <destinationCleanup> and <locationModify>. These sections are evaluated only on the destination computer. - - - -5. In the "Collecting" phase, ScanState creates a master list of the migration units by combining the lists that were created for each selected user profile. - -6. In the "Saving" phase, ScanState writes the migration units that were collected to the store location. - - **Note**   - ScanState does not modify the source computer in any way. - - - -## The LoadState Process - - -The LoadState process is very similar to the ScanState process. The ScanState tool collects migration units such as file, registry key, or registry values from the source computer and saves them to the store. Similarly, the LoadState tool collects migration units from the store and applies them to the destination computer. - -1. ScanState parses and validates the command-line parameters, creates the ScanState.log file, and then begins logging. - -2. LoadState collects information about the migration components that need to be migrated. - - LoadState obtains information for the application-settings components and user-data components from the migration .xml files that are specified by the LoadState command. - - In Windows 7, and Windows 8, the manifest files control how the operating-system settings are migrated. You cannot modify these files. If you want to exclude certain operating-system settings, you must create and modify a Config.xml file. - -3. LoadState determines which user profiles should be migrated. By default, all user profiles present on the source computer are migrated. However, you can include and exclude users using the User Options. The system profile, the "All users" profile in a source computer running Windows XP, or the Public profile in a source computer running Windows Vista, Windows 7, and Windows 8, is always migrated and you cannot exclude these profiles from the migration. - - - If you are migrating local user accounts and if the accounts do not already exist on the destination computer, you must use the/lac command-line option. If you do not specify the **/lac** option, any local user accounts that are not already present on the destination computer, are not migrated. - - - The **/md** and **/mu** options are processed to rename the user profile on the destination computer, if they have been included when the LoadState command was specified. - - - For each user profile selected from the store, LoadState creates a corresponding user profile on the destination computer. The destination computer does not need to be connected to the domain for domain user profiles to be created. If USMT cannot determine a domain, it attempts to apply the settings to a local account. For more information, see [Identify Users](usmt-identify-users.md). - -4. In the "Scanning" phase, LoadState does the following for each user profile: - - 1. For each component, LoadState checks the type of the component. If the current user profile is the system profile and the component type is “System” or “UserAndSystem”, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile is not the system profile and the component type is “User” or “UserAndSystem”, the component is selected for this user. Otherwise, this component is ignored. - - **Note** - From this point on, LoadState does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users’ files. LoadState evaluates all components in the same way. - - - - 2. Each component that is selected is processed further. Any profile-specific variables (such as CSIDL\_PERSONAL) are evaluated in the context of the current profile. For example, if the profile being processed belongs to “User1”, then CSIDL\_PERSONAL would expand to C:\\Users\\User1\\Documents (assuming that the user profiles are stored in the C:\\Users directory). - - **Note** - LoadState ignores the <detects> section specified in a component. At this point, all specified components are considered to be detected and are selected for migration. - - - - 3. For each selected component, LoadState evaluates the <rules> sections. For each <rules> section, if the current user profile is the system profile and the context of the <rules> section is “System” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. Alternatively, if the current user profile is not the system profile and the context of the <rules> section is “User” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. - - 4. LoadState creates a master list of migration units by processing the various subsections under the <rules> section. Each migration unit that is in an <include> subsection is migrated as long, as there is not a more specific rule for it in an <exclude> subsection in the same <rules> section. For more information about precedence, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). - - 5. LoadState evaluates the destination computer-specific subsections; for example, the <destinationCleanup> and <locationModify> subsections. - - 6. If the destination computer is running Windows 7 or Windows 8 then the migunits that were collected by ScanState using downlevel manifest files are processed by LoadState using the corresponding Component Manifest for Windows 7. The downlevel manifest files are not used during LoadState. - - **Important** - It is important to specify the .xml files with the LoadState command if you want LoadState to use them. Otherwise, any destination-specific rules, such as <locationModify>, in these .xml files are ignored, even if the same .xml files were provided when the ScanState command ran. - - - -5. In the "Apply" phase, LoadState writes the migration units that were collected to the various locations on the destination computer. If there are conflicts and there is not a <merge> rule for the object, the default behavior for the registry is for the source to overwrite the destination. The default behavior for files is for the source to be renamed incrementally, for example, OriginalFileName(1).OriginalExtension. Some settings, such as fonts, wallpaper, and screen-saver settings, do not take effect until the next time the user logs on. For this reason, you should log off when the LoadState command actions have completed. - -## Related topics - - -[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md) - - - - - - - - - +--- +title: How USMT Works (Windows 10) +description: How USMT Works +ms.assetid: 5c8bd669-9e1e-473d-81e6-652f40b24171 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# How USMT Works + + +USMT includes two tools that migrate settings and data: ScanState and LoadState. ScanState collects information from the source computer, and LoadState applies that information to the destination computer. + +- [ScanState Process](#bkmk-ssprocess) + +- [LoadState Process](#bkmk-lsprocess) + + **Note**   + For more information about how USMT processes the rules and the XML files, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). + + + +## The ScanState Process + + +When you run the ScanState tool on the source computer, it goes through the following process: + +1. It parses and validates the command-line parameters, creates the ScanState.log file, and then begins logging. + +2. It collects information about all of the migration components that need to be migrated. A *migration component* is a logical group of files, registry keys, and values. For example, the set of files, registry keys, and values that store the settings of Adobe Acrobat is grouped into a single migration component. + + There are three types of components: + + - Components that migrate the operating system settings + + - Components that migrate application settings + + - Components that migrate users’ files + + The ScanState tool collects information about the application settings and user data components from the .xml files that are specified on the command line. + + In Windows 7, and Windows 8, the manifest files control how the operating-system settings are migrated. You cannot modify these files. If you want to exclude certain operating-system settings, you must create and modify a Config.xml file. + +3. ScanState determines which user profiles should be migrated. By default, all user profiles on the source computer are migrated. However, you can include and exclude users using the User Options. The public profile in a source computer running Windows 7, Windows 8, and Windows 10 is always migrated, and you cannot exclude these profiles from the migration. + +4. In the "Scanning" phase, ScanState does the following for each user profile selected for migration: + + 1. For each component, ScanState checks the type of the component. If the current user profile is the system profile and the component type is “System” or “UserAndSystem”, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile is not the system profile and the component type is “User” or “UserAndSystem”, the component is selected for this user. Otherwise, this component is ignored. + + **Note**   + From this point on, ScanState does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users’ files. ScanState processes all components in the same way. + + + + 2. Each component that is selected in the previous step is processed further. Any profile-specific variables (such as CSIDL\_PERSONAL) are evaluated in the context of the current profile. For example, if the profile that is being processed belongs to “User1”, then CSIDL\_PERSONAL would expand to C:\\Users\\User1\\Documents, assuming that the user profiles are stored in the C:\\Users directory. + + 3. For each selected component, ScanState evaluates the <detects> section. If the condition in the <detects> section evaluates to false, the component is not processed any further. Otherwise, the processing of this component continues. + + 4. For each selected component, ScanState evaluates the <rules> sections. For each <rules> section, if the current user profile is the system profile and the context of the <rules> section is “System” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. Alternatively, if the current user profile is not the system profile and the context of the <rules> section is “User” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. + + 5. ScanState creates a list of migration units that need to be migrated by processing the various subsections under this <rules> section. Each unit is collected if it is mentioned in an <include> subsection, as long as there is not a more specific rule for it in an <exclude> subsection in the same <rules> section. For more information about precedence in the .xml files, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). + + In addition, any migration unit (such as a file, registry key, or set of registry values) that is in an <UnconditionalExclude> section is not migrated. + + **Note**   + ScanState ignores some subsections such as <destinationCleanup> and <locationModify>. These sections are evaluated only on the destination computer. + + + +5. In the "Collecting" phase, ScanState creates a master list of the migration units by combining the lists that were created for each selected user profile. + +6. In the "Saving" phase, ScanState writes the migration units that were collected to the store location. + + **Note**   + ScanState does not modify the source computer in any way. + + + +## The LoadState Process + + +The LoadState process is very similar to the ScanState process. The ScanState tool collects migration units such as file, registry key, or registry values from the source computer and saves them to the store. Similarly, the LoadState tool collects migration units from the store and applies them to the destination computer. + +1. ScanState parses and validates the command-line parameters, creates the ScanState.log file, and then begins logging. + +2. LoadState collects information about the migration components that need to be migrated. + + LoadState obtains information for the application-settings components and user-data components from the migration .xml files that are specified by the LoadState command. + + In Windows 7, and Windows 8, the manifest files control how the operating-system settings are migrated. You cannot modify these files. If you want to exclude certain operating-system settings, you must create and modify a Config.xml file. + +3. LoadState determines which user profiles should be migrated. By default, all user profiles present on the source computer are migrated. However, you can include and exclude users using the User Options. The system profile, the "All users" profile in a source computer running Windows XP, or the Public profile in a source computer running Windows Vista, Windows 7, and Windows 8, is always migrated and you cannot exclude these profiles from the migration. + + - If you are migrating local user accounts and if the accounts do not already exist on the destination computer, you must use the/lac command-line option. If you do not specify the **/lac** option, any local user accounts that are not already present on the destination computer, are not migrated. + + - The **/md** and **/mu** options are processed to rename the user profile on the destination computer, if they have been included when the LoadState command was specified. + + - For each user profile selected from the store, LoadState creates a corresponding user profile on the destination computer. The destination computer does not need to be connected to the domain for domain user profiles to be created. If USMT cannot determine a domain, it attempts to apply the settings to a local account. For more information, see [Identify Users](usmt-identify-users.md). + +4. In the "Scanning" phase, LoadState does the following for each user profile: + + 1. For each component, LoadState checks the type of the component. If the current user profile is the system profile and the component type is “System” or “UserAndSystem”, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile is not the system profile and the component type is “User” or “UserAndSystem”, the component is selected for this user. Otherwise, this component is ignored. + + **Note** + From this point on, LoadState does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users’ files. LoadState evaluates all components in the same way. + + + + 2. Each component that is selected is processed further. Any profile-specific variables (such as CSIDL\_PERSONAL) are evaluated in the context of the current profile. For example, if the profile being processed belongs to “User1”, then CSIDL\_PERSONAL would expand to C:\\Users\\User1\\Documents (assuming that the user profiles are stored in the C:\\Users directory). + + **Note** + LoadState ignores the <detects> section specified in a component. At this point, all specified components are considered to be detected and are selected for migration. + + + + 3. For each selected component, LoadState evaluates the <rules> sections. For each <rules> section, if the current user profile is the system profile and the context of the <rules> section is “System” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. Alternatively, if the current user profile is not the system profile and the context of the <rules> section is “User” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. + + 4. LoadState creates a master list of migration units by processing the various subsections under the <rules> section. Each migration unit that is in an <include> subsection is migrated as long, as there is not a more specific rule for it in an <exclude> subsection in the same <rules> section. For more information about precedence, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). + + 5. LoadState evaluates the destination computer-specific subsections; for example, the <destinationCleanup> and <locationModify> subsections. + + 6. If the destination computer is running Windows 7 or Windows 8 then the migunits that were collected by ScanState using downlevel manifest files are processed by LoadState using the corresponding Component Manifest for Windows 7. The downlevel manifest files are not used during LoadState. + + **Important** + It is important to specify the .xml files with the LoadState command if you want LoadState to use them. Otherwise, any destination-specific rules, such as <locationModify>, in these .xml files are ignored, even if the same .xml files were provided when the ScanState command ran. + + + +5. In the "Apply" phase, LoadState writes the migration units that were collected to the various locations on the destination computer. If there are conflicts and there is not a <merge> rule for the object, the default behavior for the registry is for the source to overwrite the destination. The default behavior for files is for the source to be renamed incrementally, for example, OriginalFileName(1).OriginalExtension. Some settings, such as fonts, wallpaper, and screen-saver settings, do not take effect until the next time the user logs on. For this reason, you should log off when the LoadState command actions have completed. + +## Related topics + + +[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-how-to.md b/windows/deployment/usmt/usmt-how-to.md index f26b1b8cd3..9fdba24603 100644 --- a/windows/deployment/usmt/usmt-how-to.md +++ b/windows/deployment/usmt/usmt-how-to.md @@ -1,35 +1,35 @@ ---- -title: User State Migration Tool (USMT) How-to topics (Windows 10) -description: User State Migration Tool (USMT) How-to topics -ms.assetid: 7b9a2f2a-a43a-4984-9746-a767f9f1c7e3 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# User State Migration Tool (USMT) How-to topics -The following table lists topics that describe how to use User State Migration Tool (USMT) 10.0 to perform specific tasks. - -## In This Section - -|Topic |Description| -|------|-----------| -|[Exclude Files and Settings](usmt-exclude-files-and-settings.md)|Create a custom .xml file to exclude files, file types, folders, or registry settings from your migration.| -|[Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md)|Recover files from a compressed migration store after installing the operating system.| -|[Include Files and Settings](usmt-include-files-and-settings.md)|Create a custom .xml file to include files, file types, folders, or registry settings in your migration.| -|[Migrate Application Settings](migrate-application-settings.md)|Migrate the settings of an application that the MigApp.xml file does not include by default.| -|[Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md)|Migrate Encrypting File System (EFS) certificates by using USMT.| -|[Migrate User Accounts](usmt-migrate-user-accounts.md)|Specify the users to include and exclude in your migration.| -|[Reroute Files and Settings](usmt-reroute-files-and-settings.md)|Create a custom .xml file to reroute files and settings during a migration.| -|[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md)|Determine whether a compressed migration store is intact, or whether it contains corrupt files or a corrupt catalog.| - -## Related topics -- [User State Migration Tool (USMT) Overview Topics](usmt-topics.md) -- [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) -- [User State Migration Toolkit (USMT) Reference](usmt-reference.md) +--- +title: User State Migration Tool (USMT) How-to topics (Windows 10) +description: User State Migration Tool (USMT) How-to topics +ms.assetid: 7b9a2f2a-a43a-4984-9746-a767f9f1c7e3 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# User State Migration Tool (USMT) How-to topics +The following table lists topics that describe how to use User State Migration Tool (USMT) 10.0 to perform specific tasks. + +## In This Section + +|Topic |Description| +|------|-----------| +|[Exclude Files and Settings](usmt-exclude-files-and-settings.md)|Create a custom .xml file to exclude files, file types, folders, or registry settings from your migration.| +|[Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md)|Recover files from a compressed migration store after installing the operating system.| +|[Include Files and Settings](usmt-include-files-and-settings.md)|Create a custom .xml file to include files, file types, folders, or registry settings in your migration.| +|[Migrate Application Settings](migrate-application-settings.md)|Migrate the settings of an application that the MigApp.xml file does not include by default.| +|[Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md)|Migrate Encrypting File System (EFS) certificates by using USMT.| +|[Migrate User Accounts](usmt-migrate-user-accounts.md)|Specify the users to include and exclude in your migration.| +|[Reroute Files and Settings](usmt-reroute-files-and-settings.md)|Create a custom .xml file to reroute files and settings during a migration.| +|[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md)|Determine whether a compressed migration store is intact, or whether it contains corrupt files or a corrupt catalog.| + +## Related topics +- [User State Migration Tool (USMT) Overview Topics](usmt-topics.md) +- [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) +- [User State Migration Toolkit (USMT) Reference](usmt-reference.md) diff --git a/windows/deployment/usmt/usmt-identify-application-settings.md b/windows/deployment/usmt/usmt-identify-application-settings.md index 874e4e4399..2a8a430f41 100644 --- a/windows/deployment/usmt/usmt-identify-application-settings.md +++ b/windows/deployment/usmt/usmt-identify-application-settings.md @@ -1,62 +1,62 @@ ---- -title: Identify Applications Settings (Windows 10) -description: Identify Applications Settings -ms.assetid: eda68031-9b02-4a5b-a893-3786a6505381 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Identify Applications Settings - - -When planning for your migration, you should identify which applications and settings you want to migrate. For more information about how to create a custom .xml file to migrate the settings of another application, see [Customize USMT XML Files](usmt-customize-xml-files.md). - -## Applications - - -First, create and prioritize a list of applications that to be migrated. It may be helpful to review the application lists and decide which applications will be redeployed and which applications will be retired. Often, the applications are prioritized based on a combination of how widely the application is used and how complex the application is. - -Next, identify an application owner to be in charge of each application. This is necessary because the developers will not be experts on all of the applications in the organization. The application owner should have the most experience with an application. The application owner provides insight into how the organization installs, configures, and uses the application. - -## Application Settings - - -Next, determine and locate the application settings to be migrated. You can acquire much of the information that you need for this step when you are testing the new applications for compatibility with the new operating system. - -After completing the list of applications to be migrated, review the list and work with each application owner on a list of settings to be migrated. For each setting, determine whether it needs to be migrated or if the default settings are adequate. Then, determine where the setting is located; for example, in the registry or in an .ini file. Next, consider the following questions to determine what needs to be done to migrate the setting successfully: - -- Is the destination version of the application newer than the source version? - -- Do these settings work with the new version? - -- Do the settings need to be moved or altered? - -- Can the first-run process force the application to appear as if it had run already? If so, does this work correctly, or does it break the application? - -After answering these questions, create a custom .xml file to migrate settings. Work with the application owner to develop test cases and to determine the file types that need to be migrated for the application. - -## Locating Where Settings Are Stored - - -See [Migrate Application Settings](migrate-application-settings.md) and follow the directions. - -## Related topics - - -[Determine What to Migrate](usmt-determine-what-to-migrate.md) - -  - -  - - - - - +--- +title: Identify Applications Settings (Windows 10) +description: Identify Applications Settings +ms.assetid: eda68031-9b02-4a5b-a893-3786a6505381 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Identify Applications Settings + + +When planning for your migration, you should identify which applications and settings you want to migrate. For more information about how to create a custom .xml file to migrate the settings of another application, see [Customize USMT XML Files](usmt-customize-xml-files.md). + +## Applications + + +First, create and prioritize a list of applications that to be migrated. It may be helpful to review the application lists and decide which applications will be redeployed and which applications will be retired. Often, the applications are prioritized based on a combination of how widely the application is used and how complex the application is. + +Next, identify an application owner to be in charge of each application. This is necessary because the developers will not be experts on all of the applications in the organization. The application owner should have the most experience with an application. The application owner provides insight into how the organization installs, configures, and uses the application. + +## Application Settings + + +Next, determine and locate the application settings to be migrated. You can acquire much of the information that you need for this step when you are testing the new applications for compatibility with the new operating system. + +After completing the list of applications to be migrated, review the list and work with each application owner on a list of settings to be migrated. For each setting, determine whether it needs to be migrated or if the default settings are adequate. Then, determine where the setting is located; for example, in the registry or in an .ini file. Next, consider the following questions to determine what needs to be done to migrate the setting successfully: + +- Is the destination version of the application newer than the source version? + +- Do these settings work with the new version? + +- Do the settings need to be moved or altered? + +- Can the first-run process force the application to appear as if it had run already? If so, does this work correctly, or does it break the application? + +After answering these questions, create a custom .xml file to migrate settings. Work with the application owner to develop test cases and to determine the file types that need to be migrated for the application. + +## Locating Where Settings Are Stored + + +See [Migrate Application Settings](migrate-application-settings.md) and follow the directions. + +## Related topics + + +[Determine What to Migrate](usmt-determine-what-to-migrate.md) + +  + +  + + + + + diff --git a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md index 2dfe827d3f..45cd2a17a7 100644 --- a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md +++ b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md @@ -1,51 +1,51 @@ ---- -title: Identify File Types, Files, and Folders (Windows 10) -description: Identify File Types, Files, and Folders -ms.assetid: 93bb2a33-c126-4f7a-a961-6c89686d54e0 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Identify File Types, Files, and Folders - - -When planning for your migration, if not using MigDocs.xml, you should identify the file types, files, folders, and settings that you want to migrate. First, you should determine the standard file locations on each computer, such as **My Documents.** , **C:\\Data** , and company-specified locations, such as **\\EngineeringDrafts**. Next, you should determine and locate the non-standard locations. For non-standard locations, consider the following: - -- **File types**. Consider which file types need to be included and excluded from the migration. You can create this list based on common applications used in your organization. Applications normally use specific file name extensions. For example, Microsoft Office Word primarily uses .doc, .docx and .dotx file name extension. However, it also uses other file types, such as templates (.dot files), on a less frequent basis. - -- **Excluded locations**. Consider the locations on the computer that should be excluded from the migration (for example, %WINDIR% and Program Files). - -- **New locations**. Decide where files should be migrated to on the destination computer for example, \\My Documents, a designated folder, or a folder matching the files' name and location on the source computer. For example, you might have shared data on source machine or you might wish to clean up documents outside the user profiles on the source system. Identify any data that needs to be redirected to a new location in the apply phase. This can be accomplished with location modify rules. - -Once you have verified which files and file types that the end users work with regularly, you will need to locate them. Files may be saved to a single folder or scattered across a drive. A good starting point for finding files types to include is to look at the registered file types on the computer. - -**To find the registered file types on a computer running Windows 7 or Windows 8** - -1. Click **Start**. Open **Control Panel**, click **Control Panel Home**, and click **Programs**. - -2. Click **Default Programs**, and click **Associate a file type or protocol with a program**. - -3. On this screen, the registered file types are displayed. - -For more information about how to change the file types, files, and folders that are migrated when you specify the MigUser.xml file, see [User State Migration Tool (USMT) How-to topics](usmt-how-to.md). - -## Related topics - - -[Determine What to Migrate](usmt-determine-what-to-migrate.md) - -  - -  - - - - - +--- +title: Identify File Types, Files, and Folders (Windows 10) +description: Identify File Types, Files, and Folders +ms.assetid: 93bb2a33-c126-4f7a-a961-6c89686d54e0 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Identify File Types, Files, and Folders + + +When planning for your migration, if not using MigDocs.xml, you should identify the file types, files, folders, and settings that you want to migrate. First, you should determine the standard file locations on each computer, such as **My Documents.** , **C:\\Data** , and company-specified locations, such as **\\EngineeringDrafts**. Next, you should determine and locate the non-standard locations. For non-standard locations, consider the following: + +- **File types**. Consider which file types need to be included and excluded from the migration. You can create this list based on common applications used in your organization. Applications normally use specific file name extensions. For example, Microsoft Office Word primarily uses .doc, .docx and .dotx file name extension. However, it also uses other file types, such as templates (.dot files), on a less frequent basis. + +- **Excluded locations**. Consider the locations on the computer that should be excluded from the migration (for example, %WINDIR% and Program Files). + +- **New locations**. Decide where files should be migrated to on the destination computer for example, \\My Documents, a designated folder, or a folder matching the files' name and location on the source computer. For example, you might have shared data on source machine or you might wish to clean up documents outside the user profiles on the source system. Identify any data that needs to be redirected to a new location in the apply phase. This can be accomplished with location modify rules. + +Once you have verified which files and file types that the end users work with regularly, you will need to locate them. Files may be saved to a single folder or scattered across a drive. A good starting point for finding files types to include is to look at the registered file types on the computer. + +**To find the registered file types on a computer running Windows 7 or Windows 8** + +1. Click **Start**. Open **Control Panel**, click **Control Panel Home**, and click **Programs**. + +2. Click **Default Programs**, and click **Associate a file type or protocol with a program**. + +3. On this screen, the registered file types are displayed. + +For more information about how to change the file types, files, and folders that are migrated when you specify the MigUser.xml file, see [User State Migration Tool (USMT) How-to topics](usmt-how-to.md). + +## Related topics + + +[Determine What to Migrate](usmt-determine-what-to-migrate.md) + +  + +  + + + + + diff --git a/windows/deployment/usmt/usmt-identify-operating-system-settings.md b/windows/deployment/usmt/usmt-identify-operating-system-settings.md index cce810e31f..1cffd2aed8 100644 --- a/windows/deployment/usmt/usmt-identify-operating-system-settings.md +++ b/windows/deployment/usmt/usmt-identify-operating-system-settings.md @@ -1,60 +1,60 @@ ---- -title: Identify Operating System Settings (Windows 10) -description: Identify Operating System Settings -ms.assetid: 1704ab18-1765-41fb-a27c-3aa3128fa242 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Identify Operating System Settings - - -When planning for your migration, you should identify which operating system settings you want to migrate and to what extent you want to create a new standard environment on each of the computers. User State Migration Tool (USMT) 10.0 enables you to migrate select settings and keep the default values for all others. The operating system settings include the following: - -- **Apperance.** - - This includes items such as wallpaper, colors, sounds, and the location of the taskbar. - -- **Action.** - - This includes items such as the key-repeat rate, whether double-clicking a folder opens it in a new window or the same window, and whether you need to single-click or double-click an item to open it. - -- **Internet.** - - These are the settings that let you connect to the Internet and control how your browser operates. This includes items such as your home page URL, favorites, bookmarks, cookies, security settings, dial-up connections, and proxy settings. - -- **Mail.** - - This includes the information that you need to connect to your mail server, your signature file, views, mail rules, local mail, and contacts. - -To help you decide which settings to migrate, you should consider any previous migration experiences as well as the results of any surveys and tests that you have conducted. You should also consider the number of help-desk calls related to operating-system settings that you have had in the past, and are able to handle in the future. Also decide how much of the new operating-system functionality you want to take advantage of. - -You should migrate any settings that users need to get their jobs done, those that make the work environment comfortable, and those that will reduce help-desk calls after the migration. Although it is easy to dismiss migrating user preferences, you should consider that users can spend a significant amount of time restoring items such as wallpaper, screen savers, and other customizable user-interface features. Most users do not remember how these settings were applied. Although these items are not critical to migration success, migrating these items increases user productivity and overall satisfaction of the migration process. - -**Note**   -For more information about how to change the operating-system settings that are migrated, see [User State Migration Tool (USMT) How-to topics](usmt-how-to.md). - -For information about the operating-system settings that USMT migrates, see [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) - - - -## Related topics - - -[Determine What to Migrate](usmt-determine-what-to-migrate.md) - - - - - - - - - +--- +title: Identify Operating System Settings (Windows 10) +description: Identify Operating System Settings +ms.assetid: 1704ab18-1765-41fb-a27c-3aa3128fa242 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Identify Operating System Settings + + +When planning for your migration, you should identify which operating system settings you want to migrate and to what extent you want to create a new standard environment on each of the computers. User State Migration Tool (USMT) 10.0 enables you to migrate select settings and keep the default values for all others. The operating system settings include the following: + +- **Apperance.** + + This includes items such as wallpaper, colors, sounds, and the location of the taskbar. + +- **Action.** + + This includes items such as the key-repeat rate, whether double-clicking a folder opens it in a new window or the same window, and whether you need to single-click or double-click an item to open it. + +- **Internet.** + + These are the settings that let you connect to the Internet and control how your browser operates. This includes items such as your home page URL, favorites, bookmarks, cookies, security settings, dial-up connections, and proxy settings. + +- **Mail.** + + This includes the information that you need to connect to your mail server, your signature file, views, mail rules, local mail, and contacts. + +To help you decide which settings to migrate, you should consider any previous migration experiences as well as the results of any surveys and tests that you have conducted. You should also consider the number of help-desk calls related to operating-system settings that you have had in the past, and are able to handle in the future. Also decide how much of the new operating-system functionality you want to take advantage of. + +You should migrate any settings that users need to get their jobs done, those that make the work environment comfortable, and those that will reduce help-desk calls after the migration. Although it is easy to dismiss migrating user preferences, you should consider that users can spend a significant amount of time restoring items such as wallpaper, screen savers, and other customizable user-interface features. Most users do not remember how these settings were applied. Although these items are not critical to migration success, migrating these items increases user productivity and overall satisfaction of the migration process. + +**Note**   +For more information about how to change the operating-system settings that are migrated, see [User State Migration Tool (USMT) How-to topics](usmt-how-to.md). + +For information about the operating-system settings that USMT migrates, see [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) + + + +## Related topics + + +[Determine What to Migrate](usmt-determine-what-to-migrate.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-identify-users.md b/windows/deployment/usmt/usmt-identify-users.md index 4f0534cf76..8168e90730 100644 --- a/windows/deployment/usmt/usmt-identify-users.md +++ b/windows/deployment/usmt/usmt-identify-users.md @@ -1,90 +1,90 @@ ---- -title: Identify Users (Windows 10) -description: Identify Users -ms.assetid: 957a4fe9-79fd-44a2-8c26-33e50f71f9de -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Identify Users - - -It is important to carefully consider how you plan to migrate users. By default, all users are migrated by User State Migration Tool (USMT) 5.0. You must specify which users to include by using the command line. You cannot specify users in the .xml files. For instructions on how to migrate users, see [Migrate User Accounts](usmt-migrate-user-accounts.md). - -## In This Topic - - -- [Migrating Local Accounts](#bkmk-8) - -- [Migrating Domain Accounts](#bkmk-9) - -- [Command-Line Options](#bkmk-7) - -## Migrating Local Accounts - - -Before migrating local accounts, note the following: - -- [You must explicitly specify that local accounts that are not on the destination computer should be migrated.](#bkmk-8) If you are migrating local accounts and the local account does not exist on the destination computer, you must use the/lac option when using the LoadState command. If the **/lac** option is not specified, no local user accounts will be migrated. - -- [Consider whether to enable user accounts that are new to the destination computer.](#bkmk-8) The **/lae** option enables the account that was created with the **/lac** option. However, if you create a disabled local account by using only the **/lac** option, a local administrator must enable the account on the destination computer. - -- [Be careful when specifying a password for local accounts.](#bkmk-8) If you create the local account with a blank password, anyone could log on to that account on the destination computer. If you create the local account with a password, the password is available to anyone with access to the USMT command-line tools. - - **Note** - If there are multiple users on a computer, and you specify a password with the **/lac** option, all migrated users will have the same password. - - - -## Migrating Domain Accounts - - -The source and destination computers do not need to be connected to the domain for domain user profiles to be migrated. - -## Command-Line Options - - -USMT provides several options to migrate multiple users on a single computer. The following command-line options specify which users to migrate. - -- [Specifying users.](#bkmk-8) You can specify which users to migrate with the **/all**, **/ui**, **/uel**, and **/ue** options with both the ScanState and LoadState command-line tools. - - **Important**   - The **/uel** option excludes users based on the **LastModified** date of the Ntuser.dat file. The **/uel** option is not valid in offline migrations. - - - -- [Moving users to another domain.](#bkmk-8) You can move user accounts to another domain using the **/md** option with the LoadState command-line tool. - -- [Creating local accounts.](#bkmk-8) You can create and enable local accounts using the **/lac** and **/lae** options with the LoadState command-line tool. - -- [Renaming user accounts.](#bkmk-8) You can rename user accounts using the **/mu** option. - - **Note**   - By default, if a user name is not specified in any of the command-line options, the user will be migrated. - - - -## Related topics - - -[Determine What to Migrate](usmt-determine-what-to-migrate.md) - -[ScanState Syntax](usmt-scanstate-syntax.md) - -[LoadState Syntax](usmt-loadstate-syntax.md) - - - - - - - - - +--- +title: Identify Users (Windows 10) +description: Identify Users +ms.assetid: 957a4fe9-79fd-44a2-8c26-33e50f71f9de +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Identify Users + + +It is important to carefully consider how you plan to migrate users. By default, all users are migrated by User State Migration Tool (USMT) 5.0. You must specify which users to include by using the command line. You cannot specify users in the .xml files. For instructions on how to migrate users, see [Migrate User Accounts](usmt-migrate-user-accounts.md). + +## In This Topic + + +- [Migrating Local Accounts](#bkmk-8) + +- [Migrating Domain Accounts](#bkmk-9) + +- [Command-Line Options](#bkmk-7) + +## Migrating Local Accounts + + +Before migrating local accounts, note the following: + +- [You must explicitly specify that local accounts that are not on the destination computer should be migrated.](#bkmk-8) If you are migrating local accounts and the local account does not exist on the destination computer, you must use the/lac option when using the LoadState command. If the **/lac** option is not specified, no local user accounts will be migrated. + +- [Consider whether to enable user accounts that are new to the destination computer.](#bkmk-8) The **/lae** option enables the account that was created with the **/lac** option. However, if you create a disabled local account by using only the **/lac** option, a local administrator must enable the account on the destination computer. + +- [Be careful when specifying a password for local accounts.](#bkmk-8) If you create the local account with a blank password, anyone could log on to that account on the destination computer. If you create the local account with a password, the password is available to anyone with access to the USMT command-line tools. + + **Note** + If there are multiple users on a computer, and you specify a password with the **/lac** option, all migrated users will have the same password. + + + +## Migrating Domain Accounts + + +The source and destination computers do not need to be connected to the domain for domain user profiles to be migrated. + +## Command-Line Options + + +USMT provides several options to migrate multiple users on a single computer. The following command-line options specify which users to migrate. + +- [Specifying users.](#bkmk-8) You can specify which users to migrate with the **/all**, **/ui**, **/uel**, and **/ue** options with both the ScanState and LoadState command-line tools. + + **Important**   + The **/uel** option excludes users based on the **LastModified** date of the Ntuser.dat file. The **/uel** option is not valid in offline migrations. + + + +- [Moving users to another domain.](#bkmk-8) You can move user accounts to another domain using the **/md** option with the LoadState command-line tool. + +- [Creating local accounts.](#bkmk-8) You can create and enable local accounts using the **/lac** and **/lae** options with the LoadState command-line tool. + +- [Renaming user accounts.](#bkmk-8) You can rename user accounts using the **/mu** option. + + **Note**   + By default, if a user name is not specified in any of the command-line options, the user will be migrated. + + + +## Related topics + + +[Determine What to Migrate](usmt-determine-what-to-migrate.md) + +[ScanState Syntax](usmt-scanstate-syntax.md) + +[LoadState Syntax](usmt-loadstate-syntax.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-include-files-and-settings.md b/windows/deployment/usmt/usmt-include-files-and-settings.md index 8d0ba60945..c594b6ea7d 100644 --- a/windows/deployment/usmt/usmt-include-files-and-settings.md +++ b/windows/deployment/usmt/usmt-include-files-and-settings.md @@ -8,6 +8,7 @@ ms.author: greglin ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.date: 04/19/2017 ms.topic: article @@ -37,7 +38,7 @@ In this topic: The following .xml file migrates a single registry key. -```xml +``` xml Component to migrate only registry value string @@ -63,7 +64,7 @@ The following examples show how to migrate a folder from a specific drive, and f - **Including subfolders.** The following .xml file migrates all files and subfolders from C:\\EngineeringDrafts to the destination computer. - ```xml + ``` xml Component to migrate all Engineering Drafts Documents including subfolders @@ -82,7 +83,7 @@ The following examples show how to migrate a folder from a specific drive, and f - **Excluding subfolders.** The following .xml file migrates all files from C:\\EngineeringDrafts, but it does not migrate any subfolders within C:\\EngineeringDrafts. - ```xml + ``` xml Component to migrate all Engineering Drafts Documents without subfolders @@ -103,7 +104,7 @@ The following examples show how to migrate a folder from a specific drive, and f The following .xml file migrates all files and subfolders of the EngineeringDrafts folder from any drive on the computer. If multiple folders exist with the same name, then all files with this name are migrated. -```xml +``` xml Component to migrate all Engineering Drafts Documents folder on any drive on the computer @@ -123,7 +124,7 @@ The following .xml file migrates all files and subfolders of the EngineeringDraf The following .xml file migrates all files and subfolders of the EngineeringDrafts folder from any location on the C:\\ drive. If multiple folders exist with the same name, they are all migrated. -```xml +``` xml Component to migrate all Engineering Drafts Documents EngineeringDrafts folder from where ever it exists on the C: drive @@ -146,7 +147,7 @@ The following .xml file migrates all files and subfolders of the EngineeringDraf The following .xml file migrates .mp3 files located in the specified drives on the source computer into the C:\\Music folder on the destination computer. -```xml +``` xml All .mp3 files to My Documents @@ -176,7 +177,7 @@ The following examples show how to migrate a file from a specific folder, and ho - **To migrate a file from a folder.** The following .xml file migrates only the Sample.doc file from C:\\EngineeringDrafts on the source computer to the destination computer. - ```xml + ``` xml Component to migrate all Engineering Drafts Documents @@ -195,13 +196,13 @@ The following examples show how to migrate a file from a specific folder, and ho - **To migrate a file from any location.** To migrate the Sample.doc file from any location on the C:\\ drive, use the <pattern> element, as the following example shows. If multiple files exist with the same name on the C:\\ drive, all of files with this name are migrated. - ```xml + ``` xml C:\* [Sample.doc] ``` To migrate the Sample.doc file from any drive on the computer, use <script> as the following example shows. If multiple files exist with the same name, all files with this name are migrated. - ```xml + ``` xml ``` diff --git a/windows/deployment/usmt/usmt-loadstate-syntax.md b/windows/deployment/usmt/usmt-loadstate-syntax.md index 63c3b443b8..ea390e9871 100644 --- a/windows/deployment/usmt/usmt-loadstate-syntax.md +++ b/windows/deployment/usmt/usmt-loadstate-syntax.md @@ -1,709 +1,709 @@ ---- -title: LoadState Syntax (Windows 10) -description: LoadState Syntax -ms.assetid: 53d2143b-cbe9-4cfc-8506-36e9d429f6d4 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# LoadState Syntax - - -This topic discusses the **LoadState** command syntax and options. - -## In This Topic - - -[Before You Begin](#before) - -[Syntax](#bkmk-s) - -[Storage Options](#bkmk-st) - -[Migration Rule Options](#bkmk-mig) - -[Monitoring Options](#bkmk-mon) - -[User Options](#bkmk-user) - -[Incompatible Command-Line Options](#bkmk-cloi) - -## Before You Begin - - -Before you run the **LoadState** command, note the following: - -- To ensure that all operating system settings migrate, we recommend that you run the **LoadState** commands in administrator mode from an account with administrative credentials. - -- For information about software requirements for running the **LoadState** command, see [USMT Requirements](usmt-requirements.md). - -- You should log off after you run the **LoadState** command. Some settings (for example, fonts, wallpaper, and screensaver settings) will not take effect until the next time the user logs in. - -- Unless otherwise specified, you can use each option only once when running a tool on the command line. - -- **LoadState** does not require domain controller access to apply domain profiles. This functionality is available without any additional configuration. It is not necessary for the source computer to have had domain controller access when the user profile was gathered using **ScanState**. However, domain profiles are inaccessible until the destination computer is joined to the domain. - -- The [Incompatible Command-Line Options](#bkmk-cloi) table lists which options you can use together and which command-line options are incompatible. - -## Syntax - - -This section explains the syntax and usage of the command-line options available when you use the **LoadState** command. The options can be specified in any order. If the option contains a parameter, you can specify either a colon or space separator. - -The **LoadState** command's syntax is: - -loadstate *StorePath* \[/i:\[*Path*\\\]*FileName*\] \[/v:*VerbosityLevel*\] \[/nocompress\] \[/decrypt /key:*KeyString*|/keyfile:\[Path\\\]*FileName*\] \[/l:\[*Path*\\\]*FileName*\] \[/progress:\[*Path*\\\]*FileName*\] \[/r:*TimesToRetry*\] \[/w:*SecondsToWait*\] \[/c\] \[/all\] \[/ui:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/ue:\[\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/uel:*NumberOfDays*|*YYYY/MM/DD*|0\] \[/md:*OldDomain*:*NewDomain*\] \[/mu:*OldDomain*\\*OldUserName*:\[*NewDomain*\\\]*NewUserName*\] \[/lac:\[*Password*\]\] \[/lae\] \[/config:\[*Path*\\\]*FileName*\] \[/?|help\] - -For example, to decrypt the store and migrate the files and settings to a computer running Windows 7 type the following on the command line: - -`loadstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /v:13 /decrypt /key:"mykey"` - -## Storage Options - - -USMT provides the following options that you can use to specify how and where the migrated data is stored. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Command-Line OptionDescription

          StorePath

          Indicates the folder where the files and settings data are stored. You must specify StorePath when using the LoadState command. You cannot specify more than one StorePath.

          /decrypt /key:KeyString

          -

          or

          -

          /decrypt /key:"Key String"

          -

          or

          -

          /decrypt /keyfile:[Path</em>]FileName

          Decrypts the store with the specified key. With this option, you will need to specify the encryption key in one of the following ways:

          -
            -

          • /key:KeyString specifies the encryption key. If there is a space in KeyString, you must surround the argument with quotation marks.

            • -

          • /keyfile:FilePathAndName specifies a text (.txt) file that contains the encryption key

            • -
          -

          KeyString cannot exceed 256 characters.

          -

          The /key and /keyfile options cannot be used on the same command line.

          -

          The /decrypt and /nocompress options cannot be used on the same command line.

          -
          -Important

          Use caution with this option, because anyone who has access to the LoadState command-line script will also have access to the encryption key.

          -
          -
          - -
          -

          For example:

          -

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /decrypt /key:mykey

          /decrypt:"encryption strength"

          The /decrypt option accepts a command-line parameter to define the encryption strength specified for the migration store encryption. For more information about supported encryption algorithms, see Migration Store Encryption.

          /hardlink

          Enables user-state data to be restored from a hard-link migration store. The /nocompress parameter must be specified with /hardlink option.

          /nocompress

          Specifies that the store is not compressed. You should only use this option in testing environments. We recommend that you use a compressed store during your actual migration. This option cannot be used with the /decrypt option.

          -

          For example:

          -

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /nocompress

          - - - -## Migration Rule Options - - -USMT provides the following options to specify what files you want to migrate. - - ---- - - - - - - - - - - - - - - - - - - - - -
          Command-Line OptionDescription

          /i:[Path]FileName

          (include)

          -

          Specifies an .xml file that contains rules that define what state to migrate. You can specify this option multiple times to include all of your .xml files (MigApp.xml, MigSys.xml, MigDocs.xml and any custom .xml files that you create). Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory.

          -

          For more information about which files to specify, see the "XML files" section of the Frequently Asked Questions topic.

          /config:[Path]FileName

          Specifies the Config.xml file that the LoadState command should use. You cannot specify this option more than once on the command line. Path can be either a relative or full path. If you do not specify the Path variable, then the FileName must be located in the current directory.

          -

          This example migrates the files and settings based on the rules in the Config.xml, MigDocs.xml, and MigApp.xml files:

          -

          loadstate \server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:5 /l:loadstate.log

          /auto:"path to script files"

          This option enables you to specify the location of the default .xml files and then launch your migration. If no path is specified, USMT will use the directory where the USMT binaries are located. The /auto option has the same effect as using the following options: /i:MigDocs.xml /i:MigApp.xml /v:5.

          - - - -## Monitoring Options - - -USMT provides several command-line options that you can use to analyze problems that occur during migration. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Command-Line OptionDescription

          /l:[Path]FileName

          Specifies the location and name of the LoadState log. You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then the log will be created in the current directory. You can specify the /v option to adjust the amount of output.

          -

          If you run the LoadState command from a shared network resource, you must specify this option or USMT will fail with the error: "USMT was unable to create the log file(s)". To fix this issue, use the /l:load.log option.

          /v:<VerbosityLevel>

          (Verbosity)

          -

          Enables verbose output in the LoadState log file. The default value is 0.

          -

          You can set the VerbosityLevel to one of the following levels:

          - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          LevelExplanation

          0

          Only the default errors and warnings are enabled.

          1

          Enables verbose output.

          4

          Enables error and status output.

          5

          Enables verbose and status output.

          8

          Enables error output to a debugger.

          9

          Enables verbose output to a debugger.

          12

          Enables error and status output to a debugger.

          13

          Enables verbose, status, and debugger output.

          -

          -

          For example:

          -

          loadstate \server\share\migration\mystore /v:5 /i:migdocs.xml /i:migapp.xml

          /progress:[Path</em>]FileName

          Creates the optional progress log. You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.

          -

          For example:

          -

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /progress:prog.log /l:scanlog.log

          /c

          When this option is specified, the LoadState command will continue to run, even if non-fatal errors occur. Any files or settings that cause an error are logged in the progress log. For example, if there is a large file that will not fit on the computer, the LoadState command will log an error and continue with the migration. Without the /c option, the LoadState command will exit on the first error. You can use the new <ErrorControl> section in the Config.xml file to specify which file or registry read/write errors can be safely ignored and which might cause the migration to fail. This enables the /c command-line option to safely skip all input/output (I/O) errors in your environment. In addition, the /genconfig option now generates a sample <ErrorControl> section that is enabled by specifying error messages and desired behaviors in the Config.xml file.

          /r:<TimesToRetry>

          (Retry)

          -

          Specifies the number of times to retry when an error occurs while migrating the user state from a server. The default is three times. This option is useful in environments where network connectivity is not reliable.

          -

          While restoring the user state, the /r option will not recover data that is lost due to a network-hardware failure, such as a faulty or disconnected network cable, or when a virtual private network (VPN) connection fails. The retry option is intended for large, busy networks where connectivity is satisfactory, but communication latency is a problem.

          /w:<SecondsBeforeRetry>

          (Wait)

          -

          Specifies the time to wait, in seconds, before retrying a network file operation. The default is 1 second.

          /? or /help

          Displays Help on the command line.

          - - - -## User Options - - -By default, all users are migrated. The only way to specify which users to include and exclude is by using the following options. You cannot exclude users in the migration .xml files or by using the Config.xml file. For more information, see [Identify Users](usmt-identify-users.md). - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Command-Line OptionDescription

          /all

          Migrates all of the users on the computer.

          -

          USMT migrates all user accounts on the computer, unless you specifically exclude an account with the /ue or /uel options. For this reason, you do not need to specify this option on the command line. However, if you choose to use the /all option, you cannot also use the /ui, /ue or /uel options.

          /ui:DomainName<em>UserName

          -

          or

          -

          /ui:"DomainName<em>User Name"

          -

          or

          -

          /ui:ComputerName<em>LocalUserName

          (User include)

          -

          Migrates the specified user. By default, all users are included in the migration. Therefore, this option is helpful only when used with the /ue option. You can specify multiple /ui options, but you cannot use the /ui option with the /all option. DomainName and UserName can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotations marks.

          -

          For example:

          -
            -

          • To include only User2 from the Corporate domain, type:

            -

            /ue:* /ui:corporate\user2

            • -
          -
          -Note

          If a user is specified for inclusion with the /ui option, and also is specified to be excluded with either the /ue or /uel options, the user will be included in the migration.

          -
          -
          - -
          -

          For more examples, see the descriptions of the /uel, /ue, and /ui options in this table.

          /uel:<NumberOfDays>

          -

          or

          -

          /uel:<YYYY/MM/DD>

          -

          or

          -

          /uel:0

          (User exclude based on last logon)

          -

          Migrates only the users that logged onto the source computer within the specified time period, based on the Last Modified date of the Ntuser.dat file on the source computer. The /uel option acts as an include rule. For example, the /uel:30 option migrates users who logged on, or whose user account was modified, within the last 30 days from the date when the ScanState command is run. You can specify a number of days or you can specify a date. You cannot use this option with the /all option. USMT retrieves the last logon information from the local computer, so the computer does not need to be connected to the network when you run this option. In addition, if a domain user has logged onto another computer, that logon instance is not considered by USMT.

          -
          -Note

          The /uel option is not valid in offline migrations.

          -
          -
          - -
          -

          Examples:

          -
            -

          • /uel:0 migrates accounts that were logged on to the source computer when the ScanState command was run.

            • -

          • /uel:90 migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days.

            • -

          • /uel:1 migrates users whose accounts have been modified within the last 24 hours.

            • -

          • /uel:2002/1/15 migrates users who have logged on or whose accounts have been modified since January 15, 2002.

            • -
          -

          For example:

          -

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /uel:0

          /ue:DomainName<em>UserName

          -

          or

          -

          /ue:"DomainName<em>User Name"

          -

          or

          -

          /ue:ComputerName<em>LocalUserName

          (User exclude)

          -

          Excludes the specified users from the migration. You can specify multiple /ue options but you cannot use the /ue option with the /all option. DomainName and UserName can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotation marks.

          -

          For example:

          -

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /ue:contoso\user1

          -

          For more examples, see the descriptions of the /uel, /ue, and /ui options in this table.

          /md:OldDomain:NewDomain

          -

          or

          -

          /md:LocalComputerName:NewDomain

          (move domain)

          -

          Specifies a new domain for the user. Use this option to change the domain for users on a computer or to migrate a local user to a domain account. OldDomain may contain the asterisk () wildcard character.

          -

          You can specify this option more than once. You may want to specify multiple /md options if you are consolidating users across multiple domains to a single domain. For example, you could specify the following to consolidate the users from the Corporate and FarNorth domains into the Fabrikam domain: /md:corporate:fabrikam and /md:farnorth:fabrikam.

          -

          If there are conflicts between two /md commands, the first rule that you specify is applied. For example, if you specify the /md:corporate:fabrikam and /md:corporate:farnorth commands, then Corporate users would be mapped to the Fabrikam domain.

          -
          -Note

          If you specify an OldDomain that did not exist on the source computer, the LoadState command will appear to complete successfully, without an error or warning. However, in this case, users will not be moved to NewDomain but will remain in their original domain. For example, if you misspell "contoso" and you specify "/md:contso:fabrikam", the users will remain in contoso on the destination computer.

          -
          -
          - -
          -

          For example:

          -

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore

          -

          /progress:prog.log /l:load.log /md:contoso:fabrikam

          /mu:OldDomain<em>OldUserName:[NewDomain]NewUserName

          -

          or

          -

          /mu:OldLocalUserName:NewDomain<em>NewUserName

          Specifies a new user name for the specified user. If the store contains more than one user, you can specify multiple /mu options. You cannot use wildcard characters with this option.

          -

          For example:

          -

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore

          -

          /progress:prog.log /l:load.log /mu:contoso\user1:fabrikam\user1

          /lac:[Password]

          (local account create)

          -

          Specifies that if a user account is a local (non-domain) account, and it does not exist on the destination computer, USMT will create the account on the destination computer but it will be disabled. To enable the account, you must also use the /lae option.

          -

          If the /lac option is not specified, any local user accounts that do not already exist on the destination computer will not be migrated.

          -

          Password is the password for the newly created account. An empty password is used by default.

          -
          -Caution

          Use the Password variable with caution because it is provided in plain text and can be obtained by anyone with access to the computer that is running the LoadState command.

          -

          Also, if the computer has multiple users, all migrated users will have the same password.

          -
          -
          - -
          -

          For example:

          -

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore

          -

          For instructions, see Migrate User Accounts.

          /lae

          (local account enable)

          -

          Enables the account that was created with the /lac option. You must specify the /lac option with this option.

          -

          For example:

          -

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore

          -

          /progress:prog.log /l:load.log /lac:password /lae

          -

          For instructions, see Migrate User Accounts.

          - - - -### Examples for the /ui and /ue options - -The following examples apply to both the **/ui** and **/ue** options. You can replace the **/ue** option with the **/ui** option to include, rather than exclude, the specified users. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          BehaviorCommand

          Exclude the user named User One in the Corporate domain.

          /ue:"corporate\user one"

          Exclude the user named User1 in the Corporate domain.

          /ue:corporate\user1

          Exclude the local user named User1.

          /ue:%computername%\user1

          Exclude all domain users.

          /ue:Domain

          Exclude all local users.

          /ue:%computername%

          Exclude users in all domains named User1, User2, and so on.

          /ue:\user

          - - - -### Using the Options Together - -You can use the **/uel**, **/ue** and **/ui** options together to migrate only the users that you want migrated. - -**The /ui option has precedence over the /ue and /uel options.** If a user is specified to be included using the **/ui** option, and also specified to be excluded using either the **/ue** or **/uel** options, the user will be included in the migration. For example, if you specify `/ui:contoso\* /ue:contoso\user1`, then User1 will be migrated, because the **/ui** option takes precedence over the **/ue** option. - -**The /uel option takes precedence over the /ue option.** If a user has logged on within the specified time period set by the **/uel** option, that user’s profile will be migrated even if they are excluded by using the **/ue** option. For example, if you specify `/ue:contoso\user1 /uel:14`, the User1 will be migrated if they have logged on to the computer within the last 14 days. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
          BehaviorCommand

          Include only User2 from the Fabrikam domain and exclude all other users.

          /ue:* /ui:fabrikam\user2

          Include only the local user named User1 and exclude all other users.

          /ue:* /ui:user1

          Include only the domain users from Contoso, except Contoso\User1.

          This behavior cannot be completed using a single command. Instead, to migrate this set of users, you will need to specify the following:

          -
            -

          • Using the ScanState command-line tool, type: /ue:* /ui:contoso

            • -

          • Using the LoadState command-line tool, type: /ue:contoso\user1

            • -

          Include only local (non-domain) users.

          /ue: /ui:%computername%*

          - - - -## Incompatible Command-Line Options - - -The following table indicates which command-line options are not compatible with the **LoadState** command. If the table entry for a particular combination is blank, the options are compatible and you can use them together. The X symbol means that the options are not compatible. For example, you cannot use the **/nocompress** option with the **/encrypt** option. - - ------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Command-Line Option/keyfile/nocompress/genconfig/all

          /i

          /v

          /nocompress

          N/A

          X

          /key

          X

          X

          /decrypt

          Required*

          X

          X

          /keyfile

          N/A

          X

          /l

          /progress

          X

          /r

          X

          /w

          X

          /c

          X

          /p

          X

          N/A

          /all

          X

          /ui

          X

          X

          /ue

          X

          X

          /uel

          X

          X

          /genconfig

          N/A

          /config

          X

          StorePath

          /md

          /mu

          /lae

          /lac

          - - - -**Note** -You must specify either the **/key** or **/keyfile** option with the **/encrypt** option. - - - -## Related topics - - -[XML Elements Library](usmt-xml-elements-library.md) - - - - - - - - - +--- +title: LoadState Syntax (Windows 10) +description: LoadState Syntax +ms.assetid: 53d2143b-cbe9-4cfc-8506-36e9d429f6d4 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# LoadState Syntax + + +This topic discusses the **LoadState** command syntax and options. + +## In This Topic + + +[Before You Begin](#before) + +[Syntax](#bkmk-s) + +[Storage Options](#bkmk-st) + +[Migration Rule Options](#bkmk-mig) + +[Monitoring Options](#bkmk-mon) + +[User Options](#bkmk-user) + +[Incompatible Command-Line Options](#bkmk-cloi) + +## Before You Begin + + +Before you run the **LoadState** command, note the following: + +- To ensure that all operating system settings migrate, we recommend that you run the **LoadState** commands in administrator mode from an account with administrative credentials. + +- For information about software requirements for running the **LoadState** command, see [USMT Requirements](usmt-requirements.md). + +- You should log off after you run the **LoadState** command. Some settings (for example, fonts, wallpaper, and screensaver settings) will not take effect until the next time the user logs in. + +- Unless otherwise specified, you can use each option only once when running a tool on the command line. + +- **LoadState** does not require domain controller access to apply domain profiles. This functionality is available without any additional configuration. It is not necessary for the source computer to have had domain controller access when the user profile was gathered using **ScanState**. However, domain profiles are inaccessible until the destination computer is joined to the domain. + +- The [Incompatible Command-Line Options](#bkmk-cloi) table lists which options you can use together and which command-line options are incompatible. + +## Syntax + + +This section explains the syntax and usage of the command-line options available when you use the **LoadState** command. The options can be specified in any order. If the option contains a parameter, you can specify either a colon or space separator. + +The **LoadState** command's syntax is: + +loadstate *StorePath* \[/i:\[*Path*\\\]*FileName*\] \[/v:*VerbosityLevel*\] \[/nocompress\] \[/decrypt /key:*KeyString*|/keyfile:\[Path\\\]*FileName*\] \[/l:\[*Path*\\\]*FileName*\] \[/progress:\[*Path*\\\]*FileName*\] \[/r:*TimesToRetry*\] \[/w:*SecondsToWait*\] \[/c\] \[/all\] \[/ui:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/ue:\[\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/uel:*NumberOfDays*|*YYYY/MM/DD*|0\] \[/md:*OldDomain*:*NewDomain*\] \[/mu:*OldDomain*\\*OldUserName*:\[*NewDomain*\\\]*NewUserName*\] \[/lac:\[*Password*\]\] \[/lae\] \[/config:\[*Path*\\\]*FileName*\] \[/?|help\] + +For example, to decrypt the store and migrate the files and settings to a computer running Windows 7 type the following on the command line: + +`loadstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /v:13 /decrypt /key:"mykey"` + +## Storage Options + + +USMT provides the following options that you can use to specify how and where the migrated data is stored. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Command-Line OptionDescription

          StorePath

          Indicates the folder where the files and settings data are stored. You must specify StorePath when using the LoadState command. You cannot specify more than one StorePath.

          /decrypt /key:KeyString

          +

          or

          +

          /decrypt /key:"Key String"

          +

          or

          +

          /decrypt /keyfile:[Path</em>]FileName

          Decrypts the store with the specified key. With this option, you will need to specify the encryption key in one of the following ways:

          +
            +

          • /key:KeyString specifies the encryption key. If there is a space in KeyString, you must surround the argument with quotation marks.

            • +

          • /keyfile:FilePathAndName specifies a text (.txt) file that contains the encryption key

            • +
          +

          KeyString cannot exceed 256 characters.

          +

          The /key and /keyfile options cannot be used on the same command line.

          +

          The /decrypt and /nocompress options cannot be used on the same command line.

          +
          +Important

          Use caution with this option, because anyone who has access to the LoadState command-line script will also have access to the encryption key.

          +
          +
          + +
          +

          For example:

          +

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /decrypt /key:mykey

          /decrypt:"encryption strength"

          The /decrypt option accepts a command-line parameter to define the encryption strength specified for the migration store encryption. For more information about supported encryption algorithms, see Migration Store Encryption.

          /hardlink

          Enables user-state data to be restored from a hard-link migration store. The /nocompress parameter must be specified with /hardlink option.

          /nocompress

          Specifies that the store is not compressed. You should only use this option in testing environments. We recommend that you use a compressed store during your actual migration. This option cannot be used with the /decrypt option.

          +

          For example:

          +

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /nocompress

          + + + +## Migration Rule Options + + +USMT provides the following options to specify what files you want to migrate. + + ++++ + + + + + + + + + + + + + + + + + + + + +
          Command-Line OptionDescription

          /i:[Path]FileName

          (include)

          +

          Specifies an .xml file that contains rules that define what state to migrate. You can specify this option multiple times to include all of your .xml files (MigApp.xml, MigSys.xml, MigDocs.xml and any custom .xml files that you create). Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory.

          +

          For more information about which files to specify, see the "XML files" section of the Frequently Asked Questions topic.

          /config:[Path]FileName

          Specifies the Config.xml file that the LoadState command should use. You cannot specify this option more than once on the command line. Path can be either a relative or full path. If you do not specify the Path variable, then the FileName must be located in the current directory.

          +

          This example migrates the files and settings based on the rules in the Config.xml, MigDocs.xml, and MigApp.xml files:

          +

          loadstate \server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:5 /l:loadstate.log

          /auto:"path to script files"

          This option enables you to specify the location of the default .xml files and then launch your migration. If no path is specified, USMT will use the directory where the USMT binaries are located. The /auto option has the same effect as using the following options: /i:MigDocs.xml /i:MigApp.xml /v:5.

          + + + +## Monitoring Options + + +USMT provides several command-line options that you can use to analyze problems that occur during migration. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Command-Line OptionDescription

          /l:[Path]FileName

          Specifies the location and name of the LoadState log. You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then the log will be created in the current directory. You can specify the /v option to adjust the amount of output.

          +

          If you run the LoadState command from a shared network resource, you must specify this option or USMT will fail with the error: "USMT was unable to create the log file(s)". To fix this issue, use the /l:load.log option.

          /v:<VerbosityLevel>

          (Verbosity)

          +

          Enables verbose output in the LoadState log file. The default value is 0.

          +

          You can set the VerbosityLevel to one of the following levels:

          + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          LevelExplanation

          0

          Only the default errors and warnings are enabled.

          1

          Enables verbose output.

          4

          Enables error and status output.

          5

          Enables verbose and status output.

          8

          Enables error output to a debugger.

          9

          Enables verbose output to a debugger.

          12

          Enables error and status output to a debugger.

          13

          Enables verbose, status, and debugger output.

          +

          +

          For example:

          +

          loadstate \server\share\migration\mystore /v:5 /i:migdocs.xml /i:migapp.xml

          /progress:[Path</em>]FileName

          Creates the optional progress log. You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.

          +

          For example:

          +

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /progress:prog.log /l:scanlog.log

          /c

          When this option is specified, the LoadState command will continue to run, even if non-fatal errors occur. Any files or settings that cause an error are logged in the progress log. For example, if there is a large file that will not fit on the computer, the LoadState command will log an error and continue with the migration. Without the /c option, the LoadState command will exit on the first error. You can use the new <ErrorControl> section in the Config.xml file to specify which file or registry read/write errors can be safely ignored and which might cause the migration to fail. This enables the /c command-line option to safely skip all input/output (I/O) errors in your environment. In addition, the /genconfig option now generates a sample <ErrorControl> section that is enabled by specifying error messages and desired behaviors in the Config.xml file.

          /r:<TimesToRetry>

          (Retry)

          +

          Specifies the number of times to retry when an error occurs while migrating the user state from a server. The default is three times. This option is useful in environments where network connectivity is not reliable.

          +

          While restoring the user state, the /r option will not recover data that is lost due to a network-hardware failure, such as a faulty or disconnected network cable, or when a virtual private network (VPN) connection fails. The retry option is intended for large, busy networks where connectivity is satisfactory, but communication latency is a problem.

          /w:<SecondsBeforeRetry>

          (Wait)

          +

          Specifies the time to wait, in seconds, before retrying a network file operation. The default is 1 second.

          /? or /help

          Displays Help on the command line.

          + + + +## User Options + + +By default, all users are migrated. The only way to specify which users to include and exclude is by using the following options. You cannot exclude users in the migration .xml files or by using the Config.xml file. For more information, see [Identify Users](usmt-identify-users.md). + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Command-Line OptionDescription

          /all

          Migrates all of the users on the computer.

          +

          USMT migrates all user accounts on the computer, unless you specifically exclude an account with the /ue or /uel options. For this reason, you do not need to specify this option on the command line. However, if you choose to use the /all option, you cannot also use the /ui, /ue or /uel options.

          /ui:DomainName<em>UserName

          +

          or

          +

          /ui:"DomainName<em>User Name"

          +

          or

          +

          /ui:ComputerName<em>LocalUserName

          (User include)

          +

          Migrates the specified user. By default, all users are included in the migration. Therefore, this option is helpful only when used with the /ue option. You can specify multiple /ui options, but you cannot use the /ui option with the /all option. DomainName and UserName can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotations marks.

          +

          For example:

          +
            +

          • To include only User2 from the Corporate domain, type:

            +

            /ue:* /ui:corporate\user2

            • +
          +
          +Note

          If a user is specified for inclusion with the /ui option, and also is specified to be excluded with either the /ue or /uel options, the user will be included in the migration.

          +
          +
          + +
          +

          For more examples, see the descriptions of the /uel, /ue, and /ui options in this table.

          /uel:<NumberOfDays>

          +

          or

          +

          /uel:<YYYY/MM/DD>

          +

          or

          +

          /uel:0

          (User exclude based on last logon)

          +

          Migrates only the users that logged onto the source computer within the specified time period, based on the Last Modified date of the Ntuser.dat file on the source computer. The /uel option acts as an include rule. For example, the /uel:30 option migrates users who logged on, or whose user account was modified, within the last 30 days from the date when the ScanState command is run. You can specify a number of days or you can specify a date. You cannot use this option with the /all option. USMT retrieves the last logon information from the local computer, so the computer does not need to be connected to the network when you run this option. In addition, if a domain user has logged onto another computer, that logon instance is not considered by USMT.

          +
          +Note

          The /uel option is not valid in offline migrations.

          +
          +
          + +
          +

          Examples:

          +
            +

          • /uel:0 migrates accounts that were logged on to the source computer when the ScanState command was run.

            • +

          • /uel:90 migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days.

            • +

          • /uel:1 migrates users whose accounts have been modified within the last 24 hours.

            • +

          • /uel:2002/1/15 migrates users who have logged on or whose accounts have been modified since January 15, 2002.

            • +
          +

          For example:

          +

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /uel:0

          /ue:DomainName<em>UserName

          +

          or

          +

          /ue:"DomainName<em>User Name"

          +

          or

          +

          /ue:ComputerName<em>LocalUserName

          (User exclude)

          +

          Excludes the specified users from the migration. You can specify multiple /ue options but you cannot use the /ue option with the /all option. DomainName and UserName can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotation marks.

          +

          For example:

          +

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /ue:contoso\user1

          +

          For more examples, see the descriptions of the /uel, /ue, and /ui options in this table.

          /md:OldDomain:NewDomain

          +

          or

          +

          /md:LocalComputerName:NewDomain

          (move domain)

          +

          Specifies a new domain for the user. Use this option to change the domain for users on a computer or to migrate a local user to a domain account. OldDomain may contain the asterisk () wildcard character.

          +

          You can specify this option more than once. You may want to specify multiple /md options if you are consolidating users across multiple domains to a single domain. For example, you could specify the following to consolidate the users from the Corporate and FarNorth domains into the Fabrikam domain: /md:corporate:fabrikam and /md:farnorth:fabrikam.

          +

          If there are conflicts between two /md commands, the first rule that you specify is applied. For example, if you specify the /md:corporate:fabrikam and /md:corporate:farnorth commands, then Corporate users would be mapped to the Fabrikam domain.

          +
          +Note

          If you specify an OldDomain that did not exist on the source computer, the LoadState command will appear to complete successfully, without an error or warning. However, in this case, users will not be moved to NewDomain but will remain in their original domain. For example, if you misspell "contoso" and you specify "/md:contso:fabrikam", the users will remain in contoso on the destination computer.

          +
          +
          + +
          +

          For example:

          +

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore

          +

          /progress:prog.log /l:load.log /md:contoso:fabrikam

          /mu:OldDomain<em>OldUserName:[NewDomain]NewUserName

          +

          or

          +

          /mu:OldLocalUserName:NewDomain<em>NewUserName

          Specifies a new user name for the specified user. If the store contains more than one user, you can specify multiple /mu options. You cannot use wildcard characters with this option.

          +

          For example:

          +

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore

          +

          /progress:prog.log /l:load.log /mu:contoso\user1:fabrikam\user1

          /lac:[Password]

          (local account create)

          +

          Specifies that if a user account is a local (non-domain) account, and it does not exist on the destination computer, USMT will create the account on the destination computer but it will be disabled. To enable the account, you must also use the /lae option.

          +

          If the /lac option is not specified, any local user accounts that do not already exist on the destination computer will not be migrated.

          +

          Password is the password for the newly created account. An empty password is used by default.

          +
          +Caution

          Use the Password variable with caution because it is provided in plain text and can be obtained by anyone with access to the computer that is running the LoadState command.

          +

          Also, if the computer has multiple users, all migrated users will have the same password.

          +
          +
          + +
          +

          For example:

          +

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore

          +

          For instructions, see Migrate User Accounts.

          /lae

          (local account enable)

          +

          Enables the account that was created with the /lac option. You must specify the /lac option with this option.

          +

          For example:

          +

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore

          +

          /progress:prog.log /l:load.log /lac:password /lae

          +

          For instructions, see Migrate User Accounts.

          + + + +### Examples for the /ui and /ue options + +The following examples apply to both the **/ui** and **/ue** options. You can replace the **/ue** option with the **/ui** option to include, rather than exclude, the specified users. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          BehaviorCommand

          Exclude the user named User One in the Corporate domain.

          /ue:"corporate\user one"

          Exclude the user named User1 in the Corporate domain.

          /ue:corporate\user1

          Exclude the local user named User1.

          /ue:%computername%\user1

          Exclude all domain users.

          /ue:Domain

          Exclude all local users.

          /ue:%computername%

          Exclude users in all domains named User1, User2, and so on.

          /ue:\user

          + + + +### Using the Options Together + +You can use the **/uel**, **/ue** and **/ui** options together to migrate only the users that you want migrated. + +**The /ui option has precedence over the /ue and /uel options.** If a user is specified to be included using the **/ui** option, and also specified to be excluded using either the **/ue** or **/uel** options, the user will be included in the migration. For example, if you specify `/ui:contoso\* /ue:contoso\user1`, then User1 will be migrated, because the **/ui** option takes precedence over the **/ue** option. + +**The /uel option takes precedence over the /ue option.** If a user has logged on within the specified time period set by the **/uel** option, that user’s profile will be migrated even if they are excluded by using the **/ue** option. For example, if you specify `/ue:contoso\user1 /uel:14`, the User1 will be migrated if they have logged on to the computer within the last 14 days. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
          BehaviorCommand

          Include only User2 from the Fabrikam domain and exclude all other users.

          /ue:* /ui:fabrikam\user2

          Include only the local user named User1 and exclude all other users.

          /ue:* /ui:user1

          Include only the domain users from Contoso, except Contoso\User1.

          This behavior cannot be completed using a single command. Instead, to migrate this set of users, you will need to specify the following:

          +
            +

          • Using the ScanState command-line tool, type: /ue:* /ui:contoso

            • +

          • Using the LoadState command-line tool, type: /ue:contoso\user1

            • +

          Include only local (non-domain) users.

          /ue: /ui:%computername%*

          + + + +## Incompatible Command-Line Options + + +The following table indicates which command-line options are not compatible with the **LoadState** command. If the table entry for a particular combination is blank, the options are compatible and you can use them together. The X symbol means that the options are not compatible. For example, you cannot use the **/nocompress** option with the **/encrypt** option. + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Command-Line Option/keyfile/nocompress/genconfig/all

          /i

          /v

          /nocompress

          N/A

          X

          /key

          X

          X

          /decrypt

          Required*

          X

          X

          /keyfile

          N/A

          X

          /l

          /progress

          X

          /r

          X

          /w

          X

          /c

          X

          /p

          X

          N/A

          /all

          X

          /ui

          X

          X

          /ue

          X

          X

          /uel

          X

          X

          /genconfig

          N/A

          /config

          X

          StorePath

          /md

          /mu

          /lae

          /lac

          + + + +**Note** +You must specify either the **/key** or **/keyfile** option with the **/encrypt** option. + + + +## Related topics + + +[XML Elements Library](usmt-xml-elements-library.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-log-files.md b/windows/deployment/usmt/usmt-log-files.md index daba5ef2e2..d9917d3495 100644 --- a/windows/deployment/usmt/usmt-log-files.md +++ b/windows/deployment/usmt/usmt-log-files.md @@ -8,6 +8,7 @@ ms.author: greglin ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.date: 04/19/2017 ms.topic: article @@ -252,7 +253,7 @@ The following examples describe common scenarios in which you can use the diagno Let’s imagine that we have the following directory structure and that we want the “data” directory to be included in the migration along with the “New Text Document.txt” file in the “New Folder.” The directory of **C:\\data** contains: -``` syntax +``` 01/21/2009 10:08 PM . 01/21/2009 10:08 PM .. 01/21/2009 10:08 PM New Folder @@ -263,7 +264,7 @@ Let’s imagine that we have the following directory structure and that we want The directory of **C:\\data\\New Folder** contains: -``` syntax +``` 01/21/2009 10:08 PM . 01/21/2009 10:08 PM .. 01/21/2009 10:08 PM 0 New Text Document.txt @@ -294,7 +295,7 @@ To migrate these files you author the following migration XML: However, upon testing the migration you notice that the “New Text Document.txt” file isn’t included in the migration. To troubleshoot this failure, the migration can be repeated with the environment variable MIG\_ENABLE\_DIAG set such that the diagnostic log is generated. Upon searching the diagnostic log for the component “DATA1”, the following XML section is discovered: -```xml +``` xml @@ -315,13 +316,13 @@ Analysis of this XML section reveals the migunit that was created when the migra An analysis of the XML elements reference topic reveals that the <pattern> tag needs to be modified as follows: -```xml +``` xml c:\data\* [*] ``` When the migration is preformed again with the modified tag, the diagnostic log reveals the following: -```xml +``` xml @@ -346,7 +347,7 @@ This diagnostic log confirms that the modified <pattern> value enables the In this scenario, you have the following directory structure and you want all files in the “data” directory to migrate, except for text files. The **C:\\Data** folder contains: -``` syntax +``` Directory of C:\Data 01/21/2009 10:08 PM . @@ -359,7 +360,7 @@ Directory of C:\Data The **C:\\Data\\New Folder\\** contains: -``` syntax +``` 01/21/2009 10:08 PM . 01/21/2009 10:08 PM .. 01/21/2009 10:08 PM 0 New Text Document.txt @@ -396,7 +397,7 @@ You author the following migration XML: However, upon testing the migration you notice that all the text files are still included in the migration. In order to troubleshoot this issue, the migration can be performed with the environment variable MIG\_ENABLE\_DIAG set so that the diagnostic log is generated. Upon searching the diagnostic log for the component “DATA1”, the following XML section is discovered: -```xml +``` xml @@ -453,7 +454,7 @@ Upon reviewing the diagnostic log, you confirm that the files are still migratin Your revised migration XML script excludes the files from migrating, as confirmed in the diagnostic log: -```xml +``` xml diff --git a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md index 0e3db8dd0c..706f2c6a6e 100644 --- a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md +++ b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md @@ -1,55 +1,55 @@ ---- -title: Migrate EFS Files and Certificates (Windows 10) -description: Migrate EFS Files and Certificates -ms.assetid: 7f19a753-ec45-4433-b297-cc30f16fdee1 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Migrate EFS Files and Certificates - - -This topic describes how to migrate Encrypting File System (EFS) certificates. For more information about the **/efs** For options, see [ScanState Syntax](usmt-scanstate-syntax.md). - -## To Migrate EFS Files and Certificates - - -Encrypting File System (EFS) certificates will be migrated automatically. However, by default, the User State Migration Tool (USMT) 10.0 fails if an encrypted file is found (unless you specify an **/efs** option). Therefore, you must specify **/efs:abort | skip | decryptcopy | copyraw | hardlink** with the ScanState command to migrate the encrypted files. Then, when you run the LoadState command on the destination computer, the encrypted file and the EFS certificate will be automatically migrated. - -**Note**   -The **/efs** options are not used with the LoadState command. - - - -Before using the ScanState tool for a migration that includes encrypted files and EFS certificates, you must ensure that all files in an encrypted folder are encrypted as well or remove the encryption attribute from folders that contain unencrypted files. If the encryption attribute has been removed from a file but not from the parent folder, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool. - -You can run the Cipher tool at a Windows command prompt to review and change encryption settings on files and folders. For example, to remove encryption from a folder, at a command prompt type: - -``` syntax -Cipher /D /S: -``` - -Where *<Path>* is the full path of the topmost parent directory where the encryption attribute is set. - -## Related topics - - -[What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) - -[Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md) - - - - - - - - - +--- +title: Migrate EFS Files and Certificates (Windows 10) +description: Migrate EFS Files and Certificates +ms.assetid: 7f19a753-ec45-4433-b297-cc30f16fdee1 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Migrate EFS Files and Certificates + + +This topic describes how to migrate Encrypting File System (EFS) certificates. For more information about the **/efs** For options, see [ScanState Syntax](usmt-scanstate-syntax.md). + +## To Migrate EFS Files and Certificates + + +Encrypting File System (EFS) certificates will be migrated automatically. However, by default, the User State Migration Tool (USMT) 10.0 fails if an encrypted file is found (unless you specify an **/efs** option). Therefore, you must specify **/efs:abort | skip | decryptcopy | copyraw | hardlink** with the ScanState command to migrate the encrypted files. Then, when you run the LoadState command on the destination computer, the encrypted file and the EFS certificate will be automatically migrated. + +**Note**   +The **/efs** options are not used with the LoadState command. + + + +Before using the ScanState tool for a migration that includes encrypted files and EFS certificates, you must ensure that all files in an encrypted folder are encrypted as well or remove the encryption attribute from folders that contain unencrypted files. If the encryption attribute has been removed from a file but not from the parent folder, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool. + +You can run the Cipher tool at a Windows command prompt to review and change encryption settings on files and folders. For example, to remove encryption from a folder, at a command prompt type: + +``` syntax +Cipher /D /S: +``` + +Where *<Path>* is the full path of the topmost parent directory where the encryption attribute is set. + +## Related topics + + +[What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) + +[Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-migrate-user-accounts.md b/windows/deployment/usmt/usmt-migrate-user-accounts.md index 0842197047..663964c7eb 100644 --- a/windows/deployment/usmt/usmt-migrate-user-accounts.md +++ b/windows/deployment/usmt/usmt-migrate-user-accounts.md @@ -1,96 +1,96 @@ ---- -title: Migrate User Accounts (Windows 10) -description: Migrate User Accounts -ms.assetid: a3668361-43c8-4fd2-b26e-9a2deaeaeb09 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Migrate User Accounts - - -By default, all users are migrated. The only way to specify which users to include and exclude is on the command line by using the User options. You cannot specify users in the migration XML files or by using the Config.xml file. - -## In this Topic - - -- [To migrate all user accounts and user settings](#bkmk-migrateall) - -- [To migrate two domain accounts (User1 and User2)](#bkmk-migratetwo) - -- [To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain](#bkmk-migratemoveuserone) - -## To migrate all user accounts and user settings -Links to detailed explanations of commands are available in the Related Topics section. - -1. Log on to the source computer as an administrator, and specify the following in a **Command-Prompt** window: - - `scanstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml /o` - -2. Log on to the destination computer as an administrator. - -3. Do one of the following: - - - If you are migrating domain accounts, specify: - - `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml` - - - If you are migrating local accounts along with domain accounts, specify: - - `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml /lac /lae` - - **Note**   - You do not have to specify the **/lae** option, which enables the account that was created with the **/lac** option. Instead, you can create a disabled local account by specifying only the **/lac** option, and then a local administrator needs to enable the account on the destination computer. - - - -## To migrate two domain accounts (User1 and User2) -Links to detailed explanations of commands are available in the Related Topics section. - -1. Log on to the source computer as an administrator, and specify: - - `scanstate \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:fabrikam\user2 /i:migdocs.xml /i:migapp.xml /o` - -2. Log on to the destination computer as an administrator. - -3. Specify the following: - - `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml` - -## To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain -Links to detailed explanations of commands are available in the Related Topics section. - -1. Log on to the source computer as an administrator, and type the following at the command-line prompt: - - `scanstate \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:contoso\user2 /i:migdocs.xml /i:migapp.xml /o` - -2. Log on to the destination computer as an administrator. - -3. Specify the following: - - `loadstate \\server\share\migration\mystore /mu:contoso\user1:fabrikam\user2 /i:migdocs.xml /i:migapp.xml` - -## Related topics - - -[Identify Users](usmt-identify-users.md) - -[ScanState Syntax](usmt-scanstate-syntax.md) - -[LoadState Syntax](usmt-loadstate-syntax.md) - - - - - - - - - +--- +title: Migrate User Accounts (Windows 10) +description: Migrate User Accounts +ms.assetid: a3668361-43c8-4fd2-b26e-9a2deaeaeb09 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Migrate User Accounts + + +By default, all users are migrated. The only way to specify which users to include and exclude is on the command line by using the User options. You cannot specify users in the migration XML files or by using the Config.xml file. + +## In this Topic + + +- [To migrate all user accounts and user settings](#bkmk-migrateall) + +- [To migrate two domain accounts (User1 and User2)](#bkmk-migratetwo) + +- [To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain](#bkmk-migratemoveuserone) + +## To migrate all user accounts and user settings +Links to detailed explanations of commands are available in the Related Topics section. + +1. Log on to the source computer as an administrator, and specify the following in a **Command-Prompt** window: + + `scanstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml /o` + +2. Log on to the destination computer as an administrator. + +3. Do one of the following: + + - If you are migrating domain accounts, specify: + + `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml` + + - If you are migrating local accounts along with domain accounts, specify: + + `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml /lac /lae` + + **Note**   + You do not have to specify the **/lae** option, which enables the account that was created with the **/lac** option. Instead, you can create a disabled local account by specifying only the **/lac** option, and then a local administrator needs to enable the account on the destination computer. + + + +## To migrate two domain accounts (User1 and User2) +Links to detailed explanations of commands are available in the Related Topics section. + +1. Log on to the source computer as an administrator, and specify: + + `scanstate \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:fabrikam\user2 /i:migdocs.xml /i:migapp.xml /o` + +2. Log on to the destination computer as an administrator. + +3. Specify the following: + + `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml` + +## To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain +Links to detailed explanations of commands are available in the Related Topics section. + +1. Log on to the source computer as an administrator, and type the following at the command-line prompt: + + `scanstate \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:contoso\user2 /i:migdocs.xml /i:migapp.xml /o` + +2. Log on to the destination computer as an administrator. + +3. Specify the following: + + `loadstate \\server\share\migration\mystore /mu:contoso\user1:fabrikam\user2 /i:migdocs.xml /i:migapp.xml` + +## Related topics + + +[Identify Users](usmt-identify-users.md) + +[ScanState Syntax](usmt-scanstate-syntax.md) + +[LoadState Syntax](usmt-loadstate-syntax.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-migration-store-encryption.md b/windows/deployment/usmt/usmt-migration-store-encryption.md index 007c4b258a..8ef1ea7592 100644 --- a/windows/deployment/usmt/usmt-migration-store-encryption.md +++ b/windows/deployment/usmt/usmt-migration-store-encryption.md @@ -1,76 +1,76 @@ ---- -title: Migration Store Encryption (Windows 10) -description: Migration Store Encryption -ms.assetid: b28c2657-b986-4487-bd38-cb81500b831d -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Migration Store Encryption - - -This topic discusses User State Migration Tool (USMT) 10.0 options for migration store encryption to protect the integrity of user data during a migration. - -## USMT Encryption Options - - -USMT enables support for stronger encryption algorithms, called Advanced Encryption Standard (AES), in several bit-level options. AES is a National Institute of Standards and Technology (NIST) specification for the encryption of electronic data. - -The encryption algorithm you choose must be specified for both the **ScanState** and the **LoadState** commands, so that these commands can create or read the store during encryption and decryption. The new encryption algorithms can be specified on the **ScanState** and the **LoadState** command lines by using the **/encrypt**:*"encryptionstrength"* and the **/decrypt**:*"encryptionstrength"* command-line options. All of the encryption application programming interfaces (APIs) used by USMT are available in Windows 7, Windows 8, and Windows 10 operating systems. However, export restrictions might limit the set of algorithms that are available to computers in certain locales. You can use the Usmtutils.exe file to determine which encryption algorithms are available to the computers' locales before you begin the migration. - -The following table describes the command-line encryption options in USMT. - - ----- - - - - - - - - - - - - - - - - - - - -
          ComponentOptionDescription

          ScanState

          /encrypt<AES, AES_128, AES_192, AES_256, 3DES, 3DES_112>

          This option and argument specify that the migration store is encrypted and which algorithm to use. When the algorithm argument is not provided, the ScanState tool employs the 3DES algorithm.

          LoadState

          /decrypt<AES, AES_128, AES_192, AES_256, 3DES, 3DES_112>

          This option and argument specify that the store must be decrypted and which algorithm to use. When the algorithm argument is not provided, the LoadState tool employs the 3DES algorithm.

          - - - -**Important**   -Some encryption algorithms may not be available on your systems. You can verify which algorithms are available by running the UsmtUtils command with the **/ec** option. For more information see [UsmtUtils Syntax](usmt-utilities.md) - - - -## Related topics - - -[Plan Your Migration](usmt-plan-your-migration.md) - - - - - - - - - +--- +title: Migration Store Encryption (Windows 10) +description: Migration Store Encryption +ms.assetid: b28c2657-b986-4487-bd38-cb81500b831d +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Migration Store Encryption + + +This topic discusses User State Migration Tool (USMT) 10.0 options for migration store encryption to protect the integrity of user data during a migration. + +## USMT Encryption Options + + +USMT enables support for stronger encryption algorithms, called Advanced Encryption Standard (AES), in several bit-level options. AES is a National Institute of Standards and Technology (NIST) specification for the encryption of electronic data. + +The encryption algorithm you choose must be specified for both the **ScanState** and the **LoadState** commands, so that these commands can create or read the store during encryption and decryption. The new encryption algorithms can be specified on the **ScanState** and the **LoadState** command lines by using the **/encrypt**:*"encryptionstrength"* and the **/decrypt**:*"encryptionstrength"* command-line options. All of the encryption application programming interfaces (APIs) used by USMT are available in Windows 7, Windows 8, and Windows 10 operating systems. However, export restrictions might limit the set of algorithms that are available to computers in certain locales. You can use the Usmtutils.exe file to determine which encryption algorithms are available to the computers' locales before you begin the migration. + +The following table describes the command-line encryption options in USMT. + + +++++ + + + + + + + + + + + + + + + + + + + +
          ComponentOptionDescription

          ScanState

          /encrypt<AES, AES_128, AES_192, AES_256, 3DES, 3DES_112>

          This option and argument specify that the migration store is encrypted and which algorithm to use. When the algorithm argument is not provided, the ScanState tool employs the 3DES algorithm.

          LoadState

          /decrypt<AES, AES_128, AES_192, AES_256, 3DES, 3DES_112>

          This option and argument specify that the store must be decrypted and which algorithm to use. When the algorithm argument is not provided, the LoadState tool employs the 3DES algorithm.

          + + + +**Important**   +Some encryption algorithms may not be available on your systems. You can verify which algorithms are available by running the UsmtUtils command with the **/ec** option. For more information see [UsmtUtils Syntax](usmt-utilities.md) + + + +## Related topics + + +[Plan Your Migration](usmt-plan-your-migration.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-overview.md b/windows/deployment/usmt/usmt-overview.md index d35c195f0f..6d80871901 100644 --- a/windows/deployment/usmt/usmt-overview.md +++ b/windows/deployment/usmt/usmt-overview.md @@ -1,60 +1,60 @@ ---- -title: User State Migration Tool (USMT) Overview (Windows 10) -description: User State Migration Tool (USMT) Overview -ms.assetid: 3b649431-ad09-4b17-895a-3fec7ac0a81f -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 10/16/2017 -ms.topic: article ---- - -# User State Migration Tool (USMT) Overview -You can use User State Migration Tool (USMT) 10.0 to streamline and simplify user state migration during large deployments of Windows operating systems. USMT captures user accounts, user files, operating system settings, and application settings, and then migrates them to a new Windows installation. You can use USMT for both PC replacement and PC refresh migrations. For more information, see [Common Migration Scenarios](usmt-common-migration-scenarios.md). - -USMT enables you to do the following: - -- Configure your migration according to your business needs by using the migration rule (.xml) files to control exactly which files and settings are migrated and how they are migrated. For more information about how to modify these files, see [USMT XML Reference](usmt-xml-reference.md). - -- Fit your customized migration into your automated deployment process by using the ScanState and LoadState tools, which control collecting and restoring the user files and settings. For more information, see [User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md). - -- Perform offline migrations. You can run migrations offline by using the ScanState command in Windows Preinstallation Environment (WinPE) or you can perform migrations from previous installations of Windows contained in Windows.old directories. For more information about migration types, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md) and [Offline Migration Reference](offline-migration-reference.md). - -## Benefits -USMT provides the following benefits to businesses that are deploying Windows operating systems: - -- Safely migrates user accounts, operating system and application settings. - -- Lowers the cost of deploying Windows by preserving user state. - -- Reduces end-user downtime required to customize desktops and find missing files. - -- Reduces help-desk calls. - -- Reduces the time needed for the user to become familiar with the new operating system. - -- Increases employee satisfaction with the migration experience. - -## Limitations -USMT is intended for administrators who are performing large-scale automated deployments. If you are only migrating the user states of a few computers, you can use [PCmover Express](https://go.microsoft.com/fwlink/?linkid=620915). PCmover Express is a tool created by Microsoft's partner, Laplink. - -There are some scenarios in which the use of USMT is not recommended. These include: - -- Migrations that require end-user interaction. - -- Migrations that require customization on a machine-by-machine basis. - -## Related topics -- [User State Migration Tool (USMT) Technical Reference](usmt-technical-reference.md) - - -  - - - - - +--- +title: User State Migration Tool (USMT) Overview (Windows 10) +description: User State Migration Tool (USMT) Overview +ms.assetid: 3b649431-ad09-4b17-895a-3fec7ac0a81f +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 10/16/2017 +ms.topic: article +--- + +# User State Migration Tool (USMT) Overview +You can use User State Migration Tool (USMT) 10.0 to streamline and simplify user state migration during large deployments of Windows operating systems. USMT captures user accounts, user files, operating system settings, and application settings, and then migrates them to a new Windows installation. You can use USMT for both PC replacement and PC refresh migrations. For more information, see [Common Migration Scenarios](usmt-common-migration-scenarios.md). + +USMT enables you to do the following: + +- Configure your migration according to your business needs by using the migration rule (.xml) files to control exactly which files and settings are migrated and how they are migrated. For more information about how to modify these files, see [USMT XML Reference](usmt-xml-reference.md). + +- Fit your customized migration into your automated deployment process by using the ScanState and LoadState tools, which control collecting and restoring the user files and settings. For more information, see [User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md). + +- Perform offline migrations. You can run migrations offline by using the ScanState command in Windows Preinstallation Environment (WinPE) or you can perform migrations from previous installations of Windows contained in Windows.old directories. For more information about migration types, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md) and [Offline Migration Reference](offline-migration-reference.md). + +## Benefits +USMT provides the following benefits to businesses that are deploying Windows operating systems: + +- Safely migrates user accounts, operating system and application settings. + +- Lowers the cost of deploying Windows by preserving user state. + +- Reduces end-user downtime required to customize desktops and find missing files. + +- Reduces help-desk calls. + +- Reduces the time needed for the user to become familiar with the new operating system. + +- Increases employee satisfaction with the migration experience. + +## Limitations +USMT is intended for administrators who are performing large-scale automated deployments. If you are only migrating the user states of a few computers, you can use [PCmover Express](https://go.microsoft.com/fwlink/?linkid=620915). PCmover Express is a tool created by Microsoft's partner, Laplink. + +There are some scenarios in which the use of USMT is not recommended. These include: + +- Migrations that require end-user interaction. + +- Migrations that require customization on a machine-by-machine basis. + +## Related topics +- [User State Migration Tool (USMT) Technical Reference](usmt-technical-reference.md) + + +  + + + + + diff --git a/windows/deployment/usmt/usmt-plan-your-migration.md b/windows/deployment/usmt/usmt-plan-your-migration.md index 6b8319c12a..1fa60664bd 100644 --- a/windows/deployment/usmt/usmt-plan-your-migration.md +++ b/windows/deployment/usmt/usmt-plan-your-migration.md @@ -1,71 +1,71 @@ ---- -title: Plan Your Migration (Windows 10) -description: Plan Your Migration -ms.assetid: c951f7df-850e-47ad-b31b-87f902955e3e -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Plan Your Migration - - -Before you use the User State Migration Tool (USMT) 10.0 to perform your migration, we recommend that you plan your migration carefully. Planning can help your migration proceed smoothly and can reduce the risk of migration failure. - -In migration planning, both organizations and individuals must first identify what to migrate, including user settings, applications and application settings, and personal data files and folders. Identifying the applications to migrate is especially important so that you can avoid capturing data about applications that may be phased out. - -One of the most important requirements for migrating settings and data is restoring only the information that the destination computer requires. Although the data that you capture on the source computer may be more comprehensive than the restoration data for backup purposes, restoring data or settings for applications that you will not install on the destination system is redundant. This can also introduce instability in a newly deployed computer. - -## In This Section - - - ---- - - - - - - - - - - - - - - - - - - - - - - -

          Common Migration Scenarios

          Determine whether you will perform a refresh migration or a replace migration.

          What Does USMT Migrate?

          Learn which applications, user data, and operating system components USMT migrates.

          Choose a Migration Store Type

          Choose an uncompressed, compressed, or hard-link migration store.

          Determine What to Migrate

          Identify user accounts, application settings, operating system settings, and files that you want to migrate inside your organization.

          Test Your Migration

          Test your migration before you deploy Windows to all users.

          - - - -## Related topics - - -[USMT XML Reference](usmt-xml-reference.md) - - - - - - - - - +--- +title: Plan Your Migration (Windows 10) +description: Plan Your Migration +ms.assetid: c951f7df-850e-47ad-b31b-87f902955e3e +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Plan Your Migration + + +Before you use the User State Migration Tool (USMT) 10.0 to perform your migration, we recommend that you plan your migration carefully. Planning can help your migration proceed smoothly and can reduce the risk of migration failure. + +In migration planning, both organizations and individuals must first identify what to migrate, including user settings, applications and application settings, and personal data files and folders. Identifying the applications to migrate is especially important so that you can avoid capturing data about applications that may be phased out. + +One of the most important requirements for migrating settings and data is restoring only the information that the destination computer requires. Although the data that you capture on the source computer may be more comprehensive than the restoration data for backup purposes, restoring data or settings for applications that you will not install on the destination system is redundant. This can also introduce instability in a newly deployed computer. + +## In This Section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + +

          Common Migration Scenarios

          Determine whether you will perform a refresh migration or a replace migration.

          What Does USMT Migrate?

          Learn which applications, user data, and operating system components USMT migrates.

          Choose a Migration Store Type

          Choose an uncompressed, compressed, or hard-link migration store.

          Determine What to Migrate

          Identify user accounts, application settings, operating system settings, and files that you want to migrate inside your organization.

          Test Your Migration

          Test your migration before you deploy Windows to all users.

          + + + +## Related topics + + +[USMT XML Reference](usmt-xml-reference.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-recognized-environment-variables.md b/windows/deployment/usmt/usmt-recognized-environment-variables.md index 29f59d9b74..d2862feb9a 100644 --- a/windows/deployment/usmt/usmt-recognized-environment-variables.md +++ b/windows/deployment/usmt/usmt-recognized-environment-variables.md @@ -1,470 +1,470 @@ ---- -title: Recognized Environment Variables (Windows 10) -description: Recognized Environment Variables -ms.assetid: 2b0ac412-e131-456e-8f0c-c26249b5f3df -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Recognized Environment Variables - - -When using the XML files MigDocs.xml, MigApp.xml, and MigUser.xml, you can use environment variables to identify folders that may be different on different computers. Constant special item ID list (CSIDL) values provide a way to identify folders that applications use frequently but may not have the same name or location on any given computer. For example, the documents folder may be C:\\Users\\<Username>\\My Documents on one computer and C:\\Documents and Settings on another. You can use the asterisk (\*) wildcard character in MigUser.xml, MigApp.xml and MigDoc.xml files. However, you cannot use the asterisk (\*) wildcard characters in the Config.xml file. - -## In This Topic - - -- [Variables that are processed for the operating system and in the context of each user](#bkmk-1) - -- [Variables that are recognized only in the user context](#bkmk-2) - -## Variables that are processed for the operating system and in the context of each user - - -You can use these variables within sections in the .xml files with `context=UserAndSystem`, `context=User`, and `context=System`. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          VariableExplanation

          ALLUSERSAPPDATA

          Same as CSIDL_COMMON_APPDATA.

          ALLUSERSPROFILE

          Refers to %PROFILESFOLDER%\Public or %PROFILESFOLDER%\all users.

          COMMONPROGRAMFILES

          Same as CSIDL_PROGRAM_FILES_COMMON.

          COMMONPROGRAMFILES(X86)

          Refers to the C:\Program Files (x86)\Common Files folder on 64-bit systems.

          CSIDL_COMMON_ADMINTOOLS

          Version 10.0. The file-system directory that contains administrative tools for all users of the computer.

          CSIDL_COMMON_ALTSTARTUP

          The file-system directory that corresponds to the non-localized Startup program group for all users.

          CSIDL_COMMON_APPDATA

          The file-system directory that contains application data for all users. A typical path Windows is C:\ProgramData.

          CSIDL_COMMON_DESKTOPDIRECTORY

          The file-system directory that contains files and folders that appear on the desktop for all users. A typical Windows® XP path is C:\Documents and Settings\All Users\Desktop. A typical path is C:\Users\Public\Desktop.

          CSIDL_COMMON_DOCUMENTS

          The file-system directory that contains documents that are common to all users. A typical path in Windows XP is C:\Documents and Settings\All Users\Documents. A typical path is C:\Users\Public\Documents.

          CSIDL_COMMON_FAVORITES

          The file-system directory that serves as a common repository for favorites common to all users. A typical path is C:\Users\Public\Favorites.

          CSIDL_COMMON_MUSIC

          The file-system directory that serves as a repository for music files common to all users. A typical path is C:\Users\Public\Music.

          CSIDL_COMMON_PICTURES

          The file-system directory that serves as a repository for image files common to all users. A typical path is C:\Users\Public\Pictures.

          CSIDL_COMMON_PROGRAMS

          The file-system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\ProgramData\Microsoft\Windows\Start Menu\Programs.

          CSIDL_COMMON_STARTMENU

          The file-system directory that contains the programs and folders which appear on the Start menu for all users. A typical path in Windows is C:\ProgramData\Microsoft\Windows\Start Menu.

          CSIDL_COMMON_STARTUP

          The file-system directory that contains the programs that appear in the Startup folder for all users. A typical path in Windows XP is C:\Documents and Settings\All Users\Start Menu\Programs\Startup. A typical path is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup.

          CSIDL_COMMON_TEMPLATES

          The file-system directory that contains the templates that are available to all users. A typical path is C:\ProgramData\Microsoft\Windows\Templates.

          CSIDL_COMMON_VIDEO

          The file-system directory that serves as a repository for video files common to all users. A typical path is C:\Users\Public\Videos.

          CSIDL_DEFAULT_APPDATA

          Refers to the Appdata folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_LOCAL_APPDATA

          Refers to the local Appdata folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_COOKIES

          Refers to the Cookies folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_CONTACTS

          Refers to the Contacts folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_DESKTOP

          Refers to the Desktop folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_DOWNLOADS

          Refers to the Downloads folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_FAVORITES

          Refers to the Favorites folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_HISTORY

          Refers to the History folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_INTERNET_CACHE

          Refers to the Internet Cache folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_PERSONAL

          Refers to the Personal folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_MYDOCUMENTS

          Refers to the My Documents folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_MYPICTURES

          Refers to the My Pictures folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_MYMUSIC

          Refers to the My Music folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_MYVIDEO

          Refers to the My Videos folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_RECENT

          Refers to the Recent folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_SENDTO

          Refers to the Send To folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_STARTMENU

          Refers to the Start Menu folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_PROGRAMS

          Refers to the Programs folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_STARTUP

          Refers to the Startup folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_TEMPLATES

          Refers to the Templates folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_QUICKLAUNCH

          Refers to the Quick Launch folder inside %DEFAULTUSERPROFILE%.

          CSIDL_FONTS

          A virtual folder containing fonts. A typical path is C:\Windows\Fonts.

          CSIDL_PROGRAM_FILESX86

          The Program Files folder on 64-bit systems. A typical path is C:\Program Files(86).

          CSIDL_PROGRAM_FILES_COMMONX86

          A folder for components that are shared across applications on 64-bit systems. A typical path is C:\Program Files(86)\Common.

          CSIDL_PROGRAM_FILES

          The Program Files folder. A typical path is C:\Program Files.

          CSIDL_PROGRAM_FILES_COMMON

          A folder for components that are shared across applications. A typical path is C:\Program Files\Common.

          CSIDL_RESOURCES

          The file-system directory that contains resource data. A typical path is C:\Windows\Resources.

          CSIDL_SYSTEM

          The Windows System folder. A typical path is C:\Windows\System32.

          CSIDL_WINDOWS

          The Windows directory or system root. This corresponds to the %WINDIR% or %SYSTEMROOT% environment variables. A typical path is C:\Windows.

          DEFAULTUSERPROFILE

          Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList [DefaultUserProfile].

          PROFILESFOLDER

          Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList [ProfilesDirectory].

          PROGRAMFILES

          Same as CSIDL_PROGRAM_FILES.

          PROGRAMFILES(X86)

          Refers to the C:\Program Files (x86) folder on 64-bit systems.

          SYSTEM

          Refers to %WINDIR%\system32.

          SYSTEM16

          Refers to %WINDIR%\system.

          SYSTEM32

          Refers to %WINDIR%\system32.

          SYSTEMPROFILE

          Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18 [ProfileImagePath].

          SYSTEMROOT

          Refers to the root of the system drive.

          WINDIR

          Refers to the Windows folder located on the system drive.

          - -  - -## Variables that are recognized only in the user context - - -You can use these variables in the .xml files within sections with `context=User` and `context=UserAndSystem`. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          VariableExplanation

          APPDATA

          Same as CSIDL_APPDATA.

          CSIDL_ADMINTOOLS

          The file-system directory that is used to store administrative tools for an individual user. The Microsoft® Management Console (MMC) saves customized consoles to this directory, which roams with the user profile.

          CSIDL_ALTSTARTUP

          The file-system directory that corresponds to the user's non-localized Startup program group.

          CSIDL_APPDATA

          The file-system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\username\Application Data or C:\Users\username\AppData\Roaming.

          CSIDL_BITBUCKET

          The virtual folder that contains the objects in the user's Recycle Bin.

          CSIDL_CDBURN_AREA

          The file-system directory acting as a staging area for files waiting to be written to CD. A typical path is C:\Users\username\AppData\Local\Microsoft\Windows\MasteredBurning\Disc Burning.

          CSIDL_CONNECTIONS

          The virtual folder representing Network Connections that contains network and dial-up connections.

          CSIDL_CONTACTS

          This refers to the Contacts folder in %CSIDL_PROFILE%.

          CSIDL_CONTROLS

          The virtual folder that contains icons for the Control Panel items.

          CSIDL_COOKIES

          The file-system directory that serves as a common repository for Internet cookies. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies.

          CSIDL_DESKTOP

          The virtual folder representing the Windows desktop.

          CSIDL_DESKTOPDIRECTORY

          The file-system directory used to physically store file objects on the desktop, which should not be confused with the desktop folder itself. A typical path is C:\Users\username\Desktop.

          CSIDL_DRIVES

          The virtual folder representing My Computer that contains everything on the local computer: storage devices, printers, and Control Panel. The folder may also contain mapped network drives.

          CSIDL_FAVORITES

          The file-system directory that serves as a common repository for the user's favorites. A typical path is C:\Users\Username\Favorites.

          CSIDL_HISTORY

          The file-system directory that serves as a common repository for Internet history items.

          CSIDL_INTERNET

          A virtual folder for Internet Explorer.

          CSIDL_INTERNET_CACHE

          The file-system directory that serves as a common repository for temporary Internet files. A typical path is C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files

          CSIDL_LOCAL_APPDATA

          The file-system directory that serves as a data repository for local, non-roaming applications. A typical path is C:\Users\username\AppData\Local.

          CSIDL_MYDOCUMENTS

          The virtual folder representing My Documents.A typical path is C:\Users\Username\Documents.

          CSIDL_MYMUSIC

          The file-system directory that serves as a common repository for music files. A typical path is C:\Users\Username\Music.

          CSIDL_MYPICTURES

          The file-system directory that serves as a common repository for image files. A typical path is C:\Users\Username\Pictures.

          CSIDL_MYVIDEO

          The file-system directory that serves as a common repository for video files. A typical path is C:\Users\Username\Videos.

          CSIDL_NETHOOD

          A file-system directory that contains the link objects that may exist in the My Network Places virtual folder. It is not the same as CSIDL_NETWORK, which represents the network namespace root. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Network Shortcuts.

          CSIDL_NETWORK

          A virtual folder representing My Network Places, the root of the network namespace hierarchy.

          CSIDL_PERSONAL

          The virtual folder representing the My Documents desktop item. This is equivalent to CSIDL_MYDOCUMENTS.

          -

          A typical path is C:\Documents and Settings\username\My Documents.

          CSIDL_PLAYLISTS

          The virtual folder used to store play albums, typically C:\Users\username\My Music\Playlists.

          CSIDL_PRINTERS

          The virtual folder that contains installed printers.

          CSIDL_PRINTHOOD

          The file-system directory that contains the link objects that can exist in the Printers virtual folder. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Printer Shortcuts.

          CSIDL_PROFILE

          The user's profile folder. A typical path is C:\Users\Username.

          CSIDL_PROGRAMS

          The file-system directory that contains the user's program groups, which are themselves file-system directories. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs.

          CSIDL_RECENT

          The file-system directory that contains shortcuts to the user's most recently used documents. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Recent.

          CSIDL_SENDTO

          The file-system directory that contains Send To menu items. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\SendTo.

          CSIDL_STARTMENU

          The file-system directory that contains Start menu items. A typical path in Windows XP is C:\Documents and Settings\username\Start Menu. A typical path in Windows Vista, Windows 7, or Windows 8 is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu.

          CSIDL_STARTUP

          The file-system directory that corresponds to the user's Startup program group. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.

          CSIDL_TEMPLATES

          The file-system directory that serves as a common repository for document templates. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Templates.

          HOMEPATH

          Same as the standard environment variable.

          TEMP

          The temporary folder on the computer. A typical path is %USERPROFILE%\AppData\Local\Temp.

          TMP

          The temporary folder on the computer. A typical path is %USERPROFILE%\AppData\Local\Temp.

          USERPROFILE

          Same as CSIDL_PROFILE.

          USERSID

          Represents the current user-account security identifier (SID). For example,

          -

          S-1-5-21-1714567821-1326601894-715345443-1026.

          - -  - -## Related topics - - -[USMT XML Reference](usmt-xml-reference.md) - -  - -  - - - - - +--- +title: Recognized Environment Variables (Windows 10) +description: Recognized Environment Variables +ms.assetid: 2b0ac412-e131-456e-8f0c-c26249b5f3df +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Recognized Environment Variables + + +When using the XML files MigDocs.xml, MigApp.xml, and MigUser.xml, you can use environment variables to identify folders that may be different on different computers. Constant special item ID list (CSIDL) values provide a way to identify folders that applications use frequently but may not have the same name or location on any given computer. For example, the documents folder may be C:\\Users\\<Username>\\My Documents on one computer and C:\\Documents and Settings on another. You can use the asterisk (\*) wildcard character in MigUser.xml, MigApp.xml and MigDoc.xml files. However, you cannot use the asterisk (\*) wildcard characters in the Config.xml file. + +## In This Topic + + +- [Variables that are processed for the operating system and in the context of each user](#bkmk-1) + +- [Variables that are recognized only in the user context](#bkmk-2) + +## Variables that are processed for the operating system and in the context of each user + + +You can use these variables within sections in the .xml files with `context=UserAndSystem`, `context=User`, and `context=System`. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          VariableExplanation

          ALLUSERSAPPDATA

          Same as CSIDL_COMMON_APPDATA.

          ALLUSERSPROFILE

          Refers to %PROFILESFOLDER%\Public or %PROFILESFOLDER%\all users.

          COMMONPROGRAMFILES

          Same as CSIDL_PROGRAM_FILES_COMMON.

          COMMONPROGRAMFILES(X86)

          Refers to the C:\Program Files (x86)\Common Files folder on 64-bit systems.

          CSIDL_COMMON_ADMINTOOLS

          Version 10.0. The file-system directory that contains administrative tools for all users of the computer.

          CSIDL_COMMON_ALTSTARTUP

          The file-system directory that corresponds to the non-localized Startup program group for all users.

          CSIDL_COMMON_APPDATA

          The file-system directory that contains application data for all users. A typical path Windows is C:\ProgramData.

          CSIDL_COMMON_DESKTOPDIRECTORY

          The file-system directory that contains files and folders that appear on the desktop for all users. A typical Windows® XP path is C:\Documents and Settings\All Users\Desktop. A typical path is C:\Users\Public\Desktop.

          CSIDL_COMMON_DOCUMENTS

          The file-system directory that contains documents that are common to all users. A typical path in Windows XP is C:\Documents and Settings\All Users\Documents. A typical path is C:\Users\Public\Documents.

          CSIDL_COMMON_FAVORITES

          The file-system directory that serves as a common repository for favorites common to all users. A typical path is C:\Users\Public\Favorites.

          CSIDL_COMMON_MUSIC

          The file-system directory that serves as a repository for music files common to all users. A typical path is C:\Users\Public\Music.

          CSIDL_COMMON_PICTURES

          The file-system directory that serves as a repository for image files common to all users. A typical path is C:\Users\Public\Pictures.

          CSIDL_COMMON_PROGRAMS

          The file-system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\ProgramData\Microsoft\Windows\Start Menu\Programs.

          CSIDL_COMMON_STARTMENU

          The file-system directory that contains the programs and folders which appear on the Start menu for all users. A typical path in Windows is C:\ProgramData\Microsoft\Windows\Start Menu.

          CSIDL_COMMON_STARTUP

          The file-system directory that contains the programs that appear in the Startup folder for all users. A typical path in Windows XP is C:\Documents and Settings\All Users\Start Menu\Programs\Startup. A typical path is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup.

          CSIDL_COMMON_TEMPLATES

          The file-system directory that contains the templates that are available to all users. A typical path is C:\ProgramData\Microsoft\Windows\Templates.

          CSIDL_COMMON_VIDEO

          The file-system directory that serves as a repository for video files common to all users. A typical path is C:\Users\Public\Videos.

          CSIDL_DEFAULT_APPDATA

          Refers to the Appdata folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_LOCAL_APPDATA

          Refers to the local Appdata folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_COOKIES

          Refers to the Cookies folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_CONTACTS

          Refers to the Contacts folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_DESKTOP

          Refers to the Desktop folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_DOWNLOADS

          Refers to the Downloads folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_FAVORITES

          Refers to the Favorites folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_HISTORY

          Refers to the History folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_INTERNET_CACHE

          Refers to the Internet Cache folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_PERSONAL

          Refers to the Personal folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_MYDOCUMENTS

          Refers to the My Documents folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_MYPICTURES

          Refers to the My Pictures folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_MYMUSIC

          Refers to the My Music folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_MYVIDEO

          Refers to the My Videos folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_RECENT

          Refers to the Recent folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_SENDTO

          Refers to the Send To folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_STARTMENU

          Refers to the Start Menu folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_PROGRAMS

          Refers to the Programs folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_STARTUP

          Refers to the Startup folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_TEMPLATES

          Refers to the Templates folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_QUICKLAUNCH

          Refers to the Quick Launch folder inside %DEFAULTUSERPROFILE%.

          CSIDL_FONTS

          A virtual folder containing fonts. A typical path is C:\Windows\Fonts.

          CSIDL_PROGRAM_FILESX86

          The Program Files folder on 64-bit systems. A typical path is C:\Program Files(86).

          CSIDL_PROGRAM_FILES_COMMONX86

          A folder for components that are shared across applications on 64-bit systems. A typical path is C:\Program Files(86)\Common.

          CSIDL_PROGRAM_FILES

          The Program Files folder. A typical path is C:\Program Files.

          CSIDL_PROGRAM_FILES_COMMON

          A folder for components that are shared across applications. A typical path is C:\Program Files\Common.

          CSIDL_RESOURCES

          The file-system directory that contains resource data. A typical path is C:\Windows\Resources.

          CSIDL_SYSTEM

          The Windows System folder. A typical path is C:\Windows\System32.

          CSIDL_WINDOWS

          The Windows directory or system root. This corresponds to the %WINDIR% or %SYSTEMROOT% environment variables. A typical path is C:\Windows.

          DEFAULTUSERPROFILE

          Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList [DefaultUserProfile].

          PROFILESFOLDER

          Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList [ProfilesDirectory].

          PROGRAMFILES

          Same as CSIDL_PROGRAM_FILES.

          PROGRAMFILES(X86)

          Refers to the C:\Program Files (x86) folder on 64-bit systems.

          SYSTEM

          Refers to %WINDIR%\system32.

          SYSTEM16

          Refers to %WINDIR%\system.

          SYSTEM32

          Refers to %WINDIR%\system32.

          SYSTEMPROFILE

          Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18 [ProfileImagePath].

          SYSTEMROOT

          Refers to the root of the system drive.

          WINDIR

          Refers to the Windows folder located on the system drive.

          + +  + +## Variables that are recognized only in the user context + + +You can use these variables in the .xml files within sections with `context=User` and `context=UserAndSystem`. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          VariableExplanation

          APPDATA

          Same as CSIDL_APPDATA.

          CSIDL_ADMINTOOLS

          The file-system directory that is used to store administrative tools for an individual user. The Microsoft® Management Console (MMC) saves customized consoles to this directory, which roams with the user profile.

          CSIDL_ALTSTARTUP

          The file-system directory that corresponds to the user's non-localized Startup program group.

          CSIDL_APPDATA

          The file-system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\username\Application Data or C:\Users\username\AppData\Roaming.

          CSIDL_BITBUCKET

          The virtual folder that contains the objects in the user's Recycle Bin.

          CSIDL_CDBURN_AREA

          The file-system directory acting as a staging area for files waiting to be written to CD. A typical path is C:\Users\username\AppData\Local\Microsoft\Windows\MasteredBurning\Disc Burning.

          CSIDL_CONNECTIONS

          The virtual folder representing Network Connections that contains network and dial-up connections.

          CSIDL_CONTACTS

          This refers to the Contacts folder in %CSIDL_PROFILE%.

          CSIDL_CONTROLS

          The virtual folder that contains icons for the Control Panel items.

          CSIDL_COOKIES

          The file-system directory that serves as a common repository for Internet cookies. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies.

          CSIDL_DESKTOP

          The virtual folder representing the Windows desktop.

          CSIDL_DESKTOPDIRECTORY

          The file-system directory used to physically store file objects on the desktop, which should not be confused with the desktop folder itself. A typical path is C:\Users\username\Desktop.

          CSIDL_DRIVES

          The virtual folder representing My Computer that contains everything on the local computer: storage devices, printers, and Control Panel. The folder may also contain mapped network drives.

          CSIDL_FAVORITES

          The file-system directory that serves as a common repository for the user's favorites. A typical path is C:\Users\Username\Favorites.

          CSIDL_HISTORY

          The file-system directory that serves as a common repository for Internet history items.

          CSIDL_INTERNET

          A virtual folder for Internet Explorer.

          CSIDL_INTERNET_CACHE

          The file-system directory that serves as a common repository for temporary Internet files. A typical path is C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files

          CSIDL_LOCAL_APPDATA

          The file-system directory that serves as a data repository for local, non-roaming applications. A typical path is C:\Users\username\AppData\Local.

          CSIDL_MYDOCUMENTS

          The virtual folder representing My Documents.A typical path is C:\Users\Username\Documents.

          CSIDL_MYMUSIC

          The file-system directory that serves as a common repository for music files. A typical path is C:\Users\Username\Music.

          CSIDL_MYPICTURES

          The file-system directory that serves as a common repository for image files. A typical path is C:\Users\Username\Pictures.

          CSIDL_MYVIDEO

          The file-system directory that serves as a common repository for video files. A typical path is C:\Users\Username\Videos.

          CSIDL_NETHOOD

          A file-system directory that contains the link objects that may exist in the My Network Places virtual folder. It is not the same as CSIDL_NETWORK, which represents the network namespace root. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Network Shortcuts.

          CSIDL_NETWORK

          A virtual folder representing My Network Places, the root of the network namespace hierarchy.

          CSIDL_PERSONAL

          The virtual folder representing the My Documents desktop item. This is equivalent to CSIDL_MYDOCUMENTS.

          +

          A typical path is C:\Documents and Settings\username\My Documents.

          CSIDL_PLAYLISTS

          The virtual folder used to store play albums, typically C:\Users\username\My Music\Playlists.

          CSIDL_PRINTERS

          The virtual folder that contains installed printers.

          CSIDL_PRINTHOOD

          The file-system directory that contains the link objects that can exist in the Printers virtual folder. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Printer Shortcuts.

          CSIDL_PROFILE

          The user's profile folder. A typical path is C:\Users\Username.

          CSIDL_PROGRAMS

          The file-system directory that contains the user's program groups, which are themselves file-system directories. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs.

          CSIDL_RECENT

          The file-system directory that contains shortcuts to the user's most recently used documents. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Recent.

          CSIDL_SENDTO

          The file-system directory that contains Send To menu items. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\SendTo.

          CSIDL_STARTMENU

          The file-system directory that contains Start menu items. A typical path in Windows XP is C:\Documents and Settings\username\Start Menu. A typical path in Windows Vista, Windows 7, or Windows 8 is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu.

          CSIDL_STARTUP

          The file-system directory that corresponds to the user's Startup program group. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.

          CSIDL_TEMPLATES

          The file-system directory that serves as a common repository for document templates. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Templates.

          HOMEPATH

          Same as the standard environment variable.

          TEMP

          The temporary folder on the computer. A typical path is %USERPROFILE%\AppData\Local\Temp.

          TMP

          The temporary folder on the computer. A typical path is %USERPROFILE%\AppData\Local\Temp.

          USERPROFILE

          Same as CSIDL_PROFILE.

          USERSID

          Represents the current user-account security identifier (SID). For example,

          +

          S-1-5-21-1714567821-1326601894-715345443-1026.

          + +  + +## Related topics + + +[USMT XML Reference](usmt-xml-reference.md) + +  + +  + + + + + diff --git a/windows/deployment/usmt/usmt-reference.md b/windows/deployment/usmt/usmt-reference.md index 2ab5b4c6c7..c5bcd4193c 100644 --- a/windows/deployment/usmt/usmt-reference.md +++ b/windows/deployment/usmt/usmt-reference.md @@ -1,77 +1,77 @@ ---- -title: User State Migration Toolkit (USMT) Reference (Windows 10) -description: User State Migration Toolkit (USMT) Reference -ms.assetid: 2135dbcf-de49-4cea-b2fb-97dd016e1a1a -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# User State Migration Toolkit (USMT) Reference - - -## In This Section - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          USMT Requirements

          Describes operating system, hardware, and software requirements, and user prerequisites.

          USMT Best Practices

          Discusses general and security-related best practices when using USMT.

          How USMT Works

          Learn about the processes behind the ScanState and LoadState tools.

          Plan Your Migration

          Choose what to migrate and the best migration scenario for your enterprise.

          User State Migration Tool (USMT) Command-line Syntax

          Explore command-line options for the ScanState, LoadState, and UsmtUtils tools.

          USMT XML Reference

          Learn about customizing a migration with XML files.

          Offline Migration Reference

          Find requirements, best practices, and other considerations for performing a migration offline.

          - - - -## Related topics - - -[User State Migration Tool (USMT) Overview Topics](usmt-topics.md) - -[User State Migration Tool (USMT) How-to topics](usmt-how-to.md) - -[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) - - - - - - - - - +--- +title: User State Migration Toolkit (USMT) Reference (Windows 10) +description: User State Migration Toolkit (USMT) Reference +ms.assetid: 2135dbcf-de49-4cea-b2fb-97dd016e1a1a +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# User State Migration Toolkit (USMT) Reference + + +## In This Section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

          USMT Requirements

          Describes operating system, hardware, and software requirements, and user prerequisites.

          USMT Best Practices

          Discusses general and security-related best practices when using USMT.

          How USMT Works

          Learn about the processes behind the ScanState and LoadState tools.

          Plan Your Migration

          Choose what to migrate and the best migration scenario for your enterprise.

          User State Migration Tool (USMT) Command-line Syntax

          Explore command-line options for the ScanState, LoadState, and UsmtUtils tools.

          USMT XML Reference

          Learn about customizing a migration with XML files.

          Offline Migration Reference

          Find requirements, best practices, and other considerations for performing a migration offline.

          + + + +## Related topics + + +[User State Migration Tool (USMT) Overview Topics](usmt-topics.md) + +[User State Migration Tool (USMT) How-to topics](usmt-how-to.md) + +[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-requirements.md b/windows/deployment/usmt/usmt-requirements.md index 20590672c3..45af228e40 100644 --- a/windows/deployment/usmt/usmt-requirements.md +++ b/windows/deployment/usmt/usmt-requirements.md @@ -1,161 +1,161 @@ ---- -title: USMT Requirements (Windows 10) -description: USMT Requirements -ms.assetid: 2b0cf3a3-9032-433f-9622-1f9df59d6806 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 05/03/2017 -ms.topic: article ---- - -# USMT Requirements - - -## In This Topic - - -- [Supported Operating Systems](#bkmk-1) -- [Windows PE](#windows-pe) -- [Credentials](#credentials) -- [Config.xml](#configxml) -- [LoadState](#loadstate) -- [Hard Disk Requirements](#bkmk-3) -- [User Prerequisites](#bkmk-userprereqs) - -## Supported Operating Systems - - -The User State Migration Tool (USMT) 10.0 does not have any explicit RAM or CPU speed requirements for either the source or destination computers. If your computer complies with the system requirements of the operating system, it also complies with the requirements for USMT. You need an intermediate store location large enough to hold all of the migrated data and settings, and the same amount of hard disk space on the destination computer for the migrated files and settings. - -The following table lists the operating systems supported in USMT. - - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Operating SystemsScanState (source computer)LoadState (destination computer)

          32-bit versions of Windows 7

          X

          X

          64-bit versions of Windows 7

          X

          X

          32-bit versions of Windows 8

          X

          X

          64-bit versions of Windows 8

          X

          X

          32-bit versions of Windows 10

          X

          X

          64-bit versions of Windows 10

          X

          X

          - - - -**Note**   -You can migrate a 32-bit operating system to a 64-bit operating system. However, you cannot migrate a 64-bit operating system to a 32-bit operating system. - -USMT does not support any of the Windows Server® operating systems, Windows 2000, Windows XP, or any of the starter editions for Windows Vista or Windows 7. - -USMT for Windows 10 should not be used for migrating from Windows 7 to Windows 8.1. It is meant to migrate to Windows 10. -For more information about previous releases of the USMT tools, see [User State Migration Tool (USMT) 4.0 User’s Guide](https://go.microsoft.com/fwlink/p/?LinkId=246564).  - -## Windows PE - -- **Must use latest version of Window PE.** For example, to migrate to Windows 10, you'll need Windows PE 5.1. For more info, see [What's New in Windows PE](https://msdn.microsoft.com/library/windows/hardware/dn938350.aspx). - -## Credentials - -- **Run as administrator** - When manually running the **ScanState** and **LoadState** tools on Windows 7, Windows 8 or Windows 10 you must run them from an elevated command prompt to ensure that all specified users are migrated. If you do not run USMT from an elevated prompt, only the user profile that is logged on will be included in the migration. - -To open an elevated command prompt: - -1. Click **Start**. -2. Enter **cmd** in the search function. -3. Depending on the OS you are using, **cmd** or **Command Prompt** is displayed. -3. Right-click **cmd** or **Command Prompt**, and then click **Run as administrator**. -4. If the current user is not already an administrator, you will be prompted to enter administrator credentials. - -**Important**
          -You must run USMT using an account with full administrative permissions, including the following privileges: - -- SeBackupPrivilege (Back up files and directories) -- SeDebugPrivilege (Debug programs) -- SeRestorePrivilege (Restore files and directories) -- SeSecurityPrivilege (Manage auditing and security log) -- SeTakeOwnership Privilege (Take ownership of files or other objects) - - -## Config.xml - -- **Specify the /c option and <ErrorControl> settings in the Config.xml file.**
          - USMT will fail if it cannot migrate a file or setting, unless you specify the **/c** option. When you specify the **/c** option, USMT logs an error each time it encounters a file that is in use that did not migrate, but the migration will not be interrupted. In USMT, you can specify in the Config.xml file which types of errors should allow the migration to continue, and which should cause the migration to fail. For more information about error reporting, and the **<ErrorControl>** element, see [Config.xml File](usmt-configxml-file.md), [Log Files](usmt-log-files.md), and [XML Elements Library](usmt-xml-elements-library.md). - -## LoadState - -- **Install applications before running the LoadState command.**
          - Install all applications on the destination computer before restoring the user state. This ensures that migrated settings are preserved. - -## Hard-Disk Requirements - - -Ensure that there is enough available space in the migration-store location and on the source and destination computers. For more information, see [Estimate Migration Store Size](usmt-estimate-migration-store-size.md). - -## User Prerequisites - - -This documentation assumes that IT professionals using USMT understand command-line tools. The documentation also assumes that IT professionals using USMT to author MigXML rules understand the following: - -- The navigation and hierarchy of the Windows registry. -- The files and file types that applications use. -- The methods to extract application and setting information manually from applications created by internal software-development groups and non-Microsoft software vendors. -- XML-authoring basics. - -## Related topics - - -[Plan Your Migration](usmt-plan-your-migration.md)
          -[Estimate Migration Store Size](usmt-estimate-migration-store-size.md)
          -[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
          - - - - - - - - - +--- +title: USMT Requirements (Windows 10) +description: USMT Requirements +ms.assetid: 2b0cf3a3-9032-433f-9622-1f9df59d6806 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 05/03/2017 +ms.topic: article +--- + +# USMT Requirements + + +## In This Topic + + +- [Supported Operating Systems](#bkmk-1) +- [Windows PE](#windows-pe) +- [Credentials](#credentials) +- [Config.xml](#configxml) +- [LoadState](#loadstate) +- [Hard Disk Requirements](#bkmk-3) +- [User Prerequisites](#bkmk-userprereqs) + +## Supported Operating Systems + + +The User State Migration Tool (USMT) 10.0 does not have any explicit RAM or CPU speed requirements for either the source or destination computers. If your computer complies with the system requirements of the operating system, it also complies with the requirements for USMT. You need an intermediate store location large enough to hold all of the migrated data and settings, and the same amount of hard disk space on the destination computer for the migrated files and settings. + +The following table lists the operating systems supported in USMT. + + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Operating SystemsScanState (source computer)LoadState (destination computer)

          32-bit versions of Windows 7

          X

          X

          64-bit versions of Windows 7

          X

          X

          32-bit versions of Windows 8

          X

          X

          64-bit versions of Windows 8

          X

          X

          32-bit versions of Windows 10

          X

          X

          64-bit versions of Windows 10

          X

          X

          + + + +**Note**   +You can migrate a 32-bit operating system to a 64-bit operating system. However, you cannot migrate a 64-bit operating system to a 32-bit operating system. + +USMT does not support any of the Windows Server® operating systems, Windows 2000, Windows XP, or any of the starter editions for Windows Vista or Windows 7. + +USMT for Windows 10 should not be used for migrating from Windows 7 to Windows 8.1. It is meant to migrate to Windows 10. +For more information about previous releases of the USMT tools, see [User State Migration Tool (USMT) 4.0 User’s Guide](https://go.microsoft.com/fwlink/p/?LinkId=246564).  + +## Windows PE + +- **Must use latest version of Window PE.** For example, to migrate to Windows 10, you'll need Windows PE 5.1. For more info, see [What's New in Windows PE](https://msdn.microsoft.com/library/windows/hardware/dn938350.aspx). + +## Credentials + +- **Run as administrator** + When manually running the **ScanState** and **LoadState** tools on Windows 7, Windows 8 or Windows 10 you must run them from an elevated command prompt to ensure that all specified users are migrated. If you do not run USMT from an elevated prompt, only the user profile that is logged on will be included in the migration. + +To open an elevated command prompt: + +1. Click **Start**. +2. Enter **cmd** in the search function. +3. Depending on the OS you are using, **cmd** or **Command Prompt** is displayed. +3. Right-click **cmd** or **Command Prompt**, and then click **Run as administrator**. +4. If the current user is not already an administrator, you will be prompted to enter administrator credentials. + +**Important**
          +You must run USMT using an account with full administrative permissions, including the following privileges: + +- SeBackupPrivilege (Back up files and directories) +- SeDebugPrivilege (Debug programs) +- SeRestorePrivilege (Restore files and directories) +- SeSecurityPrivilege (Manage auditing and security log) +- SeTakeOwnership Privilege (Take ownership of files or other objects) + + +## Config.xml + +- **Specify the /c option and <ErrorControl> settings in the Config.xml file.**
          + USMT will fail if it cannot migrate a file or setting, unless you specify the **/c** option. When you specify the **/c** option, USMT logs an error each time it encounters a file that is in use that did not migrate, but the migration will not be interrupted. In USMT, you can specify in the Config.xml file which types of errors should allow the migration to continue, and which should cause the migration to fail. For more information about error reporting, and the **<ErrorControl>** element, see [Config.xml File](usmt-configxml-file.md), [Log Files](usmt-log-files.md), and [XML Elements Library](usmt-xml-elements-library.md). + +## LoadState + +- **Install applications before running the LoadState command.**
          + Install all applications on the destination computer before restoring the user state. This ensures that migrated settings are preserved. + +## Hard-Disk Requirements + + +Ensure that there is enough available space in the migration-store location and on the source and destination computers. For more information, see [Estimate Migration Store Size](usmt-estimate-migration-store-size.md). + +## User Prerequisites + + +This documentation assumes that IT professionals using USMT understand command-line tools. The documentation also assumes that IT professionals using USMT to author MigXML rules understand the following: + +- The navigation and hierarchy of the Windows registry. +- The files and file types that applications use. +- The methods to extract application and setting information manually from applications created by internal software-development groups and non-Microsoft software vendors. +- XML-authoring basics. + +## Related topics + + +[Plan Your Migration](usmt-plan-your-migration.md)
          +[Estimate Migration Store Size](usmt-estimate-migration-store-size.md)
          +[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
          + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-reroute-files-and-settings.md b/windows/deployment/usmt/usmt-reroute-files-and-settings.md index ea0c442a2a..22f64e513e 100644 --- a/windows/deployment/usmt/usmt-reroute-files-and-settings.md +++ b/windows/deployment/usmt/usmt-reroute-files-and-settings.md @@ -8,6 +8,7 @@ ms.author: greglin ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.date: 04/19/2017 ms.topic: article @@ -31,7 +32,7 @@ In this topic: The following custom .xml file migrates the directories and files from C:\\EngineeringDrafts into the My Documents folder of every user. %CSIDL\_PERSONAL% is the virtual folder representing the My Documents desktop item, which is equivalent to CSIDL\_MYDOCUMENTS. -```xml +``` xml Engineering Drafts Documents to Personal Folder @@ -60,7 +61,7 @@ The following custom .xml file migrates the directories and files from C:\\Engin The following custom .xml file reroutes .mp3 files located in the fixed drives on the source computer into the C:\\Music folder on the destination computer. -```xml +``` xml All .mp3 files to My Documents @@ -88,7 +89,7 @@ The following custom .xml file reroutes .mp3 files located in the fixed drives o The following custom .xml file migrates the Sample.doc file from C:\\EngineeringDrafts into the My Documents folder of every user. %CSIDL\_PERSONAL% is the virtual folder representing the My Documents desktop item, which is equivalent to CSIDL\_MYDOCUMENTS. -```xml +``` xml Sample.doc into My Documents diff --git a/windows/deployment/usmt/usmt-resources.md b/windows/deployment/usmt/usmt-resources.md index 32ed639508..eaaa49a5d4 100644 --- a/windows/deployment/usmt/usmt-resources.md +++ b/windows/deployment/usmt/usmt-resources.md @@ -1,50 +1,50 @@ ---- -title: USMT Resources (Windows 10) -description: USMT Resources -ms.assetid: a0b266c7-4bcb-49f1-b63c-48c6ace86b43 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# USMT Resources - - -## USMT Online Resources - - -- [ADK Release Notes](https://msdn.microsoft.com/library/windows/hardware/dn927348.aspx) - -- Microsoft Visual Studio - - - You can use the User State Migration Tool (USMT) XML schema (the MigXML.xsd file) to validate the migration .xml files using an XML authoring tool such as Microsoft® Visual Studio®. - - For more information about how to use the schema with your XML authoring environment, see the environment’s documentation. - -- [Ask the Directory Services Team blog](https://go.microsoft.com/fwlink/p/?LinkId=226365) - -- Forums: - - - [Microsoft Deployment Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=226386) - - - [Configuration Manager Operating System Deployment](https://go.microsoft.com/fwlink/p/?LinkId=226388) - -## Related topics - - -[User State Migration Tool (USMT) Overview Topics](usmt-topics.md) - -  - -  - - - - - +--- +title: USMT Resources (Windows 10) +description: USMT Resources +ms.assetid: a0b266c7-4bcb-49f1-b63c-48c6ace86b43 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# USMT Resources + + +## USMT Online Resources + + +- [ADK Release Notes](https://msdn.microsoft.com/library/windows/hardware/dn927348.aspx) + +- Microsoft Visual Studio + + - You can use the User State Migration Tool (USMT) XML schema (the MigXML.xsd file) to validate the migration .xml files using an XML authoring tool such as Microsoft® Visual Studio®. + + For more information about how to use the schema with your XML authoring environment, see the environment’s documentation. + +- [Ask the Directory Services Team blog](https://go.microsoft.com/fwlink/p/?LinkId=226365) + +- Forums: + + - [Microsoft Deployment Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=226386) + + - [Configuration Manager Operating System Deployment](https://go.microsoft.com/fwlink/p/?LinkId=226388) + +## Related topics + + +[User State Migration Tool (USMT) Overview Topics](usmt-topics.md) + +  + +  + + + + + diff --git a/windows/deployment/usmt/usmt-return-codes.md b/windows/deployment/usmt/usmt-return-codes.md index 18d223385b..c137197a5c 100644 --- a/windows/deployment/usmt/usmt-return-codes.md +++ b/windows/deployment/usmt/usmt-return-codes.md @@ -1,786 +1,786 @@ ---- -title: Return Codes (Windows 10) -description: Return Codes -ms.assetid: e71bbc6b-d5a6-4e48-ad01-af0012b35f22 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Return Codes - - -This topic describes User State Migration Tool (USMT) 10.0 return codes and error messages. Also included is a table listing the USMT return codes with their associated mitigation steps. In addition, this topic provides tips to help you use the logfiles to determine why you received an error. - -Understanding the requirements for running USMT can help minimize errors in your USMT migrations. For more information, see [USMT Requirements](usmt-requirements.md). - -## In This Topic - - -[USMT Return Codes](#bkmk-returncodes) - -[USMT Error Messages](#bkmk-errormessages) - -[Troubleshooting Return Codes and Error Messages](#bkmk-tscodeserrors) - -## USMT Return Codes - - -If you encounter an error in your USMT migration, you can use return codes and the more specific information provided in the associated USMT error messages to troubleshoot the issue and to identify mitigation steps. - -Return codes are grouped into the following broad categories that describe their area of error reporting: - -Success or User Cancel - -Invalid Command Lines - -Setup and Initialization - -Non-fatal Errors - -Fatal Errors - -As a best practice, we recommend that you set verbosity level to 5, **/v**:5, on the **ScanState**, **LoadState**, and **USMTUtils** command lines so that the most detailed reporting is available in the respective USMT logs. You can use a higher verbosity level if you want the log files output to go to a debugger. - -## USMT Error Messages - - -Error messages provide more detailed information about the migration problem than the associated return code. For example, the **ScanState**, **LoadState**, or **USMTUtils** tool might return a code of "11” (for “USMT\_INVALID\_PARAMETERS") and a related error message that reads "/key and /keyfile both specified". The error message is displayed at the command prompt and is identified in the **ScanState**, **LoadState**, or **USMTUtils** log files to help you determine why the return code was received. - -You can obtain more information about any listed Windows application programming interface (API) system error codes by typing **net helpmsg** on the command line and, then typing the error code number. For more information about System Error Codes, see [this Microsoft Web site](https://go.microsoft.com/fwlink/p/?LinkId=147060). - -## Troubleshooting Return Codes and Error Messages - - -The following table lists each return code by numeric value, along with the associated error messages and suggested troubleshooting actions. - - ------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Return code valueReturn codeError messageTroubleshooting, mitigation, workaroundsCategory

          0

          USMT_SUCCESS

          Successful run

          Not applicable

          Success or Cancel

          1

          USMT_DISPLAY_HELP

          Command line help requested

          Not applicable

          Success or Cancel

          2

          USMT_STATUS_CANCELED

          Gather was aborted because of an EFS file

          Not applicable

          User chose to cancel (such as pressing CTRL+C)

          Not applicable

          Success or Cancel

          3

          USMT_WOULD_HAVE_FAILED

          At least one error was skipped as a result of /c

          Review ScanState, LoadState, or UsmtUtils log for details about command-line errors.

          11

          USMT_INVALID_PARAMETERS

          /all conflicts with /ui, /ue or /uel

          Review ScanState log or LoadState log for details about command-line errors.

          /auto expects an optional parameter for the script folder

          Review ScanState log or LoadState log for details about command-line errors.

          /encrypt can't be used with /nocompress

          Review ScanState log or LoadState log for details about command-line errors.

          /encrypt requires /key or /keyfile

          Review ScanState log or LoadState log for details about command-line errors.

          /genconfig can't be used with most other options

          Review ScanState log or LoadState log for details about command-line errors.

          /genmigxml can't be used with most other options

          Review ScanState log or LoadState log for details about command-line errors.

          /hardlink requires /nocompress

          Review ScanState log or LoadState log for details about command-line errors.

          /key and /keyfile both specified

          Review ScanState log or LoadState log for details about command-line errors.

          /key or /keyfile used without enabling encryption

          Review ScanState log or LoadState log for details about command-line errors.

          /lae is only used with /lac

          Review ScanState log or LoadState log for details about command-line errors.

          /listfiles cannot be used with /p

          Review ScanState log or LoadState log for details about command-line errors.

          /offline requires a valid path to an XML file describing offline paths

          Review ScanState log or LoadState log for details about command-line errors.

          /offlinewindir requires a valid path to offline windows folder

          Review ScanState log or LoadState log for details about command-line errors.

          /offlinewinold requires a valid path to offline windows folder

          Review ScanState log or LoadState log for details about command-line errors.

          A command was already specified

          Verify that the command-line syntax is correct and that there are no duplicate commands.

          An option argument is missing

          Review ScanState log or LoadState log for details about command-line errors.

          An option is specified more than once and is ambiguous

          Review ScanState log or LoadState log for details about command-line errors.

          By default /auto selects all users and uses the highest log verbosity level. Switches like /all, /ui, /ue, /v are not allowed.

          Review ScanState log or LoadState log for details about command-line errors.

          Command line arguments are required. Specify /? for options.

          Review ScanState log or LoadState log for details about command-line errors.

          Command line option is not valid

          Review ScanState log or LoadState log for details about command-line errors.

          EFS parameter specified is not valid for /efs

          Review ScanState log or LoadState log for details about command-line errors.

          File argument is invalid for /genconfig

          Review ScanState log or LoadState log for details about command-line errors.

          File argument is invalid for /genmigxml

          Review ScanState log or LoadState log for details about command-line errors.

          Invalid space estimate path. Check the parameters and/or file system permissions

          Review ScanState log or LoadState log for details about command-line errors.

          List file path argument is invalid for /listfiles

          Review ScanState log or LoadState log for details about command-line errors.

          Retry argument must be an integer

          Review ScanState log or LoadState log for details about command-line errors.

          Settings store argument specified is invalid

          Review ScanState log or LoadState log for details about command-line errors. Make sure that the store path is accessible and that the proper permission levels are set.

          Specified encryption algorithm is not supported

          Review ScanState log or LoadState log for details about command-line errors.

          The /efs:hardlink requires /hardlink

          Review ScanState log or LoadState log for details about command-line errors.

          The /targetWindows7 option is only available for Windows XP, Windows Vista, and Windows 7

          Review ScanState log or LoadState log for details about command-line errors.

          The store parameter is required but not specified

          Review ScanState log or LoadState log for details about command-line errors.

          The source-to-target domain mapping is invalid for /md

          Review ScanState log or LoadState log for details about command-line errors.

          The source-to-target user account mapping is invalid for /mu

          Review ScanState log or LoadState log for details about command-line errors.

          Undefined or incomplete command line option

          Review ScanState log or LoadState log for details about command-line errors.

          Invalid Command Lines

          Use /nocompress, or provide an XML file path with /p"pathtoafile" to get a compressed store size estimate

          Review ScanState log or LoadState log for details about command-line errors.

          User exclusion argument is invalid

          Review ScanState log or LoadState log for details about command-line errors.

          Verbosity level must be specified as a sum of the desired log options: Verbose (0x01), Record Objects (0x04), Echo to debug port (0x08)

          Review ScanState log or LoadState log for details about command-line errors.

          Volume shadow copy feature is not supported with a hardlink store

          Review ScanState log or LoadState log for details about command-line errors.

          Wait delay argument must be an integer

          Review ScanState log or LoadState log for details about command-line errors.

          12

          USMT_ERROR_OPTION_PARAM_TOO_LARGE

          Command line arguments cannot exceed 256 characters

          Review ScanState log or LoadState log for details about command-line errors.

          Invalid Command Lines

          Specified settings store path exceeds the maximum allowed length of 256 characters

          Review ScanState log or LoadState log for details about command-line errors.

          13

          USMT_INIT_LOGFILE_FAILED

          Log path argument is invalid for /l

          When /l is specified in the ScanState command line, USMT validates the path. Verify that the drive and other information, for example file system characters, are correct.

          Invalid Command Lines

          14

          USMT_ERROR_USE_LAC

          Unable to create a local account because /lac was not specified

          When creating local accounts, the command-line options /lac and /lae should be used.

          Invalid Command Lines

          26

          USMT_INIT_ERROR

          Multiple Windows installations found

          Listfiles.txt could not be created. Verify that the location you specified for the creation of this file is valid.

          Setup and Initialization

          Software malfunction or unknown exception

          Check all loaded .xml files for errors, common error when using /I to load the Config.xml file.

          Unable to find a valid Windows directory to proceed with requested offline operation; Check if offline input file is present and has valid entries

          Verify that the offline input file is present and that it has valid entries. USMT could not find valid offline operating system. Verify your offline directory mapping.

          27

          USMT_INVALID_STORE_LOCATION

          A store path can't be used because an existing store exists; specify /o to overwrite

          Specify /o to overwrite an existing intermediate or migration store.

          Setup and Initialization

          A store path is missing or has incomplete data

          Make sure that the store path is accessible and that the proper permission levels are set.

          An error occurred during store creation

          Make sure that the store path is accessible and that the proper permission levels are set. Specify /o to overwrite an existing intermediate or migration store.

          An inappropriate device such as a floppy disk was specified for the store

          Make sure that the store path is accessible and that the proper permission levels are set.

          Invalid store path; check the store parameter and/or file system permissions

          Invalid store path; check the store parameter and/or file system permissions

          The file layout and/or file content is not recognized as a valid store

          Make sure that the store path is accessible and that the proper permission levels are set. Specify /o to overwrite an existing intermediate or migration store.

          The store path holds a store incompatible with the current USMT version

          Make sure that the store path is accessible and that the proper permission levels are set.

          The store save location is read-only or does not support a requested storage option

          Make sure that the store path is accessible and that the proper permission levels are set.

          28

          USMT_UNABLE_GET_SCRIPTFILES

          Script file is invalid for /i

          Check all specified migration .xml files for errors. This is a common error when using /i to load the Config.xml file.

          Setup and Initialization

          Unable to find a script file specified by /i

          Verify the location of your script files, and ensure that the command-line options are correct.

          29

          USMT_FAILED_MIGSTARTUP

          A minimum of 250 MB of free space is required for temporary files

          Verify that the system meets the minimum temporary disk space requirement of 250 MB. As a workaround, you can set the environment variable USMT_WORKING_DIR=<path> to redirect the temporary files working directory.

          Setup and Initialization

          Another process is preventing migration; only one migration tool can run at a time

          Check the ScanState log file for migration .xml file errors.

          Failed to start main processing, look in log for system errors or check the installation

          Check the ScanState log file for migration .xml file errors.

          Migration failed because of an XML error; look in the log for specific details

          Check the ScanState log file for migration .xml file errors.

          Unable to automatically map the drive letters to match the online drive letter layout; Use /offline to provide a mapping table

          Check the ScanState log file for migration .xml file errors.

          31

          USMT_UNABLE_FINDMIGUNITS

          An error occurred during the discover phase; the log should have more specific information

          Check the ScanState log file for migration .xml file errors.

          Setup and Initialization

          32

          USMT_FAILED_SETMIGRATIONTYPE

          An error occurred processing the migration system

          Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.

          Setup and Initialization

          33

          USMT_UNABLE_READKEY

          Error accessing the file specified by the /keyfile parameter

          Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.

          Setup and Initialization

          The encryption key must have at least one character

          Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.

          34

          USMT_ERROR_INSUFFICIENT_RIGHTS

          Directory removal requires elevated privileges

          Log on as Administrator, and run with elevated privileges.

          Setup and Initialization

          No rights to create user profiles; log in as Administrator; run with elevated privileges

          Log on as Administrator, and run with elevated privileges.

          No rights to read or delete user profiles; log in as Administrator, run with elevated privileges

          Log on as Administrator, and run with elevated privileges.

          35

          USMT_UNABLE_DELETE_STORE

          A reboot is required to remove the store

          Reboot to delete any files that could not be deleted when the command was executed.

          Setup and Initialization

          A store path can't be used because it contains data that could not be overwritten

          A migration store could not be deleted. If you are using a hardlink migration store you might have a locked file in it. You should manually delete the store, or use USMTUtils /rd command to delete the store.

          There was an error removing the store

          Review ScanState log or LoadState log for details about command-line errors.

          36

          USMT_ERROR_UNSUPPORTED_PLATFORM

          Compliance check failure; please check the logs for details

          Investigate whether there is an active temporary profile on the system.

          Setup and Initialization

          Use of /offline is not supported during apply

          The /offline command was not used while running in the Windows Preinstallation Environment (WinPE).

          Use /offline to run gather on this platform

          The /offline command was not used while running in WinPE.

          37

          USMT_ERROR_NO_INVALID_KEY

          The store holds encrypted data but the correct encryption key was not provided

          Verify that you have included the correct encryption /key or /keyfile.

          Setup and Initialization

          38

          USMT_ERROR_CORRUPTED_NOTENCRYPTED_STORE

          An error occurred during store access

          Review ScanState log or LoadState log for details about command-line errors. Make sure that the store path is accessible and that the proper permission levels are set.

          Setup and Initialization

          39

          USMT_UNABLE_TO_READ_CONFIG_FILE

          Error reading Config.xml

          Review ScanState log or LoadState log for details about command-line errors in the Config.xml file.

          Setup and Initialization

          File argument is invalid for /config

          Check the command line you used to load the Config.xml file. You can use online Help by typing /? on the command line.

          40

          USMT_ERROR_UNABLE_CREATE_PROGRESS_LOG

          Error writing to the progress log

          The Progress log could not be created. Verify that the location is valid and that you have write access.

          Setup and Initialization

          Progress log argument is invalid for /progress

          The Progress log could not be created. Verify that the location is valid and that you have write access.

          41

          USMT_PREFLIGHT_FILE_CREATION_FAILED

          Can't overwrite existing file

          The Progress log could not be created. Verify that the location is valid and that you have write access.

          Setup and Initialization

          Invalid space estimate path. Check the parameters and/or file system permissions

          Review ScanState log or LoadState log for details about command-line errors.

          42

          USMT_ERROR_CORRUPTED_STORE

          The store contains one or more corrupted files

          Review UsmtUtils log for details about the corrupted files. For information on how to extract the files that are not corrupted, see Extract Files from a Compressed USMT Migration Store.

          61

          USMT_MIGRATION_STOPPED_NONFATAL

          Processing stopped due to an I/O error

          USMT exited but can continue with the /c command-line option, with the optional configurable <ErrorControl> section or by using the /vsc command-line option.

          Non-fatal Errors

          71

          USMT_INIT_OPERATING_ENVIRONMENT_FAILED

          A Windows Win32 API error occurred

          Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details.

          Fatal Errors

          An error occurred when attempting to initialize the diagnostic mechanisms such as the log

          Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details.

          Failed to record diagnostic information

          Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details.

          Unable to start. Make sure you are running USMT with elevated privileges

          Exit USMT and log in again with elevated privileges.

          72

          USMT_UNABLE_DOMIGRATION

          An error occurred closing the store

          Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

          Fatal Errors

          An error occurred in the apply process

          Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

          An error occurred in the gather process

          Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

          Out of disk space while writing the store

          Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

          Out of temporary disk space on the local system

          Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

          - - - -## Related topics - - -[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) - -[Log Files](usmt-log-files.md) - - - - - - - - - +--- +title: Return Codes (Windows 10) +description: Return Codes +ms.assetid: e71bbc6b-d5a6-4e48-ad01-af0012b35f22 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Return Codes + + +This topic describes User State Migration Tool (USMT) 10.0 return codes and error messages. Also included is a table listing the USMT return codes with their associated mitigation steps. In addition, this topic provides tips to help you use the logfiles to determine why you received an error. + +Understanding the requirements for running USMT can help minimize errors in your USMT migrations. For more information, see [USMT Requirements](usmt-requirements.md). + +## In This Topic + + +[USMT Return Codes](#bkmk-returncodes) + +[USMT Error Messages](#bkmk-errormessages) + +[Troubleshooting Return Codes and Error Messages](#bkmk-tscodeserrors) + +## USMT Return Codes + + +If you encounter an error in your USMT migration, you can use return codes and the more specific information provided in the associated USMT error messages to troubleshoot the issue and to identify mitigation steps. + +Return codes are grouped into the following broad categories that describe their area of error reporting: + +Success or User Cancel + +Invalid Command Lines + +Setup and Initialization + +Non-fatal Errors + +Fatal Errors + +As a best practice, we recommend that you set verbosity level to 5, **/v**:5, on the **ScanState**, **LoadState**, and **USMTUtils** command lines so that the most detailed reporting is available in the respective USMT logs. You can use a higher verbosity level if you want the log files output to go to a debugger. + +## USMT Error Messages + + +Error messages provide more detailed information about the migration problem than the associated return code. For example, the **ScanState**, **LoadState**, or **USMTUtils** tool might return a code of "11” (for “USMT\_INVALID\_PARAMETERS") and a related error message that reads "/key and /keyfile both specified". The error message is displayed at the command prompt and is identified in the **ScanState**, **LoadState**, or **USMTUtils** log files to help you determine why the return code was received. + +You can obtain more information about any listed Windows application programming interface (API) system error codes by typing **net helpmsg** on the command line and, then typing the error code number. For more information about System Error Codes, see [this Microsoft Web site](https://go.microsoft.com/fwlink/p/?LinkId=147060). + +## Troubleshooting Return Codes and Error Messages + + +The following table lists each return code by numeric value, along with the associated error messages and suggested troubleshooting actions. + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Return code valueReturn codeError messageTroubleshooting, mitigation, workaroundsCategory

          0

          USMT_SUCCESS

          Successful run

          Not applicable

          Success or Cancel

          1

          USMT_DISPLAY_HELP

          Command line help requested

          Not applicable

          Success or Cancel

          2

          USMT_STATUS_CANCELED

          Gather was aborted because of an EFS file

          Not applicable

          User chose to cancel (such as pressing CTRL+C)

          Not applicable

          Success or Cancel

          3

          USMT_WOULD_HAVE_FAILED

          At least one error was skipped as a result of /c

          Review ScanState, LoadState, or UsmtUtils log for details about command-line errors.

          11

          USMT_INVALID_PARAMETERS

          /all conflicts with /ui, /ue or /uel

          Review ScanState log or LoadState log for details about command-line errors.

          /auto expects an optional parameter for the script folder

          Review ScanState log or LoadState log for details about command-line errors.

          /encrypt can't be used with /nocompress

          Review ScanState log or LoadState log for details about command-line errors.

          /encrypt requires /key or /keyfile

          Review ScanState log or LoadState log for details about command-line errors.

          /genconfig can't be used with most other options

          Review ScanState log or LoadState log for details about command-line errors.

          /genmigxml can't be used with most other options

          Review ScanState log or LoadState log for details about command-line errors.

          /hardlink requires /nocompress

          Review ScanState log or LoadState log for details about command-line errors.

          /key and /keyfile both specified

          Review ScanState log or LoadState log for details about command-line errors.

          /key or /keyfile used without enabling encryption

          Review ScanState log or LoadState log for details about command-line errors.

          /lae is only used with /lac

          Review ScanState log or LoadState log for details about command-line errors.

          /listfiles cannot be used with /p

          Review ScanState log or LoadState log for details about command-line errors.

          /offline requires a valid path to an XML file describing offline paths

          Review ScanState log or LoadState log for details about command-line errors.

          /offlinewindir requires a valid path to offline windows folder

          Review ScanState log or LoadState log for details about command-line errors.

          /offlinewinold requires a valid path to offline windows folder

          Review ScanState log or LoadState log for details about command-line errors.

          A command was already specified

          Verify that the command-line syntax is correct and that there are no duplicate commands.

          An option argument is missing

          Review ScanState log or LoadState log for details about command-line errors.

          An option is specified more than once and is ambiguous

          Review ScanState log or LoadState log for details about command-line errors.

          By default /auto selects all users and uses the highest log verbosity level. Switches like /all, /ui, /ue, /v are not allowed.

          Review ScanState log or LoadState log for details about command-line errors.

          Command line arguments are required. Specify /? for options.

          Review ScanState log or LoadState log for details about command-line errors.

          Command line option is not valid

          Review ScanState log or LoadState log for details about command-line errors.

          EFS parameter specified is not valid for /efs

          Review ScanState log or LoadState log for details about command-line errors.

          File argument is invalid for /genconfig

          Review ScanState log or LoadState log for details about command-line errors.

          File argument is invalid for /genmigxml

          Review ScanState log or LoadState log for details about command-line errors.

          Invalid space estimate path. Check the parameters and/or file system permissions

          Review ScanState log or LoadState log for details about command-line errors.

          List file path argument is invalid for /listfiles

          Review ScanState log or LoadState log for details about command-line errors.

          Retry argument must be an integer

          Review ScanState log or LoadState log for details about command-line errors.

          Settings store argument specified is invalid

          Review ScanState log or LoadState log for details about command-line errors. Make sure that the store path is accessible and that the proper permission levels are set.

          Specified encryption algorithm is not supported

          Review ScanState log or LoadState log for details about command-line errors.

          The /efs:hardlink requires /hardlink

          Review ScanState log or LoadState log for details about command-line errors.

          The /targetWindows7 option is only available for Windows XP, Windows Vista, and Windows 7

          Review ScanState log or LoadState log for details about command-line errors.

          The store parameter is required but not specified

          Review ScanState log or LoadState log for details about command-line errors.

          The source-to-target domain mapping is invalid for /md

          Review ScanState log or LoadState log for details about command-line errors.

          The source-to-target user account mapping is invalid for /mu

          Review ScanState log or LoadState log for details about command-line errors.

          Undefined or incomplete command line option

          Review ScanState log or LoadState log for details about command-line errors.

          Invalid Command Lines

          Use /nocompress, or provide an XML file path with /p"pathtoafile" to get a compressed store size estimate

          Review ScanState log or LoadState log for details about command-line errors.

          User exclusion argument is invalid

          Review ScanState log or LoadState log for details about command-line errors.

          Verbosity level must be specified as a sum of the desired log options: Verbose (0x01), Record Objects (0x04), Echo to debug port (0x08)

          Review ScanState log or LoadState log for details about command-line errors.

          Volume shadow copy feature is not supported with a hardlink store

          Review ScanState log or LoadState log for details about command-line errors.

          Wait delay argument must be an integer

          Review ScanState log or LoadState log for details about command-line errors.

          12

          USMT_ERROR_OPTION_PARAM_TOO_LARGE

          Command line arguments cannot exceed 256 characters

          Review ScanState log or LoadState log for details about command-line errors.

          Invalid Command Lines

          Specified settings store path exceeds the maximum allowed length of 256 characters

          Review ScanState log or LoadState log for details about command-line errors.

          13

          USMT_INIT_LOGFILE_FAILED

          Log path argument is invalid for /l

          When /l is specified in the ScanState command line, USMT validates the path. Verify that the drive and other information, for example file system characters, are correct.

          Invalid Command Lines

          14

          USMT_ERROR_USE_LAC

          Unable to create a local account because /lac was not specified

          When creating local accounts, the command-line options /lac and /lae should be used.

          Invalid Command Lines

          26

          USMT_INIT_ERROR

          Multiple Windows installations found

          Listfiles.txt could not be created. Verify that the location you specified for the creation of this file is valid.

          Setup and Initialization

          Software malfunction or unknown exception

          Check all loaded .xml files for errors, common error when using /I to load the Config.xml file.

          Unable to find a valid Windows directory to proceed with requested offline operation; Check if offline input file is present and has valid entries

          Verify that the offline input file is present and that it has valid entries. USMT could not find valid offline operating system. Verify your offline directory mapping.

          27

          USMT_INVALID_STORE_LOCATION

          A store path can't be used because an existing store exists; specify /o to overwrite

          Specify /o to overwrite an existing intermediate or migration store.

          Setup and Initialization

          A store path is missing or has incomplete data

          Make sure that the store path is accessible and that the proper permission levels are set.

          An error occurred during store creation

          Make sure that the store path is accessible and that the proper permission levels are set. Specify /o to overwrite an existing intermediate or migration store.

          An inappropriate device such as a floppy disk was specified for the store

          Make sure that the store path is accessible and that the proper permission levels are set.

          Invalid store path; check the store parameter and/or file system permissions

          Invalid store path; check the store parameter and/or file system permissions

          The file layout and/or file content is not recognized as a valid store

          Make sure that the store path is accessible and that the proper permission levels are set. Specify /o to overwrite an existing intermediate or migration store.

          The store path holds a store incompatible with the current USMT version

          Make sure that the store path is accessible and that the proper permission levels are set.

          The store save location is read-only or does not support a requested storage option

          Make sure that the store path is accessible and that the proper permission levels are set.

          28

          USMT_UNABLE_GET_SCRIPTFILES

          Script file is invalid for /i

          Check all specified migration .xml files for errors. This is a common error when using /i to load the Config.xml file.

          Setup and Initialization

          Unable to find a script file specified by /i

          Verify the location of your script files, and ensure that the command-line options are correct.

          29

          USMT_FAILED_MIGSTARTUP

          A minimum of 250 MB of free space is required for temporary files

          Verify that the system meets the minimum temporary disk space requirement of 250 MB. As a workaround, you can set the environment variable USMT_WORKING_DIR=<path> to redirect the temporary files working directory.

          Setup and Initialization

          Another process is preventing migration; only one migration tool can run at a time

          Check the ScanState log file for migration .xml file errors.

          Failed to start main processing, look in log for system errors or check the installation

          Check the ScanState log file for migration .xml file errors.

          Migration failed because of an XML error; look in the log for specific details

          Check the ScanState log file for migration .xml file errors.

          Unable to automatically map the drive letters to match the online drive letter layout; Use /offline to provide a mapping table

          Check the ScanState log file for migration .xml file errors.

          31

          USMT_UNABLE_FINDMIGUNITS

          An error occurred during the discover phase; the log should have more specific information

          Check the ScanState log file for migration .xml file errors.

          Setup and Initialization

          32

          USMT_FAILED_SETMIGRATIONTYPE

          An error occurred processing the migration system

          Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.

          Setup and Initialization

          33

          USMT_UNABLE_READKEY

          Error accessing the file specified by the /keyfile parameter

          Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.

          Setup and Initialization

          The encryption key must have at least one character

          Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.

          34

          USMT_ERROR_INSUFFICIENT_RIGHTS

          Directory removal requires elevated privileges

          Log on as Administrator, and run with elevated privileges.

          Setup and Initialization

          No rights to create user profiles; log in as Administrator; run with elevated privileges

          Log on as Administrator, and run with elevated privileges.

          No rights to read or delete user profiles; log in as Administrator, run with elevated privileges

          Log on as Administrator, and run with elevated privileges.

          35

          USMT_UNABLE_DELETE_STORE

          A reboot is required to remove the store

          Reboot to delete any files that could not be deleted when the command was executed.

          Setup and Initialization

          A store path can't be used because it contains data that could not be overwritten

          A migration store could not be deleted. If you are using a hardlink migration store you might have a locked file in it. You should manually delete the store, or use USMTUtils /rd command to delete the store.

          There was an error removing the store

          Review ScanState log or LoadState log for details about command-line errors.

          36

          USMT_ERROR_UNSUPPORTED_PLATFORM

          Compliance check failure; please check the logs for details

          Investigate whether there is an active temporary profile on the system.

          Setup and Initialization

          Use of /offline is not supported during apply

          The /offline command was not used while running in the Windows Preinstallation Environment (WinPE).

          Use /offline to run gather on this platform

          The /offline command was not used while running in WinPE.

          37

          USMT_ERROR_NO_INVALID_KEY

          The store holds encrypted data but the correct encryption key was not provided

          Verify that you have included the correct encryption /key or /keyfile.

          Setup and Initialization

          38

          USMT_ERROR_CORRUPTED_NOTENCRYPTED_STORE

          An error occurred during store access

          Review ScanState log or LoadState log for details about command-line errors. Make sure that the store path is accessible and that the proper permission levels are set.

          Setup and Initialization

          39

          USMT_UNABLE_TO_READ_CONFIG_FILE

          Error reading Config.xml

          Review ScanState log or LoadState log for details about command-line errors in the Config.xml file.

          Setup and Initialization

          File argument is invalid for /config

          Check the command line you used to load the Config.xml file. You can use online Help by typing /? on the command line.

          40

          USMT_ERROR_UNABLE_CREATE_PROGRESS_LOG

          Error writing to the progress log

          The Progress log could not be created. Verify that the location is valid and that you have write access.

          Setup and Initialization

          Progress log argument is invalid for /progress

          The Progress log could not be created. Verify that the location is valid and that you have write access.

          41

          USMT_PREFLIGHT_FILE_CREATION_FAILED

          Can't overwrite existing file

          The Progress log could not be created. Verify that the location is valid and that you have write access.

          Setup and Initialization

          Invalid space estimate path. Check the parameters and/or file system permissions

          Review ScanState log or LoadState log for details about command-line errors.

          42

          USMT_ERROR_CORRUPTED_STORE

          The store contains one or more corrupted files

          Review UsmtUtils log for details about the corrupted files. For information on how to extract the files that are not corrupted, see Extract Files from a Compressed USMT Migration Store.

          61

          USMT_MIGRATION_STOPPED_NONFATAL

          Processing stopped due to an I/O error

          USMT exited but can continue with the /c command-line option, with the optional configurable <ErrorControl> section or by using the /vsc command-line option.

          Non-fatal Errors

          71

          USMT_INIT_OPERATING_ENVIRONMENT_FAILED

          A Windows Win32 API error occurred

          Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details.

          Fatal Errors

          An error occurred when attempting to initialize the diagnostic mechanisms such as the log

          Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details.

          Failed to record diagnostic information

          Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details.

          Unable to start. Make sure you are running USMT with elevated privileges

          Exit USMT and log in again with elevated privileges.

          72

          USMT_UNABLE_DOMIGRATION

          An error occurred closing the store

          Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

          Fatal Errors

          An error occurred in the apply process

          Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

          An error occurred in the gather process

          Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

          Out of disk space while writing the store

          Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

          Out of temporary disk space on the local system

          Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

          + + + +## Related topics + + +[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) + +[Log Files](usmt-log-files.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md index 77c1c1b5d6..83afe8628b 100644 --- a/windows/deployment/usmt/usmt-scanstate-syntax.md +++ b/windows/deployment/usmt/usmt-scanstate-syntax.md @@ -1,873 +1,873 @@ ---- -title: ScanState Syntax (Windows 10) -description: ScanState Syntax -ms.assetid: 004c755f-33db-49e4-8a3b-37beec1480ea -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# ScanState Syntax - - -The ScanState command is used with the User State Migration Tool (USMT) 10.0 to scan the source computer, collect the files and settings, and create a store. - -## In This Topic - - -[Before You Begin](#bkmk-beforeyoubegin) - -[Syntax](#bkmk-syntax) - -[Storage Options](#bkmk-storageoptions) - -[Migration Rule Options](#bkmk-migrationruleoptions) - -[Monitoring Options](#bkmk-monitoringoptions) - -[User Options](#bkmk-useroptions) - -[Encrypted File Options](#bkmk-efs) - -[Incompatible Command-Line Options](#bkmk-iclo) - -## Before You Begin - - -Before you run the **ScanState** command, note the following: - -- To ensure that all operating system settings migrate, in most cases you must run the **ScanState** commands in administrator mode from an account with administrative credentials. - -- If you encrypt the migration store, you will be required to enter an encryption key or a path to a file containing the encryption key. Be sure to make note of the key or the key file location, because this information is not kept anywhere in the migration store. You will need this information when you run the LoadState command to decrypt the migration store, or if you need to run the recovery utility. An incorrect or missing key or key file results in an error message. - -- For information about software requirements for running the **ScanState** command, see [USMT Requirements](usmt-requirements.md). - -- Unless otherwise noted, you can use each option only once when running a tool on the command line. - -- You can gather domain accounts without the source computer having domain controller access. This functionality is available without any additional configuration. - -- The [Incompatible Command-Line Options](#bkmk-iclo) table lists which options you can use together and which command-line options are incompatible. - -- The directory location where you save the migration store will be excluded from the scan. For example, if you save the migration store to the root of the D drive, the D drive and all of its subdirectories will be excluded from the scan. - -## Syntax - - -This section explains the syntax and usage of the **ScanState** command-line options. The options can be specified in any order. If the option contains a parameter, you can use either a colon or a space separator. - -The **ScanState** command's syntax is: - -scanstate \[*StorePath*\] \[/apps\] \[/ppkg:*FileName*\] \[/i:\[*Path*\\\]*FileName*\] \[/o\] \[/v:*VerbosityLevel*\] \[/nocompress\] \[/localonly\] \[/encrypt /key:*KeyString*|/keyfile:\[Path\\\]*FileName*\] \[/l:\[*Path*\\\]*FileName*\] \[/progress:\[*Path*\\\]*FileName*\] \[/r:*TimesToRetry*\] \[/w:*SecondsBeforeRetry*\] \[/c\] \[/p\] \[/all\] \[/ui:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/ue:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/uel:*NumberOfDays*|*YYYY/MM/DD*|0\] \[/efs:abort|skip|decryptcopy|copyraw\] \[/genconfig:\[*Path*\\\]*FileName*\[/config:\[*Path*\\\]*FileName*\] \[/?|help\] - -For example: - -To create a Config.xml file in the current directory, use: - -`scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:13` - -To create an encrypted store using the Config.xml file and the default migration .xml files, use: - -`scanstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /o /config:config.xml /v:13 /encrypt /key:"mykey"` - -## Storage Options - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Command-Line OptionDescription

          StorePath

          Indicates a folder where files and settings will be saved. Note that StorePath cannot be C:\. You must specify the StorePath option in the ScanState command, except when using the /genconfig option. You cannot specify more than one StorePath location.

          /apps

          Scans the image for apps and includes them and their associated registry settings.

          /ppkg [<FileName>]

          Exports to a specific file location.

          /o

          Required to overwrite any existing data in the migration store or Config.xml file. If not specified, the ScanState command will fail if the migration store already contains data. You cannot use this option more than once on a command line.

          /vsc

          This option enables the volume shadow-copy service to migrate files that are locked or in use. This command-line option eliminates most file-locking errors that are typically encountered by the <ErrorControl> section.

          -

          This option can be used only with the ScanState executable file and cannot be combined with the /hardlink option.

          /hardlink

          Enables the creation of a hard-link migration store at the specified location. The /nocompress option must be specified with the /hardlink option.

          /encrypt [{/key:<KeyString> | /keyfile:<file>]}

          Encrypts the store with the specified key. Encryption is disabled by default. With this option, you will need to specify the encryption key in one of the following ways:

          -
            -

          • /key:KeyString specifies the encryption key. If there is a space in KeyString, you will need to surround KeyString with quotation marks.

            • -

          • /keyfile:FilePathAndName specifies a text (.txt) file that contains the encryption key.

            • -
          -

          We recommend that KeyString be at least eight characters long, but it cannot exceed 256 characters. The /key and /keyfile options cannot be used on the same command line. The /encrypt and /nocompress options cannot be used on the same command line.

          -
          -Important

          You should use caution with this option, because anyone who has access to the ScanState command-line script will also have access to the encryption key.

          -
          -
          - -
          -

          The following example shows the ScanState command and the /key option:

          -

          scanstate /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /encrypt /key:mykey

          /encrypt:<EncryptionStrength>

          The /encrypt option accepts a command-line parameter to define the encryption strength to be used for encryption of the migration store. For more information about supported encryption algorithms, see Migration Store Encryption.

          /nocompress

          Disables compression of data and saves the files to a hidden folder named "File" at StorePath\USMT. Compression is enabled by default. Combining the /nocompress option with the /hardlink option generates a hard-link migration store. You can use the uncompressed store to view what USMT stored, troubleshoot a problem, or run an antivirus utility against the files. You should use this option only in testing environments, because we recommend that you use a compressed store during your actual migration, unless you are combining the /nocompress option with the /hardlink option.

          -

          The /nocompress and /encrypt options cannot be used together in one statement on the command line. However, if you do choose to migrate an uncompressed store, the LoadState command will migrate each file directly from the store to the correct location on the destination computer without a temporary location.

          -

          For example:

          -

          scanstate /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /nocompress

          - - - -## Run the ScanState Command on an Offline Windows System - - -You can run the **ScanState** command in Windows Preinstallation Environment (WinPE). In addition, USMT supports migrations from previous installations of Windows contained in Windows.old directories. The offline directory can be a Windows directory when you run the **ScanState** command in WinPE or a Windows.old directory when you run the **ScanState** command in Windows. - -There are several benefits to running the **ScanState** command on an offline Windows image, including: - -- **Improved Performance.** - - Because WinPE is a thin operating system, there are fewer running services. In this environment, the **ScanState** command has more access to the local hardware resources, enabling **ScanState** to perform migration operations more quickly. - -- **Simplified end to end deployment process.** - - Migrating data from Windows.old simplifies the end-to-end deployment process by enabling the migration process to occur after the new operating system is installed. - -- **Improved success of migration.** - - The migration success rate is increased because files will not be locked for editing while offline, and because WinPE provides administrator access to files in the offline Windows file system, eliminating the need for administrator-level access to the online system. - -- **Ability to recover an unbootable computer.** - - It might be possible to recover and migrate data from an unbootable computer. - -## Offline Migration Options - - - ---- - - - - - - - - - - - - - - - - - - - - -
          Command-Line OptionDefinition

          /offline:"path to an offline.xml file"

          This option is used to define a path to an offline .xml file that might specify other offline migration options, for example, an offline Windows directory or any domain or folder redirection required in your migration.

          /offlinewindir:"path to a Windows directory"

          This option specifies the offline Windows directory that the ScanState command gathers user state from. The offline directory can be Windows.old when you run the ScanState command in Windows or a Windows directory when you run the ScanState command in WinPE.

          /offlinewinold:"Windows.old directory"

          This command-line option enables the offline migration mode and starts the migration from the location specified. It is only intended to be used in Windows.old migration scenarios, where the migration is occurring from a Windows.old directory.

          - - - -## Migration Rule Options - - -USMT provides the following options to specify what files you want to migrate. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Command-Line OptionDescription

          /i:[Path]FileName

          (include)

          -

          Specifies an .xml file that contains rules that define what user, application or system state to migrate. You can specify this option multiple times to include all of your .xml files (MigApp.xml, MigDocs.xml, and any custom .xml files that you create). Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory. For more information about which files to specify, see the "XML Files" section of the Frequently Asked Questions topic.

          /genconfig:[Path]FileName

          (Generate Config.xml)

          -

          Generates the optional Config.xml file, but does not create a migration store. To ensure that this file contains every component, application and setting that can be migrated, you should create this file on a source computer that contains all the components, applications and settings that will be present on the destination computers. In addition, you should specify the other migration .xml files, using the /i option, when you specify this option.

          -

          After you create this file, you will need to make use of it with the ScanState command using the /config option.

          -

          The only options that you can specify with this option are the /i, /v, and /l options. You cannot specify StorePath, because the /genconfig option does not create a store. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.

          -

          Examples:

          -
            -

          • The following example creates a Config.xml file in the current directory:

            -

            scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:13

            • -

          /config:[Path</em>]FileName

          Specifies the Config.xml file that the ScanState command should use to create the store. You cannot use this option more than once on the command line. Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory.

          -

          The following example creates a store using the Config.xml file, MigDocs.xml, and MigApp.xml files:

          -

          scanstate \server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scan.log

          -

          The following example migrates the files and settings to the destination computer using the Config.xml, MigDocs.xml, and MigApp.xml files:

          -

          loadstate \server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:load.log

          /auto:path to script files

          This option enables you to specify the location of the default .xml files and then begin the migration. If no path is specified, USMT will reference the directory where the USMT binaries are located. The /auto option has the same effect as using the following options: /i:MigDocs.xml /i:MigApp.xml /v:5.

          /genmigxml:path to a file

          This option specifies that the ScanState command should use the document finder to create and export an .xml file that defines how to migrate all of the files on the computer on which the ScanState command is running.

          /targetwindows8

          Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 8 or Windows 8.1 instead of Windows 10. You should use this command line option in the following scenarios:

          -
            -

          • To create a Config.xml file by using the /genconfig option. Using the /targetwindows8 option optimizes the Config.xml file so that it only contains components that relate to Windows 8 or Windows 8.1.

            • -

          • To create a migration store. Using the /targetwindows8 option ensures that the ScanState tool gathers the correct set of operating system settings. Without the /targetwindows8 command-line option, some settings can be lost during the migration.

            • -

          /targetwindows7

          Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 7 instead of Windows 10. You should use this command line option in the following scenarios:

          -
            -

          • To create a Config.xml file by using the /genconfig option. Using the /targetwindows7 option optimizes the Config.xml file so that it only contains components that relate to Windows 7.

            • -

          • To create a migration store. Using the /targetwindows7 option ensures that the ScanState tool gathers the correct set of operating system settings. Without the /targetwindows7 command-line option, some settings can be lost during the migration.

            • -

          /localonly

          Migrates only files that are stored on the local computer, regardless of the rules in the .xml files that you specify on the command line. You should use this option when you want to exclude the data from removable drives on the source computer, such as USB flash drives (UFDs), some external hard drives, and so on, and when there are network drives mapped on the source computer. If the /localonly option is not specified, then the ScanState command will copy files from these removable or network drives into the store.

          -

          Anything that is not considered a fixed drive by the OS will be excluded by /localonly. In some cases large external hard drives are considered fixed drives. These drives can be explicitly excluded from migration by using a custom.xml file. For more information about how to exclude all files on a specific drive, see Exclude Files and Settings.

          -

          The /localonly command-line option includes or excludes data in the migration as identified in the following table:

          - ---- - - - - - - - - - - - - - - - - - - - - -
          Drive typeBehavior with /localonly

          Removable drives such as a USB flash drive

          Excluded

          Network drives

          Excluded

          Fixed drives

          Included

          -

          - - - -## Monitoring Options - - -USMT provides several options that you can use to analyze problems that occur during migration. - -**Note** -The ScanState log is created by default, but you can specify the name and location of the log with the **/l** option. - - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Command-Line OptionDescription

          /listfiles:<FileName>

          You can use the /listfiles command-line option with the ScanState command to generate a text file that lists all of the files included in the migration.

          /l:[Path]FileName

          Specifies the location and name of the ScanState log.

          -

          You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then the log will be created in the current directory. You can use the /v option to adjust the amount of output.

          -

          If you run the ScanState or LoadState commands from a shared network resource, you must specify this option or USMT will fail with the following error: "USMT was unable to create the log file(s)". To fix this issue, use the /l:scan.log command.

          /v:<VerbosityLevel>

          (Verbosity)

          -

          Enables verbose output in the ScanState log file. The default value is 0.

          -

          You can set the VerbosityLevel to one of the following levels:

          - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          LevelExplanation

          0

          Only the default errors and warnings are enabled.

          1

          Enables verbose output.

          4

          Enables error and status output.

          5

          Enables verbose and status output.

          8

          Enables error output to a debugger.

          9

          Enables verbose output to a debugger.

          12

          Enables error and status output to a debugger.

          13

          Enables verbose, status, and debugger output.

          -

          -

          For example:

          -

          scanstate \server\share\migration\mystore /v:13 /i:migdocs.xml /i:migapp.xml

          -

          /progress:[Path</em>]FileName

          Creates the optional progress log. You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.

          -

          For example:

          -

          scanstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /progress:prog.log /l:scanlog.log

          /c

          When this option is specified, the ScanState command will continue to run, even if non-fatal errors occur. Any files or settings that cause an error are logged in the progress log. For example, if there is a large file that will not fit in the store, the ScanState command will log an error and continue with the migration. In addition, if a file is open or in use by an application, USMT may not be able to migrate the file and will log an error. Without the /c option, the ScanState command will exit on the first error.

          -

          You can use the new <ErrorControl> section in the Config.xml file to specify which file or registry read/write errors can be safely ignored and which might cause the migration to fail. This enables the /c command-line option to safely skip all input/output (I/O) errors in your environment. In addition, the /genconfig option now generates a sample <ErrorControl> section that is enabled by specifying error messages and desired behaviors in the Config.xml file.

          /r:<TimesToRetry>

          (Retry)

          -

          Specifies the number of times to retry when an error occurs while saving the user state to a server. The default is three times. This option is useful in environments where network connectivity is not reliable.

          -

          While storing the user state, the /r option will not be able to recover data that is lost due to a network-hardware failure, such as a faulty or disconnected network cable, or when a virtual private network (VPN) connection fails. The retry option is intended for large, busy networks where connectivity is satisfactory, but communication latency is a problem.

          /w:<SecondsBeforeRetry>

          (Wait)

          -

          Specifies the time to wait, in seconds, before retrying a network file operation. The default is 1 second.

          /p:<pathToFile>

          When the ScanState command runs, it will create an .xml file in the path specified. This .xml file includes improved space estimations for the migration store. The following example shows how to create this .xml file:

          -

          Scanstate.exe C:\MigrationLocation [additional parameters]

          -

          /p:"C:\MigrationStoreSize.xml"

          -

          For more information, see Estimate Migration Store Size.

          -

          To preserve the functionality of existing applications or scripts that require the previous behavior of USMT, you can use the /p option, without specifying "pathtoafile", in USMT. If you specify only the /p option, the storage space estimations are created in the same manner as with USMT3.x releases.

          /? or /help

          Displays Help at the command line.

          - - - -## User Options - - -By default, all users are migrated. The only way to specify which users to include and exclude is by using the following options. You cannot exclude users in the migration .xml files or using the Config.xml file. For more information, see [Identify Users](usmt-identify-users.md) and [Migrate User Accounts](usmt-migrate-user-accounts.md). - - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
          Command-Line OptionDescription

          /all

          Migrates all of the users on the computer.

          -

          USMT migrates all user accounts on the computer, unless you specifically exclude an account with either the /ue or /uel options. For this reason, you do not need to specify this option on the command line. However, if you choose to specify the /all option, you cannot also use the /ui, /ue or /uel options.

          /ui:<DomainName>\<UserName>

          -

          or

          -

          /ui:<ComputerName>\<LocalUserName>

          (User include)

          -

          Migrates the specified users. By default, all users are included in the migration. Therefore, this option is helpful only when used with the /ue or /uel options. You can specify multiple /ui options, but you cannot use the /ui option with the /all option. DomainName and UserName can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotation marks.

          -
          -Note

          If a user is specified for inclusion with the /ui option, and also is specified to be excluded with either the /ue or /uel options, the user will be included in the migration.

          -
          -
          - -
          -

          For example:

          -
            -

            To include only User2 from the Fabrikam domain, type:

            -

            /ue:*\* /ui:fabrikam\user2

            -

            To migrate all users from the Fabrikam domain, and only the user accounts from other domains that have been active or otherwise modified in the last 30 days, type:

            -

            /uel:30 /ui:fabrikam\*

            -

            In this example, a user account from the Contoso domain that was last modified 2 months ago will not be migrated.

            -
          -

          For more examples, see the descriptions of the /ue and /ui options in this table.

          /uel:<NumberOfDays>

          -

          or

          -

          /uel:<YYYY/MM/DD>

          -

          or

          -

          /uel:0

          (User exclude based on last logon)

          -

          Migrates the users that logged onto the source computer within the specified time period, based on the Last Modified date of the Ntuser.dat file on the source computer. The /uel option acts as an include rule. For example, the /uel:30 option migrates users who logged on, or whose account was modified, within the last 30 days from the date when the ScanState command is run.

          -

          You can specify a number of days or you can specify a date. You cannot use this option with the /all option. USMT retrieves the last logon information from the local computer, so the computer does not need to be connected to the network when you run this option. In addition, if a domain user has logged onto another computer, that logon instance is not considered by USMT.

          -
          -Note

          The /uel option is not valid in offline migrations.

          -
          -
          - -
          -
            -

          • /uel:0 migrates any users who are currently logged on.

            • -

          • /uel:90 migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days.

            • -

          • /uel:1 migrates users whose account has been modified within the last 24 hours.

            • -

          • /uel:2002/1/15 migrates users who have logged on or been modified January 15, 2002 or afterwards.

            • -
          -

          For example:

          -

          scanstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /uel:0

          /ue:<DomainName>\<UserName>

          -

          -or-

          -

          -

          /ue:<ComputerName>\<LocalUserName>

          (User exclude)

          -

          Excludes the specified users from the migration. You can specify multiple /ue options. You cannot use this option with the /all option. <DomainName> and <UserName> can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you need to surround it with quotation marks.

          -

          For example:

          -

          scanstate /i:migdocs.xml /i:migapp.xml \\server\share\migration\mystore /ue:contoso\user1

          - - - -## How to Use /ui and /ue - - -The following examples apply to both the /**ui** and /**ue** options. You can replace the /**ue** option with the /**ui** option to include, rather than exclude, the specified users. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          BehaviorCommand

          Exclude the user named User One in the Fabrikam domain.

          /ue:"fabrikam\user one"

          Exclude the user named User1 in the Fabrikam domain.

          /ue:fabrikam\user1

          Exclude the local user named User1.

          /ue:%computername%\user1

          Exclude all domain users.

          /ue:Domain\*

          Exclude all local users.

          /ue:%computername%\*

          Exclude users in all domains named User1, User2, and so on.

          /ue:*\user*

          - - - -## Using the Options Together - - -You can use the /**uel**, /**ue** and /**ui** options together to migrate only the users that you want migrated. - -The /**ui** option has precedence over the /**ue** and /**uel** options. If a user is specified to be included using the /**ui** option, and also specified to be excluded using either the /**ue** or /**uel** options, the user will be included in the migration. For example, if you specify `/ui:contoso\* /ue:contoso\user1`, then User1 will be migrated, because the /**ui** option takes precedence over the /**ue** option. - -The /**uel** option takes precedence over the /**ue** option. If a user has logged on within the specified time period set by the /**uel** option, that user’s profile will be migrated even if they are excluded by using the /**ue** option. For example, if you specify `/ue:fixed\user1 /uel:14`, the User1 will be migrated if they have logged on to the computer within the last 14 days. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
          BehaviorCommand

          Include only User2 from the Fabrikam domain and exclude all other users.

          /ue:*\* /ui:fabrikam\user2

          Include only the local user named User1 and exclude all other users.

          /ue:*\* /ui:user1

          Include only the domain users from Contoso, except Contoso\User1.

          This behavior cannot be completed using a single command. Instead, to migrate this set of users, you will need to specify the following:

          -
            -

          • On the ScanState command line, type: /ue:*\* /ui:contoso\*

            • -

          • On the LoadState command line, type: /ue:contoso\user1

            • -

          Include only local (non-domain) users.

          /ue:*\* /ui:%computername%\*

          - - - -## Encrypted File Options - - -You can use the following options to migrate encrypted files. In all cases, by default, USMT fails if an encrypted file is found unless you specify an /**efs** option. To migrate encrypted files, you must change the default behavior. - -For more information, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md). - -**Note** -EFS certificates will be migrated automatically when migrating to Windows 7, Windows 8 or Windows 10. Therefore, you should specify the /**efs:copyraw** option with the **ScanState** command to migrate the encrypted files - - - -**Caution** -Take caution when migrating encrypted files. If you migrate an encrypted file without also migrating the certificate, end users will not be able to access the file after the migration. - - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Command-Line OptionExplanation

          /efs:hardlink

          Creates a hard link to the EFS file instead of copying it. Use only with the /hardlink and the /nocompress options.

          /efs:abort

          Causes the ScanState command to fail with an error code, if an Encrypting File System (EFS) file is found on the source computer. Enabled by default.

          /efs:skip

          Causes the ScanState command to ignore EFS files.

          /efs:decryptcopy

          Causes the ScanState command to decrypt the file, if possible, before saving it to the migration store, and to fail if the file cannot be decrypted. If the ScanState command succeeds, the file will be unencrypted in the migration store, and once you run the LoadState command, the file will be copied to the destination computer.

          /efs:copyraw

          Causes the ScanState command to copy the files in the encrypted format. The files will be inaccessible on the destination computer until the EFS certificates are migrated. EFS certificates will be automatically migrated; however, by default USMT fails if an encrypted file is found, unless you specify an /efs option. Therefore you should specify the /efs:copyraw option with the ScanState command to migrate the encrypted file. Then, when you run the LoadState command, the encrypted file and the EFS certificate will be automatically migrated.

          -

          For example:

          -

          ScanState /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /efs:copyraw

          -
          -Important

          All files must be encrypted if the parent folder is encrypted. If the encryption attribute on a file inside an encrypted folder has been removed, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool. For more information, see Migrate EFS Files and Certificates.

          -
          -
          - -
          - - - -## Incompatible Command-Line Options - - -The following table indicates which command-line options are not compatible with the **ScanState** command. If the table entry for a particular combination is blank, the options are compatible and you can use them together. The X symbol means that the options are not compatible. For example, you cannot use the **/nocompress** option with the **/encrypt** option. - - ------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Command-Line Option/keyfile/nocompress/genconfig/all

          /i

          /o

          /v

          /nocompress

          X

          N/A

          /localonly

          X

          /key

          X

          X

          /encrypt

          Required*

          X

          X

          /keyfile

          N/A

          X

          /l

          /progress

          X

          /r

          X

          /w

          X

          /c

          X

          /p

          X

          N/A

          /all

          X

          /ui

          X

          X

          /ue

          X

          X

          /uel

          X

          X

          /efs:<option>

          X

          /genconfig

          N/A

          /config

          X

          <StorePath>

          X

          - - - -**Note** -You must specify either the /**key** or /**keyfile** option with the /**encrypt** option. - - - -## Related topics - - -[XML Elements Library](usmt-xml-elements-library.md) - - - - - - - - - +--- +title: ScanState Syntax (Windows 10) +description: ScanState Syntax +ms.assetid: 004c755f-33db-49e4-8a3b-37beec1480ea +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# ScanState Syntax + + +The ScanState command is used with the User State Migration Tool (USMT) 10.0 to scan the source computer, collect the files and settings, and create a store. + +## In This Topic + + +[Before You Begin](#bkmk-beforeyoubegin) + +[Syntax](#bkmk-syntax) + +[Storage Options](#bkmk-storageoptions) + +[Migration Rule Options](#bkmk-migrationruleoptions) + +[Monitoring Options](#bkmk-monitoringoptions) + +[User Options](#bkmk-useroptions) + +[Encrypted File Options](#bkmk-efs) + +[Incompatible Command-Line Options](#bkmk-iclo) + +## Before You Begin + + +Before you run the **ScanState** command, note the following: + +- To ensure that all operating system settings migrate, in most cases you must run the **ScanState** commands in administrator mode from an account with administrative credentials. + +- If you encrypt the migration store, you will be required to enter an encryption key or a path to a file containing the encryption key. Be sure to make note of the key or the key file location, because this information is not kept anywhere in the migration store. You will need this information when you run the LoadState command to decrypt the migration store, or if you need to run the recovery utility. An incorrect or missing key or key file results in an error message. + +- For information about software requirements for running the **ScanState** command, see [USMT Requirements](usmt-requirements.md). + +- Unless otherwise noted, you can use each option only once when running a tool on the command line. + +- You can gather domain accounts without the source computer having domain controller access. This functionality is available without any additional configuration. + +- The [Incompatible Command-Line Options](#bkmk-iclo) table lists which options you can use together and which command-line options are incompatible. + +- The directory location where you save the migration store will be excluded from the scan. For example, if you save the migration store to the root of the D drive, the D drive and all of its subdirectories will be excluded from the scan. + +## Syntax + + +This section explains the syntax and usage of the **ScanState** command-line options. The options can be specified in any order. If the option contains a parameter, you can use either a colon or a space separator. + +The **ScanState** command's syntax is: + +scanstate \[*StorePath*\] \[/apps\] \[/ppkg:*FileName*\] \[/i:\[*Path*\\\]*FileName*\] \[/o\] \[/v:*VerbosityLevel*\] \[/nocompress\] \[/localonly\] \[/encrypt /key:*KeyString*|/keyfile:\[Path\\\]*FileName*\] \[/l:\[*Path*\\\]*FileName*\] \[/progress:\[*Path*\\\]*FileName*\] \[/r:*TimesToRetry*\] \[/w:*SecondsBeforeRetry*\] \[/c\] \[/p\] \[/all\] \[/ui:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/ue:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/uel:*NumberOfDays*|*YYYY/MM/DD*|0\] \[/efs:abort|skip|decryptcopy|copyraw\] \[/genconfig:\[*Path*\\\]*FileName*\[/config:\[*Path*\\\]*FileName*\] \[/?|help\] + +For example: + +To create a Config.xml file in the current directory, use: + +`scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:13` + +To create an encrypted store using the Config.xml file and the default migration .xml files, use: + +`scanstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /o /config:config.xml /v:13 /encrypt /key:"mykey"` + +## Storage Options + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Command-Line OptionDescription

          StorePath

          Indicates a folder where files and settings will be saved. Note that StorePath cannot be C:\. You must specify the StorePath option in the ScanState command, except when using the /genconfig option. You cannot specify more than one StorePath location.

          /apps

          Scans the image for apps and includes them and their associated registry settings.

          /ppkg [<FileName>]

          Exports to a specific file location.

          /o

          Required to overwrite any existing data in the migration store or Config.xml file. If not specified, the ScanState command will fail if the migration store already contains data. You cannot use this option more than once on a command line.

          /vsc

          This option enables the volume shadow-copy service to migrate files that are locked or in use. This command-line option eliminates most file-locking errors that are typically encountered by the <ErrorControl> section.

          +

          This option can be used only with the ScanState executable file and cannot be combined with the /hardlink option.

          /hardlink

          Enables the creation of a hard-link migration store at the specified location. The /nocompress option must be specified with the /hardlink option.

          /encrypt [{/key:<KeyString> | /keyfile:<file>]}

          Encrypts the store with the specified key. Encryption is disabled by default. With this option, you will need to specify the encryption key in one of the following ways:

          +
            +

          • /key:KeyString specifies the encryption key. If there is a space in KeyString, you will need to surround KeyString with quotation marks.

            • +

          • /keyfile:FilePathAndName specifies a text (.txt) file that contains the encryption key.

            • +
          +

          We recommend that KeyString be at least eight characters long, but it cannot exceed 256 characters. The /key and /keyfile options cannot be used on the same command line. The /encrypt and /nocompress options cannot be used on the same command line.

          +
          +Important

          You should use caution with this option, because anyone who has access to the ScanState command-line script will also have access to the encryption key.

          +
          +
          + +
          +

          The following example shows the ScanState command and the /key option:

          +

          scanstate /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /encrypt /key:mykey

          /encrypt:<EncryptionStrength>

          The /encrypt option accepts a command-line parameter to define the encryption strength to be used for encryption of the migration store. For more information about supported encryption algorithms, see Migration Store Encryption.

          /nocompress

          Disables compression of data and saves the files to a hidden folder named "File" at StorePath\USMT. Compression is enabled by default. Combining the /nocompress option with the /hardlink option generates a hard-link migration store. You can use the uncompressed store to view what USMT stored, troubleshoot a problem, or run an antivirus utility against the files. You should use this option only in testing environments, because we recommend that you use a compressed store during your actual migration, unless you are combining the /nocompress option with the /hardlink option.

          +

          The /nocompress and /encrypt options cannot be used together in one statement on the command line. However, if you do choose to migrate an uncompressed store, the LoadState command will migrate each file directly from the store to the correct location on the destination computer without a temporary location.

          +

          For example:

          +

          scanstate /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /nocompress

          + + + +## Run the ScanState Command on an Offline Windows System + + +You can run the **ScanState** command in Windows Preinstallation Environment (WinPE). In addition, USMT supports migrations from previous installations of Windows contained in Windows.old directories. The offline directory can be a Windows directory when you run the **ScanState** command in WinPE or a Windows.old directory when you run the **ScanState** command in Windows. + +There are several benefits to running the **ScanState** command on an offline Windows image, including: + +- **Improved Performance.** + + Because WinPE is a thin operating system, there are fewer running services. In this environment, the **ScanState** command has more access to the local hardware resources, enabling **ScanState** to perform migration operations more quickly. + +- **Simplified end to end deployment process.** + + Migrating data from Windows.old simplifies the end-to-end deployment process by enabling the migration process to occur after the new operating system is installed. + +- **Improved success of migration.** + + The migration success rate is increased because files will not be locked for editing while offline, and because WinPE provides administrator access to files in the offline Windows file system, eliminating the need for administrator-level access to the online system. + +- **Ability to recover an unbootable computer.** + + It might be possible to recover and migrate data from an unbootable computer. + +## Offline Migration Options + + + ++++ + + + + + + + + + + + + + + + + + + + + +
          Command-Line OptionDefinition

          /offline:"path to an offline.xml file"

          This option is used to define a path to an offline .xml file that might specify other offline migration options, for example, an offline Windows directory or any domain or folder redirection required in your migration.

          /offlinewindir:"path to a Windows directory"

          This option specifies the offline Windows directory that the ScanState command gathers user state from. The offline directory can be Windows.old when you run the ScanState command in Windows or a Windows directory when you run the ScanState command in WinPE.

          /offlinewinold:"Windows.old directory"

          This command-line option enables the offline migration mode and starts the migration from the location specified. It is only intended to be used in Windows.old migration scenarios, where the migration is occurring from a Windows.old directory.

          + + + +## Migration Rule Options + + +USMT provides the following options to specify what files you want to migrate. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Command-Line OptionDescription

          /i:[Path]FileName

          (include)

          +

          Specifies an .xml file that contains rules that define what user, application or system state to migrate. You can specify this option multiple times to include all of your .xml files (MigApp.xml, MigDocs.xml, and any custom .xml files that you create). Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory. For more information about which files to specify, see the "XML Files" section of the Frequently Asked Questions topic.

          /genconfig:[Path]FileName

          (Generate Config.xml)

          +

          Generates the optional Config.xml file, but does not create a migration store. To ensure that this file contains every component, application and setting that can be migrated, you should create this file on a source computer that contains all the components, applications and settings that will be present on the destination computers. In addition, you should specify the other migration .xml files, using the /i option, when you specify this option.

          +

          After you create this file, you will need to make use of it with the ScanState command using the /config option.

          +

          The only options that you can specify with this option are the /i, /v, and /l options. You cannot specify StorePath, because the /genconfig option does not create a store. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.

          +

          Examples:

          +
            +

          • The following example creates a Config.xml file in the current directory:

            +

            scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:13

            • +

          /config:[Path</em>]FileName

          Specifies the Config.xml file that the ScanState command should use to create the store. You cannot use this option more than once on the command line. Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory.

          +

          The following example creates a store using the Config.xml file, MigDocs.xml, and MigApp.xml files:

          +

          scanstate \server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scan.log

          +

          The following example migrates the files and settings to the destination computer using the Config.xml, MigDocs.xml, and MigApp.xml files:

          +

          loadstate \server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:load.log

          /auto:path to script files

          This option enables you to specify the location of the default .xml files and then begin the migration. If no path is specified, USMT will reference the directory where the USMT binaries are located. The /auto option has the same effect as using the following options: /i:MigDocs.xml /i:MigApp.xml /v:5.

          /genmigxml:path to a file

          This option specifies that the ScanState command should use the document finder to create and export an .xml file that defines how to migrate all of the files on the computer on which the ScanState command is running.

          /targetwindows8

          Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 8 or Windows 8.1 instead of Windows 10. You should use this command line option in the following scenarios:

          +
            +

          • To create a Config.xml file by using the /genconfig option. Using the /targetwindows8 option optimizes the Config.xml file so that it only contains components that relate to Windows 8 or Windows 8.1.

            • +

          • To create a migration store. Using the /targetwindows8 option ensures that the ScanState tool gathers the correct set of operating system settings. Without the /targetwindows8 command-line option, some settings can be lost during the migration.

            • +

          /targetwindows7

          Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 7 instead of Windows 10. You should use this command line option in the following scenarios:

          +
            +

          • To create a Config.xml file by using the /genconfig option. Using the /targetwindows7 option optimizes the Config.xml file so that it only contains components that relate to Windows 7.

            • +

          • To create a migration store. Using the /targetwindows7 option ensures that the ScanState tool gathers the correct set of operating system settings. Without the /targetwindows7 command-line option, some settings can be lost during the migration.

            • +

          /localonly

          Migrates only files that are stored on the local computer, regardless of the rules in the .xml files that you specify on the command line. You should use this option when you want to exclude the data from removable drives on the source computer, such as USB flash drives (UFDs), some external hard drives, and so on, and when there are network drives mapped on the source computer. If the /localonly option is not specified, then the ScanState command will copy files from these removable or network drives into the store.

          +

          Anything that is not considered a fixed drive by the OS will be excluded by /localonly. In some cases large external hard drives are considered fixed drives. These drives can be explicitly excluded from migration by using a custom.xml file. For more information about how to exclude all files on a specific drive, see Exclude Files and Settings.

          +

          The /localonly command-line option includes or excludes data in the migration as identified in the following table:

          + ++++ + + + + + + + + + + + + + + + + + + + + +
          Drive typeBehavior with /localonly

          Removable drives such as a USB flash drive

          Excluded

          Network drives

          Excluded

          Fixed drives

          Included

          +

          + + + +## Monitoring Options + + +USMT provides several options that you can use to analyze problems that occur during migration. + +**Note** +The ScanState log is created by default, but you can specify the name and location of the log with the **/l** option. + + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Command-Line OptionDescription

          /listfiles:<FileName>

          You can use the /listfiles command-line option with the ScanState command to generate a text file that lists all of the files included in the migration.

          /l:[Path]FileName

          Specifies the location and name of the ScanState log.

          +

          You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then the log will be created in the current directory. You can use the /v option to adjust the amount of output.

          +

          If you run the ScanState or LoadState commands from a shared network resource, you must specify this option or USMT will fail with the following error: "USMT was unable to create the log file(s)". To fix this issue, use the /l:scan.log command.

          /v:<VerbosityLevel>

          (Verbosity)

          +

          Enables verbose output in the ScanState log file. The default value is 0.

          +

          You can set the VerbosityLevel to one of the following levels:

          + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          LevelExplanation

          0

          Only the default errors and warnings are enabled.

          1

          Enables verbose output.

          4

          Enables error and status output.

          5

          Enables verbose and status output.

          8

          Enables error output to a debugger.

          9

          Enables verbose output to a debugger.

          12

          Enables error and status output to a debugger.

          13

          Enables verbose, status, and debugger output.

          +

          +

          For example:

          +

          scanstate \server\share\migration\mystore /v:13 /i:migdocs.xml /i:migapp.xml

          +

          /progress:[Path</em>]FileName

          Creates the optional progress log. You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.

          +

          For example:

          +

          scanstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /progress:prog.log /l:scanlog.log

          /c

          When this option is specified, the ScanState command will continue to run, even if non-fatal errors occur. Any files or settings that cause an error are logged in the progress log. For example, if there is a large file that will not fit in the store, the ScanState command will log an error and continue with the migration. In addition, if a file is open or in use by an application, USMT may not be able to migrate the file and will log an error. Without the /c option, the ScanState command will exit on the first error.

          +

          You can use the new <ErrorControl> section in the Config.xml file to specify which file or registry read/write errors can be safely ignored and which might cause the migration to fail. This enables the /c command-line option to safely skip all input/output (I/O) errors in your environment. In addition, the /genconfig option now generates a sample <ErrorControl> section that is enabled by specifying error messages and desired behaviors in the Config.xml file.

          /r:<TimesToRetry>

          (Retry)

          +

          Specifies the number of times to retry when an error occurs while saving the user state to a server. The default is three times. This option is useful in environments where network connectivity is not reliable.

          +

          While storing the user state, the /r option will not be able to recover data that is lost due to a network-hardware failure, such as a faulty or disconnected network cable, or when a virtual private network (VPN) connection fails. The retry option is intended for large, busy networks where connectivity is satisfactory, but communication latency is a problem.

          /w:<SecondsBeforeRetry>

          (Wait)

          +

          Specifies the time to wait, in seconds, before retrying a network file operation. The default is 1 second.

          /p:<pathToFile>

          When the ScanState command runs, it will create an .xml file in the path specified. This .xml file includes improved space estimations for the migration store. The following example shows how to create this .xml file:

          +

          Scanstate.exe C:\MigrationLocation [additional parameters]

          +

          /p:"C:\MigrationStoreSize.xml"

          +

          For more information, see Estimate Migration Store Size.

          +

          To preserve the functionality of existing applications or scripts that require the previous behavior of USMT, you can use the /p option, without specifying "pathtoafile", in USMT. If you specify only the /p option, the storage space estimations are created in the same manner as with USMT3.x releases.

          /? or /help

          Displays Help at the command line.

          + + + +## User Options + + +By default, all users are migrated. The only way to specify which users to include and exclude is by using the following options. You cannot exclude users in the migration .xml files or using the Config.xml file. For more information, see [Identify Users](usmt-identify-users.md) and [Migrate User Accounts](usmt-migrate-user-accounts.md). + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
          Command-Line OptionDescription

          /all

          Migrates all of the users on the computer.

          +

          USMT migrates all user accounts on the computer, unless you specifically exclude an account with either the /ue or /uel options. For this reason, you do not need to specify this option on the command line. However, if you choose to specify the /all option, you cannot also use the /ui, /ue or /uel options.

          /ui:<DomainName>\<UserName>

          +

          or

          +

          /ui:<ComputerName>\<LocalUserName>

          (User include)

          +

          Migrates the specified users. By default, all users are included in the migration. Therefore, this option is helpful only when used with the /ue or /uel options. You can specify multiple /ui options, but you cannot use the /ui option with the /all option. DomainName and UserName can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotation marks.

          +
          +Note

          If a user is specified for inclusion with the /ui option, and also is specified to be excluded with either the /ue or /uel options, the user will be included in the migration.

          +
          +
          + +
          +

          For example:

          +
            +

            To include only User2 from the Fabrikam domain, type:

            +

            /ue:*\* /ui:fabrikam\user2

            +

            To migrate all users from the Fabrikam domain, and only the user accounts from other domains that have been active or otherwise modified in the last 30 days, type:

            +

            /uel:30 /ui:fabrikam\*

            +

            In this example, a user account from the Contoso domain that was last modified 2 months ago will not be migrated.

            +
          +

          For more examples, see the descriptions of the /ue and /ui options in this table.

          /uel:<NumberOfDays>

          +

          or

          +

          /uel:<YYYY/MM/DD>

          +

          or

          +

          /uel:0

          (User exclude based on last logon)

          +

          Migrates the users that logged onto the source computer within the specified time period, based on the Last Modified date of the Ntuser.dat file on the source computer. The /uel option acts as an include rule. For example, the /uel:30 option migrates users who logged on, or whose account was modified, within the last 30 days from the date when the ScanState command is run.

          +

          You can specify a number of days or you can specify a date. You cannot use this option with the /all option. USMT retrieves the last logon information from the local computer, so the computer does not need to be connected to the network when you run this option. In addition, if a domain user has logged onto another computer, that logon instance is not considered by USMT.

          +
          +Note

          The /uel option is not valid in offline migrations.

          +
          +
          + +
          +
            +

          • /uel:0 migrates any users who are currently logged on.

            • +

          • /uel:90 migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days.

            • +

          • /uel:1 migrates users whose account has been modified within the last 24 hours.

            • +

          • /uel:2002/1/15 migrates users who have logged on or been modified January 15, 2002 or afterwards.

            • +
          +

          For example:

          +

          scanstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /uel:0

          /ue:<DomainName>\<UserName>

          +

          -or-

          +

          +

          /ue:<ComputerName>\<LocalUserName>

          (User exclude)

          +

          Excludes the specified users from the migration. You can specify multiple /ue options. You cannot use this option with the /all option. <DomainName> and <UserName> can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you need to surround it with quotation marks.

          +

          For example:

          +

          scanstate /i:migdocs.xml /i:migapp.xml \\server\share\migration\mystore /ue:contoso\user1

          + + + +## How to Use /ui and /ue + + +The following examples apply to both the /**ui** and /**ue** options. You can replace the /**ue** option with the /**ui** option to include, rather than exclude, the specified users. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          BehaviorCommand

          Exclude the user named User One in the Fabrikam domain.

          /ue:"fabrikam\user one"

          Exclude the user named User1 in the Fabrikam domain.

          /ue:fabrikam\user1

          Exclude the local user named User1.

          /ue:%computername%\user1

          Exclude all domain users.

          /ue:Domain\*

          Exclude all local users.

          /ue:%computername%\*

          Exclude users in all domains named User1, User2, and so on.

          /ue:*\user*

          + + + +## Using the Options Together + + +You can use the /**uel**, /**ue** and /**ui** options together to migrate only the users that you want migrated. + +The /**ui** option has precedence over the /**ue** and /**uel** options. If a user is specified to be included using the /**ui** option, and also specified to be excluded using either the /**ue** or /**uel** options, the user will be included in the migration. For example, if you specify `/ui:contoso\* /ue:contoso\user1`, then User1 will be migrated, because the /**ui** option takes precedence over the /**ue** option. + +The /**uel** option takes precedence over the /**ue** option. If a user has logged on within the specified time period set by the /**uel** option, that user’s profile will be migrated even if they are excluded by using the /**ue** option. For example, if you specify `/ue:fixed\user1 /uel:14`, the User1 will be migrated if they have logged on to the computer within the last 14 days. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
          BehaviorCommand

          Include only User2 from the Fabrikam domain and exclude all other users.

          /ue:*\* /ui:fabrikam\user2

          Include only the local user named User1 and exclude all other users.

          /ue:*\* /ui:user1

          Include only the domain users from Contoso, except Contoso\User1.

          This behavior cannot be completed using a single command. Instead, to migrate this set of users, you will need to specify the following:

          +
            +

          • On the ScanState command line, type: /ue:*\* /ui:contoso\*

            • +

          • On the LoadState command line, type: /ue:contoso\user1

            • +

          Include only local (non-domain) users.

          /ue:*\* /ui:%computername%\*

          + + + +## Encrypted File Options + + +You can use the following options to migrate encrypted files. In all cases, by default, USMT fails if an encrypted file is found unless you specify an /**efs** option. To migrate encrypted files, you must change the default behavior. + +For more information, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md). + +**Note** +EFS certificates will be migrated automatically when migrating to Windows 7, Windows 8 or Windows 10. Therefore, you should specify the /**efs:copyraw** option with the **ScanState** command to migrate the encrypted files + + + +**Caution** +Take caution when migrating encrypted files. If you migrate an encrypted file without also migrating the certificate, end users will not be able to access the file after the migration. + + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Command-Line OptionExplanation

          /efs:hardlink

          Creates a hard link to the EFS file instead of copying it. Use only with the /hardlink and the /nocompress options.

          /efs:abort

          Causes the ScanState command to fail with an error code, if an Encrypting File System (EFS) file is found on the source computer. Enabled by default.

          /efs:skip

          Causes the ScanState command to ignore EFS files.

          /efs:decryptcopy

          Causes the ScanState command to decrypt the file, if possible, before saving it to the migration store, and to fail if the file cannot be decrypted. If the ScanState command succeeds, the file will be unencrypted in the migration store, and once you run the LoadState command, the file will be copied to the destination computer.

          /efs:copyraw

          Causes the ScanState command to copy the files in the encrypted format. The files will be inaccessible on the destination computer until the EFS certificates are migrated. EFS certificates will be automatically migrated; however, by default USMT fails if an encrypted file is found, unless you specify an /efs option. Therefore you should specify the /efs:copyraw option with the ScanState command to migrate the encrypted file. Then, when you run the LoadState command, the encrypted file and the EFS certificate will be automatically migrated.

          +

          For example:

          +

          ScanState /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /efs:copyraw

          +
          +Important

          All files must be encrypted if the parent folder is encrypted. If the encryption attribute on a file inside an encrypted folder has been removed, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool. For more information, see Migrate EFS Files and Certificates.

          +
          +
          + +
          + + + +## Incompatible Command-Line Options + + +The following table indicates which command-line options are not compatible with the **ScanState** command. If the table entry for a particular combination is blank, the options are compatible and you can use them together. The X symbol means that the options are not compatible. For example, you cannot use the **/nocompress** option with the **/encrypt** option. + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Command-Line Option/keyfile/nocompress/genconfig/all

          /i

          /o

          /v

          /nocompress

          X

          N/A

          /localonly

          X

          /key

          X

          X

          /encrypt

          Required*

          X

          X

          /keyfile

          N/A

          X

          /l

          /progress

          X

          /r

          X

          /w

          X

          /c

          X

          /p

          X

          N/A

          /all

          X

          /ui

          X

          X

          /ue

          X

          X

          /uel

          X

          X

          /efs:<option>

          X

          /genconfig

          N/A

          /config

          X

          <StorePath>

          X

          + + + +**Note** +You must specify either the /**key** or /**keyfile** option with the /**encrypt** option. + + + +## Related topics + + +[XML Elements Library](usmt-xml-elements-library.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-technical-reference.md b/windows/deployment/usmt/usmt-technical-reference.md index 9b8726e0ce..1ee21e76d4 100644 --- a/windows/deployment/usmt/usmt-technical-reference.md +++ b/windows/deployment/usmt/usmt-technical-reference.md @@ -1,59 +1,59 @@ ---- -title: User State Migration Tool (USMT) Technical Reference (Windows 10) -description: The User State Migration Tool (USMT) is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals. -ms.assetid: f90bf58b-5529-4520-a9f8-b6cb4e4d3add -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# User State Migration Tool (USMT) Technical Reference -The User State Migration Tool (USMT) is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals. - -Download the Windows ADK [from this website](https://go.microsoft.com/fwlink/p/?LinkID=526803). - -**USMT support for Microsoft Office** ->USMT in the Windows ADK for Windows 10, version 1511 (10.1.10586.0) supports migration of user settings for installations of Microsoft Office 2003, 2007, 2010, and 2013.
          ->USMT in the Windows ADK for Windows 10, version 1607 (10.1.14393.0) adds support for migration of user settings for installations of Microsoft Office 2016. - -USMT includes three command-line tools: - -- ScanState.exe
          -- LoadState.exe
          -- UsmtUtils.exe - -USMT also includes a set of three modifiable .xml files: - -- MigApp.xml
          -- MigDocs.xml
          -- MigUser.xml - -Additionally, you can create custom .xml files to support your migration needs. You can also create a Config.xml file to specify files or settings to exclude from the migration. - -USMT tools can be used on several versions of Windows operating systems, for more information, see [USMT Requirements](usmt-requirements.md). For more information about previous releases of the USMT tools, see [User State Migration Tool (USMT) 4.0 User’s Guide](https://go.microsoft.com/fwlink/p/?LinkId=246564). - -## In This Section -|Topic |Description| -|------|-----------| -|[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)|Describes what’s new in USMT, how to get started with USMT, and the benefits and limitations of using USMT.| -|[User State Migration Tool (USMT) How-to topics](usmt-how-to.md)|Includes step-by-step instructions for using USMT, as well as how-to topics for conducting tasks in USMT.| -|[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)|Provides answers to frequently asked questions and common issues in USMT, as well as a reference for return codes used in USMT.| -|[User State Migration Toolkit (USMT) Reference](usmt-reference.md)|Includes reference information for migration planning, migration best practices, command-line syntax, using XML, and requirements for using USMT.| - -## Related topics -- [Windows Assessment and Deployment Kit](https://msdn.microsoft.com/library/windows/hardware/dn247001.aspx) - -  - -  - - - - - +--- +title: User State Migration Tool (USMT) Technical Reference (Windows 10) +description: The User State Migration Tool (USMT) is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals. +ms.assetid: f90bf58b-5529-4520-a9f8-b6cb4e4d3add +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# User State Migration Tool (USMT) Technical Reference +The User State Migration Tool (USMT) is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals. + +Download the Windows ADK [from this website](https://go.microsoft.com/fwlink/p/?LinkID=526803). + +**USMT support for Microsoft Office** +>USMT in the Windows ADK for Windows 10, version 1511 (10.1.10586.0) supports migration of user settings for installations of Microsoft Office 2003, 2007, 2010, and 2013.
          +>USMT in the Windows ADK for Windows 10, version 1607 (10.1.14393.0) adds support for migration of user settings for installations of Microsoft Office 2016. + +USMT includes three command-line tools: + +- ScanState.exe
          +- LoadState.exe
          +- UsmtUtils.exe + +USMT also includes a set of three modifiable .xml files: + +- MigApp.xml
          +- MigDocs.xml
          +- MigUser.xml + +Additionally, you can create custom .xml files to support your migration needs. You can also create a Config.xml file to specify files or settings to exclude from the migration. + +USMT tools can be used on several versions of Windows operating systems, for more information, see [USMT Requirements](usmt-requirements.md). For more information about previous releases of the USMT tools, see [User State Migration Tool (USMT) 4.0 User’s Guide](https://go.microsoft.com/fwlink/p/?LinkId=246564). + +## In This Section +|Topic |Description| +|------|-----------| +|[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)|Describes what’s new in USMT, how to get started with USMT, and the benefits and limitations of using USMT.| +|[User State Migration Tool (USMT) How-to topics](usmt-how-to.md)|Includes step-by-step instructions for using USMT, as well as how-to topics for conducting tasks in USMT.| +|[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)|Provides answers to frequently asked questions and common issues in USMT, as well as a reference for return codes used in USMT.| +|[User State Migration Toolkit (USMT) Reference](usmt-reference.md)|Includes reference information for migration planning, migration best practices, command-line syntax, using XML, and requirements for using USMT.| + +## Related topics +- [Windows Assessment and Deployment Kit](https://msdn.microsoft.com/library/windows/hardware/dn247001.aspx) + +  + +  + + + + + diff --git a/windows/deployment/usmt/usmt-test-your-migration.md b/windows/deployment/usmt/usmt-test-your-migration.md index bbe67d5535..7c4185278b 100644 --- a/windows/deployment/usmt/usmt-test-your-migration.md +++ b/windows/deployment/usmt/usmt-test-your-migration.md @@ -1,53 +1,53 @@ ---- -title: Test Your Migration (Windows 10) -description: Test Your Migration -ms.assetid: 754af276-8386-4eac-8079-3d1e45964a0d -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Test Your Migration - - -Always test your migration plan in a controlled laboratory setting before you deploy it to your entire organization. In your test environment, you need at least one computer for each type of operating system from which you are migrating data. - -After you have thoroughly tested the entire migration process on a single computer running each of your source operating systems, conduct a pilot migration with a small group of users. After migrating a few typical user states to the intermediate store, note the space required and adjust your initial calculations accordingly. For details about estimating the space needed for your migration, see [Estimate Migration Store Size](usmt-estimate-migration-store-size.md). You might also need to adjust the registry-setting and file-location information in your migration-rule files. If you make changes, test the migration again. Then verify that all data and settings have migrated as expected. A pilot migration also gives you an opportunity to test your space estimates for the intermediate store. - -If your test migration encounters any errors, examine the ScanState and LoadState logs to obtain the exact User State Migration Tool (USMT) 10.0 return code and associated error messages or Windows application programming interface (API) error message. For more information about USMT return codes and error messages, see [Return Codes](usmt-return-codes.md). You can also obtain more information about a Windows API error message by typing **net helpmsg** and the error message number on the command line. - -In most cases, the ScanState and LoadState logs indicate why a USMT migration is failing. We recommend that you use the **/v**:5 option when testing your migration. This verbosity level can be adjusted in a production migration. Reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a higher verbosity level if you want the log files output to go to a debugger. - -**Note**   -Running the ScanState and LoadState tools with the **/v**:5 option creates a detailed log file. Although this option makes the log file large, it is helpful in determining where migration errors occurred. - - - -After you have determined that the pilot migration successfully migrated the specified files and settings, you are ready to add USMT to the server that is running Microsoft® System Center Configuration Manager (SCCM), or a non-Microsoft management technology. For more information, see [Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=140246). - -**Note**   -For testing purposes, you can create an uncompressed store using the **/hardlink /nocompress** option. When compression is disabled, the ScanState tool saves the files and settings to a hidden folder named "File" at *StorePath*\\USMT. You can use the uncompressed store to view what USMT has stored or to troubleshoot a problem, or you can run an antivirus utility against the files. Additionally, you can also use the **/listfiles** command-line option and the diagnostic log to list the files that were gathered and to troubleshoot problems with your migration. - - - -## Related topics - - -[Plan Your Migration](usmt-plan-your-migration.md) - -[Log Files](usmt-log-files.md) - - - - - - - - - +--- +title: Test Your Migration (Windows 10) +description: Test Your Migration +ms.assetid: 754af276-8386-4eac-8079-3d1e45964a0d +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Test Your Migration + + +Always test your migration plan in a controlled laboratory setting before you deploy it to your entire organization. In your test environment, you need at least one computer for each type of operating system from which you are migrating data. + +After you have thoroughly tested the entire migration process on a single computer running each of your source operating systems, conduct a pilot migration with a small group of users. After migrating a few typical user states to the intermediate store, note the space required and adjust your initial calculations accordingly. For details about estimating the space needed for your migration, see [Estimate Migration Store Size](usmt-estimate-migration-store-size.md). You might also need to adjust the registry-setting and file-location information in your migration-rule files. If you make changes, test the migration again. Then verify that all data and settings have migrated as expected. A pilot migration also gives you an opportunity to test your space estimates for the intermediate store. + +If your test migration encounters any errors, examine the ScanState and LoadState logs to obtain the exact User State Migration Tool (USMT) 10.0 return code and associated error messages or Windows application programming interface (API) error message. For more information about USMT return codes and error messages, see [Return Codes](usmt-return-codes.md). You can also obtain more information about a Windows API error message by typing **net helpmsg** and the error message number on the command line. + +In most cases, the ScanState and LoadState logs indicate why a USMT migration is failing. We recommend that you use the **/v**:5 option when testing your migration. This verbosity level can be adjusted in a production migration. Reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a higher verbosity level if you want the log files output to go to a debugger. + +**Note**   +Running the ScanState and LoadState tools with the **/v**:5 option creates a detailed log file. Although this option makes the log file large, it is helpful in determining where migration errors occurred. + + + +After you have determined that the pilot migration successfully migrated the specified files and settings, you are ready to add USMT to the server that is running Microsoft® System Center Configuration Manager (SCCM), or a non-Microsoft management technology. For more information, see [Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=140246). + +**Note**   +For testing purposes, you can create an uncompressed store using the **/hardlink /nocompress** option. When compression is disabled, the ScanState tool saves the files and settings to a hidden folder named "File" at *StorePath*\\USMT. You can use the uncompressed store to view what USMT has stored or to troubleshoot a problem, or you can run an antivirus utility against the files. Additionally, you can also use the **/listfiles** command-line option and the diagnostic log to list the files that were gathered and to troubleshoot problems with your migration. + + + +## Related topics + + +[Plan Your Migration](usmt-plan-your-migration.md) + +[Log Files](usmt-log-files.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-topics.md b/windows/deployment/usmt/usmt-topics.md index 4c60bb319d..69321a476c 100644 --- a/windows/deployment/usmt/usmt-topics.md +++ b/windows/deployment/usmt/usmt-topics.md @@ -1,30 +1,30 @@ ---- -title: User State Migration Tool (USMT) Overview Topics (Windows 10) -description: User State Migration Tool (USMT) Overview Topics -ms.assetid: 23170271-130b-416f-a7a7-c2f6adc32eee -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# User State Migration Tool (USMT) Overview Topics -The User State Migration Tool (USMT) 10.0 provides a highly customizable user-profile migration experience for IT professionals. USMT includes three command-line tools: ScanState.exe, LoadState.exe, and UsmtUtils.exe. USMT also includes a set of three modifiable .xml files: MigApp.xml, MigDocs.xml, and MigUser.xml. Additionally, you can create custom .xml files to support your migration needs. You can also create a Config.xml file to specify files or settings to exclude from the migration. - -## In This Section - -|Topic |Description| -|------|-----------| -|[User State Migration Tool (USMT) Overview](usmt-overview.md)|Describes the benefits and limitations of using USMT.| -|[Getting Started with the User State Migration Tool (USMT)](getting-started-with-the-user-state-migration-tool.md)|Describes the general process to follow to migrate files and settings, and provides links to more information.| -|[Windows Upgrade and Migration Considerations](../upgrade/windows-upgrade-and-migration-considerations.md)|Discusses the Microsoft® tools you can use to move files and settings between installations, as well as special considerations for performing an upgrade or migration.| - -## Related topics -- [User State Migration Tool (USMT) How-to topics](usmt-how-to.md) -- [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) -- [User State Migration Toolkit (USMT) Reference](usmt-reference.md) +--- +title: User State Migration Tool (USMT) Overview Topics (Windows 10) +description: User State Migration Tool (USMT) Overview Topics +ms.assetid: 23170271-130b-416f-a7a7-c2f6adc32eee +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# User State Migration Tool (USMT) Overview Topics +The User State Migration Tool (USMT) 10.0 provides a highly customizable user-profile migration experience for IT professionals. USMT includes three command-line tools: ScanState.exe, LoadState.exe, and UsmtUtils.exe. USMT also includes a set of three modifiable .xml files: MigApp.xml, MigDocs.xml, and MigUser.xml. Additionally, you can create custom .xml files to support your migration needs. You can also create a Config.xml file to specify files or settings to exclude from the migration. + +## In This Section + +|Topic |Description| +|------|-----------| +|[User State Migration Tool (USMT) Overview](usmt-overview.md)|Describes the benefits and limitations of using USMT.| +|[Getting Started with the User State Migration Tool (USMT)](getting-started-with-the-user-state-migration-tool.md)|Describes the general process to follow to migrate files and settings, and provides links to more information.| +|[Windows Upgrade and Migration Considerations](../upgrade/windows-upgrade-and-migration-considerations.md)|Discusses the Microsoft® tools you can use to move files and settings between installations, as well as special considerations for performing an upgrade or migration.| + +## Related topics +- [User State Migration Tool (USMT) How-to topics](usmt-how-to.md) +- [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) +- [User State Migration Toolkit (USMT) Reference](usmt-reference.md) diff --git a/windows/deployment/usmt/usmt-troubleshooting.md b/windows/deployment/usmt/usmt-troubleshooting.md index 29613f1c1c..085f3892d2 100644 --- a/windows/deployment/usmt/usmt-troubleshooting.md +++ b/windows/deployment/usmt/usmt-troubleshooting.md @@ -1,73 +1,73 @@ ---- -title: User State Migration Tool (USMT) Troubleshooting (Windows 10) -description: User State Migration Tool (USMT) Troubleshooting -ms.assetid: 770f45bb-2284-463f-a29c-69c04f437533 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# User State Migration Tool (USMT) Troubleshooting - - -The following table describes topics that address common User State Migration Tool (USMT) 10.0 issues and questions. These topics describe tools that you can use to troubleshoot issues that arise during your migration. - -## In This Section - - - ---- - - - - - - - - - - - - - - - - - - - - - - -

          Common Issues

          Find troubleshooting solutions for common problems in USMT.

          Frequently Asked Questions

          Find answers to questions about how to use USMT.

          Log Files

          Learn how to enable logging to help you troubleshoot issues in USMT.

          Return Codes

          Learn how to use return codes to identify problems in USMT.

          USMT Resources

          Find more information and support for using USMT.

          - - - -## Related topics - - -[USMT Best Practices](usmt-best-practices.md) - -[User State Migration Tool (USMT) Overview Topics](usmt-topics.md) - -[User State Migration Tool (USMT) How-to topics](usmt-how-to.md) - -[User State Migration Toolkit (USMT) Reference](usmt-reference.md) - - - - - - - - - +--- +title: User State Migration Tool (USMT) Troubleshooting (Windows 10) +description: User State Migration Tool (USMT) Troubleshooting +ms.assetid: 770f45bb-2284-463f-a29c-69c04f437533 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# User State Migration Tool (USMT) Troubleshooting + + +The following table describes topics that address common User State Migration Tool (USMT) 10.0 issues and questions. These topics describe tools that you can use to troubleshoot issues that arise during your migration. + +## In This Section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + +

          Common Issues

          Find troubleshooting solutions for common problems in USMT.

          Frequently Asked Questions

          Find answers to questions about how to use USMT.

          Log Files

          Learn how to enable logging to help you troubleshoot issues in USMT.

          Return Codes

          Learn how to use return codes to identify problems in USMT.

          USMT Resources

          Find more information and support for using USMT.

          + + + +## Related topics + + +[USMT Best Practices](usmt-best-practices.md) + +[User State Migration Tool (USMT) Overview Topics](usmt-topics.md) + +[User State Migration Tool (USMT) How-to topics](usmt-how-to.md) + +[User State Migration Toolkit (USMT) Reference](usmt-reference.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-utilities.md b/windows/deployment/usmt/usmt-utilities.md index aad70a5dee..4e9269a29d 100644 --- a/windows/deployment/usmt/usmt-utilities.md +++ b/windows/deployment/usmt/usmt-utilities.md @@ -1,351 +1,351 @@ ---- -title: UsmtUtils Syntax (Windows 10) -description: UsmtUtils Syntax -ms.assetid: cdab7f2d-dd68-4016-b9ed-41ffa743b65c -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# UsmtUtils Syntax - - -This topic describes the syntax for the utilities available in User State Migration Tool (USMT) 10.0 through the command-line interface. These utilities: - -- Improve your ability to determine cryptographic options for your migration. - -- Assist in removing hard-link stores that cannot otherwise be deleted due to a sharing lock. - -- Verify whether the catalog file or any of the other files in the compressed migration store have become corrupted. - -- Extract files from the compressed migration store when you migrate files and settings to the destination computer. - -## In This Topic - - -[Usmtutils.exe](#bkmk-usmtutils-exe) - -[Verify Options](#bkmk-verifyoptions) - -[Extract Options](#bkmk-extractoptions) - -## Usmtutils.exe - - -The following table lists command-line options for USMTutils.exe. The sections that follow provide further command-line options for the **/verify** and the **/extract** options. - -The syntax for UsmtUtils.exe is: - -usmtutils \[/ec | /rd *<storeDir>* | /verify *<filepath>* \[options\] | /extract *<filepath>* *<destinationPath>* \[options\]\] - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Command-line OptionDescription

          /ec

          Returns a list of supported cryptographic algorithms (AlgIDs) on the current system. You can use this on a destination computer to determine which algorithm to use with the /encrypt command before you run the ScanState tool on the source computer.

          /rd<storeDir>

          Removes the directory path specified by the <storeDir> argument on the computer. You can use this command to delete hard-link migration stores that cannot otherwise be deleted at a command prompt due to a sharing lock. If the migration store spans multiple volumes on a given drive, it will be deleted from all of these volumes.

          -

          For example:

          -

          usmtutils /rd D:\MyHardLinkStore

          /y

          Overrides the accept deletions prompt when used with the /rd option. When you use the /y option with the /rd option, you will not be prompted to accept the deletions before USMT deletes the directories.

          /verify

          Returns information on whether the compressed migration store is intact or whether it contains corrupted files or a corrupted catalog.

          -

          See Verify Options for syntax and options to use with /verify.

          /extract

          Recovers files from a compressed USMT migration store.

          -

          See Extract Options for syntax and options to use with /extract.

          - - - -## Verify Options - - -Use the **/verify** option when you want to determine whether a compressed migration store is intact or whether it contains corrupted files or a corrupted catalog. For more information on how to use the **/verify** option, see [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md). - -The syntax for **/verify** is: - -usmtutils /verify\[:*<reportType>*\] *<filePath>* \[/l:*<logfile>*\] \[/v:*VerbosityLevel*\] \[/decrypt \[:*<AlgID>*\] {/key:*<keystring>* | /keyfile:*<filename>*}\] - - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
          Command-line OptionDescription

          <reportType>

          Specifies whether to report on all files, corrupted files only, or the status of the catalog.

          -
            -

          • Summary. Returns both the number of files that are intact and the number of files that are corrupted in the migration store. If no algorithm is specified, the summary report is displayed as a default.

            • -

          • all. Returns a tab-delimited list of all of the files in the compressed migration store and the status for each file. Each line contains the file name followed by a tab spacing, and either “CORRUPTED” or “OK” depending on the status of the file. The last entry reports the corruption status of the "CATALOG" of the store. A catalog file contains metadata for all files in a migration store. The LoadState tool requires a valid catalog file in order to open the migration store. Returns "OK" if the catalog file is intact and LoadState can open the migration store and "CORRUPTED" if the migration store is corrupted.

            • -

          • failureonly. Returns a tab-delimited list of only the files that are corrupted in the compressed migration store.

            • -

          • Catalog. Returns only the status of the catalog file.

            • -
          /l: -

          <logfilePath>

          Specifies the location and name of the log file.

          /v:<VerbosityLevel>

          (Verbosity)

          -

          Enables verbose output in the UsmtUtils log file. The default value is 0.

          -

          You can set the VerbosityLevel to one of the following levels:

          - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          LevelExplanation

          0

          Only the default errors and warnings are enabled.

          1

          Enables verbose output.

          4

          Enables error and status output.

          5

          Enables verbose and status output.

          8

          Enables error output to a debugger.

          9

          Enables verbose output to a debugger.

          12

          Enables error and status output to a debugger.

          13

          Enables verbose, status, and debugger output.

          -

           

          /decrypt<AlgID>/:<KeyString>

          -

          or

          -

          /decrypt<AlgID>/:<“Key String”>

          -

          or

          -

          /decrypt:<AlgID>/keyfile:<FileName>

          Specifies that the /encrypt option was used to create the migration store with the ScanState tool. To decrypt the migration store, specify a /key or /keyfile option as follows:

          -
            -

          • <AlgID> specifies the cryptographic algorithm that was used to create the migration store on the ScanState command line. If no algorithm is specified, ScanState and UsmtUtils use the 3DES algorithm as a default.

            -

            <AlgID> valid values include: AES_128, AES_192, AES_256, 3DES, or 3DES_112.

            • -

          • /key:<KeyString> specifies the encryption key. If there is a space in <KeyString>, you must surround the argument with quotation marks.

            • -

          • /keyfile: <FileName> specifies the location and name of a text (.txt) file that contains the encryption key.

            • -
          -

          For more information about supported encryption algorithms, see Migration Store Encryption

          - - - -Some examples of **/verify** commands: - -- `usmtutils /verify D:\MyMigrationStore\store.mig` - -- `usmtutils /verify:catalog D:\MyMigrationStore\store.mig` - -- `usmtutils /verify:all D:\MyMigrationStore\store.mig /decrypt /l:D:\UsmtUtilsLog.txt` - -- `usmtutils /verify:failureonly D:\MyMigrationStore\store.mig /decrypt:AES_192 /keyfile:D:\encryptionKey.txt` - -## Extract Options - - -Use the **/extract** option to recover files from a compressed USMT migration store if it will not restore normally with loadstate. For more information on how to use the **/extract** option, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md). - -The syntax for **/extract** is: - -/extract *<filePath>* *<destinationPath>* \[/i:*<includePattern>*\] \[/e: *<excludePattern>*\] \[/l: *<logfile>*\] \[/v: *VerbosityLevel>*\] \[/decrypt\[:*<AlgID>*\] {key: *<keystring>* | /keyfile: *<filename>*}\] \[/o\] - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Command-line OptionDescription

          <filePath>

          Path to the USMT migration store.

          -

          For example:

          -

          D:\MyMigrationStore\USMT\store.mig

          <destinationPath>

          Path to the folder where the tool puts the individual files.

          /i:<includePattern>

          Specifies a pattern for files to include in the extraction. You can specify more than one pattern. Separate patterns with a comma or a semicolon. You can use /i: <includePattern> and /e: <excludePattern> options in the same command. When both include and exclude patterns are used on the command line, include patterns take precedence over exclude patterns.

          /e:<excludePattern>

          Specifies a pattern for files to omit from the extraction. You can specify more than one pattern. Separate patterns with a comma or a semicolon. You can use /i: <includePattern> and /e: <excludePattern> options in the same command. When both include and exclude patterns are used on the command line, include patterns take precedence over exclude patterns.

          /l:<logfilePath>

          Specifies the location and name of the log file.

          /v:<VerbosityLevel>

          (Verbosity)

          -

          Enables verbose output in the UsmtUtils log file. The default value is 0.

          -

          You can set the VerbosityLevel to one of the following levels:

          - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          LevelExplanation

          0

          Only the default errors and warnings are enabled.

          1

          Enables verbose output.

          4

          Enables error and status output.

          5

          Enables verbose and status output.

          8

          Enables error output to a debugger.

          9

          Enables verbose output to a debugger.

          12

          Enables error and status output to a debugger.

          13

          Enables verbose, status, and debugger output.

          -

           

          /decrypt<AlgID>/key:<KeyString>

          -

          or

          -

          /decrypt<AlgID>/:<“Key String”>

          -

          or

          -

          /decrypt:<AlgID>/keyfile:<FileName>

          Specifies that the /encrypt option was used to create the migration store with the ScanState tool. To decrypt the migration store, you must also specify a /key or /keyfile option as follows:

          -
            -

          • <AlgID> specifies the cryptographic algorithm that was used to create the migration store on the ScanState command line. If no algorithm is specified, ScanState and UsmtUtils use the 3DES algorithm as a default.

            -

            <AlgID> valid values include: AES_128, AES_192, AES_256, 3DES, or 3DES_112.

            • -

          • /key: <KeyString> specifies the encryption key. If there is a space in <KeyString>, you must surround the argument with quotation marks.

            • -

          • /keyfile:<FileName> specifies a text (.txt) file that contains the encryption key

            • -
          -

          For more information about supported encryption algorithms, see Migration Store Encryption.

          /o

          Overwrites existing output files.

          - - - -Some examples of **/extract** commands: - -- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore` - -- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt, *.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt` - -- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtlog.txt` - -- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o` - -## Related topics - - -[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md) - -[Return Codes](usmt-return-codes.md) - - - - - - - - - +--- +title: UsmtUtils Syntax (Windows 10) +description: UsmtUtils Syntax +ms.assetid: cdab7f2d-dd68-4016-b9ed-41ffa743b65c +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# UsmtUtils Syntax + + +This topic describes the syntax for the utilities available in User State Migration Tool (USMT) 10.0 through the command-line interface. These utilities: + +- Improve your ability to determine cryptographic options for your migration. + +- Assist in removing hard-link stores that cannot otherwise be deleted due to a sharing lock. + +- Verify whether the catalog file or any of the other files in the compressed migration store have become corrupted. + +- Extract files from the compressed migration store when you migrate files and settings to the destination computer. + +## In This Topic + + +[Usmtutils.exe](#bkmk-usmtutils-exe) + +[Verify Options](#bkmk-verifyoptions) + +[Extract Options](#bkmk-extractoptions) + +## Usmtutils.exe + + +The following table lists command-line options for USMTutils.exe. The sections that follow provide further command-line options for the **/verify** and the **/extract** options. + +The syntax for UsmtUtils.exe is: + +usmtutils \[/ec | /rd *<storeDir>* | /verify *<filepath>* \[options\] | /extract *<filepath>* *<destinationPath>* \[options\]\] + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Command-line OptionDescription

          /ec

          Returns a list of supported cryptographic algorithms (AlgIDs) on the current system. You can use this on a destination computer to determine which algorithm to use with the /encrypt command before you run the ScanState tool on the source computer.

          /rd<storeDir>

          Removes the directory path specified by the <storeDir> argument on the computer. You can use this command to delete hard-link migration stores that cannot otherwise be deleted at a command prompt due to a sharing lock. If the migration store spans multiple volumes on a given drive, it will be deleted from all of these volumes.

          +

          For example:

          +

          usmtutils /rd D:\MyHardLinkStore

          /y

          Overrides the accept deletions prompt when used with the /rd option. When you use the /y option with the /rd option, you will not be prompted to accept the deletions before USMT deletes the directories.

          /verify

          Returns information on whether the compressed migration store is intact or whether it contains corrupted files or a corrupted catalog.

          +

          See Verify Options for syntax and options to use with /verify.

          /extract

          Recovers files from a compressed USMT migration store.

          +

          See Extract Options for syntax and options to use with /extract.

          + + + +## Verify Options + + +Use the **/verify** option when you want to determine whether a compressed migration store is intact or whether it contains corrupted files or a corrupted catalog. For more information on how to use the **/verify** option, see [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md). + +The syntax for **/verify** is: + +usmtutils /verify\[:*<reportType>*\] *<filePath>* \[/l:*<logfile>*\] \[/v:*VerbosityLevel*\] \[/decrypt \[:*<AlgID>*\] {/key:*<keystring>* | /keyfile:*<filename>*}\] + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
          Command-line OptionDescription

          <reportType>

          Specifies whether to report on all files, corrupted files only, or the status of the catalog.

          +
            +

          • Summary. Returns both the number of files that are intact and the number of files that are corrupted in the migration store. If no algorithm is specified, the summary report is displayed as a default.

            • +

          • all. Returns a tab-delimited list of all of the files in the compressed migration store and the status for each file. Each line contains the file name followed by a tab spacing, and either “CORRUPTED” or “OK” depending on the status of the file. The last entry reports the corruption status of the "CATALOG" of the store. A catalog file contains metadata for all files in a migration store. The LoadState tool requires a valid catalog file in order to open the migration store. Returns "OK" if the catalog file is intact and LoadState can open the migration store and "CORRUPTED" if the migration store is corrupted.

            • +

          • failureonly. Returns a tab-delimited list of only the files that are corrupted in the compressed migration store.

            • +

          • Catalog. Returns only the status of the catalog file.

            • +
          /l: +

          <logfilePath>

          Specifies the location and name of the log file.

          /v:<VerbosityLevel>

          (Verbosity)

          +

          Enables verbose output in the UsmtUtils log file. The default value is 0.

          +

          You can set the VerbosityLevel to one of the following levels:

          + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          LevelExplanation

          0

          Only the default errors and warnings are enabled.

          1

          Enables verbose output.

          4

          Enables error and status output.

          5

          Enables verbose and status output.

          8

          Enables error output to a debugger.

          9

          Enables verbose output to a debugger.

          12

          Enables error and status output to a debugger.

          13

          Enables verbose, status, and debugger output.

          +

           

          /decrypt<AlgID>/:<KeyString>

          +

          or

          +

          /decrypt<AlgID>/:<“Key String”>

          +

          or

          +

          /decrypt:<AlgID>/keyfile:<FileName>

          Specifies that the /encrypt option was used to create the migration store with the ScanState tool. To decrypt the migration store, specify a /key or /keyfile option as follows:

          +
            +

          • <AlgID> specifies the cryptographic algorithm that was used to create the migration store on the ScanState command line. If no algorithm is specified, ScanState and UsmtUtils use the 3DES algorithm as a default.

            +

            <AlgID> valid values include: AES_128, AES_192, AES_256, 3DES, or 3DES_112.

            • +

          • /key:<KeyString> specifies the encryption key. If there is a space in <KeyString>, you must surround the argument with quotation marks.

            • +

          • /keyfile: <FileName> specifies the location and name of a text (.txt) file that contains the encryption key.

            • +
          +

          For more information about supported encryption algorithms, see Migration Store Encryption

          + + + +Some examples of **/verify** commands: + +- `usmtutils /verify D:\MyMigrationStore\store.mig` + +- `usmtutils /verify:catalog D:\MyMigrationStore\store.mig` + +- `usmtutils /verify:all D:\MyMigrationStore\store.mig /decrypt /l:D:\UsmtUtilsLog.txt` + +- `usmtutils /verify:failureonly D:\MyMigrationStore\store.mig /decrypt:AES_192 /keyfile:D:\encryptionKey.txt` + +## Extract Options + + +Use the **/extract** option to recover files from a compressed USMT migration store if it will not restore normally with loadstate. For more information on how to use the **/extract** option, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md). + +The syntax for **/extract** is: + +/extract *<filePath>* *<destinationPath>* \[/i:*<includePattern>*\] \[/e: *<excludePattern>*\] \[/l: *<logfile>*\] \[/v: *VerbosityLevel>*\] \[/decrypt\[:*<AlgID>*\] {key: *<keystring>* | /keyfile: *<filename>*}\] \[/o\] + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Command-line OptionDescription

          <filePath>

          Path to the USMT migration store.

          +

          For example:

          +

          D:\MyMigrationStore\USMT\store.mig

          <destinationPath>

          Path to the folder where the tool puts the individual files.

          /i:<includePattern>

          Specifies a pattern for files to include in the extraction. You can specify more than one pattern. Separate patterns with a comma or a semicolon. You can use /i: <includePattern> and /e: <excludePattern> options in the same command. When both include and exclude patterns are used on the command line, include patterns take precedence over exclude patterns.

          /e:<excludePattern>

          Specifies a pattern for files to omit from the extraction. You can specify more than one pattern. Separate patterns with a comma or a semicolon. You can use /i: <includePattern> and /e: <excludePattern> options in the same command. When both include and exclude patterns are used on the command line, include patterns take precedence over exclude patterns.

          /l:<logfilePath>

          Specifies the location and name of the log file.

          /v:<VerbosityLevel>

          (Verbosity)

          +

          Enables verbose output in the UsmtUtils log file. The default value is 0.

          +

          You can set the VerbosityLevel to one of the following levels:

          + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          LevelExplanation

          0

          Only the default errors and warnings are enabled.

          1

          Enables verbose output.

          4

          Enables error and status output.

          5

          Enables verbose and status output.

          8

          Enables error output to a debugger.

          9

          Enables verbose output to a debugger.

          12

          Enables error and status output to a debugger.

          13

          Enables verbose, status, and debugger output.

          +

           

          /decrypt<AlgID>/key:<KeyString>

          +

          or

          +

          /decrypt<AlgID>/:<“Key String”>

          +

          or

          +

          /decrypt:<AlgID>/keyfile:<FileName>

          Specifies that the /encrypt option was used to create the migration store with the ScanState tool. To decrypt the migration store, you must also specify a /key or /keyfile option as follows:

          +
            +

          • <AlgID> specifies the cryptographic algorithm that was used to create the migration store on the ScanState command line. If no algorithm is specified, ScanState and UsmtUtils use the 3DES algorithm as a default.

            +

            <AlgID> valid values include: AES_128, AES_192, AES_256, 3DES, or 3DES_112.

            • +

          • /key: <KeyString> specifies the encryption key. If there is a space in <KeyString>, you must surround the argument with quotation marks.

            • +

          • /keyfile:<FileName> specifies a text (.txt) file that contains the encryption key

            • +
          +

          For more information about supported encryption algorithms, see Migration Store Encryption.

          /o

          Overwrites existing output files.

          + + + +Some examples of **/extract** commands: + +- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore` + +- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt, *.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt` + +- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtlog.txt` + +- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o` + +## Related topics + + +[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md) + +[Return Codes](usmt-return-codes.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md index 16fd8bd5bc..4fc36c33bc 100644 --- a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md +++ b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md @@ -1,429 +1,429 @@ ---- -title: What does USMT migrate (Windows 10) -description: What does USMT migrate -ms.assetid: f613987d-0f17-43fe-9717-6465865ceda7 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 09/12/2017 -ms.topic: article ---- - -# What does USMT migrate? - - -## In this topic - - -- [Default migration scripts](#bkmk-defaultmigscripts) - -- [User Data](#bkmk-3) - -- [Operating-system components](#bkmk-4) - -- [Supported applications](#bkmk-2) - -- [What USMT does not migrate](#no) - -## Default migration scripts - - -The User State Migration Tool (USMT) 10.0 is designed so that an IT engineer can precisely define migrations using the USMT .xml scripting language. USMT provides the following sample scripts: - -- **MigApp.XML.** Rules to migrate application settings. - -- **MigDocs.XML.** Rules that use the **MigXmlHelper.GenerateDocPatterns** helper function, which can be used to automatically find user documents on a computer without the need to author extensive custom migration .xml files. - -- **MigUser.XML.** Rules to migrate user profiles and user data. - - MigUser.xml gathers everything in a user’s profile and then does a file extension- based search of most of the system for other user data. If data doesn’t match either of these criteria, the data won’t be migrated. For the most part, this file describes a "core" migration. - - The following data does not migrate with MigUser.xml: - - - Files outside the user profile that don’t match one of the file extensions in MigUser.xml. - - - Access control lists (ACLs) for folders outside the user profile. - -## User data - - -This section describes the user data that USMT migrates by default, using the MigUser.xml file. It also defines how to migrate ACLs. - -- **Folders from each user profile.** When you specify the MigUser.xml file, USMT migrates everything in a user’s profiles including the following: - - My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites. - - >[!IMPORTANT] - >Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues#usmt-does-not-migrate-the-start-layout). - -- **Folders from the All Users and Public profiles.** When you specify the MigUser.xml file, USMT also migrates the following from the **All Users** profile in Windows® XP, or the **Public** profile in Windows Vista, Windows 7, or Windows 8: - - - Shared Documents - - - Shared Video - - - Shared Music - - - Shared desktop files - - - Shared Pictures - - - Shared Start menu - - - Shared Favorites - -- **File types.** When you specify the MigUser.xml file, the ScanState tool searches the fixed drives, collects and then migrates files with any of the following file extensions: - - **.accdb, .ch3, .csv, .dif, .doc\*, .dot\*, .dqy, .iqy, .mcw, .mdb\*, .mpp, .one\*, .oqy, .or6, .pot\*, .ppa, .pps\*, .ppt\*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl\*, .vsd, .wk\*, .wpd, .wps, .wq1, .wri, .xl\*, .xla, .xlb, .xls\*.** - - **Note**   - The asterisk (\*) stands for zero or more characters. - - - -- **Access control lists.** USMT migrates ACLs for specified files and folders from computers running both Windows® XP and Windows Vista. For example, if you migrate a file named File1.txt that is read-only for User1 and read/write for User2, these settings will still apply on the destination computer after the migration. - -**Important**   -To migrate ACLs, you must specify the directory to migrate in the MigUser.xml file. Using file patterns like \*.doc will not migrate a directory. The source ACL information is migrated only when you explicitly specify the directory. For example, `c:\test docs`. - - - -## Operating-system components - - -USMT migrates operating-system components to a destination computer from computers running Windows 7 and Windows 8 - -The following components are migrated by default using the manifest files: - -- Accessibility settings - -- Address book - -- Command-prompt settings - -- \*Desktop wallpaper - -- EFS files - -- Favorites - -- Folder options - -- Fonts - -- Group membership. USMT migrates users’ group settings. The groups to which a user belongs can be found by right-clicking **My Computer** on the Start menu and then clicking **Manage**. When running an offline migration, the use of a **<ProfileControl>** section in the Config.xml file is required. - -- \*Windows Internet Explorer® settings - -- Microsoft® Open Database Connectivity (ODBC) settings - -- Mouse and keyboard settings - -- Network drive mapping - -- \*Network printer mapping - -- \*Offline files - -- \*Phone and modem options - -- RAS connection and phone book (.pbk) files - -- \*Regional settings - -- Remote Access - -- \*Taskbar settings - -- User personal certificates (all) - -- Windows Mail. - -- \*Windows Media Player - -- Windows Rights Management - -\* These settings are not available for an offline migration. For more information, see [Offline Migration Reference](offline-migration-reference.md). - -**Important**   -This list may not be complete. There may be additional components that are migrated. - - - -**Note**   -Some settings, such as fonts, are not applied by the LoadState tool until after the destination computer has been restarted. For this reason, restart the destination computer after you run the LoadState tool. - - - -## Supported applications - - -Although it is not required for all applications, it is good practice to install all applications on the destination computer before restoring the user state. Installing applications before migrating settings helps to ensure that the migrated settings are not overwritten by the application installers. - -**Note**   -The versions of installed applications must match on the source and destination computers. USMT does not support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office. - - - -**Note**   -USMT migrates only the settings that have been used or modified by the user. If there is an application setting on the source computer that was not touched by the user, the setting may not migrate. - - - -When you specify the MigApp.xml file, USMT migrates the settings for the following applications: - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          ProductVersion

          Adobe Acrobat Reader

          9

          AOL Instant Messenger

          6.8

          Adobe Creative Suite

          2

          Adobe Photoshop CS

          8, 9

          Adobe ImageReady CS

          Apple iTunes

          6, 7, 8

          Apple QuickTime Player

          5, 6, 7

          Apple Safari

          3.1.2

          Google Chrome

          beta

          Google Picasa

          3

          Google Talk

          beta

          IBM Lotus 1-2-3

          9

          IBM Lotus Notes

          6,7, 8

          IBM Lotus Organizer

          5

          IBM Lotus WordPro

          9.9

          Intuit Quicken Deluxe

          2009

          Money Plus Business

          2008

          Money Plus Home

          2008

          Mozilla Firefox

          3

          Microsoft Office

          2003, 2007, 2010

          Microsoft Office Access®

          2003, 2007, 2010

          Microsoft Office Excel®

          2003, 2007, 2010

          Microsoft Office FrontPage®

          2003, 2007, 2010

          Microsoft Office OneNote®

          2003, 2007, 2010

          Microsoft Office Outlook®

          2003, 2007, 2010

          Microsoft Office PowerPoint®

          2003, 2007, 2010

          Microsoft Office Publisher

          2003, 2007, 2010

          Microsoft Office Word

          2003, 2007, 2010

          Opera Software Opera

          9.5

          Microsoft Outlook Express

          (only mailbox file)

          Microsoft Project

          2003, 2007

          Microsoft Office Visio®

          2003, 2007

          RealPlayer Basic

          11

          Sage Peachtree

          2009

          Skype

          3.8

          Windows Live Mail

          12, 14

          Windows Live Messenger

          8.5, 14

          Windows Live MovieMaker

          14

          Windows Live Photo Gallery

          12, 14

          Windows Live Writer

          12, 14

          Windows Mail

          (Windows 7 and 8)

          Microsoft Works

          9

          Yahoo Messenger

          9

          Microsoft Zune™ Software

          3

          - - - -## What USMT does not migrate - - -The following is a list of the settings that USMT does not migrate. If you are having a problem that is not listed here, see [Common Issues](usmt-common-issues.md). - -### Application settings - -USMT does not migrate the following application settings: - -- Settings from earlier versions of an application. The versions of each application must match on the source and destination computers. USMT does not support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office. USMT can migrate from an earlier version of Microsoft Office to a later version. - -- Application settings and some operating-system settings when a local account is created. For example, if you run /lac to create a local account on the destination computer, USMT will migrate the user data, but only some of the operating-system settings, such as wallpaper and screensaver settings, and no application settings will migrate. - -- Microsoft Project settings, when migrating from Office 2003 to Office 2007 system. - -- ICQ Pro settings, if ICQ Pro is installed in a different location on the destination computer. To successfully migrate the settings of ICQ Pro, you must install ICQ Pro in the same location on the destination computer as it was on the source computer. Otherwise, after you run the LoadState tool, the application will not start. You may encounter problems when: - - - You change the default installation location on 32-bit destination computers. - - - You attempt to migrate from a 32-bit computer to a 64-bit computer. This is because the ICQ Pro default installation directory is different on the two types of computers. When you install ICQ Pro on a 32-bit computer, the default location is "C:\\Program Files\\...". The ICQ Pro default installation directory on an x64-based computer, however, is “C:\\Program Files (x86)\\...”. - -### Operating-System settings - -USMT does not migrate the following operating-system settings. - -- Local printers, hardware-related settings, drivers, passwords, application binary files, synchronization files, DLL files, or other executable files. - -- Permissions for shared folders. After migration, you must manually re-share any folders that were shared on the source computer. - -- Files and settings migrating between operating systems with different languages. The operating system of the source computer must match the language of the operating system on the destination computer. - -- Customized icons for shortcuts may not migrate. - -- Taskbar settings, when the source computer is running Windows XP. - -You should also note the following: - -- You should run USMT from an account with administrative credentials. Otherwise, some data will not migrate. When running the ScanState and LoadState tools you must run the tools in Administrator mode from an account with administrative credentials. If you do not run USMT in Administrator mode, only the user profile that is logged on will be included in the migration. In addition, you must run the ScanState tool on Windows XP from an account with administrative credentials. Otherwise, some operating-system settings will not migrate. To run in Administrator mode, click **Start**, click **All Programs**, click **Accessories**, right-click **Command Prompt**, and then click **Run as administrator**. - -- You can use the /**localonly** option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify /**localonly**, see [ScanState Syntax](usmt-scanstate-syntax.md). - -### Start menu layout - -Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues#usmt-does-not-migrate-the-start-layout). - -## Related topics - - -[Plan your migration](usmt-plan-your-migration.md) - - - - - - - - - +--- +title: What does USMT migrate (Windows 10) +description: What does USMT migrate +ms.assetid: f613987d-0f17-43fe-9717-6465865ceda7 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 09/12/2017 +ms.topic: article +--- + +# What does USMT migrate? + + +## In this topic + + +- [Default migration scripts](#bkmk-defaultmigscripts) + +- [User Data](#bkmk-3) + +- [Operating-system components](#bkmk-4) + +- [Supported applications](#bkmk-2) + +- [What USMT does not migrate](#no) + +## Default migration scripts + + +The User State Migration Tool (USMT) 10.0 is designed so that an IT engineer can precisely define migrations using the USMT .xml scripting language. USMT provides the following sample scripts: + +- **MigApp.XML.** Rules to migrate application settings. + +- **MigDocs.XML.** Rules that use the **MigXmlHelper.GenerateDocPatterns** helper function, which can be used to automatically find user documents on a computer without the need to author extensive custom migration .xml files. + +- **MigUser.XML.** Rules to migrate user profiles and user data. + + MigUser.xml gathers everything in a user’s profile and then does a file extension- based search of most of the system for other user data. If data doesn’t match either of these criteria, the data won’t be migrated. For the most part, this file describes a "core" migration. + + The following data does not migrate with MigUser.xml: + + - Files outside the user profile that don’t match one of the file extensions in MigUser.xml. + + - Access control lists (ACLs) for folders outside the user profile. + +## User data + + +This section describes the user data that USMT migrates by default, using the MigUser.xml file. It also defines how to migrate ACLs. + +- **Folders from each user profile.** When you specify the MigUser.xml file, USMT migrates everything in a user’s profiles including the following: + + My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites. + + >[!IMPORTANT] + >Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues#usmt-does-not-migrate-the-start-layout). + +- **Folders from the All Users and Public profiles.** When you specify the MigUser.xml file, USMT also migrates the following from the **All Users** profile in Windows® XP, or the **Public** profile in Windows Vista, Windows 7, or Windows 8: + + - Shared Documents + + - Shared Video + + - Shared Music + + - Shared desktop files + + - Shared Pictures + + - Shared Start menu + + - Shared Favorites + +- **File types.** When you specify the MigUser.xml file, the ScanState tool searches the fixed drives, collects and then migrates files with any of the following file extensions: + + **.accdb, .ch3, .csv, .dif, .doc\*, .dot\*, .dqy, .iqy, .mcw, .mdb\*, .mpp, .one\*, .oqy, .or6, .pot\*, .ppa, .pps\*, .ppt\*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl\*, .vsd, .wk\*, .wpd, .wps, .wq1, .wri, .xl\*, .xla, .xlb, .xls\*.** + + **Note**   + The asterisk (\*) stands for zero or more characters. + + + +- **Access control lists.** USMT migrates ACLs for specified files and folders from computers running both Windows® XP and Windows Vista. For example, if you migrate a file named File1.txt that is read-only for User1 and read/write for User2, these settings will still apply on the destination computer after the migration. + +**Important**   +To migrate ACLs, you must specify the directory to migrate in the MigUser.xml file. Using file patterns like \*.doc will not migrate a directory. The source ACL information is migrated only when you explicitly specify the directory. For example, `c:\test docs`. + + + +## Operating-system components + + +USMT migrates operating-system components to a destination computer from computers running Windows 7 and Windows 8 + +The following components are migrated by default using the manifest files: + +- Accessibility settings + +- Address book + +- Command-prompt settings + +- \*Desktop wallpaper + +- EFS files + +- Favorites + +- Folder options + +- Fonts + +- Group membership. USMT migrates users’ group settings. The groups to which a user belongs can be found by right-clicking **My Computer** on the Start menu and then clicking **Manage**. When running an offline migration, the use of a **<ProfileControl>** section in the Config.xml file is required. + +- \*Windows Internet Explorer® settings + +- Microsoft® Open Database Connectivity (ODBC) settings + +- Mouse and keyboard settings + +- Network drive mapping + +- \*Network printer mapping + +- \*Offline files + +- \*Phone and modem options + +- RAS connection and phone book (.pbk) files + +- \*Regional settings + +- Remote Access + +- \*Taskbar settings + +- User personal certificates (all) + +- Windows Mail. + +- \*Windows Media Player + +- Windows Rights Management + +\* These settings are not available for an offline migration. For more information, see [Offline Migration Reference](offline-migration-reference.md). + +**Important**   +This list may not be complete. There may be additional components that are migrated. + + + +**Note**   +Some settings, such as fonts, are not applied by the LoadState tool until after the destination computer has been restarted. For this reason, restart the destination computer after you run the LoadState tool. + + + +## Supported applications + + +Although it is not required for all applications, it is good practice to install all applications on the destination computer before restoring the user state. Installing applications before migrating settings helps to ensure that the migrated settings are not overwritten by the application installers. + +**Note**   +The versions of installed applications must match on the source and destination computers. USMT does not support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office. + + + +**Note**   +USMT migrates only the settings that have been used or modified by the user. If there is an application setting on the source computer that was not touched by the user, the setting may not migrate. + + + +When you specify the MigApp.xml file, USMT migrates the settings for the following applications: + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          ProductVersion

          Adobe Acrobat Reader

          9

          AOL Instant Messenger

          6.8

          Adobe Creative Suite

          2

          Adobe Photoshop CS

          8, 9

          Adobe ImageReady CS

          Apple iTunes

          6, 7, 8

          Apple QuickTime Player

          5, 6, 7

          Apple Safari

          3.1.2

          Google Chrome

          beta

          Google Picasa

          3

          Google Talk

          beta

          IBM Lotus 1-2-3

          9

          IBM Lotus Notes

          6,7, 8

          IBM Lotus Organizer

          5

          IBM Lotus WordPro

          9.9

          Intuit Quicken Deluxe

          2009

          Money Plus Business

          2008

          Money Plus Home

          2008

          Mozilla Firefox

          3

          Microsoft Office

          2003, 2007, 2010

          Microsoft Office Access®

          2003, 2007, 2010

          Microsoft Office Excel®

          2003, 2007, 2010

          Microsoft Office FrontPage®

          2003, 2007, 2010

          Microsoft Office OneNote®

          2003, 2007, 2010

          Microsoft Office Outlook®

          2003, 2007, 2010

          Microsoft Office PowerPoint®

          2003, 2007, 2010

          Microsoft Office Publisher

          2003, 2007, 2010

          Microsoft Office Word

          2003, 2007, 2010

          Opera Software Opera

          9.5

          Microsoft Outlook Express

          (only mailbox file)

          Microsoft Project

          2003, 2007

          Microsoft Office Visio®

          2003, 2007

          RealPlayer Basic

          11

          Sage Peachtree

          2009

          Skype

          3.8

          Windows Live Mail

          12, 14

          Windows Live Messenger

          8.5, 14

          Windows Live MovieMaker

          14

          Windows Live Photo Gallery

          12, 14

          Windows Live Writer

          12, 14

          Windows Mail

          (Windows 7 and 8)

          Microsoft Works

          9

          Yahoo Messenger

          9

          Microsoft Zune™ Software

          3

          + + + +## What USMT does not migrate + + +The following is a list of the settings that USMT does not migrate. If you are having a problem that is not listed here, see [Common Issues](usmt-common-issues.md). + +### Application settings + +USMT does not migrate the following application settings: + +- Settings from earlier versions of an application. The versions of each application must match on the source and destination computers. USMT does not support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office. USMT can migrate from an earlier version of Microsoft Office to a later version. + +- Application settings and some operating-system settings when a local account is created. For example, if you run /lac to create a local account on the destination computer, USMT will migrate the user data, but only some of the operating-system settings, such as wallpaper and screensaver settings, and no application settings will migrate. + +- Microsoft Project settings, when migrating from Office 2003 to Office 2007 system. + +- ICQ Pro settings, if ICQ Pro is installed in a different location on the destination computer. To successfully migrate the settings of ICQ Pro, you must install ICQ Pro in the same location on the destination computer as it was on the source computer. Otherwise, after you run the LoadState tool, the application will not start. You may encounter problems when: + + - You change the default installation location on 32-bit destination computers. + + - You attempt to migrate from a 32-bit computer to a 64-bit computer. This is because the ICQ Pro default installation directory is different on the two types of computers. When you install ICQ Pro on a 32-bit computer, the default location is "C:\\Program Files\\...". The ICQ Pro default installation directory on an x64-based computer, however, is “C:\\Program Files (x86)\\...”. + +### Operating-System settings + +USMT does not migrate the following operating-system settings. + +- Local printers, hardware-related settings, drivers, passwords, application binary files, synchronization files, DLL files, or other executable files. + +- Permissions for shared folders. After migration, you must manually re-share any folders that were shared on the source computer. + +- Files and settings migrating between operating systems with different languages. The operating system of the source computer must match the language of the operating system on the destination computer. + +- Customized icons for shortcuts may not migrate. + +- Taskbar settings, when the source computer is running Windows XP. + +You should also note the following: + +- You should run USMT from an account with administrative credentials. Otherwise, some data will not migrate. When running the ScanState and LoadState tools you must run the tools in Administrator mode from an account with administrative credentials. If you do not run USMT in Administrator mode, only the user profile that is logged on will be included in the migration. In addition, you must run the ScanState tool on Windows XP from an account with administrative credentials. Otherwise, some operating-system settings will not migrate. To run in Administrator mode, click **Start**, click **All Programs**, click **Accessories**, right-click **Command Prompt**, and then click **Run as administrator**. + +- You can use the /**localonly** option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify /**localonly**, see [ScanState Syntax](usmt-scanstate-syntax.md). + +### Start menu layout + +Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues#usmt-does-not-migrate-the-start-layout). + +## Related topics + + +[Plan your migration](usmt-plan-your-migration.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-xml-elements-library.md b/windows/deployment/usmt/usmt-xml-elements-library.md index d64010f54e..bfbd4e2c61 100644 --- a/windows/deployment/usmt/usmt-xml-elements-library.md +++ b/windows/deployment/usmt/usmt-xml-elements-library.md @@ -8,6 +8,7 @@ ms.author: greglin ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.date: 04/19/2017 ms.topic: article @@ -138,7 +139,7 @@ Syntax: The following example is from the MigApp.xml file: -```xml +``` xml %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [UpgradeVersion] @@ -212,7 +213,7 @@ Syntax: The following example is from the MigApp.xml file: -```xml +``` xml %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [Lang] DWORD @@ -275,7 +276,7 @@ Syntax: The following example is from the MigApp.xml file: -```xml +``` xml %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [Lang] DWORD @@ -455,7 +456,7 @@ For example, In the code sample below, the <condition> elements, A and B, are joined together by the AND operator because they are in separate <conditions> sections. For example: -```xml +``` xml A @@ -468,7 +469,7 @@ In the code sample below, the <condition> elements, A and B, are joined to However, in the code sample below, the <condition> elements, A and B, are joined together by the OR operator because they are in the same <conditions> section. -```xml +``` xml A @@ -826,7 +827,7 @@ For example: ~~~ For example: -```xml +``` xml MigXmlHelper.DoesStringContentEqual("File","%USERNAME%","") ``` ~~~ @@ -914,7 +915,7 @@ For example: ~~~ For example: -```xml +``` xml MigXmlHelper.IsSameObject("File","%CSIDL_FAVORITES%","%CSIDL_COMMON_FAVORITES%") %CSIDL_FAVORITES%\* [*] @@ -1055,7 +1056,7 @@ Syntax: The following example is from the MigApp.xml file: -```xml +``` xml MigXmlHelper.IsNative64Bit() @@ -1152,13 +1153,13 @@ The following functions generate patterns out of the content of an object. These ~~~ For example: -```xml +``` xml ``` and -```xml +``` xml ``` ~~~ @@ -1243,7 +1244,7 @@ and ~~~ For example: -```xml +``` xml @@ -1365,7 +1366,7 @@ The following functions change the content of objects as they are migrated. Thes ~~~ For example: -```xml +``` xml HKCU\Control Panel\Desktop [ScreenSaveUsePassword] @@ -1622,7 +1623,7 @@ Syntax: The following code sample shows how the <description> element defines the "My custom component" description.: -```xml +``` xml My custom component ``` @@ -1677,7 +1678,7 @@ Syntax: For example: -```xml +``` xml HKCU\Software\Lotus\123\99.0\DDE Preferences\* [*] @@ -1807,7 +1808,7 @@ Syntax: The following example is from the MigApp.xml file. -```xml +``` xml MigXmlHelper.DoesFileVersionMatch("%Lotus123InstPath%\123w.exe","ProductVersion","9.*") @@ -1878,7 +1879,7 @@ Syntax: For example: -```xml +``` xml MigXmlHelper.DoesObjectExist("Registry","HKCU\Software\Adobe\Photoshop\8.0") @@ -1889,7 +1890,7 @@ For example: and -```xml +``` xml @@ -1945,7 +1946,7 @@ Syntax: For example: -```xml +``` xml Command Prompt settings ``` @@ -2012,7 +2013,7 @@ Syntax: In this scenario, you want to generate the location of objects at run time depending on the configuration of the destination computer. For example, you must do this if an application writes data in the directory where it is installed, and users can install the application anywhere on the computer. If the application writes a registry value hklm\\software\\companyname\\install \[path\] and then updates this value with the location where the application is installed, then the only way for you to migrate the required data correctly is to define an environment variable. For example: -```xml +``` xml @@ -2022,7 +2023,7 @@ In this scenario, you want to generate the location of objects at run time depen Then you can use an include rule as follows. You can use any of the [<script> functions](#scriptfunctions) to perform similar tasks. -```xml +``` xml %INSTALLPATH%\ [*.xyz] @@ -2032,7 +2033,7 @@ Then you can use an include rule as follows. You can use any of the [<script& Second, you can also filter registry values that contain data that you need. The following example extracts the first string (before the separator ",") in the value of the registry Hklm\\software\\companyname\\application\\ \[Path\]. -```xml +``` xml @@ -2050,7 +2051,7 @@ Second, you can also filter registry values that contain data that you need. The In this scenario, you want to migrate five files named File1.txt, File2.txt, and so on, from %SYSTEMDRIVE%\\data\\userdata\\dir1\\dir2\\. To do this you must have the following <include> rule in an .xml file: -```xml +``` xml %SYSTEMDRIVE%\data\userdata\dir1\dir2 [File1.txt] @@ -2064,7 +2065,7 @@ In this scenario, you want to migrate five files named File1.txt, File2.txt, and Instead of typing the path five times, you can create a variable for the location as follows: -```xml +``` xml %SYSTEMDRIVE%\data\userdata\dir1\dir2 @@ -2074,7 +2075,7 @@ Instead of typing the path five times, you can create a variable for the locatio Then, you can specify the variable in an <include> rule as follows: -```xml +``` xml %DATAPATH% [File1.txt] @@ -2133,7 +2134,7 @@ Syntax: For example, from the MigUser.xml file: -```xml +``` xml %CSIDL_MYMUSIC%\* [*] @@ -2190,7 +2191,7 @@ Syntax: Example: -```xml +``` xml @@ -2297,7 +2298,7 @@ Syntax: For example, if you want to migrate all \*.doc files from the source computer, specifying the following code under the <component> element: -```xml +``` xml doc @@ -2305,7 +2306,7 @@ For example, if you want to migrate all \*.doc files from the source computer, s is the same as specifying the following code below the <rules> element: -```xml +``` xml @@ -2418,7 +2419,7 @@ Syntax: The following example is from the MigUser.xml file: -```xml +``` xml My Video @@ -2501,7 +2502,7 @@ The following functions return a Boolean value. You can use them to migrate cert For example: - ```xml + ``` xml %CSIDL_COMMON_VIDEO%\* [*] @@ -2517,7 +2518,7 @@ The following functions return a Boolean value. You can use them to migrate cert In the following example, HKCU\\Control Panel\\International \[Locale\] will be included in the store, but it will not be migrated to the destination computer: - ```xml + ``` xml HKCU\Control Panel\International [Locale] @@ -2634,7 +2635,7 @@ Syntax: The following example is from the MigApp.xml file: -```xml +``` xml %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [UpgradeVersion] @@ -2695,7 +2696,7 @@ Syntax: The following example is from the MigApp.xml file: -```xml +``` xml %CSIDL_APPDATA%\Microsoft\Office\ [Access10.pip] @@ -2740,7 +2741,7 @@ The following functions change the location of objects as they are migrated when ~~~ For example: -```xml +``` xml HKCU\Keyboard Layout\Toggle [] @@ -2817,7 +2818,7 @@ For example: ~~~ For example: -```xml +``` xml %CSIDL_COMMON_FAVORITES%\* [*] @@ -2923,7 +2924,7 @@ Syntax: The following example is from the MigUser.xml file: -```xml +``` xml @@ -2948,7 +2949,7 @@ These functions control how collisions are resolved. For example: - ```xml + ``` xml HKCU\Software\Microsoft\Office\9.0\PhotoDraw\ [MyPictures] @@ -3037,7 +3038,7 @@ These functions control how collisions are resolved. For example: - ```xml + ``` xml %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Publisher [UpgradeVersion] @@ -3097,7 +3098,7 @@ Syntax: The following example is from the MigApp.xml file: -```xml +``` xml ``` @@ -3138,7 +3139,7 @@ This filter helper function can be used to filter the migration of files based o -```xml +``` xml File_size @@ -3194,7 +3195,7 @@ Syntax: The following example is from the MigApp.xml file: -```xml +``` xml %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [UpgradeVersion] @@ -3230,7 +3231,7 @@ Syntax: The following example is from the MigUser.xml file: -```xml +``` xml My Music @@ -3273,7 +3274,7 @@ This is an internal USMT element. Do not use this element. You can use this element to specify multiple objects. You can specify multiple <pattern> elements for each <objectSet> element and they will be combined. If you are specifying files, you may want to use GenerateDrivePatterns with <script> instead. GenerateDrivePatterns is basically the same as a <pattern> rule, without the drive letter specification. For example, the following two lines of code are similar: -```xml +``` xml C:\Folder\* [Sample.doc] ``` @@ -3336,13 +3337,13 @@ For example: - To migrate a single registry key: - ```xml + ``` xml HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache [Persistent] ``` - To migrate the EngineeringDrafts folder and any subfolders from the C: drive: - ```xml + ``` xml C:\EngineeringDrafts\* [*] ``` @@ -3352,13 +3353,13 @@ For example: - To migrate the Sample.doc file from C:\\EngineeringDrafts: - ```xml + ``` xml C:\EngineeringDrafts\ [Sample.doc] ``` - To migrate the Sample.doc file from where ever it exists on the C: drive use pattern in the following way. If multiple files exist with the same name on the C: drive, then all of these files will be migrated. - ```xml + ``` xml C:\* [Sample.doc] ``` @@ -3484,7 +3485,7 @@ Syntax: The following example is from the MigUser.xml file. For more examples, see the MigApp.xml file: -```xml +``` xml Start Menu @@ -3571,7 +3572,7 @@ Syntax: The following example is from the MigUser.xml file: -```xml +``` xml My Music @@ -3679,7 +3680,7 @@ Examples: To migrate the Sample.doc file from any drive on the source computer, use <script> as follows. If multiple files exist with the same name, all such files will get migrated. -```xml +``` xml ``` @@ -3744,7 +3745,7 @@ These functions return either a string or a pattern. ~~~ For example: -```xml +``` xml @@ -3849,7 +3850,7 @@ If GenerateUserPattens('File','%userprofile% \[\*.doc\]','FALSE') is called whil The following is example code for this scenario. The first <rules> element migrates all.doc files on the source computer with the exception of those inside C:\\Documents and Settings. The second <rules> elements will migrate all .doc files from C:\\Documents and Settings with the exception of the .doc files in the profiles of the other users. Because the second <rules> element will be processed in each migrated user context, the end result will be the desired behavior. The end result is the one we expected. -```xml +``` xml @@ -3915,7 +3916,7 @@ This helper function invokes the document finder to scan the system for all file -```xml +``` xml MigDocUser @@ -3942,7 +3943,7 @@ The following scripts have no return value. You can use the following errors wit - **AskForLogoff()**. Prompts the user to log off at the end of the migration. For example: - ```xml + ``` xml @@ -3952,7 +3953,7 @@ The following scripts have no return value. You can use the following errors wit - **KillExplorer()**. Stops Explorer.exe for the current user context. This allows access to certain keys and files that are kept open when Explorer.exe is running. For example: - ```xml + ``` xml @@ -3960,7 +3961,7 @@ The following scripts have no return value. You can use the following errors wit - **RegisterFonts(FileEncodedLocation)**. Registers the given font or all of the fonts in the given directory. For example: - ```xml + ``` xml @@ -3970,7 +3971,7 @@ The following scripts have no return value. You can use the following errors wit - **RestartExplorer().** Restarts Explorer.exe at the end of the migration. For example: - ```xml + ``` xml @@ -4020,7 +4021,7 @@ Syntax: For example: -```xml +``` xml %CSIDL_COMMON_APPDATA%\QuickTime @@ -4045,7 +4046,7 @@ Syntax: The following .xml file excludes all .mp3 files from migration. For additional examples of how to use this element, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md). -```xml +``` xml Test @@ -4116,7 +4117,7 @@ Syntax: The following example is from the MigApp.xml file: -```xml +``` xml HKLM\Software @@ -4168,7 +4169,7 @@ Syntax: For example: -```xml +``` xml 4.* ``` diff --git a/windows/deployment/usmt/usmt-xml-reference.md b/windows/deployment/usmt/usmt-xml-reference.md index 8dda62c31d..e69e94db8f 100644 --- a/windows/deployment/usmt/usmt-xml-reference.md +++ b/windows/deployment/usmt/usmt-xml-reference.md @@ -1,78 +1,78 @@ ---- -title: USMT XML Reference (Windows 10) -description: USMT XML Reference -ms.assetid: fb946975-0fee-4ec0-b3ef-7c34945ee96f -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# USMT XML Reference - - -This section contains topics that you can use to work with and to customize the migration XML files. - -## In This Section - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Understanding Migration XML Files

          Provides an overview of the default and custom migration XML files and includes guidelines for creating and editing a customized version of the MigDocs.xml file.

          Config.xml File

          Describes the Config.xml file and policies concerning its configuration.

          Customize USMT XML Files

          Describes how to customize USMT XML files.

          Custom XML Examples

          Gives examples of XML files for various migration scenarios.

          Conflicts and Precedence

          Describes the precedence of migration rules and how conflicts are handled.

          General Conventions

          Describes the XML helper functions.

          XML File Requirements

          Describes the requirements for custom XML files.

          Recognized Environment Variables

          Describes environment variables recognized by USMT.

          XML Elements Library

          Describes the XML elements and helper functions for authoring migration XML files to use with USMT.

          - - - - - - - - - - - +--- +title: USMT XML Reference (Windows 10) +description: USMT XML Reference +ms.assetid: fb946975-0fee-4ec0-b3ef-7c34945ee96f +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# USMT XML Reference + + +This section contains topics that you can use to work with and to customize the migration XML files. + +## In This Section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

          Understanding Migration XML Files

          Provides an overview of the default and custom migration XML files and includes guidelines for creating and editing a customized version of the MigDocs.xml file.

          Config.xml File

          Describes the Config.xml file and policies concerning its configuration.

          Customize USMT XML Files

          Describes how to customize USMT XML files.

          Custom XML Examples

          Gives examples of XML files for various migration scenarios.

          Conflicts and Precedence

          Describes the precedence of migration rules and how conflicts are handled.

          General Conventions

          Describes the XML helper functions.

          XML File Requirements

          Describes the requirements for custom XML files.

          Recognized Environment Variables

          Describes environment variables recognized by USMT.

          XML Elements Library

          Describes the XML elements and helper functions for authoring migration XML files to use with USMT.

          + + + + + + + + + + + diff --git a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md index 5c83d3b22e..433a6a1605 100644 --- a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md +++ b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md @@ -1,128 +1,128 @@ ---- -title: Verify the Condition of a Compressed Migration Store (Windows 10) -description: Verify the Condition of a Compressed Migration Store -ms.assetid: 4a3fda96-5f7d-494a-955f-6b865ec9fcae -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Verify the Condition of a Compressed Migration Store - - -When you migrate files and settings during a typical PC-refresh migration, the user state is usually stored in a compressed folder on the intermediate store. This compressed folder, also called the compressed migration store, is a single image file that contains: - -- All of the files being migrated. - -- The user’s settings. - -- A catalog file that contains metadata for all files in the migration store. - -When you run the **LoadState** command to load the data from these files to the destination computer, LoadState requires a valid catalog file in order to open the migration store. You can run the **UsmtUtils** command with the **/verify** option to determine whether the compressed migration store is intact, or whether it contains corrupted files or a corrupted catalog. You should run the **/verify** option on the migration store before you overwrite the original user-state files and settings. - -When you use the **/verify** option, you can specify what type of information to report in the UsmtUtils log file. These report types are: - -- **Catalog**: Displays the status of only the catalog file. - -- **All**: Displays the status of all files, including the catalog file. - -- **Failure only**: Displays only the files that are corrupted. - -## In This Topic - - -The following sections demonstrate how to run the **UsmtUtils** command with the **/verify** option, and how to specify the information to display in the UsmtUtils log file. - -- [The UsmtUtils syntax for the /verify option](#bkmk-verifysyntax) - -- [To verify that the migration store is intact](#bkmk-verifyintactstore) - -- [To verify the status of only the catalog file](#bkmk-verifycatalog) - -- [To verify the status of all files](#bkmk-verifyallfiles) - -- [To verify the status of the files and return only the corrupted files](#bkmk-returncorrupted) - -### The UsmtUtils Syntax for the /verify Option - -To verify the condition of a compressed migration store, use the following UsmtUtils syntax: - -cd /d<USMTpath>usmtutils /verify\[:<reportType>\] <filePath> \[/l:<logfile>\] \[/decrypt \[:<AlgID>\] {/key:<keystring> | /keyfile:<filename>}\] - -Where the placeholders have the following values: - -- *<USMTpath>* is the location where you have saved the USMT files and tools. - -- *<reportType>* specifies whether to report on all files, corrupted files only, or the status of the catalog. - -- *<filePath>* is the location of the compressed migration store. - -- *<logfile>* is the location and name of the log file. - -- *<AlgID>* is the cryptographic algorithm that was used to create the migration store on the **ScanState** command line. - -- *<keystring>* is the encryption key that was used to encrypt the migration store. - -- *<filename>* is the location and name of the text file that contains the encryption key. - -### To Verify that the Migration Store is Intact - -To verify whether the migration store is intact or whether it contains corrupted files or a corrupted catalog, type: - -``` syntax -usmtutils /verify D:\MyMigrationStore\store.mig -``` - -Because no report type is specified, UsmtUtils displays the default summary report. - -### To Verify the Status of Only the Catalog File - -To verify whether the catalog file is corrupted or intact, type: - -``` syntax -usmtutils /verify:catalog D:\MyMigrationStore\store.mig -``` - -### To Verify the Status of all Files - -To verify whether there are any corrupted files in the compressed migration store, and to specify the name and location of the log file, type: - -`usmtutils /verify:all D:\MyMigrationStore\store.mig /decrypt /l:D:\UsmtUtilsLog.txt` - -In addition to verifying the status of all files, this example decrypts the files. Because no encryption algorithm is specified, UsmtUtils uses the default 3DES cryptographic algorithm. - -### To Verify the Status of the Files and Return Only the Corrupted Files - -In this example, the log file will only list the files that became corrupted during the ScanState process. This list will include the catalog file if it is also corrupted. - -``` syntax -usmtutils /verify:failureonly D:\MyMigrationStore\USMT\store.mig /decrypt:AES_192 /keyfile:D:\encryptionKey.txt -``` - -This example also decrypts the files by specifying the cryptographic algorithm and the location of the file that contains the encryption key. - -### Next Steps - -If the **/verify** option indicates that there are corrupted files in the migration store, you can use the **/extract** option in the UsmtUtils tool to recover data from some corrupted stores. For more information, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md). - -## Related topics - - -[UsmtUtils Syntax](usmt-utilities.md) - -[Return Codes](usmt-return-codes.md) - -  - -  - - - - - +--- +title: Verify the Condition of a Compressed Migration Store (Windows 10) +description: Verify the Condition of a Compressed Migration Store +ms.assetid: 4a3fda96-5f7d-494a-955f-6b865ec9fcae +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Verify the Condition of a Compressed Migration Store + + +When you migrate files and settings during a typical PC-refresh migration, the user state is usually stored in a compressed folder on the intermediate store. This compressed folder, also called the compressed migration store, is a single image file that contains: + +- All of the files being migrated. + +- The user’s settings. + +- A catalog file that contains metadata for all files in the migration store. + +When you run the **LoadState** command to load the data from these files to the destination computer, LoadState requires a valid catalog file in order to open the migration store. You can run the **UsmtUtils** command with the **/verify** option to determine whether the compressed migration store is intact, or whether it contains corrupted files or a corrupted catalog. You should run the **/verify** option on the migration store before you overwrite the original user-state files and settings. + +When you use the **/verify** option, you can specify what type of information to report in the UsmtUtils log file. These report types are: + +- **Catalog**: Displays the status of only the catalog file. + +- **All**: Displays the status of all files, including the catalog file. + +- **Failure only**: Displays only the files that are corrupted. + +## In This Topic + + +The following sections demonstrate how to run the **UsmtUtils** command with the **/verify** option, and how to specify the information to display in the UsmtUtils log file. + +- [The UsmtUtils syntax for the /verify option](#bkmk-verifysyntax) + +- [To verify that the migration store is intact](#bkmk-verifyintactstore) + +- [To verify the status of only the catalog file](#bkmk-verifycatalog) + +- [To verify the status of all files](#bkmk-verifyallfiles) + +- [To verify the status of the files and return only the corrupted files](#bkmk-returncorrupted) + +### The UsmtUtils Syntax for the /verify Option + +To verify the condition of a compressed migration store, use the following UsmtUtils syntax: + +cd /d<USMTpath>usmtutils /verify\[:<reportType>\] <filePath> \[/l:<logfile>\] \[/decrypt \[:<AlgID>\] {/key:<keystring> | /keyfile:<filename>}\] + +Where the placeholders have the following values: + +- *<USMTpath>* is the location where you have saved the USMT files and tools. + +- *<reportType>* specifies whether to report on all files, corrupted files only, or the status of the catalog. + +- *<filePath>* is the location of the compressed migration store. + +- *<logfile>* is the location and name of the log file. + +- *<AlgID>* is the cryptographic algorithm that was used to create the migration store on the **ScanState** command line. + +- *<keystring>* is the encryption key that was used to encrypt the migration store. + +- *<filename>* is the location and name of the text file that contains the encryption key. + +### To Verify that the Migration Store is Intact + +To verify whether the migration store is intact or whether it contains corrupted files or a corrupted catalog, type: + +``` syntax +usmtutils /verify D:\MyMigrationStore\store.mig +``` + +Because no report type is specified, UsmtUtils displays the default summary report. + +### To Verify the Status of Only the Catalog File + +To verify whether the catalog file is corrupted or intact, type: + +``` syntax +usmtutils /verify:catalog D:\MyMigrationStore\store.mig +``` + +### To Verify the Status of all Files + +To verify whether there are any corrupted files in the compressed migration store, and to specify the name and location of the log file, type: + +`usmtutils /verify:all D:\MyMigrationStore\store.mig /decrypt /l:D:\UsmtUtilsLog.txt` + +In addition to verifying the status of all files, this example decrypts the files. Because no encryption algorithm is specified, UsmtUtils uses the default 3DES cryptographic algorithm. + +### To Verify the Status of the Files and Return Only the Corrupted Files + +In this example, the log file will only list the files that became corrupted during the ScanState process. This list will include the catalog file if it is also corrupted. + +``` syntax +usmtutils /verify:failureonly D:\MyMigrationStore\USMT\store.mig /decrypt:AES_192 /keyfile:D:\encryptionKey.txt +``` + +This example also decrypts the files by specifying the cryptographic algorithm and the location of the file that contains the encryption key. + +### Next Steps + +If the **/verify** option indicates that there are corrupted files in the migration store, you can use the **/extract** option in the UsmtUtils tool to recover data from some corrupted stores. For more information, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md). + +## Related topics + + +[UsmtUtils Syntax](usmt-utilities.md) + +[Return Codes](usmt-return-codes.md) + +  + +  + + + + + diff --git a/windows/deployment/usmt/xml-file-requirements.md b/windows/deployment/usmt/xml-file-requirements.md index 89576c00a4..aeae8b54ae 100644 --- a/windows/deployment/usmt/xml-file-requirements.md +++ b/windows/deployment/usmt/xml-file-requirements.md @@ -8,6 +8,7 @@ ms.author: greglin ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.date: 04/19/2017 ms.topic: article @@ -20,20 +21,20 @@ When creating custom .xml files, note the following requirements: - **The file must be in Unicode Transformation Format-8 (UTF-8).** You must save the file in this format, and you must specify the following syntax at the beginning of each .xml file: - ```xml + ``` xml ``` - **The file must have a unique migration urlid**. The urlid of each file that you specify on the command line must be different. If two migration .xml files have the same urlid, the second .xml file that is specified on the command line will not be processed. This is because USMT uses the urlid to define the components within the file. For example, you must specify the following syntax at the beginning of each file: - ```xml + ``` xml ``` - **Each component in the file must have a display name in order for it to appear in the Config.xml file.** This is because the Config.xml file defines the components by the display name and the migration urlid. For example, specify the following syntax: - ```xml + ``` xml My Application ``` diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index 11795953dd..1ed8638bcc 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md @@ -1,149 +1,149 @@ ---- -title: Configure VDA for Windows 10 Subscription Activation -ms.reviewer: -manager: laurawi -ms.author: greg-lindsay -description: How to enable Windows 10 Enterprise E3 and E5 subscriptions for VDA -keywords: upgrade, update, task sequence, deploy -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -author: greg-lindsay -ms.topic: article -ms.collection: M365-modern-desktop ---- - -# Configure VDA for Windows 10 Subscription Activation - -This document describes how to configure virtual machines (VMs) to enable [Windows 10 Subscription Activation](windows-10-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based licensing mechanism for managing access to virtual desktops. - -Deployment instructions are provided for the following scenarios: -1. [Active Directory-joined VMs](#active-directory-joined-vms) -2. [Azure Active Directory-joined VMs](#azure-active-directory-joined-vms) -3. [Azure Gallery VMs](#azure-gallery-vms) - -## Requirements - -- VMs must be running Windows 10 Pro, version 1703 (also known as the Creator's Update) or later. -- VMs must be Active Directory-joined or Azure Active Directory (AAD)-joined. -- VMs must be generation 1. -- VMs must hosted by a [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH). - -## Activation - -### Scenario 1 -- The VM is running Windows 10, version 1803 or later. -- The VM is hosted in Azure or another [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH). - - When a user with VDA rights signs in to the VM using their AAD credentials, the VM is automatically stepped-up to Enterprise and activated. There is no need to perform Windows 10 Pro activation. This eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure. - -### Scenario 2 -- The Hyper-V host and the VM are both running Windows 10, version 1803 or later. - - [Inherited Activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation#inherited-activation) is enabled. All VMs created by a user with a Windows 10 E3 or E5 license are automatically activated independent of whether a user signs in with a local account or using an Azure Active Directory account. - -### Scenario 3 -- The VM is running Windows 10, version 1703 or 1709, or the hoster is not an authorized [QMTH](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) partner. - - In this scenario, the underlying Windows 10 Pro license must be activated prior to Subscription Activation of Windows 10 Enterprise. Activation is accomplished using a Windows 10 Pro Generic Volume License Key (GVLK) and a Volume License KMS activation server provided by the hoster. Alternatively, a KMS activation server on your corporate network can be used if you have configured a private connection, such as [ExpressRoute](https://azure.microsoft.com/services/expressroute/) or [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/). - -For examples of activation issues, see [Troubleshoot the user experience](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses#troubleshoot-the-user-experience). - -## Active Directory-joined VMs - -1. Use the following instructions to prepare the VM for Azure: [Prepare a Windows VHD or VHDX to upload to Azure](https://docs.microsoft.com/azure/virtual-machines/windows/prepare-for-upload-vhd-image) -2. (Optional) To disable network level authentication, type the following at an elevated command prompt: - - ``` - REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f - ``` - -3. At an elevated command prompt, type **sysdm.cpl** and press ENTER. -4. On the Remote tab, choose **Allow remote connections to this computer** and then click **Select Users**. -5. Click **Add**, type **Authenticated users**, and then click **OK** three times. -6. Follow the instructions to use sysprep at [Steps to generalize a VHD](https://docs.microsoft.com/azure/virtual-machines/windows/prepare-for-upload-vhd-image#steps-to-generalize-a-vhd) and then start the VM again. -7. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd). -8. Open Windows Configuration Designer and click **Provison desktop services**. -9. If you must activate Windows 10 Pro as described for [scenario 3](#scenario-3), complete the following steps. Otherwise, skip to step 10. - - 1. Under **Name**, type **Desktop AD Enrollment Pro GVLK**, click **Finish**, and then on the **Set up device** page enter a device name. - - Note: You can use a different project name, but this name is also used with dism.exe in a subsequent step. - 2. Under **Enter product key** type the Pro GVLK key: **W269N-WFGWX-YVC9B-4J6C9-T83GX**. -10. On the Set up network page, choose **Off**. -11. On the Account Management page, choose **Enroll into Active Directory** and then enter the account details. - - Note: This step is different for [Azure AD-joined VMs](#azure-active-directory-joined-vms). -12. On the Add applications page, add applications if desired. This step is optional. -13. On the Add certificates page, add certificates if desired. This step is optional. -14. On the Finish page, click **Create**. -15. If you must activate Windows 10 Pro as described for [scenario 3](#scenario-3), complete the following steps. Otherwise, skip to step 16. - 1. In file explorer, double-click the VHD to mount the disk image. Determine the drive letter of the mounted image. - 2. Type the following at an elevated commnand prompt. Replace the letter **G** with the drive letter of the mounted image, and enter the project name you used if it is different than the one suggested: - - ``` - Dism.exe /Image=G:\ /Add-ProvisioningPackage /PackagePath: "Desktop AD Enrollment Pro GVLK.ppkg" - ``` - 3. Right-click the mounted image in file explorer and click **Eject**. -16. See instructions at [Upload and create VM from generalized VHD](https://docs.microsoft.com/azure/virtual-machines/windows/upload-generalized-managed#log-in-to-azure) to log in to Azure, get your storage account details, upload the VHD, and create a managed image. - -## Azure Active Directory-joined VMs - ->[!IMPORTANT] ->Azure Active Directory (Azure AD) provisioning packages have a 180 day limit on bulk token usage. You will need to update the provisioning package and re-inject it into the image after 180 days. Existing virtual machines that are Azure AD-joined and deployed will not need to be recreated. - -For Azure AD-joined VMs, follow the same instructions (above) as for [Active Directory-joined VMs](#active-directory-joined-vms) with the following exceptions: -- In step 9, during setup with Windows Configuration Designer, under **Name**, type a name for the project that indicates it is not for Active Directory joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**. -- In step 11, during setup with Windows Configuration Designer, on the Account Management page, instead of enrolling in Active Directory, choose **Enroll in Azure AD**, click **Get Bulk Token**, sign in and add the bulk token using your organization's credentials. -- In step 15, sub-step 2, when entering the PackagePath, use the project name you entered in step 9 (ex: **Desktop Bulk Enrollment Token Pro GVLK.ppkg**) -- When attempting to access the VM using remote desktop, you will need to create a custom RDP settings file as described below in [Create custom RDP settings for Azure](#create-custom-rdp-settings-for-azure). - -## Azure Gallery VMs - -1. (Optional) To disable network level authentication, type the following at an elevated command prompt: - - ``` - REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f - ``` - -2. At an elevated command prompt, type **sysdm.cpl** and press ENTER. -3. On the Remote tab, choose **Allow remote connections to this computer** and then click **Select Users**. -4. Click **Add**, type **Authenticated users**, and then click **OK** three times. -5. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd). -6. Open Windows Configuration Designer and click **Provison desktop services**. -7. If you must activate Windows 10 Pro as described for [scenario 3](#scenario-3), complete the following steps. Otherwise, skip to step 8. - 1. Under **Name**, type **Desktop Bulk Enrollment Token Pro GVLK**, click **Finish**, and then on the **Set up device** page enter a device name. - 2. Under **Enter product key** type the Pro GVLK key: **W269N-WFGWX-YVC9B-4J6C9-T83GX**. -8. Under **Name**, type **Desktop Bulk Enrollment**, click **Finish**, and then on the **Set up device** page enter a device name. -9. On the Set up network page, choose **Off**. -10. On the Account Management page, choose **Enroll in Azure AD**, click **Get Bulk Token**, sign in, and add the bulk token using your organizations credentials. -11. On the Add applications page, add applications if desired. This step is optional. -12. On the Add certificates page, add certificates if desired. This step is optional. -13. On the Finish page, click **Create**. -14. Copy the .ppkg file to the remote Virtual machine. Double click to initiate the provisioning package install. This will reboot the system. - -- When attempting to access the VM using remote desktop, you will need to create a custom RDP settings file as described [below](#create-custom-rdp-settings-for-azure). - -## Create custom RDP settings for Azure - -To create custom RDP settings for Azure: - -1. Open Remote Desktop Connection and enter the IP address or DNS name for the remote host. -2. Click **Show Options**, and then under Connection settings click **Save As** and save the RDP file to the location where you will use it. -3. Close the Remote Desktop Connection window and open Notepad. -4. Drag the RDP file into the Notepad window to edit it. -5. Enter or replace the line that specifies authentication level with the following two lines of text: - - ```text - enablecredsspsupport:i:0 - authentication level:i:2 - ``` -6. **enablecredsspsupport** and **authentication level** should each appear only once in the file. -7. Save your changes, and then use this custom RDP file with your Azure AD credentials to connect to the Azure VM. - -## Related topics - -[Windows 10 Subscription Activation](windows-10-subscription-activation.md) -
          [Recommended settings for VDI desktops](https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations) -
          [Licensing the Windows Desktop for VDI Environments](https://download.microsoft.com/download/1/1/4/114A45DD-A1F7-4910-81FD-6CAF401077D0/Microsoft%20VDI%20and%20VDA%20FAQ%20v3%200.pdf) - +--- +title: Configure VDA for Windows 10 Subscription Activation +ms.reviewer: +manager: laurawi +ms.audience: itpro author: greg-lindsay +description: How to enable Windows 10 Enterprise E3 and E5 subscriptions for VDA +keywords: upgrade, update, task sequence, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: mdt +audience: itpro author: greg-lindsay +ms.topic: article +ms.collection: M365-modern-desktop +--- + +# Configure VDA for Windows 10 Subscription Activation + +This document describes how to configure virtual machines (VMs) to enable [Windows 10 Subscription Activation](windows-10-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based licensing mechanism for managing access to virtual desktops. + +Deployment instructions are provided for the following scenarios: +1. [Active Directory-joined VMs](#active-directory-joined-vms) +2. [Azure Active Directory-joined VMs](#azure-active-directory-joined-vms) +3. [Azure Gallery VMs](#azure-gallery-vms) + +## Requirements + +- VMs must be running Windows 10 Pro, version 1703 (also known as the Creator's Update) or later. +- VMs must be Active Directory-joined or Azure Active Directory (AAD)-joined. +- VMs must be generation 1. +- VMs must hosted by a [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH). + +## Activation + +### Scenario 1 +- The VM is running Windows 10, version 1803 or later. +- The VM is hosted in Azure or another [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH). + + When a user with VDA rights signs in to the VM using their AAD credentials, the VM is automatically stepped-up to Enterprise and activated. There is no need to perform Windows 10 Pro activation. This eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure. + +### Scenario 2 +- The Hyper-V host and the VM are both running Windows 10, version 1803 or later. + + [Inherited Activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation#inherited-activation) is enabled. All VMs created by a user with a Windows 10 E3 or E5 license are automatically activated independent of whether a user signs in with a local account or using an Azure Active Directory account. + +### Scenario 3 +- The VM is running Windows 10, version 1703 or 1709, or the hoster is not an authorized [QMTH](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) partner. + + In this scenario, the underlying Windows 10 Pro license must be activated prior to Subscription Activation of Windows 10 Enterprise. Activation is accomplished using a Windows 10 Pro Generic Volume License Key (GVLK) and a Volume License KMS activation server provided by the hoster. Alternatively, a KMS activation server on your corporate network can be used if you have configured a private connection, such as [ExpressRoute](https://azure.microsoft.com/services/expressroute/) or [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/). + +For examples of activation issues, see [Troubleshoot the user experience](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses#troubleshoot-the-user-experience). + +## Active Directory-joined VMs + +1. Use the following instructions to prepare the VM for Azure: [Prepare a Windows VHD or VHDX to upload to Azure](https://docs.microsoft.com/azure/virtual-machines/windows/prepare-for-upload-vhd-image) +2. (Optional) To disable network level authentication, type the following at an elevated command prompt: + + ``` + REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f + ``` + +3. At an elevated command prompt, type **sysdm.cpl** and press ENTER. +4. On the Remote tab, choose **Allow remote connections to this computer** and then click **Select Users**. +5. Click **Add**, type **Authenticated users**, and then click **OK** three times. +6. Follow the instructions to use sysprep at [Steps to generalize a VHD](https://docs.microsoft.com/azure/virtual-machines/windows/prepare-for-upload-vhd-image#steps-to-generalize-a-vhd) and then start the VM again. +7. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd). +8. Open Windows Configuration Designer and click **Provison desktop services**. +9. If you must activate Windows 10 Pro as described for [scenario 3](#scenario-3), complete the following steps. Otherwise, skip to step 10. + + 1. Under **Name**, type **Desktop AD Enrollment Pro GVLK**, click **Finish**, and then on the **Set up device** page enter a device name. + - Note: You can use a different project name, but this name is also used with dism.exe in a subsequent step. + 2. Under **Enter product key** type the Pro GVLK key: **W269N-WFGWX-YVC9B-4J6C9-T83GX**. +10. On the Set up network page, choose **Off**. +11. On the Account Management page, choose **Enroll into Active Directory** and then enter the account details. + - Note: This step is different for [Azure AD-joined VMs](#azure-active-directory-joined-vms). +12. On the Add applications page, add applications if desired. This step is optional. +13. On the Add certificates page, add certificates if desired. This step is optional. +14. On the Finish page, click **Create**. +15. If you must activate Windows 10 Pro as described for [scenario 3](#scenario-3), complete the following steps. Otherwise, skip to step 16. + 1. In file explorer, double-click the VHD to mount the disk image. Determine the drive letter of the mounted image. + 2. Type the following at an elevated commnand prompt. Replace the letter **G** with the drive letter of the mounted image, and enter the project name you used if it is different than the one suggested: + + ``` + Dism.exe /Image=G:\ /Add-ProvisioningPackage /PackagePath: "Desktop AD Enrollment Pro GVLK.ppkg" + ``` + 3. Right-click the mounted image in file explorer and click **Eject**. +16. See instructions at [Upload and create VM from generalized VHD](https://docs.microsoft.com/azure/virtual-machines/windows/upload-generalized-managed#log-in-to-azure) to log in to Azure, get your storage account details, upload the VHD, and create a managed image. + +## Azure Active Directory-joined VMs + +>[!IMPORTANT] +>Azure Active Directory (Azure AD) provisioning packages have a 180 day limit on bulk token usage. You will need to update the provisioning package and re-inject it into the image after 180 days. Existing virtual machines that are Azure AD-joined and deployed will not need to be recreated. + +For Azure AD-joined VMs, follow the same instructions (above) as for [Active Directory-joined VMs](#active-directory-joined-vms) with the following exceptions: +- In step 9, during setup with Windows Configuration Designer, under **Name**, type a name for the project that indicates it is not for Active Directory joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**. +- In step 11, during setup with Windows Configuration Designer, on the Account Management page, instead of enrolling in Active Directory, choose **Enroll in Azure AD**, click **Get Bulk Token**, sign in and add the bulk token using your organization's credentials. +- In step 15, sub-step 2, when entering the PackagePath, use the project name you entered in step 9 (ex: **Desktop Bulk Enrollment Token Pro GVLK.ppkg**) +- When attempting to access the VM using remote desktop, you will need to create a custom RDP settings file as described below in [Create custom RDP settings for Azure](#create-custom-rdp-settings-for-azure). + +## Azure Gallery VMs + +1. (Optional) To disable network level authentication, type the following at an elevated command prompt: + + ``` + REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f + ``` + +2. At an elevated command prompt, type **sysdm.cpl** and press ENTER. +3. On the Remote tab, choose **Allow remote connections to this computer** and then click **Select Users**. +4. Click **Add**, type **Authenticated users**, and then click **OK** three times. +5. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd). +6. Open Windows Configuration Designer and click **Provison desktop services**. +7. If you must activate Windows 10 Pro as described for [scenario 3](#scenario-3), complete the following steps. Otherwise, skip to step 8. + 1. Under **Name**, type **Desktop Bulk Enrollment Token Pro GVLK**, click **Finish**, and then on the **Set up device** page enter a device name. + 2. Under **Enter product key** type the Pro GVLK key: **W269N-WFGWX-YVC9B-4J6C9-T83GX**. +8. Under **Name**, type **Desktop Bulk Enrollment**, click **Finish**, and then on the **Set up device** page enter a device name. +9. On the Set up network page, choose **Off**. +10. On the Account Management page, choose **Enroll in Azure AD**, click **Get Bulk Token**, sign in, and add the bulk token using your organizations credentials. +11. On the Add applications page, add applications if desired. This step is optional. +12. On the Add certificates page, add certificates if desired. This step is optional. +13. On the Finish page, click **Create**. +14. Copy the .ppkg file to the remote Virtual machine. Double click to initiate the provisioning package install. This will reboot the system. + +- When attempting to access the VM using remote desktop, you will need to create a custom RDP settings file as described [below](#create-custom-rdp-settings-for-azure). + +## Create custom RDP settings for Azure + +To create custom RDP settings for Azure: + +1. Open Remote Desktop Connection and enter the IP address or DNS name for the remote host. +2. Click **Show Options**, and then under Connection settings click **Save As** and save the RDP file to the location where you will use it. +3. Close the Remote Desktop Connection window and open Notepad. +4. Drag the RDP file into the Notepad window to edit it. +5. Enter or replace the line that specifies authentication level with the following two lines of text: + + ```text + enablecredsspsupport:i:0 + authentication level:i:2 + ``` +6. **enablecredsspsupport** and **authentication level** should each appear only once in the file. +7. Save your changes, and then use this custom RDP file with your Azure AD credentials to connect to the Azure VM. + +## Related topics + +[Windows 10 Subscription Activation](windows-10-subscription-activation.md) +
          [Recommended settings for VDI desktops](https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations) +
          [Licensing the Windows Desktop for VDI Environments](https://download.microsoft.com/download/1/1/4/114A45DD-A1F7-4910-81FD-6CAF401077D0/Microsoft%20VDI%20and%20VDA%20FAQ%20v3%200.pdf) + diff --git a/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md b/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md index 78990c1268..772b7e9d11 100644 --- a/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md +++ b/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md @@ -1,56 +1,56 @@ ---- -title: Activate by Proxy an Active Directory Forest (Windows 10) -description: Activate by Proxy an Active Directory Forest -ms.assetid: 6475fc87-a6f7-4fa8-b0aa-de19f2dea7e5 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Activate by Proxy an Active Directory Forest - -You can use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate by proxy an Active Directory (AD) forest for an isolated workgroup that does not have Internet access. ADBA enables certain volume products to inherit activation from the domain. - -**Important**   -ADBA is only applicable to Generic Volume License Keys (GVLKs) and KMS Host key (CSVLK). To use ADBA, one or more KMS Host keys (CSVLK) must be installed on the AD forest, and client keys (GVLKs) must be installed on the client products. - -In a typical proxy-activation scenario, the VAMT host computer distributes a product key to one or more client computers and collects the installation ID (IID) from each computer. The VAMT host computer sends the IIDs to Microsoft on behalf of the client computers and obtains the corresponding Confirmation IDs (CIDs). The VAMT host computer then installs the CIDs on the client computer to complete the activation. If you use this activation method, only the VAMT host computer needs to have Internet access. - -**Note**   -For workgroups that are isolated from any larger network, you can still perform an AD forest activation. This requires installing a second instance of VAMT on a computer in the isolated group and using removable media to transfer activation data between that computer and another VAMT host computer that has Internet access. You can also activate by proxy a KMS Host key (CSVLK) in the core network if you do not want the host computer to connect to Microsoft over the Internet. - -## Requirements - -Before performing proxy activation, ensure that the network and the VAMT installation meet the following requirements: -- There is an instance of VAMT that is installed on a computer that has Internet access. If you are performing proxy activation for an isolated workgroup, you must also have VAMT installed on one of the computers in the workgroup. -- VAMT has administrative permissions to the Active Directory domain. - -**To perform an Active Directory forest proxy activation** - -1. Open VAMT. -2. In the left-side pane, click the **Active Directory-Based Activation** node. -3. In the right-side **Actions** pane, click **Proxy activate forest** to open the **Install Product Key** dialog box. -4. In the **Install Product Key** dialog box, select the KMS Host key (CSVLK) that you want to activate. -5. If you want to rename the ADBA object, enter a new Active Directory-Based Activation Object name. If you want to rename the ADBA object, you must do it now. After you click **Install Key**, the name cannot be changed. -6. Enter the name of the file where you want to save the offline installation ID, or browse to the file location and then click **Open**. If you are activating an AD forest in an isolated workgroup, save the .cilx file to a removable media device. -7. Click **Install Key**. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. The activated object and the date that it was created appear in the **Active Directory-Based Activation** node in the center pane. -9. Insert the removable media into the VAMT host that has Internet access. Make sure that you are on the root node, and that the **Volume Activation Management Tool** view is displayed in the center pane. -10. In the right-side **Actions** pane, click **Acquire confirmation IDs for CILX** to open the **Acquire confirmation IDs for file** dialog box. -11. In the **Acquire confirmation IDs for file** dialog box, browse to where the .cilx file you exported from the isolated workgroup host computer is located. Select the file, and then click **Open**. VAMT displays an **Acquiring Confirmation IDs** message while it contacts Microsoft and acquires the CIDs. -12. When the CID collection process is complete, VAMT displays a **Volume Activation Management Tool** message that shows how many confirmation IDs were successfully acquired, and the name of the file to which the IDs were saved. Click **OK** to close the message. -13. Remove the storage device that contains the .cilx file from the Internet-connected VAMT host computer and insert it into the VAMT host computer in the isolated workgroup. -14. Open VAMT and then click the **Active Directory-Based Activation** node in the left-side pane. -15. In the right-side **Actions** pane, click **Apply confirmation ID to Active Directory domain**, browse to the .cilx file and then click **Open**. - -VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. The activated object and the date that it was created appear in the **Active Directory-Based Activation** node in the center pane. - -## Related topics - -- [Add and Remove Computers](add-remove-computers-vamt.md) +--- +title: Activate by Proxy an Active Directory Forest (Windows 10) +description: Activate by Proxy an Active Directory Forest +ms.assetid: 6475fc87-a6f7-4fa8-b0aa-de19f2dea7e5 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Activate by Proxy an Active Directory Forest + +You can use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate by proxy an Active Directory (AD) forest for an isolated workgroup that does not have Internet access. ADBA enables certain volume products to inherit activation from the domain. + +**Important**   +ADBA is only applicable to Generic Volume License Keys (GVLKs) and KMS Host key (CSVLK). To use ADBA, one or more KMS Host keys (CSVLK) must be installed on the AD forest, and client keys (GVLKs) must be installed on the client products. + +In a typical proxy-activation scenario, the VAMT host computer distributes a product key to one or more client computers and collects the installation ID (IID) from each computer. The VAMT host computer sends the IIDs to Microsoft on behalf of the client computers and obtains the corresponding Confirmation IDs (CIDs). The VAMT host computer then installs the CIDs on the client computer to complete the activation. If you use this activation method, only the VAMT host computer needs to have Internet access. + +**Note**   +For workgroups that are isolated from any larger network, you can still perform an AD forest activation. This requires installing a second instance of VAMT on a computer in the isolated group and using removable media to transfer activation data between that computer and another VAMT host computer that has Internet access. You can also activate by proxy a KMS Host key (CSVLK) in the core network if you do not want the host computer to connect to Microsoft over the Internet. + +## Requirements + +Before performing proxy activation, ensure that the network and the VAMT installation meet the following requirements: +- There is an instance of VAMT that is installed on a computer that has Internet access. If you are performing proxy activation for an isolated workgroup, you must also have VAMT installed on one of the computers in the workgroup. +- VAMT has administrative permissions to the Active Directory domain. + +**To perform an Active Directory forest proxy activation** + +1. Open VAMT. +2. In the left-side pane, click the **Active Directory-Based Activation** node. +3. In the right-side **Actions** pane, click **Proxy activate forest** to open the **Install Product Key** dialog box. +4. In the **Install Product Key** dialog box, select the KMS Host key (CSVLK) that you want to activate. +5. If you want to rename the ADBA object, enter a new Active Directory-Based Activation Object name. If you want to rename the ADBA object, you must do it now. After you click **Install Key**, the name cannot be changed. +6. Enter the name of the file where you want to save the offline installation ID, or browse to the file location and then click **Open**. If you are activating an AD forest in an isolated workgroup, save the .cilx file to a removable media device. +7. Click **Install Key**. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. The activated object and the date that it was created appear in the **Active Directory-Based Activation** node in the center pane. +9. Insert the removable media into the VAMT host that has Internet access. Make sure that you are on the root node, and that the **Volume Activation Management Tool** view is displayed in the center pane. +10. In the right-side **Actions** pane, click **Acquire confirmation IDs for CILX** to open the **Acquire confirmation IDs for file** dialog box. +11. In the **Acquire confirmation IDs for file** dialog box, browse to where the .cilx file you exported from the isolated workgroup host computer is located. Select the file, and then click **Open**. VAMT displays an **Acquiring Confirmation IDs** message while it contacts Microsoft and acquires the CIDs. +12. When the CID collection process is complete, VAMT displays a **Volume Activation Management Tool** message that shows how many confirmation IDs were successfully acquired, and the name of the file to which the IDs were saved. Click **OK** to close the message. +13. Remove the storage device that contains the .cilx file from the Internet-connected VAMT host computer and insert it into the VAMT host computer in the isolated workgroup. +14. Open VAMT and then click the **Active Directory-Based Activation** node in the left-side pane. +15. In the right-side **Actions** pane, click **Apply confirmation ID to Active Directory domain**, browse to the .cilx file and then click **Open**. + +VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. The activated object and the date that it was created appear in the **Active Directory-Based Activation** node in the center pane. + +## Related topics + +- [Add and Remove Computers](add-remove-computers-vamt.md) diff --git a/windows/deployment/volume-activation/activate-forest-vamt.md b/windows/deployment/volume-activation/activate-forest-vamt.md index 0f46e1a22e..06362064ff 100644 --- a/windows/deployment/volume-activation/activate-forest-vamt.md +++ b/windows/deployment/volume-activation/activate-forest-vamt.md @@ -1,50 +1,50 @@ ---- -title: Activate an Active Directory Forest Online (Windows 10) -description: Activate an Active Directory Forest Online -ms.assetid: 9b5bc193-799b-4aa5-9d3e-0e495f7195d3 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Activate an Active Directory Forest Online - -You can use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate an Active Directory (AD) forest over the Internet. ADBA enables certain products to inherit activation from the domain. - -**Important**   -ADBA is only applicable to Generic Volume License Keys (GVLKs) and KMS Host keys (CSVLKs). To use ADBA, one or more KMS Host keys (CSVLKs) must be installed on the AD forest, and client keys (GVLKs) must be installed on the client products. - -## Requirements - -Before performing online activation, ensure that the network and the VAMT installation meet the following requirements: -- VAMT is installed on a host computer that has Internet access. -- VAMT has administrative permissions to the Active Directory domain. -- The KMS Host key (CSVLK) you intend to use is added to VAMT in the **Product Keys** node. - -**To perform an online Active Directory forest activation** - -1. Open VAMT. -2. In the left-side pane, click the **Active Directory-Based Activation** node. -3. In the right-side **Actions** pane, click **Online activate forest** to open the **Install Product Key** dialog box. -4. In the **Install Product Key** dialog box, select the KMS Host key (CSVLK) that you want to apply to the AD forest. -5. If required, enter a new Active Directory-Based Activation Object name - - **Important**   - If you want to rename the ADBA object, you must do it now. After you click **Install Key**, the name cannot be changed. - -6. Click **Install Key**. -7. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. - -The activated object and the date that is was created appear in the **Active Directory-Based Activation** node in the center pane. - -## Related topics - -- [Scenario 1: Online Activation](scenario-online-activation-vamt.md) -- [Add and Remove Computers](add-remove-computers-vamt.md) +--- +title: Activate an Active Directory Forest Online (Windows 10) +description: Activate an Active Directory Forest Online +ms.assetid: 9b5bc193-799b-4aa5-9d3e-0e495f7195d3 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Activate an Active Directory Forest Online + +You can use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate an Active Directory (AD) forest over the Internet. ADBA enables certain products to inherit activation from the domain. + +**Important**   +ADBA is only applicable to Generic Volume License Keys (GVLKs) and KMS Host keys (CSVLKs). To use ADBA, one or more KMS Host keys (CSVLKs) must be installed on the AD forest, and client keys (GVLKs) must be installed on the client products. + +## Requirements + +Before performing online activation, ensure that the network and the VAMT installation meet the following requirements: +- VAMT is installed on a host computer that has Internet access. +- VAMT has administrative permissions to the Active Directory domain. +- The KMS Host key (CSVLK) you intend to use is added to VAMT in the **Product Keys** node. + +**To perform an online Active Directory forest activation** + +1. Open VAMT. +2. In the left-side pane, click the **Active Directory-Based Activation** node. +3. In the right-side **Actions** pane, click **Online activate forest** to open the **Install Product Key** dialog box. +4. In the **Install Product Key** dialog box, select the KMS Host key (CSVLK) that you want to apply to the AD forest. +5. If required, enter a new Active Directory-Based Activation Object name + + **Important**   + If you want to rename the ADBA object, you must do it now. After you click **Install Key**, the name cannot be changed. + +6. Click **Install Key**. +7. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. + +The activated object and the date that is was created appear in the **Active Directory-Based Activation** node in the center pane. + +## Related topics + +- [Scenario 1: Online Activation](scenario-online-activation-vamt.md) +- [Add and Remove Computers](add-remove-computers-vamt.md) diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md index 40953c27e9..2ab639a904 100644 --- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md +++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md @@ -1,101 +1,101 @@ ---- -title: Activate using Active Directory-based activation (Windows 10) -description: Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. -ms.assetid: 08cce6b7-7b5b-42cf-b100-66c363a846af -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: vamt, volume activation, activation, windows activation -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.topic: article ---- - -# Activate using Active Directory-based activation -**Applies to** -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows Server 2016 - -**Looking for retail activation?** -- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) - -Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that the forest schema be updated by adprep.exe on a computer running Windows Server 2012 or Windows Server 2012 R2, but after the schema is updated, older domain controllers can still activate clients. -Any domain-joined computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2 with a GVLK will be activated automatically and transparently. They will stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts AD DS automatically, receives the activation object, and is activated without user intervention. -To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console in Windows Server 2012 R2 or the VAMT in earlier versions of Windows Server to create an object in the AD DS forest. You create this activation object by submitting a KMS host key to Microsoft, as shown in Figure 10. -The process proceeds as follows: -1. Perform one of the following tasks: - - Install the Volume Activation Services server role on a domain controller running Windows Server 2012 R2, and add a KMS host key by using the Volume Activation Tools Wizard. - - Extend the domain to the Windows Server 2012 R2 schema level, and add a KMS host key by using the VAMT. -2. Microsoft verifies the KMS host key, and an activation object is created. -3. Client computers are activated by receiving the activation object from a domain controller during startup. - - ![Active Directory-based activation flow](../images/volumeactivationforwindows81-10.jpg) - - **Figure 10**. The Active Directory-based activation flow - -For environments in which all computers are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2, and they are joined to a domain, Active Directory-based activation is the best option for activating all client computers and servers, and you may be able to remove any KMS hosts from your environment. -If an environment will continue to contain earlier volume licensing operating systems and applications or if you have workgroup computers outside the domain, you need to maintain a KMS host to maintain activation status for earlier volume licensing editions of Windows and Office. -Clients that are activated with Active Directory-based activation will maintain their activated state for up to 180 days since the last contact with the domain, but they will periodically attempt to reactivate before then and at the end of the 180day period. By default, this reactivation event occurs every seven days. -When a reactivation event occurs, the client queries AD DS for the activation object. Client computers examine the activation object and compare it to the local edition as defined by the GVLK. If the object and GVLK match, reactivation occurs. If the AD DS object cannot be retrieved, client computers use KMS activation. If the computer is removed from the domain, when the computer or the Software Protection service is restarted, the operating system will change the status from activated to not activated, and the computer will try to activate with KMS. -## Step-by-step configuration: Active Directory-based activation -**Note**   -You must be a member of the local Administrators group on all computers mentioned in these steps. You also need to be a member of the Enterprise Administrators group, because setting up Active Directory-based activation changes forest-wide settings. -**To configure Active Directory-based activation on Windows Server 2012 R2, complete the following steps:** -1. Use an account with Domain Administrator and Enterprise Administrator credentials to sign in to a domain controller. -2. Launch Server Manager. -3. Add the Volume Activation Services role, as shown in Figure 11. - - ![Adding the Volume Activation Services role](../images/volumeactivationforwindows81-11.jpg) - - **Figure 11**. Adding the Volume Activation Services role - -4. Click the link to launch the Volume Activation Tools (Figure 12). - - ![Launching the Volume Activation Tools](../images/volumeactivationforwindows81-12.jpg) - - **Figure 12**. Launching the Volume Activation Tools - -5. Select the **Active Directory-Based Activation** option (Figure 13). - - ![Selecting Active Directory-Based Activation](../images/volumeactivationforwindows81-13.jpg) - - **Figure 13**. Selecting Active Directory-Based Activation - -6. Enter your KMS host key and (optionally) a display name (Figure 14). - - ![Choosing how to activate your product](../images/volumeactivationforwindows81-15.jpg) - - **Figure 14**. Entering your KMS host key - -7. Activate your KMS host key by phone or online (Figure 15). - - ![Entering your KMS host key](../images/volumeactivationforwindows81-14.jpg) - - **Figure 15**. Choosing how to activate your product - -8. After activating the key, click **Commit**, and then click **Close**. - -## Verifying the configuration of Active Directory-based activation - -To verify your Active Directory-based activation configuration, complete the following steps: -1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that is configured by volume licensing. -2. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK by running the **slmgr.vbs /ipk** command and specifying the GLVK as the new product key. -3. If the computer is not joined to your domain, join it to the domain. -4. Sign in to the computer. -5. Open Windows Explorer, right-click **Computer**, and then click **Properties**. -6. Scroll down to the **Windows activation** section, and verify that this client has been activated. - - **Note**
          - If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmgr.vbs /dlv** command also indicates whether KMS has been used. - -## See also -- [Volume Activation for Windows 10](volume-activation-windows-10.md) +--- +title: Activate using Active Directory-based activation (Windows 10) +description: Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. +ms.assetid: 08cce6b7-7b5b-42cf-b100-66c363a846af +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: vamt, volume activation, activation, windows activation +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.date: 07/27/2017 +ms.topic: article +--- + +# Activate using Active Directory-based activation +**Applies to** +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2016 + +**Looking for retail activation?** +- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) + +Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that the forest schema be updated by adprep.exe on a computer running Windows Server 2012 or Windows Server 2012 R2, but after the schema is updated, older domain controllers can still activate clients. +Any domain-joined computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2 with a GVLK will be activated automatically and transparently. They will stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts AD DS automatically, receives the activation object, and is activated without user intervention. +To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console in Windows Server 2012 R2 or the VAMT in earlier versions of Windows Server to create an object in the AD DS forest. You create this activation object by submitting a KMS host key to Microsoft, as shown in Figure 10. +The process proceeds as follows: +1. Perform one of the following tasks: + - Install the Volume Activation Services server role on a domain controller running Windows Server 2012 R2, and add a KMS host key by using the Volume Activation Tools Wizard. + - Extend the domain to the Windows Server 2012 R2 schema level, and add a KMS host key by using the VAMT. +2. Microsoft verifies the KMS host key, and an activation object is created. +3. Client computers are activated by receiving the activation object from a domain controller during startup. + + ![Active Directory-based activation flow](../images/volumeactivationforwindows81-10.jpg) + + **Figure 10**. The Active Directory-based activation flow + +For environments in which all computers are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2, and they are joined to a domain, Active Directory-based activation is the best option for activating all client computers and servers, and you may be able to remove any KMS hosts from your environment. +If an environment will continue to contain earlier volume licensing operating systems and applications or if you have workgroup computers outside the domain, you need to maintain a KMS host to maintain activation status for earlier volume licensing editions of Windows and Office. +Clients that are activated with Active Directory-based activation will maintain their activated state for up to 180 days since the last contact with the domain, but they will periodically attempt to reactivate before then and at the end of the 180day period. By default, this reactivation event occurs every seven days. +When a reactivation event occurs, the client queries AD DS for the activation object. Client computers examine the activation object and compare it to the local edition as defined by the GVLK. If the object and GVLK match, reactivation occurs. If the AD DS object cannot be retrieved, client computers use KMS activation. If the computer is removed from the domain, when the computer or the Software Protection service is restarted, the operating system will change the status from activated to not activated, and the computer will try to activate with KMS. +## Step-by-step configuration: Active Directory-based activation +**Note**   +You must be a member of the local Administrators group on all computers mentioned in these steps. You also need to be a member of the Enterprise Administrators group, because setting up Active Directory-based activation changes forest-wide settings. +**To configure Active Directory-based activation on Windows Server 2012 R2, complete the following steps:** +1. Use an account with Domain Administrator and Enterprise Administrator credentials to sign in to a domain controller. +2. Launch Server Manager. +3. Add the Volume Activation Services role, as shown in Figure 11. + + ![Adding the Volume Activation Services role](../images/volumeactivationforwindows81-11.jpg) + + **Figure 11**. Adding the Volume Activation Services role + +4. Click the link to launch the Volume Activation Tools (Figure 12). + + ![Launching the Volume Activation Tools](../images/volumeactivationforwindows81-12.jpg) + + **Figure 12**. Launching the Volume Activation Tools + +5. Select the **Active Directory-Based Activation** option (Figure 13). + + ![Selecting Active Directory-Based Activation](../images/volumeactivationforwindows81-13.jpg) + + **Figure 13**. Selecting Active Directory-Based Activation + +6. Enter your KMS host key and (optionally) a display name (Figure 14). + + ![Choosing how to activate your product](../images/volumeactivationforwindows81-15.jpg) + + **Figure 14**. Entering your KMS host key + +7. Activate your KMS host key by phone or online (Figure 15). + + ![Entering your KMS host key](../images/volumeactivationforwindows81-14.jpg) + + **Figure 15**. Choosing how to activate your product + +8. After activating the key, click **Commit**, and then click **Close**. + +## Verifying the configuration of Active Directory-based activation + +To verify your Active Directory-based activation configuration, complete the following steps: +1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that is configured by volume licensing. +2. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK by running the **slmgr.vbs /ipk** command and specifying the GLVK as the new product key. +3. If the computer is not joined to your domain, join it to the domain. +4. Sign in to the computer. +5. Open Windows Explorer, right-click **Computer**, and then click **Properties**. +6. Scroll down to the **Windows activation** section, and verify that this client has been activated. + + **Note**
          + If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmgr.vbs /dlv** command also indicates whether KMS has been used. + +## See also +- [Volume Activation for Windows 10](volume-activation-windows-10.md) diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md index aff4f923e1..01010689aa 100644 --- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md +++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md @@ -1,144 +1,144 @@ ---- -title: Activate using Key Management Service (Windows 10) -ms.assetid: f2417bfe-7d25-4e82-bc07-de316caa8dac -ms.reviewer: -manager: laurawi -ms.author: greglin -description: -keywords: vamt, volume activation, activation, windows activation -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.localizationpriority: medium -ms.date: 10/16/2017 -ms.topic: article ---- - -# Activate using Key Management Service - -**Applies to** -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows Server 2008 R2 - -**Looking for retail activation?** - -- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) - -There are three possible scenarios for volume activation of Windows 10 or Windows Server 2012 R2 by using a Key Management Service (KMS) host: -- Host KMS on a computer running Windows 10 -- Host KMS on a computer running Windows Server 2012 R2 -- Host KMS on a computer running an earlier version of Windows - -Check out [Windows 10 Volume Activation Tips](https://blogs.technet.microsoft.com/askcore/2015/09/15/windows-10-volume-activation-tips/). - -## Key Management Service in Windows 10 - -Installing a KMS host key on a computer running Windows 10 allows you to activate other computers running Windows 10 against this KMS host and earlier versions of the client operating system, such as Windows 8.1 or Windows 7. -Clients locate the KMS server by using resource records in DNS, so some configuration of DNS may be required. This scenario can be beneficial if your organization uses volume activation for clients and MAK-based activation for a smaller number of servers. -To enable KMS functionality, a KMS key is installed on a KMS host; then, the host is activated over the Internet or by phone using Microsoft’s activation services. - -**Configure KMS in Windows 10** - -1. Open an elevated command prompt. -2. Enter one of the following commands. - - To install a KMS key, type **slmgr.vbs /ipk <KmsKey>**. - - To activate online, type **slmgr.vbs /ato**. - - To activate by using the telephone, type **slui.exe 4**. -3. After activating the KMS key, restart the Software Protection Service. - -For more information, see the information for Windows 7 in [Deploy KMS Activation](https://go.microsoft.com/fwlink/p/?LinkId=717032). - -## Key Management Service in Windows Server 2012 R2 -Installing a KMS host key on a computer running Windows Server allows you to activate computers running Windows Server 2012 R2, Windows Server 2008 R2, Windows Server 2008, Windows 10, Windows 8.1, Windows 7, and Windows Vista. - -**Note**   -You cannot install a client KMS key into the KMS in Windows Server. - -This scenario is commonly used in larger organizations that do not find the overhead of using a server a burden. - -**Note**   - -If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise, see [KB 3086418](https://go.microsoft.com/fwlink/p/?LinkId=620687). - -**Configure KMS in Windows Server 2012 R2** - -1. Sign in to a computer running Windows Server 2012 R2 with an account that has local administrative credentials. -2. Launch Server Manager. -3. Add the Volume Activation Services role, as shown in Figure 4. - - ![Adding the Volume Activation Services role in Server Manager](../images/volumeactivationforwindows81-04.jpg) - - **Figure 4**. Adding the Volume Activation Services role in Server Manager\ - -4. When the role installation is complete, click the link to launch the Volume Activation Tools (Figure 5). - - ![Launching the Volume Activation Tools](../images/volumeactivationforwindows81-05.jpg) - - **Figure 5**. Launching the Volume Activation Tools - - 5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6). - This can be the same computer on which you installed the role or another computer. For example, it can be a client computer running Windows 10. - - ![Configuring the computer as a KMS host](../images/volumeactivationforwindows81-06.jpg) - - **Figure 6**. Configuring the computer as a KMS host - -5. Install your KMS host key by typing it in the text box, and then click **Commit** (Figure 7). - - ![Installing your KMS host key](../images/volumeactivationforwindows81-07.jpg) - - **Figure 7**. Installing your KMS host key - -6. If asked to confirm replacement of an existing key, click **Yes**. -7. After the product key is installed, you must activate it. Click **Next** (Figure 8). - - ![Activating the software](../images/volumeactivationforwindows81-08.jpg) - - **Figure 8**. Activating the software - - The KMS key can be activated online or by phone. See Figure 9. - - ![Choosing to activate online](../images/volumeactivationforwindows81-09.jpg) - - **Figure 9**. Choosing to activate online - -Now that the KMS host is configured, it will begin to listen for activation requests. However, it will not activate clients successfully until the activation threshold is met. - -## Verifying the configuration of Key Management Service - -You can verify KMS volume activation from the KMS host server or from the client computer. KMS volume activation requires a minimum threshold of 25 computers before activation requests will be processed. The verification process described here will increment the activation count each time a client computer contacts the KMS host, but unless the activation threshold is reached, the verification will take the form of an error message rather than a confirmation message. -**Note**   - -If you configured Active Directory-based activation before configuring KMS activation, you must use a client computer that will not first try to activate itself by using Active Directory-based activation. You could use a workgroup computer that is not joined to a domain or a computer running Windows 7 or Windows Server 2008 R2. - -To verify that KMS volume activation works, complete the following steps: - -1. On the KMS host, open the event log and confirm that DNS publishing is successful. -2. On a client computer, open a Command Prompt window, type **Slmgr.vbs /ato**, and then press ENTER.

          -The **/ato** command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information. -3. On a client computer or the KMS host, open an elevated Command Prompt window, type **Slmgr /dlv**, and then press ENTER.

          - -The **/dlv** command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This confirms that KMS is functioning correctly, even though the client has not been activated. - -For more information about the use and syntax of slmgr.vbs, see [Slmgr.vbs Options](https://go.microsoft.com/fwlink/p/?LinkId=733639). - -## Key Management Service in earlier versions of Windows - -If you have already established a KMS infrastructure in your organization for an earlier version of Windows, you may want to continue using that infrastructure to activate computers running Windows 10 or Windows Server 2012 R2. Your existing KMS host must be running Windows 7 or later. To upgrade your KMS host, complete the following steps: - -1. Download and install the correct update for your current KMS host operating system. Restart the computer as directed. -2. Request a new KMS host key from the Volume Licensing Service Center. -3. Install the new KMS host key on your KMS host. -4. Activate the new KMS host key by running the slmgr.vbs script. - -For detailed instructions, see [Update that enables Windows 8.1 and Windows 8 KMS hosts to activate a later version of Windows](https://go.microsoft.com/fwlink/p/?LinkId=618265) and [Update that enables Windows 7 and Windows Server 2008 R2 KMS hosts to activate Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=626590). - -## See also -- [Volume Activation for Windows 10](volume-activation-windows-10.md) +--- +title: Activate using Key Management Service (Windows 10) +ms.assetid: f2417bfe-7d25-4e82-bc07-de316caa8dac +ms.reviewer: +manager: laurawi +ms.author: greglin +description: +keywords: vamt, volume activation, activation, windows activation +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.date: 10/16/2017 +ms.topic: article +--- + +# Activate using Key Management Service + +**Applies to** +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 + +**Looking for retail activation?** + +- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) + +There are three possible scenarios for volume activation of Windows 10 or Windows Server 2012 R2 by using a Key Management Service (KMS) host: +- Host KMS on a computer running Windows 10 +- Host KMS on a computer running Windows Server 2012 R2 +- Host KMS on a computer running an earlier version of Windows + +Check out [Windows 10 Volume Activation Tips](https://blogs.technet.microsoft.com/askcore/2015/09/15/windows-10-volume-activation-tips/). + +## Key Management Service in Windows 10 + +Installing a KMS host key on a computer running Windows 10 allows you to activate other computers running Windows 10 against this KMS host and earlier versions of the client operating system, such as Windows 8.1 or Windows 7. +Clients locate the KMS server by using resource records in DNS, so some configuration of DNS may be required. This scenario can be beneficial if your organization uses volume activation for clients and MAK-based activation for a smaller number of servers. +To enable KMS functionality, a KMS key is installed on a KMS host; then, the host is activated over the Internet or by phone using Microsoft’s activation services. + +**Configure KMS in Windows 10** + +1. Open an elevated command prompt. +2. Enter one of the following commands. + - To install a KMS key, type **slmgr.vbs /ipk <KmsKey>**. + - To activate online, type **slmgr.vbs /ato**. + - To activate by using the telephone, type **slui.exe 4**. +3. After activating the KMS key, restart the Software Protection Service. + +For more information, see the information for Windows 7 in [Deploy KMS Activation](https://go.microsoft.com/fwlink/p/?LinkId=717032). + +## Key Management Service in Windows Server 2012 R2 +Installing a KMS host key on a computer running Windows Server allows you to activate computers running Windows Server 2012 R2, Windows Server 2008 R2, Windows Server 2008, Windows 10, Windows 8.1, Windows 7, and Windows Vista. + +**Note**   +You cannot install a client KMS key into the KMS in Windows Server. + +This scenario is commonly used in larger organizations that do not find the overhead of using a server a burden. + +**Note**   + +If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise, see [KB 3086418](https://go.microsoft.com/fwlink/p/?LinkId=620687). + +**Configure KMS in Windows Server 2012 R2** + +1. Sign in to a computer running Windows Server 2012 R2 with an account that has local administrative credentials. +2. Launch Server Manager. +3. Add the Volume Activation Services role, as shown in Figure 4. + + ![Adding the Volume Activation Services role in Server Manager](../images/volumeactivationforwindows81-04.jpg) + + **Figure 4**. Adding the Volume Activation Services role in Server Manager\ + +4. When the role installation is complete, click the link to launch the Volume Activation Tools (Figure 5). + + ![Launching the Volume Activation Tools](../images/volumeactivationforwindows81-05.jpg) + + **Figure 5**. Launching the Volume Activation Tools + + 5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6). + This can be the same computer on which you installed the role or another computer. For example, it can be a client computer running Windows 10. + + ![Configuring the computer as a KMS host](../images/volumeactivationforwindows81-06.jpg) + + **Figure 6**. Configuring the computer as a KMS host + +5. Install your KMS host key by typing it in the text box, and then click **Commit** (Figure 7). + + ![Installing your KMS host key](../images/volumeactivationforwindows81-07.jpg) + + **Figure 7**. Installing your KMS host key + +6. If asked to confirm replacement of an existing key, click **Yes**. +7. After the product key is installed, you must activate it. Click **Next** (Figure 8). + + ![Activating the software](../images/volumeactivationforwindows81-08.jpg) + + **Figure 8**. Activating the software + + The KMS key can be activated online or by phone. See Figure 9. + + ![Choosing to activate online](../images/volumeactivationforwindows81-09.jpg) + + **Figure 9**. Choosing to activate online + +Now that the KMS host is configured, it will begin to listen for activation requests. However, it will not activate clients successfully until the activation threshold is met. + +## Verifying the configuration of Key Management Service + +You can verify KMS volume activation from the KMS host server or from the client computer. KMS volume activation requires a minimum threshold of 25 computers before activation requests will be processed. The verification process described here will increment the activation count each time a client computer contacts the KMS host, but unless the activation threshold is reached, the verification will take the form of an error message rather than a confirmation message. +**Note**   + +If you configured Active Directory-based activation before configuring KMS activation, you must use a client computer that will not first try to activate itself by using Active Directory-based activation. You could use a workgroup computer that is not joined to a domain or a computer running Windows 7 or Windows Server 2008 R2. + +To verify that KMS volume activation works, complete the following steps: + +1. On the KMS host, open the event log and confirm that DNS publishing is successful. +2. On a client computer, open a Command Prompt window, type **Slmgr.vbs /ato**, and then press ENTER.

          +The **/ato** command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information. +3. On a client computer or the KMS host, open an elevated Command Prompt window, type **Slmgr /dlv**, and then press ENTER.

          + +The **/dlv** command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This confirms that KMS is functioning correctly, even though the client has not been activated. + +For more information about the use and syntax of slmgr.vbs, see [Slmgr.vbs Options](https://go.microsoft.com/fwlink/p/?LinkId=733639). + +## Key Management Service in earlier versions of Windows + +If you have already established a KMS infrastructure in your organization for an earlier version of Windows, you may want to continue using that infrastructure to activate computers running Windows 10 or Windows Server 2012 R2. Your existing KMS host must be running Windows 7 or later. To upgrade your KMS host, complete the following steps: + +1. Download and install the correct update for your current KMS host operating system. Restart the computer as directed. +2. Request a new KMS host key from the Volume Licensing Service Center. +3. Install the new KMS host key on your KMS host. +4. Activate the new KMS host key by running the slmgr.vbs script. + +For detailed instructions, see [Update that enables Windows 8.1 and Windows 8 KMS hosts to activate a later version of Windows](https://go.microsoft.com/fwlink/p/?LinkId=618265) and [Update that enables Windows 7 and Windows Server 2008 R2 KMS hosts to activate Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=626590). + +## See also +- [Volume Activation for Windows 10](volume-activation-windows-10.md) diff --git a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md index 2ca1ee6338..0664a272c5 100644 --- a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md +++ b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md @@ -1,127 +1,127 @@ ---- -title: Activate clients running Windows 10 (Windows 10) -description: After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. -ms.assetid: 39446e49-ad7c-48dc-9f18-f85a11ded643 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: vamt, volume activation, activation, windows activation -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.topic: article ---- - -# Activate clients running Windows 10 - -**Applies to** -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows Server 2008 R2 - -**Looking for retail activation?** - -- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) - -After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. If the computer has been configured with a Generic Volume License Key (GVLK), neither IT nor the user need take any action. It just works. -Enterprise edition images and installation media should already be configured with the GVLK. When the client computer starts, the Licensing service examines the current licensing condition of the computer. -If activation or reactivation is required, the following sequence occurs: -1. If the computer is a member of a domain, it asks a domain controller for a volume activation object. If Active Directory-based activation is configured, the domain controller returns the object. If the object matches the edition of the software that is installed and the computer has a matching GVLK, the computer is activated (or reactivated), and it will not need to be activated again for 180 days, although the operating system will attempt reactivation at much shorter, regular intervals. -2. If the computer is not a member of a domain or if the volume activation object is not available, the computer will issue a DNS query to attempt to locate a KMS server. If a KMS server can be contacted, activation occurs if the KMS has a key that matches the computer’s GVLK. -3. The computer tries to activate against Microsoft servers if it is configured with a MAK. - -If the client is not able to activate itself successfully, it will periodically try again. The frequency of the retry attempts depends on the current licensing state and whether the client computer has been successfully activated in the past. For example, if the client computer had been previously activated by Active Directory-based activation, it will periodically try to contact the domain controller at each restart. - -## How Key Management Service works - -KMS uses a client–server topology. KMS client computers can locate KMS host computers by using DNS or a static configuration. KMS clients contact the KMS host by using RPCs carried over TCP/IP. - -### Key Management Service activation thresholds - -You can activate physical computers and virtual machines by contacting a KMS host. To qualify for KMS activation, there must be a minimum number of qualifying computers (called the activation threshold). KMS clients will be activated only after this threshold has been met. Each KMS host counts the number of computers that have requested activation until the threshold is met. - -A KMS host responds to each valid activation request from a KMS client with the count of how many computers have already contacted the KMS host for activation. Client computers that receive a count below the activation threshold are not activated. For example, if the first two computers that contact the KMS host are running Windows 10, the first receives an activation count of 1, and the second receives an activation count of 2. If the next computer is a virtual machine on a computer running Windows 10, it receives an activation count of 3, and so on. None of these computers will be activated, because computers running Windows 10, like other client operating system versions, must receive an activation count of 25 or more. -When KMS clients are waiting for the KMS to reach the activation threshold, they will connect to the KMS host every two hours to get the current activation count. They will be activated when the threshold is met. - -In our example, if the next computer that contacts the KMS host is running Windows Server 2012 R2, it receives an activation count of 4, because activation counts are cumulative. If a computer running Windows Server 2012 R2 receives an activation count that is 5 or more, it is activated. If a computer running Windows 10 receives an activation count of 25 or more, it is activated. - -### Activation count cache - -To track the activation threshold, the KMS host keeps a record of the KMS clients that request activation. The KMS host gives each KMS client a client ID designation, and the KMS host saves each client ID in a table. By default, each activation request remains in the table for up to 30 days. When a client renews its activation, the cached client ID is removed from the table, a new record is created, and the 30day period begins again. If a KMS client computer does not renew its activation within 30 days, the KMS host removes the corresponding client ID from the table and reduces the activation count by one. -However, the KMS host only caches twice the number of client IDs that are required to meet the activation threshold. Therefore, only the 50 most recent client IDs are kept in the table, and a client ID could be removed much sooner than 30 days. -The total size of the cache is set by the type of client computer that is attempting to activate. If a KMS host receives activation requests only from servers, the cache will hold only 10 client IDs (twice the required 5). If a client computer running Windows 10 contacts that KMS host, KMS increases the cache size to 50 to accommodate the higher threshold. KMS never reduces the cache size. - -### Key Management Service connectivity - -KMS activation requires TCP/IP connectivity. By default, KMS hosts and clients use DNS to publish and find the KMS. The default settings can be used, which require little or no administrative action, or KMS hosts and client computers can be manually configured based on network configuration and security requirements. - -### Key Management Service activation renewal - -KMS activations are valid for 180 days (the *activation validity interval*). To remain activated, KMS client computers must renew their activation by connecting to the KMS host at least once every 180 days. By default, KMS client computers attempt to renew their activation every 7 days. If KMS activation fails, the client computer retries every two hours. After a client computer’s activation is renewed, the activation validity interval begins again. - -### Publication of the Key Management Service - -The KMS uses service (SRV) resource records in DNS to store and communicate the locations of KMS hosts. KMS hosts use the DNS dynamic update protocol, if available, to publish the KMS service (SRV) resource records. If dynamic update is not available or the KMS host does not have rights to publish the resource records, the DNS records must be published manually, or you must configure client computers to connect to specific KMS hosts. - -### Client discovery of the Key Management Service - -By default, KMS client computers query DNS for KMS information. The first time a KMS client computer queries DNS for KMS information, it randomly chooses a KMS host from the list of service (SRV) resource records that DNS returns. The address of a DNS server that contains the service (SRV) resource records can be listed as a suffixed entry on KMS client computers, which allows one DNS server to advertise the service (SRV) resource records for KMS, and KMS client computers with other primary DNS servers to find it. -Priority and weight parameters can be added to the DnsDomainPublishList registry value for KMS. Establishing KMS host priority groupings and weighting within each group allows you to specify which KMS host the client computers should try first and balances traffic among multiple KMS hosts. Only Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 provide these priority and weight parameters. -If the KMS host that a client computer selects does not respond, the KMS client computer removes that KMS host from its list of service (SRV) resource records and randomly selects another KMS host from the list. When a KMS host responds, the KMS client computer caches the name of the KMS host and uses it for subsequent activation and renewal attempts. If the cached KMS host does not respond on a subsequent renewal, the KMS client computer discovers a new KMS host by querying DNS for KMS service (SRV) resource records. -By default, client computers connect to the KMS host for activation by using anonymous RPCs through TCP port 1688. (You can change the default port.) After establishing a TCP session with the KMS host, the client computer sends a single request packet. The KMS host responds with the activation count. If the count meets or exceeds the activation threshold for that operating system, the client computer is activated and the session is closed. The KMS client computer uses this same process for renewal requests. 250 bytes are used for communication each way. - -### Domain Name System server configuration - -The default KMS automatic publishing feature requires the service (SRV) resource record and support for DNS dynamic update protocol. KMS client computer default behavior and the KMS service (SRV) resource record publishing are supported on a DNS server that is running Microsoft software or any other DNS server that supports service (SRV) resource records (per Internet Engineering Task Force \[IETF\] Request for Comments \[RFC\] 2782) and dynamic updates (per IETF RFC 2136). For example, Berkeley Internet Domain Name versions 8.x and 9.x support service (SRV) resource records and dynamic update. -The KMS host must be configured so that it has the credentials needed to create and update the following resource records on the DNS servers: service (SRV), IPv4 host (A), and IPv6 host (AAAA), or the records need to be created manually. The recommended solution for giving the KMS host the needed credentials is to create a security group in AD DS, then add all KMS hosts to that group. On a DNS server that is running Microsoft software, ensure that this security group is given full control over the \_VLMCS.\_TCP record in each DNS domain that will contain the KMS service (SRV) resource records. - -### Activating the first Key Management Service host - -KMS hosts on the network need to install a KMS key, and then be activated with Microsoft. Installation of a KMS key enables the KMS on the KMS host. After installing the KMS key, complete the activation of the KMS host by telephone or online. Beyond this initial activation, a KMS host does not communicate any information to Microsoft. KMS keys are only installed on KMS hosts, never on individual KMS client computers. - -### Activating subsequent Key Management Service hosts - -Each KMS key can be installed on up to six KMS hosts. These hosts can be physical computers or virtual machines. After activating a KMS host, the same host can be reactivated up to nine times with the same key. If the organization needs more than six KMS hosts, you can request additional activations for your organization’s KMS key by calling a Microsoft Volume [Licensing Activation Center](https://go.microsoft.com/fwlink/p/?LinkID=618264) to request an exception. - -## How Multiple Activation Key works - -A MAK is used for one-time activation with Microsoft’s hosted activation services. Each MAK has a predetermined number of allowed activations. This number is based on volume licensing agreements, and it might not match the organization’s exact license count. Each activation that uses a MAK with the Microsoft hosted activation service counts toward the activation limit. - -You can activate computers by using a MAK in two ways: -- **MAK independent activation**. Each computer independently connects and is activated with Microsoft over the Internet or by telephone. MAK independent activation is best suited to computers within an organization that do not maintain a connection to the corporate network. MAK independent activation is shown in Figure 16. - - ![MAK independent activation](../images/volumeactivationforwindows81-16.jpg) - - **Figure 16**. MAK independent activation -- **MAK proxy activation**. MAK proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. You configure MAK proxy activation by using the VAMT. MAK proxy activation is appropriate for environments in which security concerns restrict direct access to the Internet or the corporate network. It is also suited for development and test labs that lack this connectivity. MAK proxy activation with the VAMT is shown in Figure 17. - - ![MAK proxy activation with the VAMT](../images/volumeactivationforwindows81-17.jpg) - - **Figure 17**. MAK proxy activation with the VAMT - -A MAK is recommended for computers that rarely or never connect to the corporate network and for environments in which the number of computers that require activation does not meet the KMS activation threshold. - -You can use a MAK for individual computers or with an image that can be duplicated or installed by using Microsoft deployment solutions. You can also use a MAK on a computer that was originally configured to use KMS activation. This is useful for moving a computer off the core network to a disconnected environment. - -### Multiple Activation Key architecture and activation - -MAK independent activation installs a MAK product key on a client computer. The key instructs that computer to activate itself with Microsoft servers over the Internet. -In MAK proxy activation, the VAMT installs a MAK product key on a client computer, obtains the installation ID from the target computer, sends the installation ID to Microsoft on behalf of the client, and obtains a confirmation ID. The tool then activates the client computer by installing the confirmation ID. - -## Activating as a standard user - -Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 do not require administrator privileges for activation, but this change does not allow standard user accounts to remove computers running Windows 7 or Windows Server 2008 R2 from the activated state. An administrator account is still required for other activation- or license-related tasks, such as “rearm.” - -## See also - -- [Volume Activation for Windows 10](volume-activation-windows-10.md) -  -  +--- +title: Activate clients running Windows 10 (Windows 10) +description: After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. +ms.assetid: 39446e49-ad7c-48dc-9f18-f85a11ded643 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: vamt, volume activation, activation, windows activation +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.date: 07/27/2017 +ms.topic: article +--- + +# Activate clients running Windows 10 + +**Applies to** +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 + +**Looking for retail activation?** + +- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) + +After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. If the computer has been configured with a Generic Volume License Key (GVLK), neither IT nor the user need take any action. It just works. +Enterprise edition images and installation media should already be configured with the GVLK. When the client computer starts, the Licensing service examines the current licensing condition of the computer. +If activation or reactivation is required, the following sequence occurs: +1. If the computer is a member of a domain, it asks a domain controller for a volume activation object. If Active Directory-based activation is configured, the domain controller returns the object. If the object matches the edition of the software that is installed and the computer has a matching GVLK, the computer is activated (or reactivated), and it will not need to be activated again for 180 days, although the operating system will attempt reactivation at much shorter, regular intervals. +2. If the computer is not a member of a domain or if the volume activation object is not available, the computer will issue a DNS query to attempt to locate a KMS server. If a KMS server can be contacted, activation occurs if the KMS has a key that matches the computer’s GVLK. +3. The computer tries to activate against Microsoft servers if it is configured with a MAK. + +If the client is not able to activate itself successfully, it will periodically try again. The frequency of the retry attempts depends on the current licensing state and whether the client computer has been successfully activated in the past. For example, if the client computer had been previously activated by Active Directory-based activation, it will periodically try to contact the domain controller at each restart. + +## How Key Management Service works + +KMS uses a client–server topology. KMS client computers can locate KMS host computers by using DNS or a static configuration. KMS clients contact the KMS host by using RPCs carried over TCP/IP. + +### Key Management Service activation thresholds + +You can activate physical computers and virtual machines by contacting a KMS host. To qualify for KMS activation, there must be a minimum number of qualifying computers (called the activation threshold). KMS clients will be activated only after this threshold has been met. Each KMS host counts the number of computers that have requested activation until the threshold is met. + +A KMS host responds to each valid activation request from a KMS client with the count of how many computers have already contacted the KMS host for activation. Client computers that receive a count below the activation threshold are not activated. For example, if the first two computers that contact the KMS host are running Windows 10, the first receives an activation count of 1, and the second receives an activation count of 2. If the next computer is a virtual machine on a computer running Windows 10, it receives an activation count of 3, and so on. None of these computers will be activated, because computers running Windows 10, like other client operating system versions, must receive an activation count of 25 or more. +When KMS clients are waiting for the KMS to reach the activation threshold, they will connect to the KMS host every two hours to get the current activation count. They will be activated when the threshold is met. + +In our example, if the next computer that contacts the KMS host is running Windows Server 2012 R2, it receives an activation count of 4, because activation counts are cumulative. If a computer running Windows Server 2012 R2 receives an activation count that is 5 or more, it is activated. If a computer running Windows 10 receives an activation count of 25 or more, it is activated. + +### Activation count cache + +To track the activation threshold, the KMS host keeps a record of the KMS clients that request activation. The KMS host gives each KMS client a client ID designation, and the KMS host saves each client ID in a table. By default, each activation request remains in the table for up to 30 days. When a client renews its activation, the cached client ID is removed from the table, a new record is created, and the 30day period begins again. If a KMS client computer does not renew its activation within 30 days, the KMS host removes the corresponding client ID from the table and reduces the activation count by one. +However, the KMS host only caches twice the number of client IDs that are required to meet the activation threshold. Therefore, only the 50 most recent client IDs are kept in the table, and a client ID could be removed much sooner than 30 days. +The total size of the cache is set by the type of client computer that is attempting to activate. If a KMS host receives activation requests only from servers, the cache will hold only 10 client IDs (twice the required 5). If a client computer running Windows 10 contacts that KMS host, KMS increases the cache size to 50 to accommodate the higher threshold. KMS never reduces the cache size. + +### Key Management Service connectivity + +KMS activation requires TCP/IP connectivity. By default, KMS hosts and clients use DNS to publish and find the KMS. The default settings can be used, which require little or no administrative action, or KMS hosts and client computers can be manually configured based on network configuration and security requirements. + +### Key Management Service activation renewal + +KMS activations are valid for 180 days (the *activation validity interval*). To remain activated, KMS client computers must renew their activation by connecting to the KMS host at least once every 180 days. By default, KMS client computers attempt to renew their activation every 7 days. If KMS activation fails, the client computer retries every two hours. After a client computer’s activation is renewed, the activation validity interval begins again. + +### Publication of the Key Management Service + +The KMS uses service (SRV) resource records in DNS to store and communicate the locations of KMS hosts. KMS hosts use the DNS dynamic update protocol, if available, to publish the KMS service (SRV) resource records. If dynamic update is not available or the KMS host does not have rights to publish the resource records, the DNS records must be published manually, or you must configure client computers to connect to specific KMS hosts. + +### Client discovery of the Key Management Service + +By default, KMS client computers query DNS for KMS information. The first time a KMS client computer queries DNS for KMS information, it randomly chooses a KMS host from the list of service (SRV) resource records that DNS returns. The address of a DNS server that contains the service (SRV) resource records can be listed as a suffixed entry on KMS client computers, which allows one DNS server to advertise the service (SRV) resource records for KMS, and KMS client computers with other primary DNS servers to find it. +Priority and weight parameters can be added to the DnsDomainPublishList registry value for KMS. Establishing KMS host priority groupings and weighting within each group allows you to specify which KMS host the client computers should try first and balances traffic among multiple KMS hosts. Only Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 provide these priority and weight parameters. +If the KMS host that a client computer selects does not respond, the KMS client computer removes that KMS host from its list of service (SRV) resource records and randomly selects another KMS host from the list. When a KMS host responds, the KMS client computer caches the name of the KMS host and uses it for subsequent activation and renewal attempts. If the cached KMS host does not respond on a subsequent renewal, the KMS client computer discovers a new KMS host by querying DNS for KMS service (SRV) resource records. +By default, client computers connect to the KMS host for activation by using anonymous RPCs through TCP port 1688. (You can change the default port.) After establishing a TCP session with the KMS host, the client computer sends a single request packet. The KMS host responds with the activation count. If the count meets or exceeds the activation threshold for that operating system, the client computer is activated and the session is closed. The KMS client computer uses this same process for renewal requests. 250 bytes are used for communication each way. + +### Domain Name System server configuration + +The default KMS automatic publishing feature requires the service (SRV) resource record and support for DNS dynamic update protocol. KMS client computer default behavior and the KMS service (SRV) resource record publishing are supported on a DNS server that is running Microsoft software or any other DNS server that supports service (SRV) resource records (per Internet Engineering Task Force \[IETF\] Request for Comments \[RFC\] 2782) and dynamic updates (per IETF RFC 2136). For example, Berkeley Internet Domain Name versions 8.x and 9.x support service (SRV) resource records and dynamic update. +The KMS host must be configured so that it has the credentials needed to create and update the following resource records on the DNS servers: service (SRV), IPv4 host (A), and IPv6 host (AAAA), or the records need to be created manually. The recommended solution for giving the KMS host the needed credentials is to create a security group in AD DS, then add all KMS hosts to that group. On a DNS server that is running Microsoft software, ensure that this security group is given full control over the \_VLMCS.\_TCP record in each DNS domain that will contain the KMS service (SRV) resource records. + +### Activating the first Key Management Service host + +KMS hosts on the network need to install a KMS key, and then be activated with Microsoft. Installation of a KMS key enables the KMS on the KMS host. After installing the KMS key, complete the activation of the KMS host by telephone or online. Beyond this initial activation, a KMS host does not communicate any information to Microsoft. KMS keys are only installed on KMS hosts, never on individual KMS client computers. + +### Activating subsequent Key Management Service hosts + +Each KMS key can be installed on up to six KMS hosts. These hosts can be physical computers or virtual machines. After activating a KMS host, the same host can be reactivated up to nine times with the same key. If the organization needs more than six KMS hosts, you can request additional activations for your organization’s KMS key by calling a Microsoft Volume [Licensing Activation Center](https://go.microsoft.com/fwlink/p/?LinkID=618264) to request an exception. + +## How Multiple Activation Key works + +A MAK is used for one-time activation with Microsoft’s hosted activation services. Each MAK has a predetermined number of allowed activations. This number is based on volume licensing agreements, and it might not match the organization’s exact license count. Each activation that uses a MAK with the Microsoft hosted activation service counts toward the activation limit. + +You can activate computers by using a MAK in two ways: +- **MAK independent activation**. Each computer independently connects and is activated with Microsoft over the Internet or by telephone. MAK independent activation is best suited to computers within an organization that do not maintain a connection to the corporate network. MAK independent activation is shown in Figure 16. + + ![MAK independent activation](../images/volumeactivationforwindows81-16.jpg) + + **Figure 16**. MAK independent activation +- **MAK proxy activation**. MAK proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. You configure MAK proxy activation by using the VAMT. MAK proxy activation is appropriate for environments in which security concerns restrict direct access to the Internet or the corporate network. It is also suited for development and test labs that lack this connectivity. MAK proxy activation with the VAMT is shown in Figure 17. + + ![MAK proxy activation with the VAMT](../images/volumeactivationforwindows81-17.jpg) + + **Figure 17**. MAK proxy activation with the VAMT + +A MAK is recommended for computers that rarely or never connect to the corporate network and for environments in which the number of computers that require activation does not meet the KMS activation threshold. + +You can use a MAK for individual computers or with an image that can be duplicated or installed by using Microsoft deployment solutions. You can also use a MAK on a computer that was originally configured to use KMS activation. This is useful for moving a computer off the core network to a disconnected environment. + +### Multiple Activation Key architecture and activation + +MAK independent activation installs a MAK product key on a client computer. The key instructs that computer to activate itself with Microsoft servers over the Internet. +In MAK proxy activation, the VAMT installs a MAK product key on a client computer, obtains the installation ID from the target computer, sends the installation ID to Microsoft on behalf of the client, and obtains a confirmation ID. The tool then activates the client computer by installing the confirmation ID. + +## Activating as a standard user + +Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 do not require administrator privileges for activation, but this change does not allow standard user accounts to remove computers running Windows 7 or Windows Server 2008 R2 from the activated state. An administrator account is still required for other activation- or license-related tasks, such as “rearm.” + +## See also + +- [Volume Activation for Windows 10](volume-activation-windows-10.md) +  +  diff --git a/windows/deployment/volume-activation/active-directory-based-activation-overview.md b/windows/deployment/volume-activation/active-directory-based-activation-overview.md index df06a4be92..b0c4c10975 100644 --- a/windows/deployment/volume-activation/active-directory-based-activation-overview.md +++ b/windows/deployment/volume-activation/active-directory-based-activation-overview.md @@ -1,43 +1,43 @@ ---- -title: Active Directory-Based Activation Overview (Windows 10) -description: Active Directory-Based Activation Overview -ms.assetid: c1dac3bd-6a86-4c45-83dd-421e63a398c0 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 12/07/2018 -ms.topic: article ---- - -# Active Directory-Based Activation overview - -Active Directory-Based Activation (ADBA) enables enterprises to activate computers through a connection to their domain. Many companies have computers at offsite locations that use products that are registered to the company. Previously these computers needed to either use a retail key or a Multiple Activation Key (MAK), or physically connect to the network in order to activate their products by using Key Management Services (KMS). ADBA provides a way to activate these products if the computers can join the company’s domain. When the user joins their computer to the domain, the ADBA object automatically activates Windows installed on their computer, as long as the computer has a Generic Volume License Key (GVLK) installed. No single physical computer is required to act as the activation object, because it is distributed throughout the domain. - -## ADBA scenarios - -You might use ADBA if you only want to activate domain joined devices. - -If you have a server hosting the KMS service, it can be necessary to reactivate licenses if the server is replaced with a new host. This is not necessary When ADBA is used. - -ADBA can also make load balancing easier when multiple KMS servers are present since the client can connect to any domain controller. This is simpler than using the DNS service to load balance by configuring priority and weight values. - -Some VDI solutions also require that new clients activate during creation before they are added to the pool. In this scenario, ADBA can eliminate potential VDI issues that might arise due to a KMS outage. - - -## ADBA methods - -VAMT enables IT Professionals to manage and activate the ADBA object. Activation can be performed using the following methods: -- Online activation: To activate an ADBA forest online, the user selects the **Online activate forest** function, selects a KMS Host key (CSVLK) to use, and gives the ADBA Object a name. -- Proxy activation: For a proxy activation, the user first selects the **Proxy activate forest** function, selects a KMS Host key (CSVLK) to use, gives the ADBA Object a name, and provides a file name to save the CILx file that contains the Installation ID. Next, the user takes that file to a computer that is running VAMT with an Internet connection and then selects the **Acquire confirmation IDs for CILX** function on the VAMT landing page, and provides the original CILx file. When VAMT has loaded the Confirmation IDs into the original CILx file, the user takes this file back to the original VAMT instance, where the user completes the proxy activation process by selecting the **Apply confirmation ID to Active Directory domain** function. - -## Related topics - -- [How to Activate an Active Directory Forest Online](https://go.microsoft.com/fwlink/p/?LinkId=246565) -- [How to Proxy Activate an Active Directory Forest](https://go.microsoft.com/fwlink/p/?LinkId=246566) -  -  +--- +title: Active Directory-Based Activation Overview (Windows 10) +description: Active Directory-Based Activation Overview +ms.assetid: c1dac3bd-6a86-4c45-83dd-421e63a398c0 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 12/07/2018 +ms.topic: article +--- + +# Active Directory-Based Activation overview + +Active Directory-Based Activation (ADBA) enables enterprises to activate computers through a connection to their domain. Many companies have computers at offsite locations that use products that are registered to the company. Previously these computers needed to either use a retail key or a Multiple Activation Key (MAK), or physically connect to the network in order to activate their products by using Key Management Services (KMS). ADBA provides a way to activate these products if the computers can join the company’s domain. When the user joins their computer to the domain, the ADBA object automatically activates Windows installed on their computer, as long as the computer has a Generic Volume License Key (GVLK) installed. No single physical computer is required to act as the activation object, because it is distributed throughout the domain. + +## ADBA scenarios + +You might use ADBA if you only want to activate domain joined devices. + +If you have a server hosting the KMS service, it can be necessary to reactivate licenses if the server is replaced with a new host. This is not necessary When ADBA is used. + +ADBA can also make load balancing easier when multiple KMS servers are present since the client can connect to any domain controller. This is simpler than using the DNS service to load balance by configuring priority and weight values. + +Some VDI solutions also require that new clients activate during creation before they are added to the pool. In this scenario, ADBA can eliminate potential VDI issues that might arise due to a KMS outage. + + +## ADBA methods + +VAMT enables IT Professionals to manage and activate the ADBA object. Activation can be performed using the following methods: +- Online activation: To activate an ADBA forest online, the user selects the **Online activate forest** function, selects a KMS Host key (CSVLK) to use, and gives the ADBA Object a name. +- Proxy activation: For a proxy activation, the user first selects the **Proxy activate forest** function, selects a KMS Host key (CSVLK) to use, gives the ADBA Object a name, and provides a file name to save the CILx file that contains the Installation ID. Next, the user takes that file to a computer that is running VAMT with an Internet connection and then selects the **Acquire confirmation IDs for CILX** function on the VAMT landing page, and provides the original CILx file. When VAMT has loaded the Confirmation IDs into the original CILx file, the user takes this file back to the original VAMT instance, where the user completes the proxy activation process by selecting the **Apply confirmation ID to Active Directory domain** function. + +## Related topics + +- [How to Activate an Active Directory Forest Online](https://go.microsoft.com/fwlink/p/?LinkId=246565) +- [How to Proxy Activate an Active Directory Forest](https://go.microsoft.com/fwlink/p/?LinkId=246566) +  +  diff --git a/windows/deployment/volume-activation/add-manage-products-vamt.md b/windows/deployment/volume-activation/add-manage-products-vamt.md index f913c13504..255bda4716 100644 --- a/windows/deployment/volume-activation/add-manage-products-vamt.md +++ b/windows/deployment/volume-activation/add-manage-products-vamt.md @@ -1,30 +1,30 @@ ---- -title: Add and Manage Products (Windows 10) -description: Add and Manage Products -ms.assetid: a48fbc23-917d-40f7-985c-e49702c05e51 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Add and Manage Products - -This section describes how to add client computers into the Volume Activation Management Tool (VAMT). After the computers are added, you can manage the products that are installed on your network. - -## In this Section - -|Topic |Description | -|------|------------| -|[Add and Remove Computers](add-remove-computers-vamt.md) |Describes how to add client computers to VAMT. | -|[Update Product Status](update-product-status-vamt.md) |Describes how to update the status of product license. | -|[Remove Products](remove-products-vamt.md) |Describes how to remove a product from the product list. | - - - +--- +title: Add and Manage Products (Windows 10) +description: Add and Manage Products +ms.assetid: a48fbc23-917d-40f7-985c-e49702c05e51 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Add and Manage Products + +This section describes how to add client computers into the Volume Activation Management Tool (VAMT). After the computers are added, you can manage the products that are installed on your network. + +## In this Section + +|Topic |Description | +|------|------------| +|[Add and Remove Computers](add-remove-computers-vamt.md) |Describes how to add client computers to VAMT. | +|[Update Product Status](update-product-status-vamt.md) |Describes how to update the status of product license. | +|[Remove Products](remove-products-vamt.md) |Describes how to remove a product from the product list. | + + + diff --git a/windows/deployment/volume-activation/add-remove-computers-vamt.md b/windows/deployment/volume-activation/add-remove-computers-vamt.md index 0f68956571..0784cbb98a 100644 --- a/windows/deployment/volume-activation/add-remove-computers-vamt.md +++ b/windows/deployment/volume-activation/add-remove-computers-vamt.md @@ -1,63 +1,63 @@ ---- -title: Add and Remove Computers (Windows 10) -description: Add and Remove Computers -ms.assetid: cb6f3a78-ece0-4dc7-b086-cb003d82cd52 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.pagetype: activation -ms.date: 04/25/2017 -ms.topic: article ---- - -# Add and Remove Computers - -You can add computers that have any of the supported Windows or Office products installed to a Volume Activation Management Tool (VAMT) database by using the **Discover products** function. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general LDAP query. You can remove computers from a VAMT database by using the **Delete** function. After you add the computers, you can add the products that are installed on the computers by running the **Update license status** function. - -Before adding computers, ensure that the Windows Management Instrumentation (WMI) firewall exception required by VAMT has been enabled on all target computers. For more information see [Configure Client Computers](configure-client-computers-vamt.md). - -## To add computers to a VAMT database - -1. Open VAMT. -2. Click **Discover products** in the **Actions** menu in the right-side pane to open the **Discover Products** dialog box. -3. In the **Discover products** dialog box, click **Search for computers in the Active Directory** to display the search options, then click the search option you want to use. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general LDAP query. - - To search for computers in an Active Directory domain, click **Search for computers in the Active Directory**, then under **Domain Filter Criteria**, in the list of domain names click the name of the domain you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer within the domain. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a". - - To search by individual computer name or IP address, click **Manually enter name or IP address**, then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. Note that VAMT supports both IPv4 and IPV6 addressing. - - To search for computers in a workgroup, click **Search for computers in the workgroup**, then under **Workgroup Filter Criteria**, in the list of workgroup names click the name of the workgroup you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer within the workgroup. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a". - - To search for computers by using a general LDAP query, click **Search with LDAP query** and enter your query in the text box provided. VAMT will validate only the LDAP query syntax, but will otherwise run the query without further checks. -4. Click **Search**. -5. VAMT searches for the specified computers and adds them to the VAMT database. During the search, VAMT displays the **Finding computers** message shown below. - To cancel the search, click **Cancel**. When the search is complete the names of the newly-discovered computers appear in the product list view in the center pane. - - ![VAMT, Finding computers dialog box](images/dep-win8-l-vamt-findingcomputerdialog.gif) - - **Important**   - This step adds only the computers to the VAMT database, and not the products that are installed on the computers. To add the products, you need to run the **Update license status** function. - -## To add products to VAMT - -1. In the **Products** list, select the computers that need to have their product information added to the VAMT database. -2. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -4. Click **Filter**. VAMT displays the filtered list in the center pane. -5. In the right-side **Actions** pane, click **Update license status** and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials different from the ones you used to log into the computer. If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**. -6. VAMT displays the **Collecting product information** dialog box while it collects the licensing status of all supported products on the selected computers. When the process is finished, the updated licensing status of each product will appear in the product list view in the center pane. - - **Note**   - If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading. - -## To remove computers from a VAMT database - -You can delete a computer by clicking on it in the product list view, and then clicking **Delete** in the **Selected Item** menu in the right-hand pane. In the **Confirm Delete Selected Products** dialog box that appears, click **Yes** to delete the computer. If a computer has multiple products listed, you must delete each product to completely remove the computer from the VAMT database. - -## Related topics - -- [Add and Manage Products](add-manage-products-vamt.md) - - +--- +title: Add and Remove Computers (Windows 10) +description: Add and Remove Computers +ms.assetid: cb6f3a78-ece0-4dc7-b086-cb003d82cd52 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.pagetype: activation +ms.date: 04/25/2017 +ms.topic: article +--- + +# Add and Remove Computers + +You can add computers that have any of the supported Windows or Office products installed to a Volume Activation Management Tool (VAMT) database by using the **Discover products** function. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general LDAP query. You can remove computers from a VAMT database by using the **Delete** function. After you add the computers, you can add the products that are installed on the computers by running the **Update license status** function. + +Before adding computers, ensure that the Windows Management Instrumentation (WMI) firewall exception required by VAMT has been enabled on all target computers. For more information see [Configure Client Computers](configure-client-computers-vamt.md). + +## To add computers to a VAMT database + +1. Open VAMT. +2. Click **Discover products** in the **Actions** menu in the right-side pane to open the **Discover Products** dialog box. +3. In the **Discover products** dialog box, click **Search for computers in the Active Directory** to display the search options, then click the search option you want to use. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general LDAP query. + - To search for computers in an Active Directory domain, click **Search for computers in the Active Directory**, then under **Domain Filter Criteria**, in the list of domain names click the name of the domain you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer within the domain. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a". + - To search by individual computer name or IP address, click **Manually enter name or IP address**, then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. Note that VAMT supports both IPv4 and IPV6 addressing. + - To search for computers in a workgroup, click **Search for computers in the workgroup**, then under **Workgroup Filter Criteria**, in the list of workgroup names click the name of the workgroup you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer within the workgroup. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a". + - To search for computers by using a general LDAP query, click **Search with LDAP query** and enter your query in the text box provided. VAMT will validate only the LDAP query syntax, but will otherwise run the query without further checks. +4. Click **Search**. +5. VAMT searches for the specified computers and adds them to the VAMT database. During the search, VAMT displays the **Finding computers** message shown below. + To cancel the search, click **Cancel**. When the search is complete the names of the newly-discovered computers appear in the product list view in the center pane. + + ![VAMT, Finding computers dialog box](images/dep-win8-l-vamt-findingcomputerdialog.gif) + + **Important**   + This step adds only the computers to the VAMT database, and not the products that are installed on the computers. To add the products, you need to run the **Update license status** function. + +## To add products to VAMT + +1. In the **Products** list, select the computers that need to have their product information added to the VAMT database. +2. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. +3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + - To filter the list by computer name, enter a name in the **Computer Name** box. + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. +4. Click **Filter**. VAMT displays the filtered list in the center pane. +5. In the right-side **Actions** pane, click **Update license status** and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials different from the ones you used to log into the computer. If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**. +6. VAMT displays the **Collecting product information** dialog box while it collects the licensing status of all supported products on the selected computers. When the process is finished, the updated licensing status of each product will appear in the product list view in the center pane. + + **Note**   + If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading. + +## To remove computers from a VAMT database + +You can delete a computer by clicking on it in the product list view, and then clicking **Delete** in the **Selected Item** menu in the right-hand pane. In the **Confirm Delete Selected Products** dialog box that appears, click **Yes** to delete the computer. If a computer has multiple products listed, you must delete each product to completely remove the computer from the VAMT database. + +## Related topics + +- [Add and Manage Products](add-manage-products-vamt.md) + + diff --git a/windows/deployment/volume-activation/add-remove-product-key-vamt.md b/windows/deployment/volume-activation/add-remove-product-key-vamt.md index 93ac0b75a1..fc7b9b051d 100644 --- a/windows/deployment/volume-activation/add-remove-product-key-vamt.md +++ b/windows/deployment/volume-activation/add-remove-product-key-vamt.md @@ -1,39 +1,39 @@ ---- -title: Add and Remove a Product Key (Windows 10) -description: Add and Remove a Product Key -ms.assetid: feac32bb-fb96-4802-81b8-c69220dcfcce -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Add and Remove a Product Key - -Before you can use a Multiple Activation Key (MAK), retail, or KMS Host key (CSVLK) product key, you must first add it to the Volume Activation Management Tool (VAMT) database. - -## To Add a Product Key - -1. Open VAMT. -2. In the left-side pane, right-click the **Product Keys** node to open the **Actions** menu. -3. Click **Add product keys** to open the **Add Product Keys** dialog box. -4. In the **Add Product Keys** dialog box, select from one of the following methods to add product keys: - - To add product keys manually, click **Enter product key(s) separated by line breaks**, enter one or more product keys separated by line breaks, and click **Add Key(s)**. - - To import a Comma Separated Values (CSV) file containing a list of product keys, click **Select a product key file to import**, browse to the file location, click **Open** to import the file, and then click **Add Key(s)**. - - **Note**   - If you are activating a large number of products with a MAK, you should refresh the activation count of the MAK, to ensure that the MAK can support the required number of activations. In the product key list in the center pane, select the MAK and click **Refresh product key data online** in the right-side pane to contact Microsoft and retrieve the number of remaining activations for the MAK. This step requires Internet access. You can only retrieve the remaining activation count for MAKs. - -## Remove a Product Key - -- To remove a product key from the list, simply select the key in the list and click **Delete** on the **Selected Items** menu in the right-side pane. Click **Yes** to confirm deletion of the product key. Removing a product key from the VAMT database will not affect the activation state of any products or computers on the network. - -## Related topics - -- [Manage Product Keys](manage-product-keys-vamt.md) +--- +title: Add and Remove a Product Key (Windows 10) +description: Add and Remove a Product Key +ms.assetid: feac32bb-fb96-4802-81b8-c69220dcfcce +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Add and Remove a Product Key + +Before you can use a Multiple Activation Key (MAK), retail, or KMS Host key (CSVLK) product key, you must first add it to the Volume Activation Management Tool (VAMT) database. + +## To Add a Product Key + +1. Open VAMT. +2. In the left-side pane, right-click the **Product Keys** node to open the **Actions** menu. +3. Click **Add product keys** to open the **Add Product Keys** dialog box. +4. In the **Add Product Keys** dialog box, select from one of the following methods to add product keys: + - To add product keys manually, click **Enter product key(s) separated by line breaks**, enter one or more product keys separated by line breaks, and click **Add Key(s)**. + - To import a Comma Separated Values (CSV) file containing a list of product keys, click **Select a product key file to import**, browse to the file location, click **Open** to import the file, and then click **Add Key(s)**. + + **Note**   + If you are activating a large number of products with a MAK, you should refresh the activation count of the MAK, to ensure that the MAK can support the required number of activations. In the product key list in the center pane, select the MAK and click **Refresh product key data online** in the right-side pane to contact Microsoft and retrieve the number of remaining activations for the MAK. This step requires Internet access. You can only retrieve the remaining activation count for MAKs. + +## Remove a Product Key + +- To remove a product key from the list, simply select the key in the list and click **Delete** on the **Selected Items** menu in the right-side pane. Click **Yes** to confirm deletion of the product key. Removing a product key from the VAMT database will not affect the activation state of any products or computers on the network. + +## Related topics + +- [Manage Product Keys](manage-product-keys-vamt.md) diff --git a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md index e311d05013..d56ff58a30 100644 --- a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md +++ b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md @@ -1,71 +1,71 @@ ---- -title: Appendix Information sent to Microsoft during activation (Windows 10) -ms.assetid: 4bfff495-07d0-4385-86e3-7a077cbd64b8 -ms.reviewer: -manager: laurawi -ms.author: greglin -description: -keywords: vamt, volume activation, activation, windows activation -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.topic: article ---- - -# Appendix: Information sent to Microsoft during activation -**Applies to** -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows Server 2008 R2 - -**Looking for retail activation?** - -- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) - -When you activate a computer running Windows 10, the following information is sent to Microsoft: - -- The Microsoft product code (a five-digit code that identifies the Windows product you are activating) -- A channel ID or site code that identifies how the Windows product was originally obtained - - For example, a channel ID or site code identifies whether the product was originally purchased from a retail store, obtained as an evaluation copy, obtained through a volume licensing program, or preinstalled by a computer manufacturer. - -- The date of installation and whether the installation was successful -- Information that helps confirm that your Windows product key has not been altered -- Computer make and model -- Version information for the operating system and software -- Region and language settings -- A unique number called a *globally unique identifier*, which is assigned to your computer -- Product key (hashed) and product ID -- BIOS name, revision number, and revision date -- Volume serial number (hashed) of the hard disk drive -- The result of the activation check - - This includes error codes and the following information about any activation exploits and related malicious or unauthorized software that was found or disabled: - - - The activation exploit’s identifier - - The activation exploit’s current state, such as cleaned or quarantined - - Computer manufacturer’s identification - - The activation exploit’s file name and hash in addition to a hash of related software components that may indicate the presence of an activation exploit -- The name and a hash of the contents of your computer’s startup instructions file -- If your Windows license is on a subscription basis, information about how your subscription works - -Standard computer information is also sent, but your computer’s IP address is only retained temporarily. - -## Use of information - -Microsoft uses the information to confirm that you have a licensed copy of the software. Microsoft does not use the information to contact individual consumers. -For additional details, see [Windows 10 Privacy Statement](https://go.microsoft.com/fwlink/p/?LinkId=619879). - -## See also - -- [Volume Activation for Windows 10](volume-activation-windows-10.md) -  -  +--- +title: Appendix Information sent to Microsoft during activation (Windows 10) +ms.assetid: 4bfff495-07d0-4385-86e3-7a077cbd64b8 +ms.reviewer: +manager: laurawi +ms.author: greglin +description: +keywords: vamt, volume activation, activation, windows activation +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.date: 07/27/2017 +ms.topic: article +--- + +# Appendix: Information sent to Microsoft during activation +**Applies to** +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 + +**Looking for retail activation?** + +- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) + +When you activate a computer running Windows 10, the following information is sent to Microsoft: + +- The Microsoft product code (a five-digit code that identifies the Windows product you are activating) +- A channel ID or site code that identifies how the Windows product was originally obtained + + For example, a channel ID or site code identifies whether the product was originally purchased from a retail store, obtained as an evaluation copy, obtained through a volume licensing program, or preinstalled by a computer manufacturer. + +- The date of installation and whether the installation was successful +- Information that helps confirm that your Windows product key has not been altered +- Computer make and model +- Version information for the operating system and software +- Region and language settings +- A unique number called a *globally unique identifier*, which is assigned to your computer +- Product key (hashed) and product ID +- BIOS name, revision number, and revision date +- Volume serial number (hashed) of the hard disk drive +- The result of the activation check + + This includes error codes and the following information about any activation exploits and related malicious or unauthorized software that was found or disabled: + + - The activation exploit’s identifier + - The activation exploit’s current state, such as cleaned or quarantined + - Computer manufacturer’s identification + - The activation exploit’s file name and hash in addition to a hash of related software components that may indicate the presence of an activation exploit +- The name and a hash of the contents of your computer’s startup instructions file +- If your Windows license is on a subscription basis, information about how your subscription works + +Standard computer information is also sent, but your computer’s IP address is only retained temporarily. + +## Use of information + +Microsoft uses the information to confirm that you have a licensed copy of the software. Microsoft does not use the information to contact individual consumers. +For additional details, see [Windows 10 Privacy Statement](https://go.microsoft.com/fwlink/p/?LinkId=619879). + +## See also + +- [Volume Activation for Windows 10](volume-activation-windows-10.md) +  +  diff --git a/windows/deployment/volume-activation/configure-client-computers-vamt.md b/windows/deployment/volume-activation/configure-client-computers-vamt.md index c602675503..9cd6a07136 100644 --- a/windows/deployment/volume-activation/configure-client-computers-vamt.md +++ b/windows/deployment/volume-activation/configure-client-computers-vamt.md @@ -1,94 +1,94 @@ ---- -title: Configure Client Computers (Windows 10) -description: Configure Client Computers -ms.assetid: a48176c9-b05c-4dd5-a9ef-83073e2370fc -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Configure Client Computers - -To enable the Volume Activation Management Tool (VAMT) to function correctly, certain configuration changes are required on all client computers: - -- An exception must be set in the client computer's firewall. -- A registry key must be created and set properly, for computers in a workgroup; otherwise, Windows® User Account Control (UAC) will not allow remote administrative operations. - -Organizations where the VAMT will be widely used may benefit from making these changes inside the master image for Windows. - -**Important**   -This procedure only applies to clients running Windows Vista or later. For clients running Windows XP Service Pack 1, see [Connecting Through Windows Firewall](https://go.microsoft.com/fwlink/p/?LinkId=182933). - -## Configuring the Windows Firewall to allow VAMT access - -Enable the VAMT to access client computers using the **Windows Firewall** Control Panel: -1. Open Control Panel and double-click **System and Security**. -2. Click **Windows Firewall**. -3. Click **Allow a program or feature through Windows Firewall**. -4. Click the **Change settings** option. -5. Select the **Windows Management Instrumentation (WMI)** checkbox. -6. Click **OK**. - - **Warning**   - By default, Windows Firewall Exceptions only apply to traffic originating on the local subnet. To expand the exception to apply to multiple subnets, you need to change the exception settings in the Windows Firewall with Advanced Security, as described below. - -## Configure Windows Firewall to allow VAMT access across multiple subnets - -Enable the VAMT to access client computers across multiple subnets using the **Windows Firewall with Advanced Security** Control Panel: - -![VAMT Firewall configuration for multiple subnets](images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif) - -1. Open the Control Panel and double-click **Administrative Tools**. -2. Click **Windows Firewall with Advanced Security**. -3. Make your changes for each of the following three WMI items, for the applicable Network Profile (Domain, Public, Private): - - Windows Management Instrumentation (ASync-In) - - Windows Management Instrumentation (DCOM-In) - - Windows Management Instrumentation (WMI-In) - -4. In the **Windows Firewall with Advanced Security** dialog box, select **Inbound Rules** from the left-hand panel. - -5. Right-click the desired rule and select **Properties** to open the **Properties** dialog box. - - - On the **General** tab, select the **Allow the connection** checkbox. - - On the **Scope** tab, change the Remote IP Address setting from "Local Subnet" (default) to allow the specific access you need. - - On the **Advanced** tab, verify selection of all profiles that are applicable to the network (Domain or Private/Public). - -In certain scenarios, only a limited set of TCP/IP ports are allowed through a hardware firewall. Administrators must ensure that WMI (which relies on RPC over TCP/IP) is allowed through these types of firewalls. By default, the WMI port is a dynamically allocated random port above 1024. The following Microsoft knowledge article discusses how administrators can limit the range of dynamically-allocated ports. This is useful if, for example, the hardware firewall only allows traffic in a certain range of ports. -For more info, see [How to configure RPC dynamic port allocation to work with firewalls](https://go.microsoft.com/fwlink/p/?LinkId=182911). - -## Create a registry value for the VAMT to access workgroup-joined computer - -**Caution**   -This section contains information about how to modify the registry. Make sure to back up the registry before you modify it; in addition, ensure that you know how to restore the registry, if a problem occurs. For more information about how to back up, restore, and modify the registry, see [Windows registry information for advanced users](https://go.microsoft.com/fwlink/p/?LinkId=182912). - -On the client computer, create the following registry key using regedit.exe. - -1. Navigate to `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system` -2. Enter the following details: - **Value Name: LocalAccountTokenFilterPolicy** - **Type: DWORD** - **Value Data: 1** - **Note**   - To discover VAMT-manageable Windows computers in workgroups, you must enable network discovery on each client. - -## Deployment options - -There are several options for organizations to configure the WMI firewall exception for computers: -- **Image.** Add the configurations to the master Windows image deployed to all clients. -- **Group Policy.** If the clients are part of a domain, then all clients can be configured using Group Policy. The Group Policy setting for the WMI firewall exception is found in GPMC.MSC at: **Computer Configuration\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Inbound Rules**. -- **Script.** Execute a script using Microsoft System Center Configuration Manager or a third-party remote script execution facility. -- **Manual.** Configure the WMI firewall exception individually on each client. -The above configurations will open an additional port through the Windows Firewall on target computers and should be performed on computers that are protected by a network firewall. In order to allow VAMT to query the up-to-date licensing status, the WMI exception must be maintained. We recommend administrators consult their network security policies and make clear decisions when creating the WMI exception. - -## Related topics - -- [Install and Configure VAMT](install-configure-vamt.md) - - +--- +title: Configure Client Computers (Windows 10) +description: Configure Client Computers +ms.assetid: a48176c9-b05c-4dd5-a9ef-83073e2370fc +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Configure Client Computers + +To enable the Volume Activation Management Tool (VAMT) to function correctly, certain configuration changes are required on all client computers: + +- An exception must be set in the client computer's firewall. +- A registry key must be created and set properly, for computers in a workgroup; otherwise, Windows® User Account Control (UAC) will not allow remote administrative operations. + +Organizations where the VAMT will be widely used may benefit from making these changes inside the master image for Windows. + +**Important**   +This procedure only applies to clients running Windows Vista or later. For clients running Windows XP Service Pack 1, see [Connecting Through Windows Firewall](https://go.microsoft.com/fwlink/p/?LinkId=182933). + +## Configuring the Windows Firewall to allow VAMT access + +Enable the VAMT to access client computers using the **Windows Firewall** Control Panel: +1. Open Control Panel and double-click **System and Security**. +2. Click **Windows Firewall**. +3. Click **Allow a program or feature through Windows Firewall**. +4. Click the **Change settings** option. +5. Select the **Windows Management Instrumentation (WMI)** checkbox. +6. Click **OK**. + + **Warning**   + By default, Windows Firewall Exceptions only apply to traffic originating on the local subnet. To expand the exception to apply to multiple subnets, you need to change the exception settings in the Windows Firewall with Advanced Security, as described below. + +## Configure Windows Firewall to allow VAMT access across multiple subnets + +Enable the VAMT to access client computers across multiple subnets using the **Windows Firewall with Advanced Security** Control Panel: + +![VAMT Firewall configuration for multiple subnets](images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif) + +1. Open the Control Panel and double-click **Administrative Tools**. +2. Click **Windows Firewall with Advanced Security**. +3. Make your changes for each of the following three WMI items, for the applicable Network Profile (Domain, Public, Private): + - Windows Management Instrumentation (ASync-In) + - Windows Management Instrumentation (DCOM-In) + - Windows Management Instrumentation (WMI-In) + +4. In the **Windows Firewall with Advanced Security** dialog box, select **Inbound Rules** from the left-hand panel. + +5. Right-click the desired rule and select **Properties** to open the **Properties** dialog box. + + - On the **General** tab, select the **Allow the connection** checkbox. + - On the **Scope** tab, change the Remote IP Address setting from "Local Subnet" (default) to allow the specific access you need. + - On the **Advanced** tab, verify selection of all profiles that are applicable to the network (Domain or Private/Public). + +In certain scenarios, only a limited set of TCP/IP ports are allowed through a hardware firewall. Administrators must ensure that WMI (which relies on RPC over TCP/IP) is allowed through these types of firewalls. By default, the WMI port is a dynamically allocated random port above 1024. The following Microsoft knowledge article discusses how administrators can limit the range of dynamically-allocated ports. This is useful if, for example, the hardware firewall only allows traffic in a certain range of ports. +For more info, see [How to configure RPC dynamic port allocation to work with firewalls](https://go.microsoft.com/fwlink/p/?LinkId=182911). + +## Create a registry value for the VAMT to access workgroup-joined computer + +**Caution**   +This section contains information about how to modify the registry. Make sure to back up the registry before you modify it; in addition, ensure that you know how to restore the registry, if a problem occurs. For more information about how to back up, restore, and modify the registry, see [Windows registry information for advanced users](https://go.microsoft.com/fwlink/p/?LinkId=182912). + +On the client computer, create the following registry key using regedit.exe. + +1. Navigate to `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system` +2. Enter the following details: + **Value Name: LocalAccountTokenFilterPolicy** + **Type: DWORD** + **Value Data: 1** + **Note**   + To discover VAMT-manageable Windows computers in workgroups, you must enable network discovery on each client. + +## Deployment options + +There are several options for organizations to configure the WMI firewall exception for computers: +- **Image.** Add the configurations to the master Windows image deployed to all clients. +- **Group Policy.** If the clients are part of a domain, then all clients can be configured using Group Policy. The Group Policy setting for the WMI firewall exception is found in GPMC.MSC at: **Computer Configuration\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Inbound Rules**. +- **Script.** Execute a script using Microsoft System Center Configuration Manager or a third-party remote script execution facility. +- **Manual.** Configure the WMI firewall exception individually on each client. +The above configurations will open an additional port through the Windows Firewall on target computers and should be performed on computers that are protected by a network firewall. In order to allow VAMT to query the up-to-date licensing status, the WMI exception must be maintained. We recommend administrators consult their network security policies and make clear decisions when creating the WMI exception. + +## Related topics + +- [Install and Configure VAMT](install-configure-vamt.md) + + diff --git a/windows/deployment/volume-activation/import-export-vamt-data.md b/windows/deployment/volume-activation/import-export-vamt-data.md index 5bdfd8a7ce..5b77d96564 100644 --- a/windows/deployment/volume-activation/import-export-vamt-data.md +++ b/windows/deployment/volume-activation/import-export-vamt-data.md @@ -1,51 +1,51 @@ ---- -title: Import and Export VAMT Data (Windows 10) -description: Import and Export VAMT Data -ms.assetid: 09a2c595-1a61-4da6-bd46-4ba8763cfd4f -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Import and Export VAMT Data - -You can use the Volume Activation Management Tool (VAMT) to import product-activation data from a Computer Information List (.cilx or .cil) file into SQL Server, and to export product-activation data into a .cilx file. A .cilx file is an XML file that stores computer and product-activation data. -You can import data or export data during the following scenarios: -- Import and merge data from previous versions of VAMT. -- Export data to use to perform proxy activations. - -**Warning**   -Editing a .cilx file using an application other than VAMT can corrupt the .cilx file and is not supported. - -## Import VAMT Data - -**To import data into VAMT** -1. Open VAMT. -2. In the right-side **Actions** pane, click **Import list** to open the **Import List** dialog box. -3. In the **Import List** dialog box, navigate to the .cilx file location, select the file, and click **Open**. -4. In the **Volume Activation Management Tool** dialog box, click **OK** to begin the import. VAMT displays a progress message while the file is being imported. Click **OK** when a message appears and confirms that the import has completed successfully. - -## Export VAMT Data - -Exporting VAMT data from a non-Internet-connected VAMT host computer is the first step of proxy activation using multiple VAMT hosts. To export product-activation data to a .cilx file: -1. In the left-side pane, you can click a product you want to export data for, or click **Products** if the list contains data for all products. -2. If you want to export only part of the data in a product list, in the product list view in the center pane select the products you want to export. -3. In the right-side **Actions** pane on, click **Export list** to open the **Export List** dialog box. -4. In the **Export List** dialog box, click **Browse** to navigate to the .cilx file. -5. Under **Export options**, select one of the following data-type options: - - Export products and product keys - - Export products only - - Export proxy activation data only. Selecting this option ensures that the export contains only the licensing information required for the proxy web service to obtain CIDs from Microsoft. No Personally Identifiable Information (PII) is contained in the exported .cilx file when this selection is checked. -6. If you have selected products to export, select the **Export selected product rows only** check box. -7. Click **Save**. VAMT displays a progress message while the data is being exported. Click **OK** when a message appears and confirms that the export has completed successfully. - -## Related topics - -- [Perform Proxy Activation](proxy-activation-vamt.md) +--- +title: Import and Export VAMT Data (Windows 10) +description: Import and Export VAMT Data +ms.assetid: 09a2c595-1a61-4da6-bd46-4ba8763cfd4f +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Import and Export VAMT Data + +You can use the Volume Activation Management Tool (VAMT) to import product-activation data from a Computer Information List (.cilx or .cil) file into SQL Server, and to export product-activation data into a .cilx file. A .cilx file is an XML file that stores computer and product-activation data. +You can import data or export data during the following scenarios: +- Import and merge data from previous versions of VAMT. +- Export data to use to perform proxy activations. + +**Warning**   +Editing a .cilx file using an application other than VAMT can corrupt the .cilx file and is not supported. + +## Import VAMT Data + +**To import data into VAMT** +1. Open VAMT. +2. In the right-side **Actions** pane, click **Import list** to open the **Import List** dialog box. +3. In the **Import List** dialog box, navigate to the .cilx file location, select the file, and click **Open**. +4. In the **Volume Activation Management Tool** dialog box, click **OK** to begin the import. VAMT displays a progress message while the file is being imported. Click **OK** when a message appears and confirms that the import has completed successfully. + +## Export VAMT Data + +Exporting VAMT data from a non-Internet-connected VAMT host computer is the first step of proxy activation using multiple VAMT hosts. To export product-activation data to a .cilx file: +1. In the left-side pane, you can click a product you want to export data for, or click **Products** if the list contains data for all products. +2. If you want to export only part of the data in a product list, in the product list view in the center pane select the products you want to export. +3. In the right-side **Actions** pane on, click **Export list** to open the **Export List** dialog box. +4. In the **Export List** dialog box, click **Browse** to navigate to the .cilx file. +5. Under **Export options**, select one of the following data-type options: + - Export products and product keys + - Export products only + - Export proxy activation data only. Selecting this option ensures that the export contains only the licensing information required for the proxy web service to obtain CIDs from Microsoft. No Personally Identifiable Information (PII) is contained in the exported .cilx file when this selection is checked. +6. If you have selected products to export, select the **Export selected product rows only** check box. +7. Click **Save**. VAMT displays a progress message while the data is being exported. Click **OK** when a message appears and confirms that the export has completed successfully. + +## Related topics + +- [Perform Proxy Activation](proxy-activation-vamt.md) diff --git a/windows/deployment/volume-activation/install-configure-vamt.md b/windows/deployment/volume-activation/install-configure-vamt.md index 5ac36425a9..dc1c9eaa35 100644 --- a/windows/deployment/volume-activation/install-configure-vamt.md +++ b/windows/deployment/volume-activation/install-configure-vamt.md @@ -1,34 +1,34 @@ ---- -title: Install and Configure VAMT (Windows 10) -description: Install and Configure VAMT -ms.assetid: 5c7ae9b9-0dbc-4277-bc4f-8b3e4ab0bf50 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.topic: article ---- - -# Install and Configure VAMT - -This section describes how to install and configure the Volume Activation Management Tool (VAMT). - -## In this Section - -|Topic |Description | -|------|------------| -|[VAMT Requirements](vamt-requirements.md) |Provides system requirements for installing VAMT on a host computer. | -|[Install VAMT](install-vamt.md) |Describes how to get and install VAMT. | -|[Configure Client Computers](configure-client-computers-vamt.md) |Describes how to configure client computers on your network to work with VAMT. | - -## Related topics - -- [Introduction to VAMT](introduction-vamt.md) -  -  +--- +title: Install and Configure VAMT (Windows 10) +description: Install and Configure VAMT +ms.assetid: 5c7ae9b9-0dbc-4277-bc4f-8b3e4ab0bf50 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.date: 07/27/2017 +ms.topic: article +--- + +# Install and Configure VAMT + +This section describes how to install and configure the Volume Activation Management Tool (VAMT). + +## In this Section + +|Topic |Description | +|------|------------| +|[VAMT Requirements](vamt-requirements.md) |Provides system requirements for installing VAMT on a host computer. | +|[Install VAMT](install-vamt.md) |Describes how to get and install VAMT. | +|[Configure Client Computers](configure-client-computers-vamt.md) |Describes how to configure client computers on your network to work with VAMT. | + +## Related topics + +- [Introduction to VAMT](introduction-vamt.md) +  +  diff --git a/windows/deployment/volume-activation/install-kms-client-key-vamt.md b/windows/deployment/volume-activation/install-kms-client-key-vamt.md index 2674b655be..3fe43074c1 100644 --- a/windows/deployment/volume-activation/install-kms-client-key-vamt.md +++ b/windows/deployment/volume-activation/install-kms-client-key-vamt.md @@ -1,43 +1,43 @@ ---- -title: Install a KMS Client Key (Windows 10) -description: Install a KMS Client Key -ms.assetid: d234468e-7917-4cf5-b0a8-4968454f7759 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.topic: article ---- - -# Install a KMS Client Key - -You can use the Volume Activation Management Tool (VAMT) to install Generic Volume License Key (GVLK), or KMS client, product keys. For example, if you are converting a MAK-activated product to KMS activation. - -**Note**   -By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products. - -**To install a KMS Client key** -1. Open VAMT. -2. In the left-side pane click **Products** to open the product list view in the center pane. -3. In the products list view in the center pane, select the products that need to have GVLKs installed. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -5. Click **Filter**. VAMT displays the filtered list in the center pane. -6. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box. -7. The **Install Product Key** dialog box displays the keys that are available to be installed. -8. Select the **Automatically select an AD or KMS client key** option and then click **Install Key**. - - VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. - - The same status is shown under the **Status of Last Action** column in the product list view in the center pane. - -## Related topics - -- [Perform KMS Activation](kms-activation-vamt.md) +--- +title: Install a KMS Client Key (Windows 10) +description: Install a KMS Client Key +ms.assetid: d234468e-7917-4cf5-b0a8-4968454f7759 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.date: 07/27/2017 +ms.topic: article +--- + +# Install a KMS Client Key + +You can use the Volume Activation Management Tool (VAMT) to install Generic Volume License Key (GVLK), or KMS client, product keys. For example, if you are converting a MAK-activated product to KMS activation. + +**Note**   +By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products. + +**To install a KMS Client key** +1. Open VAMT. +2. In the left-side pane click **Products** to open the product list view in the center pane. +3. In the products list view in the center pane, select the products that need to have GVLKs installed. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. +4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + - To filter the list by computer name, enter a name in the **Computer Name** box. + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. +5. Click **Filter**. VAMT displays the filtered list in the center pane. +6. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box. +7. The **Install Product Key** dialog box displays the keys that are available to be installed. +8. Select the **Automatically select an AD or KMS client key** option and then click **Install Key**. + + VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. + + The same status is shown under the **Status of Last Action** column in the product list view in the center pane. + +## Related topics + +- [Perform KMS Activation](kms-activation-vamt.md) diff --git a/windows/deployment/volume-activation/install-product-key-vamt.md b/windows/deployment/volume-activation/install-product-key-vamt.md index 3ca3caf3c4..96908f97d1 100644 --- a/windows/deployment/volume-activation/install-product-key-vamt.md +++ b/windows/deployment/volume-activation/install-product-key-vamt.md @@ -1,45 +1,45 @@ ---- -title: Install a Product Key (Windows 10) -description: Install a Product Key -ms.assetid: 78812c87-2208-4f8b-9c2c-5a8a18b2d648 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.topic: article ---- - -# Install a Product Key - -You can use the Volume Activation Management Tool (VAMT) to install retail, Multiple Activation Key (MAK), and KMS Host key (CSVLK). - -**To install a Product key** -1. Open VAMT. -2. In the left-side pane, click the product that you want to install keys onto. -3. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -5. Click **Filter**. -6. In the products list view in the center pane, sort the list if needed and then select the products that need to have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product. -7. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box. -8. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAK based on the selected products. You can select a recommended product key or a product key from the **All Product Keys** list. Use the scroll bar if you need to view the **Description** for each key. When you have selected the product key you want to install, click **Install Key**. Note that only one key can be installed at a time. -9. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. - - The same status is shown under the **Status of Last Action** column in the product list view in the center pane. - - **Note**   - Product key installation will fail if VAMT finds mismatched key types or editions. VAMT will display the failure status and will continue the installation for the next product in the list. For more information on choosing the correct MAK or KMS Host key (CSVLK), see [How to Choose the Right - Volume License Key for Windows](https://go.microsoft.com/fwlink/p/?linkid=238382). - -## Related topics - -- [Manage Product Keys](manage-product-keys-vamt.md) - - +--- +title: Install a Product Key (Windows 10) +description: Install a Product Key +ms.assetid: 78812c87-2208-4f8b-9c2c-5a8a18b2d648 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.date: 07/27/2017 +ms.topic: article +--- + +# Install a Product Key + +You can use the Volume Activation Management Tool (VAMT) to install retail, Multiple Activation Key (MAK), and KMS Host key (CSVLK). + +**To install a Product key** +1. Open VAMT. +2. In the left-side pane, click the product that you want to install keys onto. +3. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. +4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + - To filter the list by computer name, enter a name in the **Computer Name** box. + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. +5. Click **Filter**. +6. In the products list view in the center pane, sort the list if needed and then select the products that need to have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product. +7. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box. +8. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAK based on the selected products. You can select a recommended product key or a product key from the **All Product Keys** list. Use the scroll bar if you need to view the **Description** for each key. When you have selected the product key you want to install, click **Install Key**. Note that only one key can be installed at a time. +9. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. + + The same status is shown under the **Status of Last Action** column in the product list view in the center pane. + + **Note**   + Product key installation will fail if VAMT finds mismatched key types or editions. VAMT will display the failure status and will continue the installation for the next product in the list. For more information on choosing the correct MAK or KMS Host key (CSVLK), see [How to Choose the Right + Volume License Key for Windows](https://go.microsoft.com/fwlink/p/?linkid=238382). + +## Related topics + +- [Manage Product Keys](manage-product-keys-vamt.md) + + diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md index cf26bea3e6..9a229185cc 100644 --- a/windows/deployment/volume-activation/install-vamt.md +++ b/windows/deployment/volume-activation/install-vamt.md @@ -1,74 +1,74 @@ ---- -title: Install VAMT (Windows 10) -description: Install VAMT -ms.assetid: 2eabd3e2-0a68-43a5-8189-2947e46482fc -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.localizationpriority: medium -ms.date: 03/11/2019 -ms.topic: article ---- - -# Install VAMT - -This topic describes how to install the Volume Activation Management Tool (VAMT). - -## Install VAMT - -You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10. - ->[!IMPORTANT] ->VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products’ license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For Active Directory-Based Activation use, for best results we recommend running VAMT while logged on as a domain administrator.  - ->[!NOTE] ->The VAMT Microsoft Management Console snap-in ships as an x86 package. - -### Requirements - -- [Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access and all updates applied -- [Windows 10, version 1809 ADK](https://go.microsoft.com/fwlink/?linkid=2026036) -- [SQL Server 2017 Express](https://www.microsoft.com/sql-server/sql-server-editions-express) - -### Install SQL Server 2017 Express - -1. Download and open the [SQL Server 2017 Express](https://www.microsoft.com/sql-server/sql-server-editions-express) package. -2. Select **Basic**. -3. Accept the license terms. -4. Enter an install location or use the default path, and then select **Install**. -5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**. - ![In this example, the instance name is SQLEXPRESS01](images/sql-instance.png) - -### Install VAMT using the ADK - -1. Download and open the [Windows 10, version 1809 ADK](https://go.microsoft.com/fwlink/?linkid=2026036) package. -2. Enter an install location or use the default path, and then select **Next**. -3. Select a privacy setting, and then select **Next**. -4. Accept the license terms. -5. On the **Select the features you want to install** page, select **Volume Activation Management Tool (VAMT)**, and then select **Install**. (You can select additional features to install as well.) -6. On the completion page, select **Close**. - -### Configure VAMT to connect to SQL Server 2017 Express - -1. Open **Volume Active Management Tool 3.1** from the Start menu. -2. Enter the server instance name and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example. - - ![Server name is .\SQLEXPRESS and database name is VAMT](images/vamt-db.png) - - - - -## Uninstall VAMT - -To uninstall VAMT using the **Programs and Features** Control Panel: -1. Open **Control Panel** and select **Programs and Features**. -2. Select **Assessment and Deployment Kit** from the list of installed programs and click **Change**. Follow the instructions in the Windows ADK installer to remove VAMT. - - - - +--- +title: Install VAMT (Windows 10) +description: Install VAMT +ms.assetid: 2eabd3e2-0a68-43a5-8189-2947e46482fc +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.date: 03/11/2019 +ms.topic: article +--- + +# Install VAMT + +This topic describes how to install the Volume Activation Management Tool (VAMT). + +## Install VAMT + +You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10. + +>[!IMPORTANT] +>VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products’ license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For Active Directory-Based Activation use, for best results we recommend running VAMT while logged on as a domain administrator.  + +>[!NOTE] +>The VAMT Microsoft Management Console snap-in ships as an x86 package. + +### Requirements + +- [Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access and all updates applied +- [Windows 10, version 1809 ADK](https://go.microsoft.com/fwlink/?linkid=2026036) +- [SQL Server 2017 Express](https://www.microsoft.com/sql-server/sql-server-editions-express) + +### Install SQL Server 2017 Express + +1. Download and open the [SQL Server 2017 Express](https://www.microsoft.com/sql-server/sql-server-editions-express) package. +2. Select **Basic**. +3. Accept the license terms. +4. Enter an install location or use the default path, and then select **Install**. +5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**. + ![In this example, the instance name is SQLEXPRESS01](images/sql-instance.png) + +### Install VAMT using the ADK + +1. Download and open the [Windows 10, version 1809 ADK](https://go.microsoft.com/fwlink/?linkid=2026036) package. +2. Enter an install location or use the default path, and then select **Next**. +3. Select a privacy setting, and then select **Next**. +4. Accept the license terms. +5. On the **Select the features you want to install** page, select **Volume Activation Management Tool (VAMT)**, and then select **Install**. (You can select additional features to install as well.) +6. On the completion page, select **Close**. + +### Configure VAMT to connect to SQL Server 2017 Express + +1. Open **Volume Active Management Tool 3.1** from the Start menu. +2. Enter the server instance name and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example. + + ![Server name is .\SQLEXPRESS and database name is VAMT](images/vamt-db.png) + + + + +## Uninstall VAMT + +To uninstall VAMT using the **Programs and Features** Control Panel: +1. Open **Control Panel** and select **Programs and Features**. +2. Select **Assessment and Deployment Kit** from the list of installed programs and click **Change**. Follow the instructions in the Windows ADK installer to remove VAMT. + + + + diff --git a/windows/deployment/volume-activation/introduction-vamt.md b/windows/deployment/volume-activation/introduction-vamt.md index 57f8ef18af..791d49e497 100644 --- a/windows/deployment/volume-activation/introduction-vamt.md +++ b/windows/deployment/volume-activation/introduction-vamt.md @@ -1,66 +1,66 @@ ---- -title: Introduction to VAMT (Windows 10) -description: Introduction to VAMT -ms.assetid: 0439685e-0bae-4967-b0d4-dd84ca6d7fa7 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Introduction to VAMT - -The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office®, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has one of the following Windows operating systems: Windows® 7, Windows 8, Windows 8.1, Windows 10,Windows Server 2008 R2, or Windows Server 2012. - -**Note**   -VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated. - -## In this Topic -- [Managing Multiple Activation Key (MAK) and Retail Activation](#bkmk-managingmak) -- [Managing Key Management Service (KMS) Activation](#bkmk-managingkms) -- [Enterprise Environment](#bkmk-enterpriseenvironment) -- [VAMT User Interface](#bkmk-userinterface) - -## Managing Multiple Activation Key (MAK) and Retail Activation - -You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios: -- **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft. -- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host. - -## Managing Key Management Service (KMS) Activation - -In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010. -VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types. - -## Enterprise Environment - -VAMT is commonly implemented in enterprise environments. The following illustrates three common environments—Core Network, Secure Zone, and Isolated Lab. - -![VAMT in the enterprise](images/dep-win8-l-vamt-image001-enterprise.jpg) - -In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have additional firewall protection. -The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab. - -## VAMT User Interface - -The following screenshot shows the VAMT graphical user interface. - -![VAMT user interface](images/vamtuserinterfaceupdated.jpg) - -VAMT provides a single, graphical user interface for managing activations, and for performing other activation-related tasks such as: -- **Adding and removing computers.** You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query. -- **Discovering products.** You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers. -- **Monitoring activation status.** You can collect activation information about each product, including the last 5 characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information. -- **Managing product keys.** You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs. -- **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format. - -## Related topics -- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md) - - +--- +title: Introduction to VAMT (Windows 10) +description: Introduction to VAMT +ms.assetid: 0439685e-0bae-4967-b0d4-dd84ca6d7fa7 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Introduction to VAMT + +The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office®, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has one of the following Windows operating systems: Windows® 7, Windows 8, Windows 8.1, Windows 10,Windows Server 2008 R2, or Windows Server 2012. + +**Note**   +VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated. + +## In this Topic +- [Managing Multiple Activation Key (MAK) and Retail Activation](#bkmk-managingmak) +- [Managing Key Management Service (KMS) Activation](#bkmk-managingkms) +- [Enterprise Environment](#bkmk-enterpriseenvironment) +- [VAMT User Interface](#bkmk-userinterface) + +## Managing Multiple Activation Key (MAK) and Retail Activation + +You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios: +- **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft. +- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host. + +## Managing Key Management Service (KMS) Activation + +In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010. +VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types. + +## Enterprise Environment + +VAMT is commonly implemented in enterprise environments. The following illustrates three common environments—Core Network, Secure Zone, and Isolated Lab. + +![VAMT in the enterprise](images/dep-win8-l-vamt-image001-enterprise.jpg) + +In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have additional firewall protection. +The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab. + +## VAMT User Interface + +The following screenshot shows the VAMT graphical user interface. + +![VAMT user interface](images/vamtuserinterfaceupdated.jpg) + +VAMT provides a single, graphical user interface for managing activations, and for performing other activation-related tasks such as: +- **Adding and removing computers.** You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query. +- **Discovering products.** You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers. +- **Monitoring activation status.** You can collect activation information about each product, including the last 5 characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information. +- **Managing product keys.** You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs. +- **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format. + +## Related topics +- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md) + + diff --git a/windows/deployment/volume-activation/kms-activation-vamt.md b/windows/deployment/volume-activation/kms-activation-vamt.md index a72215d2ee..d109d49ad1 100644 --- a/windows/deployment/volume-activation/kms-activation-vamt.md +++ b/windows/deployment/volume-activation/kms-activation-vamt.md @@ -1,49 +1,49 @@ ---- -title: Perform KMS Activation (Windows 10) -description: Perform KMS Activation -ms.assetid: 5a3ae8e6-083e-4153-837e-ab0a225c1d10 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Perform KMS Activation - -The Volume Activation Management Tool (VAMT) can be used to perform volume activation using the Key Management Service (KMS). You can use VAMT to activate Generic Volume Licensing Keys, or KMS client keys, on products accessible to VAMT. GVLKs are the default product keys used by the volume-license editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft Office 2010. GVLKs are already installed in volume-license editions of these products. - -## Requirements - -Before configuring KMS activation, ensure that your network and VAMT installation meet the following requirements: -- KMS host is set up and enabled. -- KMS clients can access the KMS host. -- VAMT is installed on a central computer with network access to all client computers. -- The products to be activated have been added to VAMT. For more information on adding product keys, see [Install a KMS Client Key](install-kms-client-key-vamt.md). -- VAMT has administrative permissions on all computers to be activated, and Windows Management Instrumentation (WMI) is accessible through the Windows Firewall. For more information, see [Configure Client Computers](configure-client-computers-vamt.md). - -## To configure devices for KMS activation - -**To configure devices for KMS activation** -1. Open VAMT. -2. If necessary, set up the KMS activation preferences. If you don’t need to set up the preferences, skip to step 6 in this procedure. Otherwise, continue to step 2. -3. To set up the preferences, on the menu bar click **View**, then click **Preferences** to open the **Volume Activation Management Tool Preferences** dialog box. -4. Under **Key Management Services host selection**, select one of the following options: - - **Find a KMS host automatically using DNS (default)**. If you choose this option, VAMT first clears any previously configured KMS host on the target computer and instructs the computer to query the Domain Name Service (DNS) to locate a KMS host and attempt activation. - - **Find a KMS host using DNS in this domain for supported products**. Enter the domain name. If you choose this option, VAMT first clears any previously configured KMS host on the target computer and instructs the computer to query the DNS in the specified domain to locate a KMS host and attempt activation. - - **Use specific KMS host**. Enter the KMS host name and KMS host port. For environments which do not use DNS for KMS host identification, VAMT sets the specified KMS host name and KMS host port on the target computer, and then instructs the computer to attempt activation with the specific KMS host. -5. Click **Apply**, and then click **OK** to close the **Volume Activation Management Tool Preferences** dialog box. -6. Select the products to be activated by selecting individual products in the product list view in the center pane. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -7. Click **Filter**. VAMT displays the filtered list in the center pane. -8. In the right-side pane, click **Activate** in the **Selected Items** menu, and then click **Volume activate**. -9. Click a credential option. Choose **Alternate credentials** only if you are activating products that require administrator credentials different from the ones you are currently using. -10. If you are supplying alternate credentials, at the prompt, type the appropriate user name and password and click **OK**. -VAMT displays the **Volume Activation** dialog box until it completes the requested action. When the process is finished, the updated activation status of each product appears in the product list view in the center pane. -  +--- +title: Perform KMS Activation (Windows 10) +description: Perform KMS Activation +ms.assetid: 5a3ae8e6-083e-4153-837e-ab0a225c1d10 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Perform KMS Activation + +The Volume Activation Management Tool (VAMT) can be used to perform volume activation using the Key Management Service (KMS). You can use VAMT to activate Generic Volume Licensing Keys, or KMS client keys, on products accessible to VAMT. GVLKs are the default product keys used by the volume-license editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft Office 2010. GVLKs are already installed in volume-license editions of these products. + +## Requirements + +Before configuring KMS activation, ensure that your network and VAMT installation meet the following requirements: +- KMS host is set up and enabled. +- KMS clients can access the KMS host. +- VAMT is installed on a central computer with network access to all client computers. +- The products to be activated have been added to VAMT. For more information on adding product keys, see [Install a KMS Client Key](install-kms-client-key-vamt.md). +- VAMT has administrative permissions on all computers to be activated, and Windows Management Instrumentation (WMI) is accessible through the Windows Firewall. For more information, see [Configure Client Computers](configure-client-computers-vamt.md). + +## To configure devices for KMS activation + +**To configure devices for KMS activation** +1. Open VAMT. +2. If necessary, set up the KMS activation preferences. If you don’t need to set up the preferences, skip to step 6 in this procedure. Otherwise, continue to step 2. +3. To set up the preferences, on the menu bar click **View**, then click **Preferences** to open the **Volume Activation Management Tool Preferences** dialog box. +4. Under **Key Management Services host selection**, select one of the following options: + - **Find a KMS host automatically using DNS (default)**. If you choose this option, VAMT first clears any previously configured KMS host on the target computer and instructs the computer to query the Domain Name Service (DNS) to locate a KMS host and attempt activation. + - **Find a KMS host using DNS in this domain for supported products**. Enter the domain name. If you choose this option, VAMT first clears any previously configured KMS host on the target computer and instructs the computer to query the DNS in the specified domain to locate a KMS host and attempt activation. + - **Use specific KMS host**. Enter the KMS host name and KMS host port. For environments which do not use DNS for KMS host identification, VAMT sets the specified KMS host name and KMS host port on the target computer, and then instructs the computer to attempt activation with the specific KMS host. +5. Click **Apply**, and then click **OK** to close the **Volume Activation Management Tool Preferences** dialog box. +6. Select the products to be activated by selecting individual products in the product list view in the center pane. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + - To filter the list by computer name, enter a name in the **Computer Name** box. + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. +7. Click **Filter**. VAMT displays the filtered list in the center pane. +8. In the right-side pane, click **Activate** in the **Selected Items** menu, and then click **Volume activate**. +9. Click a credential option. Choose **Alternate credentials** only if you are activating products that require administrator credentials different from the ones you are currently using. +10. If you are supplying alternate credentials, at the prompt, type the appropriate user name and password and click **OK**. +VAMT displays the **Volume Activation** dialog box until it completes the requested action. When the process is finished, the updated activation status of each product appears in the product list view in the center pane. +  diff --git a/windows/deployment/volume-activation/local-reactivation-vamt.md b/windows/deployment/volume-activation/local-reactivation-vamt.md index 9b6d9f5afe..309dd5a702 100644 --- a/windows/deployment/volume-activation/local-reactivation-vamt.md +++ b/windows/deployment/volume-activation/local-reactivation-vamt.md @@ -1,47 +1,47 @@ ---- -title: Perform Local Reactivation (Windows 10) -description: Perform Local Reactivation -ms.assetid: aacd5ded-da11-4d27-a866-3f57332f5dec -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Perform Local Reactivation - -If you reinstall Windows® or Microsoft® Office 2010 on a computer that was initially activated using proxy activation (MAK, retail, or CSLVK (KMS host)), and have not made significant changes to the hardware, use this local reactivation procedure to reactivate the program on that computer. -Local reactivation relies upon data that was created during the initial proxy activation and stored in the Volume Activation Management Tool (VAMT) database. The database contains the installation ID (IID) and confirmation ID (Pending CID). Local reactivation uses this data to reapply the CID and reactivate those products. Reapplying the same CID conserves the remaining activations on the key. - -**Note**   -During the initial proxy activation, the CID is bound to a digital “fingerprint”, which is calculated from values assigned to several different hardware components in the computer. If the computer has had significant hardware changes, this fingerprint will no longer match the CID. In this case, you must obtain a new CID for the computer from Microsoft. - -## To Perform a Local Reactivation - -**To perform a local reactivation** -1. Open VAMT. Make sure that you are connected to the desired database. -2. In the left-side pane, click the product you want to reactivate to display the products list. -3. In the product list view in the center pane, select the desired products to be reactivated. You can sort the list by computer name by clicking on the **Computer Name** heading. You can also use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -5. Click **Filter**. VAMT displays the filtered list in the center pane. -6. In the right-side pane, click **Activate**, and then click **Apply Confirmation ID**. -7. Click a credential option. Choose **Alternate credentials** only if you are reactivating products that require administrator credentials different from the ones you are currently using. -8. If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**. - - VAMT displays the **Apply Confirmation ID** dialog box. - -10. If you are using a different product key than the product key used for initial activation, you must complete a new activation to obtain a new CID. -11. If you are activating a product that requires administrator credentials different from the ones you are currently using, select the **Use Alternate Credentials** check box. -12. Click **OK**. - -## Related topics - -- [Manage Activations](manage-activations-vamt.md) +--- +title: Perform Local Reactivation (Windows 10) +description: Perform Local Reactivation +ms.assetid: aacd5ded-da11-4d27-a866-3f57332f5dec +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Perform Local Reactivation + +If you reinstall Windows® or Microsoft® Office 2010 on a computer that was initially activated using proxy activation (MAK, retail, or CSLVK (KMS host)), and have not made significant changes to the hardware, use this local reactivation procedure to reactivate the program on that computer. +Local reactivation relies upon data that was created during the initial proxy activation and stored in the Volume Activation Management Tool (VAMT) database. The database contains the installation ID (IID) and confirmation ID (Pending CID). Local reactivation uses this data to reapply the CID and reactivate those products. Reapplying the same CID conserves the remaining activations on the key. + +**Note**   +During the initial proxy activation, the CID is bound to a digital “fingerprint”, which is calculated from values assigned to several different hardware components in the computer. If the computer has had significant hardware changes, this fingerprint will no longer match the CID. In this case, you must obtain a new CID for the computer from Microsoft. + +## To Perform a Local Reactivation + +**To perform a local reactivation** +1. Open VAMT. Make sure that you are connected to the desired database. +2. In the left-side pane, click the product you want to reactivate to display the products list. +3. In the product list view in the center pane, select the desired products to be reactivated. You can sort the list by computer name by clicking on the **Computer Name** heading. You can also use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. +4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + - To filter the list by computer name, enter a name in the **Computer Name** box. + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. +5. Click **Filter**. VAMT displays the filtered list in the center pane. +6. In the right-side pane, click **Activate**, and then click **Apply Confirmation ID**. +7. Click a credential option. Choose **Alternate credentials** only if you are reactivating products that require administrator credentials different from the ones you are currently using. +8. If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**. + + VAMT displays the **Apply Confirmation ID** dialog box. + +10. If you are using a different product key than the product key used for initial activation, you must complete a new activation to obtain a new CID. +11. If you are activating a product that requires administrator credentials different from the ones you are currently using, select the **Use Alternate Credentials** check box. +12. Click **OK**. + +## Related topics + +- [Manage Activations](manage-activations-vamt.md) diff --git a/windows/deployment/volume-activation/manage-activations-vamt.md b/windows/deployment/volume-activation/manage-activations-vamt.md index 36a4814fd5..318cd0cb65 100644 --- a/windows/deployment/volume-activation/manage-activations-vamt.md +++ b/windows/deployment/volume-activation/manage-activations-vamt.md @@ -1,33 +1,33 @@ ---- -title: Manage Activations (Windows 10) -description: Manage Activations -ms.assetid: 53bad9ed-9430-4f64-a8de-80613870862c -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Manage Activations - -This section describes how to activate a client computer, by using a variety of activation methods. - -## In this Section - -|Topic |Description | -|------|------------| -|[Perform Online Activation](online-activation-vamt.md) |Describes how to activate a client computer over the Internet. | -|[Perform Proxy Activation](proxy-activation-vamt.md) |Describes how to perform volume activation for client products that do not have Internet access. | -|[Perform KMS Activation](kms-activation-vamt.md) |Describes how perform volume activation using the Key Management Service (KMS). | -|[Perform Local Reactivation](local-reactivation-vamt.md) |Describes how to reactivate an operating system or Office program that was reinstalled. | -|[Activate an Active Directory Forest Online](activate-forest-vamt.md) |Describes how to use Active Directory-Based Activation to online activate an Active Directory forest. | -|[Activate by Proxy an Active Directory Forest](activate-forest-by-proxy-vamt.md) |Describes how to use Active Directory-Based Activation to proxy activate an Active Directory forest that is not connected to the Internet. | - - - +--- +title: Manage Activations (Windows 10) +description: Manage Activations +ms.assetid: 53bad9ed-9430-4f64-a8de-80613870862c +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Manage Activations + +This section describes how to activate a client computer, by using a variety of activation methods. + +## In this Section + +|Topic |Description | +|------|------------| +|[Perform Online Activation](online-activation-vamt.md) |Describes how to activate a client computer over the Internet. | +|[Perform Proxy Activation](proxy-activation-vamt.md) |Describes how to perform volume activation for client products that do not have Internet access. | +|[Perform KMS Activation](kms-activation-vamt.md) |Describes how perform volume activation using the Key Management Service (KMS). | +|[Perform Local Reactivation](local-reactivation-vamt.md) |Describes how to reactivate an operating system or Office program that was reinstalled. | +|[Activate an Active Directory Forest Online](activate-forest-vamt.md) |Describes how to use Active Directory-Based Activation to online activate an Active Directory forest. | +|[Activate by Proxy an Active Directory Forest](activate-forest-by-proxy-vamt.md) |Describes how to use Active Directory-Based Activation to proxy activate an Active Directory forest that is not connected to the Internet. | + + + diff --git a/windows/deployment/volume-activation/manage-product-keys-vamt.md b/windows/deployment/volume-activation/manage-product-keys-vamt.md index 80fd4d4ff0..bedd50af8f 100644 --- a/windows/deployment/volume-activation/manage-product-keys-vamt.md +++ b/windows/deployment/volume-activation/manage-product-keys-vamt.md @@ -1,29 +1,29 @@ ---- -title: Manage Product Keys (Windows 10) -description: Manage Product Keys -ms.assetid: 4c6c4216-b4b7-437c-904e-4cb257f913cd -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Manage Product Keys - -This section describes how to add and remove a product key from the Volume Activation Management Tool (VAMT). After you add a product key to VAMT, you can install that product key on a product or products you select in the VAMT database. -## In this Section - -|Topic |Description | -|------|------------| -|[Add and Remove a Product Key](add-remove-product-key-vamt.md) |Describes how to add a product key to the VAMT database. | -|[Install a Product Key](install-product-key-vamt.md) |Describes how to install a product key for specific product. | -|[Install a KMS Client Key](install-kms-client-key-vamt.md) |Describes how to install a GVLK (KMS client) key. | - - - +--- +title: Manage Product Keys (Windows 10) +description: Manage Product Keys +ms.assetid: 4c6c4216-b4b7-437c-904e-4cb257f913cd +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Manage Product Keys + +This section describes how to add and remove a product key from the Volume Activation Management Tool (VAMT). After you add a product key to VAMT, you can install that product key on a product or products you select in the VAMT database. +## In this Section + +|Topic |Description | +|------|------------| +|[Add and Remove a Product Key](add-remove-product-key-vamt.md) |Describes how to add a product key to the VAMT database. | +|[Install a Product Key](install-product-key-vamt.md) |Describes how to install a product key for specific product. | +|[Install a KMS Client Key](install-kms-client-key-vamt.md) |Describes how to install a GVLK (KMS client) key. | + + + diff --git a/windows/deployment/volume-activation/manage-vamt-data.md b/windows/deployment/volume-activation/manage-vamt-data.md index e647b8109a..7d068975cd 100644 --- a/windows/deployment/volume-activation/manage-vamt-data.md +++ b/windows/deployment/volume-activation/manage-vamt-data.md @@ -1,25 +1,25 @@ ---- -title: Manage VAMT Data (Windows 10) -description: Manage VAMT Data -ms.assetid: 233eefa4-3125-4965-a12d-297a67079dc4 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Manage VAMT Data - -This section describes how to save, import, export, and merge a Computer Information List (CILX) file using the Volume Activation Management Tool (VAMT). - -## In this Section -|Topic |Description | -|------|------------| -|[Import and Export VAMT Data](import-export-vamt-data.md) |Describes how to import and export VAMT data. | -|[Use VAMT in Windows PowerShell](use-vamt-in-windows-powershell.md) |Describes how to access Windows PowerShell and how to import the VAMT PowerShell module. | +--- +title: Manage VAMT Data (Windows 10) +description: Manage VAMT Data +ms.assetid: 233eefa4-3125-4965-a12d-297a67079dc4 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Manage VAMT Data + +This section describes how to save, import, export, and merge a Computer Information List (CILX) file using the Volume Activation Management Tool (VAMT). + +## In this Section +|Topic |Description | +|------|------------| +|[Import and Export VAMT Data](import-export-vamt-data.md) |Describes how to import and export VAMT data. | +|[Use VAMT in Windows PowerShell](use-vamt-in-windows-powershell.md) |Describes how to access Windows PowerShell and how to import the VAMT PowerShell module. | diff --git a/windows/deployment/volume-activation/monitor-activation-client.md b/windows/deployment/volume-activation/monitor-activation-client.md index 91adf217f6..ea131b996d 100644 --- a/windows/deployment/volume-activation/monitor-activation-client.md +++ b/windows/deployment/volume-activation/monitor-activation-client.md @@ -1,45 +1,44 @@ ---- -title: Monitor activation (Windows 10) -ms.assetid: 264a3e86-c880-4be4-8828-bf4c839dfa26 -ms.reviewer: -manager: laurawi -audience: itpro -ms.author: greglin -description: -keywords: vamt, volume activation, activation, windows activation -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.localizationpriority: medium -ms.topic: article ---- - -# Monitor activation - -**Applies to** -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows Server 2008 R2 - -**Looking for retail activation?** - -- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) - -You can monitor the success of the activation process for a computer running Windows in several ways. The most popular methods include: -- Using the Volume Licensing Service Center website to track use of MAK keys. -- Using the **Slmgr /dlv** command on a client computer or on the KMS host. (For a full list of options, see [Slmgr.vbs Options](https://technet.microsoft.com/library/ff793433.aspx).) -- Viewing the licensing status, which is exposed through Windows Management Instrumentation (WMI); therefore, it is available to non-Microsoft or custom tools that can access WMI. (Windows PowerShell can also access WMI information.) -- Most licensing actions and events are recorded in the Event log (ex: Application Log events 12288-12290). -- Microsoft System Center Operations Manager and the KMS Management Pack can provide insight and information to users of System Center Operations Manager. -- See [Troubleshooting activation error codes](https://docs.microsoft.com/windows-server/get-started/activation-error-codes) for information about troubleshooting procedures for Multiple Activation Key (MAK) or the Key Management Service (KMS). -- The VAMT provides a single site from which to manage and monitor volume activations. This is explained in the next section. - -## See also - -[Volume Activation for Windows 10](volume-activation-windows-10.md) \ No newline at end of file +--- +title: Monitor activation (Windows 10) +ms.assetid: 264a3e86-c880-4be4-8828-bf4c839dfa26 +ms.reviewer: +manager: laurawi +ms.author: greglin +description: +keywords: vamt, volume activation, activation, windows activation +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.topic: article +--- + +# Monitor activation + +**Applies to** +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 + +**Looking for retail activation?** + +- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) + +You can monitor the success of the activation process for a computer running Windows in several ways. The most popular methods include: +- Using the Volume Licensing Service Center website to track use of MAK keys. +- Using the **Slmgr /dlv** command on a client computer or on the KMS host. (For a full list of options, see [Slmgr.vbs Options](https://technet.microsoft.com/library/ff793433.aspx).) +- Viewing the licensing status, which is exposed through Windows Management Instrumentation (WMI); therefore, it is available to non-Microsoft or custom tools that can access WMI. (Windows PowerShell can also access WMI information.) +- Most licensing actions and events are recorded in the Event log (ex: Application Log events 12288-12290). +- Microsoft System Center Operations Manager and the KMS Management Pack can provide insight and information to users of System Center Operations Manager. +- See [Troubleshooting activation error codes](https://docs.microsoft.com/windows-server/get-started/activation-error-codes) for information about troubleshooting procedures for Multiple Activation Key (MAK) or the Key Management Service (KMS). +- The VAMT provides a single site from which to manage and monitor volume activations. This is explained in the next section. + +## See also + +[Volume Activation for Windows 10](volume-activation-windows-10.md) diff --git a/windows/deployment/volume-activation/online-activation-vamt.md b/windows/deployment/volume-activation/online-activation-vamt.md index d9a73bae46..45f237024f 100644 --- a/windows/deployment/volume-activation/online-activation-vamt.md +++ b/windows/deployment/volume-activation/online-activation-vamt.md @@ -1,55 +1,55 @@ ---- -title: Perform Online Activation (Windows 10) -description: Perform Online Activation -ms.assetid: 8381792b-a454-4e66-9b4c-e6e4c9303823 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Perform Online Activation - -You can use the Volume Activation Management Tool (VAMT) to enable client products to be activated over the Internet. You can install the client products with any kind of product key that is eligible for online activation—Multiple Activation Key (MAK), retail, and Windows Key Management Services (KMS) host key. - -## Requirements - -Before performing online activation, ensure that the network and the VAMT installation meet the following requirements: -- VAMT is installed on a central computer that has network access to all client computers. -- Both the VAMT host and client computers have Internet access. -- The products that you want to activate are added to VAMT. -- VAMT has administrative permissions on all computers that you intend to activate, and that Windows Management Instrumentation (WMI) can be accessed through the Windows firewall. For more information, see [Configure Client Computers](configure-client-computers-vamt.md). - -The product keys that are installed on the client products must have a sufficient number of remaining activations. If you are activating a MAK key, you can retrieve the remaining number of activations for that key by selecting the MAK in the product key list in the center pane and then clicking -**Refresh product key data online** in the right-side pane. This retrieves the number of remaining activations for the MAK from Microsoft. Note that this step requires Internet access and that the remaining activation count can only be retrieved for MAKs. - -## To Perform an Online Activation - -**To perform an online activation** -1. Open VAMT. -2. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -4. Click **Filter**. VAMT displays the filtered list in the center pane. -5. Select the products that you want to activate. You can use the **CTRL** key or the **SHIFT** key to select more than one product. -6. Click **Activate** in the **Selected Items** menu in the right-side **Actions** pane and then point to **Activate**. If the **Actions** pane is not displayed, click the Show/Hide Action Pane button, which is located on the toolbar to the right of the Help button. -7. Point to **Online activate**, and then select the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password. -8. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. - - The same status is shown under the **Status of Last Action** column in the products list view in the center pane. - - **Note**   - Online activation does not enable you to save the Confirmation IDs (CIDs). As a result, you cannot perform local reactivation. - - **Note** - You can use online activation to select products that have different key types and activate the products at the same time. - -## Related topics -- [Manage Activations](manage-activations-vamt.md) +--- +title: Perform Online Activation (Windows 10) +description: Perform Online Activation +ms.assetid: 8381792b-a454-4e66-9b4c-e6e4c9303823 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Perform Online Activation + +You can use the Volume Activation Management Tool (VAMT) to enable client products to be activated over the Internet. You can install the client products with any kind of product key that is eligible for online activation—Multiple Activation Key (MAK), retail, and Windows Key Management Services (KMS) host key. + +## Requirements + +Before performing online activation, ensure that the network and the VAMT installation meet the following requirements: +- VAMT is installed on a central computer that has network access to all client computers. +- Both the VAMT host and client computers have Internet access. +- The products that you want to activate are added to VAMT. +- VAMT has administrative permissions on all computers that you intend to activate, and that Windows Management Instrumentation (WMI) can be accessed through the Windows firewall. For more information, see [Configure Client Computers](configure-client-computers-vamt.md). + +The product keys that are installed on the client products must have a sufficient number of remaining activations. If you are activating a MAK key, you can retrieve the remaining number of activations for that key by selecting the MAK in the product key list in the center pane and then clicking +**Refresh product key data online** in the right-side pane. This retrieves the number of remaining activations for the MAK from Microsoft. Note that this step requires Internet access and that the remaining activation count can only be retrieved for MAKs. + +## To Perform an Online Activation + +**To perform an online activation** +1. Open VAMT. +2. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. +3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + - To filter the list by computer name, enter a name in the **Computer Name** box. + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. +4. Click **Filter**. VAMT displays the filtered list in the center pane. +5. Select the products that you want to activate. You can use the **CTRL** key or the **SHIFT** key to select more than one product. +6. Click **Activate** in the **Selected Items** menu in the right-side **Actions** pane and then point to **Activate**. If the **Actions** pane is not displayed, click the Show/Hide Action Pane button, which is located on the toolbar to the right of the Help button. +7. Point to **Online activate**, and then select the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password. +8. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. + + The same status is shown under the **Status of Last Action** column in the products list view in the center pane. + + **Note**   + Online activation does not enable you to save the Confirmation IDs (CIDs). As a result, you cannot perform local reactivation. + + **Note** + You can use online activation to select products that have different key types and activate the products at the same time. + +## Related topics +- [Manage Activations](manage-activations-vamt.md) diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md index 92c3657316..c5c02eb7d8 100644 --- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md +++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md @@ -1,232 +1,232 @@ ---- -title: Plan for volume activation (Windows 10) -description: Product activation is the process of validating software with the manufacturer after it has been installed on a specific computer. -ms.assetid: f84b005b-c362-4a70-a84e-4287c0d2e4ca -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: vamt, volume activation, activation, windows activation -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.localizationpriority: medium -ms.date: 09/27/2017 -ms.topic: article ---- - -# Plan for volume activation - -**Applies to** -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows Server 2008 R2 - -**Looking for retail activation?** - -- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) - -*Product activation* is the process of validating software with the manufacturer after it has been installed on a specific computer. Activation confirms that the product is genuine—not a fraudulent copy—and that the product key or serial number is valid and has not been compromised or revoked. Activation also establishes a link or relationship between the product key and the particular installation. - -During the activation process, information about the specific installation is examined. In the case of online activations, this information is sent to a server at Microsoft. This information may include the software version, the product key, the IP address of the computer, and information about the device. The activation methods that Microsoft uses are designed to help protect user privacy, and they cannot be used to track back to the computer or user. The gathered data confirms that the software is a legally licensed copy, and this data is used for statistical analysis. Microsoft does not use this information to identify or contact the user or the organization. - ->[!NOTE] ->The IP address is used only to verify the location of the request, because some editions of Windows (such as “Starter” editions) can only be activated within certain geographical target markets. - -## Distribution channels and activation - -In general, Microsoft software is obtained through three main channels: retail, original equipment manufacturer (OEM), and volume licensing agreements. Different activations methods are available through each channel. Because organizations are free to obtain software through multiple channels (for example, buying some at retail and others through a volume licensing program) most organizations choose to use a combination of activation methods. - -### Retail activations - -The retail activation method has not changed in several versions of Windows and Windows Server. Each purchased copy comes with one unique product key (often referred to as a retail key). The user enters this key during product installation. The computer uses this retail key to complete the activation after the installation is complete. Most activations are performed online, but telephone activation is also available. -Recently, retail keys have been expanded into new distribution scenarios. Product key cards are available to activate products that have been preinstalled or downloaded. Programs such as Windows Anytime Upgrade and Get Genuine allow users to acquire legal keys separately from the software. These electronically distributed keys may come with media that contains software, they can come as a software shipment, or they may be provided on a printed card or electronic copy. Products are activated the same way with any of these retail keys. - -### Original equipment manufacturer - -Most original equipment manufacturers (OEMs) sell systems that include a standard build of the Windows operating system. The hardware vendor activates Windows by associating the operating system with the firmware (BIOS) of the computer. This occurs before the computer is sent to the customer, and no additional actions are required. -OEM activation is valid as long as the customer uses the OEM-provided image on the system. OEM activation is available only for computers that are purchased through OEM channels and have the Windows operating system preinstalled. - -### Volume licensing - -Volume licensing offers customized programs that are tailored to the size and purchasing preference of the organization. To become a volume licensing customer, the organization must set up a volume licensing agreement with Microsoft.There is a common misunderstanding about acquiring licenses for a new computer through volume licensing. There are two legal ways to acquire a full Windows client license for a new computer: -- Have the license preinstalled through the OEM. -- Purchase a fully packaged retail product. - -The licenses that are provided through volume licensing programs such as Open License, Select License, and Enterprise Agreements cover upgrades to Windows client operating systems only. An existing retail or OEM operating system license is needed for each computer running Windows 10, Windows 8.1 Pro, Windows 8 Pro, Windows 7 Professional or Ultimate, or Windows XP Professional before the upgrade rights obtained through volume licensing can be exercised. -Volume licensing is also available through certain subscription or membership programs, such as the Microsoft Partner Network and MSDN. These volume licenses may contain specific restrictions or other changes to the general terms applicable to volume licensing. - -**Note**   -Some editions of the operating system, such as Windows 10 Enterprise, and some editions of application software are available only through volume licensing agreements or subscriptions. - -## Activation models - -For a user or IT department, there are no significant choices about how to activate products that are acquired through retail or OEM channels. The OEM performs the activation at the factory, and the user or the IT department need take no activation steps. - -With a retail product, the Volume Activation Management Tool (VAMT), which is discussed later in this guide, helps you track and manage keys. For each retail activation, you can choose: -- Online activation -- Telephone activation -- VAMT proxy activation - -Telephone activation is primarily used in situations where a computer is isolated from all networks. VAMT proxy activation (with retail keys) is sometimes used when an IT department wants to centralize retail activations or when a computer with a retail version of the operating system is isolated from the Internet but connected to the LAN. For volume-licensed products, however, you must determine the best method or combination of methods to use in your environment. For Windows 10 Pro and Enterprise, you can choose from three models: -- MAKs -- KMS -- Active Directory-based activation - -**Note**   -A specialized method, Token-based activation, is available for specific situations when approved customers rely on a public key infrastructure in a completely isolated, and usually high-security, environment. For more information, contact your Microsoft Account Team or your service representative. -Token-based Activation option is available for Windows 10 Enterprise LTSB editions (Version 1507 and 1607). - -### Multiple activation key - -A Multiple Activation Key (MAK) is commonly used in small- or mid-sized organizations that have a volume licensing agreement, but they do not meet the requirements to operate a KMS or they prefer a simpler approach. A MAK also -allows permanent activation of computers that are isolated from the KMS or are part of an isolated network that does not have enough computers to use the KMS. - -To use a MAK, the computers to be activated must have a MAK installed. The MAK is used for one-time activation with the Microsoft online hosted activation services, by telephone, or by using VAMT proxy activation. -In the simplest terms, a MAK acts like a retail key, except that a MAK is valid for activating multiple computers. Each MAK can be used a specific number of times. The VAMT can assist in tracking the number of activations that have been performed with each key and how many remain. - -Organizations can download MAK and KMS keys from the [Volume Licensing Service Center](https://go.microsoft.com/fwlink/p/?LinkId=618213) website. Each MAK has a preset number of activations, which are based on a percentage of the count of licenses the organization purchases; however, you can increase the number of activations that are available with your MAK by calling Microsoft. - -### Key Management Service - -With the Key Management Service (KMS), IT pros can complete activations on their local network, eliminating the need for individual computers to connect to Microsoft for product activation. The KMS is a lightweight service that does not require a dedicated system and can easily be cohosted on a system that provides other services. - -Volume editions of Windows 10 and Windows Server 2012 R2 (in addition to volume editions of operating system editions since Windows Vista and Windows Server 2008) automatically connect to a system that hosts the KMS to request activation. No action is required from the user. - -The KMS requires a minimum number of computers (physical computers or virtual machines) in a network environment. The organization must have at least five computers to activate Windows Server 2012 R2 and at least 25 computers to activate client computers that are running Windows 10. These minimums are referred to as *activation thresholds*. - -Planning to use the KMS includes selecting the best location for the KMS host and how many KMS hosts to have. One KMS host can handle a large number of activations, but organizations will often deploy two KMS hosts to ensure availability. Only rarely would more than two KMS hosts be used. The KMS can be hosted on a client computer or on a server, and it can be run on older versions of the operating system if proper configuration steps are taken. Setting up your KMS is discussed later in this guide. - -### Active Directory-based activation - -Active Directory-based activation is the newest type of volume activation, and it was introduced in Windows 8. In many ways, Active Directory-based activation is similar to activation by using the KMS, but the activated computer does not need to maintain periodic connectivity with the KMS host. Instead, a domain-joined computer running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 queries AD DS for a volume activation object that is stored in the domain. The operating system checks the digital signatures that are contained in the activation object, and then activates the device. - -Active Directory-based activation allows enterprises to activate computers through a connection to their domain. Many companies have computers at remote or branch locations, where it is impractical to connect to a KMS, or would not reach the KMS activation threshold. Rather than use MAKs, Active Directory-based activation provides a way to activate computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 as long as the computers can contact the company’s domain. Active Directory-based activation offers the advantage of extending volume activation services everywhere you already have a domain presence. - -## Network and connectivity - -A modern business network has many nuances and interconnections. This section examines evaluating your network and the connections that are available to determine how volume activations will occur. - -### Core network - -Your core network is that part of your network that enjoys stable, high-speed, reliable connectivity to infrastructure servers. In many cases, the core network is also connected to the Internet, although that is not a requirement to use the KMS or Active Directory-based activation after the KMS server or AD DS is configured and active. Your core network likely consists of many network segments. In many organizations, the core network makes up the vast majority of the business network. - -In the core network, a centralized KMS solution is usually recommended. You can also use Active Directory-based activation, but in many organizations, KMS will still be required to activate older client computers and computers that are not joined to the domain. Some administrators prefer to run both solutions to have the most flexibility, while others prefer to choose only a KMS-based solution for simplicity. Active Directory-based activation as the only solution is workable if all of the clients in your organization are running Windows 10, Windows 8.1, or Windows 8. - -A typical core network that includes a KMS host is shown in Figure 1. - -![Typical core network](../images/volumeactivationforwindows81-01.jpg) - -**Figure 1**. Typical core network - -### Isolated networks - -In a large network, it is all but guaranteed that some segments will be isolated, either for security reasons or because of geography or connectivity issues. - -**Isolated for security** - -Sometimes called a *high-security zone*, a particular network segment may be isolated from the core network by a firewall or disconnected from other networks totally. The best solution for activating computers in an isolated network depends on the security policies in place in the organization. - -If the isolated network can access the core network by using outbound requests on TCP port 1688, and it is allowed to receive remote procedure calls (RPCs), you can perform activation by using the KMS in the core network, thereby avoiding the need to reach additional activation thresholds. - -If the isolated network participates fully in the corporate forest, and it can make typical connections to domain controllers, such as using Lightweight Directory Access Protocol (LDAP) for queries and Domain Name Service (DNS) for name resolution, this is a good opportunity to use Active Directory-based activation for Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, and Windows Server 2012 R2. - -If the isolated network cannot communicate with the core network’s KMS server, and it cannot use Active Directory-based activation, you can set up a KMS host in the isolated network. This configuration is shown in Figure 2. However, if the isolated network contains only a few computers, it will not reach the KMS activation threshold. In that case, you can activate by using MAKs. - -If the network is fully isolated, MAK-independent activation would be the recommended choice, perhaps using the telephone option. But VAMT proxy activation may also be possible. You can also use MAKs to activate new computers during setup, before they are placed in the isolated network. - -![New KMS host in an isolated network](../images/volumeactivationforwindows81-02.jpg) - -**Figure 2**. New KMS host in an isolated network - -**Branch offices and distant networks** -From mining operations to ships at sea, organizations often have a few computers that are not easily connected to the core network or the Internet. Some organizations have network segments at branch offices that are large and well-connected internally, but have a slow or unreliable WAN link to the rest of the organization. In these situations, you have several options: -- **Active Directory-based activation**. In any site where the client computers are running Windows 10, Active Directory-based activation is supported, and it can be activated by joining the domain. -- **Local KMS**. If a site has 25 or more client computers, it can activate against a local KMS server. -- **Remote (core) KMS**. If the remote site has connectivity to an existing KMS (perhaps through a virtual private network (VPN) to the core network), that KMS can be used. Using the existing KMS means that you only need to meet the activation threshold on that server. -- **MAK activation**. If the site has only a few computers and no connectivity to an existing KMS host, MAK activation is the best option. - -### Disconnected computers - -Some users may be in remote locations or may travel to many locations. This scenario is common for roaming clients, such as the computers that are used by salespeople or other users who are offsite but not at branch locations. This scenario can also apply to remote branch office locations that have no connection to the core network. You can consider this an “isolated network,” where the number of computers is one. Disconnected computers can use Active Directory-based activation, the KMS, or MAK depending on the client version and how often the computers connect to the core network. -If the computer is joined to the domain and running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 8, you can use Active Directory-based activation—directly or through a VPN—at least once every 180 days. If the computer connects to a network with a KMS host at least every 180 days, but it does not support Active Directory-based activation, you can use KMS activation. Otherwise for computers that rarely or never connect to the network, use MAK independent activation (by using the telephone or the Internet). - -### Test and development labs - -Lab environments often have large numbers of virtual machines, and physical computers and virtual machines in labs are reconfigured frequently. Therefore, first determine whether the computers in test and development labs require activation. Editions of Windows 10 that include volume licensing will operate normally, even if they cannot activate immediately. -If you have ensured that your test or development copies of the operating system are within the license agreement, you may not need to activate the lab computers if they will be rebuilt frequently. If you require that the lab computers be activated, treat the lab as an isolated network and use the methods described earlier in this guide. -In labs that have a high turnover of computers and a small number of KMS clients, you must monitor the KMS activation count. You might need to adjust the time that the KMS caches the activation requests. The default is 30 days. - -## Mapping your network to activation methods - -Now it’s time to assemble the pieces into a working solution. By evaluating your network connectivity, the numbers of computers you have at each site, and the operating system versions in use in your environment, you have collected the information you need to determine which activation methods will work best for you. You can fill-in information in Table 1 to help you make this determination. - -**Table 1**. Criteria for activation methods - -|Criterion |Activation method | -|----------|------------------| -|Number of domain-joined computers that support Active Directory-based activation (computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2) and will connect to a domain controller at least every 180 days. Computers can be mobile, semi-isolated, or located in a branch office or the core network. |Active Directory-based activation | -|Number of computers in the core network that will connect (directly or through a VPN) at least every 180 days

          Note
          The core network must meet the KMS activation threshold. |KMS (central) | -|Number of computers that do not connect to the network at least once every 180 days (or if no network meets the activation threshold) |MAM | -|Number of computers in semi-isolated networks that have connectivity to the KMS in the core network |KMS (central) | -|Number of computers in isolated networks where the KMS activation threshold is met |KMS (local) | -|Number of computers in isolated networks where the KMS activation threshold is not met |MAK | -|Number of computers in test and development labs that will not be activated |None| -|Number of computers that do not have a retail volume license |Retail (online or phone) | -|Number of computers that do not have an OEM volume license |OEM (at factory) | -|Total number of computer activations

          Note
          This total should match the total number of licensed computers in your organization. | - -## Choosing and acquiring keys - -When you know which keys you need, you must obtain them. Generally speaking, volume licensing keys are collected in two ways: -- Go to the **Product Keys** section of the [Volume Licensing Service Center](https://go.microsoft.com/fwlink/p/?LinkID=618213) for the following agreements: Open, Open Value, Select, Enterprise, and Services Provider License. -- Contact your [Microsoft Activation Center](https://go.microsoft.com/fwlink/p/?LinkId=618264). - -### KMS host keys - -A KMS host needs a key that activates, or authenticates, the KMS host with Microsoft. This key is usually referred to as the *KMS host key*, but it is formally known as a *Microsoft Customer Specific Volume License Key* (CSVLK). Most documentation and Internet references earlier than Windows 8.1 use the term KMS key, but CSVLK is becoming more common in current documentation and management tools. - -A KMS host running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 can activate both Windows Server and Windows client operating systems. A KMS host key is also needed to create the activation objects in AD DS, as described later in this guide. You will need a KMS host key for any KMS that you want to set up and if you are going to use Active Directory-based activation. - -### Generic volume licensing keys - -When you create installation media or images for client computers that will be activated by KMS or Active Directory-based activation, install a generic volume license key (GVLK) for the edition of Windows you are creating. GVLKs are also referred to as KMS client setup keys. - -Installation media from Microsoft for Enterprise editions of the Windows operating system may already contain the GVLK. One GVLK is available for each type of installation. Note that the GLVK will not activate the software against Microsoft activation servers, only against a KMS or Active Directory-based activation object. In other words, the GVLK does not work unless a valid KMS host key can be found. GVLKs are the only product keys that do not need to be kept confidential. - -Typically, you will not need to manually enter a GVLK unless a computer has been activated with a MAK or a retail key and it is being converted to a KMS activation or to Active Directory-based activation. If you need to locate the GVLK for a particular client edition, see [Appendix A: KMS Client Setup Keys](https://technet.microsoft.com/library/jj612867.aspx). - -### Multiple activation keys - -You will also need MAK keys with the appropriate number of activations available. You can see how many times a MAK has been used on the Volume Licensing Service Center website or in the VAMT. - -## Selecting a KMS host - -The KMS does not require a dedicated server. It can be cohosted with other services, such as AD DS domain controllers and read-only domain controllers. -KMS hosts can run on physical computers or virtual machines that are running any supported Windows operating system. A KMS host that is running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 can activate any Windows client or server operating system that supports volume activation. A KMS host that is running Windows 10 can activate only computers running Windows 10, Windows 8.1, Windows 8, Windows 7, or Windows Vista. -A single KMS host can support unlimited numbers of KMS clients, but Microsoft recommends deploying a minimum of two KMS hosts for failover purposes. However, as more clients are activated through Active Directory-based activation, the KMS and the redundancy of the KMS will become less important. Most organizations can use as few as two KMS hosts for their entire infrastructure. - -The flow of KMS activation is shown in Figure 3, and it follows this sequence: - -1. An administrator uses the VAMT console to configure a KMS host and install a KMS host key. -2. Microsoft validates the KMS host key, and the KMS host starts to listen for requests. -3. The KMS host updates resource records in DNS to allow clients to locate the KMS host. (Manually adding DNS records is required if your environment does not support DNS dynamic update protocol.) -4. A client configured with a GVLK uses DNS to locate the KMS host. -5. The client sends one packet to the KMS host. -6. The KMS host records information about the requesting client (by using a client ID). Client IDs are used to maintain the count of clients and detect when the same computer is requesting activation again. The client ID is only used to determine whether the activation thresholds are met. The IDs are not stored permanently or transmitted to Microsoft. If the KMS is restarted, the client ID collection starts again. -7. If the KMS host has a KMS host key that matches the products in the GVLK, the KMS host sends a single packet back to the client. This packet contains a count of the number of computers that have requested activation from this KMS host. -8. If the count exceeds the activation threshold for the product that is being activated, the client is activated. If the activation threshold has not yet been met, the client will try again. - -![KMS activation flow](../images/volumeactivationforwindows81-03.jpg) - -**Figure 3**. KMS activation flow - -## See also -- [Volume Activation for Windows 10](volume-activation-windows-10.md) - - +--- +title: Plan for volume activation (Windows 10) +description: Product activation is the process of validating software with the manufacturer after it has been installed on a specific computer. +ms.assetid: f84b005b-c362-4a70-a84e-4287c0d2e4ca +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: vamt, volume activation, activation, windows activation +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.date: 09/27/2017 +ms.topic: article +--- + +# Plan for volume activation + +**Applies to** +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 + +**Looking for retail activation?** + +- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) + +*Product activation* is the process of validating software with the manufacturer after it has been installed on a specific computer. Activation confirms that the product is genuine—not a fraudulent copy—and that the product key or serial number is valid and has not been compromised or revoked. Activation also establishes a link or relationship between the product key and the particular installation. + +During the activation process, information about the specific installation is examined. In the case of online activations, this information is sent to a server at Microsoft. This information may include the software version, the product key, the IP address of the computer, and information about the device. The activation methods that Microsoft uses are designed to help protect user privacy, and they cannot be used to track back to the computer or user. The gathered data confirms that the software is a legally licensed copy, and this data is used for statistical analysis. Microsoft does not use this information to identify or contact the user or the organization. + +>[!NOTE] +>The IP address is used only to verify the location of the request, because some editions of Windows (such as “Starter” editions) can only be activated within certain geographical target markets. + +## Distribution channels and activation + +In general, Microsoft software is obtained through three main channels: retail, original equipment manufacturer (OEM), and volume licensing agreements. Different activations methods are available through each channel. Because organizations are free to obtain software through multiple channels (for example, buying some at retail and others through a volume licensing program) most organizations choose to use a combination of activation methods. + +### Retail activations + +The retail activation method has not changed in several versions of Windows and Windows Server. Each purchased copy comes with one unique product key (often referred to as a retail key). The user enters this key during product installation. The computer uses this retail key to complete the activation after the installation is complete. Most activations are performed online, but telephone activation is also available. +Recently, retail keys have been expanded into new distribution scenarios. Product key cards are available to activate products that have been preinstalled or downloaded. Programs such as Windows Anytime Upgrade and Get Genuine allow users to acquire legal keys separately from the software. These electronically distributed keys may come with media that contains software, they can come as a software shipment, or they may be provided on a printed card or electronic copy. Products are activated the same way with any of these retail keys. + +### Original equipment manufacturer + +Most original equipment manufacturers (OEMs) sell systems that include a standard build of the Windows operating system. The hardware vendor activates Windows by associating the operating system with the firmware (BIOS) of the computer. This occurs before the computer is sent to the customer, and no additional actions are required. +OEM activation is valid as long as the customer uses the OEM-provided image on the system. OEM activation is available only for computers that are purchased through OEM channels and have the Windows operating system preinstalled. + +### Volume licensing + +Volume licensing offers customized programs that are tailored to the size and purchasing preference of the organization. To become a volume licensing customer, the organization must set up a volume licensing agreement with Microsoft.There is a common misunderstanding about acquiring licenses for a new computer through volume licensing. There are two legal ways to acquire a full Windows client license for a new computer: +- Have the license preinstalled through the OEM. +- Purchase a fully packaged retail product. + +The licenses that are provided through volume licensing programs such as Open License, Select License, and Enterprise Agreements cover upgrades to Windows client operating systems only. An existing retail or OEM operating system license is needed for each computer running Windows 10, Windows 8.1 Pro, Windows 8 Pro, Windows 7 Professional or Ultimate, or Windows XP Professional before the upgrade rights obtained through volume licensing can be exercised. +Volume licensing is also available through certain subscription or membership programs, such as the Microsoft Partner Network and MSDN. These volume licenses may contain specific restrictions or other changes to the general terms applicable to volume licensing. + +**Note**   +Some editions of the operating system, such as Windows 10 Enterprise, and some editions of application software are available only through volume licensing agreements or subscriptions. + +## Activation models + +For a user or IT department, there are no significant choices about how to activate products that are acquired through retail or OEM channels. The OEM performs the activation at the factory, and the user or the IT department need take no activation steps. + +With a retail product, the Volume Activation Management Tool (VAMT), which is discussed later in this guide, helps you track and manage keys. For each retail activation, you can choose: +- Online activation +- Telephone activation +- VAMT proxy activation + +Telephone activation is primarily used in situations where a computer is isolated from all networks. VAMT proxy activation (with retail keys) is sometimes used when an IT department wants to centralize retail activations or when a computer with a retail version of the operating system is isolated from the Internet but connected to the LAN. For volume-licensed products, however, you must determine the best method or combination of methods to use in your environment. For Windows 10 Pro and Enterprise, you can choose from three models: +- MAKs +- KMS +- Active Directory-based activation + +**Note**   +A specialized method, Token-based activation, is available for specific situations when approved customers rely on a public key infrastructure in a completely isolated, and usually high-security, environment. For more information, contact your Microsoft Account Team or your service representative. +Token-based Activation option is available for Windows 10 Enterprise LTSB editions (Version 1507 and 1607). + +### Multiple activation key + +A Multiple Activation Key (MAK) is commonly used in small- or mid-sized organizations that have a volume licensing agreement, but they do not meet the requirements to operate a KMS or they prefer a simpler approach. A MAK also +allows permanent activation of computers that are isolated from the KMS or are part of an isolated network that does not have enough computers to use the KMS. + +To use a MAK, the computers to be activated must have a MAK installed. The MAK is used for one-time activation with the Microsoft online hosted activation services, by telephone, or by using VAMT proxy activation. +In the simplest terms, a MAK acts like a retail key, except that a MAK is valid for activating multiple computers. Each MAK can be used a specific number of times. The VAMT can assist in tracking the number of activations that have been performed with each key and how many remain. + +Organizations can download MAK and KMS keys from the [Volume Licensing Service Center](https://go.microsoft.com/fwlink/p/?LinkId=618213) website. Each MAK has a preset number of activations, which are based on a percentage of the count of licenses the organization purchases; however, you can increase the number of activations that are available with your MAK by calling Microsoft. + +### Key Management Service + +With the Key Management Service (KMS), IT pros can complete activations on their local network, eliminating the need for individual computers to connect to Microsoft for product activation. The KMS is a lightweight service that does not require a dedicated system and can easily be cohosted on a system that provides other services. + +Volume editions of Windows 10 and Windows Server 2012 R2 (in addition to volume editions of operating system editions since Windows Vista and Windows Server 2008) automatically connect to a system that hosts the KMS to request activation. No action is required from the user. + +The KMS requires a minimum number of computers (physical computers or virtual machines) in a network environment. The organization must have at least five computers to activate Windows Server 2012 R2 and at least 25 computers to activate client computers that are running Windows 10. These minimums are referred to as *activation thresholds*. + +Planning to use the KMS includes selecting the best location for the KMS host and how many KMS hosts to have. One KMS host can handle a large number of activations, but organizations will often deploy two KMS hosts to ensure availability. Only rarely would more than two KMS hosts be used. The KMS can be hosted on a client computer or on a server, and it can be run on older versions of the operating system if proper configuration steps are taken. Setting up your KMS is discussed later in this guide. + +### Active Directory-based activation + +Active Directory-based activation is the newest type of volume activation, and it was introduced in Windows 8. In many ways, Active Directory-based activation is similar to activation by using the KMS, but the activated computer does not need to maintain periodic connectivity with the KMS host. Instead, a domain-joined computer running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 queries AD DS for a volume activation object that is stored in the domain. The operating system checks the digital signatures that are contained in the activation object, and then activates the device. + +Active Directory-based activation allows enterprises to activate computers through a connection to their domain. Many companies have computers at remote or branch locations, where it is impractical to connect to a KMS, or would not reach the KMS activation threshold. Rather than use MAKs, Active Directory-based activation provides a way to activate computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 as long as the computers can contact the company’s domain. Active Directory-based activation offers the advantage of extending volume activation services everywhere you already have a domain presence. + +## Network and connectivity + +A modern business network has many nuances and interconnections. This section examines evaluating your network and the connections that are available to determine how volume activations will occur. + +### Core network + +Your core network is that part of your network that enjoys stable, high-speed, reliable connectivity to infrastructure servers. In many cases, the core network is also connected to the Internet, although that is not a requirement to use the KMS or Active Directory-based activation after the KMS server or AD DS is configured and active. Your core network likely consists of many network segments. In many organizations, the core network makes up the vast majority of the business network. + +In the core network, a centralized KMS solution is usually recommended. You can also use Active Directory-based activation, but in many organizations, KMS will still be required to activate older client computers and computers that are not joined to the domain. Some administrators prefer to run both solutions to have the most flexibility, while others prefer to choose only a KMS-based solution for simplicity. Active Directory-based activation as the only solution is workable if all of the clients in your organization are running Windows 10, Windows 8.1, or Windows 8. + +A typical core network that includes a KMS host is shown in Figure 1. + +![Typical core network](../images/volumeactivationforwindows81-01.jpg) + +**Figure 1**. Typical core network + +### Isolated networks + +In a large network, it is all but guaranteed that some segments will be isolated, either for security reasons or because of geography or connectivity issues. + +**Isolated for security** + +Sometimes called a *high-security zone*, a particular network segment may be isolated from the core network by a firewall or disconnected from other networks totally. The best solution for activating computers in an isolated network depends on the security policies in place in the organization. + +If the isolated network can access the core network by using outbound requests on TCP port 1688, and it is allowed to receive remote procedure calls (RPCs), you can perform activation by using the KMS in the core network, thereby avoiding the need to reach additional activation thresholds. + +If the isolated network participates fully in the corporate forest, and it can make typical connections to domain controllers, such as using Lightweight Directory Access Protocol (LDAP) for queries and Domain Name Service (DNS) for name resolution, this is a good opportunity to use Active Directory-based activation for Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, and Windows Server 2012 R2. + +If the isolated network cannot communicate with the core network’s KMS server, and it cannot use Active Directory-based activation, you can set up a KMS host in the isolated network. This configuration is shown in Figure 2. However, if the isolated network contains only a few computers, it will not reach the KMS activation threshold. In that case, you can activate by using MAKs. + +If the network is fully isolated, MAK-independent activation would be the recommended choice, perhaps using the telephone option. But VAMT proxy activation may also be possible. You can also use MAKs to activate new computers during setup, before they are placed in the isolated network. + +![New KMS host in an isolated network](../images/volumeactivationforwindows81-02.jpg) + +**Figure 2**. New KMS host in an isolated network + +**Branch offices and distant networks** +From mining operations to ships at sea, organizations often have a few computers that are not easily connected to the core network or the Internet. Some organizations have network segments at branch offices that are large and well-connected internally, but have a slow or unreliable WAN link to the rest of the organization. In these situations, you have several options: +- **Active Directory-based activation**. In any site where the client computers are running Windows 10, Active Directory-based activation is supported, and it can be activated by joining the domain. +- **Local KMS**. If a site has 25 or more client computers, it can activate against a local KMS server. +- **Remote (core) KMS**. If the remote site has connectivity to an existing KMS (perhaps through a virtual private network (VPN) to the core network), that KMS can be used. Using the existing KMS means that you only need to meet the activation threshold on that server. +- **MAK activation**. If the site has only a few computers and no connectivity to an existing KMS host, MAK activation is the best option. + +### Disconnected computers + +Some users may be in remote locations or may travel to many locations. This scenario is common for roaming clients, such as the computers that are used by salespeople or other users who are offsite but not at branch locations. This scenario can also apply to remote branch office locations that have no connection to the core network. You can consider this an “isolated network,” where the number of computers is one. Disconnected computers can use Active Directory-based activation, the KMS, or MAK depending on the client version and how often the computers connect to the core network. +If the computer is joined to the domain and running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 8, you can use Active Directory-based activation—directly or through a VPN—at least once every 180 days. If the computer connects to a network with a KMS host at least every 180 days, but it does not support Active Directory-based activation, you can use KMS activation. Otherwise for computers that rarely or never connect to the network, use MAK independent activation (by using the telephone or the Internet). + +### Test and development labs + +Lab environments often have large numbers of virtual machines, and physical computers and virtual machines in labs are reconfigured frequently. Therefore, first determine whether the computers in test and development labs require activation. Editions of Windows 10 that include volume licensing will operate normally, even if they cannot activate immediately. +If you have ensured that your test or development copies of the operating system are within the license agreement, you may not need to activate the lab computers if they will be rebuilt frequently. If you require that the lab computers be activated, treat the lab as an isolated network and use the methods described earlier in this guide. +In labs that have a high turnover of computers and a small number of KMS clients, you must monitor the KMS activation count. You might need to adjust the time that the KMS caches the activation requests. The default is 30 days. + +## Mapping your network to activation methods + +Now it’s time to assemble the pieces into a working solution. By evaluating your network connectivity, the numbers of computers you have at each site, and the operating system versions in use in your environment, you have collected the information you need to determine which activation methods will work best for you. You can fill-in information in Table 1 to help you make this determination. + +**Table 1**. Criteria for activation methods + +|Criterion |Activation method | +|----------|------------------| +|Number of domain-joined computers that support Active Directory-based activation (computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2) and will connect to a domain controller at least every 180 days. Computers can be mobile, semi-isolated, or located in a branch office or the core network. |Active Directory-based activation | +|Number of computers in the core network that will connect (directly or through a VPN) at least every 180 days

          Note
          The core network must meet the KMS activation threshold. |KMS (central) | +|Number of computers that do not connect to the network at least once every 180 days (or if no network meets the activation threshold) |MAM | +|Number of computers in semi-isolated networks that have connectivity to the KMS in the core network |KMS (central) | +|Number of computers in isolated networks where the KMS activation threshold is met |KMS (local) | +|Number of computers in isolated networks where the KMS activation threshold is not met |MAK | +|Number of computers in test and development labs that will not be activated |None| +|Number of computers that do not have a retail volume license |Retail (online or phone) | +|Number of computers that do not have an OEM volume license |OEM (at factory) | +|Total number of computer activations

          Note
          This total should match the total number of licensed computers in your organization. | + +## Choosing and acquiring keys + +When you know which keys you need, you must obtain them. Generally speaking, volume licensing keys are collected in two ways: +- Go to the **Product Keys** section of the [Volume Licensing Service Center](https://go.microsoft.com/fwlink/p/?LinkID=618213) for the following agreements: Open, Open Value, Select, Enterprise, and Services Provider License. +- Contact your [Microsoft Activation Center](https://go.microsoft.com/fwlink/p/?LinkId=618264). + +### KMS host keys + +A KMS host needs a key that activates, or authenticates, the KMS host with Microsoft. This key is usually referred to as the *KMS host key*, but it is formally known as a *Microsoft Customer Specific Volume License Key* (CSVLK). Most documentation and Internet references earlier than Windows 8.1 use the term KMS key, but CSVLK is becoming more common in current documentation and management tools. + +A KMS host running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 can activate both Windows Server and Windows client operating systems. A KMS host key is also needed to create the activation objects in AD DS, as described later in this guide. You will need a KMS host key for any KMS that you want to set up and if you are going to use Active Directory-based activation. + +### Generic volume licensing keys + +When you create installation media or images for client computers that will be activated by KMS or Active Directory-based activation, install a generic volume license key (GVLK) for the edition of Windows you are creating. GVLKs are also referred to as KMS client setup keys. + +Installation media from Microsoft for Enterprise editions of the Windows operating system may already contain the GVLK. One GVLK is available for each type of installation. Note that the GLVK will not activate the software against Microsoft activation servers, only against a KMS or Active Directory-based activation object. In other words, the GVLK does not work unless a valid KMS host key can be found. GVLKs are the only product keys that do not need to be kept confidential. + +Typically, you will not need to manually enter a GVLK unless a computer has been activated with a MAK or a retail key and it is being converted to a KMS activation or to Active Directory-based activation. If you need to locate the GVLK for a particular client edition, see [Appendix A: KMS Client Setup Keys](https://technet.microsoft.com/library/jj612867.aspx). + +### Multiple activation keys + +You will also need MAK keys with the appropriate number of activations available. You can see how many times a MAK has been used on the Volume Licensing Service Center website or in the VAMT. + +## Selecting a KMS host + +The KMS does not require a dedicated server. It can be cohosted with other services, such as AD DS domain controllers and read-only domain controllers. +KMS hosts can run on physical computers or virtual machines that are running any supported Windows operating system. A KMS host that is running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 can activate any Windows client or server operating system that supports volume activation. A KMS host that is running Windows 10 can activate only computers running Windows 10, Windows 8.1, Windows 8, Windows 7, or Windows Vista. +A single KMS host can support unlimited numbers of KMS clients, but Microsoft recommends deploying a minimum of two KMS hosts for failover purposes. However, as more clients are activated through Active Directory-based activation, the KMS and the redundancy of the KMS will become less important. Most organizations can use as few as two KMS hosts for their entire infrastructure. + +The flow of KMS activation is shown in Figure 3, and it follows this sequence: + +1. An administrator uses the VAMT console to configure a KMS host and install a KMS host key. +2. Microsoft validates the KMS host key, and the KMS host starts to listen for requests. +3. The KMS host updates resource records in DNS to allow clients to locate the KMS host. (Manually adding DNS records is required if your environment does not support DNS dynamic update protocol.) +4. A client configured with a GVLK uses DNS to locate the KMS host. +5. The client sends one packet to the KMS host. +6. The KMS host records information about the requesting client (by using a client ID). Client IDs are used to maintain the count of clients and detect when the same computer is requesting activation again. The client ID is only used to determine whether the activation thresholds are met. The IDs are not stored permanently or transmitted to Microsoft. If the KMS is restarted, the client ID collection starts again. +7. If the KMS host has a KMS host key that matches the products in the GVLK, the KMS host sends a single packet back to the client. This packet contains a count of the number of computers that have requested activation from this KMS host. +8. If the count exceeds the activation threshold for the product that is being activated, the client is activated. If the activation threshold has not yet been met, the client will try again. + +![KMS activation flow](../images/volumeactivationforwindows81-03.jpg) + +**Figure 3**. KMS activation flow + +## See also +- [Volume Activation for Windows 10](volume-activation-windows-10.md) + + diff --git a/windows/deployment/volume-activation/proxy-activation-vamt.md b/windows/deployment/volume-activation/proxy-activation-vamt.md index 805b3dfd6c..ff4ab4c6f5 100644 --- a/windows/deployment/volume-activation/proxy-activation-vamt.md +++ b/windows/deployment/volume-activation/proxy-activation-vamt.md @@ -1,58 +1,58 @@ ---- -title: Perform Proxy Activation (Windows 10) -description: Perform Proxy Activation -ms.assetid: 35a919ed-f1cc-4d10-9c88-9bd634549dc3 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Perform Proxy Activation - -You can use the Volume Activation Management Tool (VAMT) to perform activation for client computers that do not have Internet access. The client products can be installed with any type of product key that is eligible for proxy activation: Multiple activation Key (MAK), KMS Host key (CSVLK), or retail key. - -In a typical proxy-activation scenario, the VAMT host computer distributes a MAK to one or more client computers and collects the installation ID (IID) from each computer. The VAMT host computer sends the IIDs to Microsoft on behalf of the client computers and obtains the corresponding Confirmation IDs (CIDs). The VAMT host computer then installs the CIDs on the client computer to complete the activation. Using this activation method, only the VAMT host computer needs Internet access. - -**Note**   -For workgroups that are completely isolated from any larger network, you can still perform MAK, KMS Host key (CSVLK), or retail proxy activation. This requires installing a second instance of VAMT on a computer within the isolated group and using removable media to transfer activation data between that computer and another VAMT host computer that has Internet access. For more information about this scenario, see [Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md). Similarly, you can proxy activate a KMS Host key (CSVLK) located in an isolated network. You can also proxy activate a KMS Host key (CSVLK) in the core network if you do not want the KMS host computer to connect to Microsoft over the Internet.  - -## Requirements - -Before performing proxy activation, ensure that your network and the VAMT installation meet the following requirements: -- There is an instance of VAMT that is installed on a computer that has Internet access. If you are performing proxy activation for an isolated workgroup, you also need to have VAMT installed on one of the computers in the workgroup. -- The products to be activated have been added to VAMT and are installed with a retail product key, a KMS Host key (CSVLK) or a MAK. If the products have not been installed with a proper product key, refer to the steps in the [Add and Remove a Product Key](add-remove-product-key-vamt.md) section for instructions on how to install a product key. -- VAMT has administrative permissions on all products to be activated and Windows Management Instrumentation (WMI) is accessible through the Windows firewall. -- For workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md). -The product keys that are installed on the client products must have a sufficient number of remaining activations. If you are activating a MAK key, you can retrieve the remaining number of activations for that key by selecting the MAK in the product key list in the center pane and then clicking **Refresh product key data online** in the right-side pane. This retrieves the number of remaining activations for the MAK from Microsoft. Note that this step requires Internet access and that the remaining activation count can only be retrieved for MAKs. - -## To Perform Proxy Activation - -**To perform proxy activation** - -1. Open VAMT. -2. If necessary, install product keys. For more information see: - - [Install a Product Key](install-product-key-vamt.md) to install retail, MAK, or KMS Host key (CSVLK). - - [Install a KMS Client Key](install-kms-client-key-vamt.md) to install GVLK (KMS client) keys. -3. In the **Products** list in the center pane, select the individual products to be activated. You can use the **Filter** function to narrow your search for products by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -5. Click **Filter**. VAMT displays the filtered list in the center pane. -6. In the right-side pane, click **Activate** and then click **Proxy activate** to open the **Proxy Activate** dialog box. -7. In the **Proxy Activate** dialog box click **Apply Confirmation ID, apply to selected machine(s) and activate**. -8. If you are activating products that require administrator credentials different from the ones you are currently using, select the **Use Alternate Credentials** checkbox. -9. Click **OK**. -10. VAMT displays the **Activating products** dialog box until it completes the requested action. If you selected the **Alternate Credentials** option, you will be prompted to enter the credentials. - - **Note**   - You can use proxy activation to select products that have different key types and activate the products at the same time. - - - +--- +title: Perform Proxy Activation (Windows 10) +description: Perform Proxy Activation +ms.assetid: 35a919ed-f1cc-4d10-9c88-9bd634549dc3 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Perform Proxy Activation + +You can use the Volume Activation Management Tool (VAMT) to perform activation for client computers that do not have Internet access. The client products can be installed with any type of product key that is eligible for proxy activation: Multiple activation Key (MAK), KMS Host key (CSVLK), or retail key. + +In a typical proxy-activation scenario, the VAMT host computer distributes a MAK to one or more client computers and collects the installation ID (IID) from each computer. The VAMT host computer sends the IIDs to Microsoft on behalf of the client computers and obtains the corresponding Confirmation IDs (CIDs). The VAMT host computer then installs the CIDs on the client computer to complete the activation. Using this activation method, only the VAMT host computer needs Internet access. + +**Note**   +For workgroups that are completely isolated from any larger network, you can still perform MAK, KMS Host key (CSVLK), or retail proxy activation. This requires installing a second instance of VAMT on a computer within the isolated group and using removable media to transfer activation data between that computer and another VAMT host computer that has Internet access. For more information about this scenario, see [Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md). Similarly, you can proxy activate a KMS Host key (CSVLK) located in an isolated network. You can also proxy activate a KMS Host key (CSVLK) in the core network if you do not want the KMS host computer to connect to Microsoft over the Internet.  + +## Requirements + +Before performing proxy activation, ensure that your network and the VAMT installation meet the following requirements: +- There is an instance of VAMT that is installed on a computer that has Internet access. If you are performing proxy activation for an isolated workgroup, you also need to have VAMT installed on one of the computers in the workgroup. +- The products to be activated have been added to VAMT and are installed with a retail product key, a KMS Host key (CSVLK) or a MAK. If the products have not been installed with a proper product key, refer to the steps in the [Add and Remove a Product Key](add-remove-product-key-vamt.md) section for instructions on how to install a product key. +- VAMT has administrative permissions on all products to be activated and Windows Management Instrumentation (WMI) is accessible through the Windows firewall. +- For workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md). +The product keys that are installed on the client products must have a sufficient number of remaining activations. If you are activating a MAK key, you can retrieve the remaining number of activations for that key by selecting the MAK in the product key list in the center pane and then clicking **Refresh product key data online** in the right-side pane. This retrieves the number of remaining activations for the MAK from Microsoft. Note that this step requires Internet access and that the remaining activation count can only be retrieved for MAKs. + +## To Perform Proxy Activation + +**To perform proxy activation** + +1. Open VAMT. +2. If necessary, install product keys. For more information see: + - [Install a Product Key](install-product-key-vamt.md) to install retail, MAK, or KMS Host key (CSVLK). + - [Install a KMS Client Key](install-kms-client-key-vamt.md) to install GVLK (KMS client) keys. +3. In the **Products** list in the center pane, select the individual products to be activated. You can use the **Filter** function to narrow your search for products by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. +4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + - To filter the list by computer name, enter a name in the **Computer Name** box. + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. +5. Click **Filter**. VAMT displays the filtered list in the center pane. +6. In the right-side pane, click **Activate** and then click **Proxy activate** to open the **Proxy Activate** dialog box. +7. In the **Proxy Activate** dialog box click **Apply Confirmation ID, apply to selected machine(s) and activate**. +8. If you are activating products that require administrator credentials different from the ones you are currently using, select the **Use Alternate Credentials** checkbox. +9. Click **OK**. +10. VAMT displays the **Activating products** dialog box until it completes the requested action. If you selected the **Alternate Credentials** option, you will be prompted to enter the credentials. + + **Note**   + You can use proxy activation to select products that have different key types and activate the products at the same time. + + + diff --git a/windows/deployment/volume-activation/remove-products-vamt.md b/windows/deployment/volume-activation/remove-products-vamt.md index 5869a5725e..65dd923d7e 100644 --- a/windows/deployment/volume-activation/remove-products-vamt.md +++ b/windows/deployment/volume-activation/remove-products-vamt.md @@ -1,35 +1,35 @@ ---- -title: Remove Products (Windows 10) -description: Remove Products -ms.assetid: 4d44379e-dda1-4a8f-8ebf-395b6c0dad8e -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Remove Products - -To remove one or more products from the Volume Activation Management Tool (VAMT), you can delete them from the product list view in the center pane. - -**To delete one or more products** -1. Click a product node in the left-side pane. -2. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -4. Click **Filter**. VAMT displays the filtered list in the center pane. -5. Select the products you want to delete. -6. Click **Delete** in the **Selected Items** menu in the right-side pane. -7. On the **Confirm Delete Selected Products** dialog box, click **OK**. - -## Related topics -- [Add and Manage Products](add-manage-products-vamt.md) -  -  +--- +title: Remove Products (Windows 10) +description: Remove Products +ms.assetid: 4d44379e-dda1-4a8f-8ebf-395b6c0dad8e +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Remove Products + +To remove one or more products from the Volume Activation Management Tool (VAMT), you can delete them from the product list view in the center pane. + +**To delete one or more products** +1. Click a product node in the left-side pane. +2. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. +3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + - To filter the list by computer name, enter a name in the **Computer Name** box. + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. +4. Click **Filter**. VAMT displays the filtered list in the center pane. +5. Select the products you want to delete. +6. Click **Delete** in the **Selected Items** menu in the right-side pane. +7. On the **Confirm Delete Selected Products** dialog box, click **OK**. + +## Related topics +- [Add and Manage Products](add-manage-products-vamt.md) +  +  diff --git a/windows/deployment/volume-activation/scenario-kms-activation-vamt.md b/windows/deployment/volume-activation/scenario-kms-activation-vamt.md index 6fb201f1e4..34263037b3 100644 --- a/windows/deployment/volume-activation/scenario-kms-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-kms-activation-vamt.md @@ -1,48 +1,48 @@ ---- -title: Scenario 3 KMS Client Activation (Windows 10) -description: Scenario 3 KMS Client Activation -ms.assetid: 72b04e8f-cd35-490c-91ab-27ea799b05d0 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Scenario 3: KMS Client Activation - -In this scenario, you use the Volume Activation Management Tool (VAMT) to activate Key Management Service (KMS) client keys or Generic Volume License Keys (GVLKs). This can be performed on either Core Network or Isolated Lab computers. By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products. You do not have to enter a key to activate a product as a GVLK, unless you are converting a MAK-activated product to a KMS activation. For more information, see [Install a KMS Client Key](install-kms-client-key-vamt.md). - -The procedure that is described below assumes the following: -- The KMS Service is enabled and available to all KMS clients. -- VAMT has been installed and computers have been added to the VAMT database. See Parts 1 through 4 in either [Scenario 1: Online Activation](scenario-online-activation-vamt.md) or [Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) for more information. - -## Activate KMS Clients - -1. Open VAMT. -2. To set the KMS activation options, on the menu bar click **View**. Then click **Preferences** to open the **Volume Activation Management Tool Preferences** dialog box. -3. In the **Volume Activation Management Tool Preferences** dialog box, under **KMS Management Services host selection** select from the following options: - - **Find a KMS host automatically using DNS**. This is the default setting. VAMT will instruct the computer to query the Domain Name Service (DNS) to locate a KMS host and perform activation. If the client contains a registry key with a valid KMS host, that value will be used instead. - - **Find a KMS host using DNS in this domain for supported products**. Select this option if you use a specific domain, and enter the name of the domain. - - **Use specific KMS host**. Select this option for environments which do not use DNS for KMS host identification, and manually enter the KMS host name and select the KMS host port. VAMT will set the specified KMS host name and KMS host port on the target computer, and then instruct the computer to perform activation with the specific KMS host. -4. In the left-side pane, in the **Products** node, click the product that you want to activate. -5. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -6. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -7. Click **Filter**. VAMT displays the filtered list in the center pane. -8. Select the products that you want to activate. -9. Click **Activate** in the **Selected Items** menu in the right-side **Actions** pane, click **Activate**, point to **Volume activate**, and then click the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password. -10. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. - -The same status is shown under the **Status of Last Action** column in the products list view in the center pane. - -## Related topics -- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md) -  -  +--- +title: Scenario 3 KMS Client Activation (Windows 10) +description: Scenario 3 KMS Client Activation +ms.assetid: 72b04e8f-cd35-490c-91ab-27ea799b05d0 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Scenario 3: KMS Client Activation + +In this scenario, you use the Volume Activation Management Tool (VAMT) to activate Key Management Service (KMS) client keys or Generic Volume License Keys (GVLKs). This can be performed on either Core Network or Isolated Lab computers. By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products. You do not have to enter a key to activate a product as a GVLK, unless you are converting a MAK-activated product to a KMS activation. For more information, see [Install a KMS Client Key](install-kms-client-key-vamt.md). + +The procedure that is described below assumes the following: +- The KMS Service is enabled and available to all KMS clients. +- VAMT has been installed and computers have been added to the VAMT database. See Parts 1 through 4 in either [Scenario 1: Online Activation](scenario-online-activation-vamt.md) or [Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) for more information. + +## Activate KMS Clients + +1. Open VAMT. +2. To set the KMS activation options, on the menu bar click **View**. Then click **Preferences** to open the **Volume Activation Management Tool Preferences** dialog box. +3. In the **Volume Activation Management Tool Preferences** dialog box, under **KMS Management Services host selection** select from the following options: + - **Find a KMS host automatically using DNS**. This is the default setting. VAMT will instruct the computer to query the Domain Name Service (DNS) to locate a KMS host and perform activation. If the client contains a registry key with a valid KMS host, that value will be used instead. + - **Find a KMS host using DNS in this domain for supported products**. Select this option if you use a specific domain, and enter the name of the domain. + - **Use specific KMS host**. Select this option for environments which do not use DNS for KMS host identification, and manually enter the KMS host name and select the KMS host port. VAMT will set the specified KMS host name and KMS host port on the target computer, and then instruct the computer to perform activation with the specific KMS host. +4. In the left-side pane, in the **Products** node, click the product that you want to activate. +5. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. +6. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + - To filter the list by computer name, enter a name in the **Computer Name** box. + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. +7. Click **Filter**. VAMT displays the filtered list in the center pane. +8. Select the products that you want to activate. +9. Click **Activate** in the **Selected Items** menu in the right-side **Actions** pane, click **Activate**, point to **Volume activate**, and then click the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password. +10. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. + +The same status is shown under the **Status of Last Action** column in the products list view in the center pane. + +## Related topics +- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md) +  +  diff --git a/windows/deployment/volume-activation/scenario-online-activation-vamt.md b/windows/deployment/volume-activation/scenario-online-activation-vamt.md index 2e35cec348..865dbdf623 100644 --- a/windows/deployment/volume-activation/scenario-online-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-online-activation-vamt.md @@ -1,136 +1,136 @@ ---- -title: Scenario 1 Online Activation (Windows 10) -description: Scenario 1 Online Activation -ms.assetid: 94dba40e-383a-41e4-b74b-9e884facdfd3 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Scenario 1: Online Activation - -In this scenario, the Volume Activation Management Tool (VAMT) is deployed in the Core Network environment. VAMT is installed on a central computer that has network access to all of the client computers. Both the VAMT host and the client computers have Internet access. The following illustration shows a diagram of an online activation scenario for Multiple Activation Keys (MAKs). You can use this scenario for online activation of the following key types: -- Multiple Activation Key (MAK) -- Windows Key Management Service (KMS) keys: - - KMS Host key (CSVLK) - - Generic Volume License Key (GVLK), or KMS client key -- Retail -The Secure Zone represents higher-security Core Network computers that have additional firewall protection. - -![VAMT firewall configuration for multiple subnets](images/dep-win8-l-vamt-makindependentactivationscenario.jpg) - -## In This Topic -- [Install and start VAMT on a networked host computer](#bkmk-partone) -- [Configure the Windows Management Instrumentation firewall exception on target computers](#bkmk-parttwo) -- [Connect to VAMT database](#bkmk-partthree) -- [Discover products](#bkmk-partfour) -- [Sort and filter the list of computers](#bkmk-partfive) -- [Collect status information from the computers in the list](#bkmk-partsix) -- [Add product keys and determine the remaining activation count](#bkmk-partseven) -- [Install the product keys](#bkmk-parteight) -- [Activate the client products](#bkmk-partnine) - -## Step 1: Install and start VAMT on a networked host computer - -1. Install VAMT on the host computer. -2. Click the VAMT icon in the **Start** menu to open VAMT. - -## Step 2: Configure the Windows Management Instrumentation firewall exception on target computers - -- Ensure that the Windows Management Instrumentation (WMI) firewall exception has been enabled for all target computers. For more information, see [Configure Client Computers](configure-client-computers-vamt.md). - - **Note**   - To retrieve product license status, VAMT must have administrative permissions on the remote computers and WMI must be available through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md). - -## Step 3: Connect to a VAMT database - -1. If you are not already connected to a database, the **Database Connection Settings** dialog box appears when you open VAMT. Select the server and database where the keys that must be activated are located. -2. Click **Connect**. -3. If you are already connected to a database, VAMT displays an inventory of the products and product keys in the center pane, and a license overview of the computers in the database. If you need to connect to a different database, click **Successfully connected to Server** to open **the Database Connection Settings** dialog box. For more information about how to create VAMT databases and adding VAMT data, see [Manage VAMT Data](manage-vamt-data.md) - -## Step 4: Discover products - -1. In the left-side pane, in the **Products** node Products, click the product that you want to activate. -2. To open the **Discover Products** dialog box, click **Discover products** in the **Actions** menu in the right-side pane. -3. In the **Discover Products** dialog box, click **Search for computers in the Active Directory** to display the search options, and then click the search options that you want to use. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general Lightweight Directory Access Protocol (LDAP) query: - - To search for computers in an Active Directory domain, click **Search for computers in the Active Directory**. Then under **Domain Filter Criteria**, in the list of domain names click the name of the domain that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for specific computers in the domain. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only those computer names that start with the letter "a". - - To search by individual computer name or IP address, click **Manually enter name or IP address**. Then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. Note that VAMT supports both IPv4 and IPV6 addressing. - - To search for computers in a workgroup, click **Search for computers in the workgroup**. Then under **Workgroup Filter Criteria**, in the list of workgroup names, click the name of the workgroup that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer in the workgroup. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a". - - To search for computers by using a general LDAP query, click **Search with LDAP query** and enter your query in the text box that appears. VAMT will validate the LDAP query syntax, but will otherwise run the query without additional checks. -4. Click **Search**. - - When the search is complete, the products that VAMT discovers appear in the product list view in the center pane. - -## Step 5: Sort and filter the list of computers - -You can sort the list of products so that it is easier to find the computers that require product keys to be activated: -1. On the menu bar at the top of the center pane, click **Group by**, and then click **Product**, **Product Key Type**, or **License Status**. -2. To sort the list further, you can click one of the column headings to sort by that column. -3. You can also use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by product name, product key type, or license status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -5. Click **Filter**. VAMT displays the filtered list in the product list view in the center pane. - -## Step 6: Collect status information from the computers in the list - -To collect the status from select computers in the database, you can select computers in the product list view by using one of the following methods: -- To select a block of consecutively listed computers, click the first computer that you want to select, and then click the last computer while pressing the **Shift** key. -- To select computers which are not listed consecutively, hold down the **Ctrl** key and select each computer for which you want to collect the status information. - **To collect status information from the selected computers** -- In the right-side **Actions** pane, click **Update license status** in the **Selected Items** menu and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials that are different from the ones that you used to log on to the computer. Otherwise, click **Current Credentials** and continue to step 2.If you are supplying alternate credentials, in the **Windows Security** dialog box, type the appropriate user name and password and then click **OK**. -- VAMT displays the **Collecting product information** dialog box while it collects the license status of all supported products on the selected computers. When the process is finished, the updated license status of each product will appear in the product list view in the center pane. - - **Note** - If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading. - -## Step 7: Add product keys and determine the remaining activation count - -1. Click the **Product Keys** node in the left-side pane, and then click **Add Product Keys** in the right-side pane to open the **Add Product Keys** dialog box. -2. In the **Add Product Key** dialog box, you can select from one of the following methods to add product keys: - - To add product keys manually, click **Enter product key(s) separated by line breaks**, enter one or more product keys, and then click **Add Key(s)**. - - To import a Comma Separated Values File (CSV) that contains a list of product keys, click **Select a product key file to import**, browse to the file location, click **Open** to import the file, and then click **Add Key(s)**. - - The keys that you have added appear in the **Product Keys** list view in the center pane. - - **Important**   - If you are activating many products with a MAK, refresh the activation count of the MAK to ensure that the MAK can support the required number of activations. In the product key list in the center pane, select the MAK and then click **Refresh product key data online** in the right-side pane to contact Microsoft and retrieve the number of remaining activations for the MAK. This step requires Internet access. You can only retrieve the remaining activation count for MAKs. - -## Step 8: Install the product keys - -1. In the left-side pane, click the product that you want to install keys on to. -2. If necessary, sort and filter the list of products so that it is easier to find the computers that must have a product key installed. See [Step 5: Sort and filter the list of computers](#bkmk-partfive). -3. In the **Products** list view pane, select the individual products which must have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product. -4. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box. -5. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAKs based on the selected products. If you are installing a MAK you can select a recommended product key or any other MAK from the **All Product Keys List**. If you are not installing a MAK, select a product key from the **All Product Keys** list. Use the scroll bar if you want to view the **Description** for each key. When you have selected the product key that you want to install, click **Install Key**. Note that only one key can be installed at a time. -6. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. - - The same status appears under the **Status of Last Action** column in the product list view in the center pane. - **Note**   - - Product key installation will fail if VAMT finds mismatched key types or editions. VAMT will display the failure status and will continue the installation for the next product in the list. For more information on choosing the correct product key, see [How to Choose the Right Volume License Key for Windows.](https://go.microsoft.com/fwlink/p/?linkid=238382) - -## Step 9: Activate the client products - -1. Select the individual products that you want to activate in the list-view pane. -2. On the menu bar, click **Action**, point to **Activate** and point to **Online activate**. You can also right-click the selected computers(s) to display the **Action** menu, point to **Activate** and point to **Online activate**. You can also click **Activate** in the **Selected Items** menu in the right-hand pane to access the **Activate** option. -3. If you are activating product keys using your current credential, click **Current credential** and continue to step 5. If you are activating products that require an administrator credential that is different from the one you are currently using, click the **Alternate credential** option. -4. Enter your alternate user name and password and click **OK**. -5. The **Activate** option contacts the Microsoft product-activation server over the Internet and requests activation for the selected products. VAMT displays the **Activating products** dialog box until the requested actions are completed. - - **Note**   - Installing a MAK and overwriting the GVLK on client products must be done with care. If the RTM version of Windows Vista has been installed on the computer for more than 30 days, then its initial grace period has expired. As a result, it will enter Reduced Functionality Mode (RFM) if online activation is not completed successfully before the next logon attempt. However, you can use online activation to recover properly configured computers from RFM, as long as the computers are available on the network. - - RFM only applies to the RTM version of Windows Vista or the retail editions of Microsoft Office 2010. Windows Vista with SP1 or later, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and volume editions of Office 2010 will not enter RFM. - -## Related topics -- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md) - - +--- +title: Scenario 1 Online Activation (Windows 10) +description: Scenario 1 Online Activation +ms.assetid: 94dba40e-383a-41e4-b74b-9e884facdfd3 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Scenario 1: Online Activation + +In this scenario, the Volume Activation Management Tool (VAMT) is deployed in the Core Network environment. VAMT is installed on a central computer that has network access to all of the client computers. Both the VAMT host and the client computers have Internet access. The following illustration shows a diagram of an online activation scenario for Multiple Activation Keys (MAKs). You can use this scenario for online activation of the following key types: +- Multiple Activation Key (MAK) +- Windows Key Management Service (KMS) keys: + - KMS Host key (CSVLK) + - Generic Volume License Key (GVLK), or KMS client key +- Retail +The Secure Zone represents higher-security Core Network computers that have additional firewall protection. + +![VAMT firewall configuration for multiple subnets](images/dep-win8-l-vamt-makindependentactivationscenario.jpg) + +## In This Topic +- [Install and start VAMT on a networked host computer](#bkmk-partone) +- [Configure the Windows Management Instrumentation firewall exception on target computers](#bkmk-parttwo) +- [Connect to VAMT database](#bkmk-partthree) +- [Discover products](#bkmk-partfour) +- [Sort and filter the list of computers](#bkmk-partfive) +- [Collect status information from the computers in the list](#bkmk-partsix) +- [Add product keys and determine the remaining activation count](#bkmk-partseven) +- [Install the product keys](#bkmk-parteight) +- [Activate the client products](#bkmk-partnine) + +## Step 1: Install and start VAMT on a networked host computer + +1. Install VAMT on the host computer. +2. Click the VAMT icon in the **Start** menu to open VAMT. + +## Step 2: Configure the Windows Management Instrumentation firewall exception on target computers + +- Ensure that the Windows Management Instrumentation (WMI) firewall exception has been enabled for all target computers. For more information, see [Configure Client Computers](configure-client-computers-vamt.md). + + **Note**   + To retrieve product license status, VAMT must have administrative permissions on the remote computers and WMI must be available through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md). + +## Step 3: Connect to a VAMT database + +1. If you are not already connected to a database, the **Database Connection Settings** dialog box appears when you open VAMT. Select the server and database where the keys that must be activated are located. +2. Click **Connect**. +3. If you are already connected to a database, VAMT displays an inventory of the products and product keys in the center pane, and a license overview of the computers in the database. If you need to connect to a different database, click **Successfully connected to Server** to open **the Database Connection Settings** dialog box. For more information about how to create VAMT databases and adding VAMT data, see [Manage VAMT Data](manage-vamt-data.md) + +## Step 4: Discover products + +1. In the left-side pane, in the **Products** node Products, click the product that you want to activate. +2. To open the **Discover Products** dialog box, click **Discover products** in the **Actions** menu in the right-side pane. +3. In the **Discover Products** dialog box, click **Search for computers in the Active Directory** to display the search options, and then click the search options that you want to use. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general Lightweight Directory Access Protocol (LDAP) query: + - To search for computers in an Active Directory domain, click **Search for computers in the Active Directory**. Then under **Domain Filter Criteria**, in the list of domain names click the name of the domain that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for specific computers in the domain. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only those computer names that start with the letter "a". + - To search by individual computer name or IP address, click **Manually enter name or IP address**. Then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. Note that VAMT supports both IPv4 and IPV6 addressing. + - To search for computers in a workgroup, click **Search for computers in the workgroup**. Then under **Workgroup Filter Criteria**, in the list of workgroup names, click the name of the workgroup that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer in the workgroup. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a". + - To search for computers by using a general LDAP query, click **Search with LDAP query** and enter your query in the text box that appears. VAMT will validate the LDAP query syntax, but will otherwise run the query without additional checks. +4. Click **Search**. + + When the search is complete, the products that VAMT discovers appear in the product list view in the center pane. + +## Step 5: Sort and filter the list of computers + +You can sort the list of products so that it is easier to find the computers that require product keys to be activated: +1. On the menu bar at the top of the center pane, click **Group by**, and then click **Product**, **Product Key Type**, or **License Status**. +2. To sort the list further, you can click one of the column headings to sort by that column. +3. You can also use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. +4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + - To filter the list by computer name, enter a name in the **Computer Name** box. + - To filter the list by product name, product key type, or license status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. +5. Click **Filter**. VAMT displays the filtered list in the product list view in the center pane. + +## Step 6: Collect status information from the computers in the list + +To collect the status from select computers in the database, you can select computers in the product list view by using one of the following methods: +- To select a block of consecutively listed computers, click the first computer that you want to select, and then click the last computer while pressing the **Shift** key. +- To select computers which are not listed consecutively, hold down the **Ctrl** key and select each computer for which you want to collect the status information. + **To collect status information from the selected computers** +- In the right-side **Actions** pane, click **Update license status** in the **Selected Items** menu and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials that are different from the ones that you used to log on to the computer. Otherwise, click **Current Credentials** and continue to step 2.If you are supplying alternate credentials, in the **Windows Security** dialog box, type the appropriate user name and password and then click **OK**. +- VAMT displays the **Collecting product information** dialog box while it collects the license status of all supported products on the selected computers. When the process is finished, the updated license status of each product will appear in the product list view in the center pane. + + **Note** + If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading. + +## Step 7: Add product keys and determine the remaining activation count + +1. Click the **Product Keys** node in the left-side pane, and then click **Add Product Keys** in the right-side pane to open the **Add Product Keys** dialog box. +2. In the **Add Product Key** dialog box, you can select from one of the following methods to add product keys: + - To add product keys manually, click **Enter product key(s) separated by line breaks**, enter one or more product keys, and then click **Add Key(s)**. + - To import a Comma Separated Values File (CSV) that contains a list of product keys, click **Select a product key file to import**, browse to the file location, click **Open** to import the file, and then click **Add Key(s)**. + + The keys that you have added appear in the **Product Keys** list view in the center pane. + + **Important**   + If you are activating many products with a MAK, refresh the activation count of the MAK to ensure that the MAK can support the required number of activations. In the product key list in the center pane, select the MAK and then click **Refresh product key data online** in the right-side pane to contact Microsoft and retrieve the number of remaining activations for the MAK. This step requires Internet access. You can only retrieve the remaining activation count for MAKs. + +## Step 8: Install the product keys + +1. In the left-side pane, click the product that you want to install keys on to. +2. If necessary, sort and filter the list of products so that it is easier to find the computers that must have a product key installed. See [Step 5: Sort and filter the list of computers](#bkmk-partfive). +3. In the **Products** list view pane, select the individual products which must have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product. +4. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box. +5. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAKs based on the selected products. If you are installing a MAK you can select a recommended product key or any other MAK from the **All Product Keys List**. If you are not installing a MAK, select a product key from the **All Product Keys** list. Use the scroll bar if you want to view the **Description** for each key. When you have selected the product key that you want to install, click **Install Key**. Note that only one key can be installed at a time. +6. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. + + The same status appears under the **Status of Last Action** column in the product list view in the center pane. + **Note**   + + Product key installation will fail if VAMT finds mismatched key types or editions. VAMT will display the failure status and will continue the installation for the next product in the list. For more information on choosing the correct product key, see [How to Choose the Right Volume License Key for Windows.](https://go.microsoft.com/fwlink/p/?linkid=238382) + +## Step 9: Activate the client products + +1. Select the individual products that you want to activate in the list-view pane. +2. On the menu bar, click **Action**, point to **Activate** and point to **Online activate**. You can also right-click the selected computers(s) to display the **Action** menu, point to **Activate** and point to **Online activate**. You can also click **Activate** in the **Selected Items** menu in the right-hand pane to access the **Activate** option. +3. If you are activating product keys using your current credential, click **Current credential** and continue to step 5. If you are activating products that require an administrator credential that is different from the one you are currently using, click the **Alternate credential** option. +4. Enter your alternate user name and password and click **OK**. +5. The **Activate** option contacts the Microsoft product-activation server over the Internet and requests activation for the selected products. VAMT displays the **Activating products** dialog box until the requested actions are completed. + + **Note**   + Installing a MAK and overwriting the GVLK on client products must be done with care. If the RTM version of Windows Vista has been installed on the computer for more than 30 days, then its initial grace period has expired. As a result, it will enter Reduced Functionality Mode (RFM) if online activation is not completed successfully before the next logon attempt. However, you can use online activation to recover properly configured computers from RFM, as long as the computers are available on the network. + + RFM only applies to the RTM version of Windows Vista or the retail editions of Microsoft Office 2010. Windows Vista with SP1 or later, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and volume editions of Office 2010 will not enter RFM. + +## Related topics +- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md) + + diff --git a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md index c86af07eeb..3c52c27790 100644 --- a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md @@ -9,6 +9,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation +audience: itpro author: greg-lindsay ms.date: 04/25/2017 ms.topic: article diff --git a/windows/deployment/volume-activation/update-product-status-vamt.md b/windows/deployment/volume-activation/update-product-status-vamt.md index 35c36497d3..038839adb4 100644 --- a/windows/deployment/volume-activation/update-product-status-vamt.md +++ b/windows/deployment/volume-activation/update-product-status-vamt.md @@ -1,38 +1,38 @@ ---- -title: Update Product Status (Windows 10) -description: Update Product Status -ms.assetid: 39d4abd4-801a-4e8f-9b8c-425a24a96764 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Update Product Status - -After you add computers to the VAMT database, you need to use the **Update license status** function to add the products that are installed on the computers. You can also use the **Update license status** at any time to retrieve the most current license status for any products in the VAMT database. -To retrieve license status, VAMT must have administrative permissions on all selected computers and Windows Management Instrumentation (WMI) must be accessible through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md). - -**Note**   -The license-status query requires a valid computer name for each system queried. If the VAMT database contains computers that were added without Personally Identifiable Information, computer names will not be available for those computers, and the status for these computers will not be updated. - -## Update the license status of a product - -1. Open VAMT. -2. In the **Products** list, select one or more products that need to have their status updated. -3. In the right-side **Actions** pane, click **Update license status** and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials different from the ones you used to log into the computer. -4. If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**. - - VAMT displays the **Collecting product information** dialog box while it collects the status of all selected products. When the process is finished, the updated licensing status of each product will appear in the product list view in the center pane. - - **Note**   - If a previously discovered Microsoft Office 2010 product has been uninstalled from the remote computer, updating its licensing status will cause the entry to be deleted from the **Office** product list view, and, consequently, the total number of discovered products will be smaller. However, the Windows installation of the same computer will not be deleted and will always be shown in the **Windows** products list view. - -## Related topics -- [Add and Manage Products](add-manage-products-vamt.md) +--- +title: Update Product Status (Windows 10) +description: Update Product Status +ms.assetid: 39d4abd4-801a-4e8f-9b8c-425a24a96764 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Update Product Status + +After you add computers to the VAMT database, you need to use the **Update license status** function to add the products that are installed on the computers. You can also use the **Update license status** at any time to retrieve the most current license status for any products in the VAMT database. +To retrieve license status, VAMT must have administrative permissions on all selected computers and Windows Management Instrumentation (WMI) must be accessible through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md). + +**Note**   +The license-status query requires a valid computer name for each system queried. If the VAMT database contains computers that were added without Personally Identifiable Information, computer names will not be available for those computers, and the status for these computers will not be updated. + +## Update the license status of a product + +1. Open VAMT. +2. In the **Products** list, select one or more products that need to have their status updated. +3. In the right-side **Actions** pane, click **Update license status** and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials different from the ones you used to log into the computer. +4. If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**. + + VAMT displays the **Collecting product information** dialog box while it collects the status of all selected products. When the process is finished, the updated licensing status of each product will appear in the product list view in the center pane. + + **Note**   + If a previously discovered Microsoft Office 2010 product has been uninstalled from the remote computer, updating its licensing status will cause the entry to be deleted from the **Office** product list view, and, consequently, the total number of discovered products will be smaller. However, the Windows installation of the same computer will not be deleted and will always be shown in the **Windows** products list view. + +## Related topics +- [Add and Manage Products](add-manage-products-vamt.md) diff --git a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md index eac425c66b..39f4344b23 100644 --- a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md +++ b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md @@ -1,79 +1,79 @@ ---- -title: Use the Volume Activation Management Tool (Windows 10) -description: The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to perform VAMT proxy activation and to track and monitor several types of product keys. -ms.assetid: b11f0aee-7b60-44d1-be40-c960fc6c4c47 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: vamt, volume activation, activation, windows activation -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.topic: article ---- - -# Use the Volume Activation Management Tool - -**Applies to** -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows Server 2008 R2 - -**Looking for retail activation?** -- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) - -The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to perform VAMT proxy activation and to track and monitor several types of product keys. - -By using the VAMT, you can automate and centrally manage the volume, retail, and MAK activation process for Windows, Office, and select other Microsoft products. The VAMT can manage volume activation by using MAKs or KMS. It is a standard Microsoft Management Console snap-in, and it can be -installed on any computer running Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2. - -The VAMT is distributed as part of the Windows Assessment and Deployment Kit (Windows ADK), which is a free download available from Microsoft Download Center. For more information, see [Windows Assessment and Deployment Kit (Windows ADK) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526740). - -In Windows Server 2012 R2, you can install the VAMT directly from Server Manager without downloading the Windows ADK by selecting the Volume Activation Services role or the Remote Server Administration Tools/Role Administration Tools/Volume Activation Tools feature. - -## Activating with the Volume Activation Management Tool - -You can use the VAMT to complete the activation process in products by using MAK and retail keys, and you can work with computers individually or in groups. The VAMT enables two activation scenarios: -- **Online activation**. Online activation enables you to activate over the Internet any products that are installed with MAK, KMS host, or retail product keys. You can activate one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft. -- **Proxy activation**. This activation method enables you to perform volume activation for products that are installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS host key, or retail product key to one or more client products and collects the installation ID from each client product. The VAMT host sends the installation IDs to Microsoft on behalf of the client products and obtains the corresponding confirmation IDs. The VAMT host then installs the confirmation IDs on the client products to complete their activation. - By using this method, only the VAMT host computer requires Internet access. Proxy activation by using the VAMT is beneficial for isolated network segments and for cases where your organization has a mix of retail, MAK, and KMS-based activations. - -## Tracking products and computers with the Volume Activation Management Tool - -The VAMT provides an overview of the activation and licensing status of computers across your network, as shown in Figure 18. Several prebuilt reports are also available to help you proactively manage licensing. - -![VAMT showing the licensing status of multiple computers](../images/volumeactivationforwindows81-18.jpg) - -**Figure 18**. The VAMT showing the licensing status of multiple computers - -## Tracking key usage with the Volume Activation Management Tool - -The VAMT makes it easier to track the various keys that are issued to your organization. You can enter each key into VAMT, and then the VAMT can use those keys for online or proxy activation of clients. The tool can also describe what type of key it is and to which product group it belongs. The VAMT is the most convenient way to quickly determine how many activations remain on a MAK. Figure 19 shows an example of key types and usage. - -![VAMT showing key types and usage](../images/volumeactivationforwindows81-19.jpg) - -**Figure 19**. The VAMT showing key types and usage - -## Other Volume Activation Management Tool features - -The VAMT stores information in a Microsoft SQL Server database for performance and flexibility, and it provides a single graphical user interface for managing activations and performing other activation-related tasks, such as: -- **Adding and removing computers**. You can use the VAMT to discover computers in the local environment. The VAMT can discover computers by querying AD DS, workgroups, or individual computer names or IP addresses, or through a general LDAP query. -- **Discovering products**. You can use the VAMT to discover Windows, Windows Server, Office, and select other products that are installed on the client computers. -- **Managing activation data**. The VAMT stores activation data in a SQL Server database. The tool can export this data in XML format to other VAMT hosts or to an archive. - -For more information, see: -- [Volume Activation Management Tool (VAMT) Overview](https://go.microsoft.com/fwlink/p/?LinkId=618266) -- [VAMT Step-by-Step Scenarios](https://go.microsoft.com/fwlink/p/?LinkId=618267) - -## See also -- [Volume Activation for Windows 10](volume-activation-windows-10.md) -  -  +--- +title: Use the Volume Activation Management Tool (Windows 10) +description: The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to perform VAMT proxy activation and to track and monitor several types of product keys. +ms.assetid: b11f0aee-7b60-44d1-be40-c960fc6c4c47 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: vamt, volume activation, activation, windows activation +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.date: 07/27/2017 +ms.topic: article +--- + +# Use the Volume Activation Management Tool + +**Applies to** +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 + +**Looking for retail activation?** +- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) + +The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to perform VAMT proxy activation and to track and monitor several types of product keys. + +By using the VAMT, you can automate and centrally manage the volume, retail, and MAK activation process for Windows, Office, and select other Microsoft products. The VAMT can manage volume activation by using MAKs or KMS. It is a standard Microsoft Management Console snap-in, and it can be +installed on any computer running Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2. + +The VAMT is distributed as part of the Windows Assessment and Deployment Kit (Windows ADK), which is a free download available from Microsoft Download Center. For more information, see [Windows Assessment and Deployment Kit (Windows ADK) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526740). + +In Windows Server 2012 R2, you can install the VAMT directly from Server Manager without downloading the Windows ADK by selecting the Volume Activation Services role or the Remote Server Administration Tools/Role Administration Tools/Volume Activation Tools feature. + +## Activating with the Volume Activation Management Tool + +You can use the VAMT to complete the activation process in products by using MAK and retail keys, and you can work with computers individually or in groups. The VAMT enables two activation scenarios: +- **Online activation**. Online activation enables you to activate over the Internet any products that are installed with MAK, KMS host, or retail product keys. You can activate one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft. +- **Proxy activation**. This activation method enables you to perform volume activation for products that are installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS host key, or retail product key to one or more client products and collects the installation ID from each client product. The VAMT host sends the installation IDs to Microsoft on behalf of the client products and obtains the corresponding confirmation IDs. The VAMT host then installs the confirmation IDs on the client products to complete their activation. + By using this method, only the VAMT host computer requires Internet access. Proxy activation by using the VAMT is beneficial for isolated network segments and for cases where your organization has a mix of retail, MAK, and KMS-based activations. + +## Tracking products and computers with the Volume Activation Management Tool + +The VAMT provides an overview of the activation and licensing status of computers across your network, as shown in Figure 18. Several prebuilt reports are also available to help you proactively manage licensing. + +![VAMT showing the licensing status of multiple computers](../images/volumeactivationforwindows81-18.jpg) + +**Figure 18**. The VAMT showing the licensing status of multiple computers + +## Tracking key usage with the Volume Activation Management Tool + +The VAMT makes it easier to track the various keys that are issued to your organization. You can enter each key into VAMT, and then the VAMT can use those keys for online or proxy activation of clients. The tool can also describe what type of key it is and to which product group it belongs. The VAMT is the most convenient way to quickly determine how many activations remain on a MAK. Figure 19 shows an example of key types and usage. + +![VAMT showing key types and usage](../images/volumeactivationforwindows81-19.jpg) + +**Figure 19**. The VAMT showing key types and usage + +## Other Volume Activation Management Tool features + +The VAMT stores information in a Microsoft SQL Server database for performance and flexibility, and it provides a single graphical user interface for managing activations and performing other activation-related tasks, such as: +- **Adding and removing computers**. You can use the VAMT to discover computers in the local environment. The VAMT can discover computers by querying AD DS, workgroups, or individual computer names or IP addresses, or through a general LDAP query. +- **Discovering products**. You can use the VAMT to discover Windows, Windows Server, Office, and select other products that are installed on the client computers. +- **Managing activation data**. The VAMT stores activation data in a SQL Server database. The tool can export this data in XML format to other VAMT hosts or to an archive. + +For more information, see: +- [Volume Activation Management Tool (VAMT) Overview](https://go.microsoft.com/fwlink/p/?LinkId=618266) +- [VAMT Step-by-Step Scenarios](https://go.microsoft.com/fwlink/p/?LinkId=618267) + +## See also +- [Volume Activation for Windows 10](volume-activation-windows-10.md) +  +  diff --git a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md index cc4e0d99a9..e54f6338f1 100644 --- a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md +++ b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md @@ -9,6 +9,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation +audience: itpro author: greg-lindsay ms.date: 04/25/2017 ms.topic: article @@ -32,11 +33,11 @@ The Volume Activation Management Tool (VAMT) PowerShell cmdlets can be used to p For example, if the Windows ADK is installed in the default location of `C:\Program Files(x86)\Windows Kits\10`, type: - ``` ps1 + ``` powershell cd “C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT 3.0” ``` - Import the VAMT PowerShell module. To import the module, type the following at a command prompt: - ```powershell + ``` powershell Import-Module .\VAMT.psd1 ``` Where **Import-Module** imports a module only into the current session. To import the module into all sessions, add an **Import-Module** command to a Windows PowerShell profile. For more information about profiles, type `get-help about_profiles`. @@ -44,11 +45,11 @@ The Volume Activation Management Tool (VAMT) PowerShell cmdlets can be used to p ## To Get Help for VAMT PowerShell cmdlets You can view all of the help sections for a VAMT PowerShell cmdlet, or you can view only the section that you are interested in. To view all of the Help content for a VAMT cmdlet, type: -``` ps1 +``` powershell get-help -all ``` For example, type: -``` ps1 +``` powershell get-help get-VamtProduct -all ``` @@ -58,18 +59,18 @@ The update-help cmdlet is not supported for VAMT PowerShell cmdlets. To view onl **To view VAMT PowerShell Help sections** 1. To get the syntax to use with a cmdlet, type the following at a command prompt: - ``` ps1 + ``` powershell get-help ``` For example, type: - ``` ps1 + ``` powershell get-help get-VamtProduct ``` 2. To see examples using a cmdlet, type: - ``` ps1 + ``` powershell get-help -examples ``` For example, type: - ``` ps1 + ``` powershell get-help get-VamtProduct -examples ``` diff --git a/windows/deployment/volume-activation/vamt-known-issues.md b/windows/deployment/volume-activation/vamt-known-issues.md index a8b0716151..70933d12f6 100644 --- a/windows/deployment/volume-activation/vamt-known-issues.md +++ b/windows/deployment/volume-activation/vamt-known-issues.md @@ -1,25 +1,25 @@ ---- -title: VAMT Known Issues (Windows 10) -description: VAMT Known Issues -ms.assetid: 8992f1f3-830a-4ce7-a248-f3a6377ab77f -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# VAMT Known Issues - -The following list contains the current known issues with the Volume Activation Management Tool (VAMT) 3.0. -- The VAMT Windows Management Infrastructure (WMI) remote operations may take longer to execute if the target computer is in a sleep or standby state. -- Recovery of Non-Genuine computers is a two-step process. VAMT can be used to install a new product key and activate the computer. However, the computer itself must visit the [Windows Genuine Advantage](https://go.microsoft.com/fwlink/p/?linkid=182914) Web site to revalidate the computer's Genuine status. Upon successfully completing this step, the computer will be restored to full functionality. For more information on recovering Non-Genuine Windows computers, go to [Windows Volume Activation](https://go.microsoft.com/fwlink/p/?linkid=184668). -- When opening a Computer Information List (.cil file) saved in a previous version of VAMT, the edition information is not shown for each product in the center pane. Users must update the product status again to obtain the edition information. -- The remaining activation count can only be retrieved for MAKs. -  -  +--- +title: VAMT Known Issues (Windows 10) +description: VAMT Known Issues +ms.assetid: 8992f1f3-830a-4ce7-a248-f3a6377ab77f +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# VAMT Known Issues + +The following list contains the current known issues with the Volume Activation Management Tool (VAMT) 3.0. +- The VAMT Windows Management Infrastructure (WMI) remote operations may take longer to execute if the target computer is in a sleep or standby state. +- Recovery of Non-Genuine computers is a two-step process. VAMT can be used to install a new product key and activate the computer. However, the computer itself must visit the [Windows Genuine Advantage](https://go.microsoft.com/fwlink/p/?linkid=182914) Web site to revalidate the computer's Genuine status. Upon successfully completing this step, the computer will be restored to full functionality. For more information on recovering Non-Genuine Windows computers, go to [Windows Volume Activation](https://go.microsoft.com/fwlink/p/?linkid=184668). +- When opening a Computer Information List (.cil file) saved in a previous version of VAMT, the edition information is not shown for each product in the center pane. Users must update the product status again to obtain the edition information. +- The remaining activation count can only be retrieved for MAKs. +  +  diff --git a/windows/deployment/volume-activation/vamt-requirements.md b/windows/deployment/volume-activation/vamt-requirements.md index db74ca8874..264ebca94c 100644 --- a/windows/deployment/volume-activation/vamt-requirements.md +++ b/windows/deployment/volume-activation/vamt-requirements.md @@ -1,47 +1,47 @@ ---- -title: VAMT Requirements (Windows 10) -description: VAMT Requirements -ms.assetid: d14d152b-ab8a-43cb-a8fd-2279364007b9 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# VAMT Requirements - -This topic includes info about the product key and system requirements for VAMT. - -## Product Key Requirements - -The Volume Activation Management Tool (VAMT) can be used to perform activations using any of the following types of product keys. - -|Product key type |Where to obtain | -|-----------------|----------------| -|

          • Multiple Activation Key (MAK)
          • Key Management Service (KMS) host key (CSVLK)
          • KMS client setup keys (GVLK)
          |Volume licensing keys can only be obtained with a signed contract from Microsoft. For more info, see the [Microsoft Volume Licensing portal](https://go.microsoft.com/fwlink/p/?LinkId=227282). | -|Retail product keys |Obtained at time of product purchase. | - -## System Requirements - -The following table lists the system requirements for the VAMT host computer. - -|Item |Minimum system requirement | -|-----|---------------------------| -|Computer and Processor |1 GHz x86 or x64 processor | -|Memory |1 GB RAM for x86 or 2 GB RAM for x64 | -|Hard Disk |16 GB available hard disk space for x86 or 20 GB for x64 | -|External Drive|Removable media (Optional) | -|Display |1024x768 or higher resolution monitor | -|Network |Connectivity to remote computers via Windows® Management Instrumentation (TCP/IP) and Microsoft® Activation Web Service on the Internet via HTTPS | -|Operating System |Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, or Windows Server 2012. | -|Additional Requirements |
          • Connection to a SQL Server database. For more info, see [Install VAMT](install-vamt.md).
          • PowerShell 3.0: For Windows 8, Windows 8.1, Windows 10, and Windows Server® 2012, PowerShell is included in the installation. For previous versions of Windows and -Windows Server, you must download PowerShell 3.0. To download PowerShell, go to [Download Windows PowerShell 3.0](https://go.microsoft.com/fwlink/p/?LinkId=218356).
          • If installing on Windows Server 2008 R2, you must also install .NET Framework 3.51.
          | - -## Related topics -- [Install and Configure VAMT](install-configure-vamt.md) +--- +title: VAMT Requirements (Windows 10) +description: VAMT Requirements +ms.assetid: d14d152b-ab8a-43cb-a8fd-2279364007b9 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# VAMT Requirements + +This topic includes info about the product key and system requirements for VAMT. + +## Product Key Requirements + +The Volume Activation Management Tool (VAMT) can be used to perform activations using any of the following types of product keys. + +|Product key type |Where to obtain | +|-----------------|----------------| +|
          • Multiple Activation Key (MAK)
          • Key Management Service (KMS) host key (CSVLK)
          • KMS client setup keys (GVLK)
          |Volume licensing keys can only be obtained with a signed contract from Microsoft. For more info, see the [Microsoft Volume Licensing portal](https://go.microsoft.com/fwlink/p/?LinkId=227282). | +|Retail product keys |Obtained at time of product purchase. | + +## System Requirements + +The following table lists the system requirements for the VAMT host computer. + +|Item |Minimum system requirement | +|-----|---------------------------| +|Computer and Processor |1 GHz x86 or x64 processor | +|Memory |1 GB RAM for x86 or 2 GB RAM for x64 | +|Hard Disk |16 GB available hard disk space for x86 or 20 GB for x64 | +|External Drive|Removable media (Optional) | +|Display |1024x768 or higher resolution monitor | +|Network |Connectivity to remote computers via Windows® Management Instrumentation (TCP/IP) and Microsoft® Activation Web Service on the Internet via HTTPS | +|Operating System |Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, or Windows Server 2012. | +|Additional Requirements |
          • Connection to a SQL Server database. For more info, see [Install VAMT](install-vamt.md).
          • PowerShell 3.0: For Windows 8, Windows 8.1, Windows 10, and Windows Server® 2012, PowerShell is included in the installation. For previous versions of Windows and +Windows Server, you must download PowerShell 3.0. To download PowerShell, go to [Download Windows PowerShell 3.0](https://go.microsoft.com/fwlink/p/?LinkId=218356).
          • If installing on Windows Server 2008 R2, you must also install .NET Framework 3.51.
          | + +## Related topics +- [Install and Configure VAMT](install-configure-vamt.md) diff --git a/windows/deployment/volume-activation/vamt-step-by-step.md b/windows/deployment/volume-activation/vamt-step-by-step.md index 396863340c..ae1576bb5f 100644 --- a/windows/deployment/volume-activation/vamt-step-by-step.md +++ b/windows/deployment/volume-activation/vamt-step-by-step.md @@ -1,32 +1,32 @@ ---- -title: VAMT Step-by-Step Scenarios (Windows 10) -description: VAMT Step-by-Step Scenarios -ms.assetid: 455c542c-4860-4b57-a1f0-7e2d28e11a10 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# VAMT Step-by-Step Scenarios - -This section provides step-by-step instructions on implementing the Volume Activation Management Tool (VAMT) in typical environments. VAMT supports many common scenarios; the scenarios in this section describe some of the most common to get you started. - -## In this Section - -|Topic |Description | -|------|------------| -|[Scenario 1: Online Activation](scenario-online-activation-vamt.md) |Describes how to distribute Multiple Activation Keys (MAKs) to products installed on one or more connected computers within a network, and how to instruct these products to contact Microsoft over the Internet for activation. | -|[Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) |Describes how to use two VAMT host computers — the first one with Internet access and a second computer within an isolated workgroup — as proxies to perform MAK volume activation for workgroup computers that do not have Internet access. | -|[Scenario 3: KMS Client Activation](scenario-kms-activation-vamt.md) |Describes how to use VAMT to configure client products for Key Management Service (KMS) activation. By default, volume license editions of Windows 10, Windows Vista, Windows® 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. | - -## Related topics -- [Introduction to VAMT](introduction-vamt.md) -  -  +--- +title: VAMT Step-by-Step Scenarios (Windows 10) +description: VAMT Step-by-Step Scenarios +ms.assetid: 455c542c-4860-4b57-a1f0-7e2d28e11a10 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# VAMT Step-by-Step Scenarios + +This section provides step-by-step instructions on implementing the Volume Activation Management Tool (VAMT) in typical environments. VAMT supports many common scenarios; the scenarios in this section describe some of the most common to get you started. + +## In this Section + +|Topic |Description | +|------|------------| +|[Scenario 1: Online Activation](scenario-online-activation-vamt.md) |Describes how to distribute Multiple Activation Keys (MAKs) to products installed on one or more connected computers within a network, and how to instruct these products to contact Microsoft over the Internet for activation. | +|[Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) |Describes how to use two VAMT host computers — the first one with Internet access and a second computer within an isolated workgroup — as proxies to perform MAK volume activation for workgroup computers that do not have Internet access. | +|[Scenario 3: KMS Client Activation](scenario-kms-activation-vamt.md) |Describes how to use VAMT to configure client products for Key Management Service (KMS) activation. By default, volume license editions of Windows 10, Windows Vista, Windows® 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. | + +## Related topics +- [Introduction to VAMT](introduction-vamt.md) +  +  diff --git a/windows/deployment/volume-activation/volume-activation-management-tool.md b/windows/deployment/volume-activation/volume-activation-management-tool.md index d8bb56ec77..b517ac9410 100644 --- a/windows/deployment/volume-activation/volume-activation-management-tool.md +++ b/windows/deployment/volume-activation/volume-activation-management-tool.md @@ -1,43 +1,43 @@ ---- -title: Volume Activation Management Tool (VAMT) Technical Reference (Windows 10) -description: The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. -ms.assetid: 1df0f795-f41c-473b-850c-e98af1ad2f2a -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Volume Activation Management Tool (VAMT) Technical Reference - -The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. -VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in that requires the Microsoft Management Console (MMC) 3.0. VAMT can be installed on any computer that has one of the following Windows operating systems: -- Windows® 7 or above -- Windows Server 2008 R2 or above - - -**Important**   -VAMT is designed to manage volume activation for: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 (or obove), Microsoft Office 2010 (or above). - -VAMT is only available in an EN-US (x86) package. - -## In this Section - -|Topic |Description | -|------|------------| -|[Introduction to VAMT](introduction-vamt.md) |Provides a description of VAMT and common usages. | -|[Active Directory-Based Activation Overview](active-directory-based-activation-overview.md) |Describes Active Directory-Based Activation scenarios. | -|[Install and Configure VAMT](install-configure-vamt.md) |Describes how to install VAMT and use it to configure client computers on your network. | -|[Add and Manage Products](add-manage-products-vamt.md) |Describes how to add client computers into VAMT. | -|[Manage Product Keys](manage-product-keys-vamt.md) |Describes how to add and remove a product key from VAMT. | -|[Manage Activations](manage-activations-vamt.md) |Describes how to activate a client computer by using a variety of activation methods. | -|[Manage VAMT Data](manage-vamt-data.md) |Describes how to save, import, export, and merge a Computer Information List (CILX) file using VAMT. | -|[VAMT Step-by-Step Scenarios](vamt-step-by-step.md) |Provides step-by-step instructions for using VAMT in typical environments. | -|[VAMT Known Issues](vamt-known-issues.md) |Lists known issues in VAMT. | - +--- +title: Volume Activation Management Tool (VAMT) Technical Reference (Windows 10) +description: The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. +ms.assetid: 1df0f795-f41c-473b-850c-e98af1ad2f2a +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Volume Activation Management Tool (VAMT) Technical Reference + +The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. +VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in that requires the Microsoft Management Console (MMC) 3.0. VAMT can be installed on any computer that has one of the following Windows operating systems: +- Windows® 7 or above +- Windows Server 2008 R2 or above + + +**Important**   +VAMT is designed to manage volume activation for: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 (or obove), Microsoft Office 2010 (or above). + +VAMT is only available in an EN-US (x86) package. + +## In this Section + +|Topic |Description | +|------|------------| +|[Introduction to VAMT](introduction-vamt.md) |Provides a description of VAMT and common usages. | +|[Active Directory-Based Activation Overview](active-directory-based-activation-overview.md) |Describes Active Directory-Based Activation scenarios. | +|[Install and Configure VAMT](install-configure-vamt.md) |Describes how to install VAMT and use it to configure client computers on your network. | +|[Add and Manage Products](add-manage-products-vamt.md) |Describes how to add client computers into VAMT. | +|[Manage Product Keys](manage-product-keys-vamt.md) |Describes how to add and remove a product key from VAMT. | +|[Manage Activations](manage-activations-vamt.md) |Describes how to activate a client computer by using a variety of activation methods. | +|[Manage VAMT Data](manage-vamt-data.md) |Describes how to save, import, export, and merge a Computer Information List (CILX) file using VAMT. | +|[VAMT Step-by-Step Scenarios](vamt-step-by-step.md) |Provides step-by-step instructions for using VAMT in typical environments. | +|[VAMT Known Issues](vamt-known-issues.md) |Lists known issues in VAMT. | + diff --git a/windows/deployment/volume-activation/volume-activation-windows-10.md b/windows/deployment/volume-activation/volume-activation-windows-10.md index 49204c7ae4..0d0a77909e 100644 --- a/windows/deployment/volume-activation/volume-activation-windows-10.md +++ b/windows/deployment/volume-activation/volume-activation-windows-10.md @@ -1,69 +1,69 @@ ---- -title: Volume Activation for Windows 10 (Windows 10) -description: This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. -ms.assetid: 6e8cffae-7322-4fd3-882a-cde68187aef2 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: vamt, volume activation, activation, windows activation -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.topic: article ---- - -# Volume Activation for Windows 10 - -**Applies to** -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows Server 2008 R2 - -**Looking for volume licensing information?** -- [Download the Volume Licensing Reference Guide for Windows 10 Desktop Operating System](https://go.microsoft.com/fwlink/p/?LinkId=620104) - -**Looking for retail activation?** -- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) - -This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. -*Volume activation* is the process that Microsoft volume licensing customers use to automate and manage the activation of Windows operating systems, Microsoft Office, and other Microsoft products across large organizations. Volume licensing is available to customers who purchase software under various volume programs (such as Open and Select) and to participants in programs such as the Microsoft Partner Program and MSDN Subscriptions. - -Volume activation is a configurable solution that helps automate and manage the product activation process on computers running Windows operating systems that have been licensed under a volume licensing program. Volume activation is also used with other software from Microsoft (most notably the Office suites) that are sold under volume licensing agreements and that support volume activation. - -This guide provides information and step-by-step guidance to help you choose a volume activation method that suits your environment, and then to configure that solution successfully. This guide describes the volume activation features that are available in Windows 10 and Windows Server 2012 R2 and the tools that are provided in these versions of Windows and Windows Server to manage volume activation. - -Because most organizations will not immediately switch all computers to Windows 10, practical volume activation strategies must also take in to account how to work with the Windows 8, Windows 7, Windows Server 2012, and Windows Server 2008 R2Windows Server 2008 R2 operating systems. This guide -discusses how the new volume activation tools can support earlier operating systems, but it does not discuss the tools that are provided with earlier operating system versions. - -Volume activation—and the need for activation itself—is not new, and this guide does not review all of its concepts and history. You can find additional background in the appendices of this guide. For more information, see [Volume Activation Overview](https://go.microsoft.com/fwlink/p/?LinkId=618209) in the TechNet Library. - -If you would like additional information about planning a volume activation deployment specifically for Windows 7 and Windows Server 2008 R2, please see the [Volume Activation Planning Guide for Windows 7](https://go.microsoft.com/fwlink/p/?LinkId=618210). - -To successfully plan and implement a volume activation strategy, you must: -- Learn about and understand product activation. -- Review and evaluate the available activation types or models. -- Consider the connectivity of the clients to be activated. -- Choose the method or methods to be used with each type of client. -- Determine the types and number of product keys you will need. -- Determine the monitoring and reporting needs in your organization. -- Install and configure the tools required to support the methods selected. - -Keep in mind that the method of activation does not change an organization’s responsibility to the licensing requirements. You must ensure that all software used in your organization is properly licensed and activated in accordance with the terms of the licensing agreements in place. - -**In this guide:** -- [Plan for volume activation](plan-for-volume-activation-client.md) -- [Activate using Key Management Service](activate-using-key-management-service-vamt.md) -- [Activate using Active Directory-based activation](activate-using-active-directory-based-activation-client.md) -- [Activate clients running Windows 10](activate-windows-10-clients-vamt.md) -- [Monitor activation](monitor-activation-client.md) -- [Use the Volume Activation Management Tool](use-the-volume-activation-management-tool-client.md) -- [Appendix: Information sent to Microsoft during activation](appendix-information-sent-to-microsoft-during-activation-client.md) -  +--- +title: Volume Activation for Windows 10 (Windows 10) +description: This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. +ms.assetid: 6e8cffae-7322-4fd3-882a-cde68187aef2 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: vamt, volume activation, activation, windows activation +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.date: 07/27/2017 +ms.topic: article +--- + +# Volume Activation for Windows 10 + +**Applies to** +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 + +**Looking for volume licensing information?** +- [Download the Volume Licensing Reference Guide for Windows 10 Desktop Operating System](https://go.microsoft.com/fwlink/p/?LinkId=620104) + +**Looking for retail activation?** +- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) + +This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. +*Volume activation* is the process that Microsoft volume licensing customers use to automate and manage the activation of Windows operating systems, Microsoft Office, and other Microsoft products across large organizations. Volume licensing is available to customers who purchase software under various volume programs (such as Open and Select) and to participants in programs such as the Microsoft Partner Program and MSDN Subscriptions. + +Volume activation is a configurable solution that helps automate and manage the product activation process on computers running Windows operating systems that have been licensed under a volume licensing program. Volume activation is also used with other software from Microsoft (most notably the Office suites) that are sold under volume licensing agreements and that support volume activation. + +This guide provides information and step-by-step guidance to help you choose a volume activation method that suits your environment, and then to configure that solution successfully. This guide describes the volume activation features that are available in Windows 10 and Windows Server 2012 R2 and the tools that are provided in these versions of Windows and Windows Server to manage volume activation. + +Because most organizations will not immediately switch all computers to Windows 10, practical volume activation strategies must also take in to account how to work with the Windows 8, Windows 7, Windows Server 2012, and Windows Server 2008 R2Windows Server 2008 R2 operating systems. This guide +discusses how the new volume activation tools can support earlier operating systems, but it does not discuss the tools that are provided with earlier operating system versions. + +Volume activation—and the need for activation itself—is not new, and this guide does not review all of its concepts and history. You can find additional background in the appendices of this guide. For more information, see [Volume Activation Overview](https://go.microsoft.com/fwlink/p/?LinkId=618209) in the TechNet Library. + +If you would like additional information about planning a volume activation deployment specifically for Windows 7 and Windows Server 2008 R2, please see the [Volume Activation Planning Guide for Windows 7](https://go.microsoft.com/fwlink/p/?LinkId=618210). + +To successfully plan and implement a volume activation strategy, you must: +- Learn about and understand product activation. +- Review and evaluate the available activation types or models. +- Consider the connectivity of the clients to be activated. +- Choose the method or methods to be used with each type of client. +- Determine the types and number of product keys you will need. +- Determine the monitoring and reporting needs in your organization. +- Install and configure the tools required to support the methods selected. + +Keep in mind that the method of activation does not change an organization’s responsibility to the licensing requirements. You must ensure that all software used in your organization is properly licensed and activated in accordance with the terms of the licensing agreements in place. + +**In this guide:** +- [Plan for volume activation](plan-for-volume-activation-client.md) +- [Activate using Key Management Service](activate-using-key-management-service-vamt.md) +- [Activate using Active Directory-based activation](activate-using-active-directory-based-activation-client.md) +- [Activate clients running Windows 10](activate-windows-10-clients-vamt.md) +- [Monitor activation](monitor-activation-client.md) +- [Use the Volume Activation Management Tool](use-the-volume-activation-management-tool-client.md) +- [Appendix: Information sent to Microsoft during activation](appendix-information-sent-to-microsoft-during-activation-client.md) +  diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md index cf5dc081cf..26151664de 100644 --- a/windows/deployment/windows-10-deployment-scenarios.md +++ b/windows/deployment/windows-10-deployment-scenarios.md @@ -1,275 +1,275 @@ ---- -title: Windows 10 deployment scenarios (Windows 10) -description: To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. -ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 -ms.reviewer: -manager: laurawi -ms.author: greg-lindsay -keywords: upgrade, in-place, configuration, deploy -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.date: 11/06/2018 -author: greg-lindsay -ms.topic: article ---- - -# Windows 10 deployment scenarios - -**Applies to** -- Windows 10 - -To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. - -The following table summarizes various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories. -- Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home). -- Dynamic deployment methods enable you to configure applications and settings for specific use cases. -- Traditional deployment methods use existing tools to deploy operating system images.
            - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          CategoryScenarioDescriptionMore information
          Modern - -[Windows Autopilot](#windows-autopilot) - Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured. - -Overview of Windows Autopilot -
          - -[In-place upgrade](#in-place-upgrade) - - - Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old. - -Perform an in-place upgrade to Windows 10 with MDT
          Perform an in-place upgrade to Windows 10 using Configuration Manager -
          - Dynamic - - -[Subscription Activation](#windows-10-subscription-activation) - - Switch from Windows 10 Pro to Enterprise when a subscribed user signs in. - -Windows 10 Subscription Activation -
          - - [AAD / MDM](#dynamic-provisioning) - - The device is automatically joined to AAD and configured by MDM. - -Azure Active Directory integration with MDM -
          - - [Provisioning packages](#dynamic-provisioning) - - Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices. - -Configure devices without MDM -
          - Traditional - - - [Bare metal](#new-computer) - - Deploy a new device, or wipe an existing device and deploy with a fresh image. - - Deploy a Windows 10 image using MDT
          Install a new version of Windows on a new computer with System Center Configuration Manager -
          - - [Refresh](#computer-refresh) - - Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. - - Refresh a Windows 7 computer with Windows 10
          Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager -
          - - [Replace](#computer-replace) - - Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device. - - Replace a Windows 7 computer with a Windows 10 computer
          Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager -
          - -
            - - ->[!IMPORTANT] ->The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.
          ->Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS. - -## Modern deployment methods - -Modern deployment methods embrace both traditional on-prem and cloud services to deliver a simple, streamlined, cost effective deployment experience. - -### Windows Autopilot - -Windows Autopilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows Autopilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device after just a few clicks. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator. - -For more information about Windows Autopilot, see [Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows Autopilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/). - -### In-place upgrade - -For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 leverages the Windows installation program (Setup.exe) to perform an in-place upgrade, which automatically preserves all data, settings, applications, and drivers from the existing operating system version. This requires the least IT effort, because there is no need for any complex deployment infrastructure. - -Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. This is accomplished by leveraging tools like System Center Configuration Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences. - -The in-place upgrade process is designed to be extremely reliable, with the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. Rolling back manually can also be done by leveraging the automatically-created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications do not need to be reinstalled as part of the process. - -Because existing applications are preserved through the process, the upgrade process uses the standard Windows installation media image (Install.wim); custom images are not needed and cannot be used because the upgrade process is unable to deal with conflicts between apps in the old and new operating system. (For example, Contoso Timecard 1.0 in Windows 7 and Contoso Timecard 3.0 in the Windows 10 image.) - -Scenarios that support in-place upgrade with some additional procedures include changing from BIOS to UEFI boot mode and upgrade of devices that use non-Microsoft disk encryption software. - -- **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 does not require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode. - -- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting: - - [Windows Setup Automation Overview](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-automation-overview) - - [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options) - -There are some situations where you cannot use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include: - -- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process cannot change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers. -- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed. -- Updating existing images. While it might be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image, this is not supported – preparing an upgraded OS for imaging (using Sysprep.exe) is not supported and will not work when it detects the upgraded OS. -- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS; if using dual-boot or multi-boot systems with multiple operating systems (not leveraging virtual machines for the second and subsequent operating systems), additional care should be taken. - - -## Dynamic provisioning - -For new PCs, organizations have historically replaced the version of Windows included on the device with their own custom Windows image, because this was often faster and easier than leveraging the preinstalled version. But this is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows 10, it is now possible to avoid this. - -The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include: - -### Windows 10 Subscription Activation - -Windows 10 Subscription Activation is a modern deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation). - - -### Azure Active Directory (AAD) join with automatic mobile device management (MDM) enrollment - -In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Azure Active Directory integration with MDM](https://docs.microsoft.com/windows/client-management/mdm/azure-active-directory-integration-with-mdm). - -### Provisioning package configuration - -Using the [Windows Imaging and Configuration Designer (ICD)](https://go.microsoft.com/fwlink/p/?LinkId=619358), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through a variety of means, typically by IT professionals. For more information, see [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm). - -These scenarios can be used to enable “choose your own device” (CYOD) programs where the organization’s users can pick their own PC and not be restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios). - -While the initial Windows 10 release includes a variety of provisioning settings and deployment mechanisms, these will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for additional features through the Windows Feedback app or through their Microsoft Support contacts. - -## Traditional deployment: - -New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md), and [System Center Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md). - -With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important and will continue to be available to organizations that need them. - -The traditional deployment scenario can be divided into different sub-scenarios. These are explained in detail in the following sections, but the following provides a brief summary: - -- **New computer.** A bare-metal deployment of a new machine. - -- **Computer refresh.** A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup). - -- **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup). - -### New computer - -Also called a "bare metal" deployment. This scenario occurs when you have a blank machine you need to deploy, or an existing machine you want to wipe and redeploy without needing to preserve any existing data. The setup starts from a boot media, using CD, USB, ISO, or Pre-Boot Execution Environment (PXE). You can also generate a full offline media that includes all the files needed for a client deployment, allowing you to deploy without having to connect to a central deployment share. The target can be a physical computer, a virtual machine, or a Virtual Hard Disk (VHD) running on a physical computer (boot from VHD). - -The deployment process for the new machine scenario is as follows: - -1. Start the setup from boot media (CD, USB, ISO, or PXE). - -2. Wipe the hard disk clean and create new volume(s). - -3. Install the operating system image. - -4. Install other applications (as part of the task sequence). - -After taking these steps, the computer is ready for use. - -### Computer refresh - -A refresh is sometimes called wipe-and-load. The process is normally initiated in the running operating system. User data and settings are backed up and restored later as part of the deployment process. The target can be the same as for the new computer scenario. - -The deployment process for the wipe-and-load scenario is as follows: - -1. Start the setup on a running operating system. - -2. Save the user state locally. - -3. Wipe the hard disk clean (except for the folder containing the backup). - -4. Install the operating system image. - -5. Install other applications. - -6. Restore the user state. - -After taking these steps, the machine is ready for use. - -### Computer replace - -A computer replace is similar to the refresh scenario. However, since we are replacing the machine, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored. - -The deployment process for the replace scenario is as follows: - -1. Save the user state (data and settings) on the server through a backup job on the running operating system. - -2. Deploy the new computer as a bare-metal deployment. - - **Note**
          In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk. - -## Related topics - -- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) -- [Upgrade to Windows 10 with System Center Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md) -- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=620230) -- [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) -- [Windows setup technical reference](https://go.microsoft.com/fwlink/p/?LinkId=619357) -- [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=619358) -- [UEFI firmware](https://go.microsoft.com/fwlink/p/?LinkId=619359) +--- +title: Windows 10 deployment scenarios (Windows 10) +description: To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. +ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 +ms.reviewer: +manager: laurawi +ms.audience: itpro author: greg-lindsay +keywords: upgrade, in-place, configuration, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.date: 11/06/2018 +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Windows 10 deployment scenarios + +**Applies to** +- Windows 10 + +To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. + +The following table summarizes various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories. +- Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home). +- Dynamic deployment methods enable you to configure applications and settings for specific use cases. +- Traditional deployment methods use existing tools to deploy operating system images.
            + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          CategoryScenarioDescriptionMore information
          Modern + +[Windows Autopilot](#windows-autopilot) + Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured. + +Overview of Windows Autopilot +
          + +[In-place upgrade](#in-place-upgrade) + + + Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old. + +Perform an in-place upgrade to Windows 10 with MDT
          Perform an in-place upgrade to Windows 10 using Configuration Manager +
          + Dynamic + + +[Subscription Activation](#windows-10-subscription-activation) + + Switch from Windows 10 Pro to Enterprise when a subscribed user signs in. + +Windows 10 Subscription Activation +
          + + [AAD / MDM](#dynamic-provisioning) + + The device is automatically joined to AAD and configured by MDM. + +Azure Active Directory integration with MDM +
          + + [Provisioning packages](#dynamic-provisioning) + + Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices. + +Configure devices without MDM +
          + Traditional + + + [Bare metal](#new-computer) + + Deploy a new device, or wipe an existing device and deploy with a fresh image. + + Deploy a Windows 10 image using MDT
          Install a new version of Windows on a new computer with System Center Configuration Manager +
          + + [Refresh](#computer-refresh) + + Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. + + Refresh a Windows 7 computer with Windows 10
          Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager +
          + + [Replace](#computer-replace) + + Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device. + + Replace a Windows 7 computer with a Windows 10 computer
          Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager +
          + +
            + + +>[!IMPORTANT] +>The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.
          +>Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS. + +## Modern deployment methods + +Modern deployment methods embrace both traditional on-prem and cloud services to deliver a simple, streamlined, cost effective deployment experience. + +### Windows Autopilot + +Windows Autopilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows Autopilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device after just a few clicks. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator. + +For more information about Windows Autopilot, see [Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows Autopilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/). + +### In-place upgrade + +For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 leverages the Windows installation program (Setup.exe) to perform an in-place upgrade, which automatically preserves all data, settings, applications, and drivers from the existing operating system version. This requires the least IT effort, because there is no need for any complex deployment infrastructure. + +Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. This is accomplished by leveraging tools like System Center Configuration Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences. + +The in-place upgrade process is designed to be extremely reliable, with the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. Rolling back manually can also be done by leveraging the automatically-created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications do not need to be reinstalled as part of the process. + +Because existing applications are preserved through the process, the upgrade process uses the standard Windows installation media image (Install.wim); custom images are not needed and cannot be used because the upgrade process is unable to deal with conflicts between apps in the old and new operating system. (For example, Contoso Timecard 1.0 in Windows 7 and Contoso Timecard 3.0 in the Windows 10 image.) + +Scenarios that support in-place upgrade with some additional procedures include changing from BIOS to UEFI boot mode and upgrade of devices that use non-Microsoft disk encryption software. + +- **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 does not require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode. + +- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting: + - [Windows Setup Automation Overview](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-automation-overview) + - [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options) + +There are some situations where you cannot use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include: + +- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process cannot change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers. +- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed. +- Updating existing images. While it might be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image, this is not supported – preparing an upgraded OS for imaging (using Sysprep.exe) is not supported and will not work when it detects the upgraded OS. +- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS; if using dual-boot or multi-boot systems with multiple operating systems (not leveraging virtual machines for the second and subsequent operating systems), additional care should be taken. + + +## Dynamic provisioning + +For new PCs, organizations have historically replaced the version of Windows included on the device with their own custom Windows image, because this was often faster and easier than leveraging the preinstalled version. But this is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows 10, it is now possible to avoid this. + +The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include: + +### Windows 10 Subscription Activation + +Windows 10 Subscription Activation is a modern deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation). + + +### Azure Active Directory (AAD) join with automatic mobile device management (MDM) enrollment + +In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Azure Active Directory integration with MDM](https://docs.microsoft.com/windows/client-management/mdm/azure-active-directory-integration-with-mdm). + +### Provisioning package configuration + +Using the [Windows Imaging and Configuration Designer (ICD)](https://go.microsoft.com/fwlink/p/?LinkId=619358), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through a variety of means, typically by IT professionals. For more information, see [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm). + +These scenarios can be used to enable “choose your own device” (CYOD) programs where the organization’s users can pick their own PC and not be restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios). + +While the initial Windows 10 release includes a variety of provisioning settings and deployment mechanisms, these will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for additional features through the Windows Feedback app or through their Microsoft Support contacts. + +## Traditional deployment: + +New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md), and [System Center Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md). + +With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important and will continue to be available to organizations that need them. + +The traditional deployment scenario can be divided into different sub-scenarios. These are explained in detail in the following sections, but the following provides a brief summary: + +- **New computer.** A bare-metal deployment of a new machine. + +- **Computer refresh.** A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup). + +- **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup). + +### New computer + +Also called a "bare metal" deployment. This scenario occurs when you have a blank machine you need to deploy, or an existing machine you want to wipe and redeploy without needing to preserve any existing data. The setup starts from a boot media, using CD, USB, ISO, or Pre-Boot Execution Environment (PXE). You can also generate a full offline media that includes all the files needed for a client deployment, allowing you to deploy without having to connect to a central deployment share. The target can be a physical computer, a virtual machine, or a Virtual Hard Disk (VHD) running on a physical computer (boot from VHD). + +The deployment process for the new machine scenario is as follows: + +1. Start the setup from boot media (CD, USB, ISO, or PXE). + +2. Wipe the hard disk clean and create new volume(s). + +3. Install the operating system image. + +4. Install other applications (as part of the task sequence). + +After taking these steps, the computer is ready for use. + +### Computer refresh + +A refresh is sometimes called wipe-and-load. The process is normally initiated in the running operating system. User data and settings are backed up and restored later as part of the deployment process. The target can be the same as for the new computer scenario. + +The deployment process for the wipe-and-load scenario is as follows: + +1. Start the setup on a running operating system. + +2. Save the user state locally. + +3. Wipe the hard disk clean (except for the folder containing the backup). + +4. Install the operating system image. + +5. Install other applications. + +6. Restore the user state. + +After taking these steps, the machine is ready for use. + +### Computer replace + +A computer replace is similar to the refresh scenario. However, since we are replacing the machine, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored. + +The deployment process for the replace scenario is as follows: + +1. Save the user state (data and settings) on the server through a backup job on the running operating system. + +2. Deploy the new computer as a bare-metal deployment. + + **Note**
          In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk. + +## Related topics + +- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) +- [Upgrade to Windows 10 with System Center Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md) +- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=620230) +- [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) +- [Windows setup technical reference](https://go.microsoft.com/fwlink/p/?LinkId=619357) +- [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=619358) +- [UEFI firmware](https://go.microsoft.com/fwlink/p/?LinkId=619359) diff --git a/windows/deployment/windows-10-deployment-tools-reference.md b/windows/deployment/windows-10-deployment-tools-reference.md index 42bf08e5b8..46feb45c03 100644 --- a/windows/deployment/windows-10-deployment-tools-reference.md +++ b/windows/deployment/windows-10-deployment-tools-reference.md @@ -1,28 +1,28 @@ ---- -title: Windows 10 deployment tools (Windows 10) -description: Learn about the tools available to deploy Windows 10. -ms.assetid: 5C4B0AE3-B2D0-4628-9E73-606F3FAA17BB -ms.reviewer: -manager: laurawi -ms.author: greg-lindsay -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 07/12/2017 -ms.topic: article ---- - -# Windows 10 deployment tools - -Learn about the tools available to deploy Windows 10. - -|Topic |Description | -|------|------------| -|[Windows 10 deployment scenarios and tools](windows-deployment-scenarios-and-tools.md) |To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment. | -|[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. | -|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. | -|[Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) |The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. | -|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. | -|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. | -|[User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) |The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals | +--- +title: Windows 10 deployment tools (Windows 10) +description: Learn about the tools available to deploy Windows 10. +ms.assetid: 5C4B0AE3-B2D0-4628-9E73-606F3FAA17BB +ms.reviewer: +manager: laurawi +ms.audience: itpro author: greg-lindsay +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 07/12/2017 +ms.topic: article +--- + +# Windows 10 deployment tools + +Learn about the tools available to deploy Windows 10. + +|Topic |Description | +|------|------------| +|[Windows 10 deployment scenarios and tools](windows-deployment-scenarios-and-tools.md) |To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment. | +|[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. | +|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. | +|[Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) |The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. | +|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. | +|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. | +|[User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) |The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals | diff --git a/windows/deployment/windows-10-deployment-tools.md b/windows/deployment/windows-10-deployment-tools.md index e8473e6ea0..43fe3a68c7 100644 --- a/windows/deployment/windows-10-deployment-tools.md +++ b/windows/deployment/windows-10-deployment-tools.md @@ -1,28 +1,28 @@ ---- -title: Windows 10 deployment tools (Windows 10) -description: Learn about the tools available to deploy Windows 10. -ms.assetid: 5C4B0AE3-B2D0-4628-9E73-606F3FAA17BB -ms.reviewer: -manager: laurawi -ms.author: greg-lindsay -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 10/16/2017 -ms.topic: article ---- - -# Windows 10 deployment tools - -Learn about the tools available to deploy Windows 10. - -|Topic |Description | -|------|------------| -|[Windows 10 deployment scenarios and tools](windows-deployment-scenarios-and-tools.md) |To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment. | -|[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. | -|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. | -|[Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) |The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. | -|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. | -|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. | -|[User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) |The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals | +--- +title: Windows 10 deployment tools (Windows 10) +description: Learn about the tools available to deploy Windows 10. +ms.assetid: 5C4B0AE3-B2D0-4628-9E73-606F3FAA17BB +ms.reviewer: +manager: laurawi +ms.audience: itpro author: greg-lindsay +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 10/16/2017 +ms.topic: article +--- + +# Windows 10 deployment tools + +Learn about the tools available to deploy Windows 10. + +|Topic |Description | +|------|------------| +|[Windows 10 deployment scenarios and tools](windows-deployment-scenarios-and-tools.md) |To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment. | +|[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. | +|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. | +|[Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) |The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. | +|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. | +|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. | +|[User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) |The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals | diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md index f5421a4ffd..6b45127282 100644 --- a/windows/deployment/windows-10-enterprise-e3-overview.md +++ b/windows/deployment/windows-10-enterprise-e3-overview.md @@ -1,258 +1,258 @@ ---- -title: Windows 10 Enterprise E3 in CSP -description: Describes Windows 10 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10 Enterprise edition. -keywords: upgrade, update, task sequence, deploy -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -ms.date: 08/24/2017 -ms.reviewer: -manager: laurawi -ms.author: greg-lindsay -author: greg-lindsay -ms.collection: M365-modern-desktop -ms.topic: article ---- - -# Windows 10 Enterprise E3 in CSP - -Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Windows 10 Enterprise E3 in CSP is a new offering that delivers, by subscription, exclusive features reserved for Windows 10 Enterprise edition. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10 Enterprise E3 in CSP provides a flexible, per-user subscription for small- and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following: - -- Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later, installed and activated, on the devices to be upgraded -- Azure Active Directory (Azure AD) available for identity management - -Starting with Windows 10, version 1607 (Windows 10 Anniversary Update), you can move from Windows 10 Pro to Windows 10 Enterprise more easily than ever before—no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise and all the appropriate Windows 10 Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Windows 10 Enterprise device seamlessly steps back down to Windows 10 Pro. - -Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. Now, with Windows 10 Enterprise E3 in CSP, small- and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features. - -When you purchase Windows 10 Enterprise E3 via a partner, you get the following benefits: - -- **Windows 10 Enterprise edition**. Devices currently running Windows 10 Pro, version 1607 can get Windows 10 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit does not include Long Term Service Branch (LTSB). - -- **Support from one to hundreds of users**. Although the Windows 10 Enterprise E3 in CSP program does not have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations. - -- **Deploy on up to five devices**. For each user covered by the license, you can deploy Windows 10 Enterprise edition on up to five devices. - -- **Roll back to Windows 10 Pro at any time**. When a user’s subscription expires or is transferred to another user, the Windows 10 Enterprise device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 90 days). - -- **Monthly, per-user pricing model**. This makes Windows 10 Enterprise E3 affordable for any organization. - -- **Move licenses between users**. Licenses can be quickly and easily reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. - -How does the Windows 10 Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance? - -- [Microsoft Volume Licensing](https://www.microsoft.com/en-us/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products. - -- [Software Assurance](https://www.microsoft.com/en-us/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits: - - - **Deployment and management**. These benefits include planning services, Microsoft Desktop Optimization (MDOP), Windows Virtual Desktop Access Rights, Windows-To-Go Rights, Windows Roaming Use Rights, Windows Thin PC, Windows RT Companion VDA Rights, and other benefits. - - - **Training**. These benefits include training vouchers, online e-learning, and a home use program. - - - **Support**. These benefits include 24x7 problem resolution support, backup capabilities for disaster recovery, System Center Global Service Monitor, and a passive secondary instance of SQL Server. - - - **Specialized**. These benefits include step-up licensing availability (which enables you to migrate software from an earlier edition to a higher-level edition) and to spread license and Software Assurance payments across three equal, annual sums. - - In addition, in Windows 10 Enterprise E3 in CSP, a partner can manage your licenses for you. With Software Assurance, you, the customer, manage your own licenses. - -In summary, the Windows 10 Enterprise E3 in CSP program is an upgrade offering that provides small- and medium-sized organizations easier, more flexible access to the benefits of Windows 10 Enterprise edition, whereas Microsoft Volume Licensing programs and Software Assurance are broader in scope and provide benefits beyond access to Windows 10 Enterprise edition. - -## Compare Windows 10 Pro and Enterprise editions - -Windows 10 Enterprise edition has a number of features that are unavailable in Windows 10 Pro. Table 1 lists the Windows 10 Enterprise features not found in Windows 10 Pro. Many of these features are security-related, whereas others enable finer-grained device management. - -*Table 1. Windows 10 Enterprise features not found in Windows 10 Pro* - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          FeatureDescription

          Credential Guard

          This feature uses virtualization-based security to help protect security secrets (for example, NTLM password hashes, Kerberos Ticket Granting Tickets) so that only privileged system software can access them. This helps prevent Pass-the-Hash or Pass-the-Ticket attacks.

          -

          Credential Guard has the following features:

          -
            -

          • Hardware-level security.  Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.

            • -

          • Virtualization-based security.  Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.

            • -

          • Improved protection against persistent threats.  Credential Guard works with other technologies (e.g., Device Guard) to help provide further protection against attacks, no matter how persistent.

            • -

          • Improved manageability.  Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.

            • -
          -

          For more information, see Protect derived domain credentials with Credential Guard.

          -

          Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)

          Device Guard

          This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.

          -

          Device Guard does the following:

          -
            -

          • Helps protect against malware

            • -

          • Helps protect the Windows system core from vulnerability and zero-day exploits

            • -

          • Allows only trusted apps to run

            • -
          -

          For more information, see Introduction to Device Guard.

          AppLocker management

          This feature helps IT pros determine which applications and files users can run on a device (also known as “whitelisting”). The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.

          -

          For more information, see AppLocker.

          Application Virtualization (App-V)

          This feature makes applications available to end users without installing the applications directly on users’ devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.

          -

          For more information, see Getting Started with App-V for Windows 10.

          User Experience Virtualization (UE-V)

          With this feature, you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.

          -

          UE-V provides the ability to do the following:

          -
            -

          • Specify which application and Windows settings synchronize across user devices

            • -

          • Deliver the settings anytime and anywhere users work throughout the enterprise

            • -

          • Create custom templates for your third-party or line-of-business applications

            • -

          • Recover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state

            • -
          -

          For more information, see User Experience Virtualization (UE-V) for Windows 10 overview.

          Managed User Experience

          This feature helps customize and lock down a Windows device’s user interface to restrict it to a specific task. For example, you can configure a device for a controlled scenario such as a kiosk or classroom device. The user experience would be automatically reset once a user signs off. You can also restrict access to services including Cortana or the Windows Store, and manage Start layout options, such as:

          -
            -

          • Removing and preventing access to the Shut Down, Restart, Sleep, and Hibernate commands

            • -

          • Removing Log Off (the User tile) from the Start menu

            • -

          • Removing frequent programs from the Start menu

            • -

          • Removing the All Programs list from the Start menu

            • -

          • Preventing users from customizing their Start screen

            • -

          • Forcing Start menu to be either full-screen size or menu size

            • -

          • Preventing changes to Taskbar and Start menu settings

            • -
          -
          - -## Deployment of Windows 10 Enterprise E3 licenses - -See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). - -## Deploy Windows 10 Enterprise features - -Now that you have Windows 10 Enterprise edition running on devices, how do you take advantage of the Enterprise edition features and capabilities? What are the next steps that need to be taken for each of the features discussed in [Table 1](#compare-windows10-pro-and-enterprise-editions)? - -The following sections provide you with the high-level tasks that need to be performed in your environment to help users take advantage of the Windows 10 Enterprise edition features. - -### Credential Guard\* - -You can implement Credential Guard on Windows 10 Enterprise devices by turning on Credential Guard on these devices. Credential Guard uses Windows 10 virtualization-based security features (Hyper-V features) that must be enabled on each device before you can turn on Credential Guard. You can turn on Credential Guard by using one of the following methods: - -- **Automated**. You can automatically turn on Credential Guard for one or more devices by using Group Policy. The Group Policy settings automatically add the virtualization-based security features and configure the Credential Guard registry settings on managed devices. - -- **Manual**. You can manually turn on Credential Guard by doing the following: - - - Add the virtualization-based security features by using Programs and Features or Deployment Image Servicing and Management (DISM). - - - Configure Credential Guard registry settings by using the Registry Editor or the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). - - You can automate these manual steps by using a management tool such as System Center Configuration Manager. - -For more information about implementing Credential Guard, see the following resources: - -- [Protect derived domain credentials with Credential Guard](https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard) -- [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514(v=vs.85).aspx) -- [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337) - -\* *Requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)* - -### Device Guard - -Now that the devices have Windows 10 Enterprise, you can implement Device Guard on the Windows 10 Enterprise devices by performing the following steps: - -1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate (that you purchase) or an internal certificate authority (CA). If you choose to use an internal CA, you will need to create a code signing certificate. - -2. **Create code integrity policies from “golden” computers**. When you have identified departments or roles that use distinctive or partly distinctive sets of hardware and software, you can set up “golden” computers containing that software and hardware. In this respect, creating and managing code integrity policies to align with the needs of roles or departments can be similar to managing corporate images. From each “golden” computer, you can create a code integrity policy and decide how to manage that policy. You can merge code integrity policies to create a broader policy or a master policy, or you can manage and deploy each policy individually. - -3. **Audit the code integrity policy and capture information about applications that are outside the policy**. We recommend that you use “audit mode” to carefully test each code integrity policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed. - -4. **Create a “catalog file” for unsigned line-of-business (LOB) applications**. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. In later steps, you can merge the catalog file's signature into your code integrity policy so that applications in the catalog will be allowed by the policy. - -5. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a code integrity policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy. You can merge code integrity policies from other sources also, for flexibility in how you create your final code integrity policies. - -6. **Deploy code integrity policies and catalog files**. After you confirm that you have completed all the preceding steps, you can begin deploying catalog files and taking code integrity policies out of audit mode. We strongly recommend that you begin this process with a test group of users. This provides a final quality-control validation before you deploy the catalog files and code integrity policies more broadly. - -7. **Enable desired hardware security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies. - -For more information about implementing Device Guard, see: - -- [Planning and getting started on the Device Guard deployment process](https://technet.microsoft.com/itpro/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process) -- [Device Guard deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide) - -### AppLocker management - -You can manage AppLocker in Windows 10 Enterprise by using Group Policy. Group Policy requires that the you have AD DS and that the Windows 10 Enterprise devices are joined to the your AD DS domain. You can create AppLocker rules by using Group Policy, and then target those rules to the appropriate devices. - -For more information about AppLocker management by using Group Policy, see [AppLocker deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-policies-deployment-guide). - -### App-V - -App-V requires an App-V server infrastructure to support App-V clients. The primary App-V components that the you must have are as follows: - -- **App-V server**. The App-V server provides App-V management, virtualized app publishing, app streaming, and reporting services. Each of these services can be run on one server or can be run individually on multiple servers. For example, you could have multiple streaming servers. App-V clients contact App-V servers to determine which apps are published to the user or device, and then run the virtualized app from the server. - -- **App-V sequencer**. The App-V sequencer is a typical client device that is used to sequence (capture) apps and prepare them for hosting from the App-V server. You install apps on the App-V sequencer, and the App-V sequencer software determines the files and registry settings that are changed during app installation. Then the sequencer captures these settings to create a virtualized app. - -- **App-V client**. The App-V client must be enabled on any client device on which apps will be run from the App-V server. These will be the Windows 10 Enterprise E3 devices. - -For more information about implementing the App-V server, App-V sequencer, and App-V client, see the following resources: - -- [Getting Started with App-V for Windows 10](https://technet.microsoft.com/itpro/windows/manage/appv-getting-started) -- [Deploying the App-V server](https://technet.microsoft.com/itpro/windows/manage/appv-deploying-the-appv-server) -- [Deploying the App-V Sequencer and Configuring the Client](https://technet.microsoft.com/itpro/windows/manage/appv-deploying-the-appv-sequencer-and-client) - -### UE-V -UE-V requires server- and client-side components that you you’ll need to download, activate, and install. These components include: - -- **UE-V service**. The UE-V service (when enabled on devices) monitors registered applications and Windows for any settings changes, then synchronizes those settings between devices. - -- **Settings packages**. Settings packages created by the UE-V service store application settings and Windows settings. Settings packages are built, locally stored, and copied to the settings storage location. - -- **Settings storage location**. This location is a standard network share that your users can access. The UE-V service verifies the location and creates a hidden system folder in which to store and retrieve user settings. - -- **Settings location templates**. Settings location templates are XML files that UE-V uses to monitor and synchronize desktop application settings and Windows desktop settings between user computers. By default, some settings location templates are included in UE-V. You can also create, edit, or validate custom settings location templates by using the UE-V template generator. Settings location templates are not required for Windows applications. - -- **Universal Windows applications list**. UE-V determines which Windows applications are enabled for settings synchronization using a managed list of applications. By default, this list includes most Windows applications. - -For more information about deploying UE-V, see the following resources: - -- [User Experience Virtualization (UE-V) for Windows 10 overview](https://technet.microsoft.com/itpro/windows/manage/uev-for-windows) -- [Get Started with UE-V](https://technet.microsoft.com/itpro/windows/manage/uev-getting-started) -- [Prepare a UE-V Deployment](https://technet.microsoft.com/itpro/windows/manage/uev-prepare-for-deployment) - -### Managed User Experience - -The Managed User Experience feature is a set of Windows 10 Enterprise edition features and corresponding settings that you can use to manage user experience. Table 2 describes the Managed User Experience settings (by category), which are only available in Windows 10 Enterprise edition. The management methods used to configure each feature depend on the feature. Some features are configured by using Group Policy, while others are configured by using Windows PowerShell, Deployment Image Servicing and Management (DISM), or other command-line tools. For the Group Policy settings, you must have AD DS with the Windows 10 Enterprise devices joined to your AD DS domain. - -*Table 2. Managed User Experience features* - -| Feature | Description | -|------------------|-----------------| -| Start layout customization | You can deploy a customized Start layout to users in a domain. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
          For more information on these settings, see [Customize Windows 10 Start and taskbar with Group Policy](https://technet.microsoft.com/itpro/windows/manage/customize-windows-10-start-screens-by-using-group-policy). | -| Unbranded boot | You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error from which it cannot recover.
          For more information on these settings, see [Unbranded Boot](https://msdn.microsoft.com/library/windows/hardware/mt571997(v=vs.85).aspx). | -| Custom logon | You can use the Custom Logon feature to suppress Windows 10 UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown.
          For more information on these settings, see [Custom Logon](https://msdn.microsoft.com/library/windows/hardware/mt571990(v=vs.85).aspx). | -| Shell launcher | Enables Assigned Access to run only a classic Windows app via Shell Launcher to replace the shell.
          For more information on these settings, see [Shell Launcher](https://msdn.microsoft.com/library/windows/hardware/mt571994(v=vs.85).aspx). | -| Keyboard filter | You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, users can use certain Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to control a device by locking the screen or using Task Manager to close a running application. This is not desirable on devices intended for a dedicated purpose.
          For more information on these settings, see [Keyboard Filter](https://msdn.microsoft.com/library/windows/hardware/mt587088(v=vs.85).aspx). | -| Unified write filter | You can use Unified Write Filter (UWF) on your device to help protect your physical storage media, including most standard writable storage types that are supported by Windows, such as physical hard disks, solid-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writable volume.
          For more information on these settings, see [Unified Write Filter](https://msdn.microsoft.com/library/windows/hardware/mt572001(v=vs.85).aspx). | - -## Related topics - -[Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md) -
          [Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-devices-group-policy/) -
          [Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare) -
          [Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx) +--- +title: Windows 10 Enterprise E3 in CSP +description: Describes Windows 10 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10 Enterprise edition. +keywords: upgrade, update, task sequence, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: mdt +ms.date: 08/24/2017 +ms.reviewer: +manager: laurawi +ms.audience: itpro author: greg-lindsay +audience: itpro author: greg-lindsay +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Windows 10 Enterprise E3 in CSP + +Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Windows 10 Enterprise E3 in CSP is a new offering that delivers, by subscription, exclusive features reserved for Windows 10 Enterprise edition. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10 Enterprise E3 in CSP provides a flexible, per-user subscription for small- and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following: + +- Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later, installed and activated, on the devices to be upgraded +- Azure Active Directory (Azure AD) available for identity management + +Starting with Windows 10, version 1607 (Windows 10 Anniversary Update), you can move from Windows 10 Pro to Windows 10 Enterprise more easily than ever before—no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise and all the appropriate Windows 10 Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Windows 10 Enterprise device seamlessly steps back down to Windows 10 Pro. + +Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. Now, with Windows 10 Enterprise E3 in CSP, small- and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features. + +When you purchase Windows 10 Enterprise E3 via a partner, you get the following benefits: + +- **Windows 10 Enterprise edition**. Devices currently running Windows 10 Pro, version 1607 can get Windows 10 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit does not include Long Term Service Branch (LTSB). + +- **Support from one to hundreds of users**. Although the Windows 10 Enterprise E3 in CSP program does not have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations. + +- **Deploy on up to five devices**. For each user covered by the license, you can deploy Windows 10 Enterprise edition on up to five devices. + +- **Roll back to Windows 10 Pro at any time**. When a user’s subscription expires or is transferred to another user, the Windows 10 Enterprise device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 90 days). + +- **Monthly, per-user pricing model**. This makes Windows 10 Enterprise E3 affordable for any organization. + +- **Move licenses between users**. Licenses can be quickly and easily reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. + +How does the Windows 10 Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance? + +- [Microsoft Volume Licensing](https://www.microsoft.com/en-us/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products. + +- [Software Assurance](https://www.microsoft.com/en-us/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits: + + - **Deployment and management**. These benefits include planning services, Microsoft Desktop Optimization (MDOP), Windows Virtual Desktop Access Rights, Windows-To-Go Rights, Windows Roaming Use Rights, Windows Thin PC, Windows RT Companion VDA Rights, and other benefits. + + - **Training**. These benefits include training vouchers, online e-learning, and a home use program. + + - **Support**. These benefits include 24x7 problem resolution support, backup capabilities for disaster recovery, System Center Global Service Monitor, and a passive secondary instance of SQL Server. + + - **Specialized**. These benefits include step-up licensing availability (which enables you to migrate software from an earlier edition to a higher-level edition) and to spread license and Software Assurance payments across three equal, annual sums. + + In addition, in Windows 10 Enterprise E3 in CSP, a partner can manage your licenses for you. With Software Assurance, you, the customer, manage your own licenses. + +In summary, the Windows 10 Enterprise E3 in CSP program is an upgrade offering that provides small- and medium-sized organizations easier, more flexible access to the benefits of Windows 10 Enterprise edition, whereas Microsoft Volume Licensing programs and Software Assurance are broader in scope and provide benefits beyond access to Windows 10 Enterprise edition. + +## Compare Windows 10 Pro and Enterprise editions + +Windows 10 Enterprise edition has a number of features that are unavailable in Windows 10 Pro. Table 1 lists the Windows 10 Enterprise features not found in Windows 10 Pro. Many of these features are security-related, whereas others enable finer-grained device management. + +*Table 1. Windows 10 Enterprise features not found in Windows 10 Pro* + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          FeatureDescription

          Credential Guard

          This feature uses virtualization-based security to help protect security secrets (for example, NTLM password hashes, Kerberos Ticket Granting Tickets) so that only privileged system software can access them. This helps prevent Pass-the-Hash or Pass-the-Ticket attacks.

          +

          Credential Guard has the following features:

          +
            +

          • Hardware-level security.  Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.

            • +

          • Virtualization-based security.  Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.

            • +

          • Improved protection against persistent threats.  Credential Guard works with other technologies (e.g., Device Guard) to help provide further protection against attacks, no matter how persistent.

            • +

          • Improved manageability.  Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.

            • +
          +

          For more information, see Protect derived domain credentials with Credential Guard.

          +

          Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)

          Device Guard

          This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.

          +

          Device Guard does the following:

          +
            +

          • Helps protect against malware

            • +

          • Helps protect the Windows system core from vulnerability and zero-day exploits

            • +

          • Allows only trusted apps to run

            • +
          +

          For more information, see Introduction to Device Guard.

          AppLocker management

          This feature helps IT pros determine which applications and files users can run on a device (also known as “whitelisting”). The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.

          +

          For more information, see AppLocker.

          Application Virtualization (App-V)

          This feature makes applications available to end users without installing the applications directly on users’ devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.

          +

          For more information, see Getting Started with App-V for Windows 10.

          User Experience Virtualization (UE-V)

          With this feature, you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.

          +

          UE-V provides the ability to do the following:

          +
            +

          • Specify which application and Windows settings synchronize across user devices

            • +

          • Deliver the settings anytime and anywhere users work throughout the enterprise

            • +

          • Create custom templates for your third-party or line-of-business applications

            • +

          • Recover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state

            • +
          +

          For more information, see User Experience Virtualization (UE-V) for Windows 10 overview.

          Managed User Experience

          This feature helps customize and lock down a Windows device’s user interface to restrict it to a specific task. For example, you can configure a device for a controlled scenario such as a kiosk or classroom device. The user experience would be automatically reset once a user signs off. You can also restrict access to services including Cortana or the Windows Store, and manage Start layout options, such as:

          +
            +

          • Removing and preventing access to the Shut Down, Restart, Sleep, and Hibernate commands

            • +

          • Removing Log Off (the User tile) from the Start menu

            • +

          • Removing frequent programs from the Start menu

            • +

          • Removing the All Programs list from the Start menu

            • +

          • Preventing users from customizing their Start screen

            • +

          • Forcing Start menu to be either full-screen size or menu size

            • +

          • Preventing changes to Taskbar and Start menu settings

            • +
          +
          + +## Deployment of Windows 10 Enterprise E3 licenses + +See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). + +## Deploy Windows 10 Enterprise features + +Now that you have Windows 10 Enterprise edition running on devices, how do you take advantage of the Enterprise edition features and capabilities? What are the next steps that need to be taken for each of the features discussed in [Table 1](#compare-windows10-pro-and-enterprise-editions)? + +The following sections provide you with the high-level tasks that need to be performed in your environment to help users take advantage of the Windows 10 Enterprise edition features. + +### Credential Guard\* + +You can implement Credential Guard on Windows 10 Enterprise devices by turning on Credential Guard on these devices. Credential Guard uses Windows 10 virtualization-based security features (Hyper-V features) that must be enabled on each device before you can turn on Credential Guard. You can turn on Credential Guard by using one of the following methods: + +- **Automated**. You can automatically turn on Credential Guard for one or more devices by using Group Policy. The Group Policy settings automatically add the virtualization-based security features and configure the Credential Guard registry settings on managed devices. + +- **Manual**. You can manually turn on Credential Guard by doing the following: + + - Add the virtualization-based security features by using Programs and Features or Deployment Image Servicing and Management (DISM). + + - Configure Credential Guard registry settings by using the Registry Editor or the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). + + You can automate these manual steps by using a management tool such as System Center Configuration Manager. + +For more information about implementing Credential Guard, see the following resources: + +- [Protect derived domain credentials with Credential Guard](https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard) +- [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514(v=vs.85).aspx) +- [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337) + +\* *Requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)* + +### Device Guard + +Now that the devices have Windows 10 Enterprise, you can implement Device Guard on the Windows 10 Enterprise devices by performing the following steps: + +1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate (that you purchase) or an internal certificate authority (CA). If you choose to use an internal CA, you will need to create a code signing certificate. + +2. **Create code integrity policies from “golden” computers**. When you have identified departments or roles that use distinctive or partly distinctive sets of hardware and software, you can set up “golden” computers containing that software and hardware. In this respect, creating and managing code integrity policies to align with the needs of roles or departments can be similar to managing corporate images. From each “golden” computer, you can create a code integrity policy and decide how to manage that policy. You can merge code integrity policies to create a broader policy or a master policy, or you can manage and deploy each policy individually. + +3. **Audit the code integrity policy and capture information about applications that are outside the policy**. We recommend that you use “audit mode” to carefully test each code integrity policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed. + +4. **Create a “catalog file” for unsigned line-of-business (LOB) applications**. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. In later steps, you can merge the catalog file's signature into your code integrity policy so that applications in the catalog will be allowed by the policy. + +5. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a code integrity policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy. You can merge code integrity policies from other sources also, for flexibility in how you create your final code integrity policies. + +6. **Deploy code integrity policies and catalog files**. After you confirm that you have completed all the preceding steps, you can begin deploying catalog files and taking code integrity policies out of audit mode. We strongly recommend that you begin this process with a test group of users. This provides a final quality-control validation before you deploy the catalog files and code integrity policies more broadly. + +7. **Enable desired hardware security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies. + +For more information about implementing Device Guard, see: + +- [Planning and getting started on the Device Guard deployment process](https://technet.microsoft.com/itpro/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process) +- [Device Guard deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide) + +### AppLocker management + +You can manage AppLocker in Windows 10 Enterprise by using Group Policy. Group Policy requires that the you have AD DS and that the Windows 10 Enterprise devices are joined to the your AD DS domain. You can create AppLocker rules by using Group Policy, and then target those rules to the appropriate devices. + +For more information about AppLocker management by using Group Policy, see [AppLocker deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-policies-deployment-guide). + +### App-V + +App-V requires an App-V server infrastructure to support App-V clients. The primary App-V components that the you must have are as follows: + +- **App-V server**. The App-V server provides App-V management, virtualized app publishing, app streaming, and reporting services. Each of these services can be run on one server or can be run individually on multiple servers. For example, you could have multiple streaming servers. App-V clients contact App-V servers to determine which apps are published to the user or device, and then run the virtualized app from the server. + +- **App-V sequencer**. The App-V sequencer is a typical client device that is used to sequence (capture) apps and prepare them for hosting from the App-V server. You install apps on the App-V sequencer, and the App-V sequencer software determines the files and registry settings that are changed during app installation. Then the sequencer captures these settings to create a virtualized app. + +- **App-V client**. The App-V client must be enabled on any client device on which apps will be run from the App-V server. These will be the Windows 10 Enterprise E3 devices. + +For more information about implementing the App-V server, App-V sequencer, and App-V client, see the following resources: + +- [Getting Started with App-V for Windows 10](https://technet.microsoft.com/itpro/windows/manage/appv-getting-started) +- [Deploying the App-V server](https://technet.microsoft.com/itpro/windows/manage/appv-deploying-the-appv-server) +- [Deploying the App-V Sequencer and Configuring the Client](https://technet.microsoft.com/itpro/windows/manage/appv-deploying-the-appv-sequencer-and-client) + +### UE-V +UE-V requires server- and client-side components that you you’ll need to download, activate, and install. These components include: + +- **UE-V service**. The UE-V service (when enabled on devices) monitors registered applications and Windows for any settings changes, then synchronizes those settings between devices. + +- **Settings packages**. Settings packages created by the UE-V service store application settings and Windows settings. Settings packages are built, locally stored, and copied to the settings storage location. + +- **Settings storage location**. This location is a standard network share that your users can access. The UE-V service verifies the location and creates a hidden system folder in which to store and retrieve user settings. + +- **Settings location templates**. Settings location templates are XML files that UE-V uses to monitor and synchronize desktop application settings and Windows desktop settings between user computers. By default, some settings location templates are included in UE-V. You can also create, edit, or validate custom settings location templates by using the UE-V template generator. Settings location templates are not required for Windows applications. + +- **Universal Windows applications list**. UE-V determines which Windows applications are enabled for settings synchronization using a managed list of applications. By default, this list includes most Windows applications. + +For more information about deploying UE-V, see the following resources: + +- [User Experience Virtualization (UE-V) for Windows 10 overview](https://technet.microsoft.com/itpro/windows/manage/uev-for-windows) +- [Get Started with UE-V](https://technet.microsoft.com/itpro/windows/manage/uev-getting-started) +- [Prepare a UE-V Deployment](https://technet.microsoft.com/itpro/windows/manage/uev-prepare-for-deployment) + +### Managed User Experience + +The Managed User Experience feature is a set of Windows 10 Enterprise edition features and corresponding settings that you can use to manage user experience. Table 2 describes the Managed User Experience settings (by category), which are only available in Windows 10 Enterprise edition. The management methods used to configure each feature depend on the feature. Some features are configured by using Group Policy, while others are configured by using Windows PowerShell, Deployment Image Servicing and Management (DISM), or other command-line tools. For the Group Policy settings, you must have AD DS with the Windows 10 Enterprise devices joined to your AD DS domain. + +*Table 2. Managed User Experience features* + +| Feature | Description | +|------------------|-----------------| +| Start layout customization | You can deploy a customized Start layout to users in a domain. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
          For more information on these settings, see [Customize Windows 10 Start and taskbar with Group Policy](https://technet.microsoft.com/itpro/windows/manage/customize-windows-10-start-screens-by-using-group-policy). | +| Unbranded boot | You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error from which it cannot recover.
          For more information on these settings, see [Unbranded Boot](https://msdn.microsoft.com/library/windows/hardware/mt571997(v=vs.85).aspx). | +| Custom logon | You can use the Custom Logon feature to suppress Windows 10 UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown.
          For more information on these settings, see [Custom Logon](https://msdn.microsoft.com/library/windows/hardware/mt571990(v=vs.85).aspx). | +| Shell launcher | Enables Assigned Access to run only a classic Windows app via Shell Launcher to replace the shell.
          For more information on these settings, see [Shell Launcher](https://msdn.microsoft.com/library/windows/hardware/mt571994(v=vs.85).aspx). | +| Keyboard filter | You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, users can use certain Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to control a device by locking the screen or using Task Manager to close a running application. This is not desirable on devices intended for a dedicated purpose.
          For more information on these settings, see [Keyboard Filter](https://msdn.microsoft.com/library/windows/hardware/mt587088(v=vs.85).aspx). | +| Unified write filter | You can use Unified Write Filter (UWF) on your device to help protect your physical storage media, including most standard writable storage types that are supported by Windows, such as physical hard disks, solid-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writable volume.
          For more information on these settings, see [Unified Write Filter](https://msdn.microsoft.com/library/windows/hardware/mt572001(v=vs.85).aspx). | + +## Related topics + +[Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md) +
          [Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-devices-group-policy/) +
          [Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare) +
          [Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx) diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md index e7cb52cc30..66d5049d31 100644 --- a/windows/deployment/windows-10-media.md +++ b/windows/deployment/windows-10-media.md @@ -1,94 +1,94 @@ ---- -title: Windows 10 volume license media -description: There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. -keywords: deploy, upgrade, update, software, media -ms.prod: w10 -ms.mktglfcycl: plan -ms.localizationpriority: medium -ms.date: 10/20/2017 -ms.reviewer: -manager: laurawi -ms.author: greg-lindsay -ms.sitesec: library -author: greg-lindsay -ms.topic: article ---- - -# Windows 10 volume license media - - -**Applies to** - -- Windows 10 - -With each release of Windows 10, volume license media is made available on the [Volume Licensing Service Center](https://www.microsoft.com/vlsc) (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. This topic provides a description of volume license media, and describes some of the changes that have been implemented with the current release of Windows 10. - -## Windows 10 media - -To download Windows 10 installation media from the VLSC, use the product search filter to find “Windows 10.”  A list of products will be displayed. The page then allows you to use your search results to download products, view keys, and view product and key descriptions. - -When you select a product, for example “Windows 10 Enterprise” or “Windows 10 Education”, you can then choose the specific release by clicking **Download** and choosing the **Download Method**, **Language**, and **Operating system Type** (bitness). - ->If you do not see a Windows 10 release available in the list of downloads, verify the [release date](https://technet.microsoft.com/windows/release-info.aspx). - -In Windows 10, version 1709 the packaging of volume licensing media and upgrade packages is different than it has been for previous releases. Instead of having separate media and packages for Windows 10 Pro (volume licensing version), Windows 10 Enterprise, and Windows 10 Education, all three are bundled together. The following section explains this change. - -### Windows 10, version 1709 - -Windows 10, version 1709 is available starting on 10/17/2017 in all relevant distribution channels. Note: An updated [Windows ADK for Windows 10](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) is also available. - -For ISOs that you download from the VLSC or Visual Studio Subscriptions, you can still search for the individual Windows editions. However, each of these editions (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education) will point to the same ISO file, so you only need to download the ISO once. A single Windows image (WIM) file is included in the ISO that contains all the volume licensing images: - -![Images](images/table01.png) - -When using the contents of these ISOs with tools such as the Microsoft Deployment Toolkit or System Center Configuration Manager, make sure you select the appropriate image index in any task sequences that you create or update. - -For packages published to Windows Server Update Services (WSUS), you’ll also notice the change because, instead of having separate packages for each Windows edition, there will be just one package: - -
          - -| Title | Classification | Description | -| --- | --- | --- | -| Feature update to Windows 10, version 1709, \ | Upgrades | Package to upgrade Windows 10 Pro (VL), Windows 10 Enterprise, or Windows 10 Education to version 1709 | -| Windows 7 and 8.1 upgrade to Windows 10, version 1709, \ | Upgrades | Package to upgrade Windows 7 Professional (VL), Windows 7 Enterprise, Windows 8.1 Professional (VL), or Windows 8.1 Enterprise to Windows 10 1709 | - -
          - -When you approve one of these packages, it applies to all of the editions. - -This Semi-Annual Channel release of Windows 10 continues the Windows as a service methodology.  For more information about implementing Windows as a service in your organization in order to stay up to date with Windows, see [Update Windows 10 in the enterprise](https://aka.ms/waas). - - -### Language packs - -- **Windows 10 versions 1507 and 1511**: you can select **Windows 10 Enterprise Language Pack**, click **Download** and then select **English** and **64-bit** to see these downloads.  -- **Windows 10 1607 and later**: you must select **Multilanguage** from the drop-down list of languages. - -See the following example for Windows 10, version 1709: - -![Windows 10, version 1709 lang pack](images/lang-pack-1709.png) - -### Features on demand - -[Features on demand](https://blogs.technet.microsoft.com/mniehaus/2015/08/31/adding-features-including-net-3-5-to-windows-10/) can be downloaded by searching for "**Windows 10 Enterprise Features on Demand**" and then following the same download process that is described above. - -Features on demand is a method for adding features to your Windows 10 image that aren’t included in the base operating system image. - - -## Related topics - -[Microsoft Volume Licensing Service Center (VLSC) User Guide](https://www.microsoft.com/en-us/download/details.aspx?id=10585) -
          [Volume Activation for Windows 10](https://docs.microsoft.com/windows/deployment/volume-activation/volume-activation-windows-10) -
          [Plan for volume activation](https://docs.microsoft.com/windows/deployment/volume-activation/plan-for-volume-activation-client) -
          [VLSC downloads FAQ](https://www.microsoft.com/Licensing/servicecenter/Help/FAQDetails.aspx?id=150) -
          [Download and burn an ISO file on the volume licensing site (VLSC)](https://support.microsoft.com/help/2472143/download-and-burn-an-iso-file-on-the-volume-licensing-site-vlsc) - - -  - -  - - - - - +--- +title: Windows 10 volume license media +description: There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. +keywords: deploy, upgrade, update, software, media +ms.prod: w10 +ms.mktglfcycl: plan +ms.localizationpriority: medium +ms.date: 10/20/2017 +ms.reviewer: +manager: laurawi +ms.audience: itpro author: greg-lindsay +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Windows 10 volume license media + + +**Applies to** + +- Windows 10 + +With each release of Windows 10, volume license media is made available on the [Volume Licensing Service Center](https://www.microsoft.com/vlsc) (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. This topic provides a description of volume license media, and describes some of the changes that have been implemented with the current release of Windows 10. + +## Windows 10 media + +To download Windows 10 installation media from the VLSC, use the product search filter to find “Windows 10.”  A list of products will be displayed. The page then allows you to use your search results to download products, view keys, and view product and key descriptions. + +When you select a product, for example “Windows 10 Enterprise” or “Windows 10 Education”, you can then choose the specific release by clicking **Download** and choosing the **Download Method**, **Language**, and **Operating system Type** (bitness). + +>If you do not see a Windows 10 release available in the list of downloads, verify the [release date](https://technet.microsoft.com/windows/release-info.aspx). + +In Windows 10, version 1709 the packaging of volume licensing media and upgrade packages is different than it has been for previous releases. Instead of having separate media and packages for Windows 10 Pro (volume licensing version), Windows 10 Enterprise, and Windows 10 Education, all three are bundled together. The following section explains this change. + +### Windows 10, version 1709 + +Windows 10, version 1709 is available starting on 10/17/2017 in all relevant distribution channels. Note: An updated [Windows ADK for Windows 10](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) is also available. + +For ISOs that you download from the VLSC or Visual Studio Subscriptions, you can still search for the individual Windows editions. However, each of these editions (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education) will point to the same ISO file, so you only need to download the ISO once. A single Windows image (WIM) file is included in the ISO that contains all the volume licensing images: + +![Images](images/table01.png) + +When using the contents of these ISOs with tools such as the Microsoft Deployment Toolkit or System Center Configuration Manager, make sure you select the appropriate image index in any task sequences that you create or update. + +For packages published to Windows Server Update Services (WSUS), you’ll also notice the change because, instead of having separate packages for each Windows edition, there will be just one package: + +
          + +| Title | Classification | Description | +| --- | --- | --- | +| Feature update to Windows 10, version 1709, \ | Upgrades | Package to upgrade Windows 10 Pro (VL), Windows 10 Enterprise, or Windows 10 Education to version 1709 | +| Windows 7 and 8.1 upgrade to Windows 10, version 1709, \ | Upgrades | Package to upgrade Windows 7 Professional (VL), Windows 7 Enterprise, Windows 8.1 Professional (VL), or Windows 8.1 Enterprise to Windows 10 1709 | + +
          + +When you approve one of these packages, it applies to all of the editions. + +This Semi-Annual Channel release of Windows 10 continues the Windows as a service methodology.  For more information about implementing Windows as a service in your organization in order to stay up to date with Windows, see [Update Windows 10 in the enterprise](https://aka.ms/waas). + + +### Language packs + +- **Windows 10 versions 1507 and 1511**: you can select **Windows 10 Enterprise Language Pack**, click **Download** and then select **English** and **64-bit** to see these downloads.  +- **Windows 10 1607 and later**: you must select **Multilanguage** from the drop-down list of languages. + +See the following example for Windows 10, version 1709: + +![Windows 10, version 1709 lang pack](images/lang-pack-1709.png) + +### Features on demand + +[Features on demand](https://blogs.technet.microsoft.com/mniehaus/2015/08/31/adding-features-including-net-3-5-to-windows-10/) can be downloaded by searching for "**Windows 10 Enterprise Features on Demand**" and then following the same download process that is described above. + +Features on demand is a method for adding features to your Windows 10 image that aren’t included in the base operating system image. + + +## Related topics + +[Microsoft Volume Licensing Service Center (VLSC) User Guide](https://www.microsoft.com/en-us/download/details.aspx?id=10585) +
          [Volume Activation for Windows 10](https://docs.microsoft.com/windows/deployment/volume-activation/volume-activation-windows-10) +
          [Plan for volume activation](https://docs.microsoft.com/windows/deployment/volume-activation/plan-for-volume-activation-client) +
          [VLSC downloads FAQ](https://www.microsoft.com/Licensing/servicecenter/Help/FAQDetails.aspx?id=150) +
          [Download and burn an ISO file on the volume licensing site (VLSC)](https://support.microsoft.com/help/2472143/download-and-burn-an-iso-file-on-the-volume-licensing-site-vlsc) + + +  + +  + + + + + diff --git a/windows/deployment/windows-10-missing-fonts.md b/windows/deployment/windows-10-missing-fonts.md index 6844500378..dfa95cf6e1 100644 --- a/windows/deployment/windows-10-missing-fonts.md +++ b/windows/deployment/windows-10-missing-fonts.md @@ -1,103 +1,103 @@ ---- -title: How to install fonts missing after upgrading to Windows 10 -description: Some of the fonts are missing from the system after you upgrade to Windows 10. -keywords: deploy, upgrade, FoD, optional feature -ms.prod: w10 -ms.mktglfcycl: plan -ms.sitesec: library -ms.localizationpriority: medium -author: greg-lindsay -ms.author: greg-lindsay -ms.date: 10/31/2017 -ms.reviewer: -manager: laurawi -ms.topic: article ---- -# How to install fonts that are missing after upgrading to Windows 10 - -> Applies to: Windows 10 - -When you upgrade from the Windows 7, Windows 8, or Windows 8.1 operating system to Windows 10, certain fonts are no longer available by default post-upgrade. To reduce the operating system footprint, improve performance, and optimize disk space usage, we moved many of the fonts that were previously shipped with prior versions of Windows to the optional features of Windows 10. If you install a fresh instance of Windows 10, or upgrade an older version of Windows to Windows 10, these optional features are not enabled by default. As a result, these fonts appear to be missing from the system. - -If you have documents created using the missing fonts, these documents might display differently on Windows 10. - -For example, if you have an English (or French, German, or Spanish) version of Windows 10 installed, you might notice that fonts such as the following are appear to be missing: - -- Gautami -- Meiryo -- Narkism/Batang -- BatangChe -- Dotum -- DotumChe -- Gulim -- GulimChe -- Gungsuh -- GungsuhChe - -If you want to use these fonts, you can enable the optional feature to add these back to your system. Be aware that this is a permanent change in behavior for Windows 10, and it will remain this way in future releases. - -## Installing language-associated features via language settings: - -If you want to use the fonts from the optional feature and you know that you will want to view Web pages, edit documents, or use apps in the language associated with that feature, add that language into your user profile. You do this the Settings app. - -For example, here are the steps to install the fonts associated with the Hebrew language: - -1. Click **Start > Settings**. -2. In Settings, click **Time & language**, and then click **Region & language**. -3. If Hebrew is not included in the list of languages, click the plus sign (**+**) to add a language. -4. Find Hebrew, and then click it to add it to your language list. - -Once you have added Hebrew to your language list, then the optional Hebrew font feature and other optional features for Hebrew language support are installed. This should only take a few minutes. - -> Note: The optional features are installed by Windows Update. This means you need to be online for the Windows Update service to work. - -## Install optional fonts manually without changing language settings: - -If you want to use fonts in an optional feature but don't need to search web pages, edit documents, or use apps in the associated language, you can install the optional font features manually without changing your language settings. - -For example, here are the steps to install the fonts associated with the Hebrew language without adding the Hebrew language itself to your language preferences: - -1. Click **Start > Settings**. -2. In Settings, click **Apps**, click **Apps & features**, and then click **Manage optional features**. - -3. If you don't see **Hebrew Supplemental Fonts** in the list of installed features, click the plus sign (**+**) to add a feature. -4. Select **Hebrew Supplemental Fonts** in the list, and then click **Install**. - -> Note: The optional features are installed by Windows Update. You need to be online for the Windows Update service to work. - -## Fonts included in optional font features - -Here is a comprehensive list of the font families in each of the optional features. Some font families might include multiple fonts for different weights and styles. - -- Arabic Script Supplemental Fonts: Aldhabi, Andalus, Arabic Typesetting, Microsoft Uighur, Sakkal Majalla, Simplified Arabic, Traditional Arabic, Urdu Typesetting -- Bangla Script Supplemental Fonts: Shonar Bangla, Vrinda -- Canadian Aboriginal Syllabics Supplemental Fonts: Euphemia -- Cherokee Supplemental Fonts: Plantagenet Cherokee -- Chinese (Simplified) Supplemental Fonts: DengXian, FangSong, KaiTi, SimHei -- Chinese (Traditional) Supplemental Fonts: DFKai-SB, MingLiU, MingLiU_HKSCS, PMingLiU -- Devanagari Supplemental Fonts: Aparajita, Kokila, Mangal, Sanskrit Text, Utsaah -- Ethiopic Supplemental Fonts: Nyala -- Gujarati Supplemental Fonts: Shruti -- Gurmukhi Supplemental Fonts: Raavi -- Hebrew Supplemental Fonts: Aharoni Bold, David, FrankRuehl, Gisha, Levanim MT, Miriam, Miriam Fixed, Narkism, Rod -- Japanese Supplemental Fonts: Meiryo, Meiryo UI, MS Gothic, MS PGothic, MS UI Gothic, MS Mincho, MS PMincho, Yu Mincho -- Kannada Supplemental Fonts: Tunga -- Khmer Supplemental Fonts: DaunPenh, Khmer UI, MoolBoran -- Korean Supplemental Fonts: Batang, BatangChe, Dotum, DotumChe, Gulim, GulimChe, Gungsuh, GungsuhChe -- Lao Supplemental Fonts: DokChampa, Lao UI -- Malayalam Supplemental Fonts: Karthika -- Odia Supplemental Fonts: Kalinga -- Pan-European Supplemental Fonts: Arial Nova, Georgia Pro, Gill Sans Nova, Neue Haas Grotesk, Rockwell Nova, Verdana Pro -- Sinhala Supplemental Fonts: Iskoola Pota -- Syriac Supplemental Fonts: Estrangelo Edessa -- Tamil Supplemental Fonts: Latha, Vijaya -- Telugu Supplemental Fonts: Gautami, Vani -- Thai Supplemental Fonts: Angsana New, AngsanaUPC, Browallia New, BrowalliaUPC, Cordia New, CordiaUPC, DilleniaUPC, EucrosiaUPC, FreesiaUPC, IrisUPC, JasmineUPC, KodchiangUPC, Leelawadee, LilyUPC - -## Related Topics - -[Download the list of all available language FODs](https://download.microsoft.com/download/0/A/A/0AA4342D-3933-4216-A90D-3BA8392FB1D1/Windows%2010%201703%20FOD%20to%20LP%20Mapping%20Table.xlsx) - -[Features On Demand V2 (Capabilities)](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities#span-idrelatedtopicsspanrelated-topics) - -[Add Language Packs to Windows](/windows-hardware/manufacture/desktop/add-language-packs-to-windows) +--- +title: How to install fonts missing after upgrading to Windows 10 +description: Some of the fonts are missing from the system after you upgrade to Windows 10. +keywords: deploy, upgrade, FoD, optional feature +ms.prod: w10 +ms.mktglfcycl: plan +ms.sitesec: library +ms.localizationpriority: medium +audience: itpro author: greg-lindsay +ms.audience: itpro author: greg-lindsay +ms.date: 10/31/2017 +ms.reviewer: +manager: laurawi +ms.topic: article +--- +# How to install fonts that are missing after upgrading to Windows 10 + +> Applies to: Windows 10 + +When you upgrade from the Windows 7, Windows 8, or Windows 8.1 operating system to Windows 10, certain fonts are no longer available by default post-upgrade. To reduce the operating system footprint, improve performance, and optimize disk space usage, we moved many of the fonts that were previously shipped with prior versions of Windows to the optional features of Windows 10. If you install a fresh instance of Windows 10, or upgrade an older version of Windows to Windows 10, these optional features are not enabled by default. As a result, these fonts appear to be missing from the system. + +If you have documents created using the missing fonts, these documents might display differently on Windows 10. + +For example, if you have an English (or French, German, or Spanish) version of Windows 10 installed, you might notice that fonts such as the following are appear to be missing: + +- Gautami +- Meiryo +- Narkism/Batang +- BatangChe +- Dotum +- DotumChe +- Gulim +- GulimChe +- Gungsuh +- GungsuhChe + +If you want to use these fonts, you can enable the optional feature to add these back to your system. Be aware that this is a permanent change in behavior for Windows 10, and it will remain this way in future releases. + +## Installing language-associated features via language settings: + +If you want to use the fonts from the optional feature and you know that you will want to view Web pages, edit documents, or use apps in the language associated with that feature, add that language into your user profile. You do this the Settings app. + +For example, here are the steps to install the fonts associated with the Hebrew language: + +1. Click **Start > Settings**. +2. In Settings, click **Time & language**, and then click **Region & language**. +3. If Hebrew is not included in the list of languages, click the plus sign (**+**) to add a language. +4. Find Hebrew, and then click it to add it to your language list. + +Once you have added Hebrew to your language list, then the optional Hebrew font feature and other optional features for Hebrew language support are installed. This should only take a few minutes. + +> Note: The optional features are installed by Windows Update. This means you need to be online for the Windows Update service to work. + +## Install optional fonts manually without changing language settings: + +If you want to use fonts in an optional feature but don't need to search web pages, edit documents, or use apps in the associated language, you can install the optional font features manually without changing your language settings. + +For example, here are the steps to install the fonts associated with the Hebrew language without adding the Hebrew language itself to your language preferences: + +1. Click **Start > Settings**. +2. In Settings, click **Apps**, click **Apps & features**, and then click **Manage optional features**. + +3. If you don't see **Hebrew Supplemental Fonts** in the list of installed features, click the plus sign (**+**) to add a feature. +4. Select **Hebrew Supplemental Fonts** in the list, and then click **Install**. + +> Note: The optional features are installed by Windows Update. You need to be online for the Windows Update service to work. + +## Fonts included in optional font features + +Here is a comprehensive list of the font families in each of the optional features. Some font families might include multiple fonts for different weights and styles. + +- Arabic Script Supplemental Fonts: Aldhabi, Andalus, Arabic Typesetting, Microsoft Uighur, Sakkal Majalla, Simplified Arabic, Traditional Arabic, Urdu Typesetting +- Bangla Script Supplemental Fonts: Shonar Bangla, Vrinda +- Canadian Aboriginal Syllabics Supplemental Fonts: Euphemia +- Cherokee Supplemental Fonts: Plantagenet Cherokee +- Chinese (Simplified) Supplemental Fonts: DengXian, FangSong, KaiTi, SimHei +- Chinese (Traditional) Supplemental Fonts: DFKai-SB, MingLiU, MingLiU_HKSCS, PMingLiU +- Devanagari Supplemental Fonts: Aparajita, Kokila, Mangal, Sanskrit Text, Utsaah +- Ethiopic Supplemental Fonts: Nyala +- Gujarati Supplemental Fonts: Shruti +- Gurmukhi Supplemental Fonts: Raavi +- Hebrew Supplemental Fonts: Aharoni Bold, David, FrankRuehl, Gisha, Levanim MT, Miriam, Miriam Fixed, Narkism, Rod +- Japanese Supplemental Fonts: Meiryo, Meiryo UI, MS Gothic, MS PGothic, MS UI Gothic, MS Mincho, MS PMincho, Yu Mincho +- Kannada Supplemental Fonts: Tunga +- Khmer Supplemental Fonts: DaunPenh, Khmer UI, MoolBoran +- Korean Supplemental Fonts: Batang, BatangChe, Dotum, DotumChe, Gulim, GulimChe, Gungsuh, GungsuhChe +- Lao Supplemental Fonts: DokChampa, Lao UI +- Malayalam Supplemental Fonts: Karthika +- Odia Supplemental Fonts: Kalinga +- Pan-European Supplemental Fonts: Arial Nova, Georgia Pro, Gill Sans Nova, Neue Haas Grotesk, Rockwell Nova, Verdana Pro +- Sinhala Supplemental Fonts: Iskoola Pota +- Syriac Supplemental Fonts: Estrangelo Edessa +- Tamil Supplemental Fonts: Latha, Vijaya +- Telugu Supplemental Fonts: Gautami, Vani +- Thai Supplemental Fonts: Angsana New, AngsanaUPC, Browallia New, BrowalliaUPC, Cordia New, CordiaUPC, DilleniaUPC, EucrosiaUPC, FreesiaUPC, IrisUPC, JasmineUPC, KodchiangUPC, Leelawadee, LilyUPC + +## Related Topics + +[Download the list of all available language FODs](https://download.microsoft.com/download/0/A/A/0AA4342D-3933-4216-A90D-3BA8392FB1D1/Windows%2010%201703%20FOD%20to%20LP%20Mapping%20Table.xlsx) + +[Features On Demand V2 (Capabilities)](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities#span-idrelatedtopicsspanrelated-topics) + +[Add Language Packs to Windows](/windows-hardware/manufacture/desktop/add-language-packs-to-windows) diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md index 9a04b8b7af..ddb22cbbbb 100644 --- a/windows/deployment/windows-10-poc-mdt.md +++ b/windows/deployment/windows-10-poc-mdt.md @@ -1,655 +1,655 @@ ---- -title: Step by step - Deploy Windows 10 in a test lab using MDT -description: Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT) -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -keywords: deployment, automate, tools, configure, mdt -ms.localizationpriority: medium -ms.date: 10/11/2017 -ms.reviewer: -manager: laurawi -ms.author: greg-lindsay -author: greg-lindsay -ms.topic: article ---- - - -# Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit - -**Applies to** - -- Windows 10 - -**Important**: This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide: -- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) - -Please complete all steps in the prerequisite guide before starting this guide. This guide requires about 5 hours to complete, but can require less time or more time depending on the speed of the Hyper-V host. After completing the current guide, also see the companion guide: -- [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) - -The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs): -- **DC1**: A contoso.com domain controller, DNS server, and DHCP server. -- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network. -- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been shadow-copied from a physical computer on your corporate network. - ->This guide uses the Hyper-V server role. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work. - -## In this guide - -This guide provides instructions to install and configure the Microsoft Deployment Toolkit (MDT) to deploy a Windows 10 image. - -Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. - -
          - -
          - - -
          TopicDescriptionTime - -
          About MDTA high-level overview of the Microsoft Deployment Toolkit (MDT).Informational -
          Install MDTDownload and install MDT.40 minutes -
          Create a deployment share and reference imageA reference image is created to serve as the template for deploying new images.90 minutes -
          Deploy a Windows 10 image using MDTThe reference image is deployed in the PoC environment.60 minutes -
          Refresh a computer with Windows 10Export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings.60 minutes -
          Replace a computer with Windows 10Back up an existing client computer, then restore this backup to a new computer.60 minutes -
          Troubleshooting logs, events, and utilitiesLog locations and troubleshooting hints.Informational -
          - -
          - -## About MDT - -MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch Installation (ZTI), and User-Driven Installation (UDI) deployment methods. -- LTI is the deployment method used in the current guide, requiring only MDT and performed with a minimum amount of user interaction. -- ZTI is fully automated, requiring no user interaction and is performed using MDT and System Center Configuration Manager. After completing the steps in the current guide, see [Step by step: Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) to use the ZTI deployment method in the PoC environment. -- UDI requires manual intervention to respond to installation prompts such as machine name, password and language settings. UDI requires MDT and System Center Configuration Manager. - -## Install MDT - -1. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt: - - ``` - $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" - Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0 - Stop-Process -Name Explorer - ``` -2. Download and install the 64-bit version of [Microsoft Deployment Toolkit (MDT)](https://www.microsoft.com/en-us/download/details.aspx?id=54259) on SRV1 using the default options. As of the writing of this guide, the latest version of MDT was 8443. - -3. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1703. Installation might require several minutes to acquire all components. - -3. If desired, re-enable IE Enhanced Security Configuration: - - ``` - Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1 - Stop-Process -Name Explorer - ``` - -## Create a deployment share and reference image - -A reference image serves as the foundation for Windows 10 devices in your organization. - -1. In [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md), the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command: - - ``` - Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso - ``` -2. On SRV1, verify that the Windows Enterprise installation DVD is mounted as drive letter D. - -3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**. - -4. To enable quick access to the application, right-click **Deployment Workbench** on the taskbar and then click **Pin this program to the taskbar**. - -5. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. - -6. Use the following settings for the New Deployment Share Wizard: - - Deployment share path: **C:\MDTBuildLab**
          - - Share name: **MDTBuildLab$**
          - - Deployment share description: **MDT build lab**
          - - Options: click **Next** to accept the default
          - - Summary: click **Next**
          - - Progress: settings will be applied
          - - Confirmation: click **Finish** - - -7. Expand the **Deployment Shares** node, and then expand **MDT build lab**. - -8. Right-click the **Operating Systems** node, and then click **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**. - -9. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**. - -10. Use the following settings for the Import Operating System Wizard: - - OS Type: **Full set of source files**
          - - Source: **D:\\**
          - - Destination: **W10Ent_x64**
          - - Summary: click **Next** - - Progress: wait for files to be copied - - Confirmation: click **Finish** - - >For purposes of this test lab, we will only add the prerequisite .NET Framework feature. Commerical applications (ex: Microsoft Office) will not be added to the deployment share. For information about adding applications, see the [Add applications](https://technet.microsoft.com/itpro/windows/deploy/create-a-windows-10-reference-image#sec03) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library. - -11. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - - Task sequence ID: **REFW10X64-001**
          - - Task sequence name: **Windows 10 Enterprise x64 Default Image**
          - - Task sequence comments: **Reference Build**
          - - Template: **Standard Client Task Sequence** - - Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim** - - Specify Product Key: **Do not specify a product key at this time** - - Full Name: **Contoso** - - Organization: **Contoso** - - Internet Explorer home page: **http://www.contoso.com** - - Admin Password: **Do not specify an Administrator password at this time** - - Summary: click **Next** - - Confirmation: click **Finish** - - -12. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step. - -13. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**. - -14. On the Properties tab of the group that was created in the previous step, change the Name from **New Group** to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. Click another location in the window to see the name change. - -15. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**. - -16. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**. - -17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. - - >Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications. - -18. Click **OK** to complete editing the task sequence. - -19. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click **MDT build lab (C:\MDTBuildLab)** and click **Properties**, and then click the **Rules** tab. - -20. Replace the default rules with the following text: - - ``` - [Settings] - Priority=Default - - [Default] - _SMSTSORGNAME=Contoso - UserDataLocation=NONE - DoCapture=YES - OSInstall=Y - AdminPassword=pass@word1 - TimeZoneName=Pacific Standard Time - OSDComputername=#Left("PC-%SerialNumber%",7)# - JoinWorkgroup=WORKGROUP - HideShell=YES - FinishAction=SHUTDOWN - DoNotCreateExtraPartition=YES - ApplyGPOPack=NO - SkipAdminPassword=YES - SkipProductKey=YES - SkipComputerName=YES - SkipDomainMembership=YES - SkipUserData=YES - SkipLocaleSelection=YES - SkipTaskSequence=NO - SkipTimeZone=YES - SkipApplications=YES - SkipBitLocker=YES - SkipSummary=YES - SkipRoles=YES - SkipCapture=NO - SkipFinalSummary=NO - ``` - -21. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: - - ``` - [Settings] - Priority=Default - - [Default] - DeployRoot=\\SRV1\MDTBuildLab$ - UserDomain=CONTOSO - UserID=MDT_BA - UserPassword=pass@word1 - SkipBDDWelcome=YES - ``` - -22. Click **OK** to complete the configuration of the deployment share. - -23. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**. - -24. Accept all default values in the Update Deployment Share Wizard by clicking **Next** twice. The update process will take 5 to 10 minutes. When it has completed, click **Finish**. - -25. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI). - - >Hint: To copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**. - -26. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands: - -
          - 
          -
-    New-VM REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB
-    Set-VMMemory REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20
-    Set-VMDvdDrive REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso
-    Start-VM REFW10X64-001
-    vmconnect localhost REFW10X64-001
-
          -
          - - The VM will require a few minutes to prepare devices and boot from the LiteTouchPE_x86.iso file. - -27. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**. - -28. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes, and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated. - - Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures: - - - Install the Windows 10 Enterprise operating system. - - Install added applications, roles, and features. - - Update the operating system using Windows Update (or WSUS if optionally specified). - - Stage Windows PE on the local disk. - - Run System Preparation (Sysprep) and reboot into Windows PE. - - Capture the installation to a Windows Imaging (WIM) file. - - Turn off the virtual machine.

          - - This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on your deployment server (SRV1). The file name is **REFW10X64-001.wim**. - -## Deploy a Windows 10 image using MDT - -This procedure will demonstrate how to deploy the reference image to the PoC environment using MDT. - -1. On SRV1, open the MDT Deployment Workbench console, right-click **Deployment Shares**, and then click **New Deployment Share**. Use the following values in the New Deployment Share Wizard: - - **Deployment share path**: C:\MDTProd - - **Share name**: MDTProd$ - - **Deployment share description**: MDT Production - - **Options**: accept the default - - -2. Click **Next**, verify the new deployment share was added successfully, then click **Finish**. - -3. In the Deployment Workbench console, expand the MDT Production deployment share, right-click **Operating Systems**, and then click **New Folder**. Name the new folder **Windows 10** and complete the wizard using default values. - -4. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**. - -5. On the **OS Type** page, choose **Custom image file** and then click **Next**. - -6. On the Image page, browse to the **C:\MDTBuildLab\Captures\REFW10X64-001.wim** file created in the previous procedure, click **Open**, and then click **Next**. - -7. On the Setup page, select **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path**. - -8. Under **Setup source directory**, browse to **C:\MDTBuildLab\Operating Systems\W10Ent_x64** click **OK** and then click **Next**. - -9. On the Destination page, accept the default Destination directory name of **REFW10X64-001**, click **Next** twice, wait for the import process to complete, and then click **Finish**. - -10. In the **Operating Systems** > **Windows 10** node, double-click the operating system that was added to view its properties. Change the operating system name to **Windows 10 Enterprise x64 Custom Image** and then click **OK**. See the following example: - - ![custom image](images/image.png) - - -### Create the deployment task sequence - -1. Using the Deployment Workbench, right-click **Task Sequences** under the **MDT Production** node, click **New Folder** and create a folder with the name: **Windows 10**. - -2. Right-click the **Windows 10** folder created in the previous step, and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - - Task sequence ID: W10-X64-001 - - Task sequence name: Windows 10 Enterprise x64 Custom Image - - Task sequence comments: Production Image - - Select Template: Standard Client Task Sequence - - Select OS: Windows 10 Enterprise x64 Custom Image - - Specify Product Key: Do not specify a product key at this time - - Full Name: Contoso - - Organization: Contoso - - Internet Explorer home page: http://www.contoso.com - - Admin Password: pass@word1 - -### Configure the MDT production deployment share - -1. On SRV1, open an elevated Windows PowerShell prompt and type the following commands: - - ``` - copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\Bootstrap.ini" C:\MDTProd\Control\Bootstrap.ini -Force - copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\CustomSettings.ini" C:\MDTProd\Control\CustomSettings.ini -Force - ``` -2. In the Deployment Workbench console on SRV1, right-click the **MDT Production** deployment share and then click **Properties**. - -3. Click the **Rules** tab and replace the rules with the following text (don't click OK yet): - - ``` - [Settings] - Priority=Default - - [Default] - _SMSTSORGNAME=Contoso - OSInstall=YES - UserDataLocation=AUTO - TimeZoneName=Pacific Standard Time - OSDComputername=#Left("PC-%SerialNumber%",7)# - AdminPassword=pass@word1 - JoinDomain=contoso.com - DomainAdmin=administrator - DomainAdminDomain=CONTOSO - DomainAdminPassword=pass@word1 - ScanStateArgs=/ue:*\* /ui:CONTOSO\* - USMTMigFiles001=MigApp.xml - USMTMigFiles002=MigUser.xml - HideShell=YES - ApplyGPOPack=NO - SkipAppsOnUpgrade=NO - SkipAdminPassword=YES - SkipProductKey=YES - SkipComputerName=YES - SkipDomainMembership=YES - SkipUserData=YES - SkipLocaleSelection=YES - SkipTaskSequence=NO - SkipTimeZone=YES - SkipApplications=NO - SkipBitLocker=YES - SkipSummary=YES - SkipCapture=YES - SkipFinalSummary=NO - EventService=http://SRV1:9800 - ``` - **Note**: The contents of the Rules tab are added to c:\MDTProd\Control\CustomSettings.ini. - - >In this example a **MachineObjectOU** entry is not provided. Normally this entry describes the specific OU where new client computer objects are created in Active Directory. However, for the purposes of this test lab clients are added to the default computers OU, which requires that this parameter be unspecified. - - If desired, edit the follow line to include or exclude other users when migrating settings. Currently, the command is set to user exclude (ue) all users except for CONTOSO users specified by the user include option (ui): - - ``` - ScanStateArgs=/ue:*\* /ui:CONTOSO\* - ``` - - For example, to migrate **all** users on the computer, replace this line with the following: - - ``` - ScanStateArgs=/all - ``` - - For more information, see [ScanState Syntax](https://technet.microsoft.com/library/cc749015.aspx). - -4. Click **Edit Bootstap.ini** and replace text in the file with the following text: - - ``` - [Settings] - Priority=Default - - [Default] - DeployRoot=\\SRV1\MDTProd$ - UserDomain=CONTOSO - UserID=MDT_BA - UserPassword=pass@word1 - SkipBDDWelcome=YES - ``` -5. Click **OK** when finished. - -### Update the deployment share - -1. Right-click the **MDT Production** deployment share and then click **Update Deployment Share**. - -2. Use the default options for the Update Deployment Share Wizard. The update process requires 5 to 10 minutes to complete. - -3. Click **Finish** when the update is complete. - -### Enable deployment monitoring - -1. In the Deployment Workbench console, right-click **MDT Production** and then click **Properties**. - -2. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**. - -3. Verify the monitoring service is working as expected by opening the following link on SRV1 in Internet Explorer: [http://localhost:9800/MDTMonitorEvent/](http://localhost:9800/MDTMonitorEvent/). If you do not see "**You have created a service**" at the top of the page, see [Troubleshooting MDT 2012 Monitoring](https://blogs.technet.microsoft.com/mniehaus/2012/05/10/troubleshooting-mdt-2012-monitoring/). - -4. Close Internet Explorer. - -### Configure Windows Deployment Services - -1. Initialize Windows Deployment Services (WDS) by typing the following command at an elevated Windows PowerShell prompt on SRV1: - - ``` - WDSUTIL /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall" - WDSUTIL /Set-Server /AnswerClients:All - ``` - -2. Click **Start**, type **Windows Deployment**, and then click **Windows Deployment Services**. - -3. In the Windows Deployment Services console, expand **Servers**, expand **SRV1.contoso.com**, right-click **Boot Images**, and then click **Add Boot Image**. - -4. Browse to the **C:\MDTProd\Boot\LiteTouchPE_x64.wim** file, click **Open**, click **Next**, and accept the defaults in the Add Image Wizard. Click **Finish** to complete adding a boot image. - -### Deploy the client image - -1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This is just an artifact of the lab environment. In a typical deployment environment WDS would not be installed on the default gateway. - - >**Note**: Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, type **Get-NetIPAddress | ft interfacealias, ipaddress** - - Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and type the following command: - - ``` - Disable-NetAdapter "Ethernet 2" -Confirm:$false - ``` - - >Wait until the disable-netadapter command completes before proceeding. - - -2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, type the following commands at an elevated Windows PowerShell prompt: - - ``` - New-VM –Name "PC2" –NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 - Set-VMMemory -VMName "PC2" -DynamicMemoryEnabled $true -MinimumBytes 720MB -MaximumBytes 2048MB -Buffer 20 - ``` - - >Dynamic memory is configured on the VM to conserve resources. However, this can cause memory allocation to be reduced past what is required to install an operating system. If this happens, reset the VM and begin the OS installation task sequence immediately. This ensures the VM memory allocation is not decreased too much while it is idle. - -3. Start the new VM and connect to it: - - ``` - Start-VM PC2 - vmconnect localhost PC2 - ``` -4. When prompted, hit ENTER to start the network boot process. - -5. In the Windows Deployment Wizard, choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**. - -6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. This is needed so the client can use Windows Update after operating system installation is complete.To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and type the following command: - - ``` - Enable-NetAdapter "Ethernet 2" - ``` -7. On SRV1, in the Deployment Workbench console, click on **Monitoring** and view the status of installation. Right-click **Monitoring** and click **Refresh** if no data is displayed. -8. OS installation requires about 10 minutes. When the installation is complete, the system will reboot automatically, configure devices, and install updates, requiring another 10-20 minutes. When the new client computer is finished updating, click **Finish**. You will be automatically signed in to the local computer as administrator. - - ![finish](images/deploy-finish.png) - - -This completes the demonstration of how to deploy a reference image to the network. To conserve resources, turn off the PC2 VM before starting the next section. - -## Refresh a computer with Windows 10 - -This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md). - -1. If the PC1 VM is not already running, then start and connect to it: - - ``` - Start-VM PC1 - vmconnect localhost PC1 - ``` - -2. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and to perform additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - Checkpoint-VM -Name PC1 -SnapshotName BeginState - ``` - -3. Sign on to PC1 using the CONTOSO\Administrator account. - - >Specify **contoso\administrator** as the user name to ensure you do not sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share. - -4. Open an elevated command prompt on PC1 and type the following: - - ``` - cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs - ``` - - **Note**: Litetouch.vbs must be able to create the C:\MININT directory on the local computer. - -5. Choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**. - -6. Choose **Do not back up the existing computer** and click **Next**. - - **Note**: The USMT will still back up the computer. - -7. Lite Touch Installation will perform the following actions: - - Back up user settings and data using USMT. - - Install the Windows 10 Enterprise X64 operating system. - - Update the operating system via Windows Update. - - Restore user settings and data using USMT. - - You can review the progress of installation on SRV1 by clicking on the **Monitoring** node in the deployment workbench. When OS installation is complete, the computer will restart, set up devices, and configure settings. - -8. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system, or other user accounts as specified [previously](#configure-the-mdt-production-deployment-share). - -9. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - Checkpoint-VM -Name PC1 -SnapshotName RefreshState - ``` - -10. Restore the PC1 VM to it's previous state in preparation for the replace procedure. To restore a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - Restore-VMSnapshot -VMName PC1 -Name BeginState -Confirm:$false - Start-VM PC1 - vmconnect localhost PC1 - ``` - -11. Sign in to PC1 using the contoso\administrator account. - -## Replace a computer with Windows 10 - -At a high level, the computer replace process consists of:
          -- A special replace task sequence that runs the USMT backup and an optional full Window Imaging (WIM) backup.
          -- A standard OS deployment on a new computer. At the end of the deployment, the USMT backup from the old computer is restored. - -### Create a backup-only task sequence - -1. On SRV1, in the deployment workbench console, right-click the MDT Production deployment share, click **Properties**, click the **Rules** tab, and change the line **SkipUserData=YES** to **SkipUserData=NO**. -2. Click **OK**, right-click **MDT Production**, click **Update Deployment Share** and accept the default options in the wizard to update the share. -3. Type the following commands at an elevated Windows PowerShell prompt on SRV1: - - ``` - New-Item -Path C:\MigData -ItemType directory - New-SmbShare -Name MigData$ -Path C:\MigData -ChangeAccess EVERYONE - icacls C:\MigData /grant '"contoso\administrator":(OI)(CI)(M)' - ``` -4. On SRV1 in the deployment workbench, under **MDT Production**, right-click the **Task Sequences** node, and click **New Folder**. -5. Name the new folder **Other**, and complete the wizard using default options. -6. Right-click the **Other** folder and then click **New Task Sequence**. Use the following values in the wizard: - - **Task sequence ID**: REPLACE-001 - - **Task sequence name**: Backup Only Task Sequence - - **Task sequence comments**: Run USMT to back up user data and settings - - **Template**: Standard Client Replace Task Sequence (note: this is not the default template) -7. Accept defaults for the rest of the wizard and then click **Finish**. The replace task sequence will skip OS selection and settings. -8. Open the new task sequence that was created and review it. Note the type of capture and backup tasks that are present. Click **OK** when you are finished reviewing the task sequence. - -### Run the backup-only task sequence - -1. If you are not already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, type the following command at an elevated command prompt: - - ``` - whoami - ``` -2. To ensure a clean environment before running the backup task sequence, type the following at an elevated Windows PowerShell prompt on PC1: - - ``` - Remove-Item c:\minint -recurse - Remove-Item c:\_SMSTaskSequence -recurse - Restart-Computer - ``` -3. Sign in to PC1 using the contoso\administrator account, and then type the following at an elevated command prompt: - - ``` - cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs - ``` -4. Complete the deployment wizard using the following: - - **Task Sequence**: Backup Only Task Sequence - - **User Data**: Specify a location: **\\\\SRV1\MigData$\PC1** - - **Computer Backup**: Do not back up the existing computer. -5. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and click the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks. -6. On PC1, verify that **The user state capture was completed successfully** is displayed, and click **Finish** when the capture is complete. -7. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example: - - ``` - PS C:\> dir C:\MigData\PC1\USMT - - Directory: C:\MigData\PC1\USMT - - Mode LastWriteTime Length Name - ---- ------------- ------ ---- - -a--- 9/6/2016 11:34 AM 14248685 USMT.MIG - ``` - ### Deploy PC3 - -8. On the Hyper-V host, type the following commands at an elevated Windows PowerShell prompt: - - ``` - New-VM –Name "PC3" –NewVHDPath "c:\vhd\pc3.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 - Set-VMMemory -VMName "PC3" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20 - ``` -9. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, type the following command at an elevated Windows PowerShell prompt on SRV1: - - ``` - Disable-NetAdapter "Ethernet 2" -Confirm:$false - ``` - - >As mentioned previously, ensure that you disable the **external** network adapter, and wait for the command to complete before proceeding. - - -10. Start and connect to PC3 by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - Start-VM PC3 - vmconnect localhost PC3 - ``` - -11. When prompted, press ENTER for network boot. - -12. On PC3, use the following settings for the Windows Deployment Wizard: - - **Task Sequence**: Windows 10 Enterprise x64 Custom Image - - **Move Data and Settings**: Do not move user data and settings - - **User Data (Restore)**: Specify a location: **\\\\SRV1\MigData$\PC1** - -13. When OS installation has started on PC1, re-enable the external network adapter on SRV1 by typing the following command on SRV1: - - ``` - Enable-NetAdapter "Ethernet 2" - ``` -14. Setup will install the Windows 10 Enterprise operating system, update via Windows Update, and restore the user settings and data from PC1. - -15. When PC3 has completed installing the OS, sign in to PC3 using the contoso\administrator account. When the PC completes updating, click **Finish**. - -16. Verify that settings have been migrated from PC1. This completes demonstration of the replace procedure. - -17. Shut down PC3 in preparation for the [next](windows-10-poc-sc-config-mgr.md) procedure. - -## Troubleshooting logs, events, and utilities - -Deployment logs are available on the client computer in the following locations: -- Before the image is applied: X:\MININT\SMSOSD\OSDLOGS -- After the system drive has been formatted: C:\MININT\SMSOSD\OSDLOGS -- After deployment: %WINDIR%\TEMP\DeploymentLogs - -You can review WDS events in Event Viewer at: **Applications and Services Logs > Microsoft > Windows > Deployment-Services-Diagnostics**. By default, only the **Admin** and **Operational** logs are enabled. To enable other logs, right-click the log and then click **Enable Log**. - -Tools for viewing log files, and to assist with troubleshooting are available in the [System Center 2012 R2 Configuration Manager Toolkit](https://www.microsoft.com/en-us/download/details.aspx?id=50012) - -Also see [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) for detailed troubleshooting information. - -## Related Topics - -[Microsoft Deployment Toolkit](https://technet.microsoft.com/windows/dn475741)
          -[Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) - - - - - - - +--- +title: Step by step - Deploy Windows 10 in a test lab using MDT +description: Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT) +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +keywords: deployment, automate, tools, configure, mdt +ms.localizationpriority: medium +ms.date: 10/11/2017 +ms.reviewer: +manager: laurawi +ms.audience: itpro author: greg-lindsay +audience: itpro author: greg-lindsay +ms.topic: article +--- + + +# Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit + +**Applies to** + +- Windows 10 + +**Important**: This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide: +- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) + +Please complete all steps in the prerequisite guide before starting this guide. This guide requires about 5 hours to complete, but can require less time or more time depending on the speed of the Hyper-V host. After completing the current guide, also see the companion guide: +- [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) + +The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs): +- **DC1**: A contoso.com domain controller, DNS server, and DHCP server. +- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network. +- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been shadow-copied from a physical computer on your corporate network. + +>This guide uses the Hyper-V server role. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work. + +## In this guide + +This guide provides instructions to install and configure the Microsoft Deployment Toolkit (MDT) to deploy a Windows 10 image. + +Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. + +
          + +
          + + +
          TopicDescriptionTime + +
          About MDTA high-level overview of the Microsoft Deployment Toolkit (MDT).Informational +
          Install MDTDownload and install MDT.40 minutes +
          Create a deployment share and reference imageA reference image is created to serve as the template for deploying new images.90 minutes +
          Deploy a Windows 10 image using MDTThe reference image is deployed in the PoC environment.60 minutes +
          Refresh a computer with Windows 10Export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings.60 minutes +
          Replace a computer with Windows 10Back up an existing client computer, then restore this backup to a new computer.60 minutes +
          Troubleshooting logs, events, and utilitiesLog locations and troubleshooting hints.Informational +
          + +
          + +## About MDT + +MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch Installation (ZTI), and User-Driven Installation (UDI) deployment methods. +- LTI is the deployment method used in the current guide, requiring only MDT and performed with a minimum amount of user interaction. +- ZTI is fully automated, requiring no user interaction and is performed using MDT and System Center Configuration Manager. After completing the steps in the current guide, see [Step by step: Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) to use the ZTI deployment method in the PoC environment. +- UDI requires manual intervention to respond to installation prompts such as machine name, password and language settings. UDI requires MDT and System Center Configuration Manager. + +## Install MDT + +1. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt: + + ``` + $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" + Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0 + Stop-Process -Name Explorer + ``` +2. Download and install the 64-bit version of [Microsoft Deployment Toolkit (MDT)](https://www.microsoft.com/en-us/download/details.aspx?id=54259) on SRV1 using the default options. As of the writing of this guide, the latest version of MDT was 8443. + +3. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1703. Installation might require several minutes to acquire all components. + +3. If desired, re-enable IE Enhanced Security Configuration: + + ``` + Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1 + Stop-Process -Name Explorer + ``` + +## Create a deployment share and reference image + +A reference image serves as the foundation for Windows 10 devices in your organization. + +1. In [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md), the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command: + + ``` + Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso + ``` +2. On SRV1, verify that the Windows Enterprise installation DVD is mounted as drive letter D. + +3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**. + +4. To enable quick access to the application, right-click **Deployment Workbench** on the taskbar and then click **Pin this program to the taskbar**. + +5. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. + +6. Use the following settings for the New Deployment Share Wizard: + - Deployment share path: **C:\MDTBuildLab**
          + - Share name: **MDTBuildLab$**
          + - Deployment share description: **MDT build lab**
          + - Options: click **Next** to accept the default
          + - Summary: click **Next**
          + - Progress: settings will be applied
          + - Confirmation: click **Finish** + + +7. Expand the **Deployment Shares** node, and then expand **MDT build lab**. + +8. Right-click the **Operating Systems** node, and then click **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**. + +9. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**. + +10. Use the following settings for the Import Operating System Wizard: + - OS Type: **Full set of source files**
          + - Source: **D:\\**
          + - Destination: **W10Ent_x64**
          + - Summary: click **Next** + - Progress: wait for files to be copied + - Confirmation: click **Finish** + + >For purposes of this test lab, we will only add the prerequisite .NET Framework feature. Commerical applications (ex: Microsoft Office) will not be added to the deployment share. For information about adding applications, see the [Add applications](https://technet.microsoft.com/itpro/windows/deploy/create-a-windows-10-reference-image#sec03) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library. + +11. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: **REFW10X64-001**
          + - Task sequence name: **Windows 10 Enterprise x64 Default Image**
          + - Task sequence comments: **Reference Build**
          + - Template: **Standard Client Task Sequence** + - Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim** + - Specify Product Key: **Do not specify a product key at this time** + - Full Name: **Contoso** + - Organization: **Contoso** + - Internet Explorer home page: **http://www.contoso.com** + - Admin Password: **Do not specify an Administrator password at this time** + - Summary: click **Next** + - Confirmation: click **Finish** + + +12. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step. + +13. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**. + +14. On the Properties tab of the group that was created in the previous step, change the Name from **New Group** to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. Click another location in the window to see the name change. + +15. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**. + +16. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**. + +17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. + + >Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications. + +18. Click **OK** to complete editing the task sequence. + +19. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click **MDT build lab (C:\MDTBuildLab)** and click **Properties**, and then click the **Rules** tab. + +20. Replace the default rules with the following text: + + ``` + [Settings] + Priority=Default + + [Default] + _SMSTSORGNAME=Contoso + UserDataLocation=NONE + DoCapture=YES + OSInstall=Y + AdminPassword=pass@word1 + TimeZoneName=Pacific Standard Time + OSDComputername=#Left("PC-%SerialNumber%",7)# + JoinWorkgroup=WORKGROUP + HideShell=YES + FinishAction=SHUTDOWN + DoNotCreateExtraPartition=YES + ApplyGPOPack=NO + SkipAdminPassword=YES + SkipProductKey=YES + SkipComputerName=YES + SkipDomainMembership=YES + SkipUserData=YES + SkipLocaleSelection=YES + SkipTaskSequence=NO + SkipTimeZone=YES + SkipApplications=YES + SkipBitLocker=YES + SkipSummary=YES + SkipRoles=YES + SkipCapture=NO + SkipFinalSummary=NO + ``` + +21. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: + + ``` + [Settings] + Priority=Default + + [Default] + DeployRoot=\\SRV1\MDTBuildLab$ + UserDomain=CONTOSO + UserID=MDT_BA + UserPassword=pass@word1 + SkipBDDWelcome=YES + ``` + +22. Click **OK** to complete the configuration of the deployment share. + +23. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**. + +24. Accept all default values in the Update Deployment Share Wizard by clicking **Next** twice. The update process will take 5 to 10 minutes. When it has completed, click **Finish**. + +25. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI). + + >Hint: To copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**. + +26. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands: + +
          + 
          +
+    New-VM REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB
+    Set-VMMemory REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20
+    Set-VMDvdDrive REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso
+    Start-VM REFW10X64-001
+    vmconnect localhost REFW10X64-001
+
          +
          + + The VM will require a few minutes to prepare devices and boot from the LiteTouchPE_x86.iso file. + +27. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**. + +28. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes, and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated. + + Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures: + + - Install the Windows 10 Enterprise operating system. + - Install added applications, roles, and features. + - Update the operating system using Windows Update (or WSUS if optionally specified). + - Stage Windows PE on the local disk. + - Run System Preparation (Sysprep) and reboot into Windows PE. + - Capture the installation to a Windows Imaging (WIM) file. + - Turn off the virtual machine.

          + + This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on your deployment server (SRV1). The file name is **REFW10X64-001.wim**. + +## Deploy a Windows 10 image using MDT + +This procedure will demonstrate how to deploy the reference image to the PoC environment using MDT. + +1. On SRV1, open the MDT Deployment Workbench console, right-click **Deployment Shares**, and then click **New Deployment Share**. Use the following values in the New Deployment Share Wizard: + - **Deployment share path**: C:\MDTProd + - **Share name**: MDTProd$ + - **Deployment share description**: MDT Production + - **Options**: accept the default + + +2. Click **Next**, verify the new deployment share was added successfully, then click **Finish**. + +3. In the Deployment Workbench console, expand the MDT Production deployment share, right-click **Operating Systems**, and then click **New Folder**. Name the new folder **Windows 10** and complete the wizard using default values. + +4. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**. + +5. On the **OS Type** page, choose **Custom image file** and then click **Next**. + +6. On the Image page, browse to the **C:\MDTBuildLab\Captures\REFW10X64-001.wim** file created in the previous procedure, click **Open**, and then click **Next**. + +7. On the Setup page, select **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path**. + +8. Under **Setup source directory**, browse to **C:\MDTBuildLab\Operating Systems\W10Ent_x64** click **OK** and then click **Next**. + +9. On the Destination page, accept the default Destination directory name of **REFW10X64-001**, click **Next** twice, wait for the import process to complete, and then click **Finish**. + +10. In the **Operating Systems** > **Windows 10** node, double-click the operating system that was added to view its properties. Change the operating system name to **Windows 10 Enterprise x64 Custom Image** and then click **OK**. See the following example: + + ![custom image](images/image.png) + + +### Create the deployment task sequence + +1. Using the Deployment Workbench, right-click **Task Sequences** under the **MDT Production** node, click **New Folder** and create a folder with the name: **Windows 10**. + +2. Right-click the **Windows 10** folder created in the previous step, and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: W10-X64-001 + - Task sequence name: Windows 10 Enterprise x64 Custom Image + - Task sequence comments: Production Image + - Select Template: Standard Client Task Sequence + - Select OS: Windows 10 Enterprise x64 Custom Image + - Specify Product Key: Do not specify a product key at this time + - Full Name: Contoso + - Organization: Contoso + - Internet Explorer home page: http://www.contoso.com + - Admin Password: pass@word1 + +### Configure the MDT production deployment share + +1. On SRV1, open an elevated Windows PowerShell prompt and type the following commands: + + ``` + copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\Bootstrap.ini" C:\MDTProd\Control\Bootstrap.ini -Force + copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\CustomSettings.ini" C:\MDTProd\Control\CustomSettings.ini -Force + ``` +2. In the Deployment Workbench console on SRV1, right-click the **MDT Production** deployment share and then click **Properties**. + +3. Click the **Rules** tab and replace the rules with the following text (don't click OK yet): + + ``` + [Settings] + Priority=Default + + [Default] + _SMSTSORGNAME=Contoso + OSInstall=YES + UserDataLocation=AUTO + TimeZoneName=Pacific Standard Time + OSDComputername=#Left("PC-%SerialNumber%",7)# + AdminPassword=pass@word1 + JoinDomain=contoso.com + DomainAdmin=administrator + DomainAdminDomain=CONTOSO + DomainAdminPassword=pass@word1 + ScanStateArgs=/ue:*\* /ui:CONTOSO\* + USMTMigFiles001=MigApp.xml + USMTMigFiles002=MigUser.xml + HideShell=YES + ApplyGPOPack=NO + SkipAppsOnUpgrade=NO + SkipAdminPassword=YES + SkipProductKey=YES + SkipComputerName=YES + SkipDomainMembership=YES + SkipUserData=YES + SkipLocaleSelection=YES + SkipTaskSequence=NO + SkipTimeZone=YES + SkipApplications=NO + SkipBitLocker=YES + SkipSummary=YES + SkipCapture=YES + SkipFinalSummary=NO + EventService=http://SRV1:9800 + ``` + **Note**: The contents of the Rules tab are added to c:\MDTProd\Control\CustomSettings.ini. + + >In this example a **MachineObjectOU** entry is not provided. Normally this entry describes the specific OU where new client computer objects are created in Active Directory. However, for the purposes of this test lab clients are added to the default computers OU, which requires that this parameter be unspecified. + + If desired, edit the follow line to include or exclude other users when migrating settings. Currently, the command is set to user exclude (ue) all users except for CONTOSO users specified by the user include option (ui): + + ``` + ScanStateArgs=/ue:*\* /ui:CONTOSO\* + ``` + + For example, to migrate **all** users on the computer, replace this line with the following: + + ``` + ScanStateArgs=/all + ``` + + For more information, see [ScanState Syntax](https://technet.microsoft.com/library/cc749015.aspx). + +4. Click **Edit Bootstap.ini** and replace text in the file with the following text: + + ``` + [Settings] + Priority=Default + + [Default] + DeployRoot=\\SRV1\MDTProd$ + UserDomain=CONTOSO + UserID=MDT_BA + UserPassword=pass@word1 + SkipBDDWelcome=YES + ``` +5. Click **OK** when finished. + +### Update the deployment share + +1. Right-click the **MDT Production** deployment share and then click **Update Deployment Share**. + +2. Use the default options for the Update Deployment Share Wizard. The update process requires 5 to 10 minutes to complete. + +3. Click **Finish** when the update is complete. + +### Enable deployment monitoring + +1. In the Deployment Workbench console, right-click **MDT Production** and then click **Properties**. + +2. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**. + +3. Verify the monitoring service is working as expected by opening the following link on SRV1 in Internet Explorer: [http://localhost:9800/MDTMonitorEvent/](http://localhost:9800/MDTMonitorEvent/). If you do not see "**You have created a service**" at the top of the page, see [Troubleshooting MDT 2012 Monitoring](https://blogs.technet.microsoft.com/mniehaus/2012/05/10/troubleshooting-mdt-2012-monitoring/). + +4. Close Internet Explorer. + +### Configure Windows Deployment Services + +1. Initialize Windows Deployment Services (WDS) by typing the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + WDSUTIL /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall" + WDSUTIL /Set-Server /AnswerClients:All + ``` + +2. Click **Start**, type **Windows Deployment**, and then click **Windows Deployment Services**. + +3. In the Windows Deployment Services console, expand **Servers**, expand **SRV1.contoso.com**, right-click **Boot Images**, and then click **Add Boot Image**. + +4. Browse to the **C:\MDTProd\Boot\LiteTouchPE_x64.wim** file, click **Open**, click **Next**, and accept the defaults in the Add Image Wizard. Click **Finish** to complete adding a boot image. + +### Deploy the client image + +1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This is just an artifact of the lab environment. In a typical deployment environment WDS would not be installed on the default gateway. + + >**Note**: Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, type **Get-NetIPAddress | ft interfacealias, ipaddress** + + Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and type the following command: + + ``` + Disable-NetAdapter "Ethernet 2" -Confirm:$false + ``` + + >Wait until the disable-netadapter command completes before proceeding. + + +2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, type the following commands at an elevated Windows PowerShell prompt: + + ``` + New-VM –Name "PC2" –NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 + Set-VMMemory -VMName "PC2" -DynamicMemoryEnabled $true -MinimumBytes 720MB -MaximumBytes 2048MB -Buffer 20 + ``` + + >Dynamic memory is configured on the VM to conserve resources. However, this can cause memory allocation to be reduced past what is required to install an operating system. If this happens, reset the VM and begin the OS installation task sequence immediately. This ensures the VM memory allocation is not decreased too much while it is idle. + +3. Start the new VM and connect to it: + + ``` + Start-VM PC2 + vmconnect localhost PC2 + ``` +4. When prompted, hit ENTER to start the network boot process. + +5. In the Windows Deployment Wizard, choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**. + +6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. This is needed so the client can use Windows Update after operating system installation is complete.To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and type the following command: + + ``` + Enable-NetAdapter "Ethernet 2" + ``` +7. On SRV1, in the Deployment Workbench console, click on **Monitoring** and view the status of installation. Right-click **Monitoring** and click **Refresh** if no data is displayed. +8. OS installation requires about 10 minutes. When the installation is complete, the system will reboot automatically, configure devices, and install updates, requiring another 10-20 minutes. When the new client computer is finished updating, click **Finish**. You will be automatically signed in to the local computer as administrator. + + ![finish](images/deploy-finish.png) + + +This completes the demonstration of how to deploy a reference image to the network. To conserve resources, turn off the PC2 VM before starting the next section. + +## Refresh a computer with Windows 10 + +This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md). + +1. If the PC1 VM is not already running, then start and connect to it: + + ``` + Start-VM PC1 + vmconnect localhost PC1 + ``` + +2. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and to perform additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Checkpoint-VM -Name PC1 -SnapshotName BeginState + ``` + +3. Sign on to PC1 using the CONTOSO\Administrator account. + + >Specify **contoso\administrator** as the user name to ensure you do not sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share. + +4. Open an elevated command prompt on PC1 and type the following: + + ``` + cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs + ``` + + **Note**: Litetouch.vbs must be able to create the C:\MININT directory on the local computer. + +5. Choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**. + +6. Choose **Do not back up the existing computer** and click **Next**. + + **Note**: The USMT will still back up the computer. + +7. Lite Touch Installation will perform the following actions: + - Back up user settings and data using USMT. + - Install the Windows 10 Enterprise X64 operating system. + - Update the operating system via Windows Update. + - Restore user settings and data using USMT. + + You can review the progress of installation on SRV1 by clicking on the **Monitoring** node in the deployment workbench. When OS installation is complete, the computer will restart, set up devices, and configure settings. + +8. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system, or other user accounts as specified [previously](#configure-the-mdt-production-deployment-share). + +9. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Checkpoint-VM -Name PC1 -SnapshotName RefreshState + ``` + +10. Restore the PC1 VM to it's previous state in preparation for the replace procedure. To restore a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Restore-VMSnapshot -VMName PC1 -Name BeginState -Confirm:$false + Start-VM PC1 + vmconnect localhost PC1 + ``` + +11. Sign in to PC1 using the contoso\administrator account. + +## Replace a computer with Windows 10 + +At a high level, the computer replace process consists of:
          +- A special replace task sequence that runs the USMT backup and an optional full Window Imaging (WIM) backup.
          +- A standard OS deployment on a new computer. At the end of the deployment, the USMT backup from the old computer is restored. + +### Create a backup-only task sequence + +1. On SRV1, in the deployment workbench console, right-click the MDT Production deployment share, click **Properties**, click the **Rules** tab, and change the line **SkipUserData=YES** to **SkipUserData=NO**. +2. Click **OK**, right-click **MDT Production**, click **Update Deployment Share** and accept the default options in the wizard to update the share. +3. Type the following commands at an elevated Windows PowerShell prompt on SRV1: + + ``` + New-Item -Path C:\MigData -ItemType directory + New-SmbShare -Name MigData$ -Path C:\MigData -ChangeAccess EVERYONE + icacls C:\MigData /grant '"contoso\administrator":(OI)(CI)(M)' + ``` +4. On SRV1 in the deployment workbench, under **MDT Production**, right-click the **Task Sequences** node, and click **New Folder**. +5. Name the new folder **Other**, and complete the wizard using default options. +6. Right-click the **Other** folder and then click **New Task Sequence**. Use the following values in the wizard: + - **Task sequence ID**: REPLACE-001 + - **Task sequence name**: Backup Only Task Sequence + - **Task sequence comments**: Run USMT to back up user data and settings + - **Template**: Standard Client Replace Task Sequence (note: this is not the default template) +7. Accept defaults for the rest of the wizard and then click **Finish**. The replace task sequence will skip OS selection and settings. +8. Open the new task sequence that was created and review it. Note the type of capture and backup tasks that are present. Click **OK** when you are finished reviewing the task sequence. + +### Run the backup-only task sequence + +1. If you are not already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, type the following command at an elevated command prompt: + + ``` + whoami + ``` +2. To ensure a clean environment before running the backup task sequence, type the following at an elevated Windows PowerShell prompt on PC1: + + ``` + Remove-Item c:\minint -recurse + Remove-Item c:\_SMSTaskSequence -recurse + Restart-Computer + ``` +3. Sign in to PC1 using the contoso\administrator account, and then type the following at an elevated command prompt: + + ``` + cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs + ``` +4. Complete the deployment wizard using the following: + - **Task Sequence**: Backup Only Task Sequence + - **User Data**: Specify a location: **\\\\SRV1\MigData$\PC1** + - **Computer Backup**: Do not back up the existing computer. +5. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and click the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks. +6. On PC1, verify that **The user state capture was completed successfully** is displayed, and click **Finish** when the capture is complete. +7. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example: + + ``` + PS C:\> dir C:\MigData\PC1\USMT + + Directory: C:\MigData\PC1\USMT + + Mode LastWriteTime Length Name + ---- ------------- ------ ---- + -a--- 9/6/2016 11:34 AM 14248685 USMT.MIG + ``` + ### Deploy PC3 + +8. On the Hyper-V host, type the following commands at an elevated Windows PowerShell prompt: + + ``` + New-VM –Name "PC3" –NewVHDPath "c:\vhd\pc3.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 + Set-VMMemory -VMName "PC3" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20 + ``` +9. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, type the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + Disable-NetAdapter "Ethernet 2" -Confirm:$false + ``` + + >As mentioned previously, ensure that you disable the **external** network adapter, and wait for the command to complete before proceeding. + + +10. Start and connect to PC3 by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Start-VM PC3 + vmconnect localhost PC3 + ``` + +11. When prompted, press ENTER for network boot. + +12. On PC3, use the following settings for the Windows Deployment Wizard: + - **Task Sequence**: Windows 10 Enterprise x64 Custom Image + - **Move Data and Settings**: Do not move user data and settings + - **User Data (Restore)**: Specify a location: **\\\\SRV1\MigData$\PC1** + +13. When OS installation has started on PC1, re-enable the external network adapter on SRV1 by typing the following command on SRV1: + + ``` + Enable-NetAdapter "Ethernet 2" + ``` +14. Setup will install the Windows 10 Enterprise operating system, update via Windows Update, and restore the user settings and data from PC1. + +15. When PC3 has completed installing the OS, sign in to PC3 using the contoso\administrator account. When the PC completes updating, click **Finish**. + +16. Verify that settings have been migrated from PC1. This completes demonstration of the replace procedure. + +17. Shut down PC3 in preparation for the [next](windows-10-poc-sc-config-mgr.md) procedure. + +## Troubleshooting logs, events, and utilities + +Deployment logs are available on the client computer in the following locations: +- Before the image is applied: X:\MININT\SMSOSD\OSDLOGS +- After the system drive has been formatted: C:\MININT\SMSOSD\OSDLOGS +- After deployment: %WINDIR%\TEMP\DeploymentLogs + +You can review WDS events in Event Viewer at: **Applications and Services Logs > Microsoft > Windows > Deployment-Services-Diagnostics**. By default, only the **Admin** and **Operational** logs are enabled. To enable other logs, right-click the log and then click **Enable Log**. + +Tools for viewing log files, and to assist with troubleshooting are available in the [System Center 2012 R2 Configuration Manager Toolkit](https://www.microsoft.com/en-us/download/details.aspx?id=50012) + +Also see [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) for detailed troubleshooting information. + +## Related Topics + +[Microsoft Deployment Toolkit](https://technet.microsoft.com/windows/dn475741)
          +[Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) + + + + + + + diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index 1473adef20..d9a32a74be 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md @@ -1,1081 +1,1081 @@ ---- -title: Step by step - Deploy Windows 10 using System Center Configuration Manager -description: Deploy Windows 10 in a test lab using System Center Configuration Manager -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -keywords: deployment, automate, tools, configure, sccm -ms.localizationpriority: medium -ms.date: 10/11/2017 -ms.reviewer: -manager: laurawi -ms.author: greg-lindsay -author: greg-lindsay -ms.topic: article ---- - -# Deploy Windows 10 in a test lab using System Center Configuration Manager - -**Applies to** - -- Windows 10 - -**Important**: This guide leverages the proof of concept (PoC) environment, and some settings that are configured in the following guides: -- [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) -- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) - -Please complete all steps in these guides before attempting the procedures in this guide. If you wish to skip the Windows 10 deployment procedures in the MDT guide and move directly to this guide, you must at least install MDT and the Windows ADK before performing procedures in this guide. All steps in the first guide are required before attempting the procedures in this guide. - -The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs): -- **DC1**: A contoso.com domain controller, DNS server, and DHCP server. -- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network. -- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been cloned from a physical computer on your corporate network for testing purposes. -This guide leverages the Hyper-V server role to perform procedures. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work. - ->Multiple features and services are installed on SRV1 in this guide. This is not a typical installation, and is only done to set up a lab environment with a bare minimum of resources. However, if less than 4 GB of RAM is allocated to SRV1 in the Hyper-V console, some procedures will be extremely slow to complete. If resources are limited on the Hyper-V host, consider reducing RAM allocation on DC1 and PC1, and then increasing the RAM allocation on SRV1. You can adjust RAM allocation for a VM by right-clicking the VM in the Hyper-V Manager console, clicking **Settings**, clicking **Memory**, and modifying the value next to **Maximum RAM**. - -## In this guide - -This guide provides end-to-end instructions to install and configure System Center Configuration Manager, and use it to deploy a Windows 10 image. Depending on the speed of your Hyper-V host, the procedures in this guide will require 6-10 hours to complete. - -Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. - -
          - -
          - -
          TopicDescriptionTime - -
          Install prerequisitesInstall prerequisite Windows Server roles and features, download, install and configure SQL Server, configure firewall rules, and install the Windows ADK.60 minutes -
          Install System Center Configuration ManagerDownload System Center Configuration Manager, configure prerequisites, and install the package.45 minutes -
          Download MDOP and install DaRTDownload the Microsoft Desktop Optimization Pack 2015 and install DaRT 10.15 minutes -
          Prepare for Zero Touch installationPrerequisite procedures to support Zero Touch installation.60 minutes -
          Create a boot image for Configuration ManagerUse the MDT wizard to create the boot image in Configuration Manager.20 minutes -
          Create a Windows 10 reference imageThis procedure can be skipped if it was done previously, otherwise instructions are provided to create a reference image.0-60 minutes -
          Add a Windows 10 operating system imageAdd a Windows 10 operating system image and distribute it.10 minutes
          Create a task sequenceCreate a Configuration Manager task sequence with MDT integration using the MDT wizard15 minutes -
          Finalize the operating system configurationEnable monitoring, configure rules, and distribute content.30 minutes -
          Deploy Windows 10 using PXE and Configuration ManagerDeploy Windows 10 using Configuration Manager deployment packages and task sequences.60 minutes -
          Replace a client with Windows 10 using Configuration ManagerReplace a client computer with Windows 10 using Configuration Manager.90 minutes -
          Refresh a client with Windows 10 using Configuration ManagerUse a task sequence to refresh a client with Windows 10 using Configuration Manager and MDT90 minutes - -
          - -
          - -## Install prerequisites -1. Before installing System Center Configuration Manager, we must install prerequisite services and features. Type the following command at an elevated Windows PowerShell prompt on SRV1: - - ``` - Install-WindowsFeature Web-Windows-Auth,Web-ISAPI-Ext,Web-Metabase,Web-WMI,BITS,RDC,NET-Framework-Features,Web-Asp-Net,Web-Asp-Net45,NET-HTTP-Activation,NET-Non-HTTP-Activ - ``` - - >If the request to add features fails, retry the installation by typing the command again. - -2. Download [SQL Server 2014 SP2](https://www.microsoft.com/en-us/evalcenter/evaluate-sql-server-2014-sp2) from the Microsoft Evaluation Center as an .ISO file on the Hyper-V host computer. Save the file to the **C:\VHD** directory. -3. When you have downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\SQLServer2014SP2-FullSlipstream-x64-ENU.iso - ``` - - This command mounts the .ISO file to drive D on SRV1. - -4. Type the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server: - - ``` - D:\setup.exe /q /ACTION=Install /ERRORREPORTING="False" /FEATURES=SQLENGINE,RS,IS,SSMS,TOOLS,ADV_SSMS,CONN /INSTANCENAME=MSSQLSERVER /INSTANCEDIR="C:\Program Files\Microsoft SQL Server" /SQLSVCACCOUNT="NT AUTHORITY\System" /SQLSYSADMINACCOUNTS="BUILTIN\ADMINISTRATORS" /SQLSVCSTARTUPTYPE=Automatic /AGTSVCACCOUNT="NT AUTHORITY\SYSTEM" /AGTSVCSTARTUPTYPE=Automatic /RSSVCACCOUNT="NT AUTHORITY\System" /RSSVCSTARTUPTYPE=Automatic /ISSVCACCOUNT="NT AUTHORITY\System" /ISSVCSTARTUPTYPE=Disabled /ASCOLLATION="Latin1_General_CI_AS" /SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS" /TCPENABLED="1" /NPENABLED="1" /IAcceptSQLServerLicenseTerms - ``` - Installation will take several minutes. When installation is complete, the following output will be displayed: - - ``` - Microsoft (R) SQL Server 2014 12.00.5000.00 - Copyright (c) Microsoft Corporation. All rights reserved. - - Microsoft (R) .NET Framework CasPol 2.0.50727.7905 - Copyright (c) Microsoft Corporation. All rights reserved. - - Success - Microsoft (R) .NET Framework CasPol 2.0.50727.7905 - Copyright (c) Microsoft Corporation. All rights reserved. - - Success - One or more affected files have operations pending. - You should restart your computer to complete this process. - PS C:\> - ``` -5. Type the following commands at an elevated Windows PowerShell prompt on SRV1: - - ``` - New-NetFirewallRule -DisplayName “SQL Server” -Direction Inbound –Protocol TCP –LocalPort 1433 -Action allow - New-NetFirewallRule -DisplayName “SQL Admin Connection” -Direction Inbound –Protocol TCP –LocalPort 1434 -Action allow - New-NetFirewallRule -DisplayName “SQL Database Management” -Direction Inbound –Protocol UDP –LocalPort 1434 -Action allow - New-NetFirewallRule -DisplayName “SQL Service Broker” -Direction Inbound –Protocol TCP –LocalPort 4022 -Action allow - New-NetFirewallRule -DisplayName “SQL Debugger/RPC” -Direction Inbound –Protocol TCP –LocalPort 135 -Action allow - ``` - -7. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1703. Installation might require several minutes to acquire all components. - -## Install System Center Configuration Manager - -1. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt: - - ``` - $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" - Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0 - Stop-Process -Name Explorer - ``` - -2. Download [System Center Configuration Manager and Endpoint Protection](https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) on SRV1 (download the executable file anywhere on SRV1), double-click the file, enter **C:\configmgr** for **Unzip to folder**, and click **Unzip**. The C:\configmgr directory will be automatically created. Click **OK** and then close the **WinZip Self-Extractor** dialog box when finished. - -3. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**: - - ``` - Get-Service Winmgmt - - Status Name DisplayName - ------ ---- ----------- - Running Winmgmt Windows Management Instrumentation - - Test-NetConnection -ComputerName 192.168.0.2 -Port 135 -InformationLevel Detailed - - ComputerName : 192.168.0.2 - RemoteAddress : 192.168.0.2 - RemotePort : 135 - AllNameResolutionResults : - MatchingIPsecRules : - NetworkIsolationContext : Internet - InterfaceAlias : Ethernet - SourceAddress : 192.168.0.2 - NetRoute (NextHop) : 0.0.0.0 - PingSucceeded : True - PingReplyDetails (RTT) : 0 ms - TcpTestSucceeded : True - ``` - You can also verify WMI using the WMI console by typing **wmimgmt.msc**, right-clicking **WMI Control (Local)** in the console tree, and then clicking **Properties**. - - If the WMI service is not started, attempt to start it or reboot the computer. If WMI is running but errors are present, see [WMIDiag](https://blogs.technet.microsoft.com/askperf/2015/05/12/wmidiag-2-2-is-here/) for troubleshooting information. - -4. To extend the Active Directory schema, type the following command at an elevated Windows PowerShell prompt: - - ``` - cmd /c C:\configmgr\SMSSETUP\BIN\X64\extadsch.exe - ``` - -5. Temporarily switch to the DC1 VM, and type the following command at an elevated command prompt on DC1: - - ``` - adsiedit.msc - ``` - -6. Right-click **ADSI Edit**, click **Connect to**, select **Default (Domain or server that you logged in to)** under **Computer** and then click **OK**. -7. Expand **Default naming context**>**DC=contoso,DC=com**, and then in the console tree right-click **CN=System**, point to **New**, and then click **Object**. -8. Click **container** and then click **Next**. -9. Next to **Value**, type **System Management**, click **Next**, and then click **Finish**. -10. Right-click **CN=system Management** and then click **Properties**. -11. On the **Security** tab, click **Add**, click **Object Types**, select **Computers**, and click **OK**. -12. Under **Enter the object names to select**, type **SRV1** and click **OK**. -13. The **SRV1** computer account will be highlighted, select **Allow** next to **Full control**. -14. Click **Advanced**, click **SRV1 (CONTOSO\SRV1$)** and click **Edit**. -15. Next to **Applies to**, choose **This object and all descendant objects**, and then click **OK** three times. -16. Close the ADSI Edit console and switch back to SRV1. -17. To start Configuration Manager installation, type the following command at an elevated Windows PowerShell prompt on SRV1: - - ``` - cmd /c C:\configmgr\SMSSETUP\BIN\X64\Setup.exe - ``` -18. Provide the following in the System Center Configuration Manager Setup Wizard: - - **Before You Begin**: Read the text and click *Next*. - - **Getting Started**: Choose **Install a Configuration Manager primary site** and select the **Use typical installation options for a stand-alone primary site** checkbox. - - Click **Yes** in response to the popup window. - - **Product Key**: Choose **Install the evaluation edition of this Product**. - - **Microsoft Software License Terms**: Read the terms and then select the **I accept these license terms** checkbox. - - **Prerequisite Licenses**: Review license terms and select all three checkboxes on the page. - - **Prerequisite Downloads**: Choose **Download required files** and enter **c:\windows\temp** next to **Path**. - - **Site and Installation Settings**: Site code: **PS1**, Site name: **Contoso**. - - use default settings for all other options - - **Usage Data**: Read the text and click **Next**. - - **Service Connection Point Setup**: Accept the default settings (SRV1.contoso.com is automatically added under Select a server to use). - - **Settings Summary**: Review settings and click **Next**. - - **Prerequisite Check**: No failures should be listed. Ignore any warnings and click **Begin Install**. - - >There should be at most three warnings present: WSUS on site server, configuration for SQL Server memory usage, and SQL Server process memory allocation. These warnings can safely be ignored in this test environment. - - Depending on the speed of the Hyper-V host and resources allocated to SRV1, installation can require approximately one hour. Click **Close** when installation is complete. - -19. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1: - - ``` - Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1 - Stop-Process -Name Explorer - ``` - -## Download MDOP and install DaRT - ->[!IMPORTANT] ->This step requires an MSDN subscription or volume licence agreement. For more information, see [Ready for Windows 10: MDOP 2015 and more tools are now available](https://blogs.technet.microsoft.com/windowsitpro/2015/08/17/ready-for-windows-10-mdop-2015-and-more-tools-are-now-available/). ->If your organization qualifies and does not already have an MSDN subscription, you can obtain a [free MSDN subscription with BizSpark](https://blogs.msdn.microsoft.com/zainnab/2011/03/14/bizspark-free-msdn-subscription-for-start-up-companies/). - -1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host. - -2. Type the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1: - - ``` - Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso - ``` -3. Type the following command at an elevated Windows PowerShell prompt on SRV1: - - ``` - cmd /c "D:\DaRT\DaRT 10\Installers\en-us\x64\MSDaRT100.msi" - ``` -4. Install DaRT 10 using default settings. -5. Type the following commands at an elevated Windows PowerShell prompt on SRV1: - - ``` - Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx64.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64" - Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx86.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x86" - ``` - -## Prepare for Zero Touch installation - -This section contains several procedures to support Zero Touch installation with System Center Configuration Manager. - -### Create a folder structure - -1. Type the following commands at a Windows PowerShell prompt on SRV1: - - ``` - New-Item -ItemType Directory -Path "C:\Sources\OSD\Boot" - New-Item -ItemType Directory -Path "C:\Sources\OSD\OS" - New-Item -ItemType Directory -Path "C:\Sources\OSD\Settings" - New-Item -ItemType Directory -Path "C:\Sources\OSD\Branding" - New-Item -ItemType Directory -Path "C:\Sources\OSD\MDT" - New-Item -ItemType Directory -Path "C:\Logs" - New-SmbShare -Name Sources$ -Path C:\Sources -ChangeAccess EVERYONE - New-SmbShare -Name Logs$ -Path C:\Logs -ChangeAccess EVERYONE - ``` - -### Enable MDT ConfigMgr integration - -1. On SRV1, click **Start**, type **configmgr**, and then click **Configure ConfigMgr Integration**. -2. Type **PS1** next to **Site code**, and then click **Next**. -3. Verify **The process completed successfully** is displayed, and then click **Finish**. - -### Configure client settings - -1. On SRV1, click **Start**, type **configuration manager**, right-click **Configuration Manager Console**, and then click **Pin to Taskbar**. -2. Click **Desktop**, and then launch the Configuration Manager console from the taskbar. -3. If the console notifies you that an update is available, click **OK**. It is not necessary to install updates to complete this lab. -4. In the console tree, open the **Administration** workspace (in the lower left corner) and click **Client Settings**. -5. In the display pane, double-click **Default Client Settings**. -6. Click **Computer Agent**, next to **Organization name displayed in Software Center** type **Contoso**, and then click **OK**. - -### Configure the network access account - -1. In the Administration workspace, expand **Site Configuration** and click **Sites**. -2. On the **Home** ribbon at the top of the console window, click **Configure Site Components** and then click **Software Distribution**. -3. On the **Network Access Account** tab, choose **Specify the account that accesses network locations**. -4. Click the yellow starburst and then click **New Account**. -5. Click **Browse** and then under **Enter the object name to select**, type **CM_NAA** and click **OK**. -6. Next to **Password** and **Confirm Password**, type pass@word1, and then click **OK** twice. - -### Configure a boundary group - -1. In the Administration workspace, expand **Hierarchy Configuration**, right-click **Boundaries** and then click **Create Boundary**. -2. Next to **Description**, type **PS1**, next to **Type** choose **Active Directory Site**, and then click **Browse**. -3. Choose **Default-First-Site-Name** and then click **OK** twice. -4. In the Administration workspace, right-click **Boundary Groups** and then click **Create Boundary Group**. -5. Next to **Name**, type **PS1 Site Assignment and Content Location**, click **Add**, select the **Default-First-Site-Name** boundary and then click **OK**. -6. On the **References** tab in the **Create Boundary Group** window select the **Use this boundary group for site assignment** checkbox. -7. Click **Add**, select the **\\\SRV1.contoso.com** checkbox, and then click **OK** twice. - -### Add the state migration point role - -1. In the Administration workspace, expand **Site Configuration**, click **Sites**, and then in on the **Home** ribbon at the top of the console click **Add Site System Roles**. -2. In the Add site System Roles Wizard, click **Next** twice and then on the Specify roles for this server page, select the **State migration point** checkbox. -3. Click **Next**, click the yellow starburst, type **C:\MigData** for the **Storage folder**, and click **OK**. -4. Click **Next**, and then verify under **Boundary groups** that **PS1 Site Assignment and Content Location** is displayed. -5. Click **Next** twice and then click **Close**. - -### Enable PXE on the distribution point - ->[!IMPORTANT] ->Before enabling PXE in Configuration Manager, ensure that any previous installation of WDS does not cause conflicts. Configuration Manager will automatically configure the WDS service to manage PXE requests. To disable a previous installation, if it exists, type the following commands at an elevated Windows PowerShell prompt on SRV1: - -``` -WDSUTIL /Set-Server /AnswerClients:None -``` - -1. Determine the MAC address of the internal network adapter on SRV1. To determine this, type the following command at an elevated Windows PowerShell prompt on SRV1: - - ``` - (Get-NetAdapter "Ethernet").MacAddress - ``` - >If the internal network adapter, assigned an IP address of 192.168.0.2, is not named "Ethernet" then replace the name "Ethernet" in the previous command with the name of this network adapter. You can review the names of network adapters and the IP addresses assigned to them by typing **ipconfig**. - -2. In the System Center Configuration Manager console, in the **Administration** workspace, click **Distribution Points**. -3. In the display pane, right-click **SRV1.CONTOSO.COM** and then click **Properties**. -4. On the PXE tab, select the following settings: - - **Enable PXE support for clients**. Click **Yes** in the popup that appears. - - **Allow this distribution point to respond to incoming PXE requests** - - **Enable unknown computer support**. Click **OK** in the popup that appears. - - **Require a password when computers use PXE** - - **Password** and **Confirm password**: pass@word1 - - **Respond to PXE requests on specific network interfaces**: Click the yellow starburst and then enter the MAC address determined in the first step of this procedure. - - See the following example: - - Config Mgr PXE - -5. Click **OK**. -6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present: - - ``` - cmd /c dir /b C:\RemoteInstall\SMSBoot\x64 - - abortpxe.com - bootmgfw.efi - bootmgr.exe - pxeboot.com - pxeboot.n12 - wdsmgfw.efi - wdsnbp.com - ``` - >If these files are not present in the C:\RemoteInstall directory, verify that the REMINST share is configured as C:\RemoteInstall. You can view the properties of this share by typing "net share REMINST" at a command prompt. If the share path is set to a different value, then replace C:\RemoteInstall with your REMINST share path. - >You can also type the following command at an elevated Windows PowerShell prompt to open the Configuration Manager Trace Log Tool. In the tool, click **File**, click **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red: - - ``` - Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe' - ``` - - The log file will updated continuously while Configuration Manager is running. Wait for Configuration Manager to repair any issues that are present, and periodically re-check that the files are present in the REMINST share location. Close the Configuration Manager Trace Log Tool when done. You will see the following line in distmgr.log that indicates the REMINST share is being populated with necessary files: - - Running: WDSUTIL.exe /Initialize-Server /REMINST:"C:\RemoteInstall" - - Once the files are present in the REMINST share location, you can close the cmtrace tool. - -### Create a branding image file - -1. If you have a bitmap (.BMP) image for suitable use as a branding image, copy it to the C:\Sources\OSD\Branding folder on SRV1. Otherwise, use the following step to copy a simple branding image. -2. Type the following command at an elevated Windows PowerShell prompt: - - ``` - copy "C:\ProgramData\Microsoft\User Account Pictures\user.bmp" "C:\Sources\OSD\Branding\contoso.bmp" - ``` - >You can open C:\Sources\OSD\Branding\contoso.bmp in MSPaint.exe if desired to customize this image. - - -### Create a boot image for Configuration Manager - -1. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and then click **Create Boot Image using MDT**. -2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then click **Next**. - - The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later. -3. On the General Settings page, type **Zero Touch WinPE x64** next to **Name**, and click **Next**. -4. On the Options page, under **Platform** choose **x64**, and click **Next**. -5. On the Components page, in addition to the default selection of **Microsoft Data Access Components (MDAC/ADO) support**, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox, and click **Next**. -6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, type or browse to **\\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then click **Next** twice. It will take a few minutes to generate the boot image. -7. Click **Finish**. -8. In the console display pane, right-click the **Zero Touch WinPE x64** boot image, and then click **Distribute Content**. -9. In the Distribute Content Wizard, click **Next**, click **Add** and select **Distribution Point**, select the **SRV1.CONTOSO.COM** checkbox, click **OK**, click **Next** twice, and then click **Close**. -10. Use the CMTrace application to view the **distmgr.log** file again and verify that the boot image has been distributed. To open CMTrace, type the following command at an elevated Windows PowerShell prompt on SRV1: - - ``` - Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe' - ``` - - In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example: - - ``` - STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=924 TID=1424 GMTDATE=Tue Oct 09 22:36:30.986 2018 ISTR0="Zero Touch WinPE x64" ISTR1="PS10000A" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS10000A" SMS_DISTRIBUTION_MANAGER 10/9/2018 3:36:30 PM 1424 (0x0590) - ``` - -11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Double-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab. -12. Next, in the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then click the **Data Source** tab. -13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and click **OK**. -14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. See the following example: - - ``` - cmd /c dir /s /b C:\RemoteInstall\SMSImages - - C:\RemoteInstall\SMSImages\PS100004 - C:\RemoteInstall\SMSImages\PS100005 - C:\RemoteInstall\SMSImages\PS100006 - C:\RemoteInstall\SMSImages\PS100004\boot.PS100004.wim - C:\RemoteInstall\SMSImages\PS100005\boot.PS100005.wim - C:\RemoteInstall\SMSImages\PS100006\WinPE.PS100006.wim - ``` - - >The first two images (*.wim files) are default boot images. The third is the new boot image with DaRT. - -### Create a Windows 10 reference image - -If you have already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you have already created a Windows 10 reference image. In this case, skip to the next procedure in this guide: [Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image). If you have not yet created a Windows 10 reference image, complete the steps in this section. - -1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command: - - ``` - Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso - ``` -2. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D. - -3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**. - -4. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. - -5. Use the following settings for the New Deployment Share Wizard: - - Deployment share path: **C:\MDTBuildLab**
          - - Share name: **MDTBuildLab$**
          - - Deployment share description: **MDT build lab**
          - - Options: click **Next** to accept the default
          - - Summary: click **Next**
          - - Progress: settings will be applied
          - - Confirmation: click **Finish** - -6. Expand the **Deployment Shares** node, and then expand **MDT build lab**. - -7. Right-click the **Operating Systems** node, and then click **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**. - -7. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**. - -8. Use the following settings for the Import Operating System Wizard: - - OS Type: **Full set of source files**
          - - Source: **D:\\**
          - - Destination: **W10Ent_x64**
          - - Summary: click **Next** - - Confirmation: click **Finish** - -9. For purposes of this test lab, we will not add applications, such as Microsoft Office, to the deployment share. For information about adding applications, see the [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#sec03) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library. - -10. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - - Task sequence ID: **REFW10X64-001**
          - - Task sequence name: **Windows 10 Enterprise x64 Default Image**
          - - Task sequence comments: **Reference Build**
          - - Template: **Standard Client Task Sequence** - - Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim** - - Specify Product Key: **Do not specify a product key at this time** - - Full Name: **Contoso** - - Organization: **Contoso** - - Internet Explorer home page: **http://www.contoso.com** - - Admin Password: **Do not specify an Administrator password at this time** - - Summary: click **Next** - - Confirmation: click **Finish** - -11. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step. - -12. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**. A new group will be added under Tattoo. - -13. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. To see the name change, click **Tattoo**, then click the new group again. - -14. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**. - -15. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**. - -16. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. - >Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications. - -17. Click **OK** to complete editing the task sequence. - -18. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and click **Properties**, and then click the **Rules** tab. - -19. Replace the default rules with the following text: - - ``` - [Settings] - Priority=Default - - [Default] - _SMSTSORGNAME=Contoso - UserDataLocation=NONE - DoCapture=YES - OSInstall=Y - AdminPassword=pass@word1 - TimeZoneName=Pacific Standard TimeZoneName - OSDComputername=#Left("PC-%SerialNumber%",7)# - JoinWorkgroup=WORKGROUP - HideShell=YES - FinishAction=SHUTDOWN - DoNotCreateExtraPartition=YES - ApplyGPOPack=NO - SkipAdminPassword=YES - SkipProductKey=YES - SkipComputerName=YES - SkipDomainMembership=YES - SkipUserData=YES - SkipLocaleSelection=YES - SkipTaskSequence=NO - SkipTimeZone=YES - SkipApplications=YES - SkipBitLocker=YES - SkipSummary=YES - SkipRoles=YES - SkipCapture=NO - SkipFinalSummary=NO - ``` - -20. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: - - ``` - [Settings] - Priority=Default - - [Default] - DeployRoot=\\SRV1\MDTBuildLab$ - UserDomain=CONTOSO - UserID=MDT_BA - UserPassword=pass@word1 - SkipBDDWelcome=YES - ``` - -21. Click **OK** to complete the configuration of the deployment share. - -22. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**. - -23. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, click **Finish**. - -24. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI). - - >Hint: Top copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**. - -25. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands: - - ``` - New-VM –Name REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB - Set-VMMemory -VMName REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20 - Set-VMDvdDrive -VMName REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso - Start-VM REFW10X64-001 - vmconnect localhost REFW10X64-001 - ``` -26. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**. - -27. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated. - - Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures: - - - Install the Windows 10 Enterprise operating system. - - Install added applications, roles, and features. - - Update the operating system using Windows Update (or WSUS if optionally specified). - - Stage Windows PE on the local disk. - - Run System Preparation (Sysprep) and reboot into Windows PE. - - Capture the installation to a Windows Imaging (WIM) file. - - Turn off the virtual machine. - - This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host and your network's download speed. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on SRV1. The file name is **REFW10X64-001.wim**. - -### Add a Windows 10 operating system image - -1. Type the following commands at an elevated Windows PowerShell prompt on SRV1: - - ``` - New-Item -ItemType Directory -Path "C:\Sources\OSD\OS\Windows 10 Enterprise x64" - cmd /c copy /z "C:\MDTBuildLab\Captures\REFW10X64-001.wim" "C:\Sources\OSD\OS\Windows 10 Enterprise x64" - ``` - -2. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Operating System Images**, and then click **Add Operating System Image**. - -3. On the Data Source page, under **Path:**, type or browse to **\\\SRV1\Sources$\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim**, and click **Next**. - -4. On the General page, next to **Name:**, type **Windows 10 Enterprise x64**, click **Next** twice, and then click **Close**. - -5. Distribute the operating system image to the SRV1 distribution point by right-clicking the **Windows 10 Enterprise x64** operating system image and then clicking **Distribute Content**. - -6. In the Distribute Content Wizard, click **Next**, click **Add**, click **Distribution Point**, add the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**. - -7. Enter **\Monitoring\Overview\Distribution Status\Content Status** on the location bar (be sure there is no space at the end of the location or you will get an error), click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. Processing of the image on the site server can take several minutes. - - >If content distribution is not successful, verify that sufficient disk space is available. - -### Create a task sequence - ->Complete this section slowly. There are a large number of similar settings from which to choose. - -1. In the Configuration Manager console, in the **Software Library** workspace expand **Operating Systems**, right-click **Task Sequences**, and then click **Create MDT Task Sequence**. - -2. On the Choose Template page, select the **Client Task Sequence** template and click **Next**. - -3. On the General page, type **Windows 10 Enterprise x64** under **Task sequence name:** and then click **Next**. - -4. On the Details page, enter the following settings: - - Join a domain: **contoso.com** - - Account: click **Set** - - User name: **contoso\CM_JD** - - Password: pass@word1 - - Confirm password: pass@word1 - - Click **OK** - - Windows Settings - - User name: **Contoso** - - Organization name: **Contoso** - - Product key: \ - - Administrator Account: **Enable the account and specify the local administrator password** - - Password: pass@word1 - - Confirm password: pass@word1 - - Click **Next** - -5. On the Capture Settings page, accept the default settings and click **Next**. - -6. On the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package, click **OK**, and then click **Next**. - -7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\MDT\MDT** (MDT is repeated here, not a typo), and then click **Next**. - -8. On the MDT Details page, next to **Name:** type **MDT** and then click **Next**. - -9. On the OS Image page, browse and select the **Windows 10 Enterprise x64** package, click **OK**, and then click **Next**. - -10. On the Deployment Method page, accept the default settings for **Zero Touch Installation** and click **Next**. - -11. On the Client Package page, browse and select the **Microsoft Corporation Configuration Manager Client package**, click **OK**, and then click **Next**. - -12. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows 10.0.14393.0** package, click **OK**, and then click **Next**. - -13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings**, and then click **Next**. - -14. On the Settings Details page, next to **Name:**, type **Windows 10 x64 Settings**, and click **Next**. - -15. On the Sysprep Package page, click **Next** twice. - -16. On the Confirmation page, click **Finish**. - -### Edit the task sequence - -1. In the Configuration Manager console, in the **Software Library** workspace, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Edit**. - -2. Scroll down to the **Install** group and click the **Set Variable for Drive Letter** action. - -3. Change the Value under **OSDPreserveDriveLetter** from **False** to **True**, and then click **Apply**. - -4. In the **State Restore** group, click the **Set Status 5** action, click **Add** in the upper left corner, point to **User State**, and click **Request State Store**. This adds a new action immediately after **Set Status 5**. - -5. Configure the **Request State Store** action that was just added with the following settings:
          - - Request state storage location to: **Restore state from another computer**
          - - Select the **If computer account fails to connect to state store, use the Network Access account** checkbox.
          - - Options tab: Select the **Continue on error** checkbox.
          - - Add Condition: **Task Sequence Variable**:
          - - Variable: **USMTLOCAL**
          - - Condition: **not equals**
          - - Value: **True**
          - - Click **OK**.
          - - Click **Apply**
          . - -6. In the **State Restore** group, click **Restore User State**, click **Add**, point to **User State**, and click **Release State Store**. - -7. Configure the **Release State Store** action that was just added with the following settings:
          - - Options tab: Select the **Continue on error** checkbox.
          - - Add Condition: **Task Sequence Variable**:
          - - Variable: **USMTLOCAL**
          - - Condition: **not equals**
          - - Value: **True**
          - - Click **OK**.
          - - Click **OK**
          . - - -### Finalize the operating system configuration - ->If you completed all procedures in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then the MDT deployment share is already present on SRV1. In this case, skip the first four steps below and begin with step 5 to edit CustomSettings.ini. - -1. In the MDT deployment workbench on SRV1, right-click **Deployment Shares** and then click **New Deployment Share**. - -2. Use the following settings for the New Deployment Share Wizard: - - Deployment share path: **C:\MDTProduction**
          - - Share name: **MDTProduction$**
          - - Deployment share description: **MDT Production**
          - - Options: click **Next** to accept the default
          - - Summary: click **Next**
          - - Progress: settings will be applied
          - - Confirmation: click **Finish** - -3. Right-click the **MDT Production** deployment share, and click **Properties**. - -4. Click the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**. - -5. Type the following command at an elevated Windows PowerShell prompt on SRV1: - - ``` - notepad "C:\Sources\OSD\Settings\Windows 10 x64 Settings\CustomSettings.ini" - ``` -6. Replace the contents of the file with the following text, and then save the file: - - ``` - [Settings] - Priority=Default - Properties=OSDMigrateConfigFiles,OSDMigrateMode - - [Default] - DoCapture=NO - ComputerBackupLocation=NONE - OSDMigrateMode=Advanced - OSDMigrateAdditionalCaptureOptions=/ue:*\* /ui:CONTOSO\* - OSDMigrateConfigFiles=Miguser.xml,Migapp.xml - SLSHARE=\\SRV1\Logs$ - EventService=http://SRV1:9800 - ApplyGPOPack=NO - ``` - - >As noted previously, if you wish to migrate accounts other than those in the Contoso domain, then change the OSDMigrateAdditionalCaptureOptions option. For example, the following option will capture settings from all user accounts: - - ``` - OSDMigrateAdditionalCaptureOptions=/all - ``` - - -7. Return to the Configuration Manager console, and in the Software Library workspace, expand **Application Management**, click **Packages**, right-click **Windows 10 x64 Settings**, and then click **Update Distribution Points**. Click **OK** in the popup that appears. - -8. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Distribute Content**. - -9. In the Distribute Content Wizard, click **Next** twice, click **Add**, click **Distribution Point**, select the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**. - -10. Enter **\Monitoring\Overview\Distribution Status\Content Status\Windows 10 Enterprise x64** on the location bar, double-click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. - -### Create a deployment for the task sequence - -1. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Deploy**. - -2. On the General page, next to **Collection**, click **Browse**, select the **All Unknown Computers** collection, click **OK**, and then click **Next**. - -3. On the Deployment Settings page, use the following settings:
          - - Purpose: **Available**
          - - Make available to the following: **Only media and PXE**
          - - Click **Next**.
          -4. Click **Next** five times to accept defaults on the Scheduling, User Experience, Alerts, and Distribution Points pages. - -5. Click **Close**. - -## Deploy Windows 10 using PXE and Configuration Manager - -In this first deployment scenario, we will deploy Windows 10 using PXE. This scenario creates a new computer that does not have any migrated users or settings. - -1. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - New-VM –Name "PC4" –NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 40GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 - Set-VMMemory -VMName "PC4" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20 - Start-VM PC4 - vmconnect localhost PC4 - ``` - -2. Press ENTER when prompted to start the network boot service. - -3. In the Task Sequence Wizard, provide the password: pass@word1, and then click **Next**. - -4. Before you click **Next** in the Task Sequence Wizard, press the **F8** key. A command prompt will open. - -5. At the command prompt, type **explorer.exe** and review the Windows PE file structure. - -6. The smsts.log file is critical for troubleshooting any installation problems that might be encountered. Depending on the deployment phase, the smsts.log file is created in different locations: - - X:\windows\temp\SMSTSLog\smsts.log before disks are formatted. - - x:\smstslog\smsts.log after disks are formatted. - - c:\_SMSTaskSequence\Logs\Smstslog\smsts.log before the System Center Configuration Manager client is installed. - - c:\windows\ccm\logs\Smstslog\smsts.log after the System Center Configuration Manager client is installed. - - c:\windows\ccm\logs\smsts.log when the task sequence is complete. - - Note: If a reboot is pending on the client, the reboot will be blocked as long as the command window is open. - -7. In the explorer window, click **Tools** and then click **Map Network Drive**. - -8. Do not map a network drive at this time. If you need to save the smsts.log file, you can use this method to save the file to a location on SRV1. - -9. Close the Map Network Drive window, the Explorer window, and the command prompt. - -10. The **Windows 10 Enterprise x64** task sequence is selected in the Task Sequenc Wizard. Click **Next** to continue with the deployment. - -11. The task sequence will require several minutes to complete. You can monitor progress of the task sequence using the MDT Deployment Workbench under Deployment Shares > MDTProduction > Monitoring. The task sequence will: - - Install Windows 10 - - Install the Configuration Manager client and hotfix - - Join the computer to the contoso.com domain - - Install any applications that were specified in the reference image - - -12. When Windows 10 installation has completed, sign in to PC4 using the **contoso\administrator** account. - -13. Right-click **Start**, click **Run**, type **control appwiz.cpl**, press ENTER, click **Turn Windows features on or off**, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This is a feature included in the reference image. - -14. Shut down the PC4 VM. - ->Note: The following two procedures 1) Replace a client with Windows 10 and 2) Refresh a client with Windows 10 have been exchanged in their order in this guide compared to the previous version. This is to avoid having to restore Hyper-V checkpoints to have access to PC1 before the OS is upgraded. If this is your first time going through this guide, you won't notice any change, but if you have tried the guide previously then this change should make it simpler to complete. - -## Replace a client with Windows 10 using Configuration Manager - ->Before starting this section, you can delete computer objects from Active Directory that were created as part of previous deployment procedures. Use the Active Directory Users and Computers console on DC1 to remove stale entries under contoso.com\Computers, but do not delete the computer account (hostname) for PC1. There should be at least two computer accounts present in the contoso.com\Computers container: one for SRV1, and one for the hostname of PC1. It is not required to delete the stale entries, this is only done to remove clutter. - -![contoso.com\Computers](images/poc-computers.png) - -In the replace procedure, PC1 will not be migrated to a new operating system. It is simplest to perform this procedure before performing the refresh procedure. After refreshing PC1, the operating system will be new. The next (replace) procedure does not install a new operating system on PC1 but rather performs a side-by-side migration of PC1 and another computer (PC4), to copy users and settings from PC1 to the new computer. - -### Create a replace task sequence - -1. On SRV1, in the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and then click **Create MDT Task Sequence**. - -2. On the Choose Template page, select **Client Replace Task Sequence** and click **Next**. - -3. On the General page, type the following: - - Task sequence name: **Replace Task Sequence** - - Task sequence comments: **USMT backup only** - -4. Click **Next**, and on the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package. Click **OK** and then click **Next** to continue. -5. On the MDT Package page, browse and select the **MDT** package. Click **OK** and then click **Next** to continue. -6. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package. Click **OK** and then click **Next** to continue. -7. On the Settings Package page, browse and select the **Windows 10 x64 Settings** package. Click **OK** and then click **Next** to continue. -8. On the Summary page, review the details and then click **Next**. -9. On the Confirmation page, click **Finish**. - ->If an error is displayed at this stage it can be caused by a corrupt MDT integration. To repair it, close the Configuration Manager console, remove MDT integration, and then restore MDT integration. - -### Deploy PC4 - -Create a VM named PC4 to receive the applications and settings from PC1. This VM represents a new computer that will replace PC1. To create this VM, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: - -``` -New-VM –Name "PC4" –NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 -Set-VMMemory -VMName "PC4" -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 2048MB -Buffer 20 -Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF -``` - ->Hyper-V enables us to define a static MAC address on PC4. In a real-world scenario you must determine the MAC address of the new computer. - -### Install the Configuration Manager client on PC1 - -1. Verify that the PC1 VM is running and in its original state, which was saved as a checkpoint and then restored in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md). - -2. If a PC1 checkpoint has not already been saved, then save a checkpoint by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - Checkpoint-VM -Name PC1 -SnapshotName BeginState - ``` - -3. On SRV1, in the Configuration Manager console, in the Administration workspace, expand **Hierarchy Configuration** and click on **Discovery Methods**. -4. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox. -5. Click the yellow starburst, click **Browse**, select **contoso\Computers**, and then click **OK** three times. -6. When a popup dialog box asks if you want to run full discovery, click **Yes**. -7. In the Assets and Compliance workspace, click **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example): - - ![assets](images/sccm-assets.png) - - >If you do not see the computer account for PC1, try clicking the **Refresh** button in the upper right corner of the console. - - The **Client** column indicates that the Configuration Manager client is not currently installed. This procedure will be carried out next. - -8. Sign in to PC1 using the contoso\administrator account and type the following at an elevated command prompt to remove any pre-existing client configuration, if it exists. Note: this command requires an elevated command prompt not an elevated Windows PowerShell prompt: - - ``` - sc stop ccmsetup - "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /Uninstall - ``` - >If PC1 still has Configuration Manager registry settings that were applied by Group Policy, startup scripts, or other policies in its previous domain, these might not all be removed by CCMSetup /Uninstall and can cause problems with installation or registration of the client in its new environment. It might be necessary to manually remove these settings if they are present. For more information, see [Manual removal of the SCCM client](https://blogs.technet.microsoft.com/michaelgriswold/2013/01/02/manual-removal-of-the-sccm-client/). - -9. On PC1, temporarily stop Windows Update from queuing items for download and clear all BITS jobs from the queue: - - ``` - net stop wuauserv - net stop BITS - ``` - - Verify that both services were stopped successfully, then type the following at an elevated command prompt: - - ``` - del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat" - net start BITS - bitsadmin /list /allusers - ``` - - Verify that BITSAdmin displays 0 jobs. - -10. To install the Configuration Manager client as a standalone process, type the following at an elevated command prompt: - - ``` - "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /mp:SRV1.contoso.com /logon SMSSITECODE=PS1 - ``` -11. On PC1, using file explorer, open the **C:\Windows\ccmsetup** directory. During client installation, files will be downloaded here. -12. Installation progress will be captured in the file: **c:\windows\ccmsetup\logs\ccmsetup.log**. You can periodically open this file in notepad, or you can type the following command at an elevated Windows PowerShell prompt to monitor installation progress: - - ``` - Get-Content -Path c:\windows\ccmsetup\logs\ccmsetup.log -Wait - ``` - - Installation might require several minutes, and display of the log file will appear to hang while some applications are installed. This is normal. When setup is complete, verify that **CcmSetup is existing with return code 0** is displayed on the last line of the ccmsetup.log file and then press **CTRL-C** to break out of the Get-Content operation (if you are viewing the log in Windows PowerShell the last line will be wrapped). A return code of 0 indicates that installation was successful and you should now see a directory created at **C:\Windows\CCM** that contains files used in registration of the client with its site. - -13. On PC1, open the Configuration Manager control panel applet by typing the following command: - - ``` - control smscfgrc - ``` - -14. Click the **Site** tab, click **Configure Settings**, and click **Find Site**. The client will report that it has found the PS1 site. See the following example: - - ![site](images/sccm-site.png) - - If the client is not able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the site code is not located is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode** this must be deleted or updated. - -15. On SRV1, in the Assets and Compliance workspace, click **Device Collections** and then double-click **All Desktop and Server Clients**. This node will be added under **Devices**. - -16. Click **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example: - - ![client](images/sccm-client.png) - - >It might take several minutes for the client to fully register with the site and complete a client check. When it is complete you will see a green check mark over the client icon as shown above. To refresh the client, click it and then press **F5** or right-click the client and click **Refresh**. - -### Create a device collection and deployment - -1. On SRV1, in the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections** and then click **Create Device Collection**. - -2. Use the following settings in the **Create Device Collection Wizard**: - - General > Name: **Install Windows 10 Enterprise x64**
          - - General > Limiting collection: **All Systems**
          - - Membership Rules > Add Rule: **Direct Rule**
          - - The **Create Direct Membership Rule Wizard** opens, click **Next**
          - - Search for Resources > Resource class: **System Resource**
          - - Search for Resources > Attribute name: **Name**
          - - Search for Resources > Value: **%**
          - - Select Resources > Value: Select the computername associated with the PC1 VM
          - - Click **Next** twice and then click **Close** in both windows (Next, Next, Close, then Next, Next, Close) - -3. Double-click the Install Windows 10 Enterprise x64 device collection and verify that the PC1 computer account is displayed. - -4. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64** and then click **Deploy**. - -5. Use the following settings in the Deploy Software wizard: - - General > Collection: Click Browse and select **Install Windows 10 Enterprise x64**
          - - Deployment Settings > Purpose: **Available**
          - - Deployment Settings > Make available to the following: **Configuration Manager clients, media and PXE**
          - - Scheduling > Click **Next**
          - - User Experience > Click **Next**
          - - Alerts > Click **Next**
          - - Distribution Points > Click **Next**
          - - Summary > Click **Next**
          - - Verify that the wizard completed successfully and then click **Close** - - -### Associate PC4 with PC1 - -1. On SRV1 in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices** and then click **Import Computer Information**. - -2. On the Select Source page, choose **Import single computer** and click **Next**. - -3. On the Single Computer page, use the following settings: - - Computer Name: **PC4** - - MAC Address: **00:15:5D:83:26:FF** - - Source Computer: \ - -4. Click **Next**, and on the User Accounts page choose **Capture and restore specified user accounts**, then click the yellow starburst next to **User accounts to migrate**. - -5. Click **Browse** and then under Enter the object name to select type **user1** and click OK twice. - -6. Click the yellow starburst again and repeat the previous step to add the **contoso\administrator** account. - -7. Click **Next** twice, and on the Choose Target Collection page, choose **Add computers to the following collection**, click **Browse**, choose **Install Windows 10 Enterprise x64**, click **OK**, click **Next** twice, and then click **Close**. - -8. In the Assets and Compliance workspace, click **User State Migration** and review the computer association in the display pane. The source computer will be the computername of PC1 (GREGLIN-PC1 in this example), the destination computer will be **PC4**, and the migration type will be **side-by-side**. - -9. Right-click the association in the display pane and then click **Specify User Accounts**. You can add or remove user account here. Click **OK**. - -10. Right-click the association in the display pane and then click **View Recovery Information**. Note that a recovery key has been assigned, but a user state store location has not. Click **Close**. - -11. Click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. Verify that **PC4** is displayed in the collection. You might have to update and refresh the collection, or wait a few minutes, but do not proceed until PC4 is available. See the following example: - - ![collection](images/sccm-collection.png) - -### Create a device collection for PC1 - -1. On SRV1, in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Device Collections** and then click **Create Device Collection**. - -2. Use the following settings in the **Create Device Collection Wizard**: - - General > Name: **USMT Backup (Replace)**
          - - General > Limiting collection: **All Systems**
          - - Membership Rules > Add Rule: **Direct Rule**
          - - The **Create Direct Membership Rule Wizard** opens, click **Next**
          - - Search for Resources > Resource class: **System Resource**
          - - Search for Resources > Attribute name: **Name**
          - - Search for Resources > Value: **%**
          - - Select Resources > Value: Select the computername associated with the PC1 VM (GREGLIN-PC1 in this example).
          - - Click **Next** twice and then click **Close** in both windows. - -3. Click **Device Collections** and then double-click **USMT Backup (Replace)**. Verify that the computer name/hostname associated with PC1 is displayed in the collection. Do not proceed until this name is displayed. - -### Create a new deployment - -In the Configuration Manager console, in the Software Library workspace under Operating Systems, click **Task Sequences**, right-click **Replace Task Sequence**, click **Deploy**, and use the following settings: -- General > Collection: **USMT Backup (Replace)**
          -- Deployment Settings > Purpose: **Available**
          -- Deployment Settings > Make available to the following: **Only Configuration Manager Clients**
          -- Scheduling: Click **Next**
          -- User Experience: Click **Next**
          -- Alerts: Click **Next**
          -- Distribution Points: Click **Next**
          -- Click **Next** and then click **Close**. - -### Verify the backup - -1. On PC1, open the Configuration Manager control panel applet by typing the following command: - - ``` - control smscfgrc - ``` -2. On the **Actions** tab, click **Machine Policy Retrieval & Evaluation Cycle**, click **Run Now**, click **OK**, and then click **OK** again. This is one method that can be used to run a task sequence in addition to the Client Notification method that will be demonstrated in the computer refresh procedure. - -3. Type the following at an elevated command prompt to open the Software Center: - - ``` - C:\Windows\CCM\SCClient.exe - ``` - -4. In the Software Center , click **Available Software** and then select the **Replace Task Sequence** checkbox. See the following example: - - ![software](images/sccm-software-cntr.png) - - >If you do not see any available software, try running step #2 again to start the Machine Policy Retrieval & Evaluation Cycle. You should see an alert that new software is available. - -5. Click **INSTALL SELECTED** and then click **INSTALL OPERATING SYSTEM**. -6. Allow the **Replace Task Sequence** to complete, then verify that the C:\MigData folder on SRV1 contains the USMT backup. - -### Deploy the new computer - -1. Start PC4 and press ENTER for a network boot when prompted. To start PC4, type the following commands at an elevated Windows Powershell prompt on the Hyper-V host: - - ``` - Start-VM PC4 - vmconnect localhost PC4 - ``` -2. In the **Welcome to the Task Sequence Wizard**, enter pass@word1 and click **Next**. -3. Choose the **Windows 10 Enterprise X64** image. -4. Setup will install the operating system using the Windows 10 Enterprise x64 reference image, install the configuration manager client, join PC4 to the domain, and restore users and settings from PC1. -5. Save checkpoints for all VMs if you wish to review their status at a later date. This is not required (checkpoints do take up space on the Hyper-V host). Note: the next procedure will install a new OS on PC1 update its status in Configuration Manager and in Active Directory as a Windows 10 device, so you cannot return to a previous checkpoint only on the PC1 VM without a conflict. Therefore, if you do create a checkpoint, you should do this for all VMs. - - To save a checkpoint for all VMs, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - Checkpoint-VM -Name DC1 -SnapshotName cm-refresh - Checkpoint-VM -Name SRV1 -SnapshotName cm-refresh - Checkpoint-VM -Name PC1 -SnapshotName cm-refresh - ``` - -## Refresh a client with Windows 10 using Configuration Manager - - -### Initiate the computer refresh - -1. On SRV1, in the Assets and Compliance workspace, click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. -2. Right-click the computer account for PC1, point to **Client Notification**, click **Download Computer Policy**, and click **OK** in the popup dialog box. -3. On PC1, in the notification area, click **New software is available** and then click **Open Software Center**. -4. In the Software Center, click **Operating Systems**, click **Windows 10 Enterprise x64**, click **Install** and then click **INSTALL OPERATING SYSTEM**. See the following example: - - ![installOS](images/sccm-install-os.png) - - The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then click **More Details**. Click the **Status** tab to see a list of tasks that have been performed. See the following example: - - ![asset](images/sccm-asset.png) - - You can also monitor progress of the installation by using the MDT deployment workbench and viewing the **Monitoring** node under **Deployment Shares\MDT Production**. - - When installation has completed, sign in using the contoso\administrator account or the contoso\user1 account and verify that applications and settings have been successfully backed up and restored to your new Windows 10 Enterprise operating system. - - ![post-refresh](images/sccm-post-refresh.png) - - - -## Related Topics - -[System Center 2012 Configuration Manager Survival Guide](https://social.technet.microsoft.com/wiki/contents/articles/7075.system-center-2012-configuration-manager-survival-guide.aspx#Step-by-Step_Guides) - - - - - - - +--- +title: Step by step - Deploy Windows 10 using System Center Configuration Manager +description: Deploy Windows 10 in a test lab using System Center Configuration Manager +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +keywords: deployment, automate, tools, configure, sccm +ms.localizationpriority: medium +ms.date: 10/11/2017 +ms.reviewer: +manager: laurawi +ms.audience: itpro author: greg-lindsay +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Deploy Windows 10 in a test lab using System Center Configuration Manager + +**Applies to** + +- Windows 10 + +**Important**: This guide leverages the proof of concept (PoC) environment, and some settings that are configured in the following guides: +- [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) +- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) + +Please complete all steps in these guides before attempting the procedures in this guide. If you wish to skip the Windows 10 deployment procedures in the MDT guide and move directly to this guide, you must at least install MDT and the Windows ADK before performing procedures in this guide. All steps in the first guide are required before attempting the procedures in this guide. + +The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs): +- **DC1**: A contoso.com domain controller, DNS server, and DHCP server. +- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network. +- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been cloned from a physical computer on your corporate network for testing purposes. +This guide leverages the Hyper-V server role to perform procedures. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work. + +>Multiple features and services are installed on SRV1 in this guide. This is not a typical installation, and is only done to set up a lab environment with a bare minimum of resources. However, if less than 4 GB of RAM is allocated to SRV1 in the Hyper-V console, some procedures will be extremely slow to complete. If resources are limited on the Hyper-V host, consider reducing RAM allocation on DC1 and PC1, and then increasing the RAM allocation on SRV1. You can adjust RAM allocation for a VM by right-clicking the VM in the Hyper-V Manager console, clicking **Settings**, clicking **Memory**, and modifying the value next to **Maximum RAM**. + +## In this guide + +This guide provides end-to-end instructions to install and configure System Center Configuration Manager, and use it to deploy a Windows 10 image. Depending on the speed of your Hyper-V host, the procedures in this guide will require 6-10 hours to complete. + +Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. + +
          + +
          + +
          TopicDescriptionTime + +
          Install prerequisitesInstall prerequisite Windows Server roles and features, download, install and configure SQL Server, configure firewall rules, and install the Windows ADK.60 minutes +
          Install System Center Configuration ManagerDownload System Center Configuration Manager, configure prerequisites, and install the package.45 minutes +
          Download MDOP and install DaRTDownload the Microsoft Desktop Optimization Pack 2015 and install DaRT 10.15 minutes +
          Prepare for Zero Touch installationPrerequisite procedures to support Zero Touch installation.60 minutes +
          Create a boot image for Configuration ManagerUse the MDT wizard to create the boot image in Configuration Manager.20 minutes +
          Create a Windows 10 reference imageThis procedure can be skipped if it was done previously, otherwise instructions are provided to create a reference image.0-60 minutes +
          Add a Windows 10 operating system imageAdd a Windows 10 operating system image and distribute it.10 minutes
          Create a task sequenceCreate a Configuration Manager task sequence with MDT integration using the MDT wizard15 minutes +
          Finalize the operating system configurationEnable monitoring, configure rules, and distribute content.30 minutes +
          Deploy Windows 10 using PXE and Configuration ManagerDeploy Windows 10 using Configuration Manager deployment packages and task sequences.60 minutes +
          Replace a client with Windows 10 using Configuration ManagerReplace a client computer with Windows 10 using Configuration Manager.90 minutes +
          Refresh a client with Windows 10 using Configuration ManagerUse a task sequence to refresh a client with Windows 10 using Configuration Manager and MDT90 minutes + +
          + +
          + +## Install prerequisites +1. Before installing System Center Configuration Manager, we must install prerequisite services and features. Type the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + Install-WindowsFeature Web-Windows-Auth,Web-ISAPI-Ext,Web-Metabase,Web-WMI,BITS,RDC,NET-Framework-Features,Web-Asp-Net,Web-Asp-Net45,NET-HTTP-Activation,NET-Non-HTTP-Activ + ``` + + >If the request to add features fails, retry the installation by typing the command again. + +2. Download [SQL Server 2014 SP2](https://www.microsoft.com/en-us/evalcenter/evaluate-sql-server-2014-sp2) from the Microsoft Evaluation Center as an .ISO file on the Hyper-V host computer. Save the file to the **C:\VHD** directory. +3. When you have downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\SQLServer2014SP2-FullSlipstream-x64-ENU.iso + ``` + + This command mounts the .ISO file to drive D on SRV1. + +4. Type the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server: + + ``` + D:\setup.exe /q /ACTION=Install /ERRORREPORTING="False" /FEATURES=SQLENGINE,RS,IS,SSMS,TOOLS,ADV_SSMS,CONN /INSTANCENAME=MSSQLSERVER /INSTANCEDIR="C:\Program Files\Microsoft SQL Server" /SQLSVCACCOUNT="NT AUTHORITY\System" /SQLSYSADMINACCOUNTS="BUILTIN\ADMINISTRATORS" /SQLSVCSTARTUPTYPE=Automatic /AGTSVCACCOUNT="NT AUTHORITY\SYSTEM" /AGTSVCSTARTUPTYPE=Automatic /RSSVCACCOUNT="NT AUTHORITY\System" /RSSVCSTARTUPTYPE=Automatic /ISSVCACCOUNT="NT AUTHORITY\System" /ISSVCSTARTUPTYPE=Disabled /ASCOLLATION="Latin1_General_CI_AS" /SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS" /TCPENABLED="1" /NPENABLED="1" /IAcceptSQLServerLicenseTerms + ``` + Installation will take several minutes. When installation is complete, the following output will be displayed: + + ``` + Microsoft (R) SQL Server 2014 12.00.5000.00 + Copyright (c) Microsoft Corporation. All rights reserved. + + Microsoft (R) .NET Framework CasPol 2.0.50727.7905 + Copyright (c) Microsoft Corporation. All rights reserved. + + Success + Microsoft (R) .NET Framework CasPol 2.0.50727.7905 + Copyright (c) Microsoft Corporation. All rights reserved. + + Success + One or more affected files have operations pending. + You should restart your computer to complete this process. + PS C:\> + ``` +5. Type the following commands at an elevated Windows PowerShell prompt on SRV1: + + ``` + New-NetFirewallRule -DisplayName “SQL Server” -Direction Inbound –Protocol TCP –LocalPort 1433 -Action allow + New-NetFirewallRule -DisplayName “SQL Admin Connection” -Direction Inbound –Protocol TCP –LocalPort 1434 -Action allow + New-NetFirewallRule -DisplayName “SQL Database Management” -Direction Inbound –Protocol UDP –LocalPort 1434 -Action allow + New-NetFirewallRule -DisplayName “SQL Service Broker” -Direction Inbound –Protocol TCP –LocalPort 4022 -Action allow + New-NetFirewallRule -DisplayName “SQL Debugger/RPC” -Direction Inbound –Protocol TCP –LocalPort 135 -Action allow + ``` + +7. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1703. Installation might require several minutes to acquire all components. + +## Install System Center Configuration Manager + +1. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt: + + ``` + $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" + Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0 + Stop-Process -Name Explorer + ``` + +2. Download [System Center Configuration Manager and Endpoint Protection](https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) on SRV1 (download the executable file anywhere on SRV1), double-click the file, enter **C:\configmgr** for **Unzip to folder**, and click **Unzip**. The C:\configmgr directory will be automatically created. Click **OK** and then close the **WinZip Self-Extractor** dialog box when finished. + +3. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**: + + ``` + Get-Service Winmgmt + + Status Name DisplayName + ------ ---- ----------- + Running Winmgmt Windows Management Instrumentation + + Test-NetConnection -ComputerName 192.168.0.2 -Port 135 -InformationLevel Detailed + + ComputerName : 192.168.0.2 + RemoteAddress : 192.168.0.2 + RemotePort : 135 + AllNameResolutionResults : + MatchingIPsecRules : + NetworkIsolationContext : Internet + InterfaceAlias : Ethernet + SourceAddress : 192.168.0.2 + NetRoute (NextHop) : 0.0.0.0 + PingSucceeded : True + PingReplyDetails (RTT) : 0 ms + TcpTestSucceeded : True + ``` + You can also verify WMI using the WMI console by typing **wmimgmt.msc**, right-clicking **WMI Control (Local)** in the console tree, and then clicking **Properties**. + + If the WMI service is not started, attempt to start it or reboot the computer. If WMI is running but errors are present, see [WMIDiag](https://blogs.technet.microsoft.com/askperf/2015/05/12/wmidiag-2-2-is-here/) for troubleshooting information. + +4. To extend the Active Directory schema, type the following command at an elevated Windows PowerShell prompt: + + ``` + cmd /c C:\configmgr\SMSSETUP\BIN\X64\extadsch.exe + ``` + +5. Temporarily switch to the DC1 VM, and type the following command at an elevated command prompt on DC1: + + ``` + adsiedit.msc + ``` + +6. Right-click **ADSI Edit**, click **Connect to**, select **Default (Domain or server that you logged in to)** under **Computer** and then click **OK**. +7. Expand **Default naming context**>**DC=contoso,DC=com**, and then in the console tree right-click **CN=System**, point to **New**, and then click **Object**. +8. Click **container** and then click **Next**. +9. Next to **Value**, type **System Management**, click **Next**, and then click **Finish**. +10. Right-click **CN=system Management** and then click **Properties**. +11. On the **Security** tab, click **Add**, click **Object Types**, select **Computers**, and click **OK**. +12. Under **Enter the object names to select**, type **SRV1** and click **OK**. +13. The **SRV1** computer account will be highlighted, select **Allow** next to **Full control**. +14. Click **Advanced**, click **SRV1 (CONTOSO\SRV1$)** and click **Edit**. +15. Next to **Applies to**, choose **This object and all descendant objects**, and then click **OK** three times. +16. Close the ADSI Edit console and switch back to SRV1. +17. To start Configuration Manager installation, type the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + cmd /c C:\configmgr\SMSSETUP\BIN\X64\Setup.exe + ``` +18. Provide the following in the System Center Configuration Manager Setup Wizard: + - **Before You Begin**: Read the text and click *Next*. + - **Getting Started**: Choose **Install a Configuration Manager primary site** and select the **Use typical installation options for a stand-alone primary site** checkbox. + - Click **Yes** in response to the popup window. + - **Product Key**: Choose **Install the evaluation edition of this Product**. + - **Microsoft Software License Terms**: Read the terms and then select the **I accept these license terms** checkbox. + - **Prerequisite Licenses**: Review license terms and select all three checkboxes on the page. + - **Prerequisite Downloads**: Choose **Download required files** and enter **c:\windows\temp** next to **Path**. + - **Site and Installation Settings**: Site code: **PS1**, Site name: **Contoso**. + - use default settings for all other options + - **Usage Data**: Read the text and click **Next**. + - **Service Connection Point Setup**: Accept the default settings (SRV1.contoso.com is automatically added under Select a server to use). + - **Settings Summary**: Review settings and click **Next**. + - **Prerequisite Check**: No failures should be listed. Ignore any warnings and click **Begin Install**. + + >There should be at most three warnings present: WSUS on site server, configuration for SQL Server memory usage, and SQL Server process memory allocation. These warnings can safely be ignored in this test environment. + + Depending on the speed of the Hyper-V host and resources allocated to SRV1, installation can require approximately one hour. Click **Close** when installation is complete. + +19. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1: + + ``` + Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1 + Stop-Process -Name Explorer + ``` + +## Download MDOP and install DaRT + +>[!IMPORTANT] +>This step requires an MSDN subscription or volume licence agreement. For more information, see [Ready for Windows 10: MDOP 2015 and more tools are now available](https://blogs.technet.microsoft.com/windowsitpro/2015/08/17/ready-for-windows-10-mdop-2015-and-more-tools-are-now-available/). +>If your organization qualifies and does not already have an MSDN subscription, you can obtain a [free MSDN subscription with BizSpark](https://blogs.msdn.microsoft.com/zainnab/2011/03/14/bizspark-free-msdn-subscription-for-start-up-companies/). + +1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host. + +2. Type the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1: + + ``` + Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso + ``` +3. Type the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + cmd /c "D:\DaRT\DaRT 10\Installers\en-us\x64\MSDaRT100.msi" + ``` +4. Install DaRT 10 using default settings. +5. Type the following commands at an elevated Windows PowerShell prompt on SRV1: + + ``` + Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx64.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64" + Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx86.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x86" + ``` + +## Prepare for Zero Touch installation + +This section contains several procedures to support Zero Touch installation with System Center Configuration Manager. + +### Create a folder structure + +1. Type the following commands at a Windows PowerShell prompt on SRV1: + + ``` + New-Item -ItemType Directory -Path "C:\Sources\OSD\Boot" + New-Item -ItemType Directory -Path "C:\Sources\OSD\OS" + New-Item -ItemType Directory -Path "C:\Sources\OSD\Settings" + New-Item -ItemType Directory -Path "C:\Sources\OSD\Branding" + New-Item -ItemType Directory -Path "C:\Sources\OSD\MDT" + New-Item -ItemType Directory -Path "C:\Logs" + New-SmbShare -Name Sources$ -Path C:\Sources -ChangeAccess EVERYONE + New-SmbShare -Name Logs$ -Path C:\Logs -ChangeAccess EVERYONE + ``` + +### Enable MDT ConfigMgr integration + +1. On SRV1, click **Start**, type **configmgr**, and then click **Configure ConfigMgr Integration**. +2. Type **PS1** next to **Site code**, and then click **Next**. +3. Verify **The process completed successfully** is displayed, and then click **Finish**. + +### Configure client settings + +1. On SRV1, click **Start**, type **configuration manager**, right-click **Configuration Manager Console**, and then click **Pin to Taskbar**. +2. Click **Desktop**, and then launch the Configuration Manager console from the taskbar. +3. If the console notifies you that an update is available, click **OK**. It is not necessary to install updates to complete this lab. +4. In the console tree, open the **Administration** workspace (in the lower left corner) and click **Client Settings**. +5. In the display pane, double-click **Default Client Settings**. +6. Click **Computer Agent**, next to **Organization name displayed in Software Center** type **Contoso**, and then click **OK**. + +### Configure the network access account + +1. In the Administration workspace, expand **Site Configuration** and click **Sites**. +2. On the **Home** ribbon at the top of the console window, click **Configure Site Components** and then click **Software Distribution**. +3. On the **Network Access Account** tab, choose **Specify the account that accesses network locations**. +4. Click the yellow starburst and then click **New Account**. +5. Click **Browse** and then under **Enter the object name to select**, type **CM_NAA** and click **OK**. +6. Next to **Password** and **Confirm Password**, type pass@word1, and then click **OK** twice. + +### Configure a boundary group + +1. In the Administration workspace, expand **Hierarchy Configuration**, right-click **Boundaries** and then click **Create Boundary**. +2. Next to **Description**, type **PS1**, next to **Type** choose **Active Directory Site**, and then click **Browse**. +3. Choose **Default-First-Site-Name** and then click **OK** twice. +4. In the Administration workspace, right-click **Boundary Groups** and then click **Create Boundary Group**. +5. Next to **Name**, type **PS1 Site Assignment and Content Location**, click **Add**, select the **Default-First-Site-Name** boundary and then click **OK**. +6. On the **References** tab in the **Create Boundary Group** window select the **Use this boundary group for site assignment** checkbox. +7. Click **Add**, select the **\\\SRV1.contoso.com** checkbox, and then click **OK** twice. + +### Add the state migration point role + +1. In the Administration workspace, expand **Site Configuration**, click **Sites**, and then in on the **Home** ribbon at the top of the console click **Add Site System Roles**. +2. In the Add site System Roles Wizard, click **Next** twice and then on the Specify roles for this server page, select the **State migration point** checkbox. +3. Click **Next**, click the yellow starburst, type **C:\MigData** for the **Storage folder**, and click **OK**. +4. Click **Next**, and then verify under **Boundary groups** that **PS1 Site Assignment and Content Location** is displayed. +5. Click **Next** twice and then click **Close**. + +### Enable PXE on the distribution point + +>[!IMPORTANT] +>Before enabling PXE in Configuration Manager, ensure that any previous installation of WDS does not cause conflicts. Configuration Manager will automatically configure the WDS service to manage PXE requests. To disable a previous installation, if it exists, type the following commands at an elevated Windows PowerShell prompt on SRV1: + +``` +WDSUTIL /Set-Server /AnswerClients:None +``` + +1. Determine the MAC address of the internal network adapter on SRV1. To determine this, type the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + (Get-NetAdapter "Ethernet").MacAddress + ``` + >If the internal network adapter, assigned an IP address of 192.168.0.2, is not named "Ethernet" then replace the name "Ethernet" in the previous command with the name of this network adapter. You can review the names of network adapters and the IP addresses assigned to them by typing **ipconfig**. + +2. In the System Center Configuration Manager console, in the **Administration** workspace, click **Distribution Points**. +3. In the display pane, right-click **SRV1.CONTOSO.COM** and then click **Properties**. +4. On the PXE tab, select the following settings: + - **Enable PXE support for clients**. Click **Yes** in the popup that appears. + - **Allow this distribution point to respond to incoming PXE requests** + - **Enable unknown computer support**. Click **OK** in the popup that appears. + - **Require a password when computers use PXE** + - **Password** and **Confirm password**: pass@word1 + - **Respond to PXE requests on specific network interfaces**: Click the yellow starburst and then enter the MAC address determined in the first step of this procedure. + + See the following example: + + Config Mgr PXE + +5. Click **OK**. +6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present: + + ``` + cmd /c dir /b C:\RemoteInstall\SMSBoot\x64 + + abortpxe.com + bootmgfw.efi + bootmgr.exe + pxeboot.com + pxeboot.n12 + wdsmgfw.efi + wdsnbp.com + ``` + >If these files are not present in the C:\RemoteInstall directory, verify that the REMINST share is configured as C:\RemoteInstall. You can view the properties of this share by typing "net share REMINST" at a command prompt. If the share path is set to a different value, then replace C:\RemoteInstall with your REMINST share path. + >You can also type the following command at an elevated Windows PowerShell prompt to open the Configuration Manager Trace Log Tool. In the tool, click **File**, click **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red: + + ``` + Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe' + ``` + + The log file will updated continuously while Configuration Manager is running. Wait for Configuration Manager to repair any issues that are present, and periodically re-check that the files are present in the REMINST share location. Close the Configuration Manager Trace Log Tool when done. You will see the following line in distmgr.log that indicates the REMINST share is being populated with necessary files: + + Running: WDSUTIL.exe /Initialize-Server /REMINST:"C:\RemoteInstall" + + Once the files are present in the REMINST share location, you can close the cmtrace tool. + +### Create a branding image file + +1. If you have a bitmap (.BMP) image for suitable use as a branding image, copy it to the C:\Sources\OSD\Branding folder on SRV1. Otherwise, use the following step to copy a simple branding image. +2. Type the following command at an elevated Windows PowerShell prompt: + + ``` + copy "C:\ProgramData\Microsoft\User Account Pictures\user.bmp" "C:\Sources\OSD\Branding\contoso.bmp" + ``` + >You can open C:\Sources\OSD\Branding\contoso.bmp in MSPaint.exe if desired to customize this image. + + +### Create a boot image for Configuration Manager + +1. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and then click **Create Boot Image using MDT**. +2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then click **Next**. + - The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later. +3. On the General Settings page, type **Zero Touch WinPE x64** next to **Name**, and click **Next**. +4. On the Options page, under **Platform** choose **x64**, and click **Next**. +5. On the Components page, in addition to the default selection of **Microsoft Data Access Components (MDAC/ADO) support**, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox, and click **Next**. +6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, type or browse to **\\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then click **Next** twice. It will take a few minutes to generate the boot image. +7. Click **Finish**. +8. In the console display pane, right-click the **Zero Touch WinPE x64** boot image, and then click **Distribute Content**. +9. In the Distribute Content Wizard, click **Next**, click **Add** and select **Distribution Point**, select the **SRV1.CONTOSO.COM** checkbox, click **OK**, click **Next** twice, and then click **Close**. +10. Use the CMTrace application to view the **distmgr.log** file again and verify that the boot image has been distributed. To open CMTrace, type the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe' + ``` + + In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example: + + ``` + STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=924 TID=1424 GMTDATE=Tue Oct 09 22:36:30.986 2018 ISTR0="Zero Touch WinPE x64" ISTR1="PS10000A" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS10000A" SMS_DISTRIBUTION_MANAGER 10/9/2018 3:36:30 PM 1424 (0x0590) + ``` + +11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Double-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab. +12. Next, in the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then click the **Data Source** tab. +13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and click **OK**. +14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. See the following example: + + ``` + cmd /c dir /s /b C:\RemoteInstall\SMSImages + + C:\RemoteInstall\SMSImages\PS100004 + C:\RemoteInstall\SMSImages\PS100005 + C:\RemoteInstall\SMSImages\PS100006 + C:\RemoteInstall\SMSImages\PS100004\boot.PS100004.wim + C:\RemoteInstall\SMSImages\PS100005\boot.PS100005.wim + C:\RemoteInstall\SMSImages\PS100006\WinPE.PS100006.wim + ``` + + >The first two images (*.wim files) are default boot images. The third is the new boot image with DaRT. + +### Create a Windows 10 reference image + +If you have already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you have already created a Windows 10 reference image. In this case, skip to the next procedure in this guide: [Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image). If you have not yet created a Windows 10 reference image, complete the steps in this section. + +1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command: + + ``` + Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso + ``` +2. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D. + +3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**. + +4. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. + +5. Use the following settings for the New Deployment Share Wizard: + - Deployment share path: **C:\MDTBuildLab**
          + - Share name: **MDTBuildLab$**
          + - Deployment share description: **MDT build lab**
          + - Options: click **Next** to accept the default
          + - Summary: click **Next**
          + - Progress: settings will be applied
          + - Confirmation: click **Finish** + +6. Expand the **Deployment Shares** node, and then expand **MDT build lab**. + +7. Right-click the **Operating Systems** node, and then click **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**. + +7. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**. + +8. Use the following settings for the Import Operating System Wizard: + - OS Type: **Full set of source files**
          + - Source: **D:\\**
          + - Destination: **W10Ent_x64**
          + - Summary: click **Next** + - Confirmation: click **Finish** + +9. For purposes of this test lab, we will not add applications, such as Microsoft Office, to the deployment share. For information about adding applications, see the [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#sec03) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library. + +10. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: **REFW10X64-001**
          + - Task sequence name: **Windows 10 Enterprise x64 Default Image**
          + - Task sequence comments: **Reference Build**
          + - Template: **Standard Client Task Sequence** + - Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim** + - Specify Product Key: **Do not specify a product key at this time** + - Full Name: **Contoso** + - Organization: **Contoso** + - Internet Explorer home page: **http://www.contoso.com** + - Admin Password: **Do not specify an Administrator password at this time** + - Summary: click **Next** + - Confirmation: click **Finish** + +11. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step. + +12. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**. A new group will be added under Tattoo. + +13. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. To see the name change, click **Tattoo**, then click the new group again. + +14. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**. + +15. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**. + +16. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. + >Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications. + +17. Click **OK** to complete editing the task sequence. + +18. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and click **Properties**, and then click the **Rules** tab. + +19. Replace the default rules with the following text: + + ``` + [Settings] + Priority=Default + + [Default] + _SMSTSORGNAME=Contoso + UserDataLocation=NONE + DoCapture=YES + OSInstall=Y + AdminPassword=pass@word1 + TimeZoneName=Pacific Standard TimeZoneName + OSDComputername=#Left("PC-%SerialNumber%",7)# + JoinWorkgroup=WORKGROUP + HideShell=YES + FinishAction=SHUTDOWN + DoNotCreateExtraPartition=YES + ApplyGPOPack=NO + SkipAdminPassword=YES + SkipProductKey=YES + SkipComputerName=YES + SkipDomainMembership=YES + SkipUserData=YES + SkipLocaleSelection=YES + SkipTaskSequence=NO + SkipTimeZone=YES + SkipApplications=YES + SkipBitLocker=YES + SkipSummary=YES + SkipRoles=YES + SkipCapture=NO + SkipFinalSummary=NO + ``` + +20. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: + + ``` + [Settings] + Priority=Default + + [Default] + DeployRoot=\\SRV1\MDTBuildLab$ + UserDomain=CONTOSO + UserID=MDT_BA + UserPassword=pass@word1 + SkipBDDWelcome=YES + ``` + +21. Click **OK** to complete the configuration of the deployment share. + +22. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**. + +23. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, click **Finish**. + +24. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI). + + >Hint: Top copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**. + +25. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands: + + ``` + New-VM –Name REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB + Set-VMMemory -VMName REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20 + Set-VMDvdDrive -VMName REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso + Start-VM REFW10X64-001 + vmconnect localhost REFW10X64-001 + ``` +26. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**. + +27. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated. + + Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures: + + - Install the Windows 10 Enterprise operating system. + - Install added applications, roles, and features. + - Update the operating system using Windows Update (or WSUS if optionally specified). + - Stage Windows PE on the local disk. + - Run System Preparation (Sysprep) and reboot into Windows PE. + - Capture the installation to a Windows Imaging (WIM) file. + - Turn off the virtual machine. + + This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host and your network's download speed. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on SRV1. The file name is **REFW10X64-001.wim**. + +### Add a Windows 10 operating system image + +1. Type the following commands at an elevated Windows PowerShell prompt on SRV1: + + ``` + New-Item -ItemType Directory -Path "C:\Sources\OSD\OS\Windows 10 Enterprise x64" + cmd /c copy /z "C:\MDTBuildLab\Captures\REFW10X64-001.wim" "C:\Sources\OSD\OS\Windows 10 Enterprise x64" + ``` + +2. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Operating System Images**, and then click **Add Operating System Image**. + +3. On the Data Source page, under **Path:**, type or browse to **\\\SRV1\Sources$\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim**, and click **Next**. + +4. On the General page, next to **Name:**, type **Windows 10 Enterprise x64**, click **Next** twice, and then click **Close**. + +5. Distribute the operating system image to the SRV1 distribution point by right-clicking the **Windows 10 Enterprise x64** operating system image and then clicking **Distribute Content**. + +6. In the Distribute Content Wizard, click **Next**, click **Add**, click **Distribution Point**, add the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**. + +7. Enter **\Monitoring\Overview\Distribution Status\Content Status** on the location bar (be sure there is no space at the end of the location or you will get an error), click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. Processing of the image on the site server can take several minutes. + + >If content distribution is not successful, verify that sufficient disk space is available. + +### Create a task sequence + +>Complete this section slowly. There are a large number of similar settings from which to choose. + +1. In the Configuration Manager console, in the **Software Library** workspace expand **Operating Systems**, right-click **Task Sequences**, and then click **Create MDT Task Sequence**. + +2. On the Choose Template page, select the **Client Task Sequence** template and click **Next**. + +3. On the General page, type **Windows 10 Enterprise x64** under **Task sequence name:** and then click **Next**. + +4. On the Details page, enter the following settings: + - Join a domain: **contoso.com** + - Account: click **Set** + - User name: **contoso\CM_JD** + - Password: pass@word1 + - Confirm password: pass@word1 + - Click **OK** + - Windows Settings + - User name: **Contoso** + - Organization name: **Contoso** + - Product key: \ + - Administrator Account: **Enable the account and specify the local administrator password** + - Password: pass@word1 + - Confirm password: pass@word1 + - Click **Next** + +5. On the Capture Settings page, accept the default settings and click **Next**. + +6. On the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package, click **OK**, and then click **Next**. + +7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\MDT\MDT** (MDT is repeated here, not a typo), and then click **Next**. + +8. On the MDT Details page, next to **Name:** type **MDT** and then click **Next**. + +9. On the OS Image page, browse and select the **Windows 10 Enterprise x64** package, click **OK**, and then click **Next**. + +10. On the Deployment Method page, accept the default settings for **Zero Touch Installation** and click **Next**. + +11. On the Client Package page, browse and select the **Microsoft Corporation Configuration Manager Client package**, click **OK**, and then click **Next**. + +12. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows 10.0.14393.0** package, click **OK**, and then click **Next**. + +13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings**, and then click **Next**. + +14. On the Settings Details page, next to **Name:**, type **Windows 10 x64 Settings**, and click **Next**. + +15. On the Sysprep Package page, click **Next** twice. + +16. On the Confirmation page, click **Finish**. + +### Edit the task sequence + +1. In the Configuration Manager console, in the **Software Library** workspace, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Edit**. + +2. Scroll down to the **Install** group and click the **Set Variable for Drive Letter** action. + +3. Change the Value under **OSDPreserveDriveLetter** from **False** to **True**, and then click **Apply**. + +4. In the **State Restore** group, click the **Set Status 5** action, click **Add** in the upper left corner, point to **User State**, and click **Request State Store**. This adds a new action immediately after **Set Status 5**. + +5. Configure the **Request State Store** action that was just added with the following settings:
          + - Request state storage location to: **Restore state from another computer**
          + - Select the **If computer account fails to connect to state store, use the Network Access account** checkbox.
          + - Options tab: Select the **Continue on error** checkbox.
          + - Add Condition: **Task Sequence Variable**:
          + - Variable: **USMTLOCAL**
          + - Condition: **not equals**
          + - Value: **True**
          + - Click **OK**.
          + - Click **Apply**
          . + +6. In the **State Restore** group, click **Restore User State**, click **Add**, point to **User State**, and click **Release State Store**. + +7. Configure the **Release State Store** action that was just added with the following settings:
          + - Options tab: Select the **Continue on error** checkbox.
          + - Add Condition: **Task Sequence Variable**:
          + - Variable: **USMTLOCAL**
          + - Condition: **not equals**
          + - Value: **True**
          + - Click **OK**.
          + - Click **OK**
          . + + +### Finalize the operating system configuration + +>If you completed all procedures in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then the MDT deployment share is already present on SRV1. In this case, skip the first four steps below and begin with step 5 to edit CustomSettings.ini. + +1. In the MDT deployment workbench on SRV1, right-click **Deployment Shares** and then click **New Deployment Share**. + +2. Use the following settings for the New Deployment Share Wizard: + - Deployment share path: **C:\MDTProduction**
          + - Share name: **MDTProduction$**
          + - Deployment share description: **MDT Production**
          + - Options: click **Next** to accept the default
          + - Summary: click **Next**
          + - Progress: settings will be applied
          + - Confirmation: click **Finish** + +3. Right-click the **MDT Production** deployment share, and click **Properties**. + +4. Click the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**. + +5. Type the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + notepad "C:\Sources\OSD\Settings\Windows 10 x64 Settings\CustomSettings.ini" + ``` +6. Replace the contents of the file with the following text, and then save the file: + + ``` + [Settings] + Priority=Default + Properties=OSDMigrateConfigFiles,OSDMigrateMode + + [Default] + DoCapture=NO + ComputerBackupLocation=NONE + OSDMigrateMode=Advanced + OSDMigrateAdditionalCaptureOptions=/ue:*\* /ui:CONTOSO\* + OSDMigrateConfigFiles=Miguser.xml,Migapp.xml + SLSHARE=\\SRV1\Logs$ + EventService=http://SRV1:9800 + ApplyGPOPack=NO + ``` + + >As noted previously, if you wish to migrate accounts other than those in the Contoso domain, then change the OSDMigrateAdditionalCaptureOptions option. For example, the following option will capture settings from all user accounts: + + ``` + OSDMigrateAdditionalCaptureOptions=/all + ``` + + +7. Return to the Configuration Manager console, and in the Software Library workspace, expand **Application Management**, click **Packages**, right-click **Windows 10 x64 Settings**, and then click **Update Distribution Points**. Click **OK** in the popup that appears. + +8. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Distribute Content**. + +9. In the Distribute Content Wizard, click **Next** twice, click **Add**, click **Distribution Point**, select the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**. + +10. Enter **\Monitoring\Overview\Distribution Status\Content Status\Windows 10 Enterprise x64** on the location bar, double-click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. + +### Create a deployment for the task sequence + +1. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Deploy**. + +2. On the General page, next to **Collection**, click **Browse**, select the **All Unknown Computers** collection, click **OK**, and then click **Next**. + +3. On the Deployment Settings page, use the following settings:
          + - Purpose: **Available**
          + - Make available to the following: **Only media and PXE**
          + - Click **Next**.
          +4. Click **Next** five times to accept defaults on the Scheduling, User Experience, Alerts, and Distribution Points pages. + +5. Click **Close**. + +## Deploy Windows 10 using PXE and Configuration Manager + +In this first deployment scenario, we will deploy Windows 10 using PXE. This scenario creates a new computer that does not have any migrated users or settings. + +1. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + New-VM –Name "PC4" –NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 40GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 + Set-VMMemory -VMName "PC4" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20 + Start-VM PC4 + vmconnect localhost PC4 + ``` + +2. Press ENTER when prompted to start the network boot service. + +3. In the Task Sequence Wizard, provide the password: pass@word1, and then click **Next**. + +4. Before you click **Next** in the Task Sequence Wizard, press the **F8** key. A command prompt will open. + +5. At the command prompt, type **explorer.exe** and review the Windows PE file structure. + +6. The smsts.log file is critical for troubleshooting any installation problems that might be encountered. Depending on the deployment phase, the smsts.log file is created in different locations: + - X:\windows\temp\SMSTSLog\smsts.log before disks are formatted. + - x:\smstslog\smsts.log after disks are formatted. + - c:\_SMSTaskSequence\Logs\Smstslog\smsts.log before the System Center Configuration Manager client is installed. + - c:\windows\ccm\logs\Smstslog\smsts.log after the System Center Configuration Manager client is installed. + - c:\windows\ccm\logs\smsts.log when the task sequence is complete. + + Note: If a reboot is pending on the client, the reboot will be blocked as long as the command window is open. + +7. In the explorer window, click **Tools** and then click **Map Network Drive**. + +8. Do not map a network drive at this time. If you need to save the smsts.log file, you can use this method to save the file to a location on SRV1. + +9. Close the Map Network Drive window, the Explorer window, and the command prompt. + +10. The **Windows 10 Enterprise x64** task sequence is selected in the Task Sequenc Wizard. Click **Next** to continue with the deployment. + +11. The task sequence will require several minutes to complete. You can monitor progress of the task sequence using the MDT Deployment Workbench under Deployment Shares > MDTProduction > Monitoring. The task sequence will: + - Install Windows 10 + - Install the Configuration Manager client and hotfix + - Join the computer to the contoso.com domain + - Install any applications that were specified in the reference image + + +12. When Windows 10 installation has completed, sign in to PC4 using the **contoso\administrator** account. + +13. Right-click **Start**, click **Run**, type **control appwiz.cpl**, press ENTER, click **Turn Windows features on or off**, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This is a feature included in the reference image. + +14. Shut down the PC4 VM. + +>Note: The following two procedures 1) Replace a client with Windows 10 and 2) Refresh a client with Windows 10 have been exchanged in their order in this guide compared to the previous version. This is to avoid having to restore Hyper-V checkpoints to have access to PC1 before the OS is upgraded. If this is your first time going through this guide, you won't notice any change, but if you have tried the guide previously then this change should make it simpler to complete. + +## Replace a client with Windows 10 using Configuration Manager + +>Before starting this section, you can delete computer objects from Active Directory that were created as part of previous deployment procedures. Use the Active Directory Users and Computers console on DC1 to remove stale entries under contoso.com\Computers, but do not delete the computer account (hostname) for PC1. There should be at least two computer accounts present in the contoso.com\Computers container: one for SRV1, and one for the hostname of PC1. It is not required to delete the stale entries, this is only done to remove clutter. + +![contoso.com\Computers](images/poc-computers.png) + +In the replace procedure, PC1 will not be migrated to a new operating system. It is simplest to perform this procedure before performing the refresh procedure. After refreshing PC1, the operating system will be new. The next (replace) procedure does not install a new operating system on PC1 but rather performs a side-by-side migration of PC1 and another computer (PC4), to copy users and settings from PC1 to the new computer. + +### Create a replace task sequence + +1. On SRV1, in the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and then click **Create MDT Task Sequence**. + +2. On the Choose Template page, select **Client Replace Task Sequence** and click **Next**. + +3. On the General page, type the following: + - Task sequence name: **Replace Task Sequence** + - Task sequence comments: **USMT backup only** + +4. Click **Next**, and on the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package. Click **OK** and then click **Next** to continue. +5. On the MDT Package page, browse and select the **MDT** package. Click **OK** and then click **Next** to continue. +6. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package. Click **OK** and then click **Next** to continue. +7. On the Settings Package page, browse and select the **Windows 10 x64 Settings** package. Click **OK** and then click **Next** to continue. +8. On the Summary page, review the details and then click **Next**. +9. On the Confirmation page, click **Finish**. + +>If an error is displayed at this stage it can be caused by a corrupt MDT integration. To repair it, close the Configuration Manager console, remove MDT integration, and then restore MDT integration. + +### Deploy PC4 + +Create a VM named PC4 to receive the applications and settings from PC1. This VM represents a new computer that will replace PC1. To create this VM, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + +``` +New-VM –Name "PC4" –NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 +Set-VMMemory -VMName "PC4" -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 2048MB -Buffer 20 +Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF +``` + +>Hyper-V enables us to define a static MAC address on PC4. In a real-world scenario you must determine the MAC address of the new computer. + +### Install the Configuration Manager client on PC1 + +1. Verify that the PC1 VM is running and in its original state, which was saved as a checkpoint and then restored in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md). + +2. If a PC1 checkpoint has not already been saved, then save a checkpoint by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Checkpoint-VM -Name PC1 -SnapshotName BeginState + ``` + +3. On SRV1, in the Configuration Manager console, in the Administration workspace, expand **Hierarchy Configuration** and click on **Discovery Methods**. +4. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox. +5. Click the yellow starburst, click **Browse**, select **contoso\Computers**, and then click **OK** three times. +6. When a popup dialog box asks if you want to run full discovery, click **Yes**. +7. In the Assets and Compliance workspace, click **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example): + + ![assets](images/sccm-assets.png) + + >If you do not see the computer account for PC1, try clicking the **Refresh** button in the upper right corner of the console. + + The **Client** column indicates that the Configuration Manager client is not currently installed. This procedure will be carried out next. + +8. Sign in to PC1 using the contoso\administrator account and type the following at an elevated command prompt to remove any pre-existing client configuration, if it exists. Note: this command requires an elevated command prompt not an elevated Windows PowerShell prompt: + + ``` + sc stop ccmsetup + "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /Uninstall + ``` + >If PC1 still has Configuration Manager registry settings that were applied by Group Policy, startup scripts, or other policies in its previous domain, these might not all be removed by CCMSetup /Uninstall and can cause problems with installation or registration of the client in its new environment. It might be necessary to manually remove these settings if they are present. For more information, see [Manual removal of the SCCM client](https://blogs.technet.microsoft.com/michaelgriswold/2013/01/02/manual-removal-of-the-sccm-client/). + +9. On PC1, temporarily stop Windows Update from queuing items for download and clear all BITS jobs from the queue: + + ``` + net stop wuauserv + net stop BITS + ``` + + Verify that both services were stopped successfully, then type the following at an elevated command prompt: + + ``` + del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat" + net start BITS + bitsadmin /list /allusers + ``` + + Verify that BITSAdmin displays 0 jobs. + +10. To install the Configuration Manager client as a standalone process, type the following at an elevated command prompt: + + ``` + "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /mp:SRV1.contoso.com /logon SMSSITECODE=PS1 + ``` +11. On PC1, using file explorer, open the **C:\Windows\ccmsetup** directory. During client installation, files will be downloaded here. +12. Installation progress will be captured in the file: **c:\windows\ccmsetup\logs\ccmsetup.log**. You can periodically open this file in notepad, or you can type the following command at an elevated Windows PowerShell prompt to monitor installation progress: + + ``` + Get-Content -Path c:\windows\ccmsetup\logs\ccmsetup.log -Wait + ``` + + Installation might require several minutes, and display of the log file will appear to hang while some applications are installed. This is normal. When setup is complete, verify that **CcmSetup is existing with return code 0** is displayed on the last line of the ccmsetup.log file and then press **CTRL-C** to break out of the Get-Content operation (if you are viewing the log in Windows PowerShell the last line will be wrapped). A return code of 0 indicates that installation was successful and you should now see a directory created at **C:\Windows\CCM** that contains files used in registration of the client with its site. + +13. On PC1, open the Configuration Manager control panel applet by typing the following command: + + ``` + control smscfgrc + ``` + +14. Click the **Site** tab, click **Configure Settings**, and click **Find Site**. The client will report that it has found the PS1 site. See the following example: + + ![site](images/sccm-site.png) + + If the client is not able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the site code is not located is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode** this must be deleted or updated. + +15. On SRV1, in the Assets and Compliance workspace, click **Device Collections** and then double-click **All Desktop and Server Clients**. This node will be added under **Devices**. + +16. Click **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example: + + ![client](images/sccm-client.png) + + >It might take several minutes for the client to fully register with the site and complete a client check. When it is complete you will see a green check mark over the client icon as shown above. To refresh the client, click it and then press **F5** or right-click the client and click **Refresh**. + +### Create a device collection and deployment + +1. On SRV1, in the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections** and then click **Create Device Collection**. + +2. Use the following settings in the **Create Device Collection Wizard**: + - General > Name: **Install Windows 10 Enterprise x64**
          + - General > Limiting collection: **All Systems**
          + - Membership Rules > Add Rule: **Direct Rule**
          + - The **Create Direct Membership Rule Wizard** opens, click **Next**
          + - Search for Resources > Resource class: **System Resource**
          + - Search for Resources > Attribute name: **Name**
          + - Search for Resources > Value: **%**
          + - Select Resources > Value: Select the computername associated with the PC1 VM
          + - Click **Next** twice and then click **Close** in both windows (Next, Next, Close, then Next, Next, Close) + +3. Double-click the Install Windows 10 Enterprise x64 device collection and verify that the PC1 computer account is displayed. + +4. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64** and then click **Deploy**. + +5. Use the following settings in the Deploy Software wizard: + - General > Collection: Click Browse and select **Install Windows 10 Enterprise x64**
          + - Deployment Settings > Purpose: **Available**
          + - Deployment Settings > Make available to the following: **Configuration Manager clients, media and PXE**
          + - Scheduling > Click **Next**
          + - User Experience > Click **Next**
          + - Alerts > Click **Next**
          + - Distribution Points > Click **Next**
          + - Summary > Click **Next**
          + - Verify that the wizard completed successfully and then click **Close** + + +### Associate PC4 with PC1 + +1. On SRV1 in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices** and then click **Import Computer Information**. + +2. On the Select Source page, choose **Import single computer** and click **Next**. + +3. On the Single Computer page, use the following settings: + - Computer Name: **PC4** + - MAC Address: **00:15:5D:83:26:FF** + - Source Computer: \ + +4. Click **Next**, and on the User Accounts page choose **Capture and restore specified user accounts**, then click the yellow starburst next to **User accounts to migrate**. + +5. Click **Browse** and then under Enter the object name to select type **user1** and click OK twice. + +6. Click the yellow starburst again and repeat the previous step to add the **contoso\administrator** account. + +7. Click **Next** twice, and on the Choose Target Collection page, choose **Add computers to the following collection**, click **Browse**, choose **Install Windows 10 Enterprise x64**, click **OK**, click **Next** twice, and then click **Close**. + +8. In the Assets and Compliance workspace, click **User State Migration** and review the computer association in the display pane. The source computer will be the computername of PC1 (GREGLIN-PC1 in this example), the destination computer will be **PC4**, and the migration type will be **side-by-side**. + +9. Right-click the association in the display pane and then click **Specify User Accounts**. You can add or remove user account here. Click **OK**. + +10. Right-click the association in the display pane and then click **View Recovery Information**. Note that a recovery key has been assigned, but a user state store location has not. Click **Close**. + +11. Click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. Verify that **PC4** is displayed in the collection. You might have to update and refresh the collection, or wait a few minutes, but do not proceed until PC4 is available. See the following example: + + ![collection](images/sccm-collection.png) + +### Create a device collection for PC1 + +1. On SRV1, in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Device Collections** and then click **Create Device Collection**. + +2. Use the following settings in the **Create Device Collection Wizard**: + - General > Name: **USMT Backup (Replace)**
          + - General > Limiting collection: **All Systems**
          + - Membership Rules > Add Rule: **Direct Rule**
          + - The **Create Direct Membership Rule Wizard** opens, click **Next**
          + - Search for Resources > Resource class: **System Resource**
          + - Search for Resources > Attribute name: **Name**
          + - Search for Resources > Value: **%**
          + - Select Resources > Value: Select the computername associated with the PC1 VM (GREGLIN-PC1 in this example).
          + - Click **Next** twice and then click **Close** in both windows. + +3. Click **Device Collections** and then double-click **USMT Backup (Replace)**. Verify that the computer name/hostname associated with PC1 is displayed in the collection. Do not proceed until this name is displayed. + +### Create a new deployment + +In the Configuration Manager console, in the Software Library workspace under Operating Systems, click **Task Sequences**, right-click **Replace Task Sequence**, click **Deploy**, and use the following settings: +- General > Collection: **USMT Backup (Replace)**
          +- Deployment Settings > Purpose: **Available**
          +- Deployment Settings > Make available to the following: **Only Configuration Manager Clients**
          +- Scheduling: Click **Next**
          +- User Experience: Click **Next**
          +- Alerts: Click **Next**
          +- Distribution Points: Click **Next**
          +- Click **Next** and then click **Close**. + +### Verify the backup + +1. On PC1, open the Configuration Manager control panel applet by typing the following command: + + ``` + control smscfgrc + ``` +2. On the **Actions** tab, click **Machine Policy Retrieval & Evaluation Cycle**, click **Run Now**, click **OK**, and then click **OK** again. This is one method that can be used to run a task sequence in addition to the Client Notification method that will be demonstrated in the computer refresh procedure. + +3. Type the following at an elevated command prompt to open the Software Center: + + ``` + C:\Windows\CCM\SCClient.exe + ``` + +4. In the Software Center , click **Available Software** and then select the **Replace Task Sequence** checkbox. See the following example: + + ![software](images/sccm-software-cntr.png) + + >If you do not see any available software, try running step #2 again to start the Machine Policy Retrieval & Evaluation Cycle. You should see an alert that new software is available. + +5. Click **INSTALL SELECTED** and then click **INSTALL OPERATING SYSTEM**. +6. Allow the **Replace Task Sequence** to complete, then verify that the C:\MigData folder on SRV1 contains the USMT backup. + +### Deploy the new computer + +1. Start PC4 and press ENTER for a network boot when prompted. To start PC4, type the following commands at an elevated Windows Powershell prompt on the Hyper-V host: + + ``` + Start-VM PC4 + vmconnect localhost PC4 + ``` +2. In the **Welcome to the Task Sequence Wizard**, enter pass@word1 and click **Next**. +3. Choose the **Windows 10 Enterprise X64** image. +4. Setup will install the operating system using the Windows 10 Enterprise x64 reference image, install the configuration manager client, join PC4 to the domain, and restore users and settings from PC1. +5. Save checkpoints for all VMs if you wish to review their status at a later date. This is not required (checkpoints do take up space on the Hyper-V host). Note: the next procedure will install a new OS on PC1 update its status in Configuration Manager and in Active Directory as a Windows 10 device, so you cannot return to a previous checkpoint only on the PC1 VM without a conflict. Therefore, if you do create a checkpoint, you should do this for all VMs. + + To save a checkpoint for all VMs, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Checkpoint-VM -Name DC1 -SnapshotName cm-refresh + Checkpoint-VM -Name SRV1 -SnapshotName cm-refresh + Checkpoint-VM -Name PC1 -SnapshotName cm-refresh + ``` + +## Refresh a client with Windows 10 using Configuration Manager + + +### Initiate the computer refresh + +1. On SRV1, in the Assets and Compliance workspace, click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. +2. Right-click the computer account for PC1, point to **Client Notification**, click **Download Computer Policy**, and click **OK** in the popup dialog box. +3. On PC1, in the notification area, click **New software is available** and then click **Open Software Center**. +4. In the Software Center, click **Operating Systems**, click **Windows 10 Enterprise x64**, click **Install** and then click **INSTALL OPERATING SYSTEM**. See the following example: + + ![installOS](images/sccm-install-os.png) + + The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then click **More Details**. Click the **Status** tab to see a list of tasks that have been performed. See the following example: + + ![asset](images/sccm-asset.png) + + You can also monitor progress of the installation by using the MDT deployment workbench and viewing the **Monitoring** node under **Deployment Shares\MDT Production**. + + When installation has completed, sign in using the contoso\administrator account or the contoso\user1 account and verify that applications and settings have been successfully backed up and restored to your new Windows 10 Enterprise operating system. + + ![post-refresh](images/sccm-post-refresh.png) + + + +## Related Topics + +[System Center 2012 Configuration Manager Survival Guide](https://social.technet.microsoft.com/wiki/contents/articles/7075.system-center-2012-configuration-manager-survival-guide.aspx#Step-by-Step_Guides) + + + + + + + diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index 422cae51ba..b12b80110d 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md @@ -1,1106 +1,1106 @@ ---- -title: Configure a test lab to deploy Windows 10 -ms.reviewer: -manager: laurawi -ms.author: greg-lindsay -description: Concepts and procedures for deploying Windows 10 in a proof of concept lab environment. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -keywords: deployment, automate, tools, configure, mdt, sccm -ms.localizationpriority: medium -author: greg-lindsay -ms.topic: article ---- - -# Step by step guide: Configure a test lab to deploy Windows 10 - -**Applies to** - -- Windows 10 - -This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides: - -- [Step by step: Deploy Windows 10 in a test lab using MDT](windows-10-poc-mdt.md)
          -- [Step by step: Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
          - -The PoC deployment guides are intended to provide a demonstration of Windows 10 deployment tools and processes for IT professionals that are not familiar with these tools, and those that are interested in setting up a proof of concept environment. The instructions in this guide should not be used in a production setting, and are not meant to replace the instructions found in production deployment guidance. - -Approximately 3 hours are required to configure the PoC environment. You will need a Hyper-V capable computer running Windows 8.1 or later with at least 16GB of RAM. Detailed [requirements](#hardware-and-software-requirements) are provided below. You will also need to have a [Microsoft account](https://www.microsoft.com/account) to use for downloading evaluation software. - -Windows PowerShell commands are provided to set up the PoC environment quickly. You do not need to be an expert in Windows PowerShell to complete the steps in the guide, however you are required to customize some commands to your environment. - -> Instructions to "type" Windows PowerShell commands provided in this guide can be followed literally by typing the commands, but the preferred method is to copy and paste these commands. -> -> A Windows PowerShell window can be used to run all commands in this guide. However, when commands are specified for a command prompt, you must either type CMD at the Windows PowerShell prompt to enter the command prompt, or preface the command with "cmd /c", or if desired you can escape special characters in the command using the back-tick character (`). In most cases, the simplest thing is to type cmd and enter a command prompt, type the necessary commands, then type "exit" to return to Windows PowerShell. - -Hyper-V is installed, configured and used extensively in this guide. If you are not familiar with Hyper-V, review the [terminology](#appendix-b-terminology-used-in-this-guide) used in this guide before starting. - -## In this guide - -This guide contains instructions for three general procedures: Install Hyper-V, configure Hyper-V, and configure VMs. If you already have a computer running Hyper-V, you can use this computer and skip the first procedure. In this case, your virtual switch settings must be modified to match those used in this guide, or the steps in this guide can be modified to use your existing Hyper-V settings. - -After completing the instructions in this guide, you will have a PoC environment that enables you to test Windows 10 deployment procedures by following instructions in companion guides that are written to use the PoC environment. Links are provided to download trial versions of Windows Server 2012, Windows 10 Enterprise, and all deployment tools necessary to complete the lab. - -Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. - -
          - -
          - - - -
          TopicDescriptionTime
          Hardware and software requirementsPrerequisites to complete this guide.Informational -
          Lab setupA description and diagram of the PoC environment.Informational -
          Configure the PoC environmentParent topic for procedures.Informational -
          Verify support and install Hyper-VVerify that installation of Hyper-V is supported, and install the Hyper-V server role.10 minutes -
          Download VHD and ISO filesDownload evaluation versions of Windows Server 2012 R2 and Windows 10 and prepare these files to be used on the Hyper-V host.30 minutes -
          Convert PC to VMConvert a physical computer on your network to a VM hosted in Hyper-V.30 minutes -
          Resize VHDIncrease the storage capacity for one of the Windows Server VMs.5 minutes -
          Configure Hyper-VCreate virtual switches, determine available RAM for virtual machines, and add virtual machines.15 minutes -
          Configure service and user accountsStart virtual machines and configure all services and settings.60 minutes -
          Configure VMsStart virtual machines and configure all services and settings.60 minutes -
          Appendix A: Verify the configurationVerify and troubleshoot network connectivity and services in the PoC environment.30 minutes -
          Appendix B: Terminology in this guideTerms used in this guide.Informational -
          -
          - -## Hardware and software requirements - -One computer that meets the hardware and software specifications below is required to complete the guide; A second computer is recommended to validate the upgrade process. - -- **Computer 1**: the computer you will use to run Hyper-V and host virtual machines. This computer should have 16 GB or more of installed RAM and a multi-core processor. -- **Computer 2**: a client computer from your corporate network. It is shadow-copied to create a VM that can be added to the PoC environment, enabling you to test a mirror image of a computer on your network. If you do not have a computer to use for this simulation, you can download an evaluation VHD and use it to represent this computer. Subsequent guides use this computer to simulate Windows 10 replace and refresh scenarios, so the VM is required even if you cannot create this VM using computer 2. - -Harware requirements are displayed below: - -
          - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Computer 1 (required)Computer 2 (recommended)
          RoleHyper-V hostClient computer
          DescriptionThis computer will run Hyper-V, the Hyper-V management tools, and the Hyper-V Windows PowerShell module.This computer is a Windows 7 or Windows 8/8.1 client on your corporate network that will be converted to a VM to demonstrate the upgrade process.
          OSWindows 8.1/10 or Windows Server 2012/2012 R2/2016*Windows 7 or a later
          EditionEnterprise, Professional, or EducationAny
          Architecture64-bitAny
          Note: Retaining applications and settings requires that architecture (32 or 64-bit) is the same before and after the upgrade.
          RAM8 GB RAM (16 GB recommended) to test Windows 10 deployment with MDT. -
          16 GB RAM to test Windows 10 deployment with System Center Configuration Manager.          		Any
          Disk200 GB available hard disk space, any format.Any size, MBR formatted.
          CPUSLAT-Capable CPUAny
          NetworkInternet connectionAny
          - - -\*The Hyper-V server role can also be installed on a computer running Windows Server 2008 R2. However, the Windows PowerShell module for Hyper-V is not available on Windows Server 2008 R2, therefore you cannot use many of the steps provided in this guide to configure Hyper-V. To manage Hyper-V on Windows Server 2008 R2, you can use Hyper-V WMI, or you can use the Hyper-V Manager console. Providing all steps in this guide as Hyper-V WMI or as 2008 R2 Hyper-V Manager procedures is beyond the scope of the guide. -
          -
          The Hyper-V role cannot be installed on Windows 7 or earlier versions of Windows. - -
          - -## Lab setup - -The lab architecture is summarized in the following diagram: - -![PoC](images/poc.png) - -- Computer 1 is configured to host four VMs on a private, PoC network. - - Two VMs are running Windows Server 2012 R2 with required network services and tools installed. - - Two VMs are client systems: One VM is intended to mirror a host on your corporate network (computer 2) and one VM is running Windows 10 Enterprise to demonstrate the hardware replacement scenario. - ->If you have an existing Hyper-V host, you can use this host and skip the Hyper-V installation section in this guide. - -The two Windows Server VMs can be combined into a single VM to conserve RAM and disk space if required. However, instructions in this guide assume two server systems are used. Using two servers enables Active Directory Domain Services and DHCP to be installed on a server that is not directly connected to the corporate network. This mitigates the risk of clients on the corporate network receiving DHCP leases from the PoC network (i.e. "rogue" DHCP), and limits NETBIOS service broadcasts. - -## Configure the PoC environment - ->**Hint**: Before you begin, ensure that Windows PowerShell is pinned to the taskbar for easy access. If the Hyper-V host is running Windows Server then Windows PowerShell is automatically pinned to the taskbar. To pin Windows PowerShell to the taskbar on Windows 8.1 or Windows 10: Click **Start**, type **power**, right click **Windows PowerShell**, and then click **Pin to taskbar**. After Windows PowerShell is pinned to the taskbar, you can open an elevated Windows PowerShell prompt by right-clicking the icon on the taskbar and then clicking **Run as Administrator**. - -### Procedures in this section - -[Verify support and install Hyper-V](#verify-support-and-install-hyper-v)
          -[Download VHD and ISO files](#download-vhd-and-iso-files)
          -[Convert PC to VM](#convert-pc-to-vm)
          -[Resize VHD](#resize-vhd)
          -[Configure Hyper-V](#configure-hyper-v)
          -[Configure VMs](#configure-vms)
          - -### Verify support and install Hyper-V - -Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information. - -1. To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example: - - 
          -    C:\>systeminfo
-
-    ...
-    Hyper-V Requirements:      VM Monitor Mode Extensions: Yes
-                               Virtualization Enabled In Firmware: Yes
-                               Second Level Address Translation: Yes
-                               Data Execution Prevention Available: Yes
-
          - - In this example, the computer supports SLAT and Hyper-V. - - If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings. - - You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example: - - 
          -    C:\>coreinfo -v
-
-    Coreinfo v3.31 - Dump information on system CPU and memory topology
-    Copyright (C) 2008-2014 Mark Russinovich
-    Sysinternals - www.sysinternals.com
-
-    Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
-    Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
-    Microcode signature: 0000001B
-    HYPERVISOR      -       Hypervisor is present
-    VMX             *       Supports Intel hardware-assisted virtualization
-    EPT             *       Supports Intel extended page tables (SLAT)
-
          - - Note: A 64-bit operating system is required to run Hyper-V. - -2. The Hyper-V feature is not installed by default. To install it, open an elevated Windows PowerShell window and type the following command: - - 
          Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V –All
          - - This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command: - - 
          Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
          - - When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. After installation is complete, you can open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt. - - >Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below: - - ![hyper-v feature](images/hyper-v-feature.png) - - ![hyper-v](images/svr_mgr2.png) - -

          If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools. - -### Download VHD and ISO files - -When you have completed installation of Hyper-V on the host computer, begin configuration of Hyper-V by downloading VHD and ISO files to the Hyper-V host. These files will be used to create the VMs used in the lab. Before you can download VHD and ISO files, you will need to register and sign in to the [TechNet Evaluation Center](https://www.microsoft.com/en-us/evalcenter/) using your Microsoft account. - -1. Create a directory on your Hyper-V host named **C:\VHD** and download a single [Windows Server 2012 R2 VHD](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2012-r2) from the TechNet Evaluation Center to the **C:\VHD** directory. - - **Important**: This guide assumes that VHDs are stored in the **C:\VHD** directory on the Hyper-V host. If you use a different directory to store VHDs, you must adjust steps in this guide appropriately. - - After completing registration you will be able to download the 7.47 GB Windows Server 2012 R2 evaluation VHD. An example of the download offering is shown below. - - - -
          VHD
          - -2. Download the file to the **C:\VHD** directory. When the download is complete, rename the VHD file that you downloaded to **2012R2-poc-1.vhd**. This is done to make the filename simple to recognize and type. -3. Copy the VHD to a second file also in the **C:\VHD** directory and name this VHD **2012R2-poc-2.vhd**. -4. Download the [Windows 10 Enterprise ISO](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise) from the TechNet Evaluation Center to the **C:\VHD** directory on your Hyper-V host. - - >During registration, you must specify the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version if desired. **Note: The evaluation version of Windows 10 does not support in-place upgrade**. - -5. Rename the ISO file that you downloaded to **w10-enterprise.iso**. Again, this is done so that the filename is simple to type and recognize. After completing registration you will be able to download the 3.63 GB Windows 10 Enterprise evaluation ISO. - -After completing these steps, you will have three files in the **C:\VHD** directory: **2012R2-poc-1.vhd**, **2012R2-poc-2.vhd**, **w10-enterprise.iso**. - -The following displays the procedures described in this section, both before and after downloading files: - -

          -C:>mkdir VHD
-C:>cd VHD
-C:\VHD>ren 9600*.vhd 2012R2-poc-1.vhd
-C:\VHD>copy 2012R2-poc-1.vhd 2012R2-poc-2.vhd
-   1 file(s) copied.
-C:\VHD ren *.iso w10-enterprise.iso
-C:\VHD>dir /B
-2012R2-poc-1.vhd
-2012R2-poc-2.vhd
-w10-enterprise.iso
-
          - -### Convert PC to VM - ->Important: Do not attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, do not start the VM outside the PoC network. - -
          -If you do not have a PC available to convert to VM, perform the following steps to download an evaluation VM: -
          -
            -
          1. Open the Download virtual machines page. -
          2. Under Virtual machine, choose IE11 on Win7. -
          3. Under Select platform choose HyperV (Windows). -
          4. Click Download .zip. The download is 3.31 GB. -
          5. Extract the zip file. Three directories are created. -
          6. Open the Virtual Hard Disks directory and then copy IE11 - Win7.vhd to the C:\VHD directory. -
          7. Rename IE11 - Win7.vhd to w7.vhd (do not rename the file to w7.vhdx). -
          8. In step 5 of the Configure Hyper-V section, replace the VHD file name w7.vhdx with w7.vhd. -
          -
          - -If you have a PC available to convert to VM (computer 2): - -1. Sign in on computer 2 using an account with Administrator privileges. - ->Important: the account used in this step must have local administrator privileges. You can use a local computer account, or a domain account with administrative rights if domain policy allows the use of cached credentials. After converting the computer to a VM, you must be able to sign in on this VM with administrator rights while the VM is disconnected from the corporate network. - -2. [Determine the VM generation and partition type](#determine-the-vm-generation-and-partition-type) that is required. -3. Based on the VM generation and partition type, perform one of the following procedures: [Prepare a generation 1 VM](#prepare-a-generation-1-vm), [Prepare a generation 2 VM](#prepare-a-generation-2-vm), or [prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk). - -#### Determine the VM generation and partition type - -When creating a VM in Hyper-V, you must specify either generation 1 or generation 2. The following table describes requirements for these two types of VMs. - -
          - - - - - - - - - - - - - - - - - - - - -
          ArchitectureOperating systemPartition style
          Generation 132-bit or 64-bitWindows 7 or laterMBR
          Generation 264-bitWindows 8 or laterMBR or GPT
          - -
          - -If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to a generation 1 VM. Otherwise, it can be converted to a generation 2 VM. - -- To determine the OS and architecture of a PC, type **systeminfo** at a command prompt and review the output next to **OS Name** and **System Type**. -- To determine the partition style, open a Windows PowerShell prompt on the PC and type the following command: - -
          -Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
-
          - -If the **Type** column does not indicate GPT, then the disk partition format is MBR ("Installable File System" = MBR). In the following example, the disk is GPT: - -
          -PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
-
-SystemName                           Caption                                 Type
-----------                           -------                                 ----
-USER-PC1                             Disk #0, Partition #0                   GPT: System
-USER-PC1                             Disk #0, Partition #1                   GPT: Basic Data
-
          - -On a computer running Windows 8 or later, you can also type **Get-Disk** at a Windows PowerShell prompt to discover the partition style. The default output of this cmdlet displays the partition style for all attached disks. Both commands are displayed below. In this example, the client computer is running Windows 8.1 and uses a GPT style partition format: - -
          -PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
-
-SystemName                            Caption                               Type
-----------                            -------                               ----
-PC-X1                                 Disk #0, Partition #0                 GPT: Unknown
-PC-X1                                 Disk #0, Partition #1                 GPT: System
-PC-X1                                 Disk #0, Partition #2                 GPT: Basic Data
-PC-X1                                 Disk #0, Partition #3                 GPT: Basic Data
-PC-X1                                 Disk #0, Partition #4                 GPT: Basic Data
-
-PS C:> Get-Disk
-
-Number Friendly Name                  OperationalStatus                     Total Size Partition Style
------- -------------                  -----------------                     ---------- ---------------
-0      INTEL SSDSCMMW240A3L           Online                                223.57 GB GPT
-
          - - - -**Choosing a VM generation** - -The following table displays the Hyper-V VM generation to choose based on the OS, architecture, and partition style. Links to procedures to create the corresponding VMs are included. - -
          - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          OSPartition styleArchitectureVM generationProcedure
          Windows 7MBR321Prepare a generation 1 VM
          641Prepare a generation 1 VM
          GPT32N/AN/A
          641Prepare a generation 1 VM from a GPT disk
          Windows 8 or laterMBR321Prepare a generation 1 VM
          641, 2Prepare a generation 1 VM
          GPT321Prepare a generation 1 VM from a GPT disk
          642Prepare a generation 2 VM
          - -
          - -Notes:
          -
            -
          • If the PC is running Windows 7, it can only be converted and hosted in Hyper-V as a generation 1 VM. This Hyper-V requirement means that if the Windows 7 PC is also using a GPT partition style, the OS disk can be shadow copied, but a new system partition must be created. In this case, see Prepare a generation 1 VM from a GPT disk. -
          • If the PC is running Windows 8 or later and uses the GPT partition style, you can capture the disk image and create a generation 2 VM. To do this, you must temporarily mount the EFI system partition which is accomplished using the mountvol command. In this case, see Prepare a generation 2 VM. -
          • If the PC is using an MBR partition style, you can convert the disk to VHD and use it to create a generation 1 VM. If you use the Disk2VHD tool described in this guide, it is not necessary to mount the MBR system partition, but it is still necessary to capture it. In this case, see Prepare a generation 1 VM. -
          - -#### Prepare a generation 1 VM - -1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert. - - >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. - -2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. -3. Select the checkboxes next to the **C:\\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example. **Important**: You must include the system volume in order to create a bootable VHD. If this volume is not displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation). -4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and click **Create**. See the following example: - - ![disk2vhd](images/disk2vhd.png) - - >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. - -5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (w7.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: - - 
          -    C:\vhd>dir /B
-    2012R2-poc-1.vhd
-    2012R2-poc-2.vhd
-    w10-enterprise.iso
-    w7.VHDX
-
          - -#### Prepare a generation 2 VM - -1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert. - - >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. - -2. On the computer you wish to convert, open an elevated command prompt and type the following command: - - 
          mountvol s: /s
          - - This command temporarily assigns a drive letter of S to the system volume and mounts it. If the letter S is already assigned to a different volume on the computer, then choose one that is available (ex: mountvol z: /s). - -3. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. -4. Select the checkboxes next to the **C:\\** and the **S:\\** volumes, and clear the **Use Volume Shadow Copy checkbox**. Volume shadow copy will not work if the EFI system partition is selected. - - **Important**: You must include the EFI system partition in order to create a bootable VHD. The Windows RE tools partition (shown below) is not required, but it can also be converted if desired. - -5. Specify a location to save the resulting VHD or VHDX file (F:\VHD\PC1.vhdx in the following example) and click **Create**. See the following example: - - ![disk2vhd](images/disk2vhd-gen2.png) - - >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. - -6. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (PC1.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: - - 
          -    C:\vhd>dir /B
-    2012R2-poc-1.vhd
-    2012R2-poc-2.vhd
-    w10-enterprise.iso
-    PC1.VHDX
-
          - -#### Prepare a generation 1 VM from a GPT disk - -1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert. - - >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. - -2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. -3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**. Note: the system volume is not copied in this scenario, it will be added later. -4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and click **Create**. See the following example: - - ![disk2vhd](images/disk2vhd4.png) - - >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. - -5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHD file (w7.vhd) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: - - 
          -    C:\vhd>dir /B
-    2012R2-poc-1.vhd
-    2012R2-poc-2.vhd
-    w10-enterprise.iso
-    w7.VHD
-
          - - >In its current state, the w7.VHD file is not bootable. The VHD will be used to create a bootable VM later in the [Configure Hyper-V](#configure-hyper-v) section. - -### Resize VHD - -
          -Enhanced session mode - -**Important**: Before proceeding, verify that you can take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer. - -To ensure that enhanced session mode is enabled on the Hyper-V host, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: - -
          Set-VMhost -EnableEnhancedSessionMode $TRUE
          - ->If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex. - -
          - -The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 100GB to support installing imaging tools and storing OS images. - -1. To add available space for the partition, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: - - 
          -    Resize-VHD –Path c:\VHD\2012R2-poc-2.vhd –SizeBytes 100GB
-    $x = (Mount-VHD –Path c:\VHD\2012R2-poc-2.vhd -passthru | Get-Disk | Get-Partition | Get-Volume).DriveLetter
-    Resize-Partition -DriveLetter $x -Size (Get-PartitionSupportedSize -DriveLetter $x).SizeMax
-
          - -2. Verify that the mounted VHD drive is resized to 100 GB, and then dismount the drive: - - 
          -    Get-Volume -DriveLetter $x
-    Dismount-VHD –Path c:\VHD\2012R2-poc-2.vhd
          - -### Configure Hyper-V - -1. Open an elevated Windows PowerShell window and type the following command to create two virtual switches named "poc-internal" and "poc-external": - - >If the Hyper-V host already has an external virtual switch bound to a physical NIC, do not attempt to add a second external virtual switch. Attempting to add a second external switch will result in an error indicating that the NIC is **already bound to the Microsoft Virtual Switch protocol.** In this case, choose one of the following options:
          -    A) Remove the existing external virtual switch, then add the poc-external switch
          -    B) Rename the existing external switch to "poc-external"
          -    C) Replace each instance of "poc-external" used in this guide with the name of your existing external virtual switch
          - If you choose B) or C), then do not run the second command below. - - 
          -    New-VMSwitch -Name poc-internal -SwitchType Internal -Notes "PoC Network"
-    New-VMSwitch -Name poc-external -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name -Notes "PoC External"
-
          - - **Note**: The second command above will temporarily interrupt network connectivity on the Hyper-V host. - - >Since an external virtual switch is associated to a physical network adapter on the Hyper-V host, this adapter must be specified when adding the virtual switch. The previous commands automate this by filtering for active non-virtual ethernet adapters using the Get-NetAdapter cmdlet ($_.Status -eq "Up" -and !$_.Virtual). If your Hyper-V host is dual-homed with multiple active ethernet adapters, this automation will not work, and the second command above will fail. In this case, you must edit the command used to add the "poc-external" virtual switch by inserting the appropriate NetAdapterName. The NetAdapterName value corresponds to the name of the network interface you wish to use. For example, if the network interface you use on the Hyper-V host to connect to the Internet is named "Ethernet 2" then type the following command to create an external virtual switch: New-VMSwitch -Name poc-external -NetAdapterName "Ethernet 2" -Notes "PoC External" - -2. At the elevated Windows PowerShell prompt, type the following command to determine the megabytes of RAM that are currently available on the Hyper-V host: - - 
          -    (Get-VMHostNumaNode).MemoryAvailable
-
          - - This command will display the megabytes of RAM available for VMs. On a Hyper-V host computer with 16 GB of physical RAM installed, 10,000 MB of RAM or greater should be available if the computer is not also running other applications. On a computer with 8 GB of physical RAM installed, at least 4000 MB should be available. If the computer has less RAM available than this, try closing applications to free up more memory. - -3. Determine the available memory for VMs by dividing the available RAM by 4. For example: - - 
          -    (Get-VMHostNumaNode).MemoryAvailable/4
-    2775.5
-
          - - In this example, VMs can use a maximum of 2700 MB of RAM each, to run four VMs simultaneously. - -4. At the elevated Windows PowerShell prompt, type the following command to create two new VMs. Other VMs will be added later. - >**Important**: Replace the value of 2700MB for $maxRAM in the first command below with the RAM value that you calculated in the previous step. - - 
          -    $maxRAM = 2700MB
-    New-VM -Name "DC1" -VHDPath c:\vhd\2012R2-poc-1.vhd -SwitchName poc-internal
-    Set-VMMemory -VMName "DC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
-    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName DC1
-    New-VM -Name "SRV1" -VHDPath c:\vhd\2012R2-poc-2.vhd -SwitchName poc-internal
-    Add-VMNetworkAdapter -VMName "SRV1" -SwitchName "poc-external"
-    Set-VMMemory -VMName "SRV1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 80
-    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName SRV1
-
          - - **Note**: The RAM values assigned to VMs in this step are not permanent, and can be easily increased or decreased later if needed to address performance issues. - -5. Using the same elevated Windows PowerShell prompt that was used in the previous step, type one of the following sets of commands, depending on the type of VM that was prepared in the [Determine VM generation](#determine-vm-generation) section, either generation 1, generation 2, or generation 1 with GPT. - - To create a generation 1 VM (using c:\vhd\w7.vhdx): - - 
          -    New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhdx -SwitchName poc-internal
-    Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
-    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
-
          - - To create a generation 2 VM (using c:\vhd\PC1.vhdx): - - 
          -    New-VM -Name "PC1" -Generation 2 -VHDPath c:\vhd\PC1.vhdx -SwitchName poc-internal
-    Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
-    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
-
          - - To create a generation 1 VM from a GPT disk (using c:\vhd\w7.vhd): - - >Note: The following procedure is more complex because it includes steps to convert the OS partition from GPT to MBR format. Steps are included to create a temporary VHD and attach it to the VM, the OS image is saved to this drive, the OS drive is then reformatted to MBR, the OS image restored, and the temporary drive is removed. - - First, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to create a temporary VHD that will be used to save the OS image. Do not forget to include a pipe (|) at the end of the first five commands: - - 
          -    New-VHD -Path c:\vhd\d.vhd -SizeBytes 1TB |
-    Mount-VHD -Passthru |
-    Get-Disk -Number {$_.DiskNumber} |
-    Initialize-Disk -PartitionStyle MBR -PassThru |
-    New-Partition -UseMaximumSize |
-    Format-Volume -Confirm:$false -FileSystem NTFS -force
-    Dismount-VHD -Path c:\vhd\d.vhd
-
          - - Next, create the PC1 VM with two attached VHDs, and boot to DVD ($maxram must be defined previously using the same Windows PowerShell promt): - - 
          -    New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhd -SwitchName poc-internal
-    Add-VMHardDiskDrive -VMName PC1 -Path c:\vhd\d.vhd
-    Set-VMDvdDrive -VMName PC1 -Path c:\vhd\w10-enterprise.iso
-    Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
-    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
-    Start-VM PC1
-    vmconnect localhost PC1
-
          - - The VM will automatically boot into Windows Setup. In the PC1 window: - - 1. Click **Next**. - 2. Click **Repair your computer**. - 3. Click **Troubleshoot**. - 4. Click **Command Prompt**. - 5. Type the following command to save an image of the OS drive: - - 
          -      dism /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C
-
          - - 6. Wait for the OS image to complete saving, and then type the following commands to convert the C: drive to MBR: - - 
          -      diskpart
-      select disk 0
-      clean
-      convert MBR
-      create partition primary size=100
-      format fs=ntfs quick
-      active
-      create partition primary
-      format fs=ntfs quick label=OS
-      assign letter=c
-      exit
-
          - - 7. Type the following commands to restore the OS image and boot files: - - 
          -      dism /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\
-      bcdboot c:\windows
-      exit
-
          - - 8. Click **Continue** and verify the VM boots successfully (do not boot from DVD). - 9. Click **Ctrl+Alt+Del**, and then in the bottom right corner, click **Shut down**. - 10. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to remove the temporary disks and drives from PC1: - - 
          -       Remove-VMHardDiskDrive -VMName PC1 -ControllerType IDE -ControllerNumber 0 -ControllerLocation 1
-       Set-VMDvdDrive -VMName PC1 -Path $null
-
          - -### Configure VMs - -1. At an elevated Windows PowerShell prompt on the Hyper-V host, start the first Windows Server VM and connect to it by typing the following commands: - - 
          -    Start-VM DC1
-    vmconnect localhost DC1
-
          - -2. Click **Next** to accept the default settings, read the license terms and click **I accept**, provide an administrator password of pass@word1, and click **Finish**. -3. Click **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account. -4. Right-click **Start**, point to **Shut down or sign out**, and click **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, click **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It is only necessary to do this the first time you sign in to a new VM. -5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway: - - 
          -    Rename-Computer DC1
-    New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.1 –PrefixLength 24 -DefaultGateway 192.168.0.2
-    Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
-
          - - > The default gateway at 192.168.0.2 will be configured later in this guide. - > - > Note: A list of available tasks for an app will be populated the first time you run it on the taskbar. Because these tasks aren't available until the App has been run, you will not see the **Run as Administrator** task until you have left-clicked Windows PowerShell for the first time. In this newly created VM, you will need to left-click Windows PowerShell one time, and then you can right-click and choose Run as Administrator to open an elevated Windows PowerShell prompt. - -6. Install the Active Directory Domain Services role by typing the following command at an elevated Windows PowerShell prompt: - - 
          -    Install-WindowsFeature -Name AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools
-
          - -7. Before promoting DC1 to a Domain Controller, you must reboot so that the name change in step 3 above takes effect. To restart the computer, type the following command at an elevated Windows PowerShell prompt: - - 
          -    Restart-Computer
-
          - -8. When DC1 has rebooted, sign in again and open an elevated Windows PowerShell prompt. Now you can promote the server to be a domain controller. The directory services restore mode password must be entered as a secure string. Type the following commands at the elevated Windows PowerShell prompt: - - 
          -    $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
-    Install-ADDSForest -DomainName contoso.com -InstallDns -SafeModeAdministratorPassword $pass -Force
-
          - - Ignore any warnings that are displayed. The computer will automatically reboot upon completion. - -9. When the reboot has completed, reconnect to DC1, sign in using the CONTOSO\Administrator account, open an elevated Windows PowerShell prompt, and use the following commands to add a reverse lookup zone for the PoC network, add the DHCP Server role, authorize DHCP in Active Directory, and suppress the post-DHCP-install alert: - - 
          -    Add-DnsServerPrimaryZone -NetworkID "192.168.0.0/24" -ReplicationScope Forest
-    Add-WindowsFeature -Name DHCP -IncludeManagementTools
-    netsh dhcp add securitygroups
-    Restart-Service DHCPServer
-    Add-DhcpServerInDC  dc1.contoso.com  192.168.0.1
-    Set-ItemProperty –Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 –Name ConfigurationState –Value 2
-
          - -10. Next, add a DHCP scope and set option values: - - 
          -    Add-DhcpServerv4Scope -Name "PoC Scope" -StartRange 192.168.0.100 -EndRange 192.168.0.199 -SubnetMask 255.255.255.0 -Description "Windows 10 PoC" -State Active
-    Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -DnsDomain contoso.com -Router 192.168.0.2 -DnsServer 192.168.0.1,192.168.0.2 -Force
-
          - - >The -Force option is necessary when adding scope options to skip validation of 192.168.0.2 as a DNS server because we have not configured it yet. The scope should immediately begin issuing leases on the PoC network. The first DHCP lease that will be issued is to vEthernet interface on the Hyper-V host, which is a member of the internal network. You can verify this by using the command: Get-DhcpServerv4Lease -ScopeId 192.168.0.0. - -11. The DNS server role will also be installed on the member server, SRV1, at 192.168.0.2 so that we can forward DNS queries from DC1 to SRV1 to resolve Internet names without having to configure a forwarder outside the PoC network. Since the IP address of SRV1 already exists on DC1's network adapter, it will be automatically added during the DCPROMO process. To verify this server-level DNS forwarder on DC1, type the following command at an elevated Windows PowerShell prompt on DC1: - - 
          -    Get-DnsServerForwarder
-
          - - The following output should be displayed: - - 
          -    UseRootHint        : True
-    Timeout(s)         : 3
-    EnableReordering   : True
-    IPAddress          : 192.168.0.2
-    ReorderedIPAddress : 192.168.0.2
-
          - - If this output is not displayed, you can use the following command to add SRV1 as a forwarder: - - 
          -    Add-DnsServerForwarder -IPAddress 192.168.0.2
-
          - - **Configure service and user accounts** - - Windows 10 deployment with MDT and System Center Configuration Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire. - - >To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - - On DC1, open an elevated Windows PowerShell prompt and type the following commands: - - 
          -    New-ADUser -Name User1 -UserPrincipalName user1 -Description "User account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
-    New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
-    New-ADUser -Name CM_JD -UserPrincipalName CM_JD -Description "Configuration Manager Join Domain Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
-    New-ADUser -Name CM_NAA -UserPrincipalName CM_NAA -Description "Configuration Manager Network Access Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
-    Add-ADGroupMember "Domain Admins" MDT_BA,CM_JD,CM_NAA
-    Set-ADUser -Identity user1 -PasswordNeverExpires $true
-    Set-ADUser -Identity administrator -PasswordNeverExpires $true
-    Set-ADUser -Identity MDT_BA -PasswordNeverExpires $true
-    Set-ADUser -Identity CM_JD -PasswordNeverExpires $true
-    Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true
-
          - -12. Minimize the DC1 VM window but **do not stop** the VM. - - Next, the client VM will be started and joined to the contoso.com domain. This is done before adding a gateway to the PoC network so that there is no danger of duplicate DNS registrations for the physical client and its cloned VM in the corporate domain. - -13. If the PC1 VM is not started yet, using an elevated Windows PowerShell prompt on the Hyper-V host, start the client VM (PC1), and connect to it: - - 
          -    Start-VM PC1
-    vmconnect localhost PC1
-
          - -14. Sign in to PC1 using an account that has local administrator rights. - - >PC1 will be disconnected from its current domain, so you cannot use a domain account to sign on unless these credentials are cached and the use of cached credentials is permitted by Group Policy. If cached credentials are available and permitted, you can use these credentials to sign in. Otherwise, use an existing local administrator account. - -15. After signing in, the operating system detects that it is running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you will be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. You can monitor device driver installation by clicking **Show hidden icons** in the notification area. - - ![PoC](images/installing-drivers.png) - - >If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease. - -16. When the new network adapter driver has completed installation, you will receive an alert to set a network location for the contoso.com network. Select **Work network** and then click **Close**. When you receive an alert that a restart is required, click **Restart Later**. - -17. Open an elevated Windows PowerShell prompt on PC1 and verify that the client VM has received a DHCP lease and can communicate with the consoto.com domain controller. - - To open Windows PowerShell on Windows 7, click **Start**, and search for "**power**." Right-click **Windows PowerShell** and then click **Pin to Taskbar** so that it is simpler to use Windows Powershell during this lab. Click **Windows PowerShell** on the taskbar, and then type **ipconfig** at the prompt to see the client's current IP address. Also type **ping dc1.contoso.com** and **nltest /dsgetdc:contoso.com** to verify that it can reach the domain controller. See the following examples of a successful network connection: - - ``` - ipconfig - - Windows IP Configuration - - Ethernet adapter Local Area Connection 3: - Connection-specific DNS Suffix . : contoso.com - Link-local IPv6 Address . . . . . : fe80::64c2:4d2a:7403:6e02%18 - Ipv4 Address. . . . . . . . . . . : 192.168.0.101 - Subnet Mask . . . . . . . . . . . : 255.255.255.0 - Default Gateway . . . . . . . . . : 192.168.0.2 - - ping dc1.contoso.com - - Pinging dc1.contoso.com [192.168.0.1] with 32 bytes of data: - Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 - Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 - Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 - Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 - - nltest /dsgetdc:contoso.com - DC: \\DC1 - Address: \\192.168.0.1 - Dom Guid: fdbd0643-d664-411b-aea0-fe343d7670a8 - Dom Name: CONTOSO - Forest Name: contoso.com - Dc Site Name: Default-First-Site-Name - Our Site Name: Default-First-Site-Name - Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET WS 0xC000 - ``` - - >If PC1 is running Windows 7, enhanced session mode might not be available, which means that you cannot copy and paste commands from the Hyper-V host to a Windows PowerShell prompt on PC1. However, it is possible to use integration services to copy a file from the Hyper-V host to a VM. The next procedure demonstrates this. If the Copy-VMFile command fails, then type the commands below at an elevated Windows PowerShell prompt on PC1 instead of saving them to a script to run remotely. If PC1 is running Windows 8 or a later operating system, you can use enhanced session mode to copy and paste these commands instead of typing them. - -18. Minimize the PC1 window and switch to the Hyper-V host computer. Open an elevated Windows PowerShell ISE window on the Hyper-V host (right-click Windows PowerShell and then click **Run ISE as Administrator**) and type the following commands in the (upper) script editor pane: - - 
          -    (Get-WmiObject Win32_ComputerSystem).UnjoinDomainOrWorkgroup($null,$null,0)
-    $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
-    $user = "contoso\administrator"
-    $cred = New-Object System.Management.Automation.PSCredential($user,$pass)
-    Add-Computer -DomainName contoso.com -Credential $cred
-    Restart-Computer
-
          - - >If you do not see the script pane, click **View** and verify **Show Script Pane Top** is enabled. Click **File** and then click **New**. - - See the following example: - - ![ISE](images/ISE.png) - -19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host. -20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1: - - 
          -    Enable-VMIntegrationService -VMName PC1 -Name "Guest Service Interface"
-    Copy-VMFile "PC1" –SourcePath "C:\VHD\pc1.ps1"  –DestinationPath "C:\pc1.ps1" –CreateFullPath –FileSource Host
-
          - - >In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service. - - If the copy-vmfile command does not work and you cannot properly enable or upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration of automation methods that can be used in a Hyper-V environment when enhanced session mode is not available. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file. - -21. On PC1, type the following commands at an elevated Windows PowerShell prompt: - - 
          -    Get-Content c:\pc1.ps1 | powershell.exe -noprofile -
-
          - - >The commands in this script might take a few moments to complete. If an error is displayed, check that you typed the command correctly, paying close attention to spaces. PC1 is removed from its domain in this step while not connected to the corporate network so as to ensure the computer object in the corporate domain is unaffected. PC1 is also not renamed to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer. - -22. Upon completion of the script, PC1 will automatically restart. When it has restarted, sign in to the contoso.com domain using the **Switch User** option, with the **user1** account you created in step 11 of this section. - >**Important**: The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all user accounts, or only other specified accounts. If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing. -23. Minimize the PC1 window but do not turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services. -24. On the Hyper-V host computer, at an elevated Windows PowerShell prompt, type the following commands: - - 
          -    Start-VM SRV1
-    vmconnect localhost SRV1
-
          - -25. Accept the default settings, read license terms and accept them, provide an administrator password of pass@word1, and click **Finish**. When you are prompted about finding PCs, devices, and content on the network, click **Yes**. -26. Sign in to SRV1 using the local administrator account. In the same way that was done on DC1, sign out of SRV1 and then sign in again to enable enhanced session mode. This will enable you to copy and paste Windows PowerShell commands from the Hyper-V host to the VM. -27. Open an elevated Windows PowerShell prompt on SRV1 and type the following commands: - - 
          -    Rename-Computer SRV1
-    New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.2 –PrefixLength 24
-    Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
-    Restart-Computer
-
          - - >[!IMPORTANT] - >Verify that you are configuring the correct interface in this step. The commands in this step assume that the poc-internal interface on SRV1 is named "Ethernet." If you are unsure how to check the interface, see step #30 below for instructions and tips on how to verify and modify the interface name. - -28. Wait for the computer to restart, sign in again, then type the following commands at an elevated Windows PowerShell prompt: - - 
          -    $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
-    $user = "contoso\administrator"
-    $cred = New-Object System.Management.Automation.PSCredential($user,$pass)
-    Add-Computer -DomainName contoso.com -Credential $cred
-    Restart-Computer
-
          - -29. Sign in to the contoso.com domain on SRV1 using the domain administrator account (enter contoso\administrator as the user), open an elevated Windows PowerShell prompt, and type the following commands: - - 
          -    Install-WindowsFeature -Name DNS -IncludeManagementTools
-    Install-WindowsFeature -Name WDS -IncludeManagementTools
-    Install-WindowsFeature -Name Routing -IncludeManagementTools
-
          - -30. Before configuring the routing service that was just installed, verify that network interfaces were added to SRV1 in the right order, resulting in an interface alias of "Ethernet" for the private interface, and an interface alias of "Ethernet 2" for the public interface. Also verify that the external interface has a valid external DHCP IP address lease. - - To view a list of interfaces, associated interface aliases, and IP addresses on SRV1, type the following Windows PowerShell command. Example output of the command is also shown below: - - 
          -    Get-NetAdapter | ? status -eq ‘up’ | Get-NetIPAddress -AddressFamily IPv4 | ft IPAddress, InterfaceAlias
-
-    IPAddress                                                                  InterfaceAlias
-    ---------                                                                  --------------
-    10.137.130.118                                                             Ethernet 2
-    192.168.0.2                                                                Ethernet
-
          - - In this example, the poc-internal network interface at 192.168.0.2 is associated with the "Ethernet" interface and the Internet-facing poc-external interface is associated with the "Ethernet 2" interface. If your interfaces are different, you must adjust the commands provided in the next step appropriately to configure routing services. Also note that if the "Ethernet 2" interface has an IP address in the 192.168.0.100-105 range then it likely is getting a DHCP lease from DC1 instead of your corporate network. If this is the case, you can try removing and re-adding the second network interface from the SRV1 VM through its Hyper-V settings. - - >[!TIP] - >Sometimes a computer will have hidden, disconnected interfaces that prevent you from naming a network adapter. When you attempt to rename an adapter, you will receive an error that the adapter name already exists. These disconnected devices can be viewed in device manager by clicking **View** and then clicking **Show hidden devices**. The disconnected device can then be uninstalled, enabling you to reuse the adapter name. - - -31. To configure SRV1 with routing capability for the PoC network, type or paste the following commands at an elevated Windows PowerShell prompt on SRV1: - - 
          -    Install-RemoteAccess -VpnType Vpn
-    cmd /c netsh routing ip nat install
-    cmd /c netsh routing ip nat add interface name="Ethernet 2" mode=FULL
-    cmd /c netsh routing ip nat add interface name="Ethernet" mode=PRIVATE
-    cmd /c netsh routing ip nat add interface name="Internal" mode=PRIVATE
-
          - -32. The DNS service on SRV1 also needs to resolve hosts in the contoso.com domain. This can be accomplished with a conditional forwarder. Open an elevated Windows PowerShell prompt on SRV1 and type the following command: - - 
          -    Add-DnsServerConditionalForwarderZone -Name contoso.com -MasterServers 192.168.0.1
-
          - -33. In most cases, this completes configuration of the PoC network. However, if your corporate network has a firewall that filters queries from local DNS servers, you will also need to configure a server-level DNS forwarder on SRV1 to resolve Internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the Internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example: - - 
          -    ping www.microsoft.com
-
          - - If you see "Ping request could not find host www.microsoft.com" on PC1 and DC1, but not on SRV1, then you will need to configure a server-level DNS forwarder on SRV1. To do this, open an elevated Windows PowerShell prompt on SRV1 and type the following command. - - **Note**: This command also assumes that "Ethernet 2" is the external-facing network adapter on SRV1. If the external adapter has a different name, replace "Ethernet 2" in the command below with that name: - - 
          -    Add-DnsServerForwarder -IPAddress (Get-DnsClientServerAddress -InterfaceAlias "Ethernet 2").ServerAddresses
-
          - -34. If DNS and routing are both working correctly, you will see the following on DC1 and PC1 (the IP address might be different, but that is OK): - - 
          -    PS C:\> ping www.microsoft.com
-
-    Pinging e2847.dspb.akamaiedge.net [23.222.146.170] with 32 bytes of data:
-    Reply from 23.222.146.170: bytes=32 time=3ms TTL=51
-    Reply from 23.222.146.170: bytes=32 time=2ms TTL=51
-    Reply from 23.222.146.170: bytes=32 time=2ms TTL=51
-    Reply from 23.222.146.170: bytes=32 time=1ms TTL=51
-
-    Ping statistics for 23.222.146.170:
-        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
-    Approximate round trip times in milli-seconds:
-        Minimum = 1ms, Maximum = 3ms, Average = 2ms
-
          - -35. Verify that all three VMs can reach each other, and the Internet. See [Appendix A: Verify the configuration](#appendix-a-verify-the-configuration) for more information. -36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in 3 days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1: - - 
          -    runas /noprofile /env /user:administrator@contoso.com "cmd /c slmgr -rearm"
-    Restart-Computer
-
          - -This completes configuration of the starting PoC environment. Additional services and tools are installed in subsequent guides. - -## Appendix A: Verify the configuration - -Use the following procedures to verify that the PoC environment is configured properly and working as expected. - -1. On DC1, open an elevated Windows PowerShell prompt and type the following commands: - - 
          -    Get-Service NTDS,DNS,DHCP
-    DCDiag -a
-    Get-DnsServerResourceRecord -ZoneName contoso.com -RRType A
-    Get-DnsServerForwarder
-    Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
-    Get-DhcpServerInDC
-    Get-DhcpServerv4Statistics
-    ipconfig /all
-
          - - **Get-Service** displays a status of "Running" for all three services.
          - **DCDiag** displays "passed test" for all tests.
          - **Get-DnsServerResourceRecord** displays the correct DNS address records for DC1, SRV1, and the computername of PC1. Additional address records for the zone apex (@), DomainDnsZones, and ForestDnsZones will also be registered.
          - **Get-DnsServerForwarder** displays a single forwarder of 192.168.0.2.
          - **Resolve-DnsName** displays public IP address results for www.microsoft.com.
          - **Get-DhcpServerInDC** displays 192.168.0.1, dc1.contoso.com.
          - **Get-DhcpServerv4Statistics** displays 1 scope with 2 addresses in use (these belong to PC1 and the Hyper-V host).
          - **ipconfig** displays a primary DNS suffix and suffix search list of contoso.com, IP address of 192.168.0.1, subnet mask of 255.255.255.0, default gateway of 192.168.0.2, and DNS server addresses of 192.168.0.1 and 192.168.0.2. - -2. On SRV1, open an elevated Windows PowerShell prompt and type the following commands: - - 
          -    Get-Service DNS,RemoteAccess
-    Get-DnsServerForwarder
-    Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
-    ipconfig /all
-    netsh int ipv4 show address
-
          - - **Get-Service** displays a status of "Running" for both services.
          - **Get-DnsServerForwarder** either displays no forwarders, or displays a list of forwarders you are required to use so that SRV1 can resolve Internet names.
          - **Resolve-DnsName** displays public IP address results for www.microsoft.com.
          - **ipconfig** displays a primary DNS suffix of contoso.com. The suffix search list contains contoso.com and your corporate domain. Two ethernet adapters are shown: Ethernet adapter "Ethernet" has an IP addresses of 192.168.0.2, subnet mask of 255.255.255.0, no default gateway, and DNS server addresses of 192.168.0.1 and 192.168.0.2. Ethernet adapter "Ethernet 2" has an IP address, subnet mask, and default gateway configured by DHCP on your corporate network.
          - **netsh** displays three interfaces on the computer: interface "Ethernet 2" with DHCP enabled = Yes and IP address assigned by your corporate network, interface "Ethernet" with DHCP enabled = No and IP address of 192.168.0.2, and interface "Loopback Pseudo-Interface 1" with IP address of 127.0.0.1. - -3. On PC1, open an elevated Windows PowerShell prompt and type the following commands: - - 
          -    whoami
-    hostname
-    nslookup www.microsoft.com
-    ping -n 1 dc1.contoso.com
-    tracert www.microsoft.com
-
          - - **whoami** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed.
          - **hostname** displays the name of the local computer, for example W7PC-001.
          - **nslookup** displays the DNS server used for the query, and the results of the query. For example, server dc1.contoso.com, address 192.168.0.1, Name e2847.dspb.akamaiedge.net.
          - **ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it cannot be resolved, "..could not find host" will be diplayed and if the target is found and also responds to ICMP, you will see "Reply from" and the IP address of the target.
          - **tracert** displays the path to reach the destination, for example srv1.contoso.com [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination. - - -## Appendix B: Terminology used in this guide - -

            - -

          - - -
          TermDefinition -
          GPTGUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. -
          Hyper-VHyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8. -
          Hyper-V hostThe computer where Hyper-V is installed. -
          Hyper-V ManagerThe user-interface console used to view and configure Hyper-V. -
          MBRMaster Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format. -
          Proof of concept (PoC)Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process. -
          Shadow copyA copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes. -
          Virtual machine (VM)A VM is a virtual computer with its own operating system, running on the Hyper-V host. -
          Virtual switchA virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host. -
          VM snapshotA point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken. -
          - -
          - -## Related Topics - - -[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) - - - - - - - - +--- +title: Configure a test lab to deploy Windows 10 +ms.reviewer: +manager: laurawi +ms.audience: itpro author: greg-lindsay +description: Concepts and procedures for deploying Windows 10 in a proof of concept lab environment. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +keywords: deployment, automate, tools, configure, mdt, sccm +ms.localizationpriority: medium +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Step by step guide: Configure a test lab to deploy Windows 10 + +**Applies to** + +- Windows 10 + +This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides: + +- [Step by step: Deploy Windows 10 in a test lab using MDT](windows-10-poc-mdt.md)
          +- [Step by step: Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
          + +The PoC deployment guides are intended to provide a demonstration of Windows 10 deployment tools and processes for IT professionals that are not familiar with these tools, and those that are interested in setting up a proof of concept environment. The instructions in this guide should not be used in a production setting, and are not meant to replace the instructions found in production deployment guidance. + +Approximately 3 hours are required to configure the PoC environment. You will need a Hyper-V capable computer running Windows 8.1 or later with at least 16GB of RAM. Detailed [requirements](#hardware-and-software-requirements) are provided below. You will also need to have a [Microsoft account](https://www.microsoft.com/account) to use for downloading evaluation software. + +Windows PowerShell commands are provided to set up the PoC environment quickly. You do not need to be an expert in Windows PowerShell to complete the steps in the guide, however you are required to customize some commands to your environment. + +> Instructions to "type" Windows PowerShell commands provided in this guide can be followed literally by typing the commands, but the preferred method is to copy and paste these commands. +> +> A Windows PowerShell window can be used to run all commands in this guide. However, when commands are specified for a command prompt, you must either type CMD at the Windows PowerShell prompt to enter the command prompt, or preface the command with "cmd /c", or if desired you can escape special characters in the command using the back-tick character (`). In most cases, the simplest thing is to type cmd and enter a command prompt, type the necessary commands, then type "exit" to return to Windows PowerShell. + +Hyper-V is installed, configured and used extensively in this guide. If you are not familiar with Hyper-V, review the [terminology](#appendix-b-terminology-used-in-this-guide) used in this guide before starting. + +## In this guide + +This guide contains instructions for three general procedures: Install Hyper-V, configure Hyper-V, and configure VMs. If you already have a computer running Hyper-V, you can use this computer and skip the first procedure. In this case, your virtual switch settings must be modified to match those used in this guide, or the steps in this guide can be modified to use your existing Hyper-V settings. + +After completing the instructions in this guide, you will have a PoC environment that enables you to test Windows 10 deployment procedures by following instructions in companion guides that are written to use the PoC environment. Links are provided to download trial versions of Windows Server 2012, Windows 10 Enterprise, and all deployment tools necessary to complete the lab. + +Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. + +
          + +
          + + + +
          TopicDescriptionTime
          Hardware and software requirementsPrerequisites to complete this guide.Informational +
          Lab setupA description and diagram of the PoC environment.Informational +
          Configure the PoC environmentParent topic for procedures.Informational +
          Verify support and install Hyper-VVerify that installation of Hyper-V is supported, and install the Hyper-V server role.10 minutes +
          Download VHD and ISO filesDownload evaluation versions of Windows Server 2012 R2 and Windows 10 and prepare these files to be used on the Hyper-V host.30 minutes +
          Convert PC to VMConvert a physical computer on your network to a VM hosted in Hyper-V.30 minutes +
          Resize VHDIncrease the storage capacity for one of the Windows Server VMs.5 minutes +
          Configure Hyper-VCreate virtual switches, determine available RAM for virtual machines, and add virtual machines.15 minutes +
          Configure service and user accountsStart virtual machines and configure all services and settings.60 minutes +
          Configure VMsStart virtual machines and configure all services and settings.60 minutes +
          Appendix A: Verify the configurationVerify and troubleshoot network connectivity and services in the PoC environment.30 minutes +
          Appendix B: Terminology in this guideTerms used in this guide.Informational +
          +
          + +## Hardware and software requirements + +One computer that meets the hardware and software specifications below is required to complete the guide; A second computer is recommended to validate the upgrade process. + +- **Computer 1**: the computer you will use to run Hyper-V and host virtual machines. This computer should have 16 GB or more of installed RAM and a multi-core processor. +- **Computer 2**: a client computer from your corporate network. It is shadow-copied to create a VM that can be added to the PoC environment, enabling you to test a mirror image of a computer on your network. If you do not have a computer to use for this simulation, you can download an evaluation VHD and use it to represent this computer. Subsequent guides use this computer to simulate Windows 10 replace and refresh scenarios, so the VM is required even if you cannot create this VM using computer 2. + +Harware requirements are displayed below: + +
          + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Computer 1 (required)Computer 2 (recommended)
          RoleHyper-V hostClient computer
          DescriptionThis computer will run Hyper-V, the Hyper-V management tools, and the Hyper-V Windows PowerShell module.This computer is a Windows 7 or Windows 8/8.1 client on your corporate network that will be converted to a VM to demonstrate the upgrade process.
          OSWindows 8.1/10 or Windows Server 2012/2012 R2/2016*Windows 7 or a later
          EditionEnterprise, Professional, or EducationAny
          Architecture64-bitAny
          Note: Retaining applications and settings requires that architecture (32 or 64-bit) is the same before and after the upgrade.
          RAM8 GB RAM (16 GB recommended) to test Windows 10 deployment with MDT. +
          16 GB RAM to test Windows 10 deployment with System Center Configuration Manager.          		Any
          Disk200 GB available hard disk space, any format.Any size, MBR formatted.
          CPUSLAT-Capable CPUAny
          NetworkInternet connectionAny
          + + +\*The Hyper-V server role can also be installed on a computer running Windows Server 2008 R2. However, the Windows PowerShell module for Hyper-V is not available on Windows Server 2008 R2, therefore you cannot use many of the steps provided in this guide to configure Hyper-V. To manage Hyper-V on Windows Server 2008 R2, you can use Hyper-V WMI, or you can use the Hyper-V Manager console. Providing all steps in this guide as Hyper-V WMI or as 2008 R2 Hyper-V Manager procedures is beyond the scope of the guide. +
          +
          The Hyper-V role cannot be installed on Windows 7 or earlier versions of Windows. + +
          + +## Lab setup + +The lab architecture is summarized in the following diagram: + +![PoC](images/poc.png) + +- Computer 1 is configured to host four VMs on a private, PoC network. + - Two VMs are running Windows Server 2012 R2 with required network services and tools installed. + - Two VMs are client systems: One VM is intended to mirror a host on your corporate network (computer 2) and one VM is running Windows 10 Enterprise to demonstrate the hardware replacement scenario. + +>If you have an existing Hyper-V host, you can use this host and skip the Hyper-V installation section in this guide. + +The two Windows Server VMs can be combined into a single VM to conserve RAM and disk space if required. However, instructions in this guide assume two server systems are used. Using two servers enables Active Directory Domain Services and DHCP to be installed on a server that is not directly connected to the corporate network. This mitigates the risk of clients on the corporate network receiving DHCP leases from the PoC network (i.e. "rogue" DHCP), and limits NETBIOS service broadcasts. + +## Configure the PoC environment + +>**Hint**: Before you begin, ensure that Windows PowerShell is pinned to the taskbar for easy access. If the Hyper-V host is running Windows Server then Windows PowerShell is automatically pinned to the taskbar. To pin Windows PowerShell to the taskbar on Windows 8.1 or Windows 10: Click **Start**, type **power**, right click **Windows PowerShell**, and then click **Pin to taskbar**. After Windows PowerShell is pinned to the taskbar, you can open an elevated Windows PowerShell prompt by right-clicking the icon on the taskbar and then clicking **Run as Administrator**. + +### Procedures in this section + +[Verify support and install Hyper-V](#verify-support-and-install-hyper-v)
          +[Download VHD and ISO files](#download-vhd-and-iso-files)
          +[Convert PC to VM](#convert-pc-to-vm)
          +[Resize VHD](#resize-vhd)
          +[Configure Hyper-V](#configure-hyper-v)
          +[Configure VMs](#configure-vms)
          + +### Verify support and install Hyper-V + +Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information. + +1. To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example: + + 
          +    C:\>systeminfo
+
+    ...
+    Hyper-V Requirements:      VM Monitor Mode Extensions: Yes
+                               Virtualization Enabled In Firmware: Yes
+                               Second Level Address Translation: Yes
+                               Data Execution Prevention Available: Yes
+
          + + In this example, the computer supports SLAT and Hyper-V. + + If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings. + + You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example: + + 
          +    C:\>coreinfo -v
+
+    Coreinfo v3.31 - Dump information on system CPU and memory topology
+    Copyright (C) 2008-2014 Mark Russinovich
+    Sysinternals - www.sysinternals.com
+
+    Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
+    Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
+    Microcode signature: 0000001B
+    HYPERVISOR      -       Hypervisor is present
+    VMX             *       Supports Intel hardware-assisted virtualization
+    EPT             *       Supports Intel extended page tables (SLAT)
+
          + + Note: A 64-bit operating system is required to run Hyper-V. + +2. The Hyper-V feature is not installed by default. To install it, open an elevated Windows PowerShell window and type the following command: + + 
          Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V –All
          + + This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command: + + 
          Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
          + + When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. After installation is complete, you can open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt. + + >Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below: + + ![hyper-v feature](images/hyper-v-feature.png) + + ![hyper-v](images/svr_mgr2.png) + +

          If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools. + +### Download VHD and ISO files + +When you have completed installation of Hyper-V on the host computer, begin configuration of Hyper-V by downloading VHD and ISO files to the Hyper-V host. These files will be used to create the VMs used in the lab. Before you can download VHD and ISO files, you will need to register and sign in to the [TechNet Evaluation Center](https://www.microsoft.com/en-us/evalcenter/) using your Microsoft account. + +1. Create a directory on your Hyper-V host named **C:\VHD** and download a single [Windows Server 2012 R2 VHD](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2012-r2) from the TechNet Evaluation Center to the **C:\VHD** directory. + + **Important**: This guide assumes that VHDs are stored in the **C:\VHD** directory on the Hyper-V host. If you use a different directory to store VHDs, you must adjust steps in this guide appropriately. + + After completing registration you will be able to download the 7.47 GB Windows Server 2012 R2 evaluation VHD. An example of the download offering is shown below. + + + +
          VHD
          + +2. Download the file to the **C:\VHD** directory. When the download is complete, rename the VHD file that you downloaded to **2012R2-poc-1.vhd**. This is done to make the filename simple to recognize and type. +3. Copy the VHD to a second file also in the **C:\VHD** directory and name this VHD **2012R2-poc-2.vhd**. +4. Download the [Windows 10 Enterprise ISO](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise) from the TechNet Evaluation Center to the **C:\VHD** directory on your Hyper-V host. + + >During registration, you must specify the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version if desired. **Note: The evaluation version of Windows 10 does not support in-place upgrade**. + +5. Rename the ISO file that you downloaded to **w10-enterprise.iso**. Again, this is done so that the filename is simple to type and recognize. After completing registration you will be able to download the 3.63 GB Windows 10 Enterprise evaluation ISO. + +After completing these steps, you will have three files in the **C:\VHD** directory: **2012R2-poc-1.vhd**, **2012R2-poc-2.vhd**, **w10-enterprise.iso**. + +The following displays the procedures described in this section, both before and after downloading files: + +

          +C:>mkdir VHD
+C:>cd VHD
+C:\VHD>ren 9600*.vhd 2012R2-poc-1.vhd
+C:\VHD>copy 2012R2-poc-1.vhd 2012R2-poc-2.vhd
+   1 file(s) copied.
+C:\VHD ren *.iso w10-enterprise.iso
+C:\VHD>dir /B
+2012R2-poc-1.vhd
+2012R2-poc-2.vhd
+w10-enterprise.iso
+
          + +### Convert PC to VM + +>Important: Do not attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, do not start the VM outside the PoC network. + +
          +If you do not have a PC available to convert to VM, perform the following steps to download an evaluation VM: +
          +
            +
          1. Open the Download virtual machines page. +
          2. Under Virtual machine, choose IE11 on Win7. +
          3. Under Select platform choose HyperV (Windows). +
          4. Click Download .zip. The download is 3.31 GB. +
          5. Extract the zip file. Three directories are created. +
          6. Open the Virtual Hard Disks directory and then copy IE11 - Win7.vhd to the C:\VHD directory. +
          7. Rename IE11 - Win7.vhd to w7.vhd (do not rename the file to w7.vhdx). +
          8. In step 5 of the Configure Hyper-V section, replace the VHD file name w7.vhdx with w7.vhd. +
          +
          + +If you have a PC available to convert to VM (computer 2): + +1. Sign in on computer 2 using an account with Administrator privileges. + +>Important: the account used in this step must have local administrator privileges. You can use a local computer account, or a domain account with administrative rights if domain policy allows the use of cached credentials. After converting the computer to a VM, you must be able to sign in on this VM with administrator rights while the VM is disconnected from the corporate network. + +2. [Determine the VM generation and partition type](#determine-the-vm-generation-and-partition-type) that is required. +3. Based on the VM generation and partition type, perform one of the following procedures: [Prepare a generation 1 VM](#prepare-a-generation-1-vm), [Prepare a generation 2 VM](#prepare-a-generation-2-vm), or [prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk). + +#### Determine the VM generation and partition type + +When creating a VM in Hyper-V, you must specify either generation 1 or generation 2. The following table describes requirements for these two types of VMs. + +
          + + + + + + + + + + + + + + + + + + + + +
          ArchitectureOperating systemPartition style
          Generation 132-bit or 64-bitWindows 7 or laterMBR
          Generation 264-bitWindows 8 or laterMBR or GPT
          + +
          + +If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to a generation 1 VM. Otherwise, it can be converted to a generation 2 VM. + +- To determine the OS and architecture of a PC, type **systeminfo** at a command prompt and review the output next to **OS Name** and **System Type**. +- To determine the partition style, open a Windows PowerShell prompt on the PC and type the following command: + +
          +Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
+
          + +If the **Type** column does not indicate GPT, then the disk partition format is MBR ("Installable File System" = MBR). In the following example, the disk is GPT: + +
          +PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
+
+SystemName                           Caption                                 Type
+----------                           -------                                 ----
+USER-PC1                             Disk #0, Partition #0                   GPT: System
+USER-PC1                             Disk #0, Partition #1                   GPT: Basic Data
+
          + +On a computer running Windows 8 or later, you can also type **Get-Disk** at a Windows PowerShell prompt to discover the partition style. The default output of this cmdlet displays the partition style for all attached disks. Both commands are displayed below. In this example, the client computer is running Windows 8.1 and uses a GPT style partition format: + +
          +PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
+
+SystemName                            Caption                               Type
+----------                            -------                               ----
+PC-X1                                 Disk #0, Partition #0                 GPT: Unknown
+PC-X1                                 Disk #0, Partition #1                 GPT: System
+PC-X1                                 Disk #0, Partition #2                 GPT: Basic Data
+PC-X1                                 Disk #0, Partition #3                 GPT: Basic Data
+PC-X1                                 Disk #0, Partition #4                 GPT: Basic Data
+
+PS C:> Get-Disk
+
+Number Friendly Name                  OperationalStatus                     Total Size Partition Style
+------ -------------                  -----------------                     ---------- ---------------
+0      INTEL SSDSCMMW240A3L           Online                                223.57 GB GPT
+
          + + + +**Choosing a VM generation** + +The following table displays the Hyper-V VM generation to choose based on the OS, architecture, and partition style. Links to procedures to create the corresponding VMs are included. + +
          + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          OSPartition styleArchitectureVM generationProcedure
          Windows 7MBR321Prepare a generation 1 VM
          641Prepare a generation 1 VM
          GPT32N/AN/A
          641Prepare a generation 1 VM from a GPT disk
          Windows 8 or laterMBR321Prepare a generation 1 VM
          641, 2Prepare a generation 1 VM
          GPT321Prepare a generation 1 VM from a GPT disk
          642Prepare a generation 2 VM
          + +
          + +Notes:
          +
            +
          • If the PC is running Windows 7, it can only be converted and hosted in Hyper-V as a generation 1 VM. This Hyper-V requirement means that if the Windows 7 PC is also using a GPT partition style, the OS disk can be shadow copied, but a new system partition must be created. In this case, see Prepare a generation 1 VM from a GPT disk. +
          • If the PC is running Windows 8 or later and uses the GPT partition style, you can capture the disk image and create a generation 2 VM. To do this, you must temporarily mount the EFI system partition which is accomplished using the mountvol command. In this case, see Prepare a generation 2 VM. +
          • If the PC is using an MBR partition style, you can convert the disk to VHD and use it to create a generation 1 VM. If you use the Disk2VHD tool described in this guide, it is not necessary to mount the MBR system partition, but it is still necessary to capture it. In this case, see Prepare a generation 1 VM. +
          + +#### Prepare a generation 1 VM + +1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert. + + >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. + +2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. +3. Select the checkboxes next to the **C:\\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example. **Important**: You must include the system volume in order to create a bootable VHD. If this volume is not displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation). +4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and click **Create**. See the following example: + + ![disk2vhd](images/disk2vhd.png) + + >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. + +5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (w7.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: + + 
          +    C:\vhd>dir /B
+    2012R2-poc-1.vhd
+    2012R2-poc-2.vhd
+    w10-enterprise.iso
+    w7.VHDX
+
          + +#### Prepare a generation 2 VM + +1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert. + + >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. + +2. On the computer you wish to convert, open an elevated command prompt and type the following command: + + 
          mountvol s: /s
          + + This command temporarily assigns a drive letter of S to the system volume and mounts it. If the letter S is already assigned to a different volume on the computer, then choose one that is available (ex: mountvol z: /s). + +3. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. +4. Select the checkboxes next to the **C:\\** and the **S:\\** volumes, and clear the **Use Volume Shadow Copy checkbox**. Volume shadow copy will not work if the EFI system partition is selected. + + **Important**: You must include the EFI system partition in order to create a bootable VHD. The Windows RE tools partition (shown below) is not required, but it can also be converted if desired. + +5. Specify a location to save the resulting VHD or VHDX file (F:\VHD\PC1.vhdx in the following example) and click **Create**. See the following example: + + ![disk2vhd](images/disk2vhd-gen2.png) + + >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. + +6. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (PC1.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: + + 
          +    C:\vhd>dir /B
+    2012R2-poc-1.vhd
+    2012R2-poc-2.vhd
+    w10-enterprise.iso
+    PC1.VHDX
+
          + +#### Prepare a generation 1 VM from a GPT disk + +1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert. + + >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. + +2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. +3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**. Note: the system volume is not copied in this scenario, it will be added later. +4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and click **Create**. See the following example: + + ![disk2vhd](images/disk2vhd4.png) + + >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. + +5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHD file (w7.vhd) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: + + 
          +    C:\vhd>dir /B
+    2012R2-poc-1.vhd
+    2012R2-poc-2.vhd
+    w10-enterprise.iso
+    w7.VHD
+
          + + >In its current state, the w7.VHD file is not bootable. The VHD will be used to create a bootable VM later in the [Configure Hyper-V](#configure-hyper-v) section. + +### Resize VHD + +
          +Enhanced session mode + +**Important**: Before proceeding, verify that you can take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer. + +To ensure that enhanced session mode is enabled on the Hyper-V host, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: + +
          Set-VMhost -EnableEnhancedSessionMode $TRUE
          + +>If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex. + +
          + +The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 100GB to support installing imaging tools and storing OS images. + +1. To add available space for the partition, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + + 
          +    Resize-VHD –Path c:\VHD\2012R2-poc-2.vhd –SizeBytes 100GB
+    $x = (Mount-VHD –Path c:\VHD\2012R2-poc-2.vhd -passthru | Get-Disk | Get-Partition | Get-Volume).DriveLetter
+    Resize-Partition -DriveLetter $x -Size (Get-PartitionSupportedSize -DriveLetter $x).SizeMax
+
          + +2. Verify that the mounted VHD drive is resized to 100 GB, and then dismount the drive: + + 
          +    Get-Volume -DriveLetter $x
+    Dismount-VHD –Path c:\VHD\2012R2-poc-2.vhd
          + +### Configure Hyper-V + +1. Open an elevated Windows PowerShell window and type the following command to create two virtual switches named "poc-internal" and "poc-external": + + >If the Hyper-V host already has an external virtual switch bound to a physical NIC, do not attempt to add a second external virtual switch. Attempting to add a second external switch will result in an error indicating that the NIC is **already bound to the Microsoft Virtual Switch protocol.** In this case, choose one of the following options:
          +    A) Remove the existing external virtual switch, then add the poc-external switch
          +    B) Rename the existing external switch to "poc-external"
          +    C) Replace each instance of "poc-external" used in this guide with the name of your existing external virtual switch
          + If you choose B) or C), then do not run the second command below. + + 
          +    New-VMSwitch -Name poc-internal -SwitchType Internal -Notes "PoC Network"
+    New-VMSwitch -Name poc-external -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name -Notes "PoC External"
+
          + + **Note**: The second command above will temporarily interrupt network connectivity on the Hyper-V host. + + >Since an external virtual switch is associated to a physical network adapter on the Hyper-V host, this adapter must be specified when adding the virtual switch. The previous commands automate this by filtering for active non-virtual ethernet adapters using the Get-NetAdapter cmdlet ($_.Status -eq "Up" -and !$_.Virtual). If your Hyper-V host is dual-homed with multiple active ethernet adapters, this automation will not work, and the second command above will fail. In this case, you must edit the command used to add the "poc-external" virtual switch by inserting the appropriate NetAdapterName. The NetAdapterName value corresponds to the name of the network interface you wish to use. For example, if the network interface you use on the Hyper-V host to connect to the Internet is named "Ethernet 2" then type the following command to create an external virtual switch: New-VMSwitch -Name poc-external -NetAdapterName "Ethernet 2" -Notes "PoC External" + +2. At the elevated Windows PowerShell prompt, type the following command to determine the megabytes of RAM that are currently available on the Hyper-V host: + + 
          +    (Get-VMHostNumaNode).MemoryAvailable
+
          + + This command will display the megabytes of RAM available for VMs. On a Hyper-V host computer with 16 GB of physical RAM installed, 10,000 MB of RAM or greater should be available if the computer is not also running other applications. On a computer with 8 GB of physical RAM installed, at least 4000 MB should be available. If the computer has less RAM available than this, try closing applications to free up more memory. + +3. Determine the available memory for VMs by dividing the available RAM by 4. For example: + + 
          +    (Get-VMHostNumaNode).MemoryAvailable/4
+    2775.5
+
          + + In this example, VMs can use a maximum of 2700 MB of RAM each, to run four VMs simultaneously. + +4. At the elevated Windows PowerShell prompt, type the following command to create two new VMs. Other VMs will be added later. + >**Important**: Replace the value of 2700MB for $maxRAM in the first command below with the RAM value that you calculated in the previous step. + + 
          +    $maxRAM = 2700MB
+    New-VM -Name "DC1" -VHDPath c:\vhd\2012R2-poc-1.vhd -SwitchName poc-internal
+    Set-VMMemory -VMName "DC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
+    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName DC1
+    New-VM -Name "SRV1" -VHDPath c:\vhd\2012R2-poc-2.vhd -SwitchName poc-internal
+    Add-VMNetworkAdapter -VMName "SRV1" -SwitchName "poc-external"
+    Set-VMMemory -VMName "SRV1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 80
+    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName SRV1
+
          + + **Note**: The RAM values assigned to VMs in this step are not permanent, and can be easily increased or decreased later if needed to address performance issues. + +5. Using the same elevated Windows PowerShell prompt that was used in the previous step, type one of the following sets of commands, depending on the type of VM that was prepared in the [Determine VM generation](#determine-vm-generation) section, either generation 1, generation 2, or generation 1 with GPT. + + To create a generation 1 VM (using c:\vhd\w7.vhdx): + + 
          +    New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhdx -SwitchName poc-internal
+    Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
+    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
+
          + + To create a generation 2 VM (using c:\vhd\PC1.vhdx): + + 
          +    New-VM -Name "PC1" -Generation 2 -VHDPath c:\vhd\PC1.vhdx -SwitchName poc-internal
+    Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
+    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
+
          + + To create a generation 1 VM from a GPT disk (using c:\vhd\w7.vhd): + + >Note: The following procedure is more complex because it includes steps to convert the OS partition from GPT to MBR format. Steps are included to create a temporary VHD and attach it to the VM, the OS image is saved to this drive, the OS drive is then reformatted to MBR, the OS image restored, and the temporary drive is removed. + + First, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to create a temporary VHD that will be used to save the OS image. Do not forget to include a pipe (|) at the end of the first five commands: + + 
          +    New-VHD -Path c:\vhd\d.vhd -SizeBytes 1TB |
+    Mount-VHD -Passthru |
+    Get-Disk -Number {$_.DiskNumber} |
+    Initialize-Disk -PartitionStyle MBR -PassThru |
+    New-Partition -UseMaximumSize |
+    Format-Volume -Confirm:$false -FileSystem NTFS -force
+    Dismount-VHD -Path c:\vhd\d.vhd
+
          + + Next, create the PC1 VM with two attached VHDs, and boot to DVD ($maxram must be defined previously using the same Windows PowerShell promt): + + 
          +    New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhd -SwitchName poc-internal
+    Add-VMHardDiskDrive -VMName PC1 -Path c:\vhd\d.vhd
+    Set-VMDvdDrive -VMName PC1 -Path c:\vhd\w10-enterprise.iso
+    Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
+    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
+    Start-VM PC1
+    vmconnect localhost PC1
+
          + + The VM will automatically boot into Windows Setup. In the PC1 window: + + 1. Click **Next**. + 2. Click **Repair your computer**. + 3. Click **Troubleshoot**. + 4. Click **Command Prompt**. + 5. Type the following command to save an image of the OS drive: + + 
          +      dism /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C
+
          + + 6. Wait for the OS image to complete saving, and then type the following commands to convert the C: drive to MBR: + + 
          +      diskpart
+      select disk 0
+      clean
+      convert MBR
+      create partition primary size=100
+      format fs=ntfs quick
+      active
+      create partition primary
+      format fs=ntfs quick label=OS
+      assign letter=c
+      exit
+
          + + 7. Type the following commands to restore the OS image and boot files: + + 
          +      dism /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\
+      bcdboot c:\windows
+      exit
+
          + + 8. Click **Continue** and verify the VM boots successfully (do not boot from DVD). + 9. Click **Ctrl+Alt+Del**, and then in the bottom right corner, click **Shut down**. + 10. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to remove the temporary disks and drives from PC1: + + 
          +       Remove-VMHardDiskDrive -VMName PC1 -ControllerType IDE -ControllerNumber 0 -ControllerLocation 1
+       Set-VMDvdDrive -VMName PC1 -Path $null
+
          + +### Configure VMs + +1. At an elevated Windows PowerShell prompt on the Hyper-V host, start the first Windows Server VM and connect to it by typing the following commands: + + 
          +    Start-VM DC1
+    vmconnect localhost DC1
+
          + +2. Click **Next** to accept the default settings, read the license terms and click **I accept**, provide an administrator password of pass@word1, and click **Finish**. +3. Click **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account. +4. Right-click **Start**, point to **Shut down or sign out**, and click **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, click **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It is only necessary to do this the first time you sign in to a new VM. +5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway: + + 
          +    Rename-Computer DC1
+    New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.1 –PrefixLength 24 -DefaultGateway 192.168.0.2
+    Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
+
          + + > The default gateway at 192.168.0.2 will be configured later in this guide. + > + > Note: A list of available tasks for an app will be populated the first time you run it on the taskbar. Because these tasks aren't available until the App has been run, you will not see the **Run as Administrator** task until you have left-clicked Windows PowerShell for the first time. In this newly created VM, you will need to left-click Windows PowerShell one time, and then you can right-click and choose Run as Administrator to open an elevated Windows PowerShell prompt. + +6. Install the Active Directory Domain Services role by typing the following command at an elevated Windows PowerShell prompt: + + 
          +    Install-WindowsFeature -Name AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools
+
          + +7. Before promoting DC1 to a Domain Controller, you must reboot so that the name change in step 3 above takes effect. To restart the computer, type the following command at an elevated Windows PowerShell prompt: + + 
          +    Restart-Computer
+
          + +8. When DC1 has rebooted, sign in again and open an elevated Windows PowerShell prompt. Now you can promote the server to be a domain controller. The directory services restore mode password must be entered as a secure string. Type the following commands at the elevated Windows PowerShell prompt: + + 
          +    $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
+    Install-ADDSForest -DomainName contoso.com -InstallDns -SafeModeAdministratorPassword $pass -Force
+
          + + Ignore any warnings that are displayed. The computer will automatically reboot upon completion. + +9. When the reboot has completed, reconnect to DC1, sign in using the CONTOSO\Administrator account, open an elevated Windows PowerShell prompt, and use the following commands to add a reverse lookup zone for the PoC network, add the DHCP Server role, authorize DHCP in Active Directory, and suppress the post-DHCP-install alert: + + 
          +    Add-DnsServerPrimaryZone -NetworkID "192.168.0.0/24" -ReplicationScope Forest
+    Add-WindowsFeature -Name DHCP -IncludeManagementTools
+    netsh dhcp add securitygroups
+    Restart-Service DHCPServer
+    Add-DhcpServerInDC  dc1.contoso.com  192.168.0.1
+    Set-ItemProperty –Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 –Name ConfigurationState –Value 2
+
          + +10. Next, add a DHCP scope and set option values: + + 
          +    Add-DhcpServerv4Scope -Name "PoC Scope" -StartRange 192.168.0.100 -EndRange 192.168.0.199 -SubnetMask 255.255.255.0 -Description "Windows 10 PoC" -State Active
+    Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -DnsDomain contoso.com -Router 192.168.0.2 -DnsServer 192.168.0.1,192.168.0.2 -Force
+
          + + >The -Force option is necessary when adding scope options to skip validation of 192.168.0.2 as a DNS server because we have not configured it yet. The scope should immediately begin issuing leases on the PoC network. The first DHCP lease that will be issued is to vEthernet interface on the Hyper-V host, which is a member of the internal network. You can verify this by using the command: Get-DhcpServerv4Lease -ScopeId 192.168.0.0. + +11. The DNS server role will also be installed on the member server, SRV1, at 192.168.0.2 so that we can forward DNS queries from DC1 to SRV1 to resolve Internet names without having to configure a forwarder outside the PoC network. Since the IP address of SRV1 already exists on DC1's network adapter, it will be automatically added during the DCPROMO process. To verify this server-level DNS forwarder on DC1, type the following command at an elevated Windows PowerShell prompt on DC1: + + 
          +    Get-DnsServerForwarder
+
          + + The following output should be displayed: + + 
          +    UseRootHint        : True
+    Timeout(s)         : 3
+    EnableReordering   : True
+    IPAddress          : 192.168.0.2
+    ReorderedIPAddress : 192.168.0.2
+
          + + If this output is not displayed, you can use the following command to add SRV1 as a forwarder: + + 
          +    Add-DnsServerForwarder -IPAddress 192.168.0.2
+
          + + **Configure service and user accounts** + + Windows 10 deployment with MDT and System Center Configuration Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire. + + >To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + + On DC1, open an elevated Windows PowerShell prompt and type the following commands: + + 
          +    New-ADUser -Name User1 -UserPrincipalName user1 -Description "User account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
+    New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
+    New-ADUser -Name CM_JD -UserPrincipalName CM_JD -Description "Configuration Manager Join Domain Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
+    New-ADUser -Name CM_NAA -UserPrincipalName CM_NAA -Description "Configuration Manager Network Access Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
+    Add-ADGroupMember "Domain Admins" MDT_BA,CM_JD,CM_NAA
+    Set-ADUser -Identity user1 -PasswordNeverExpires $true
+    Set-ADUser -Identity administrator -PasswordNeverExpires $true
+    Set-ADUser -Identity MDT_BA -PasswordNeverExpires $true
+    Set-ADUser -Identity CM_JD -PasswordNeverExpires $true
+    Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true
+
          + +12. Minimize the DC1 VM window but **do not stop** the VM. + + Next, the client VM will be started and joined to the contoso.com domain. This is done before adding a gateway to the PoC network so that there is no danger of duplicate DNS registrations for the physical client and its cloned VM in the corporate domain. + +13. If the PC1 VM is not started yet, using an elevated Windows PowerShell prompt on the Hyper-V host, start the client VM (PC1), and connect to it: + + 
          +    Start-VM PC1
+    vmconnect localhost PC1
+
          + +14. Sign in to PC1 using an account that has local administrator rights. + + >PC1 will be disconnected from its current domain, so you cannot use a domain account to sign on unless these credentials are cached and the use of cached credentials is permitted by Group Policy. If cached credentials are available and permitted, you can use these credentials to sign in. Otherwise, use an existing local administrator account. + +15. After signing in, the operating system detects that it is running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you will be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. You can monitor device driver installation by clicking **Show hidden icons** in the notification area. + + ![PoC](images/installing-drivers.png) + + >If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease. + +16. When the new network adapter driver has completed installation, you will receive an alert to set a network location for the contoso.com network. Select **Work network** and then click **Close**. When you receive an alert that a restart is required, click **Restart Later**. + +17. Open an elevated Windows PowerShell prompt on PC1 and verify that the client VM has received a DHCP lease and can communicate with the consoto.com domain controller. + + To open Windows PowerShell on Windows 7, click **Start**, and search for "**power**." Right-click **Windows PowerShell** and then click **Pin to Taskbar** so that it is simpler to use Windows Powershell during this lab. Click **Windows PowerShell** on the taskbar, and then type **ipconfig** at the prompt to see the client's current IP address. Also type **ping dc1.contoso.com** and **nltest /dsgetdc:contoso.com** to verify that it can reach the domain controller. See the following examples of a successful network connection: + + ``` + ipconfig + + Windows IP Configuration + + Ethernet adapter Local Area Connection 3: + Connection-specific DNS Suffix . : contoso.com + Link-local IPv6 Address . . . . . : fe80::64c2:4d2a:7403:6e02%18 + Ipv4 Address. . . . . . . . . . . : 192.168.0.101 + Subnet Mask . . . . . . . . . . . : 255.255.255.0 + Default Gateway . . . . . . . . . : 192.168.0.2 + + ping dc1.contoso.com + + Pinging dc1.contoso.com [192.168.0.1] with 32 bytes of data: + Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 + Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 + Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 + Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 + + nltest /dsgetdc:contoso.com + DC: \\DC1 + Address: \\192.168.0.1 + Dom Guid: fdbd0643-d664-411b-aea0-fe343d7670a8 + Dom Name: CONTOSO + Forest Name: contoso.com + Dc Site Name: Default-First-Site-Name + Our Site Name: Default-First-Site-Name + Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET WS 0xC000 + ``` + + >If PC1 is running Windows 7, enhanced session mode might not be available, which means that you cannot copy and paste commands from the Hyper-V host to a Windows PowerShell prompt on PC1. However, it is possible to use integration services to copy a file from the Hyper-V host to a VM. The next procedure demonstrates this. If the Copy-VMFile command fails, then type the commands below at an elevated Windows PowerShell prompt on PC1 instead of saving them to a script to run remotely. If PC1 is running Windows 8 or a later operating system, you can use enhanced session mode to copy and paste these commands instead of typing them. + +18. Minimize the PC1 window and switch to the Hyper-V host computer. Open an elevated Windows PowerShell ISE window on the Hyper-V host (right-click Windows PowerShell and then click **Run ISE as Administrator**) and type the following commands in the (upper) script editor pane: + + 
          +    (Get-WmiObject Win32_ComputerSystem).UnjoinDomainOrWorkgroup($null,$null,0)
+    $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
+    $user = "contoso\administrator"
+    $cred = New-Object System.Management.Automation.PSCredential($user,$pass)
+    Add-Computer -DomainName contoso.com -Credential $cred
+    Restart-Computer
+
          + + >If you do not see the script pane, click **View** and verify **Show Script Pane Top** is enabled. Click **File** and then click **New**. + + See the following example: + + ![ISE](images/ISE.png) + +19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host. +20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1: + + 
          +    Enable-VMIntegrationService -VMName PC1 -Name "Guest Service Interface"
+    Copy-VMFile "PC1" –SourcePath "C:\VHD\pc1.ps1"  –DestinationPath "C:\pc1.ps1" –CreateFullPath –FileSource Host
+
          + + >In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service. + + If the copy-vmfile command does not work and you cannot properly enable or upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration of automation methods that can be used in a Hyper-V environment when enhanced session mode is not available. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file. + +21. On PC1, type the following commands at an elevated Windows PowerShell prompt: + + 
          +    Get-Content c:\pc1.ps1 | powershell.exe -noprofile -
+
          + + >The commands in this script might take a few moments to complete. If an error is displayed, check that you typed the command correctly, paying close attention to spaces. PC1 is removed from its domain in this step while not connected to the corporate network so as to ensure the computer object in the corporate domain is unaffected. PC1 is also not renamed to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer. + +22. Upon completion of the script, PC1 will automatically restart. When it has restarted, sign in to the contoso.com domain using the **Switch User** option, with the **user1** account you created in step 11 of this section. + >**Important**: The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all user accounts, or only other specified accounts. If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing. +23. Minimize the PC1 window but do not turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services. +24. On the Hyper-V host computer, at an elevated Windows PowerShell prompt, type the following commands: + + 
          +    Start-VM SRV1
+    vmconnect localhost SRV1
+
          + +25. Accept the default settings, read license terms and accept them, provide an administrator password of pass@word1, and click **Finish**. When you are prompted about finding PCs, devices, and content on the network, click **Yes**. +26. Sign in to SRV1 using the local administrator account. In the same way that was done on DC1, sign out of SRV1 and then sign in again to enable enhanced session mode. This will enable you to copy and paste Windows PowerShell commands from the Hyper-V host to the VM. +27. Open an elevated Windows PowerShell prompt on SRV1 and type the following commands: + + 
          +    Rename-Computer SRV1
+    New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.2 –PrefixLength 24
+    Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
+    Restart-Computer
+
          + + >[!IMPORTANT] + >Verify that you are configuring the correct interface in this step. The commands in this step assume that the poc-internal interface on SRV1 is named "Ethernet." If you are unsure how to check the interface, see step #30 below for instructions and tips on how to verify and modify the interface name. + +28. Wait for the computer to restart, sign in again, then type the following commands at an elevated Windows PowerShell prompt: + + 
          +    $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
+    $user = "contoso\administrator"
+    $cred = New-Object System.Management.Automation.PSCredential($user,$pass)
+    Add-Computer -DomainName contoso.com -Credential $cred
+    Restart-Computer
+
          + +29. Sign in to the contoso.com domain on SRV1 using the domain administrator account (enter contoso\administrator as the user), open an elevated Windows PowerShell prompt, and type the following commands: + + 
          +    Install-WindowsFeature -Name DNS -IncludeManagementTools
+    Install-WindowsFeature -Name WDS -IncludeManagementTools
+    Install-WindowsFeature -Name Routing -IncludeManagementTools
+
          + +30. Before configuring the routing service that was just installed, verify that network interfaces were added to SRV1 in the right order, resulting in an interface alias of "Ethernet" for the private interface, and an interface alias of "Ethernet 2" for the public interface. Also verify that the external interface has a valid external DHCP IP address lease. + + To view a list of interfaces, associated interface aliases, and IP addresses on SRV1, type the following Windows PowerShell command. Example output of the command is also shown below: + + 
          +    Get-NetAdapter | ? status -eq ‘up’ | Get-NetIPAddress -AddressFamily IPv4 | ft IPAddress, InterfaceAlias
+
+    IPAddress                                                                  InterfaceAlias
+    ---------                                                                  --------------
+    10.137.130.118                                                             Ethernet 2
+    192.168.0.2                                                                Ethernet
+
          + + In this example, the poc-internal network interface at 192.168.0.2 is associated with the "Ethernet" interface and the Internet-facing poc-external interface is associated with the "Ethernet 2" interface. If your interfaces are different, you must adjust the commands provided in the next step appropriately to configure routing services. Also note that if the "Ethernet 2" interface has an IP address in the 192.168.0.100-105 range then it likely is getting a DHCP lease from DC1 instead of your corporate network. If this is the case, you can try removing and re-adding the second network interface from the SRV1 VM through its Hyper-V settings. + + >[!TIP] + >Sometimes a computer will have hidden, disconnected interfaces that prevent you from naming a network adapter. When you attempt to rename an adapter, you will receive an error that the adapter name already exists. These disconnected devices can be viewed in device manager by clicking **View** and then clicking **Show hidden devices**. The disconnected device can then be uninstalled, enabling you to reuse the adapter name. + + +31. To configure SRV1 with routing capability for the PoC network, type or paste the following commands at an elevated Windows PowerShell prompt on SRV1: + + 
          +    Install-RemoteAccess -VpnType Vpn
+    cmd /c netsh routing ip nat install
+    cmd /c netsh routing ip nat add interface name="Ethernet 2" mode=FULL
+    cmd /c netsh routing ip nat add interface name="Ethernet" mode=PRIVATE
+    cmd /c netsh routing ip nat add interface name="Internal" mode=PRIVATE
+
          + +32. The DNS service on SRV1 also needs to resolve hosts in the contoso.com domain. This can be accomplished with a conditional forwarder. Open an elevated Windows PowerShell prompt on SRV1 and type the following command: + + 
          +    Add-DnsServerConditionalForwarderZone -Name contoso.com -MasterServers 192.168.0.1
+
          + +33. In most cases, this completes configuration of the PoC network. However, if your corporate network has a firewall that filters queries from local DNS servers, you will also need to configure a server-level DNS forwarder on SRV1 to resolve Internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the Internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example: + + 
          +    ping www.microsoft.com
+
          + + If you see "Ping request could not find host www.microsoft.com" on PC1 and DC1, but not on SRV1, then you will need to configure a server-level DNS forwarder on SRV1. To do this, open an elevated Windows PowerShell prompt on SRV1 and type the following command. + + **Note**: This command also assumes that "Ethernet 2" is the external-facing network adapter on SRV1. If the external adapter has a different name, replace "Ethernet 2" in the command below with that name: + + 
          +    Add-DnsServerForwarder -IPAddress (Get-DnsClientServerAddress -InterfaceAlias "Ethernet 2").ServerAddresses
+
          + +34. If DNS and routing are both working correctly, you will see the following on DC1 and PC1 (the IP address might be different, but that is OK): + + 
          +    PS C:\> ping www.microsoft.com
+
+    Pinging e2847.dspb.akamaiedge.net [23.222.146.170] with 32 bytes of data:
+    Reply from 23.222.146.170: bytes=32 time=3ms TTL=51
+    Reply from 23.222.146.170: bytes=32 time=2ms TTL=51
+    Reply from 23.222.146.170: bytes=32 time=2ms TTL=51
+    Reply from 23.222.146.170: bytes=32 time=1ms TTL=51
+
+    Ping statistics for 23.222.146.170:
+        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
+    Approximate round trip times in milli-seconds:
+        Minimum = 1ms, Maximum = 3ms, Average = 2ms
+
          + +35. Verify that all three VMs can reach each other, and the Internet. See [Appendix A: Verify the configuration](#appendix-a-verify-the-configuration) for more information. +36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in 3 days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1: + + 
          +    runas /noprofile /env /user:administrator@contoso.com "cmd /c slmgr -rearm"
+    Restart-Computer
+
          + +This completes configuration of the starting PoC environment. Additional services and tools are installed in subsequent guides. + +## Appendix A: Verify the configuration + +Use the following procedures to verify that the PoC environment is configured properly and working as expected. + +1. On DC1, open an elevated Windows PowerShell prompt and type the following commands: + + 
          +    Get-Service NTDS,DNS,DHCP
+    DCDiag -a
+    Get-DnsServerResourceRecord -ZoneName contoso.com -RRType A
+    Get-DnsServerForwarder
+    Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
+    Get-DhcpServerInDC
+    Get-DhcpServerv4Statistics
+    ipconfig /all
+
          + + **Get-Service** displays a status of "Running" for all three services.
          + **DCDiag** displays "passed test" for all tests.
          + **Get-DnsServerResourceRecord** displays the correct DNS address records for DC1, SRV1, and the computername of PC1. Additional address records for the zone apex (@), DomainDnsZones, and ForestDnsZones will also be registered.
          + **Get-DnsServerForwarder** displays a single forwarder of 192.168.0.2.
          + **Resolve-DnsName** displays public IP address results for www.microsoft.com.
          + **Get-DhcpServerInDC** displays 192.168.0.1, dc1.contoso.com.
          + **Get-DhcpServerv4Statistics** displays 1 scope with 2 addresses in use (these belong to PC1 and the Hyper-V host).
          + **ipconfig** displays a primary DNS suffix and suffix search list of contoso.com, IP address of 192.168.0.1, subnet mask of 255.255.255.0, default gateway of 192.168.0.2, and DNS server addresses of 192.168.0.1 and 192.168.0.2. + +2. On SRV1, open an elevated Windows PowerShell prompt and type the following commands: + + 
          +    Get-Service DNS,RemoteAccess
+    Get-DnsServerForwarder
+    Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
+    ipconfig /all
+    netsh int ipv4 show address
+
          + + **Get-Service** displays a status of "Running" for both services.
          + **Get-DnsServerForwarder** either displays no forwarders, or displays a list of forwarders you are required to use so that SRV1 can resolve Internet names.
          + **Resolve-DnsName** displays public IP address results for www.microsoft.com.
          + **ipconfig** displays a primary DNS suffix of contoso.com. The suffix search list contains contoso.com and your corporate domain. Two ethernet adapters are shown: Ethernet adapter "Ethernet" has an IP addresses of 192.168.0.2, subnet mask of 255.255.255.0, no default gateway, and DNS server addresses of 192.168.0.1 and 192.168.0.2. Ethernet adapter "Ethernet 2" has an IP address, subnet mask, and default gateway configured by DHCP on your corporate network.
          + **netsh** displays three interfaces on the computer: interface "Ethernet 2" with DHCP enabled = Yes and IP address assigned by your corporate network, interface "Ethernet" with DHCP enabled = No and IP address of 192.168.0.2, and interface "Loopback Pseudo-Interface 1" with IP address of 127.0.0.1. + +3. On PC1, open an elevated Windows PowerShell prompt and type the following commands: + + 
          +    whoami
+    hostname
+    nslookup www.microsoft.com
+    ping -n 1 dc1.contoso.com
+    tracert www.microsoft.com
+
          + + **whoami** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed.
          + **hostname** displays the name of the local computer, for example W7PC-001.
          + **nslookup** displays the DNS server used for the query, and the results of the query. For example, server dc1.contoso.com, address 192.168.0.1, Name e2847.dspb.akamaiedge.net.
          + **ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it cannot be resolved, "..could not find host" will be diplayed and if the target is found and also responds to ICMP, you will see "Reply from" and the IP address of the target.
          + **tracert** displays the path to reach the destination, for example srv1.contoso.com [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination. + + +## Appendix B: Terminology used in this guide + +

            + +

          + + +
          TermDefinition +
          GPTGUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. +
          Hyper-VHyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8. +
          Hyper-V hostThe computer where Hyper-V is installed. +
          Hyper-V ManagerThe user-interface console used to view and configure Hyper-V. +
          MBRMaster Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format. +
          Proof of concept (PoC)Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process. +
          Shadow copyA copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes. +
          Virtual machine (VM)A VM is a virtual computer with its own operating system, running on the Hyper-V host. +
          Virtual switchA virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host. +
          VM snapshotA point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken. +
          + +
          + +## Related Topics + + +[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) + + + + + + + + diff --git a/windows/deployment/windows-10-pro-in-s-mode.md b/windows/deployment/windows-10-pro-in-s-mode.md index e38607bd29..412dceea4f 100644 --- a/windows/deployment/windows-10-pro-in-s-mode.md +++ b/windows/deployment/windows-10-pro-in-s-mode.md @@ -1,90 +1,90 @@ ---- -title: Switch to Windows 10 Pro/Enterprise from S mode -ms.reviewer: -manager: laurawi -ms.author: greg-lindsay -description: Overview of Windows 10 Pro/Enterprise in S mode. S mode switch options are also outlined in this document. Switching out of S mode is optional. -keywords: Windows 10 S switch, S mode Switch, Switch in S mode, s mode switch, Windows 10 S, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Pro in S mode -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.prod: w10 -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.collection: M365-modern-desktop -ms.topic: article ---- - -# Switch to Windows 10 Pro or Enterprise from S mode - -We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro, Home, or Enterprise (not in S mode). You can switch devices running Windows 10, version 1709 or later. - - -A number of other transformations are possible depending on which version and edition of Windows 10 you are starting with. Depending on the details, you might *switch* between S mode and the ordinary version or *convert* between different editions while staying in or out of S mode. The following quick reference table summarizes all of the switches or conversions that are supported by various means: - - - - -| If a device is running this version of Windows 10 | and this edition of Windows 10 | then you can switch or convert it to this edition of Windows 10 by these methods: | | | -|-------------|---------------------|-----------------------------------|-------------------------------|--------------------------------------------| -| | | **Store for Education** (switch/convert all devices in your tenant) | **Microsoft Store** (switch/convert one device at a time) | **Intune** (switch/convert any number of devices selected by admin) | -| **Windows 10, version 1709** | Pro in S mode | Pro EDU | Pro | Not by this method | -| | Pro | Pro EDU | Not by any method | Not by any method | -| | Home | Not by any method | Not by any method | Not by any method | -| | | | | | -| **Windows 10, version 1803** | Pro in S mode | Pro EDU in S mode | Pro | Not by this method | -| | Pro | Pro EDU | Not by any method | Not by any method | -| | Home in S mode | Not by any method | Home | Not by this method | -| | Home | Not by any method | Not by any method | Not by any method | -| | | | | | -| **Windows 10, version 1809** | Pro in S mode | Pro EDU in S mode | Pro | Pro | -| | Pro | Pro EDU | Not by any method | Not by any method | -| | Home in S mode | Not by any method | Home | Home | -| | Home | Not by any method | Not by any method | Not by any method | - - -Use the following information to switch to Windows 10 Pro through the Microsoft Store. -> [!IMPORTANT] -> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to rollback this kind of switch is through a [bare-metal recovery (BMR)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset. - -## Switch one device through the Microsoft Store -Use the following information to switch to Windows 10 Pro through the Microsoft Store or by navigating to **Settings** and then **Activation** on the device. - -Note these differences affecting switching modes in various releases of Windows 10: - -- In Windows 10, version 1709, you can switch devices one at a time from Windows 10 Pro in S mode to Windows 10 Pro by using the Microsoft Store or **Settings**. No other switches are possible. -- In Windows 10, version 1803, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store or **Settings**. -- Windows 10, version 1809, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store, **Settings**, or you can switch multiple devices in bulk by using Intune. You can also block users from switching devices themselves. - - -1. Sign into the Microsoft Store using your Microsoft account. -2. Search for "S mode". -3. In the offer, select **Buy**, **Get**, or **Learn more.** - -You'll be prompted to save your files before the switch starts. Follow the prompts to switch to Windows 10 Pro. - -## Switch one or more devices by using Microsoft Intune - -Starting with Windows 10, version 1809, if you need to switch multiple devices in your environment from Windows 10 Pro in S mode to Windows 10 Pro, you can use Microsoft Intune or any other supported mobile device management software. You can configure devices to switch out of S mode during OOBE or post-OOBE - this gives you flexibility to manage Windows 10 in S mode devices at any point during the device lifecycle. - -1. Start Microsoft Intune. -2. Navigate to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch**. -3. Follow the instructions to complete the switch. - - -## Block users from switching - -You can control which devices or users can use the Microsoft Store to switch out of S mode in Windows 10. -To set this, go to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch in Microsoft Intune**, and then choose **Keep in S mode**. - -## S mode management with CSPs - -In addition to using Microsoft Intune or another modern device management tool to manage S mode, you can also use the [WindowsLicensing](https://docs.microsoft.com/windows/client-management/mdm/windowslicensing-csp) configuration service provider (CSP). In Windows 10, version 1809, we added S mode functionality that lets you switch devices, block devices from switching, and check the status (whether a device is in S mode). - - -## Related topics - -[FAQs](https://support.microsoft.com/help/4020089/windows-10-in-s-mode-faq)
          -[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
          -[Windows 10 Pro Education](https://docs.microsoft.com/education/windows/test-windows10s-for-edu)
          -[Introduction to Microsoft Intune in the Azure portal](https://docs.microsoft.com/intune/what-is-intune) +--- +title: Switch to Windows 10 Pro/Enterprise from S mode +ms.reviewer: +manager: laurawi +ms.audience: itpro author: greg-lindsay +description: Overview of Windows 10 Pro/Enterprise in S mode. S mode switch options are also outlined in this document. Switching out of S mode is optional. +keywords: Windows 10 S switch, S mode Switch, Switch in S mode, s mode switch, Windows 10 S, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Pro in S mode +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.prod: w10 +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Switch to Windows 10 Pro or Enterprise from S mode + +We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro, Home, or Enterprise (not in S mode). You can switch devices running Windows 10, version 1709 or later. + + +A number of other transformations are possible depending on which version and edition of Windows 10 you are starting with. Depending on the details, you might *switch* between S mode and the ordinary version or *convert* between different editions while staying in or out of S mode. The following quick reference table summarizes all of the switches or conversions that are supported by various means: + + + + +| If a device is running this version of Windows 10 | and this edition of Windows 10 | then you can switch or convert it to this edition of Windows 10 by these methods: | | | +|-------------|---------------------|-----------------------------------|-------------------------------|--------------------------------------------| +| | | **Store for Education** (switch/convert all devices in your tenant) | **Microsoft Store** (switch/convert one device at a time) | **Intune** (switch/convert any number of devices selected by admin) | +| **Windows 10, version 1709** | Pro in S mode | Pro EDU | Pro | Not by this method | +| | Pro | Pro EDU | Not by any method | Not by any method | +| | Home | Not by any method | Not by any method | Not by any method | +| | | | | | +| **Windows 10, version 1803** | Pro in S mode | Pro EDU in S mode | Pro | Not by this method | +| | Pro | Pro EDU | Not by any method | Not by any method | +| | Home in S mode | Not by any method | Home | Not by this method | +| | Home | Not by any method | Not by any method | Not by any method | +| | | | | | +| **Windows 10, version 1809** | Pro in S mode | Pro EDU in S mode | Pro | Pro | +| | Pro | Pro EDU | Not by any method | Not by any method | +| | Home in S mode | Not by any method | Home | Home | +| | Home | Not by any method | Not by any method | Not by any method | + + +Use the following information to switch to Windows 10 Pro through the Microsoft Store. +> [!IMPORTANT] +> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to rollback this kind of switch is through a [bare-metal recovery (BMR)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset. + +## Switch one device through the Microsoft Store +Use the following information to switch to Windows 10 Pro through the Microsoft Store or by navigating to **Settings** and then **Activation** on the device. + +Note these differences affecting switching modes in various releases of Windows 10: + +- In Windows 10, version 1709, you can switch devices one at a time from Windows 10 Pro in S mode to Windows 10 Pro by using the Microsoft Store or **Settings**. No other switches are possible. +- In Windows 10, version 1803, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store or **Settings**. +- Windows 10, version 1809, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store, **Settings**, or you can switch multiple devices in bulk by using Intune. You can also block users from switching devices themselves. + + +1. Sign into the Microsoft Store using your Microsoft account. +2. Search for "S mode". +3. In the offer, select **Buy**, **Get**, or **Learn more.** + +You'll be prompted to save your files before the switch starts. Follow the prompts to switch to Windows 10 Pro. + +## Switch one or more devices by using Microsoft Intune + +Starting with Windows 10, version 1809, if you need to switch multiple devices in your environment from Windows 10 Pro in S mode to Windows 10 Pro, you can use Microsoft Intune or any other supported mobile device management software. You can configure devices to switch out of S mode during OOBE or post-OOBE - this gives you flexibility to manage Windows 10 in S mode devices at any point during the device lifecycle. + +1. Start Microsoft Intune. +2. Navigate to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch**. +3. Follow the instructions to complete the switch. + + +## Block users from switching + +You can control which devices or users can use the Microsoft Store to switch out of S mode in Windows 10. +To set this, go to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch in Microsoft Intune**, and then choose **Keep in S mode**. + +## S mode management with CSPs + +In addition to using Microsoft Intune or another modern device management tool to manage S mode, you can also use the [WindowsLicensing](https://docs.microsoft.com/windows/client-management/mdm/windowslicensing-csp) configuration service provider (CSP). In Windows 10, version 1809, we added S mode functionality that lets you switch devices, block devices from switching, and check the status (whether a device is in S mode). + + +## Related topics + +[FAQs](https://support.microsoft.com/help/4020089/windows-10-in-s-mode-faq)
          +[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
          +[Windows 10 Pro Education](https://docs.microsoft.com/education/windows/test-windows10s-for-edu)
          +[Introduction to Microsoft Intune in the Azure portal](https://docs.microsoft.com/intune/what-is-intune) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index cb36507a31..198a7e9aa2 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -1,226 +1,226 @@ ---- -title: Windows 10 Subscription Activation -description: How to dynamically enable Windows 10 Enterprise or Educations subscriptions -keywords: upgrade, update, task sequence, deploy -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -author: greg-lindsay -manager: laurawi -ms.collection: M365-modern-desktop -search.appverid: -- MET150 -ms.topic: article ---- - -# Windows 10 Subscription Activation - -Starting with Windows 10, version 1703 Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro to **Windows 10 Enterprise** automatically if they are subscribed to Windows 10 Enterprise E3 or E5. - -With Windows 10, version 1903 the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education to the Enterprise grade edition for educational institutions – **Windows 10 Education**. - -The Subscription Activation feature eliminates the need to manually deploy Windows 10 Enterprise or Education images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering GVLKs, and subsequently rebooting client devices. - -## Subscription Activation for Windows 10 Enterprise - -With Windows 10, version 1703 both Windows 10 Enterprise E3 and Windows 10 Enterprise E5 are available as online services via subscription. Deploying [Windows 10 Enterprise](planning/windows-10-enterprise-faq-itpro.md) in your organization can now be accomplished with no keys and no reboots. - - If you are running Windows 10, version 1703 or later: - -- Devices with a current Windows 10 Pro license can be seamlessly upgraded to Windows 10 Enterprise. -- Product key-based Windows 10 Enterprise software licenses can be transitioned to Windows 10 Enterprise subscriptions. - -Organizations that have an Enterprise agreement can also benefit from the new service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Azure AD using [Azure AD Connect Sync](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-whatis). - -## Subscription Activation for Windows 10 Education - -Subscription Activation for Education works the same as the Enterprise version, but in order to use Subscription Activation for Education, you must have a device running Windows 10 Pro Education, version 1903 or later and an active subscription plan with a Windows 10 Enterprise license. For more information, see the [requirements](#windows-10-education-requirements) section. - -## In this article - -- [Inherited Activation](#inherited-activation): Description of a new feature available in Windows 10, version 1803 and later. -- [The evolution of Windows 10 deployment](#the-evolution-of-deployment): A short history of Windows deployment. -- [Requirements](#requirements): Prerequisites to use the Windows 10 Subscription Activation model. -- [Benefits](#benefits): Advantages of Windows 10 subscription-based licensing. -- [How it works](#how-it-works): A summary of the subscription-based licensing option. -- [Virtual Desktop Access (VDA)](#virtual-desktop-access-vda): Enable Windows 10 Subscription Activation for VMs in the cloud. - -For information on how to deploy Windows 10 Enterprise licenses, see [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). - -## Inherited Activation - -Inherited Activation is a new feature available in Windows 10, version 1803 that allows Windows 10 virtual machines to inherit activation state from their Windows 10 host. - -When a user with Windows 10 E3/E5 or A3/A5 license assigned creates a new Windows 10 virtual machine (VM) using a Windows 10 local host, the VM inherits the activation state from a host machine independent of whether user signs on with a local account or using an Azure Active Directory (AAD) account on a VM. - -To support Inherited Activation, both the host computer and the VM must be running Windows 10, version 1803 or later. - -## The evolution of deployment - ->The original version of this section can be found at [Changing between Windows SKUs](https://blogs.technet.microsoft.com/mniehaus/2017/10/09/changing-between-windows-skus/). - -The following figure illustrates how deploying Windows 10 has evolved with each release. With this release, deployment is automatic. - -![Illustration of how Windows 10 deployment has evolved](images/sa-evolution.png) - -- **Windows 7** required you to redeploy the operating system using a full wipe-and-load process if you wanted to change from Windows 7 Professional to Windows 10 Enterprise.
          -- **Windows 8.1** added support for a Windows 8.1 Pro to Windows 8.1 Enterprise in-place upgrade (considered a “repair upgrade” because the OS version was the same before and after).  This was a lot easier than wipe-and-load, but it was still time-consuming.
          -- **Windows 10, version 1507** added the ability to install a new product key using a provisioning package or using MDM to change the SKU.  This required a reboot, which would install the new OS components, and took several minutes to complete. However, it was a lot quicker than in-place upgrade.
          -- **Windows 10, version 1607** made a big leap forward. Now you can just change the product key and the SKU instantly changes from Windows 10 Pro to Windows 10 Enterprise.  In addition to provisioning packages and MDM, you can just inject a key using SLMGR.VBS (which injects the key into WMI), so it became trivial to do this using a command line.
          -- **Windows 10, version 1703** made this “step-up” from Windows 10 Pro to Windows 10 Enterprise automatic for those that subscribed to Windows 10 Enterprise E3 or E5 via the CSP program.
          -- **Windows 10, version 1709** adds support for Windows 10 Subscription Activation, very similar to the CSP support but for large enterprises, enabling the use of Azure AD for assigning licenses to users. When those users sign in on an AD or Azure AD-joined machine, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise.
          -- **Windows 10, version 1803** updates Windows 10 Subscription Activation to enable pulling activation keys directly from firmware for devices that support firmware-embedded keys. It is no longer necessary to run a script to perform the activation step on Windows 10 Pro prior to activating Enterprise. For virtual machines and hosts running Windows 10, version 1803 [Inherited Activation](#inherited-activation) is also enabled.
          -- **Windows 10, version 1903** updates Windows 10 Subscription Activation to enable step up from Windows 10 Pro Education to Windows 10 Education for those with a qualifying Windows 10 or Microsoft 365 subscription. - -## Requirements - -### Windows 10 Enterprise requirements - -For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following: - -- Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded. -- Azure Active Directory (Azure AD) available for identity management. -- Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported. - - >[!NOTE] - >An issue has been identified with Hybrid Azure AD joined devices that have enabled [multi-factor authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted) (MFA). If a user signs into a device using their Active Directory account and MFA is enabled, the device will not successfully upgrade to their Windows Enterprise subscription. To resolve this issue, the user must either sign in with an Azure Active Directory account, or you must disable MFA for this user during the 30-day polling period and renewal. - -For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 Enterprise E3/E5 or A3/A5 through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses, with the exception that Windows 10 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md). - -If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://blogs.windows.com/business/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/) - -### Windows 10 Education requirements - -1. Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded. -2. A device with a Windows 10 Pro Education digital license. You can confirm this information in Settings > Update & Security> Activation. -3. The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription. -4. Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported. - ->If Windows 10 Pro is converted to Windows 10 Pro Education [using benefits available in Store for Education](https://docs.microsoft.com/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition. - - -## Benefits - -With Windows 10 Enterprise or Windows 10 Education, businesses and institutions can benefit from enterprise-level security and control. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Education or Windows 10 Enterprise to their users. Now, with Windows 10 Enterprise E3 or A3 and E5 or A5 being available as a true online service, it is available in select channels thus allowing all organizations to take advantage of enterprise-grade Windows 10 features. To compare Windows 10 editions and review pricing, see the following: - -- [Compare Windows 10 editions](https://www.microsoft.com/en-us/windowsforbusiness/compare) -- [Enterprise Mobility + Security Pricing Options](https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security-pricing) - -You can benefit by moving to Windows as an online service in the following ways: - -1. Licenses for Windows 10 Enterprise and Education are checked based on Azure Active Directory (Azure AD) credentials, so now businesses have a systematic way to assign licenses to end users and groups in their organization. -2. User logon triggers a silent edition upgrade, with no reboot required -3. Support for mobile worker/BYOD activation; transition away from on-prem KMS and MAK keys. -4. Compliance support via seat assignment. -5. Licenses can be updated to different users dynamically, enabling you to optimize your licensing investment against changing needs. - -## How it works - -The device is AAD joined from Settings > Accounts > Access work or school. - -The IT administrator assigns Windows 10 Enterprise to a user. See the following figure. - -![Windows 10 Enterprise](images/ent.png) - -When a licensed user signs in to a device that meets requirements using their Azure AD credentials, the operating system steps up from Windows 10 Pro to Windows 10 Enterprise (or Windows 10 Pro Education to Windows 10 Education) and all the appropriate Windows 10 Enterprise/Education features are unlocked. When a user’s subscription expires or is transferred to another user, the device reverts seamlessly to Windows 10 Pro / Windows 10 Pro Education edition, once current subscription validity expires. - -Devices running Windows 10 Pro, version 1703 or Windows 10 Pro Education, version 1903 or later can get Windows 10 Enterprise or Education Semi-Annual Channel on up to five devices for each user covered by the license. This benefit does not include Long Term Servicing Channel. - -The following figures summarize how the Subscription Activation model works: - -Before Windows 10, version 1903:
          -![1703](images/before.png) - -After Windows 10, version 1903:
          -![1903](images/after.png) - -Note: -1. A Windows 10 Pro Education device will only step up to Windows 10 Education edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019). -2. A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019). - -### Scenarios - -**Scenario #1**:  You are using Windows 10, version 1803 or above, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise). - -All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise, and devices that are already running Windows 10 Enterprise will migrate from KMS or MAK activated Enterprise edition to Subscription activated Enterprise edition when a Subscription Activation-enabled user signs in to the device. - -**Scenario #2**:  You are using Windows 10, version 1607, 1703, or 1709 with KMS for activation, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise). - -To change all of your Windows 10 Pro devices to Windows 10 Enterprise, run the following command on each computer: - -
          -cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43
          - -The command causes the OS to change to Windows 10 Enterprise and then seek out the KMS server to reactivate.  This key comes from [Appendix A: KMS Client Setup Keys](https://technet.microsoft.com/library/jj612867.aspx) in the Volume Activation guide.  It is also possible to inject the Windows 10 Pro key from this article if you wish to step back down from Enterprise to Pro. - -**Scenario #3**:  Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts.  The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in. - -In summary, if you have a Windows 10 Enterprise E3 or E5 subscription, but are still running Windows 10 Pro, it’s really simple (and quick) to move to Windows 10 Enterprise using one of the scenarios above. - -If you’re running Windows 7, it can be more work.  A wipe-and-load approach works, but it is likely to be easier to upgrade from Windows 7 Pro directly to Windows 10 Enterprise. This is a supported path, and completes the move in one step.  This method also works if you are running Windows 8.1 Pro. - -### Licenses - -The following policies apply to acquisition and renewal of licenses on devices: -- Devices that have been upgraded will attempt to renew licenses about every 30 days, and must be connected to the Internet to successfully acquire or renew a license. -- If a device is disconnected from the Internet until its current subscription expires, the operating system will revert to Windows 10 Pro or Windows 10 Pro Education. As soon as the device is connected to the Internet again, the license will automatically renew. -- Up to five devices can be upgraded for each user license. -- If a device the meets requirements and a licensed user signs in on that device, it will be upgraded. - -Licenses can be reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. - -When you have the required Azure AD subscription, group-based licensing is the preferred method to assign Enterprise E3 and E5 licenses to users. For more information, see [Group-based licensing basics in Azure AD](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-whatis-azure-portal). - -### Existing Enterprise deployments - -If you are running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise. - -If you are using Windows 10, version 1607, 1703, or 1709 and have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you can seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key. - -If the computer has never been activated with a Pro key, run the following script. Copy the text below into a .cmd file and run the file from an elevated command prompt: - -
          -@echo off
-FOR /F "skip=1" %%A IN ('wmic path SoftwareLicensingService get OA3xOriginalProductKey') DO  ( 
-SET "ProductKey=%%A"
-goto InstallKey
-)
-
-:InstallKey
-IF [%ProductKey%]==[] (
-echo No key present
-) ELSE (
-echo Installing %ProductKey%
-changepk.exe /ProductKey %ProductKey%
-)
-
          - -### Obtaining an Azure AD license - -Enterprise Agreement/Software Assurance (EA/SA): -- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD (ideally to groups using the new Azure AD Premium feature for group assignment). For more information, see [Enabling Subscription Activation with an existing EA](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses#enabling-subscription-activation-with-an-existing-ea). -- The license administrator can assign seats to Azure AD users with the same process that is used for O365. -- New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription. - -Microsoft Products & Services Agreements (MPSA): -- Organizations with MPSA are automatically emailed the details of the new service. They must take steps to process the instructions. -- Existing MPSA customers will receive service activation emails that allow their customer administrator to assign users to the service. -- New MPSA customers who purchase the Software Subscription Windows Enterprise E3 and E5 will be enabled for both the traditional key-based and new subscriptions activation method. - -### Deploying licenses - -See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). - -## Virtual Desktop Access (VDA) - -Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx). - -Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md). - -## Related topics - -[Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-devices-group-policy/)
          -[Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)
          -[Windows for business](https://www.microsoft.com/en-us/windowsforbusiness/default.aspx)
          +--- +title: Windows 10 Subscription Activation +description: How to dynamically enable Windows 10 Enterprise or Educations subscriptions +keywords: upgrade, update, task sequence, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: mdt +audience: itpro author: greg-lindsay +manager: laurawi +ms.collection: M365-modern-desktop +search.appverid: +- MET150 +ms.topic: article +--- + +# Windows 10 Subscription Activation + +Starting with Windows 10, version 1703 Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro to **Windows 10 Enterprise** automatically if they are subscribed to Windows 10 Enterprise E3 or E5. + +With Windows 10, version 1903 the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education to the Enterprise grade edition for educational institutions – **Windows 10 Education**. + +The Subscription Activation feature eliminates the need to manually deploy Windows 10 Enterprise or Education images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering GVLKs, and subsequently rebooting client devices. + +## Subscription Activation for Windows 10 Enterprise + +With Windows 10, version 1703 both Windows 10 Enterprise E3 and Windows 10 Enterprise E5 are available as online services via subscription. Deploying [Windows 10 Enterprise](planning/windows-10-enterprise-faq-itpro.md) in your organization can now be accomplished with no keys and no reboots. + + If you are running Windows 10, version 1703 or later: + +- Devices with a current Windows 10 Pro license can be seamlessly upgraded to Windows 10 Enterprise. +- Product key-based Windows 10 Enterprise software licenses can be transitioned to Windows 10 Enterprise subscriptions. + +Organizations that have an Enterprise agreement can also benefit from the new service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Azure AD using [Azure AD Connect Sync](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-whatis). + +## Subscription Activation for Windows 10 Education + +Subscription Activation for Education works the same as the Enterprise version, but in order to use Subscription Activation for Education, you must have a device running Windows 10 Pro Education, version 1903 or later and an active subscription plan with a Windows 10 Enterprise license. For more information, see the [requirements](#windows-10-education-requirements) section. + +## In this article + +- [Inherited Activation](#inherited-activation): Description of a new feature available in Windows 10, version 1803 and later. +- [The evolution of Windows 10 deployment](#the-evolution-of-deployment): A short history of Windows deployment. +- [Requirements](#requirements): Prerequisites to use the Windows 10 Subscription Activation model. +- [Benefits](#benefits): Advantages of Windows 10 subscription-based licensing. +- [How it works](#how-it-works): A summary of the subscription-based licensing option. +- [Virtual Desktop Access (VDA)](#virtual-desktop-access-vda): Enable Windows 10 Subscription Activation for VMs in the cloud. + +For information on how to deploy Windows 10 Enterprise licenses, see [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). + +## Inherited Activation + +Inherited Activation is a new feature available in Windows 10, version 1803 that allows Windows 10 virtual machines to inherit activation state from their Windows 10 host. + +When a user with Windows 10 E3/E5 or A3/A5 license assigned creates a new Windows 10 virtual machine (VM) using a Windows 10 local host, the VM inherits the activation state from a host machine independent of whether user signs on with a local account or using an Azure Active Directory (AAD) account on a VM. + +To support Inherited Activation, both the host computer and the VM must be running Windows 10, version 1803 or later. + +## The evolution of deployment + +>The original version of this section can be found at [Changing between Windows SKUs](https://blogs.technet.microsoft.com/mniehaus/2017/10/09/changing-between-windows-skus/). + +The following figure illustrates how deploying Windows 10 has evolved with each release. With this release, deployment is automatic. + +![Illustration of how Windows 10 deployment has evolved](images/sa-evolution.png) + +- **Windows 7** required you to redeploy the operating system using a full wipe-and-load process if you wanted to change from Windows 7 Professional to Windows 10 Enterprise.
          +- **Windows 8.1** added support for a Windows 8.1 Pro to Windows 8.1 Enterprise in-place upgrade (considered a “repair upgrade” because the OS version was the same before and after).  This was a lot easier than wipe-and-load, but it was still time-consuming.
          +- **Windows 10, version 1507** added the ability to install a new product key using a provisioning package or using MDM to change the SKU.  This required a reboot, which would install the new OS components, and took several minutes to complete. However, it was a lot quicker than in-place upgrade.
          +- **Windows 10, version 1607** made a big leap forward. Now you can just change the product key and the SKU instantly changes from Windows 10 Pro to Windows 10 Enterprise.  In addition to provisioning packages and MDM, you can just inject a key using SLMGR.VBS (which injects the key into WMI), so it became trivial to do this using a command line.
          +- **Windows 10, version 1703** made this “step-up” from Windows 10 Pro to Windows 10 Enterprise automatic for those that subscribed to Windows 10 Enterprise E3 or E5 via the CSP program.
          +- **Windows 10, version 1709** adds support for Windows 10 Subscription Activation, very similar to the CSP support but for large enterprises, enabling the use of Azure AD for assigning licenses to users. When those users sign in on an AD or Azure AD-joined machine, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise.
          +- **Windows 10, version 1803** updates Windows 10 Subscription Activation to enable pulling activation keys directly from firmware for devices that support firmware-embedded keys. It is no longer necessary to run a script to perform the activation step on Windows 10 Pro prior to activating Enterprise. For virtual machines and hosts running Windows 10, version 1803 [Inherited Activation](#inherited-activation) is also enabled.
          +- **Windows 10, version 1903** updates Windows 10 Subscription Activation to enable step up from Windows 10 Pro Education to Windows 10 Education for those with a qualifying Windows 10 or Microsoft 365 subscription. + +## Requirements + +### Windows 10 Enterprise requirements + +For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following: + +- Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded. +- Azure Active Directory (Azure AD) available for identity management. +- Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported. + + >[!NOTE] + >An issue has been identified with Hybrid Azure AD joined devices that have enabled [multi-factor authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted) (MFA). If a user signs into a device using their Active Directory account and MFA is enabled, the device will not successfully upgrade to their Windows Enterprise subscription. To resolve this issue, the user must either sign in with an Azure Active Directory account, or you must disable MFA for this user during the 30-day polling period and renewal. + +For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 Enterprise E3/E5 or A3/A5 through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses, with the exception that Windows 10 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md). + +If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://blogs.windows.com/business/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/) + +### Windows 10 Education requirements + +1. Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded. +2. A device with a Windows 10 Pro Education digital license. You can confirm this information in Settings > Update & Security> Activation. +3. The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription. +4. Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported. + +>If Windows 10 Pro is converted to Windows 10 Pro Education [using benefits available in Store for Education](https://docs.microsoft.com/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition. + + +## Benefits + +With Windows 10 Enterprise or Windows 10 Education, businesses and institutions can benefit from enterprise-level security and control. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Education or Windows 10 Enterprise to their users. Now, with Windows 10 Enterprise E3 or A3 and E5 or A5 being available as a true online service, it is available in select channels thus allowing all organizations to take advantage of enterprise-grade Windows 10 features. To compare Windows 10 editions and review pricing, see the following: + +- [Compare Windows 10 editions](https://www.microsoft.com/en-us/windowsforbusiness/compare) +- [Enterprise Mobility + Security Pricing Options](https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security-pricing) + +You can benefit by moving to Windows as an online service in the following ways: + +1. Licenses for Windows 10 Enterprise and Education are checked based on Azure Active Directory (Azure AD) credentials, so now businesses have a systematic way to assign licenses to end users and groups in their organization. +2. User logon triggers a silent edition upgrade, with no reboot required +3. Support for mobile worker/BYOD activation; transition away from on-prem KMS and MAK keys. +4. Compliance support via seat assignment. +5. Licenses can be updated to different users dynamically, enabling you to optimize your licensing investment against changing needs. + +## How it works + +The device is AAD joined from Settings > Accounts > Access work or school. + +The IT administrator assigns Windows 10 Enterprise to a user. See the following figure. + +![Windows 10 Enterprise](images/ent.png) + +When a licensed user signs in to a device that meets requirements using their Azure AD credentials, the operating system steps up from Windows 10 Pro to Windows 10 Enterprise (or Windows 10 Pro Education to Windows 10 Education) and all the appropriate Windows 10 Enterprise/Education features are unlocked. When a user’s subscription expires or is transferred to another user, the device reverts seamlessly to Windows 10 Pro / Windows 10 Pro Education edition, once current subscription validity expires. + +Devices running Windows 10 Pro, version 1703 or Windows 10 Pro Education, version 1903 or later can get Windows 10 Enterprise or Education Semi-Annual Channel on up to five devices for each user covered by the license. This benefit does not include Long Term Servicing Channel. + +The following figures summarize how the Subscription Activation model works: + +Before Windows 10, version 1903:
          +![1703](images/before.png) + +After Windows 10, version 1903:
          +![1903](images/after.png) + +Note: +1. A Windows 10 Pro Education device will only step up to Windows 10 Education edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019). +2. A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019). + +### Scenarios + +**Scenario #1**:  You are using Windows 10, version 1803 or above, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise). + +All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise, and devices that are already running Windows 10 Enterprise will migrate from KMS or MAK activated Enterprise edition to Subscription activated Enterprise edition when a Subscription Activation-enabled user signs in to the device. + +**Scenario #2**:  You are using Windows 10, version 1607, 1703, or 1709 with KMS for activation, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise). + +To change all of your Windows 10 Pro devices to Windows 10 Enterprise, run the following command on each computer: + +
          +cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43
          + +The command causes the OS to change to Windows 10 Enterprise and then seek out the KMS server to reactivate.  This key comes from [Appendix A: KMS Client Setup Keys](https://technet.microsoft.com/library/jj612867.aspx) in the Volume Activation guide.  It is also possible to inject the Windows 10 Pro key from this article if you wish to step back down from Enterprise to Pro. + +**Scenario #3**:  Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts.  The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in. + +In summary, if you have a Windows 10 Enterprise E3 or E5 subscription, but are still running Windows 10 Pro, it’s really simple (and quick) to move to Windows 10 Enterprise using one of the scenarios above. + +If you’re running Windows 7, it can be more work.  A wipe-and-load approach works, but it is likely to be easier to upgrade from Windows 7 Pro directly to Windows 10 Enterprise. This is a supported path, and completes the move in one step.  This method also works if you are running Windows 8.1 Pro. + +### Licenses + +The following policies apply to acquisition and renewal of licenses on devices: +- Devices that have been upgraded will attempt to renew licenses about every 30 days, and must be connected to the Internet to successfully acquire or renew a license. +- If a device is disconnected from the Internet until its current subscription expires, the operating system will revert to Windows 10 Pro or Windows 10 Pro Education. As soon as the device is connected to the Internet again, the license will automatically renew. +- Up to five devices can be upgraded for each user license. +- If a device the meets requirements and a licensed user signs in on that device, it will be upgraded. + +Licenses can be reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. + +When you have the required Azure AD subscription, group-based licensing is the preferred method to assign Enterprise E3 and E5 licenses to users. For more information, see [Group-based licensing basics in Azure AD](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-whatis-azure-portal). + +### Existing Enterprise deployments + +If you are running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise. + +If you are using Windows 10, version 1607, 1703, or 1709 and have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you can seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key. + +If the computer has never been activated with a Pro key, run the following script. Copy the text below into a .cmd file and run the file from an elevated command prompt: + +
          +@echo off
+FOR /F "skip=1" %%A IN ('wmic path SoftwareLicensingService get OA3xOriginalProductKey') DO  ( 
+SET "ProductKey=%%A"
+goto InstallKey
+)
+
+:InstallKey
+IF [%ProductKey%]==[] (
+echo No key present
+) ELSE (
+echo Installing %ProductKey%
+changepk.exe /ProductKey %ProductKey%
+)
+
          + +### Obtaining an Azure AD license + +Enterprise Agreement/Software Assurance (EA/SA): +- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD (ideally to groups using the new Azure AD Premium feature for group assignment). For more information, see [Enabling Subscription Activation with an existing EA](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses#enabling-subscription-activation-with-an-existing-ea). +- The license administrator can assign seats to Azure AD users with the same process that is used for O365. +- New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription. + +Microsoft Products & Services Agreements (MPSA): +- Organizations with MPSA are automatically emailed the details of the new service. They must take steps to process the instructions. +- Existing MPSA customers will receive service activation emails that allow their customer administrator to assign users to the service. +- New MPSA customers who purchase the Software Subscription Windows Enterprise E3 and E5 will be enabled for both the traditional key-based and new subscriptions activation method. + +### Deploying licenses + +See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). + +## Virtual Desktop Access (VDA) + +Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx). + +Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md). + +## Related topics + +[Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-devices-group-policy/)
          +[Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)
          +[Windows for business](https://www.microsoft.com/en-us/windowsforbusiness/default.aspx)
          diff --git a/windows/deployment/windows-adk-scenarios-for-it-pros.md b/windows/deployment/windows-adk-scenarios-for-it-pros.md index 01d42ef15d..861ef1b1ad 100644 --- a/windows/deployment/windows-adk-scenarios-for-it-pros.md +++ b/windows/deployment/windows-adk-scenarios-for-it-pros.md @@ -1,97 +1,97 @@ ---- -title: Windows ADK for Windows 10 scenarios for IT Pros (Windows 10) -description: The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. -ms.assetid: FC4EB39B-29BA-4920-87C2-A00D711AE48B -ms.reviewer: -manager: laurawi -ms.author: greg-lindsay -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -author: greg-lindsay -ms.date: 07/27/2017 -ms.topic: article ---- - -# Windows ADK for Windows 10 scenarios for IT Pros - - -The [Windows Assessment and Deployment Kit](https://go.microsoft.com/fwlink/p/?LinkId=526803) (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. For an overview of what's new in the Windows ADK for Windows 10, see [What's new in kits and tools](https://msdn.microsoft.com/library/windows/hardware/dn927348.aspx). - -In previous releases of Windows, the Windows ADK docs were published on both TechNet and the MSDN Hardware Dev Center. Starting with the Windows 10 release, Windows ADK documentation is available on the MSDN Hardware Dev Center. For the Windows 10 ADK reference content, see [Desktop manufacturing](https://msdn.microsoft.com/library/windows/hardware/dn938361.aspx). - -Here are some key scenarios that will help you find the content on the MSDN Hardware Dev Center. - -### Create a Windows image using command-line tools - -[DISM](https://msdn.microsoft.com/library/windows/hardware/dn898558.aspx) is used to mount and service Windows images. - -Here are some things you can do with DISM: - -- [Mount an offline image](https://msdn.microsoft.com/library/windows/hardware/dn938321.aspx) -- [Add drivers to an offline image](https://msdn.microsoft.com/library/windows/hardware/dn898469.aspx) -- [Enable or disable Windows features](https://msdn.microsoft.com/library/windows/hardware/dn898567.aspx) -- [Add or remove packages](https://msdn.microsoft.com/library/windows/hardware/dn898481.aspx) -- [Add language packs](https://msdn.microsoft.com/library/windows/hardware/dn898470.aspx) -- [Add Universal Windows apps](https://msdn.microsoft.com/library/windows/hardware/dn898600.aspx) -- [Upgrade the Windows edition](https://msdn.microsoft.com/library/windows/hardware/dn898500.aspx) - -[Sysprep](https://msdn.microsoft.com/library/windows/hardware/dn938335.aspx) prepares a Windows installation for imaging and allows you to capture a customized installation. - -Here are some things you can do with Sysprep: - -- [Generalize a Windows installation](https://msdn.microsoft.com/library/windows/hardware/dn938334.aspx) -- [Customize the default user profile](https://msdn.microsoft.com/library/windows/hardware/dn898521.aspx) -- [Use answer files](https://msdn.microsoft.com/library/windows/hardware/dn938346.aspx) - -[Windows PE (WinPE)](https://msdn.microsoft.com/library/windows/hardware/dn938389.aspx) is a small operating system used to boot a computer that does not have an operating system. You can boot to Windows PE and then install a new operating system, recover data, or repair an existing operating system. - -Here are ways you can create a WinPE image: - -- [Create a bootable USB drive](https://msdn.microsoft.com/library/windows/hardware/dn938386.aspx) -- [Create a Boot CD, DVD, ISO, or VHD](https://msdn.microsoft.com/library/windows/hardware/dn938385.aspx) - -[Windows Recovery Environment (Windows RE)](https://msdn.microsoft.com/library/windows/hardware/dn938364.aspx) is a recovery environment that can repair common operating system problems. - -Here are some things you can do with Windows RE: - -- [Customize Windows RE](https://msdn.microsoft.com/library/windows/hardware/dn898523.aspx) -- [Push-button reset](https://msdn.microsoft.com/library/windows/hardware/dn938307.aspx) - -[Windows System Image Manager (Windows SIM)](https://msdn.microsoft.com/library/windows/hardware/dn922445.aspx) helps you create answer files that change Windows settings and run scripts during installation. - -Here are some things you can do with Windows SIM: - -- [Create answer file](https://msdn.microsoft.com/library/windows/hardware/dn915085.aspx) -- [Add a driver path to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915062.aspx) -- [Add a package to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915066.aspx) -- [Add a custom command to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915058.aspx) - -For a list of settings you can change, see [Unattended Windows Setup Reference](https://msdn.microsoft.com/library/windows/hardware/dn923277.aspx) on the MSDN Hardware Dev Center. - -### Create a Windows image using Windows ICD - -Introduced in Windows 10, [Windows Imaging and Configuration Designer (ICD)](https://msdn.microsoft.com/library/windows/hardware/dn916113.aspx) streamlines the customizing and provisioning of a Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), Windows 10 Mobile, or Windows 10 IoT Core (IoT Core) image. - -Here are some things you can do with Windows ICD: - -- [Build and apply a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916107.aspx) -- [Export a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916110.aspx) -- [Build and deploy an image for Windows 10 for desktop editions](https://msdn.microsoft.com/library/windows/hardware/dn916105.aspx) - -### IT Pro Windows deployment tools - -There are also a few tools included in the Windows ADK that are specific to IT Pros and this documentation is available on TechNet: - -- [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) -- [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) - -  - -  - - - - - +--- +title: Windows ADK for Windows 10 scenarios for IT Pros (Windows 10) +description: The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. +ms.assetid: FC4EB39B-29BA-4920-87C2-A00D711AE48B +ms.reviewer: +manager: laurawi +ms.audience: itpro author: greg-lindsay +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 07/27/2017 +ms.topic: article +--- + +# Windows ADK for Windows 10 scenarios for IT Pros + + +The [Windows Assessment and Deployment Kit](https://go.microsoft.com/fwlink/p/?LinkId=526803) (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. For an overview of what's new in the Windows ADK for Windows 10, see [What's new in kits and tools](https://msdn.microsoft.com/library/windows/hardware/dn927348.aspx). + +In previous releases of Windows, the Windows ADK docs were published on both TechNet and the MSDN Hardware Dev Center. Starting with the Windows 10 release, Windows ADK documentation is available on the MSDN Hardware Dev Center. For the Windows 10 ADK reference content, see [Desktop manufacturing](https://msdn.microsoft.com/library/windows/hardware/dn938361.aspx). + +Here are some key scenarios that will help you find the content on the MSDN Hardware Dev Center. + +### Create a Windows image using command-line tools + +[DISM](https://msdn.microsoft.com/library/windows/hardware/dn898558.aspx) is used to mount and service Windows images. + +Here are some things you can do with DISM: + +- [Mount an offline image](https://msdn.microsoft.com/library/windows/hardware/dn938321.aspx) +- [Add drivers to an offline image](https://msdn.microsoft.com/library/windows/hardware/dn898469.aspx) +- [Enable or disable Windows features](https://msdn.microsoft.com/library/windows/hardware/dn898567.aspx) +- [Add or remove packages](https://msdn.microsoft.com/library/windows/hardware/dn898481.aspx) +- [Add language packs](https://msdn.microsoft.com/library/windows/hardware/dn898470.aspx) +- [Add Universal Windows apps](https://msdn.microsoft.com/library/windows/hardware/dn898600.aspx) +- [Upgrade the Windows edition](https://msdn.microsoft.com/library/windows/hardware/dn898500.aspx) + +[Sysprep](https://msdn.microsoft.com/library/windows/hardware/dn938335.aspx) prepares a Windows installation for imaging and allows you to capture a customized installation. + +Here are some things you can do with Sysprep: + +- [Generalize a Windows installation](https://msdn.microsoft.com/library/windows/hardware/dn938334.aspx) +- [Customize the default user profile](https://msdn.microsoft.com/library/windows/hardware/dn898521.aspx) +- [Use answer files](https://msdn.microsoft.com/library/windows/hardware/dn938346.aspx) + +[Windows PE (WinPE)](https://msdn.microsoft.com/library/windows/hardware/dn938389.aspx) is a small operating system used to boot a computer that does not have an operating system. You can boot to Windows PE and then install a new operating system, recover data, or repair an existing operating system. + +Here are ways you can create a WinPE image: + +- [Create a bootable USB drive](https://msdn.microsoft.com/library/windows/hardware/dn938386.aspx) +- [Create a Boot CD, DVD, ISO, or VHD](https://msdn.microsoft.com/library/windows/hardware/dn938385.aspx) + +[Windows Recovery Environment (Windows RE)](https://msdn.microsoft.com/library/windows/hardware/dn938364.aspx) is a recovery environment that can repair common operating system problems. + +Here are some things you can do with Windows RE: + +- [Customize Windows RE](https://msdn.microsoft.com/library/windows/hardware/dn898523.aspx) +- [Push-button reset](https://msdn.microsoft.com/library/windows/hardware/dn938307.aspx) + +[Windows System Image Manager (Windows SIM)](https://msdn.microsoft.com/library/windows/hardware/dn922445.aspx) helps you create answer files that change Windows settings and run scripts during installation. + +Here are some things you can do with Windows SIM: + +- [Create answer file](https://msdn.microsoft.com/library/windows/hardware/dn915085.aspx) +- [Add a driver path to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915062.aspx) +- [Add a package to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915066.aspx) +- [Add a custom command to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915058.aspx) + +For a list of settings you can change, see [Unattended Windows Setup Reference](https://msdn.microsoft.com/library/windows/hardware/dn923277.aspx) on the MSDN Hardware Dev Center. + +### Create a Windows image using Windows ICD + +Introduced in Windows 10, [Windows Imaging and Configuration Designer (ICD)](https://msdn.microsoft.com/library/windows/hardware/dn916113.aspx) streamlines the customizing and provisioning of a Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), Windows 10 Mobile, or Windows 10 IoT Core (IoT Core) image. + +Here are some things you can do with Windows ICD: + +- [Build and apply a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916107.aspx) +- [Export a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916110.aspx) +- [Build and deploy an image for Windows 10 for desktop editions](https://msdn.microsoft.com/library/windows/hardware/dn916105.aspx) + +### IT Pro Windows deployment tools + +There are also a few tools included in the Windows ADK that are specific to IT Pros and this documentation is available on TechNet: + +- [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) +- [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) + +  + +  + + + + + diff --git a/windows/deployment/windows-autopilot/TOC.md b/windows/deployment/windows-autopilot/TOC.md index 5d487c958c..73b9410bf7 100644 --- a/windows/deployment/windows-autopilot/TOC.md +++ b/windows/deployment/windows-autopilot/TOC.md @@ -26,4 +26,4 @@ ## [Contacts](autopilot-support.md) ## [Registration authorization](registration-auth.md) ## [Device guidelines](autopilot-device-guidelines.md) -## [Motherboard replacement](autopilot-mbr.md) \ No newline at end of file +## [Motherboard replacement](autopilot-mbr.md) diff --git a/windows/deployment/windows-autopilot/add-devices.md b/windows/deployment/windows-autopilot/add-devices.md index 73f7445a6c..a8090d1812 100644 --- a/windows/deployment/windows-autopilot/add-devices.md +++ b/windows/deployment/windows-autopilot/add-devices.md @@ -1,162 +1,162 @@ ---- -title: Adding devices -ms.reviewer: -manager: laurawi -description: How to add devices to Windows Autopilot -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Adding devices to Windows Autopilot - -**Applies to** - -- Windows 10 - -Before deploying a device using Windows Autopilot, the device must be registered with the Windows Autopilot deployment service. Ideally, this would be performed by the OEM, reseller, or distributor from which the devices were purchased, but this can also be done by the organization by collecting the hardware identity and uploading it manually. - -## OEM registration - -When you purchase devices directly from an OEM, that OEM can automatically register the devices with the Windows Autopilot deployment service. For the list of OEMs that currently support this, see the "Participant device manufacturers" section of the [Windows Autopilot information page](https://www.microsoft.com/en-us/windowsforbusiness/windows-autopilot). - -Before an OEM can register devices on behalf of an organization, the organization must grant the OEM permission to do so. This process is initiated by the OEM, with approval granted by an Azure AD global administrator from the organization. See the "Customer Consent" section of the [Customer consent page](https://docs.microsoft.com/windows/deployment/windows-autopilot/registration-auth#oem-authorization). - -## Reseller, distributor, or partner registration - -Customers may purchase devices from resellers, distributors, or other partners. As long as these resellers, distributors, and partners are part of the [Cloud Solution Partners (CSP) program](https://partner.microsoft.com/en-us/cloud-solution-provider), they too can register devices on behalf of the customer. - -As with OEMs, CSP parnters must be granted permission to register devices on behalf of an organization. This follows the process described on the [Customer consent page](https://docs.microsoft.com/windows/deployment/windows-autopilot/registration-auth#csp-authorization). The CSP partner initiates a request to establish a relationship with the organization, with approval granted by a global administrator from the organization. Once approved, CSP partners add devices using [Partner Center](https://partner.microsoft.com/en-us/pcv/dashboard/overview), either directly through the web site or via available APIs that can automate the same tasks. - -Windows Autopilot does not require delegated administrator permissions when establishing the relationship between the CSP partner and the organization. As part of the approval process performed by the global administrator, the global administrator can choose to uncheck the "Include delegated administration permissions" checkbox. - -## Automatic registration of existing devices - -If an existing device is already running Windows 10 version 1703 or later and enrolled in an MDM service such an Intune, that MDM service can ask the device for the hardware ID (also known as a hardware hash). Once it has that, it can automatically register the device with Windows Autopilot. - -For instructions on how to do this with Microsoft Intune, see [Create an Autopilot deployment profile](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-deployment-profile) documentation describing the "Convert all targeted devices to Autopilot" setting. - -Also note that when using the [Windows Autopilot for existing devices](https://docs.microsoft.com/windows/deployment/windows-autopilot/existing-devices) scenario, it is not necessary to pre-register the devices with Windows Autopilot. Instead, a configuration file (AutopilotConfigurationFile.json) containing all the Windows Autopilot profile settings is used; the device can be registered with Windows Autopilot after the fact using the same "Convert all targeted devices to Autopilot" setting. - -## Manual registration - -To perform manual registration of a device, you must first capture its hardware ID (also known as a hardware hash). Once this process has completed, the resulting hardware ID can be uploaded to the Windows Autopilot service. Because this process requires booting the device into Windows 10 in order to obtain the hardware ID, this is intended primarily for testing and evaluation scenarios. - -## Device identification - -To define a device to the Windows Autopilot deployment service, a unique hardware ID for the device needs to be captured and uploaded to the service. While this step is ideally done by the hardware vendor (OEM, reseller, or distributor), automatically associating the device with an organization, it is also possible to do this through a harvesting process that collects the device from within a running Windows 10 version 1703 or later installation. - -The hardware ID, also commonly referred to as a hardware hash, contains several details about the device, including its manufacturer, model, device serial number, hard drive serial number, and many other attributes that can be used to uniquely identify that device. - -Note that the hardware hash also contains details about when it was generated, so it will change each time it is generated. When the Windows Autopilot deployment service attempts to match a device, it considers changes like that, as well as more substantial changes such as a new hard drive, and is still able to match successfully. But substantial changes to the hardware, such as a motherboard replacement, would not match, so a new hash would need to be generated and uploaded. - -### Collecting the hardware ID from existing devices using System Center Configuration Manager - -Starting with System Center Configuration Manager current branch version 1802, the hardware hashes for existing Windows 10 version 1703 and higher devices are automatically collected by Configuration Manager. See the [What’s new in version 1802](https://docs.microsoft.com/sccm/core/plan-design/changes/whats-new-in-version-1802#report-on-windows-autopilot-device-information) documentation for more details. The hash information can be extracted from Configuration Manager into a CSV file. - -### Collecting the hardware ID from existing devices using PowerShell - -The hardware ID, or hardware hash, for an existing device is available through Windows Management Instrumentation (WMI), as long as that device is running Windows 10 version 1703 or later. To help gather this information, as well as the serial number of the device (useful to see at a glance the machine to which it belongs), a PowerShell script called [Get-WindowsAutoPilotInfo.ps1 has been published to the PowerShell Gallery website](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo). - -To use this script, you can download it from the PowerShell Gallery and run it on each computer, or you can install it directly from the PowerShell Gallery. To install it directly and capture the hardware hash from the local computer, use the following commands from an elevated Windows PowerShell prompt: - -```powershell -md c:\\HWID -Set-Location c:\\HWID -Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Install-Script -Name Get-WindowsAutoPilotInfo -Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv -``` - -The commands can also be run remotely, as long as WMI permissions are in place and WMI is accessible through the Windows Firewall on that remote computer. See the [Get-WindowsAutoPilotInfo](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) script’s help (using “Get-Help Get-WindowsAutoPilotInfo.ps1”) for more information about running the script. - ->[!IMPORTANT] ->Do not connect devices to the Internet prior to capturing the hardware ID and creating an Autopilot device profile. This includes collecting the hardware ID, uploading the .CSV into MSfB or Intune, assigning the profile, and confirming the profile assignment. Connecting the device to the Internet before this process is complete will result in the device downloading a blank profile that is stored on the device until it is explicity removed. In Windows 10 version 1809, you can clear the cached profile by restarting OOBE. In previous versions, the only way to clear the stored profile is to re-install the OS, reimage the PC, or run **sysprep /generalize /oobe**.
          ->After Intune reports the profile ready to go, only then should the device be connected to the Internet. - ->[!NOTE] ->If OOBE is restarted too many times it can enter a recovery mode and fail to run the Autopilot configuration. You can identify this scenario if OOBE displays multiple configuration options on the same page, including language, region, and keyboard layout. The normal OOBE displays each of these on a separate page. The following value key tracks the count of OOBE retries:
          ->**HKCU\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UserOOBE**
          ->To ensure OOBE has not been restarted too many times, you can change this value to 1. - -## Registering devices - - - - -Once the hardware IDs have been captured from existing devices, they can be uploaded through a variety of means. See the detailed documentation for each available mechanism. - -- [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot). This is the preferred mechanism for all customers. -- [Partner Center](https://msdn.microsoft.com/partner-center/autopilot). This is used by CSP partners to register devices on behalf of customers. -- [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-AutoPilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa). This is typically used by small and medium businesses (SMBs) who manage their devices using Microsoft 365 Business. -- [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles). You might already be using MSfB to manage your apps and settings. - -A summary of each platform's capabilities is provided below. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Platform/Portal -Register devices? -Create/Assign profile -Acceptable DeviceID -
          OEM Direct APIYES - 1000 at a time maxNOTuple or PKID
          Partner CenterYES - 1000 at a time maxYESTuple or PKID or 4K HH
          IntuneYES - 500 at a time max\*YES\*4K HH
          Microsoft Store for BusinessYES - 1000 at a time maxYES4K HH
          Microsoft Business 365YES - 1000 at a time maxYES4K HH
          - ->*Microsoft recommended platform to use - -## Summary - -When deploying new devices using Windows Autopilot, the following steps are required: - -1. [Register devices](#registering-devices). Ideally, this step is performed by the OEM, reseller, or distributor from which the devices were purchased, but this can also be done by the organization by collecting the hardware identity and uploading it manually. -2. [Configure device profiles](profiles.md), specifying how the device should be deployed and what user experience should be presented. -3. Boot the device. When the device is connected to a network with internet access, it will contact the Windows Autopilot deployment service to see if the device is registered, and if it is, it will download profile settings such as the [Enrollment Status page](enrollment-status.md), which are used to customize the end user experience. - -## Other configuration settings - -- [Bitlocker encryption settings](bitlocker.md): You can configure the BitLocker encryption settings to be applied before automatic encryption is started. - +--- +title: Adding devices +ms.reviewer: +manager: laurawi +description: How to add devices to Windows Autopilot +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Adding devices to Windows Autopilot + +**Applies to** + +- Windows 10 + +Before deploying a device using Windows Autopilot, the device must be registered with the Windows Autopilot deployment service. Ideally, this would be performed by the OEM, reseller, or distributor from which the devices were purchased, but this can also be done by the organization by collecting the hardware identity and uploading it manually. + +## OEM registration + +When you purchase devices directly from an OEM, that OEM can automatically register the devices with the Windows Autopilot deployment service. For the list of OEMs that currently support this, see the "Participant device manufacturers" section of the [Windows Autopilot information page](https://www.microsoft.com/en-us/windowsforbusiness/windows-autopilot). + +Before an OEM can register devices on behalf of an organization, the organization must grant the OEM permission to do so. This process is initiated by the OEM, with approval granted by an Azure AD global administrator from the organization. See the "Customer Consent" section of the [Customer consent page](https://docs.microsoft.com/windows/deployment/windows-autopilot/registration-auth#oem-authorization). + +## Reseller, distributor, or partner registration + +Customers may purchase devices from resellers, distributors, or other partners. As long as these resellers, distributors, and partners are part of the [Cloud Solution Partners (CSP) program](https://partner.microsoft.com/en-us/cloud-solution-provider), they too can register devices on behalf of the customer. + +As with OEMs, CSP parnters must be granted permission to register devices on behalf of an organization. This follows the process described on the [Customer consent page](https://docs.microsoft.com/windows/deployment/windows-autopilot/registration-auth#csp-authorization). The CSP partner initiates a request to establish a relationship with the organization, with approval granted by a global administrator from the organization. Once approved, CSP partners add devices using [Partner Center](https://partner.microsoft.com/en-us/pcv/dashboard/overview), either directly through the web site or via available APIs that can automate the same tasks. + +Windows Autopilot does not require delegated administrator permissions when establishing the relationship between the CSP partner and the organization. As part of the approval process performed by the global administrator, the global administrator can choose to uncheck the "Include delegated administration permissions" checkbox. + +## Automatic registration of existing devices + +If an existing device is already running Windows 10 version 1703 or later and enrolled in an MDM service such an Intune, that MDM service can ask the device for the hardware ID (also known as a hardware hash). Once it has that, it can automatically register the device with Windows Autopilot. + +For instructions on how to do this with Microsoft Intune, see [Create an Autopilot deployment profile](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-deployment-profile) documentation describing the "Convert all targeted devices to Autopilot" setting. + +Also note that when using the [Windows Autopilot for existing devices](https://docs.microsoft.com/windows/deployment/windows-autopilot/existing-devices) scenario, it is not necessary to pre-register the devices with Windows Autopilot. Instead, a configuration file (AutopilotConfigurationFile.json) containing all the Windows Autopilot profile settings is used; the device can be registered with Windows Autopilot after the fact using the same "Convert all targeted devices to Autopilot" setting. + +## Manual registration + +To perform manual registration of a device, you must first capture its hardware ID (also known as a hardware hash). Once this process has completed, the resulting hardware ID can be uploaded to the Windows Autopilot service. Because this process requires booting the device into Windows 10 in order to obtain the hardware ID, this is intended primarily for testing and evaluation scenarios. + +## Device identification + +To define a device to the Windows Autopilot deployment service, a unique hardware ID for the device needs to be captured and uploaded to the service. While this step is ideally done by the hardware vendor (OEM, reseller, or distributor), automatically associating the device with an organization, it is also possible to do this through a harvesting process that collects the device from within a running Windows 10 version 1703 or later installation. + +The hardware ID, also commonly referred to as a hardware hash, contains several details about the device, including its manufacturer, model, device serial number, hard drive serial number, and many other attributes that can be used to uniquely identify that device. + +Note that the hardware hash also contains details about when it was generated, so it will change each time it is generated. When the Windows Autopilot deployment service attempts to match a device, it considers changes like that, as well as more substantial changes such as a new hard drive, and is still able to match successfully. But substantial changes to the hardware, such as a motherboard replacement, would not match, so a new hash would need to be generated and uploaded. + +### Collecting the hardware ID from existing devices using System Center Configuration Manager + +Starting with System Center Configuration Manager current branch version 1802, the hardware hashes for existing Windows 10 version 1703 and higher devices are automatically collected by Configuration Manager. See the [What’s new in version 1802](https://docs.microsoft.com/sccm/core/plan-design/changes/whats-new-in-version-1802#report-on-windows-autopilot-device-information) documentation for more details. The hash information can be extracted from Configuration Manager into a CSV file. + +### Collecting the hardware ID from existing devices using PowerShell + +The hardware ID, or hardware hash, for an existing device is available through Windows Management Instrumentation (WMI), as long as that device is running Windows 10 version 1703 or later. To help gather this information, as well as the serial number of the device (useful to see at a glance the machine to which it belongs), a PowerShell script called [Get-WindowsAutoPilotInfo.ps1 has been published to the PowerShell Gallery website](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo). + +To use this script, you can download it from the PowerShell Gallery and run it on each computer, or you can install it directly from the PowerShell Gallery. To install it directly and capture the hardware hash from the local computer, use the following commands from an elevated Windows PowerShell prompt: + +```powershell +md c:\\HWID +Set-Location c:\\HWID +Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted +Install-Script -Name Get-WindowsAutoPilotInfo +Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv +``` + +The commands can also be run remotely, as long as WMI permissions are in place and WMI is accessible through the Windows Firewall on that remote computer. See the [Get-WindowsAutoPilotInfo](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) script’s help (using “Get-Help Get-WindowsAutoPilotInfo.ps1”) for more information about running the script. + +>[!IMPORTANT] +>Do not connect devices to the Internet prior to capturing the hardware ID and creating an Autopilot device profile. This includes collecting the hardware ID, uploading the .CSV into MSfB or Intune, assigning the profile, and confirming the profile assignment. Connecting the device to the Internet before this process is complete will result in the device downloading a blank profile that is stored on the device until it is explicity removed. In Windows 10 version 1809, you can clear the cached profile by restarting OOBE. In previous versions, the only way to clear the stored profile is to re-install the OS, reimage the PC, or run **sysprep /generalize /oobe**.
          +>After Intune reports the profile ready to go, only then should the device be connected to the Internet. + +>[!NOTE] +>If OOBE is restarted too many times it can enter a recovery mode and fail to run the Autopilot configuration. You can identify this scenario if OOBE displays multiple configuration options on the same page, including language, region, and keyboard layout. The normal OOBE displays each of these on a separate page. The following value key tracks the count of OOBE retries:
          +>**HKCU\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UserOOBE**
          +>To ensure OOBE has not been restarted too many times, you can change this value to 1. + +## Registering devices + + + + +Once the hardware IDs have been captured from existing devices, they can be uploaded through a variety of means. See the detailed documentation for each available mechanism. + +- [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot). This is the preferred mechanism for all customers. +- [Partner Center](https://msdn.microsoft.com/partner-center/autopilot). This is used by CSP partners to register devices on behalf of customers. +- [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-AutoPilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa). This is typically used by small and medium businesses (SMBs) who manage their devices using Microsoft 365 Business. +- [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles). You might already be using MSfB to manage your apps and settings. + +A summary of each platform's capabilities is provided below. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Platform/Portal +Register devices? +Create/Assign profile +Acceptable DeviceID +
          OEM Direct APIYES - 1000 at a time maxNOTuple or PKID
          Partner CenterYES - 1000 at a time maxYESTuple or PKID or 4K HH
          IntuneYES - 500 at a time max\*YES\*4K HH
          Microsoft Store for BusinessYES - 1000 at a time maxYES4K HH
          Microsoft Business 365YES - 1000 at a time maxYES4K HH
          + +>*Microsoft recommended platform to use + +## Summary + +When deploying new devices using Windows Autopilot, the following steps are required: + +1. [Register devices](#registering-devices). Ideally, this step is performed by the OEM, reseller, or distributor from which the devices were purchased, but this can also be done by the organization by collecting the hardware identity and uploading it manually. +2. [Configure device profiles](profiles.md), specifying how the device should be deployed and what user experience should be presented. +3. Boot the device. When the device is connected to a network with internet access, it will contact the Windows Autopilot deployment service to see if the device is registered, and if it is, it will download profile settings such as the [Enrollment Status page](enrollment-status.md), which are used to customize the end user experience. + +## Other configuration settings + +- [Bitlocker encryption settings](bitlocker.md): You can configure the BitLocker encryption settings to be applied before automatic encryption is started. + diff --git a/windows/deployment/windows-autopilot/autopilot-device-guidelines.md b/windows/deployment/windows-autopilot/autopilot-device-guidelines.md index 773b0b9110..563e086966 100644 --- a/windows/deployment/windows-autopilot/autopilot-device-guidelines.md +++ b/windows/deployment/windows-autopilot/autopilot-device-guidelines.md @@ -4,12 +4,12 @@ ms.reviewer: manager: laurawi description: Windows Autopilot deployment keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -audience: itpro ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy +audience: itpro author: greg-lindsay ms.author: greglin ms.collection: M365-modern-desktop @@ -29,8 +29,8 @@ All devices used with Windows Autopilot should meet the [minimum hardware requir The following additional best practices ensure that devices can easily be provisioned by organizations as part of the Windows Autopilot deployment process: - Ensure that the TPM 2.0 is enabled and in a good state (not in Reduced Functionality Mode) by default on devices intended for Windows Autopilot self-deploying mode. -- The OEM provisions unique tuple info (SmbiosSystemManufacturer, SmbiosSystemProductName, SmbiosSystemSerialNumber) into the [SMBIOS fields](https://docs.microsoft.com/windows-hardware/drivers/bringup/smbios) per Microsoft specification (Manufacturer, Product Name and Serial Number stored in SMBIOS Type 1 04h, Type 1 05h and Type 1 07h). -- The OEM uploads 4K Hardware Hashes that include the Product Key IDs (PKIDs) obtained using OA3 Tool RS3+ run in Audit mode on full OS to Microsoft via CBR report prior to shipping devices to an Autopilot customer or channel partner. +- The OEM provisions unique tuple info (SmbiosSystemManufacturer, SmbiosSystemProductName, SmbiosSystemSerialNumber) or PKID + SmbiosSystemSerialNumber into the [SMBIOS fields](https://docs.microsoft.com/windows-hardware/drivers/bringup/smbios) per Microsoft specification (Manufacturer, Product Name and Serial Number stored in SMBIOS Type 1 04h, Type 1 05h and Type 1 07h). +- The OEM uploads 4K Hardware Hashes obtained using OA3 Tool RS3+ run in Audit mode on full OS to Microsoft via CBR report prior to shipping devices to an Autopilot customer or channel partner. - As a best practice, Microsoft requires that OEM shipping drivers are published to Windows Update within 30 days of the CBR being submitted, and system firmware and driver updates are published to Windows Update within 14 days - The OEM ensures that the PKID provisioned in the SMBIOS is passed on to the channel. diff --git a/windows/deployment/windows-autopilot/autopilot-faq.md b/windows/deployment/windows-autopilot/autopilot-faq.md index 935565887e..01cdb3ef63 100644 --- a/windows/deployment/windows-autopilot/autopilot-faq.md +++ b/windows/deployment/windows-autopilot/autopilot-faq.md @@ -1,164 +1,164 @@ ---- -title: Windows Autopilot support -ms.reviewer: -manager: laurawi -description: Support information for Windows Autopilot -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: low -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Windows Autopilot FAQ - -**Applies to: Windows 10** - -This topic provides OEMs, partners, administrators, and end-users with answers to some frequently asked questions about deploying Windows 10 with Windows Autopilot. - -A [glossary](#glossary) of abbreviations used in this topic is provided at the end. - - -## Microsoft Partner Center - -| Question | Answer | -| --- | --- | -| In the Partner Center, does the Tenant ID need to be provided with every device file upload? Is this needed to allow the business customer to access their devices in MSfB? | No. Providing the Tenant ID is a one-time entry in the Partner Center that can be re-used with future device uploads. | -| How does the customer or tenant know that their devices are ready to be claimed in MSfB? | After the device file upload is completed in the Partner Center, the tenant can see the devices available for Windows Autopilot setup in MSfB. The OEM would need to advise the tenant to access MSfB. Auto-notification from MSfB to the tenant is being developed. | -| How does a customer authorize an OEM or Channel Partner to register Autopilot devices on the customer’s behalf? | Before an OEM or Channel Partner can register a device for Autopilot on behalf of a customer, the customer must first give them consent. The consent process begins with the OEM or Channel Partner sending a link to the customer, which directs the customer to a consent page in Microsoft Store for Business. The steps explaining this process are [here](registration-auth.md). | -| Are there any restrictions if a business customer has registered devices in MSfB and later wants those devices to be managed by a CSP via the Partner Center? | The devices will need to be deleted in MSfB by the business customer before the CSP can upload and manage them in the Partner Center. | -| Does Windows Autopilot support removing the option to enable a local administrator account? | Windows Autopilot doesn’t support removing the local admin account. However, it does support restricting the user performing AAD domain join in OOBE to a standard account (versus admin account by default).| -| How can I test the Windows Autopilot CSV file in the Partner Center? | Only CSP Partners have access to the Partner Center portal. If you are a CSP, you can create a Sales agent user account which has access to “Devices” for testing the file. This can be done today in the Partner Center.

          Go [here](https://msdn.microsoft.com/partner-center/create-user-accounts-and-set-permissions) for more information. | -| Must I become a Cloud Solution Provider (CSP) to participate in Windows Autopilot? | Top volume OEMs do not, as they can use the OEM Direct API. All others who choose to use MPC to register devices must become CSPs in order to access MPC. | -| Do the different CSP levels have all the same capabilities when it comes to Windows Autopilot? | For purposes of Windows Autopilot, there are three different types of CSPs, each with different levels of authority an access:

          1. Direct CSP: Gets direct authorization from the customer to register devices.

          2. Indirect CSP Provider: Gets implicit permission to register devices through the relationship their CSP Reseller partner has with the customer. Indirect CSP Providers register devices through Microsoft Partner Center.

          3. Indirect CSP Reseller: Gets direct authorization from the customer to register devices. At the same time, their indirect CSP Provider partner also gets authorization, which mean that either the Indirect Provider or the Indirect Reseller can register devices for the customer. However, the Indirect CSP Reseller must register devices through the MPC UI (manually uploading CSV file), whereas the Indirect CSP Provider has the option to register devices using the MPC APIs. | - -## Manufacturing - -| Question | Answer | -| --- | --- | -| What changes need to be made in the factory OS image for customer configuration settings? |No changes are required on the factory floor to enable Windows Autopilot deployment. | -| What version of the OA3 tool meets Windows Autopilot deployment requirements? | Windows Autopilot can work with any version of the OA3 tool. We recommend using Windows 10, version 1703 and above to generate the 4K Hardware Hash. | -| At the time of placing an order, do customers need to be state whether they want it with or without Windows Autopilot options? | Yes, if they want Windows Autopilot, they will want Windows 10, version 1703 or later versions. Also, they will want to receive the CSV file or have the file upload (i.e., registration) completed on their behalf. | -| Does the OEM need to manage or collect any custom imaging files from customers and perform any image uploads to Microsoft? | No change, OEMs just send the CBRs as usual to Microsoft. No images are sent to Microsoft to enable Windows Autopilot. Windows Autopilot only customizes OOBE and allows policy configurations (disables admin account, for example). | -| Are there any customer impacts to upgrading from Windows 8 to Windows 10? | The devices must have Windows 10, version 1703 or later to enroll in Windows Autopilot deployment, otherwise no impacts. | -| Will there be any change to the existing CBR with 4k Hardware Hash? | No. | -| What new information needs to be sent from the OEM to Microsoft? | Nothing, unless the OEM opts to register the device on the customer’s behalf, in which case they would upload the device ID via a CSV file into Microsoft Partner Center, or use the OEM Direct API. | -| Is there a contract or amendment for an OEM to participate in Windows Autopilot Deployment? | No. | - -## CSV schema - -| Question | Answer | -| --- | --- | -| Can a comma be used in the CSV file? | No. | -| What error messages can a user expect to see in the Partner Center or MSfB when uploading a file? | See the “In Microsoft Store for Business” section of this guide. | -| Is there a limit to the number of devices that can be listed in the CSV file? | Yes, the CSV file can only contain 1,000 devices to apply to a single profile. If more than 1,000 devices need to be applied to a profile, the devices need to be uploaded through multiple CSV files. | -| Does Microsoft have any recommendations on how an OEM should provide the CSV file to their customers? | Microsoft recommends encrypting the CSV file when sending to the business customer to self-register their Windows Autopilot devices (either through MPC, MSfB, or Intune). | - - -## Hardware hash - -| Question | Answer | -| --- | --- | -| Must every Hardware Hash submitted by the OEM contain the SMBIOS UUID (universally unique identifier), MAC (media access control) address and unique disk serial number (if using Windows 10, version 1703 and above OEM Activation 3.0 tool)? | Yes. Since Windows Autopilot is based on the ability to uniquely identify devices applying for cloud configuration, it is critical to submit Hardware Hashes which meet the outlined requirement. | -| What is the reason for needing the SMBIOS UUID, MAC Address and Disk Serial Number in the Hardware Hash details? | For creating the Hardware Hash, these are the fields that are needed to identify a device, as parts of the device are added/removed. Since we don’t have a unique identifier for Windows devices, this is the best logic to identify a device. | -| What is difference between OA3 Hardware Hash, 4K Hardware Hash, and Windows Autopilot Hardware Hash? | None. They’re different names for the same thing. The Windows 10, 1703 version of the OA3 tool output is called the OA3 Hash, which is 4K in size, which is usable for the Windows Autopilot deployment scenario. Note: When using a non-1703 version OA3Tool, you get a different sized Hash, which may not be used for Windows Autopilot deployment. | -| What is the thought around parts replacement and/or repair for the NIC (network interface controller) and/or Disk? Will the Hardware Hash become invalid? | Yes. If you replace parts, you need to gather the new Hardware Hash, though it depends on what is replaced, and the characteristics of the parts. For example, if you replace the TPM or motherboard, it’s a new device – you MUST have new Hardware Hash. If you replace one network card, it’s probably not a new device, and the device will function with the old Hardware Hash. However, as a best practice, you should assume the old Hardware Hash is invalid and get a new Hardware Hash after any hardware changes – this is Microsoft’s strong recommendation any time you replace parts. | - -## Motherboard replacement - -| Question | Answer | -| --- | --- | -| How does Autopilot handle motherboard replacement scenarios?” | Motherboard replacement is out for scope for Autopilot. Any device that is repaired or serviced in a way that alters the ability to identify the device for Windows Autopilot must go through the normal OOBE process, and manually select the right settings or apply a custom image - as is the case today.

          To reuse the same device for Windows Autopilot after a motherboard replacement, the device would need to be de-registered from Autopilot, the motherboard replaced, a new 4K HH harvested, and then re-registered using the new 4K HH (or device ID).

          **Note**: An OEM will not be able to use the OEM Direct API to re-register the device, since the OEM Direct API only accepts a tuple or PKID. In this case, the OEM would either have to send the new 4K HH info via a CSV file to customer, and let customer reregister the device via MSfB or Intune.| - -## SMBIOS - -| Question | Answer | -| --- | --- | -| Any specific requirement to SMBIOS UUID? | It must be unique as specified in the Windows 10 hardware requirements. | -| What is the requirement on the SMBIOS table to meet the Windows Autopilot Hardware Hash need? | It must meet all the Windows 10 hardware requirements. Additional details may be found [here](https://msdn.microsoft.com/library/jj128256(v=vs.85).aspx). | -| If the SMBIOS supports UUID and Serial Number, is it enough for the OA3 tool to generate the Hardware Hash? | No. At a minimum, the following SMBIOS fields need to be populated with unique values: ProductKeyID SmbiosSystemManufacturer SmbiosSystemProductName SmbiosSystemSerialNumber SmbiosSkuNumber SmbiosSystemFamily MacAddress SmbiosUuid DiskSerialNumber TPM EkPub | - -## Technical interface - -| Question | Answer | -| --- | --- | -| What is the interface to get the MAC Address and Disk Serial Number? How does the OA tool get MAC and Disk Serial #? | Disk serial number is found from IOCTL_STORAGE_QUERY_PROPERTY with StorageDeviceProperty/PropertyStandardQuery. Network MAC address is IOCTL_NDIS_QUERY_GLOBAL_STATS from OID_802_3_PERMANENT_ADDRESS. However the exact mechanisms/”interface” for doing this operation varies depending on the exact scenario being discussed. | -| Follow up clarification: If we have 2-3 MACs on the system, how does OA Tool choose which MAC Address and Disk Serial Number on the system since there are multiple instances of each? If a platform has LAN And WLAN, which MAC is chosen? | In short, all available values are used. In detail, there may be extra specific usage rules. The System disk serial number is more important than any other disks available. Network interfaces that are removable should not be used if detected as they are removable. LAN vs WLAN should not matter, both will be used. | - -## The end user experience - -|Question|Answer| -|----|-----| -|How do I know that I received Autopilot?|You can tell that you received Windows Autopilot (as in the device received a configuration but has not yet applied it) when you skip the selection page (as seen below), and are immediately taken to a generic or customized sign-in page.| -|Windows Autopilot didn’t work, what do I do now?| Questions and actions to assist in troubleshooting: Did a screen not get skipped? Did a user end up as an admin when configured not to? Remember that AAD Admins will be local admins regardless of whether Windows Autopilot is configured to disable local admin Collection information – run licensingdiag.exe and send the .cab (Cabinet file) file that is generated to AutopilotHelp@microsoft.com. If possible, collect an ETL from WPR. Often in these cases, users are not signing into the right AAD tenant, or are creating local user accounts. For a complete list of support options, refer to [Windows Autopilot support](autopilot-support.md). | -| If an Administrator makes changes to an existing profile, will the changes take effect on devices that have that profile assigned to them that have already been deployed? |No. Windows Autopilot profiles are not resident on the device. They are downloaded during OOBE, the settings defined at the time are applied. Then, the profile is discarded on the device. If the device is re-imaged or reset, the new profile settings will take effect the next time the device goes through OOBE.| -|What is the experience if a device isn’t registered or if an IT Admin doesn’t configure Windows Autopilot prior to an end user attempting to self-deploy? |If the device isn’t registered, it will not receive the Windows Autopilot experience and the end user will go through normal OOBE. The Windows Autopilot configurations will NOT be applied until the user runs through OOBE again, after registration. If a device is started before an MDM profile is created, the device will go through standard OOBE experience. The IT Admin would then have to manually enrol that device into the MDM, after which—the next time that device is “reset”—it will go through the Windows Autopilot OOBE experience.| -|What may be a reason why I did not receive a customized sign-in screen during Autopilot? |Tenant branding must be configured in portal.azure.com to receive a customized sign-in experience.| -|What happens if a device is registered with Azure AD but does not have an Windows Autopilot profile assigned? |The regular AAD OOBE will occur since no Windows Autopilot profile was assigned to the device.| -|How can I collect logs on Autopilot?|The best way to collect logs on Windows Autopilot performance is to collect a Windows Performance Recorder (WPR) trace during OOBE. The XML file (WPRP extension) for this trace may be provided upon request.| - -## MDM - -| Question | Answer | -| --- | --- | -| Must we use Intune for our MDM? | No. No, any MDM will work with Autopilot, but others probably won’t have the same full suite of Windows Autopilot features as Intune. You’ll get the best experience from Intune. | -| Can Intune support Win32 app preinstalls? | Yes. Starting with the Windows 10 October Update (version 1809), Intune supports Win32 apps using .msi (and .msix) wrappers. | -| What is co-management? | Co-management is when you use a combination of a cloud MDM tool (Intune) and an on-premise configuration tool like System Center Configuration Manager (SCCM). You only need to use SCCM if Intune can’t support what you want to do with your profile. If you choose to co-manage using Intune + SCCM, you do it by including an SCCM agent in your Intune profile. When that profile is pushed to the device, the device will see the SCCM agent and go out to SCCM to pull down any additional profile settings. | -| Must we use System Center Configuration Manager (SCCM) for Windows Autopilot | No. Co-management (described above) is optional. | - - -## Features - -| Question | Answer | -| --- | --- | -| Self-deploying mode | A new version of Windows Autopilot where the user only turns on the device, and nothing else. It’s useful for scenarios where a standard user account isn’t needed (e.g., shared devices, or KIOSK devices). | -| Hybrid Azure Active Directory join | Allows Windows Autopilot devices to connect to an on-premise Active Directory domain controller (in addition to being Azure AD joined). | -| Windows Autopilot reset | Removes user apps and settings from a device, but maintains AAD domain join and MDM enrollment. Useful for when transferring a device from one user to another. | -| Personalization | Adds the following to the OOBE experience: A personalized welcome message can be created A username hint can be added Sign-in page text can be personalized The company’s logo can be included | -| [Autopilot for existing devices](existing-devices.md) | Offers an upgrade path to Windows Autopilot for all existing Win 7/8 devices. | - - - -## General - -|Question|Answer -|------------------|-----------------| -|If I wipe the machine and restart, will I still receive Windows Autopilot?|Yes, if the device is still registered for Windows Autopilot and is running Windows 10, version 1703 7B and above releases, it will receive the Windows Autopilot experience.| -|Can I harvest the device fingerprint on existing machines?|Yes, if the device is running Windows 10, version 1703 and above, you can harvest device fingerprints for registration. There are no plans to backport the functionality to previous releases and no way to harvest them on pre-Windows 10 Windows 10, version 1703 devices that have not been updated to Windows 10, version 1703.| -|What is Windows 10, version 1703 7B and why does it matter?| Windows 10, version 1703 7B is a Windows 10, version 1703 image bundled with cumulative updates. To receive Autopilot, clients **must** run Windows 10, version 1703 7B or later. These cumulative updates contain a critical fix for Autopilot. Consider the following:

          Windows Autopilot will not apply its profiles to the machine unless AAD credentials match the expected AAD tenant. For the Windows 10, version 1703 release, it was assumed that would be determined by the domain name, so the domain name used to register (for example contoso.com) should match the domain name used to sign in (for example user@contoso.com). But what happens if your tenant has multiple domains (for example us.contoso.com, or fr.contoso.com)? Since these domain names do not match, the device will not be configured for Autopilot. However, both domains are part of the same AAD tenant, and as such it was determined the matching scheme was not useful. This was improved upon by making use of the tenant ID. By using the tenant ID, we can determine that if the user signs into a domain with a tenant matching the one they registered with, we can safely consider this to be a match. The fix for this problem already exists in Windows 10, version 1709 and was backported into the Windows 10, version 1703 7B release.

          **Key Take-Aways**: When using pre-Windows 10, version 1703 7B clients the user’s domain **must** match the domain they registered with. This functionality is found in Windows 10 version 1709 clients using build >= 16215, and Windows 10, version 1703 clients >= 7B. | -|What is the impact of not updating to 7B?|See the detailed scenario described directly above.| -|Is Windows Autopilot supported on other SKUs, e.g. Surface Hub, HoloLens, Windows Mobile.|No, Windows Autopilot isn’t supported on other SKUs.| -|Does Windows Autopilot work after MBR or image re-installation?|Yes.| -| Can machines that have reimaged a few times go through Autopilot? What does the error message "This user is not authorized to enroll" mean? Error code 801c0003. |There are limits to the number of devices a particular AAD user can enroll in AAD, as well as the number of devices that are supported per user in Intune. (These are somewhat configurable but not “infinite.”) You’ll run into this frequently if you reuse the devices, or even if you roll back to previous virtual machine snapshots.| -|What happens if a device is registered to a malicious agent? |By design, Windows Autopilot does not apply a profile until the user signs in with the matching tenant for the configured profile via the AAD sign-in process. What occurs is illustrated below. If badguys.com registers a device owned by contoso.com, at worst, the user would be directed to sign into badguys.com. When the user enters their email/password, the sign-in information is redirected through AAD to the proper AAD authentication and the user is prompted to then sign into contoso.com. Since contoso.com does not match badguys.com as the tenant, the Windows Autopilot profile will not be applied and the regular AAD OOBE will occur.| -|Where is the Windows Autopilot data stored? |Windows Autopilot data is stored in the United States (US), not in a sovereign cloud, even when the AAD tenant is registered in a sovereign cloud. This is applicable to all Windows Autopilot data, regardless of the portal leveraged to deploy Autopilot.| -|Why is Windows Autopilot data stored in the US and not in a sovereign cloud?|It is not customer data that we store, but business data which enables Microsoft to provide a service, therefore it is okay for the data to reside in the US. Customers can stop subscribing to the service any time, and, in that event, the business data is removed by Microsoft.| -|How many ways are there to register a device for Windows Autopilot|There are six ways to register a device, depending on who is doing the registering:

          1. OEM Direct API (only available to TVOs)
          2. MPC via the MPC API (must be a CSP)
          3. MPC via manual upload of CSV file in the UI (must be a CSP)
          4. MSfB via CSV file upload
          5. Intune via CSV file upload
          6. Microsoft 365 Business portal via CSV file upload| -|How many ways are there to create a Windows Autopilot profile?|There are four ways to create & assign an Windows Autopilot profile:

          1. Through MPC (must be a CSP)
          2. Through MSfB
          3. Through Intune (or another MDM)
          4. Microsoft 365 Business portal

          Microsoft recommends creation and assignment of profiles through Intune. | -| What are some common causes of registration failures? |1. Bad or missing Hardware hash entries can lead to faulty registration attempts
          2. Hidden special characters in CSV files.

          To avoid this issue, after creating your CSV file, open it in Notepad to look for hidden characters or trailing spaces or other corruptions.| -| Is Autopilot supported on IoT devices? | Autopilot is not supported on IoT Core devices, and there are currently no plans to add this support. Autopilot is supported on Windows 10 IoT Enterprise SAC devices. Autopilot is supported on Windows 10 Enterprise LTSC 2019 and above; it is not supported on earlier versions of LTSC.| -| Is Autopilot supported in all regions/countries? | Autopilot only supports customers using public Azure. Public Azure does not include the three entities listed below:
          - Azure Germany
          - Azure China
          - Azure Government
          So, if a customer is set up in global Azure, there are no region restrictions. For example, if Contoso uses global Azure but has employees working in China, the Contoso employees working in China would be able to use Autopilot to deploy devices. If Contoso uses Azure China, the Contoso employees would not be able to use Autopilot.| - -## Glossary - -| Term | Meaning | -| --- | --- | -| CSV | Comma Separated Values (File type similar to Excel spreadsheet) | -| MPC | Microsoft Partner Center | -| MDM | Mobile Device Management | -| OEM | Original Equipment Manufacturer | -| CSP | Cloud Solution Provider | -| MSfB | Microsoft Store for Business | -| AAD | Azure Active Directory | -| 4K HH | 4K Hardware Hash | -| CBR | Computer Build Report | -| EC | Enterprise Commerce | -| DDS | Device Directory Service | -| OOBE | Out of the Box Experience | -| UUID | Universally Unique Identifier | +--- +title: Windows Autopilot support +ms.reviewer: +manager: laurawi +description: Support information for Windows Autopilot +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: low +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Windows Autopilot FAQ + +**Applies to: Windows 10** + +This topic provides OEMs, partners, administrators, and end-users with answers to some frequently asked questions about deploying Windows 10 with Windows Autopilot. + +A [glossary](#glossary) of abbreviations used in this topic is provided at the end. + + +## Microsoft Partner Center + +| Question | Answer | +| --- | --- | +| In the Partner Center, does the Tenant ID need to be provided with every device file upload? Is this needed to allow the business customer to access their devices in MSfB? | No. Providing the Tenant ID is a one-time entry in the Partner Center that can be re-used with future device uploads. | +| How does the customer or tenant know that their devices are ready to be claimed in MSfB? | After the device file upload is completed in the Partner Center, the tenant can see the devices available for Windows Autopilot setup in MSfB. The OEM would need to advise the tenant to access MSfB. Auto-notification from MSfB to the tenant is being developed. | +| How does a customer authorize an OEM or Channel Partner to register Autopilot devices on the customer’s behalf? | Before an OEM or Channel Partner can register a device for Autopilot on behalf of a customer, the customer must first give them consent. The consent process begins with the OEM or Channel Partner sending a link to the customer, which directs the customer to a consent page in Microsoft Store for Business. The steps explaining this process are [here](registration-auth.md). | +| Are there any restrictions if a business customer has registered devices in MSfB and later wants those devices to be managed by a CSP via the Partner Center? | The devices will need to be deleted in MSfB by the business customer before the CSP can upload and manage them in the Partner Center. | +| Does Windows Autopilot support removing the option to enable a local administrator account? | Windows Autopilot doesn’t support removing the local admin account. However, it does support restricting the user performing AAD domain join in OOBE to a standard account (versus admin account by default).| +| How can I test the Windows Autopilot CSV file in the Partner Center? | Only CSP Partners have access to the Partner Center portal. If you are a CSP, you can create a Sales agent user account which has access to “Devices” for testing the file. This can be done today in the Partner Center.

          Go [here](https://msdn.microsoft.com/partner-center/create-user-accounts-and-set-permissions) for more information. | +| Must I become a Cloud Solution Provider (CSP) to participate in Windows Autopilot? | Top volume OEMs do not, as they can use the OEM Direct API. All others who choose to use MPC to register devices must become CSPs in order to access MPC. | +| Do the different CSP levels have all the same capabilities when it comes to Windows Autopilot? | For purposes of Windows Autopilot, there are three different types of CSPs, each with different levels of authority an access:

          1. Direct CSP: Gets direct authorization from the customer to register devices.

          2. Indirect CSP Provider: Gets implicit permission to register devices through the relationship their CSP Reseller partner has with the customer. Indirect CSP Providers register devices through Microsoft Partner Center.

          3. Indirect CSP Reseller: Gets direct authorization from the customer to register devices. At the same time, their indirect CSP Provider partner also gets authorization, which mean that either the Indirect Provider or the Indirect Reseller can register devices for the customer. However, the Indirect CSP Reseller must register devices through the MPC UI (manually uploading CSV file), whereas the Indirect CSP Provider has the option to register devices using the MPC APIs. | + +## Manufacturing + +| Question | Answer | +| --- | --- | +| What changes need to be made in the factory OS image for customer configuration settings? |No changes are required on the factory floor to enable Windows Autopilot deployment. | +| What version of the OA3 tool meets Windows Autopilot deployment requirements? | Windows Autopilot can work with any version of the OA3 tool. We recommend using Windows 10, version 1703 and above to generate the 4K Hardware Hash. | +| At the time of placing an order, do customers need to be state whether they want it with or without Windows Autopilot options? | Yes, if they want Windows Autopilot, they will want Windows 10, version 1703 or later versions. Also, they will want to receive the CSV file or have the file upload (i.e., registration) completed on their behalf. | +| Does the OEM need to manage or collect any custom imaging files from customers and perform any image uploads to Microsoft? | No change, OEMs just send the CBRs as usual to Microsoft. No images are sent to Microsoft to enable Windows Autopilot. Windows Autopilot only customizes OOBE and allows policy configurations (disables admin account, for example). | +| Are there any customer impacts to upgrading from Windows 8 to Windows 10? | The devices must have Windows 10, version 1703 or later to enroll in Windows Autopilot deployment, otherwise no impacts. | +| Will there be any change to the existing CBR with 4k Hardware Hash? | No. | +| What new information needs to be sent from the OEM to Microsoft? | Nothing, unless the OEM opts to register the device on the customer’s behalf, in which case they would upload the device ID via a CSV file into Microsoft Partner Center, or use the OEM Direct API. | +| Is there a contract or amendment for an OEM to participate in Windows Autopilot Deployment? | No. | + +## CSV schema + +| Question | Answer | +| --- | --- | +| Can a comma be used in the CSV file? | No. | +| What error messages can a user expect to see in the Partner Center or MSfB when uploading a file? | See the “In Microsoft Store for Business” section of this guide. | +| Is there a limit to the number of devices that can be listed in the CSV file? | Yes, the CSV file can only contain 1,000 devices to apply to a single profile. If more than 1,000 devices need to be applied to a profile, the devices need to be uploaded through multiple CSV files. | +| Does Microsoft have any recommendations on how an OEM should provide the CSV file to their customers? | Microsoft recommends encrypting the CSV file when sending to the business customer to self-register their Windows Autopilot devices (either through MPC, MSfB, or Intune). | + + +## Hardware hash + +| Question | Answer | +| --- | --- | +| Must every Hardware Hash submitted by the OEM contain the SMBIOS UUID (universally unique identifier), MAC (media access control) address and unique disk serial number (if using Windows 10, version 1703 and above OEM Activation 3.0 tool)? | Yes. Since Windows Autopilot is based on the ability to uniquely identify devices applying for cloud configuration, it is critical to submit Hardware Hashes which meet the outlined requirement. | +| What is the reason for needing the SMBIOS UUID, MAC Address and Disk Serial Number in the Hardware Hash details? | For creating the Hardware Hash, these are the fields that are needed to identify a device, as parts of the device are added/removed. Since we don’t have a unique identifier for Windows devices, this is the best logic to identify a device. | +| What is difference between OA3 Hardware Hash, 4K Hardware Hash, and Windows Autopilot Hardware Hash? | None. They’re different names for the same thing. The Windows 10, 1703 version of the OA3 tool output is called the OA3 Hash, which is 4K in size, which is usable for the Windows Autopilot deployment scenario. Note: When using a non-1703 version OA3Tool, you get a different sized Hash, which may not be used for Windows Autopilot deployment. | +| What is the thought around parts replacement and/or repair for the NIC (network interface controller) and/or Disk? Will the Hardware Hash become invalid? | Yes. If you replace parts, you need to gather the new Hardware Hash, though it depends on what is replaced, and the characteristics of the parts. For example, if you replace the TPM or motherboard, it’s a new device – you MUST have new Hardware Hash. If you replace one network card, it’s probably not a new device, and the device will function with the old Hardware Hash. However, as a best practice, you should assume the old Hardware Hash is invalid and get a new Hardware Hash after any hardware changes – this is Microsoft’s strong recommendation any time you replace parts. | + +## Motherboard replacement + +| Question | Answer | +| --- | --- | +| How does Autopilot handle motherboard replacement scenarios?” | Motherboard replacement is out for scope for Autopilot. Any device that is repaired or serviced in a way that alters the ability to identify the device for Windows Autopilot must go through the normal OOBE process, and manually select the right settings or apply a custom image - as is the case today.

          To reuse the same device for Windows Autopilot after a motherboard replacement, the device would need to be de-registered from Autopilot, the motherboard replaced, a new 4K HH harvested, and then re-registered using the new 4K HH (or device ID).

          **Note**: An OEM will not be able to use the OEM Direct API to re-register the device, since the OEM Direct API only accepts a tuple or PKID. In this case, the OEM would either have to send the new 4K HH info via a CSV file to customer, and let customer reregister the device via MSfB or Intune.| + +## SMBIOS + +| Question | Answer | +| --- | --- | +| Any specific requirement to SMBIOS UUID? | It must be unique as specified in the Windows 10 hardware requirements. | +| What is the requirement on the SMBIOS table to meet the Windows Autopilot Hardware Hash need? | It must meet all the Windows 10 hardware requirements. Additional details may be found [here](https://msdn.microsoft.com/library/jj128256(v=vs.85).aspx). | +| If the SMBIOS supports UUID and Serial Number, is it enough for the OA3 tool to generate the Hardware Hash? | No. At a minimum, the following SMBIOS fields need to be populated with unique values: ProductKeyID SmbiosSystemManufacturer SmbiosSystemProductName SmbiosSystemSerialNumber SmbiosSkuNumber SmbiosSystemFamily MacAddress SmbiosUuid DiskSerialNumber TPM EkPub | + +## Technical interface + +| Question | Answer | +| --- | --- | +| What is the interface to get the MAC Address and Disk Serial Number? How does the OA tool get MAC and Disk Serial #? | Disk serial number is found from IOCTL_STORAGE_QUERY_PROPERTY with StorageDeviceProperty/PropertyStandardQuery. Network MAC address is IOCTL_NDIS_QUERY_GLOBAL_STATS from OID_802_3_PERMANENT_ADDRESS. However the exact mechanisms/”interface” for doing this operation varies depending on the exact scenario being discussed. | +| Follow up clarification: If we have 2-3 MACs on the system, how does OA Tool choose which MAC Address and Disk Serial Number on the system since there are multiple instances of each? If a platform has LAN And WLAN, which MAC is chosen? | In short, all available values are used. In detail, there may be extra specific usage rules. The System disk serial number is more important than any other disks available. Network interfaces that are removable should not be used if detected as they are removable. LAN vs WLAN should not matter, both will be used. | + +## The end user experience + +|Question|Answer| +|----|-----| +|How do I know that I received Autopilot?|You can tell that you received Windows Autopilot (as in the device received a configuration but has not yet applied it) when you skip the selection page (as seen below), and are immediately taken to a generic or customized sign-in page.| +|Windows Autopilot didn’t work, what do I do now?| Questions and actions to assist in troubleshooting: Did a screen not get skipped? Did a user end up as an admin when configured not to? Remember that AAD Admins will be local admins regardless of whether Windows Autopilot is configured to disable local admin Collection information – run licensingdiag.exe and send the .cab (Cabinet file) file that is generated to AutopilotHelp@microsoft.com. If possible, collect an ETL from WPR. Often in these cases, users are not signing into the right AAD tenant, or are creating local user accounts. For a complete list of support options, refer to [Windows Autopilot support](autopilot-support.md). | +| If an Administrator makes changes to an existing profile, will the changes take effect on devices that have that profile assigned to them that have already been deployed? |No. Windows Autopilot profiles are not resident on the device. They are downloaded during OOBE, the settings defined at the time are applied. Then, the profile is discarded on the device. If the device is re-imaged or reset, the new profile settings will take effect the next time the device goes through OOBE.| +|What is the experience if a device isn’t registered or if an IT Admin doesn’t configure Windows Autopilot prior to an end user attempting to self-deploy? |If the device isn’t registered, it will not receive the Windows Autopilot experience and the end user will go through normal OOBE. The Windows Autopilot configurations will NOT be applied until the user runs through OOBE again, after registration. If a device is started before an MDM profile is created, the device will go through standard OOBE experience. The IT Admin would then have to manually enrol that device into the MDM, after which—the next time that device is “reset”—it will go through the Windows Autopilot OOBE experience.| +|What may be a reason why I did not receive a customized sign-in screen during Autopilot? |Tenant branding must be configured in portal.azure.com to receive a customized sign-in experience.| +|What happens if a device is registered with Azure AD but does not have an Windows Autopilot profile assigned? |The regular AAD OOBE will occur since no Windows Autopilot profile was assigned to the device.| +|How can I collect logs on Autopilot?|The best way to collect logs on Windows Autopilot performance is to collect a Windows Performance Recorder (WPR) trace during OOBE. The XML file (WPRP extension) for this trace may be provided upon request.| + +## MDM + +| Question | Answer | +| --- | --- | +| Must we use Intune for our MDM? | No. No, any MDM will work with Autopilot, but others probably won’t have the same full suite of Windows Autopilot features as Intune. You’ll get the best experience from Intune. | +| Can Intune support Win32 app preinstalls? | Yes. Starting with the Windows 10 October Update (version 1809), Intune supports Win32 apps using .msi (and .msix) wrappers. | +| What is co-management? | Co-management is when you use a combination of a cloud MDM tool (Intune) and an on-premise configuration tool like System Center Configuration Manager (SCCM). You only need to use SCCM if Intune can’t support what you want to do with your profile. If you choose to co-manage using Intune + SCCM, you do it by including an SCCM agent in your Intune profile. When that profile is pushed to the device, the device will see the SCCM agent and go out to SCCM to pull down any additional profile settings. | +| Must we use System Center Configuration Manager (SCCM) for Windows Autopilot | No. Co-management (described above) is optional. | + + +## Features + +| Question | Answer | +| --- | --- | +| Self-deploying mode | A new version of Windows Autopilot where the user only turns on the device, and nothing else. It’s useful for scenarios where a standard user account isn’t needed (e.g., shared devices, or KIOSK devices). | +| Hybrid Azure Active Directory join | Allows Windows Autopilot devices to connect to an on-premise Active Directory domain controller (in addition to being Azure AD joined). | +| Windows Autopilot reset | Removes user apps and settings from a device, but maintains AAD domain join and MDM enrollment. Useful for when transferring a device from one user to another. | +| Personalization | Adds the following to the OOBE experience: A personalized welcome message can be created A username hint can be added Sign-in page text can be personalized The company’s logo can be included | +| [Autopilot for existing devices](existing-devices.md) | Offers an upgrade path to Windows Autopilot for all existing Win 7/8 devices. | + + + +## General + +|Question|Answer +|------------------|-----------------| +|If I wipe the machine and restart, will I still receive Windows Autopilot?|Yes, if the device is still registered for Windows Autopilot and is running Windows 10, version 1703 7B and above releases, it will receive the Windows Autopilot experience.| +|Can I harvest the device fingerprint on existing machines?|Yes, if the device is running Windows 10, version 1703 and above, you can harvest device fingerprints for registration. There are no plans to backport the functionality to previous releases and no way to harvest them on pre-Windows 10 Windows 10, version 1703 devices that have not been updated to Windows 10, version 1703.| +|What is Windows 10, version 1703 7B and why does it matter?| Windows 10, version 1703 7B is a Windows 10, version 1703 image bundled with cumulative updates. To receive Autopilot, clients **must** run Windows 10, version 1703 7B or later. These cumulative updates contain a critical fix for Autopilot. Consider the following:

          Windows Autopilot will not apply its profiles to the machine unless AAD credentials match the expected AAD tenant. For the Windows 10, version 1703 release, it was assumed that would be determined by the domain name, so the domain name used to register (for example contoso.com) should match the domain name used to sign in (for example user@contoso.com). But what happens if your tenant has multiple domains (for example us.contoso.com, or fr.contoso.com)? Since these domain names do not match, the device will not be configured for Autopilot. However, both domains are part of the same AAD tenant, and as such it was determined the matching scheme was not useful. This was improved upon by making use of the tenant ID. By using the tenant ID, we can determine that if the user signs into a domain with a tenant matching the one they registered with, we can safely consider this to be a match. The fix for this problem already exists in Windows 10, version 1709 and was backported into the Windows 10, version 1703 7B release.

          **Key Take-Aways**: When using pre-Windows 10, version 1703 7B clients the user’s domain **must** match the domain they registered with. This functionality is found in Windows 10 version 1709 clients using build >= 16215, and Windows 10, version 1703 clients >= 7B. | +|What is the impact of not updating to 7B?|See the detailed scenario described directly above.| +|Is Windows Autopilot supported on other SKUs, e.g. Surface Hub, HoloLens, Windows Mobile.|No, Windows Autopilot isn’t supported on other SKUs.| +|Does Windows Autopilot work after MBR or image re-installation?|Yes.| +| Can machines that have reimaged a few times go through Autopilot? What does the error message "This user is not authorized to enroll" mean? Error code 801c0003. |There are limits to the number of devices a particular AAD user can enroll in AAD, as well as the number of devices that are supported per user in Intune. (These are somewhat configurable but not “infinite.”) You’ll run into this frequently if you reuse the devices, or even if you roll back to previous virtual machine snapshots.| +|What happens if a device is registered to a malicious agent? |By design, Windows Autopilot does not apply a profile until the user signs in with the matching tenant for the configured profile via the AAD sign-in process. What occurs is illustrated below. If badguys.com registers a device owned by contoso.com, at worst, the user would be directed to sign into badguys.com. When the user enters their email/password, the sign-in information is redirected through AAD to the proper AAD authentication and the user is prompted to then sign into contoso.com. Since contoso.com does not match badguys.com as the tenant, the Windows Autopilot profile will not be applied and the regular AAD OOBE will occur.| +|Where is the Windows Autopilot data stored? |Windows Autopilot data is stored in the United States (US), not in a sovereign cloud, even when the AAD tenant is registered in a sovereign cloud. This is applicable to all Windows Autopilot data, regardless of the portal leveraged to deploy Autopilot.| +|Why is Windows Autopilot data stored in the US and not in a sovereign cloud?|It is not customer data that we store, but business data which enables Microsoft to provide a service, therefore it is okay for the data to reside in the US. Customers can stop subscribing to the service any time, and, in that event, the business data is removed by Microsoft.| +|How many ways are there to register a device for Windows Autopilot|There are six ways to register a device, depending on who is doing the registering:

          1. OEM Direct API (only available to TVOs)
          2. MPC via the MPC API (must be a CSP)
          3. MPC via manual upload of CSV file in the UI (must be a CSP)
          4. MSfB via CSV file upload
          5. Intune via CSV file upload
          6. Microsoft 365 Business portal via CSV file upload| +|How many ways are there to create a Windows Autopilot profile?|There are four ways to create & assign an Windows Autopilot profile:

          1. Through MPC (must be a CSP)
          2. Through MSfB
          3. Through Intune (or another MDM)
          4. Microsoft 365 Business portal

          Microsoft recommends creation and assignment of profiles through Intune. | +| What are some common causes of registration failures? |1. Bad or missing Hardware hash entries can lead to faulty registration attempts
          2. Hidden special characters in CSV files.

          To avoid this issue, after creating your CSV file, open it in Notepad to look for hidden characters or trailing spaces or other corruptions.| +| Is Autopilot supported on IoT devices? | Autopilot is not supported on IoT Core devices, and there are currently no plans to add this support. Autopilot is supported on Windows 10 IoT Enterprise SAC devices. Autopilot is supported on Windows 10 Enterprise LTSC 2019 and above; it is not supported on earlier versions of LTSC.| +| Is Autopilot supported in all regions/countries? | Autopilot only supports customers using public Azure. Public Azure does not include the three entities listed below:
          - Azure Germany
          - Azure China
          - Azure Government
          So, if a customer is set up in global Azure, there are no region restrictions. For example, if Contoso uses global Azure but has employees working in China, the Contoso employees working in China would be able to use Autopilot to deploy devices. If Contoso uses Azure China, the Contoso employees would not be able to use Autopilot.| + +## Glossary + +| Term | Meaning | +| --- | --- | +| CSV | Comma Separated Values (File type similar to Excel spreadsheet) | +| MPC | Microsoft Partner Center | +| MDM | Mobile Device Management | +| OEM | Original Equipment Manufacturer | +| CSP | Cloud Solution Provider | +| MSfB | Microsoft Store for Business | +| AAD | Azure Active Directory | +| 4K HH | 4K Hardware Hash | +| CBR | Computer Build Report | +| EC | Enterprise Commerce | +| DDS | Device Directory Service | +| OOBE | Out of the Box Experience | +| UUID | Universally Unique Identifier | diff --git a/windows/deployment/windows-autopilot/autopilot-mbr.md b/windows/deployment/windows-autopilot/autopilot-mbr.md index d83600279e..f103766d0d 100644 --- a/windows/deployment/windows-autopilot/autopilot-mbr.md +++ b/windows/deployment/windows-autopilot/autopilot-mbr.md @@ -1,421 +1,420 @@ ---- -title: Windows Autopilot motherboard replacement -ms.reviewer: -manager: laurawi -description: Windows Autopilot deployment MBR scenarios -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -audience: itpro -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Windows Autopilot motherboard replacement scenario guidance - -**Applies to** - -- Windows 10 - -This document offers guidance for Windows Autopilot device repair scenarios that Microsoft partners can use in Motherboard Replacement (MBR) situations, and other servicing scenarios. - -Repairing Autopilot enrolled devices is complex, as it tries to balance OEM requirements with Windows Autopilot requirements. Specifically, OEM’s require strict uniqueness across motherboards, MAC addresses, etc., while Windows Autopilot requires strict uniqueness at the Hardware ID level for each device to enable successful registration. The Hardware ID does not always accommodate all the OEM hardware component requirements, thus these requirements are sometimes at odds, causing issues with some repair scenarios. - -**Motherboard Replacement (MBR)** - -If a motherboard replacement is needed on a Windows Autopilot device, the following process is recommended: - -1. [Deregister the device](#deregister-the-autopilot-device-from-the-autopilot-program) from Windows Autopilot -2. [Replace the motherboard](#replace-the-motherboard) -3. [Capture a new device ID (4K HH)](#capture-a-new-autopilot-device-id-4k-hh-from-the-device) -4. [Reregister the device](#reregister-the-repaired-device-using-the-new-device-id) with Windows Autopilot -5. [Reset the device](#reset-the-device) -6. [Return the device](#return-the-repaired-device-to-the-customer) - -Each of these steps is described below. - -## Deregister the Autopilot device from the Autopilot program - -Before the device arrives at the repair facility, it must be deregistered by the entity that registered it. Only the entity that registered the device can deregister it. This might be the customer IT Admin, the OEM, or the CSP partner. If the IT Admin registered the device, they likely did so via Intune (or possibly the Microsoft Store for Business). In that case, they should deregister the device from Intune (or MSfB). This is necessary because devices registered in Intune will not show up in MPC. However, if the OEM or CSP partner registered the device, they likely did so via the Microsoft Partner Center (MPC). In that case, they should deregister the device from MPC, which will also remove it from the customer IT Admin’s Intune account. Below, we describe the steps an IT Admin would go through to deregister a device from Intune, and the steps an OEM or CSP would go through to deregister a device from MPC. - -**NOTE**: When possible, an OEM or CSP should register Autopilot devices, rather than having the customer do it. This will avoid problems where OEMs or CSPs may not be able to deregister a device if, for example, a customer leasing a device goes out of business before deregistering it themselves. - -**EXCEPTION**: If a customer grants an OEM permission to register devices on their behalf via the automated consent process, then an OEM can use the API to deregister devices they didn’t register themselves (instead, the customer registered the devices). But keep in mind that this would only remove those devices from the Autopilot program, it would not disenroll them from Intune or disjoin them from AAD. The customer must do those steps, if desired, through Intune. - -### Deregister from Intune - -To deregister an Autopilot device from Intune, an IT Admin would: - -1. Sign in to their Intune account -2. Navigate to Intune > Groups > All groups -3. Remove the desired device from its group -4. Navigate to Intune > Devices > All devices -5. Select the checkbox next to the device you want to delete, then click the Delete button on the top menu -6. Navigate to Intune > Devices > Azure AD devices -7. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu -8. Navigate to Intune > Device enrollment > Windows enrollment > Devices -9. Select the checkbox next to the device you want to deregister -10. Click the extended menu icon (“…”) on the far right end of the line containing the device you want to deregister in order to expose an additional menu with the option to “unassign user” -11. Click “Unassign user” if the device was previously assigned to a user; if not, this option will be grayed-out and can be ignored -12. With the unassigned device still selected, click the Delete button along the top menu to remove this device - -**NOTE**: These steps deregister the device from Autopilot, but also unenroll the device from Intune, and disjoin the device from AAD. While it may appear that only deregistering the device from Autopilot is needed, there are certain barriers in place within Intune that necessitate all the steps above be done, which is best practice anyway in case the device gets lost or becomes unrecoverable, to eliminate the possibility of orphaned devices existing in the Autopilot database, or Intune, or AAD. If a device gets into an unrecoverable state, you can contact the appropriate [Microsoft support alias](autopilot-support.md) for assistance. - -The deregistration process will take about 15 minutes. You can accelerate the process by clicking the “Sync” button, then “Refresh” the display until the device is no longer present. - -More details on deregistering devices from Intune can be found [here](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group). - -### Deregister from MPC - -To deregister an Autopilot device from the Microsoft Partner Center (MPC), a CSP would: - -1. Log into MPC -2. Navigate to Customer > Devices -3. Select the device to be deregistered and click the “Delete device” button - -![devices](images/devices.png) - -**NOTE**: Deregistering a device from Autopilot in MPC does only that; it does not also unenroll the device from the MDM (Intune), nor does it disjoin the device from AAD. Therefore, if possible, the OEM/CSP ideally should work with the customer IT Admin to have the device fully removed per the Intune steps in the previous section. - -Alternatively, an OEM partner that has integrated the OEM Direct APIs can deregister a device by calling the AutopilotDeviceRegistration API with the TenantID and TenantDomain fields left blank in the request call. - -Because the repair facility will not have access to the user’s login credentials, the repair facility will have to reimage the device as part of the repair process. This means that the customer should do three things before sending the device off for repair: -1. Copy all important data off the device. -2. Let the repair facility know which version of Windows they should reinstall after the repair. -3. If applicable, let the repair facility know which version of Office they should reinstall after the repair. - -## Replace the motherboard - -Technicians replace the motherboard (or other hardware) on the broken device. A replacement DPK is injected. - -Repair and key replacement processes vary between facilities. Sometimes repair facilities receive motherboard spare parts from OEMs that have replacement DPKs already injected, but sometimes not. Sometimes repair facilities receive fully-functional BIOS tools from OEMs, but sometimes not. This means that the quality of the data in the BIOS after a MBR varies. To ensure the repaired device will still be Autopilot-capable following its repair, the new (post-repair) BIOS should be able to successfully gather and populate the following information at a minimum: - -- DiskSerialNumber -- SmbiosSystemSerialNumber -- SmbiosSystemManufacturer -- SmbiosSystemProductName -- SmbiosUuid -- TPM EKPub -- MacAddress -- ProductKeyID -- OSType - -**NOTE**: For simplicity, and because processes vary between repair facilities, we have excluded many of the additional steps often used in a MBR, such as: -- Verify that the device is still functional -- Disable BitLocker* -- Repair the Boot Configuration Data (BCD) -- Repair and verify the network driver operation - -*BitLocker can be suspended rather than disbled if the technician has the ability to resume it after the repair. - -## Capture a new Autopilot device ID (4K HH) from the device - -Repair technicians must sign in to the repaired device to capture the new device ID. Assuming the repair technician does NOT have access to the customer’s login credentials, they will have to reimage the device in order to gain access, per the following steps: - -1. The repair technician creates a [WinPE bootable USB drive](https://docs.microsoft.com/windows-hardware/manufacture/desktop/oem-deployment-of-windows-10-for-desktop-editions#create-a-bootable-windows-pe-winpe-partition). -2. The repair technician boots the device to WinPE. -3. The repair technician [applies a new Windows image to the device](https://docs.microsoft.com/windows-hardware/manufacture/desktop/work-with-windows-images). - - **NOTE**: Ideally, the same version of Windows should be reimaged onto the device that was originally on the device, so some coordination will be required between the repair facility and customer to capture this information at the time the device arrives for repair. This might include the customer sending the repair facility a customized image (.ppk file) via a USB stick, for example. - -4. The repair technician boots the device into the new Windows image. -5. Once on the desktop, the repair technician captures the new device ID (4K HH) off the device using either the OA3 Tool or the PowerShell script, as described below. - -Those repair facilities with access to the OA3 Tool (which is part of the ADK) can use the tool to capture the 4K Hardware Hash (4K HH). - -Alternatively, the [WindowsAutoPilotInfo Powershell script](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) can be used to capture the 4K HH by following these steps: - -1. Install the script from the [PowerShell Gallery](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) or from the command line (command line installation is shown below). -2. Navigate to the script directory and run it on the device when the device is either in Full OS or Audit Mode. See the following example. - - ```powershell - md c:\HWID - Set-Location c:\HWID - Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force - Install-Script -Name Get-WindowsAutopilotInfo -Force - Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv - ``` - ->If you are prompted to install the NuGet package, choose **Yes**.
          ->If, after installing the script you get an error that Get-WindowsAutopilotInfo.ps1 is not found, verify that C:\Program Files\WindowsPowerShell\Scripts is present in your PATH variable.
          ->If the Install-Script cmdlet fails, verify that you have the default PowerShell repository registered (**Get-PSRepository**) or register the default repository with **Register-PSRepository -Default -Verbose**. - -The script creates a .csv file that contains the device information, including the complete 4K HH. Save this file so that you can access it later. The service facility will use this 4K HH to reregister device as described below. Be sure to use the -OutputFile parameter when saving the file, which ensures that file formatting is correct. Do not attempt to pipe the command output to a file manually. - -**NOTE**: If the repair facility does not have the ability to run the OA3 tool or PowerShell script to capture the new 4K HH, then the CSP (or OEM) partners must do this for them. Without some entity capturing the new 4K HH, there is no way to reregister this device as an Autopilot device. - - -## Reregister the repaired device using the new device ID - -If an OEM is not able to reregister the device, then the repair facility or CSP should reregister the device using MPC, or the customer IT Admin should be advised to reregister the device via Intune (or MSfB). Both ways of reregistering a device are shown below. - -### Reregister from Intune - -To reregister an Autopilot device from Intune, an IT Admin would: -1. Sign in to Intune. -2. Navigate to Device enrollment > Windows enrollment > Devices > Import. -3. Click the **Import** button to upload a csv file containing the device ID of the device to be reregistered (the device ID was the 4K HH captured by the PowerShell script or OA3 tool described previously in this document). - -The following video provides a good overview of how to (re)register devices via MSfB.
          - -> [!VIDEO https://www.youtube.com/embed/IpLIZU_j7Z0] - -### Reregister from MPC - -To reregister an Autopilot device from MPC, an OEM or CSP would: - -1. Sign in to MPC. -2. Navigate to the Customer > Devices page and click the **Add devices** button to upload the csv file. - -![device](images/device2.png)
          -![device](images/device3.png) - -In the case of reregistering a repaired device through MPC, the uploaded csv file must contain the 4K HH for the device, and not just the PKID or Tuple (SerialNumber + OEMName + ModelName). If only the PKID or Tuple were used, the Autopilot service would be unable to find a match in the Autopilot database, since no 4K HH info was ever previously submitted for this essentially “new” device, and the upload will fail, likely returning a ZtdDeviceNotFound error. So, again, only upload the 4K HH, not the Tuple or PKID. - -**NOTE**: When including the 4K HH in the csv file, you do NOT also need to include the PKID or Tuple. Those columns may be left blank, as shown below: - -![hash](images/hh.png) - -## Reset the device - -Since the device was required to be in Full OS or Audit Mode to capture the 4K HH, the repair facility must reset the image back to a pre-OOBE state before returning it to the customer. One way this can be accomplished is by using the built-in reset feature in Windows, as follows: - -On the device, go to Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Finally, click on Reset. - -![reset](images/reset.png) - -However, it’s likely the repair facility won’t have access to Windows because they lack the user credentials to login, in which case they need to use other means to reimage the device, such as the [Deployment Image Servicing and Management tool](https://docs.microsoft.com/windows-hardware/manufacture/desktop/oem-deployment-of-windows-10-for-desktop-editions#use-a-deployment-script-to-apply-your-image). - -## Return the repaired device to the customer - -After completing the previous steps, the repaired device can now be returned to the customer, and will be auto-enrolled into the Autopilot program on first boot-up during OOBE. - -**NOTE**: If the repair facility did NOT reimage the device, they could be sending it back in a potentially broken state (e.g., there’s no way to log into the device because it’s been dissociated from the only known user account), in which case they should tell the organization that they need to fix the registration and OS themselves. - -**IMPORTANT**: A device can be “registered” for Autopilot prior to being powered-on, but the device isn’t actually “deployed” to Autopilot (i.e., enabled as an Autopilot device) until it goes through OOBE, which is why resetting the device back to a pre-OOBE state is a required step. - -## Specific repair scenarios - -This section covers the most common repair scenarios, and their impact on Autopilot enablement. - -NOTES ON TEST RESULTS: - -- Scenarios below were tested using Intune only (no other MDMs were tested). -- In most test scenarios below, the repaired and reregistered device needed to go through OOBE again for Autopilot to be enabled. -- Motherboard replacement scenarios often result in lost data, so repair centers or customers should be reminded to backup data (if possible) prior to repair. -- In the cases where a repair facility does not have the ability to write device info into the BIOS of the repaired device, new processes need to be created to successfully enable Autopilot. -- Repaired device should have the Product Key (DPK) preinjected in the BIOS before capturing the new 4K HH (device ID) - -In the following table:
          -- Supported = **Yes**: the device can be reenabled for Autopilot -- Supported = **No**: the device cannot be reenabled for Autopilot - - -
          ScenarioSupportedMicrosoft Recommendation -
          Motherboard Replacement (MBR) in generalYesThe recommended course of action for MBR scenarios is: - -1. Autopilot device is deregistered from the Autopilot program -2. The motherboard is replace -3. The device is reimaged (with BIOS info and DPK reinjected)* -4. A new Autopilot device ID (4K HH) is captured off the device -5. The repaired device is reregistered for the Autopilot program using the new device ID -6. The repaired device is reset to boot to OOBE -7. The repaired device is shipped back to the customer - -*It’s not necessary to reimage the device if the repair technician has access to the customer’s login credentials. It’s technically possible to do a successful MBR and Autopilot re-enablement without keys or certain BIOS info (e.g., serial #, model name, etc.), but doing so is only recommended for testing/educational purposes. - -
          MBR when motherboard has a TPM chip (enabled) and only one onboard network card (that also gets replaced)Yes - -1. Deregister damaged device -2. Replace motherboard -3. Reimage device (to gain access), unless have access to customers’ login credentials -4. Write device info into BIOS -5. Capture new 4K HH -6. Reregister repaired device -7. Reset device back to OOBE -8. Go through Autopilot OOBE (customer) -9. Autopilot successfully enabled - -
          MBR when motherboard has a TPM chip (enabled) and a second network card (or network interface) that is not replaced along with the motherboardNoThis scenario is not recommended, as it breaks the Autopilot experience, because the resulting Device ID will not be stable until after TPM attestation has completed, and even then registration may give incorrect results because of ambiguity with MAC Address resolution. -
          MBR where the NIC card, HDD, and WLAN all remain the same after the repairYes - -1. Deregister damaged device -2. Replace motherboard (with new RDPK preinjected in BIOS) -3. Reimage device (to gain access), unless have access to customers’ login credentials -4. Write old device info into BIOS (same s/n, model, etc.)* -5. Capture new 4K HH -6. Reregister repaired device -7. Reset device back to OOBE -8. Go through Autopilot OOBE (customer) -9. Autopilot successfully enabled - -*Note that for this and subsequent scenarios, rewriting old device info would not include the TPM 2.0 endorsement key, as the associated private key is locked to the TPM device - -
          MBR where the NIC card remains the same, but the HDD and WLAN are replacedYes - -1. Deregister damaged device -2. Replace motherboard (with new RDPK preinjected in BIOS) -3. Insert new HDD and WLAN -4. Write old device info into BIOS (same s/n, model, etc.) -5. Capture new 4K HH -6. Reregister repaired device -7. Reset device back to OOBE -8. Go through Autopilot OOBE (customer) -9. Autopilot successfully enabled - -
          MBR where the NIC card and WLAN remains the same, but the HDD is replacedYes - -1. Deregister damaged device -2. Replace motherboard (with new RDPK preinjected in BIOS) -3. Insert new HDD -4. Write old device info into BIOS (same s/n, model, etc.) -5. Capture new 4K HH -6. Reregister repaired device -7. Reset device back to OOBE -8. Go through Autopilot OOBE (customer) -9. Autopilot successfully enabled - -
          MBR where only the MB is replaced (all other parts remain same) but new MB was taken from a previously used device that had NOT been Autopilot-enabled before.Yes - -1. Deregister damaged device -2. Replace motherboard (with new RDPK preinjected in BIOS) -3. Reimage device (to gain access), unless have access to customers’ login credentials -4. Write old device info into BIOS (same s/n, model, etc.) -5. Capture new 4K HH -6. Reregister repaired device -7. Reset device back to OOBE -8. Go through Autopilot OOBE (customer) -9. Autopilot successfully enabled - -
          MBR where only the MB is replaced (all other parts remain same) but new MB was taken from a previously used device that HAD been Autopilot-enabled before.Yes - -1. Deregister old device from which MB will be taken -2. Deregister damaged device (that you want to repair) -3. Replace motherboard in repair device with MB from other Autopilot device (with new RDPK preinjected in BIOS) -4. Reimage device (to gain access), unless have access to customers’ login credentials -5. Write old device info into BIOS (same s/n, model, etc.) -6. Capture new 4K HH -7. Reregister repaired device -8. Reset device back to OOBE -9. Go through Autopilot OOBE (customer) -10. Autopilot successfully enabled - -NOTE: The repaired device can also be used successfully as a normal, non-Autopilot device. - -
          BIOS info excluded from MBR deviceNoRepair facility does not have BIOS tool to write device info into BIOS after MBR. - -1. Deregister damaged device -2. Replace motherboard (BIOS does NOT contain device info) -3. Reimage and write DPK into image -4. Capture new 4K HH -5. Reregister repaired device -6. Create Autopilot profile for device -7. Go through Autopilot OOBE (customer) -8. Autopilot FAILS to recognize repaired device - -
          MBR when there is no TPM chipYesThough we do not recommend enabling an Autopilot devices without a TPM chip (which is recommended for BitLocker encryption), it is possible to enable an Autopilot devices in “standard user” mode (but NOT Self-deploying mode) that does not have a TPM chip. In this case, you would: - -1. Deregister damaged device -2. Replace motherboard -3. Reimage device (to gain access), unless have access to customers’ login credentials -4. Write old device info into BIOS (same s/n, model, etc.) -5. Capture new 4K HH -6. Reregister repaired device -7. Reset device back to OOBE -8. Go through Autopilot OOBE (customer) -9. Autopilot successfully enabled - -
          New DPK written into image on repaired Autopilot device with a new MBYesRepair facility replaces normal MB on damaged device. MB does not contain any DPK in the BIOS. Repair facility writes DPK into image after MBR. - -1. Deregister damaged device -2. Replace motherboard – BIOS does NOT contain DPK info -3. Reimage device (to gain access), unless have access to customers’ login credentials -4. Write device info into BIOS (same s/n, model, etc.) -5. Capture new 4K HH -6. Reset or reimage device to pre-OOBE and write DPK into image -7. Reregister repaired device -8. Go through Autopilot OOBE -9. Autopilot successfully enabled - -
          New Repair Product Key (RDPK)YesUsing a MB with a new RDPK preinjected results in a successful Autopilot refurbishment scenario. - -1. Deregister damaged device -2. Replace motherboard (with new RDPK preinjected in BIOS) -3. Reimage or rest image to pre-OOBE -4. Write device info into BIOS -5. Capture new 4K HH -6. Reregister repaired device -7. Reimage or reset image to pre-OOBE -8. Go through Autopilot OOBE -9. Autopilot successfully enabled - -
          No Repair Product Key (RDPK) injectedNoThis scenario violates Microsoft policy and breaks the Windows Autopilot experience. -
          Reimage damaged Autopilot device that was not deregistered prior to repairYes, but the device will still be associated with previous tenant ID, so should only be returned to same customer - -1. Reimage damaged device -2. Write DPK into image -3. Go through Autopilot OOBE -4. Autopilot successfully enabled (to previous tenant ID) - -
          Disk replacement from a non-Autopilot device to an Autopilot deviceYes - -1. Do not deregister damaged device prior to repair -2. Replace HDD on damaged device -3. Reimage or reset image back to OOBE -4. Go through Autopilot OOBE (customer) -5. Autopilot successfully enabled (repaired device recognized as its previous self) - -
          Disk replacement from one Autopilot device to another Autopilot deviceMaybeIf the device from which the HDD is taken was itself previously deregistered from Autopilot, then that HDD can be used in a repair device. But if the HDD was never previously deregistered from Autopilot before being used in a repaired device, the newly repaired device will not have the proper Autopilot experience. - -Assuming the used HDD was previously deregistered (before being used in this repair): - -1. Deregister damaged device -2. Replace HDD on damaged device using a HDD from another deregistered Autopilot device -3. Reimage or rest the repaired device back to a pre-OOBE state -4. Go through Autopilot OOBE (customer) -5. Autopilot successfully enabled - -
          Third party network card replacement NoWhether from a non-Autopilot device to an Autopilot device, from one Autopilot device to another Autopilot device, or from an Autopilot device to a non-Autopilot device, any scenario where a 3rd party (not onboard) Network card is replaced will break the Autopilot experience, and is not recommended. -
          A device repaired more than 3 timesNoAutopilot is not supported when a device is repeatedly repaired, so that whatever parts NOT replaced become associated with too many parts that have been replaced, which would make it difficult to uniquely identify that device in the future. -
          Memory replacementYesReplacing the memory on a damaged device does not negatively affect the Autopilot experience on that device. No de/reregistration is needed. The repair technician simply needs to replace the memory. -
          GPU replacementYesReplacing the GPU(s) on a damaged device does not negatively affect the Autopilot experience on that device. No de/reregistration is needed. The repair technician simply needs to replace the GPU. -
          - ->When scavenging parts from another Autopilot device, we recommend unregistering the scavenged device from Autopilot, scavenging it, and then NEVER REGISTERING THE SCAVENGED DEVICE (AGAIN) FOR AUTOPILOT, because reusing parts this way may cause two active devices to end up with the same ID, with no possibility of distinguishing between the two. - -**NOTE**: The following parts may be replaced without compromising Autopilot enablement or requiring special additional repair steps: -- Memory (RAM or ROM) -- Power Supply -- Video Card -- Card Reader -- Sound card -- Expansion card -- Microphone -- Webcam -- Fan -- Heat sink -- CMOS battery - -Other repair scenarios not yet tested and verified include: -- Daughterboard replacement -- CPU replacement -- Wifi replacement -- Ethernet replacement - -## FAQ - -| Question | Answer | -| --- | --- | -| If we have a tool that programs product information into the BIOS after the MBR, do we still need to submit a CBR report for the device to be Autopilot-capable? | No. Not if the in-house tool writes the minimum necessary information into the BIOS that the Autopilot program looks for to identify the device, as described earlier in this document. | -| What if only some components are replaced rather than the full motherboard? | While it’s true that some limited repairs do not prevent the Autopilot algorithm from successfully matching the post-repair device with the pre-repair device, it is best to ensure 100% success by going through the MBR steps above even for devices that only needed limited repairs. | -| How does a repair technician gain access to a broken device if they don’t have the customer’s login credentials? | The technician will have to reimage the device and use their own credentials during the repair process. | - -## Related topics - -[Device guidelines](autopilot-device-guidelines.md)
          +--- +title: Windows Autopilot motherboard replacement +ms.reviewer: +manager: laurawi +description: Windows Autopilot deployment MBR scenarios +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Windows Autopilot motherboard replacement scenario guidance + +**Applies to** + +- Windows 10 + +This document offers guidance for Windows Autopilot device repair scenarios that Microsoft partners can use in Motherboard Replacement (MBR) situations, and other servicing scenarios. + +Repairing Autopilot enrolled devices is complex, as it tries to balance OEM requirements with Windows Autopilot requirements. Specifically, OEM’s require strict uniqueness across motherboards, MAC addresses, etc., while Windows Autopilot requires strict uniqueness at the Hardware ID level for each device to enable successful registration. The Hardware ID does not always accommodate all the OEM hardware component requirements, thus these requirements are sometimes at odds, causing issues with some repair scenarios. + +**Motherboard Replacement (MBR)** + +If a motherboard replacement is needed on a Windows Autopilot device, the following process is recommended: + +1. [Deregister the device](#deregister-the-autopilot-device-from-the-autopilot-program) from Windows Autopilot +2. [Replace the motherboard](#replace-the-motherboard) +3. [Capture a new device ID (4K HH)](#capture-a-new-autopilot-device-id-4k-hh-from-the-device) +4. [Reregister the device](#reregister-the-repaired-device-using-the-new-device-id) with Windows Autopilot +5. [Reset the device](#reset-the-device) +6. [Return the device](#return-the-repaired-device-to-the-customer) + +Each of these steps is described below. + +## Deregister the Autopilot device from the Autopilot program + +Before the device arrives at the repair facility, it must be deregistered by the entity that registered it. Only the entity that registered the device can deregister it. This might be the customer IT Admin, the OEM, or the CSP partner. If the IT Admin registered the device, they likely did so via Intune (or possibly the Microsoft Store for Business). In that case, they should deregister the device from Intune (or MSfB). This is necessary because devices registered in Intune will not show up in MPC. However, if the OEM or CSP partner registered the device, they likely did so via the Microsoft Partner Center (MPC). In that case, they should deregister the device from MPC, which will also remove it from the customer IT Admin’s Intune account. Below, we describe the steps an IT Admin would go through to deregister a device from Intune, and the steps an OEM or CSP would go through to deregister a device from MPC. + +**NOTE**: When possible, an OEM or CSP should register Autopilot devices, rather than having the customer do it. This will avoid problems where OEMs or CSPs may not be able to deregister a device if, for example, a customer leasing a device goes out of business before deregistering it themselves. + +**EXCEPTION**: If a customer grants an OEM permission to register devices on their behalf via the automated consent process, then an OEM can use the API to deregister devices they didn’t register themselves (instead, the customer registered the devices). But keep in mind that this would only remove those devices from the Autopilot program, it would not disenroll them from Intune or disjoin them from AAD. The customer must do those steps, if desired, through Intune. + +### Deregister from Intune + +To deregister an Autopilot device from Intune, an IT Admin would: + +1. Sign in to their Intune account +2. Navigate to Intune > Groups > All groups +3. Remove the desired device from its group +4. Navigate to Intune > Devices > All devices +5. Select the checkbox next to the device you want to delete, then click the Delete button on the top menu +6. Navigate to Intune > Devices > Azure AD devices +7. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu +8. Navigate to Intune > Device enrollment > Windows enrollment > Devices +9. Select the checkbox next to the device you want to deregister +10. Click the extended menu icon (“…”) on the far right end of the line containing the device you want to deregister in order to expose an additional menu with the option to “unassign user” +11. Click “Unassign user” if the device was previously assigned to a user; if not, this option will be grayed-out and can be ignored +12. With the unassigned device still selected, click the Delete button along the top menu to remove this device + +**NOTE**: These steps deregister the device from Autopilot, but also unenroll the device from Intune, and disjoin the device from AAD. While it may appear that only deregistering the device from Autopilot is needed, there are certain barriers in place within Intune that necessitate all the steps above be done, which is best practice anyway in case the device gets lost or becomes unrecoverable, to eliminate the possibility of orphaned devices existing in the Autopilot database, or Intune, or AAD. If a device gets into an unrecoverable state, you can contact the appropriate [Microsoft support alias](autopilot-support.md) for assistance. + +The deregistration process will take about 15 minutes. You can accelerate the process by clicking the “Sync” button, then “Refresh” the display until the device is no longer present. + +More details on deregistering devices from Intune can be found [here](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group). + +### Deregister from MPC + +To deregister an Autopilot device from the Microsoft Partner Center (MPC), a CSP would: + +1. Log into MPC +2. Navigate to Customer > Devices +3. Select the device to be deregistered and click the “Delete device” button + +![devices](images/devices.png) + +**NOTE**: Deregistering a device from Autopilot in MPC does only that; it does not also unenroll the device from the MDM (Intune), nor does it disjoin the device from AAD. Therefore, if possible, the OEM/CSP ideally should work with the customer IT Admin to have the device fully removed per the Intune steps in the previous section. + +Alternatively, an OEM partner that has integrated the OEM Direct APIs can deregister a device by calling the AutopilotDeviceRegistration API with the TenantID and TenantDomain fields left blank in the request call. + +Because the repair facility will not have access to the user’s login credentials, the repair facility will have to reimage the device as part of the repair process. This means that the customer should do three things before sending the device off for repair: +1. Copy all important data off the device. +2. Let the repair facility know which version of Windows they should reinstall after the repair. +3. If applicable, let the repair facility know which version of Office they should reinstall after the repair. + +## Replace the motherboard + +Technicians replace the motherboard (or other hardware) on the broken device. A replacement DPK is injected. + +Repair and key replacement processes vary between facilities. Sometimes repair facilities receive motherboard spare parts from OEMs that have replacement DPKs already injected, but sometimes not. Sometimes repair facilities receive fully-functional BIOS tools from OEMs, but sometimes not. This means that the quality of the data in the BIOS after a MBR varies. To ensure the repaired device will still be Autopilot-capable following its repair, the new (post-repair) BIOS should be able to successfully gather and populate the following information at a minimum: + +- DiskSerialNumber +- SmbiosSystemSerialNumber +- SmbiosSystemManufacturer +- SmbiosSystemProductName +- SmbiosUuid +- TPM EKPub +- MacAddress +- ProductKeyID +- OSType + +**NOTE**: For simplicity, and because processes vary between repair facilities, we have excluded many of the additional steps often used in a MBR, such as: +- Verify that the device is still functional +- Disable BitLocker* +- Repair the Boot Configuration Data (BCD) +- Repair and verify the network driver operation + +*BitLocker can be suspended rather than disbled if the technician has the ability to resume it after the repair. + +## Capture a new Autopilot device ID (4K HH) from the device + +Repair technicians must sign in to the repaired device to capture the new device ID. Assuming the repair technician does NOT have access to the customer’s login credentials, they will have to reimage the device in order to gain access, per the following steps: + +1. The repair technician creates a [WinPE bootable USB drive](https://docs.microsoft.com/windows-hardware/manufacture/desktop/oem-deployment-of-windows-10-for-desktop-editions#create-a-bootable-windows-pe-winpe-partition). +2. The repair technician boots the device to WinPE. +3. The repair technician [applies a new Windows image to the device](https://docs.microsoft.com/windows-hardware/manufacture/desktop/work-with-windows-images). + + **NOTE**: Ideally, the same version of Windows should be reimaged onto the device that was originally on the device, so some coordination will be required between the repair facility and customer to capture this information at the time the device arrives for repair. This might include the customer sending the repair facility a customized image (.ppk file) via a USB stick, for example. + +4. The repair technician boots the device into the new Windows image. +5. Once on the desktop, the repair technician captures the new device ID (4K HH) off the device using either the OA3 Tool or the PowerShell script, as described below. + +Those repair facilities with access to the OA3 Tool (which is part of the ADK) can use the tool to capture the 4K Hardware Hash (4K HH). + +Alternatively, the [WindowsAutoPilotInfo Powershell script](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) can be used to capture the 4K HH by following these steps: + +1. Install the script from the [PowerShell Gallery](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) or from the command line (command line installation is shown below). +2. Navigate to the script directory and run it on the device when the device is either in Full OS or Audit Mode. See the following example. + + ```powershell + md c:\HWID + Set-Location c:\HWID + Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force + Install-Script -Name Get-WindowsAutopilotInfo -Force + Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv + ``` + +>If you are prompted to install the NuGet package, choose **Yes**.
          +>If, after installing the script you get an error that Get-WindowsAutopilotInfo.ps1 is not found, verify that C:\Program Files\WindowsPowerShell\Scripts is present in your PATH variable.
          +>If the Install-Script cmdlet fails, verify that you have the default PowerShell repository registered (**Get-PSRepository**) or register the default repository with **Register-PSRepository -Default -Verbose**. + +The script creates a .csv file that contains the device information, including the complete 4K HH. Save this file so that you can access it later. The service facility will use this 4K HH to reregister device as described below. Be sure to use the -OutputFile parameter when saving the file, which ensures that file formatting is correct. Do not attempt to pipe the command output to a file manually. + +**NOTE**: If the repair facility does not have the ability to run the OA3 tool or PowerShell script to capture the new 4K HH, then the CSP (or OEM) partners must do this for them. Without some entity capturing the new 4K HH, there is no way to reregister this device as an Autopilot device. + + +## Reregister the repaired device using the new device ID + +If an OEM is not able to reregister the device, then the repair facility or CSP should reregister the device using MPC, or the customer IT Admin should be advised to reregister the device via Intune (or MSfB). Both ways of reregistering a device are shown below. + +### Reregister from Intune + +To reregister an Autopilot device from Intune, an IT Admin would: +1. Sign in to Intune. +2. Navigate to Device enrollment > Windows enrollment > Devices > Import. +3. Click the **Import** button to upload a csv file containing the device ID of the device to be reregistered (the device ID was the 4K HH captured by the PowerShell script or OA3 tool described previously in this document). + +The following video provides a good overview of how to (re)register devices via MSfB.
          + +> [!VIDEO https://www.youtube.com/embed/IpLIZU_j7Z0] + +### Reregister from MPC + +To reregister an Autopilot device from MPC, an OEM or CSP would: + +1. Sign in to MPC. +2. Navigate to the Customer > Devices page and click the **Add devices** button to upload the csv file. + +![device](images/device2.png)
          +![device](images/device3.png) + +In the case of reregistering a repaired device through MPC, the uploaded csv file must contain the 4K HH for the device, and not just the PKID or Tuple (SerialNumber + OEMName + ModelName). If only the PKID or Tuple were used, the Autopilot service would be unable to find a match in the Autopilot database, since no 4K HH info was ever previously submitted for this essentially “new” device, and the upload will fail, likely returning a ZtdDeviceNotFound error. So, again, only upload the 4K HH, not the Tuple or PKID. + +**NOTE**: When including the 4K HH in the csv file, you do NOT also need to include the PKID or Tuple. Those columns may be left blank, as shown below: + +![hash](images/hh.png) + +## Reset the device + +Since the device was required to be in Full OS or Audit Mode to capture the 4K HH, the repair facility must reset the image back to a pre-OOBE state before returning it to the customer. One way this can be accomplished is by using the built-in reset feature in Windows, as follows: + +On the device, go to Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Finally, click on Reset. + +![reset](images/reset.png) + +However, it’s likely the repair facility won’t have access to Windows because they lack the user credentials to login, in which case they need to use other means to reimage the device, such as the [Deployment Image Servicing and Management tool](https://docs.microsoft.com/windows-hardware/manufacture/desktop/oem-deployment-of-windows-10-for-desktop-editions#use-a-deployment-script-to-apply-your-image). + +## Return the repaired device to the customer + +After completing the previous steps, the repaired device can now be returned to the customer, and will be auto-enrolled into the Autopilot program on first boot-up during OOBE. + +**NOTE**: If the repair facility did NOT reimage the device, they could be sending it back in a potentially broken state (e.g., there’s no way to log into the device because it’s been dissociated from the only known user account), in which case they should tell the organization that they need to fix the registration and OS themselves. + +**IMPORTANT**: A device can be “registered” for Autopilot prior to being powered-on, but the device isn’t actually “deployed” to Autopilot (i.e., enabled as an Autopilot device) until it goes through OOBE, which is why resetting the device back to a pre-OOBE state is a required step. + +## Specific repair scenarios + +This section covers the most common repair scenarios, and their impact on Autopilot enablement. + +NOTES ON TEST RESULTS: + +- Scenarios below were tested using Intune only (no other MDMs were tested). +- In most test scenarios below, the repaired and reregistered device needed to go through OOBE again for Autopilot to be enabled. +- Motherboard replacement scenarios often result in lost data, so repair centers or customers should be reminded to backup data (if possible) prior to repair. +- In the cases where a repair facility does not have the ability to write device info into the BIOS of the repaired device, new processes need to be created to successfully enable Autopilot. +- Repaired device should have the Product Key (DPK) preinjected in the BIOS before capturing the new 4K HH (device ID) + +In the following table:
          +- Supported = **Yes**: the device can be reenabled for Autopilot +- Supported = **No**: the device cannot be reenabled for Autopilot + + +
          ScenarioSupportedMicrosoft Recommendation +
          Motherboard Replacement (MBR) in generalYesThe recommended course of action for MBR scenarios is: + +1. Autopilot device is deregistered from the Autopilot program +2. The motherboard is replace +3. The device is reimaged (with BIOS info and DPK reinjected)* +4. A new Autopilot device ID (4K HH) is captured off the device +5. The repaired device is reregistered for the Autopilot program using the new device ID +6. The repaired device is reset to boot to OOBE +7. The repaired device is shipped back to the customer + +*It’s not necessary to reimage the device if the repair technician has access to the customer’s login credentials. It’s technically possible to do a successful MBR and Autopilot re-enablement without keys or certain BIOS info (e.g., serial #, model name, etc.), but doing so is only recommended for testing/educational purposes. + +
          MBR when motherboard has a TPM chip (enabled) and only one onboard network card (that also gets replaced)Yes + +1. Deregister damaged device +2. Replace motherboard +3. Reimage device (to gain access), unless have access to customers’ login credentials +4. Write device info into BIOS +5. Capture new 4K HH +6. Reregister repaired device +7. Reset device back to OOBE +8. Go through Autopilot OOBE (customer) +9. Autopilot successfully enabled + +
          MBR when motherboard has a TPM chip (enabled) and a second network card (or network interface) that is not replaced along with the motherboardNoThis scenario is not recommended, as it breaks the Autopilot experience, because the resulting Device ID will not be stable until after TPM attestation has completed, and even then registration may give incorrect results because of ambiguity with MAC Address resolution. +
          MBR where the NIC card, HDD, and WLAN all remain the same after the repairYes + +1. Deregister damaged device +2. Replace motherboard (with new RDPK preinjected in BIOS) +3. Reimage device (to gain access), unless have access to customers’ login credentials +4. Write old device info into BIOS (same s/n, model, etc.)* +5. Capture new 4K HH +6. Reregister repaired device +7. Reset device back to OOBE +8. Go through Autopilot OOBE (customer) +9. Autopilot successfully enabled + +*Note that for this and subsequent scenarios, rewriting old device info would not include the TPM 2.0 endorsement key, as the associated private key is locked to the TPM device + +
          MBR where the NIC card remains the same, but the HDD and WLAN are replacedYes + +1. Deregister damaged device +2. Replace motherboard (with new RDPK preinjected in BIOS) +3. Insert new HDD and WLAN +4. Write old device info into BIOS (same s/n, model, etc.) +5. Capture new 4K HH +6. Reregister repaired device +7. Reset device back to OOBE +8. Go through Autopilot OOBE (customer) +9. Autopilot successfully enabled + +
          MBR where the NIC card and WLAN remains the same, but the HDD is replacedYes + +1. Deregister damaged device +2. Replace motherboard (with new RDPK preinjected in BIOS) +3. Insert new HDD +4. Write old device info into BIOS (same s/n, model, etc.) +5. Capture new 4K HH +6. Reregister repaired device +7. Reset device back to OOBE +8. Go through Autopilot OOBE (customer) +9. Autopilot successfully enabled + +
          MBR where only the MB is replaced (all other parts remain same) but new MB was taken from a previously used device that had NOT been Autopilot-enabled before.Yes + +1. Deregister damaged device +2. Replace motherboard (with new RDPK preinjected in BIOS) +3. Reimage device (to gain access), unless have access to customers’ login credentials +4. Write old device info into BIOS (same s/n, model, etc.) +5. Capture new 4K HH +6. Reregister repaired device +7. Reset device back to OOBE +8. Go through Autopilot OOBE (customer) +9. Autopilot successfully enabled + +
          MBR where only the MB is replaced (all other parts remain same) but new MB was taken from a previously used device that HAD been Autopilot-enabled before.Yes + +1. Deregister old device from which MB will be taken +2. Deregister damaged device (that you want to repair) +3. Replace motherboard in repair device with MB from other Autopilot device (with new RDPK preinjected in BIOS) +4. Reimage device (to gain access), unless have access to customers’ login credentials +5. Write old device info into BIOS (same s/n, model, etc.) +6. Capture new 4K HH +7. Reregister repaired device +8. Reset device back to OOBE +9. Go through Autopilot OOBE (customer) +10. Autopilot successfully enabled + +NOTE: The repaired device can also be used successfully as a normal, non-Autopilot device. + +
          BIOS info excluded from MBR deviceNoRepair facility does not have BIOS tool to write device info into BIOS after MBR. + +1. Deregister damaged device +2. Replace motherboard (BIOS does NOT contain device info) +3. Reimage and write DPK into image +4. Capture new 4K HH +5. Reregister repaired device +6. Create Autopilot profile for device +7. Go through Autopilot OOBE (customer) +8. Autopilot FAILS to recognize repaired device + +
          MBR when there is no TPM chipYesThough we do not recommend enabling an Autopilot devices without a TPM chip (which is recommended for BitLocker encryption), it is possible to enable an Autopilot devices in “standard user” mode (but NOT Self-deploying mode) that does not have a TPM chip. In this case, you would: + +1. Deregister damaged device +2. Replace motherboard +3. Reimage device (to gain access), unless have access to customers’ login credentials +4. Write old device info into BIOS (same s/n, model, etc.) +5. Capture new 4K HH +6. Reregister repaired device +7. Reset device back to OOBE +8. Go through Autopilot OOBE (customer) +9. Autopilot successfully enabled + +
          New DPK written into image on repaired Autopilot device with a new MBYesRepair facility replaces normal MB on damaged device. MB does not contain any DPK in the BIOS. Repair facility writes DPK into image after MBR. + +1. Deregister damaged device +2. Replace motherboard – BIOS does NOT contain DPK info +3. Reimage device (to gain access), unless have access to customers’ login credentials +4. Write device info into BIOS (same s/n, model, etc.) +5. Capture new 4K HH +6. Reset or reimage device to pre-OOBE and write DPK into image +7. Reregister repaired device +8. Go through Autopilot OOBE +9. Autopilot successfully enabled + +
          New Repair Product Key (RDPK)YesUsing a MB with a new RDPK preinjected results in a successful Autopilot refurbishment scenario. + +1. Deregister damaged device +2. Replace motherboard (with new RDPK preinjected in BIOS) +3. Reimage or rest image to pre-OOBE +4. Write device info into BIOS +5. Capture new 4K HH +6. Reregister repaired device +7. Reimage or reset image to pre-OOBE +8. Go through Autopilot OOBE +9. Autopilot successfully enabled + +
          No Repair Product Key (RDPK) injectedNoThis scenario violates Microsoft policy and breaks the Windows Autopilot experience. +
          Reimage damaged Autopilot device that was not deregistered prior to repairYes, but the device will still be associated with previous tenant ID, so should only be returned to same customer + +1. Reimage damaged device +2. Write DPK into image +3. Go through Autopilot OOBE +4. Autopilot successfully enabled (to previous tenant ID) + +
          Disk replacement from a non-Autopilot device to an Autopilot deviceYes + +1. Do not deregister damaged device prior to repair +2. Replace HDD on damaged device +3. Reimage or reset image back to OOBE +4. Go through Autopilot OOBE (customer) +5. Autopilot successfully enabled (repaired device recognized as its previous self) + +
          Disk replacement from one Autopilot device to another Autopilot deviceMaybeIf the device from which the HDD is taken was itself previously deregistered from Autopilot, then that HDD can be used in a repair device. But if the HDD was never previously deregistered from Autopilot before being used in a repaired device, the newly repaired device will not have the proper Autopilot experience. + +Assuming the used HDD was previously deregistered (before being used in this repair): + +1. Deregister damaged device +2. Replace HDD on damaged device using a HDD from another deregistered Autopilot device +3. Reimage or rest the repaired device back to a pre-OOBE state +4. Go through Autopilot OOBE (customer) +5. Autopilot successfully enabled + +
          Third party network card replacement NoWhether from a non-Autopilot device to an Autopilot device, from one Autopilot device to another Autopilot device, or from an Autopilot device to a non-Autopilot device, any scenario where a 3rd party (not onboard) Network card is replaced will break the Autopilot experience, and is not recommended. +
          A device repaired more than 3 timesNoAutopilot is not supported when a device is repeatedly repaired, so that whatever parts NOT replaced become associated with too many parts that have been replaced, which would make it difficult to uniquely identify that device in the future. +
          Memory replacementYesReplacing the memory on a damaged device does not negatively affect the Autopilot experience on that device. No de/reregistration is needed. The repair technician simply needs to replace the memory. +
          GPU replacementYesReplacing the GPU(s) on a damaged device does not negatively affect the Autopilot experience on that device. No de/reregistration is needed. The repair technician simply needs to replace the GPU. +
          + +>When scavenging parts from another Autopilot device, we recommend unregistering the scavenged device from Autopilot, scavenging it, and then NEVER REGISTERING THE SCAVENGED DEVICE (AGAIN) FOR AUTOPILOT, because reusing parts this way may cause two active devices to end up with the same ID, with no possibility of distinguishing between the two. + +**NOTE**: The following parts may be replaced without compromising Autopilot enablement or requiring special additional repair steps: +- Memory (RAM or ROM) +- Power Supply +- Video Card +- Card Reader +- Sound card +- Expansion card +- Microphone +- Webcam +- Fan +- Heat sink +- CMOS battery + +Other repair scenarios not yet tested and verified include: +- Daughterboard replacement +- CPU replacement +- Wifi replacement +- Ethernet replacement + +## FAQ + +| Question | Answer | +| --- | --- | +| If we have a tool that programs product information into the BIOS after the MBR, do we still need to submit a CBR report for the device to be Autopilot-capable? | No. Not if the in-house tool writes the minimum necessary information into the BIOS that the Autopilot program looks for to identify the device, as described earlier in this document. | +| What if only some components are replaced rather than the full motherboard? | While it’s true that some limited repairs do not prevent the Autopilot algorithm from successfully matching the post-repair device with the pre-repair device, it is best to ensure 100% success by going through the MBR steps above even for devices that only needed limited repairs. | +| How does a repair technician gain access to a broken device if they don’t have the customer’s login credentials? | The technician will have to reimage the device and use their own credentials during the repair process. | + +## Related topics + +[Device guidelines](autopilot-device-guidelines.md)
          diff --git a/windows/deployment/windows-autopilot/autopilot-support.md b/windows/deployment/windows-autopilot/autopilot-support.md index d53325cfde..b3e02db65f 100644 --- a/windows/deployment/windows-autopilot/autopilot-support.md +++ b/windows/deployment/windows-autopilot/autopilot-support.md @@ -1,43 +1,43 @@ ---- -title: Windows Autopilot support -description: Support information for Windows Autopilot -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: low -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.date: 10/31/2018 -ms.reviewer: -manager: laurawi -ms.collection: M365-modern-desktop -ms.topic: article ---- - -# Windows Autopilot support information - -**Applies to: Windows 10** - -The following table displays support information for the Windows Autopilot program. - -Before contacting the resources listed below for Windows Autopilot-related issues, check the [Windows Autopilot FAQ](autopilot-faq.md). - - -| Audience | Support contact | -|---------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| OEM or Channel Partner registering devices as a CSP (via MPC) | Use the help resources available in MPC. Whether you are a named partner or a channel partner (distributor, reseller, SI, etc.), if you’re a CSP registering Autopilot devices through MPC (either manually or through the MPC API), your first-line of support should be the help resources within MPC. | -| OEM registering devices using OEM Direct API | Contact MSOEMOPS@microsoft.com. Response time depends on priority:
          Low – 120 hours
          Normal – 72 hours
          High – 24 hours
          Immediate – 4 hours | -| OEM with a PFE | Reach out to your PFE for support. | -| Partners with a Partner Technology Strategist (PTS) | If you have a PTS (whether you’re a CSP or not), you may first try working through your account’s specific Partner Technology Strategist (PTS). | -| Partners with an Ecosystem PM | If you have an Ecosystem PM (whether you’re a CSP or not), you may first try working through your account’s specific Ecosystem PM, especially for technical issues. | -| Enterprise customers | Contact your Technical Account Manager (TAM), or Account Technology Strategist (ATS), or Customer Service Support (CSS) representative. | -| End-user | Contact your IT administrator. | -| Microsoft Partner Center (MPC) users | Use the [help resources](https://partner.microsoft.com/support) available in MPC. | -| Microsoft Store for Business (MSfB) users | Use the help resources available in MSfB. | -| Intune users | From the Microsoft Azure portal, click [Help + support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview). | -| Microsoft 365 Business | Support is accessible directly through the Microsoft 365 Business portal when logged in: https://support.microsoft.com/en-us. | -| Queries relating to MDA testing | Contact MDAHelp@microsoft.com. | -| All other queries, or when unsure who to contact | Contact msoemops@microsoft.com. | - +--- +title: Windows Autopilot support +description: Support information for Windows Autopilot +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: low +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.date: 10/31/2018 +ms.reviewer: +manager: laurawi +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Windows Autopilot support information + +**Applies to: Windows 10** + +The following table displays support information for the Windows Autopilot program. + +Before contacting the resources listed below for Windows Autopilot-related issues, check the [Windows Autopilot FAQ](autopilot-faq.md). + + +| Audience | Support contact | +|---------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| OEM or Channel Partner registering devices as a CSP (via MPC) | Use the help resources available in MPC. Whether you are a named partner or a channel partner (distributor, reseller, SI, etc.), if you’re a CSP registering Autopilot devices through MPC (either manually or through the MPC API), your first-line of support should be the help resources within MPC. | +| OEM registering devices using OEM Direct API | Contact MSOEMOPS@microsoft.com. Response time depends on priority:
          Low – 120 hours
          Normal – 72 hours
          High – 24 hours
          Immediate – 4 hours | +| OEM with a PFE | Reach out to your PFE for support. | +| Partners with a Partner Technology Strategist (PTS) | If you have a PTS (whether you’re a CSP or not), you may first try working through your account’s specific Partner Technology Strategist (PTS). | +| Partners with an Ecosystem PM | If you have an Ecosystem PM (whether you’re a CSP or not), you may first try working through your account’s specific Ecosystem PM, especially for technical issues. | +| Enterprise customers | Contact your Technical Account Manager (TAM), or Account Technology Strategist (ATS), or Customer Service Support (CSS) representative. | +| End-user | Contact your IT administrator. | +| Microsoft Partner Center (MPC) users | Use the [help resources](https://partner.microsoft.com/support) available in MPC. | +| Microsoft Store for Business (MSfB) users | Use the help resources available in MSfB. | +| Intune users | From the Microsoft Azure portal, click [Help + support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview). | +| Microsoft 365 Business | Support is accessible directly through the Microsoft 365 Business portal when logged in: https://support.microsoft.com/en-us. | +| Queries relating to MDA testing | Contact MDAHelp@microsoft.com. | +| All other queries, or when unsure who to contact | Contact msoemops@microsoft.com. | + diff --git a/windows/deployment/windows-autopilot/bitlocker.md b/windows/deployment/windows-autopilot/bitlocker.md index 11d6e7b42f..7e85f7099d 100644 --- a/windows/deployment/windows-autopilot/bitlocker.md +++ b/windows/deployment/windows-autopilot/bitlocker.md @@ -1,54 +1,54 @@ ---- -title: Setting the BitLocker encryption algorithm for Autopilot devices -ms.reviewer: -manager: laurawi -description: Microsoft Intune provides a comprehensive set of configuration options to manage BitLocker on Windows 10 devices. -keywords: Autopilot, BitLocker, encryption, 256-bit, Windows 10 -ms.prod: w10 -ms.technology: Windows -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -ms.localizationpriority: medium -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Setting the BitLocker encryption algorithm for Autopilot devices - -**Applies to** - -- Windows 10 - -With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. This ensures that the default encrytion algorithm is not applied automatically when this is not the desired setting. Other BitLocker policies that must be applied prior to encryption can also be delivered before automatic BitLocker encryption begins. - -The BitLocker encryption algorithm is used when BitLocker is first enabled, and sets the strength to which full volume encryption should occur. Available encryption algorithms are: AES-CBC 128-bit, AES-CBC 256-bit, XTS-AES 128-bit or XTS-AES 256-bit encryption. The default value is XTS-AES 128-bit encryption. See [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) for information about the recommended encryption algorithms to use. - -To ensure the desired BitLocker encryption algorithm is set before automatic encryption occurs for Autopilot devices: - -1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. -2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group. - - **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users. -3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. - - **IMPORTANT**: If the ESP is not enabled, the policy will not apply before encryption starts. - -An example of Microsoft Intune Windows Encryption settings is shown below. - - ![BitLocker encryption settings](images/bitlocker-encryption.png) - -Note that a device which is encrypted automatically will need to be decrypted prior to changing the encyption algorithm. - -The settings are available under Device Configuration -> Profiles -> Create profile -> Platform = Windows 10 and later, Profile type = Endpoint protection -> Configure -> Windows Encryption -> BitLocker base settings, Configure encryption methods = Enable. - -Note: It is also recommended to set Windows Encryption -> Windows Settings -> Encrypt = **Require**. - -## Requirements - -Windows 10, version 1809 or later. - -## See also - -[Bitlocker overview](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) +--- +title: Setting the BitLocker encryption algorithm for Autopilot devices +ms.reviewer: +manager: laurawi +description: Microsoft Intune provides a comprehensive set of configuration options to manage BitLocker on Windows 10 devices. +keywords: Autopilot, BitLocker, encryption, 256-bit, Windows 10 +ms.prod: w10 +ms.technology: Windows +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +ms.localizationpriority: medium +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Setting the BitLocker encryption algorithm for Autopilot devices + +**Applies to** + +- Windows 10 + +With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. This ensures that the default encrytion algorithm is not applied automatically when this is not the desired setting. Other BitLocker policies that must be applied prior to encryption can also be delivered before automatic BitLocker encryption begins. + +The BitLocker encryption algorithm is used when BitLocker is first enabled, and sets the strength to which full volume encryption should occur. Available encryption algorithms are: AES-CBC 128-bit, AES-CBC 256-bit, XTS-AES 128-bit or XTS-AES 256-bit encryption. The default value is XTS-AES 128-bit encryption. See [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) for information about the recommended encryption algorithms to use. + +To ensure the desired BitLocker encryption algorithm is set before automatic encryption occurs for Autopilot devices: + +1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. +2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group. + - **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users. +3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. + - **IMPORTANT**: If the ESP is not enabled, the policy will not apply before encryption starts. + +An example of Microsoft Intune Windows Encryption settings is shown below. + + ![BitLocker encryption settings](images/bitlocker-encryption.png) + +Note that a device which is encrypted automatically will need to be decrypted prior to changing the encyption algorithm. + +The settings are available under Device Configuration -> Profiles -> Create profile -> Platform = Windows 10 and later, Profile type = Endpoint protection -> Configure -> Windows Encryption -> BitLocker base settings, Configure encryption methods = Enable. + +Note: It is also recommended to set Windows Encryption -> Windows Settings -> Encrypt = **Require**. + +## Requirements + +Windows 10, version 1809 or later. + +## See also + +[Bitlocker overview](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index 86812d946a..5b29de8d83 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md @@ -1,850 +1,850 @@ ---- -title: Demonstrate Autopilot deployment -ms.reviewer: -manager: laurawi -description: Step-by-step instructions on how to set-up a Virtual Machine with a Windows Autopilot deployment -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, upgrade -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article -ms.custom: autopilot ---- - - -# Demonstrate Autopilot deployment - -**Applies to** - -- Windows 10 - -To get started with Windows Autopilot, you should try it out with a virtual machine (VM) or you can use a physical device that will be wiped and then have a fresh install of Windows 10. - -In this topic you'll learn how to set-up a Windows Autopilot deployment for a VM using Hyper-V. Note: Although there are [multiple platforms](administer.md) available to enable Autopilot, this lab primarily uses Intune. - ->Hyper-V and a VM are not required for this lab. You can also use a physical device. However, the instructions assume that you are using a VM. To use a physical device, skip the instructions to install Hyper-V and create a VM. All references to 'device' in the guide refer to the client device, either physical or virtual. - -The following video provides an overview of the process: - -
          - - ->For a list of terms used in this guide, see the [Glossary](#glossary) section. - -## Prerequisites - -These are the things you'll need to complete this lab: - - - -
          Windows 10 installation mediaWindows 10 Professional or Enterprise (ISO file), version 1703 or later is required. If you do not already have an ISO to use, a link is provided to download an evaluation version of Windows 10 Enterprise.
          Internet accessIf you are behind a firewall, see the detailed networking requirements. Otherwise, just ensure that you have a connection to the Internet.
          Hyper-V or a physical device running Windows 10The guide assumes that you will use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V.
          A Premium Intune accountThis guide will describe how to obtain a free 30-day trial premium account that can be used to complete the lab.
          - -## Procedures - -A summary of the sections and procedures in the lab is provided below. Follow each section in the order it is presented, skipping the sections that do not apply to you. Optional procedures are provided in the appendix. - -[Verify support for Hyper-V](#verify-support-for-hyper-v) -
          [Enable Hyper-V](#enable-hyper-v) -
          [Create a demo VM](#create-a-demo-vm) -
              [Set ISO file location](#set-iso-file-location) -
              [Determine network adapter name](#determine-network-adapter-name) -
              [Use Windows PowerShell to create the demo VM](#use-windows-powershell-to-create-the-demo-vm) -
              [Install Windows 10](#install-windows-10) -
          [Capture the hardware ID](#capture-the-hardware-id) -
          [Reset the VM back to Out-Of-Box-Experience (OOBE)](#reset-the-vm-back-to-out-of-box-experience-oobe) -
          [Verify subscription level](#verify-subscription-level) -
          [Configure company branding](#configure-company-branding) -
          [Configure Microsoft Intune auto-enrollment](#configure-microsoft-intune-auto-enrollment) -
          [Register your VM](#register-your-vm) -
              [Autopilot registration using Intune](#autopilot-registration-using-intune) -
              [Autopilot registration using MSfB](#autopilot-registration-using-msfb) -
          [Create and assign a Windows Autopilot deployment profile](#create-and-assign-a-windows-autopilot-deployment-profile) -
              [Create a Windows Autopilot deployment profile using Intune](#create-a-windows-autopilot-deployment-profile-using-intune) -
                 [Assign the profile](#assign-the-profile) -
              [Create a Windows Autopilot deployment profile using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb) -
          [See Windows Autopilot in action](#see-windows-autopilot-in-action) -
          [Remove devices from Autopilot](#remove-devices-from-autopilot) -
              [Delete (deregister) Autopilot device](#delete-deregister-autopilot-device) -
          [Appendix A: Verify support for Hyper-V](#appendix-a-verify-support-for-hyper-v) -
          [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile) -
              [Add a Win32 app](#add-a-win32-app) -
                 [Prepare the app for Intune](#prepare-the-app-for-intune) -
                 [Create app in Intune](#create-app-in-intune) -
                 [Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile) -
              [Add Office 365](#add-office-365) -
                 [Create app in Intune](#create-app-in-intune) -
                 [Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile) -
          [Glossary](#glossary) - -## Verify support for Hyper-V - -If you don't already have Hyper-V, we must first enable this on a computer running Windows 10 or Windows Server (2012 R2 or later). - ->If you already have Hyper-V enabled, skip to the [create a demo VM](#create-a-demo-vm) step. If you are using a physical device instead of a VM, skip to [Install Windows 10](#install-windows-10). - -If you are not sure that your device supports Hyper-V, or you have problems installing Hyper-V, see [appendix A](#appendix-a-verify-support-for-hyper-v) below for details on verifying that Hyper-V can be successfully installed. - -## Enable Hyper-V - -To enable Hyper-V, open an elevated Windows PowerShell prompt and run the following command: - -```powershell -Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -``` - -This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command (below) to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. The following command will also install Hyper-V if it isn't already installed, so if you're using Windows Server, you can just type the following command instead of using the Enable-WindowsOptionalFeature command: - -```powershell -Install-WindowsFeature -Name Hyper-V -IncludeManagementTools -``` - -When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. - ->Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below: - - ![hyper-v feature](../images/hyper-v-feature.png) - - ![hyper-v](../images/svr_mgr2.png) - -

          If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools. - -After installation is complete, open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt, or by typing **Hyper-V** in the Start menu search box. - -To read more about Hyper-V, see [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/virtualization/hyper-v-on-windows/about/) and [Hyper-V on Windows Server](https://docs.microsoft.com/windows-server/virtualization/hyper-v/hyper-v-on-windows-server). - -## Create a demo VM - -Now that Hyper-V is enabled, we need to create a VM running Windows 10. We can [create a VM](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/create-virtual-machine) and [virtual network](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/connect-to-network) using Hyper-V Manager, but it is simpler to use Windows PowerShell. - -To use Windows Powershell we just need to know two things: - -1. The location of the Windows 10 ISO file. - - In the example, we assume the location is **c:\iso\win10-eval.iso**. -2. The name of the network interface that connects to the Internet. - - In the example, we use a Windows PowerShell command to determine this automatically. - -After we have set the ISO file location and determined the name of the appropriate network interface, we can install Windows 10. - -### Set ISO file location - -You can download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise [here](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise). -- When asked to select a platform, choose **64 bit**. - -After you download this file, the name will be extremely long (ex: 17763.107.101029-1455.rs5_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso). - -1. So that it is easier to type and remember, rename the file to **win10-eval.iso**. -2. Create a directory on your computer named **c:\iso** and move the **win10-eval.iso** file there, so the path to the file is **c:\iso\win10-eval.iso**. -3. If you wish to use a different name and location for the file, you must modify the Windows PowerShell commands below to use your custom name and directory. - -### Determine network adapter name - -The Get-NetAdaper cmdlet is used below to automatically find the network adapter that is most likely to be the one you use to connect to the Internet. You should test this command first by running the following at an elevated Windows PowerShell prompt: - -```powershell -(Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name -``` - -The output of this command should be the name of the network interface you use to connect to the Internet. Verify that this is the correct interface name. If it is not the correct interface name, you'll need to edit the first command below to use your network interface name. - -For example, if the command above displays Ethernet but you wish to use Ethernet2, then the first command below would be New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName **Ethernet2**. - -### Use Windows PowerShell to create the demo VM - -All VM data will be created under the current path in your PowerShell prompt. Consider navigating into a new folder before running the following commands. - ->[!IMPORTANT] ->**VM switch**: a VM switch is how Hyper-V connects VMs to a network.

          If you have previously enabled Hyper-V and your Internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."

          If you have never created an external VM switch before, then just run the commands below. - -```powershell -New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name -New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal -Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot -Start-VM -VMName WindowsAutopilot -``` - -After entering these commands, connect to the VM that you just created and wait for a prompt to press a key and boot from the DVD. You can connect to the VM by double-clicking it in Hyper-V Manager. - -See the sample output below. In this sample, the VM is created under the **c:\autopilot** directory and the vmconnect.exe command is used (which is only available on Windows Server). If you installed Hyper-V on Windows 10, use Hyper-V Manager to connect to your VM. - -

          -PS C:\autopilot> dir c:\iso
-
-
-    Directory: C:\iso
-
-
-Mode                LastWriteTime         Length Name
-----                -------------         ------ ----
--a----        3/12/2019   2:46 PM     4627343360 win10-eval.iso
-
-PS C:\autopilot> (Get-NetAdapter |?{$.Status -eq "Up" -and !$.Virtual}).Name
-Ethernet
-PS C:\autopilot> New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$.Status -eq "Up" -and !$.Virtual}).Name
-
-Name              SwitchType NetAdapterInterfaceDescription
-----              ---------- ------------------------------
-AutopilotExternal External   Intel(R) Ethernet Connection (2) I218-LM
-
-PS C:\autopilot> New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
-
-Name             State CPUUsage(%) MemoryAssigned(M) Uptime   Status             Version
-----             ----- ----------- ----------------- ------   ------             -------
-WindowsAutopilot Off   0           0                 00:00:00 Operating normally 8.0
-
-PS C:\autopilot> Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot
-PS C:\autopilot> Start-VM -VMName WindowsAutopilot
-PS C:\autopilot> vmconnect.exe localhost WindowsAutopilot
-PS C:\autopilot> dir
-
-    Directory: C:\autopilot
-
-Mode                LastWriteTime         Length Name
-----                -------------         ------ ----
-d-----        3/12/2019   3:15 PM                VMData
-d-----        3/12/2019   3:42 PM                VMs
-
-PS C:\autopilot>
-
          - -### Install Windows 10 - -Ensure the VM booted from the installation ISO, click **Next** then click **Install now** and complete the Windows installation process. See the following examples: - - ![Windows setup](images/winsetup1.png) - ![Windows setup](images/winsetup2.png) - ![Windows setup](images/winsetup3.png) - ![Windows setup](images/winsetup4.png) - ![Windows setup](images/winsetup5.png) - ![Windows setup](images/winsetup6.png) - ->After the VM restarts, during OOBE, it’s fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example: - - ![Windows setup](images/winsetup7.png) - -Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state. You will create multiple checkpoints throughout this lab, which can be used later to go through the process again. - - ![Windows setup](images/winsetup8.png) - -To create your first checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following: - -```powershell -Checkpoint-VM -Name WindowsAutopilot -SnapshotName "Finished Windows install" -``` - -Click on the **WindowsAutopilot** VM in Hyper-V Manager and verify that you see **Finished Windows Install** listed in the Checkpoints pane. - -## Capture the hardware ID - ->NOTE: Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but you’re not going to use the OA3 Tool to capture the full 4K HH for various reasons (you’d have to install the OA3 tool, your device couldn’t have a volume license version of Windows, it’s a more complicated process than using a PS script, etc.). Instead, you’ll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool. - -Follow these steps to run the PS script: - -1. Open an elevated Windows PowerShell prompt and run the following commands. These commands are the same regardless of whether you are using a VM or a physical device: - - ```powershell - md c:\HWID - Set-Location c:\HWID - Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force - Install-Script -Name Get-WindowsAutopilotInfo -Force - $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts" - Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv - ``` - -When you are prompted to install the NuGet package, choose **Yes**. - -See the sample output below. - -
          -PS C:\> md c:\HWID
-
-    Directory: C:\
-
-Mode                LastWriteTime         Length Name
-----                -------------         ------ ----
-d-----        3/14/2019  11:33 AM                HWID
-
-PS C:\> Set-Location c:\HWID
-PS C:\HWID> Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
-PS C:\HWID> Install-Script -Name Get-WindowsAutopilotInfo -Force
-
-NuGet provider is required to continue
-PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet
- provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or
-'C:\Users\user1\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running
- 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and
-import the NuGet provider now?
-[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y
-PS C:\HWID> $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
-PS C:\HWID> Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
-PS C:\HWID> dir
-
-    Directory: C:\HWID
-
-Mode                LastWriteTime         Length Name
-----                -------------         ------ ----
--a----        3/14/2019  11:33 AM           8184 AutopilotHWID.csv
-
-PS C:\HWID>
-
          - -Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory that is about 8 KB in size. This file contains the complete 4K HH. - -**Note**: Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below. - -![Serial number and hardware hash](images/hwid.png) - -You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM). - -If you have trouble copying and pasting the file, just view the contents in Notepad on the VM and copy the text into Notepad outside the VM. Do not use another text editor to do this. - ->[!NOTE] ->When copying and pasting to or from VMs, avoid clicking other things with your mouse cursor between the copy and paste process as this can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste. - -## Reset the VM back to Out-Of-Box-Experience (OOBE) - -With the hardware ID captured in a file, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE. - -On the Virtual Machine, go to **Settings > Update & Security > Recovery** and click on **Get started** under **Reset this PC**. -Select **Remove everything** and **Just remove my files**. Finally, click on **Reset**. - -![Reset this PC final prompt](images/autopilot-reset-prompt.jpg) - -Resetting the VM or device can take a while. Proceed to the next step (verify subscription level) during the reset process. - -![Reset this PC screen capture](images/autopilot-reset-progress.jpg) - -## Verify subscription level - -For this lab, you need an AAD Premium subscription. You can tell if you have a Premium subscription by navigating to the [MDM enrollment configuration](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) blade. See the following example: - -**Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune** - -![MDM and Intune](images/mdm-intune2.png) - -If the configuration blade shown above does not appear, it’s likely that you don’t have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium. - -To convert your Intune trial account to a free Premium trial account, navigate to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5. - -![Reset this PC final prompt](images/aad-lic1.png) - -## Configure company branding - -If you already have company branding configured in Azure Active Directory, you can skip this step. - ->[!IMPORTANT] ->Make sure to sign-in with a Global Administrator account. - -Navigate to [Company branding in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/LoginTenantBranding), click on **Configure** and configure any type of company branding you'd like to see during the OOBE. - -![Configure company branding](images/branding.png) - -When you are finished, click **Save**. - ->[!NOTE] ->Changes to company branding can take up to 30 minutes to apply. - -## Configure Microsoft Intune auto-enrollment - -If you already have MDM auto-enrollment configured in Azure Active Directory, you can skip this step. - -Open [Mobility (MDM and MAM) in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) and select **Microsoft Intune**. If you do not see Microsoft Intune, click **Add application** and choose **Intune**. - -For the purposes of this demo, select **All** under the **MDM user scope** and click **Save**. - -![MDM user scope in the Mobility blade](images/autopilot-aad-mdm.png) - -## Register your VM - -Your VM (or device) can be registered either via Intune or Microsoft Store for Business (MSfB). Both processes are shown here, but only pick one for purposes of this lab. We highly recommend using Intune rather than MSfB. - -### Autopilot registration using Intune - -1. In Intune in the Azure portal, choose **Device enrollment** > **Windows enrollment** > **Devices** > **Import**. - - ![Intune device import](images/device-import.png) - - >[!NOTE] - >If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appeared. - -2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). It’s okay if other fields (Windows Product ID) are left blank. - - ![HWID CSV](images/hwid-csv.png) - - You should receive confirmation that the file is formatted correctly before uploading it, as shown above. - -3. Click **Import** and wait until the import process completes. This can take up to 15 minutes. - -4. Click **Sync** to sync the device you just registered. Wait a few moments before refreshing to verify your VM or device has been added. See the following example. - - ![Import HWID](images/import-vm.png) - -### Autopilot registration using MSfB - ->[!IMPORTANT] ->If you've already registered your VM (or device) using Intune, then skip this step. - -Optional: see the following video for an overview of the process. - -  - -> [!video https://www.youtube.com/embed/IpLIZU_j7Z0] - -First, you need a MSfB account. You can use the same one you created above for Intune, or follow [these instructions](https://docs.microsoft.com/microsoft-store/windows-store-for-business-overview) to create a new one. - -Next, sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) using your test account by clicking **Sign in** in the upper-right-corner of the main page. - -Select **Manage** from the top menu, then click the **Windows Autopilot Deployment Program** link under the **Devices** card. See the following example: - -![Microsoft Store for Business](images/msfb.png) - -Click the **Add devices** link to upload your CSV file. A message will appear indicating your request is being processed. Wait a few moments before refreshing to see your new device has been added. - -![Devices](images/msfb-device.png) - -## Create and assign a Windows Autopilot deployment profile - ->[!IMPORTANT] ->Autopilot profiles can be created and assigned to your registered VM or device either through Intune or MSfB. Both processes are shown here, but only pick one for purposes of this lab: - -Pick one: -- [Create profiles using Intune](#create-a-windows-autopilot-deployment-profile-using-intune) -- [Create profiles using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb) - -### Create a Windows Autopilot deployment profile using Intune - ->[!NOTE] ->Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list first: - -![Devices](images/intune-devices.png) - ->The example above lists both a physical device and a VM. Your list should only include only one of these. - -To create a Windows Autopilot profile, select **Device enrollment** > **Windows enrollment** > **Deployment profiles** - -![Deployment profiles](images/deployment-profiles.png) - -Click on **Create profile**. - -![Create deployment profile](images/create-profile.png) - -On the **Create profile** blade, use the following values: - -| Setting | Value | -|---|---| -| Name | Autopilot Lab profile | -| Description | blank | -| Convert all targeted devices to Autopilot | No | -| Deployment mode | User-driven | -| Join to Azure AD as | Azure AD joined | - -Click on **Out-of-box experience (OOBE)** and configure the following settings: - -| Setting | Value | -|---|---| -| EULA | Hide | -| Privacy Settings | Hide | -| Hide change account options | Hide | -| User account type | Standard | -| Apply device name template | No | - -See the following example: - -![Deployment profile](images/profile.png) - -Click on **OK** and then click on **Create**. - ->If you want to add an app to your profile via Intune, the OPTIONAL steps for doing so can be found in [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile). - -#### Assign the profile - -Profiles can only be assigned to Groups, so first you must create a group that contains the devices to which the profile should be applied. This guide will provide simple instructions to assign a profile, for more detailed instructions, see [Create an Autopilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an Autopilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group), as optional reading. - -To create a Group, open the Azure Portal and select **Azure Active Directory** > **Groups** > **All groups**: - -![All groups](images/all-groups.png) - -Select New group from the Groups blade to open the new groups UI. Select the “Security” group type, name the group, and select the “Assigned” membership type: - -Before clicking **Create**, expand the **Members** panel, click your device's serial number (it will then appear under **Selected members**) and then click **Select** to add that device to this group. - -![New group](images/new-group.png) - -Now click **Create** to finish creating the new group. - -Click on **All groups** and click **Refresh** to verify that your new group has been successfully created. - -With a group created containing your device, you can now go back and assign your profile to that group. Navigate back to the Intune page in the Azure portal (one way is to type **Intune** in the top banner search bar and select **Intune** from the results). - -From Intune, select **Device enrollment** > **Windows enrollment** > **Deployment Profiles** to open the profile blade. Click on the name of the profile you previously created (Autopilot Lab profile) to open the details blade for that profile: - -![Lab profile](images/deployment-profiles2.png) - -Under **Manage**, click **Assignments**, and then with the **Include** tab highlighted, expand the **Select groups** blade and click **AP Lab Group 1** (the group will appear under **Selected members**). - -![Include group](images/include-group.png) - -Click **Select** and then click **Save**. - -![Include group](images/include-group2.png) - -It’s also possible to assign specific users to a profile, but we will not cover this scenario in the lab. For more detailed information, see [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot). - -### Create a Windows Autopilot deployment profile using MSfB - -If you have already created and assigned a profile via Intune by using the steps immediately above, then skip this section. - -A [video](https://www.youtube.com/watch?v=IpLIZU_j7Z0) is available that covers the steps required to create and assign profiles in MSfB. These steps are also summarized below. - -First, sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/manage/dashboard) using the Intune account you initially created for this lab. - -Click **Manage** from the top menu, then click **Devices** from the left navigation tree. - -![MSfB manage](images/msfb-manage.png) - -Click the **Windows Autopilot Deployment Program** link in the **Devices** tile. - -To CREATE the profile: - -Select your device from the **Devices** list: - -![MSfB create](images/msfb-create1.png) - -On the Autopilot deployment dropdown menu, select **Create new profile**: - -![MSfB create](images/msfb-create2.png) - -Name the profile, choose your desired settings, and then click **Create**: - -![MSfB create](images/msfb-create3.png) - -The new profile is added to the Autopilot deployment list. - -To ASSIGN the profile: - -To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab, then select the profile you want to assign from the **Autopilot deployment** dropdown menu as shown: - -![MSfB assign](images/msfb-assign1.png) - -Confirm the profile was successfully assigned to the intended device by checking the contents of the **Profile** column: - -![MSfB assign](images/msfb-assign2.png) - ->[!IMPORTANT] ->The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device. - -## See Windows Autopilot in action - -If you shut down your VM after the last reset, it’s time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**: - -![Device status](images/device-status.png) - -Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up. - ->[!TIP] ->If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again to ensure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience you’re expecting. If you do not see the Autopilot OOBE experience, then reset the device again (Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Click on Reset). - -- Ensure your device has an internet connection. -- Turn on the device -- Verify that the appropriate OOBE screens (with appropriate Company Branding) appear. You should see the region selection screen, the keyboard selection screen, and the second keyboard selection screen (which you can skip). - -![OOBE sign-in page](images/autopilot-oobe.jpg) - -Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go into the Intune Azure portal, and select **Devices > All devices**, then **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated. - -![Device enabled](images/enabled-device.png) - -Once you select a language and a keyboard layout, your company branded sign-in screen should appear. Provide your Azure Active Directory credentials and you're all done. - -Windows Autopilot will now take over to automatically join your device into Azure Active Directory and enroll it to Microsoft Intune. Use the checkpoints you've created to go through this process again with different settings. - -## Remove devices from Autopilot - -To use the device (or VM) for other purposes after completion of this lab, you will need to remove (deregister) it from Autopilot via either Intune or MSfB, and then reset it. Instructions for deregistering devices can be found [here](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [here](https://docs.microsoft.com/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal) and below. - -### Delete (deregister) Autopilot device - -You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into your Intune Azure portal, then navigate to **Intune > Devices > All Devices**. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu. - -![Delete device](images/delete-device1.png) - -Click **X** when challenged to complete the operation: - -![Delete device](images/delete-device2.png) - -This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**. - -![Delete device](images/delete-device3.png) - -The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune. Note: A device will only appear in the All devices list once it has booted. The latter (Windows Autopilot Deployment Program > Devices) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune. - -To remove the device from the Autopilot program, select the device and click Delete. - -![Delete device](images/delete-device4.png) - -A warning message appears reminding you to first remove the device from Intune, which we previously did. - -![Delete device](images/delete-device5.png) - -At this point, your device has been unenrolled from Intune and also deregistered from Autopilot. After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program: - -![Delete device](images/delete-device6.png) - -Once the device no longer appears, you are free to reuse it for other purposes. - -If you also (optionally) want to remove your device from AAD, navigate to **Azure Active Directory > Devices > All Devices**, select your device, and click the delete button: - -![Delete device](images/delete-device7.png) - -## Appendix A: Verify support for Hyper-V - -Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information. - -To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, scroll down, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example: - -
          -C:>systeminfo
-
-...
-Hyper-V Requirements:      VM Monitor Mode Extensions: Yes
-                           Virtualization Enabled In Firmware: Yes
-                           Second Level Address Translation: Yes
-                           Data Execution Prevention Available: Yes
-
          - -In this example, the computer supports SLAT and Hyper-V. - ->If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings. - -You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example: - -
          -C:>coreinfo -v
-
-Coreinfo v3.31 - Dump information on system CPU and memory topology
-Copyright (C) 2008-2014 Mark Russinovich
-Sysinternals - www.sysinternals.com
-
-Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
-Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
-Microcode signature: 0000001B
-HYPERVISOR      -       Hypervisor is present
-VMX             *       Supports Intel hardware-assisted virtualization
-EPT             *       Supports Intel extended page tables (SLAT)
-
          - -Note: A 64-bit operating system is required to run Hyper-V. - -## Appendix B: Adding apps to your profile - -### Add a Win32 app - -#### Prepare the app for Intune - -Before we can pull an application into Intune to make it part of our AP profile, we need to “package” the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool). After downloading the tool, gather the following three bits of information to use the tool: - -1. The source folder for your application -2. The name of the setup executable file -3. The output folder for the new file - -For the purposes of this lab, we’ll use the Notepad++ tool as our Win32 app. - -Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available) and then opy the file to a known location, such as C:\Notepad++msi. - -Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example: - -![Add app](images/app01.png) - -After the tool finishes running, you should have an .intunewin file in the Output folder, which you can now upload into Intune using the following steps. - -#### Create app in Intune - -Log into the Azure portal and select **Intune**. - -Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package. - -![Add app](images/app02.png) - -Under **App Type**, select **Windows app (Win32)**: - -![Add app](images/app03.png) - -On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then click **OK**: - -![Add app](images/app04.png) - -On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as: - -![Add app](images/app05.png) - -On the **Program Configuration** blade, supply the install and uninstall commands: - -Install: msiexec /i "npp.7.6.3.installer.x64.msi" /q -Uninstall: msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q - -NOTE: Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool) automatically generated them when it converted the .msi file into a .intunewin file. - -![Add app](images/app06.png) - -Simply using an install command like “notepad++.exe /S” will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesn’t actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available). - -Click **OK** to save your input and activate the **Requirements** blade. - -On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**: - -![Add app](images/app07.png) - -Next, configure the **Detection rules**. For our purposes, we will select manual format: - -![Add app](images/app08.png) - -Click **Add** to define the rule properties. For **Rule type**, select **MSI**, which will automatically import the right MSI product code into the rule: - -![Add app](images/app09.png) - -Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration. - -**Return codes**: For our purposes, leave the return codes at their default values: - -![Add app](images/app10.png) - -Click **OK** to exit. - -You may skip configuring the final **Scope (Tags)** blade. - -Click the **Add** button to finalize and save your app package. - -Once the indicator message says the addition has completed. - -![Add app](images/app11.png) - -You will be able to find your app in your app list: - -![Add app](images/app12.png) - -#### Assign the app to your Intune profile - -**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here. - -In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then click **Assignments** from the menu: - -![Add app](images/app13.png) - -Select **Add Group** to open the **Add group** pane that is related to the app. - -For our purposes, select *8Required** from the **Assignment type** dropdown menu: - ->**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website. - -Select **Included Groups** and assign the groups you previously created that will use this app: - -![Add app](images/app14.png) - -![Add app](images/app15.png) - -In the **Select groups** pane, click the **Select** button. - -In the **Assign group** pane, select **OK**. - -In the **Add group** pane, select **OK**. - -In the app **Assignments** pane, select **Save**. - -![Add app](images/app16.png) - -At this point, you have completed steps to add a Win32 app to Intune. - -For more information on adding adds to Intune, see [Intune Standalone - Win32 app management](https://docs.microsoft.com/intune/apps-win32-app-management). - -### Add Office 365 - -#### Create app in Intune - -Log into the Azure portal and select **Intune**. - -Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package. - -![Add app](images/app17.png) - -Under **App Type**, select **Office 365 Suite > Windows 10**: - -![Add app](images/app18.png) - -Under the **Configure App Suite** pane, select the Office apps you want to install. For the purposes of this labe we have only selected Excel: - -![Add app](images/app19.png) - -Click **OK**. - -In the **App Suite Information** pane, enter a unique suite name, and a suitable description. - ->Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal. - -![Add app](images/app20.png) - -Click **OK**. - -In the **App Suite Settings** pane, select **Monthly** for the **Update channel** (any selection would be fine for the purposes of this lab). Also select **Yes** for **Automatically accept the app end user license agreement**: - -![Add app](images/app21.png) - -Click **OK** and then click **Add**. - -#### Assign the app to your Intune profile - -**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here. - -In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then click **Assignments** from the menu: - -![Add app](images/app22.png) - -Select **Add Group** to open the **Add group** pane that is related to the app. - -For our purposes, select **Required** from the **Assignment type** dropdown menu: - ->**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website. - -Select **Included Groups** and assign the groups you previously created that will use this app: - -![Add app](images/app23.png) - -![Add app](images/app24.png) - -In the **Select groups** pane, click the **Select** button. - -In the **Assign group** pane, select **OK**. - -In the **Add group** pane, select **OK**. - -In the app **Assignments** pane, select **Save**. - -![Add app](images/app25.png) - -At this point, you have completed steps to add Office to Intune. - -For more information on adding Office apps to Intune, see [Assign Office 365 apps to Windows 10 devices with Microsoft Intune](https://docs.microsoft.com/intune/apps-add-office365). - -If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list, although it could take several minutes to populate: - -![Add app](images/app26.png) - -## Glossary - - - - - - - - - - - - - - -
          OEMOriginal Equipment Manufacturer
          CSVComma Separated Values
          MPCMicrosoft Partner Center
          CSPCloud Solution Provider
          MSfBMicrosoft Store for Business
          AADAzure Active Directory
          4K HH4K Hardware Hash
          CBRComputer Build Report
          ECEnterprise Commerce (server)
          DDSDevice Directory Service
          OOBEOut of the Box Experience
          VMVirtual Machine
          +--- +title: Demonstrate Autopilot deployment +ms.reviewer: +manager: laurawi +description: Step-by-step instructions on how to set-up a Virtual Machine with a Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, upgrade +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +ms.custom: autopilot +--- + + +# Demonstrate Autopilot deployment + +**Applies to** + +- Windows 10 + +To get started with Windows Autopilot, you should try it out with a virtual machine (VM) or you can use a physical device that will be wiped and then have a fresh install of Windows 10. + +In this topic you'll learn how to set-up a Windows Autopilot deployment for a VM using Hyper-V. Note: Although there are [multiple platforms](administer.md) available to enable Autopilot, this lab primarily uses Intune. + +>Hyper-V and a VM are not required for this lab. You can also use a physical device. However, the instructions assume that you are using a VM. To use a physical device, skip the instructions to install Hyper-V and create a VM. All references to 'device' in the guide refer to the client device, either physical or virtual. + +The following video provides an overview of the process: + +
          + + +>For a list of terms used in this guide, see the [Glossary](#glossary) section. + +## Prerequisites + +These are the things you'll need to complete this lab: + + + +
          Windows 10 installation mediaWindows 10 Professional or Enterprise (ISO file), version 1703 or later is required. If you do not already have an ISO to use, a link is provided to download an evaluation version of Windows 10 Enterprise.
          Internet accessIf you are behind a firewall, see the detailed networking requirements. Otherwise, just ensure that you have a connection to the Internet.
          Hyper-V or a physical device running Windows 10The guide assumes that you will use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V.
          A Premium Intune accountThis guide will describe how to obtain a free 30-day trial premium account that can be used to complete the lab.
          + +## Procedures + +A summary of the sections and procedures in the lab is provided below. Follow each section in the order it is presented, skipping the sections that do not apply to you. Optional procedures are provided in the appendix. + +[Verify support for Hyper-V](#verify-support-for-hyper-v) +
          [Enable Hyper-V](#enable-hyper-v) +
          [Create a demo VM](#create-a-demo-vm) +
              [Set ISO file location](#set-iso-file-location) +
              [Determine network adapter name](#determine-network-adapter-name) +
              [Use Windows PowerShell to create the demo VM](#use-windows-powershell-to-create-the-demo-vm) +
              [Install Windows 10](#install-windows-10) +
          [Capture the hardware ID](#capture-the-hardware-id) +
          [Reset the VM back to Out-Of-Box-Experience (OOBE)](#reset-the-vm-back-to-out-of-box-experience-oobe) +
          [Verify subscription level](#verify-subscription-level) +
          [Configure company branding](#configure-company-branding) +
          [Configure Microsoft Intune auto-enrollment](#configure-microsoft-intune-auto-enrollment) +
          [Register your VM](#register-your-vm) +
              [Autopilot registration using Intune](#autopilot-registration-using-intune) +
              [Autopilot registration using MSfB](#autopilot-registration-using-msfb) +
          [Create and assign a Windows Autopilot deployment profile](#create-and-assign-a-windows-autopilot-deployment-profile) +
              [Create a Windows Autopilot deployment profile using Intune](#create-a-windows-autopilot-deployment-profile-using-intune) +
                 [Assign the profile](#assign-the-profile) +
              [Create a Windows Autopilot deployment profile using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb) +
          [See Windows Autopilot in action](#see-windows-autopilot-in-action) +
          [Remove devices from Autopilot](#remove-devices-from-autopilot) +
              [Delete (deregister) Autopilot device](#delete-deregister-autopilot-device) +
          [Appendix A: Verify support for Hyper-V](#appendix-a-verify-support-for-hyper-v) +
          [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile) +
              [Add a Win32 app](#add-a-win32-app) +
                 [Prepare the app for Intune](#prepare-the-app-for-intune) +
                 [Create app in Intune](#create-app-in-intune) +
                 [Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile) +
              [Add Office 365](#add-office-365) +
                 [Create app in Intune](#create-app-in-intune) +
                 [Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile) +
          [Glossary](#glossary) + +## Verify support for Hyper-V + +If you don't already have Hyper-V, we must first enable this on a computer running Windows 10 or Windows Server (2012 R2 or later). + +>If you already have Hyper-V enabled, skip to the [create a demo VM](#create-a-demo-vm) step. If you are using a physical device instead of a VM, skip to [Install Windows 10](#install-windows-10). + +If you are not sure that your device supports Hyper-V, or you have problems installing Hyper-V, see [appendix A](#appendix-a-verify-support-for-hyper-v) below for details on verifying that Hyper-V can be successfully installed. + +## Enable Hyper-V + +To enable Hyper-V, open an elevated Windows PowerShell prompt and run the following command: + +```powershell +Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All +``` + +This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command (below) to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. The following command will also install Hyper-V if it isn't already installed, so if you're using Windows Server, you can just type the following command instead of using the Enable-WindowsOptionalFeature command: + +```powershell +Install-WindowsFeature -Name Hyper-V -IncludeManagementTools +``` + +When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. + +>Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below: + + ![hyper-v feature](../images/hyper-v-feature.png) + + ![hyper-v](../images/svr_mgr2.png) + +

          If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools. + +After installation is complete, open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt, or by typing **Hyper-V** in the Start menu search box. + +To read more about Hyper-V, see [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/virtualization/hyper-v-on-windows/about/) and [Hyper-V on Windows Server](https://docs.microsoft.com/windows-server/virtualization/hyper-v/hyper-v-on-windows-server). + +## Create a demo VM + +Now that Hyper-V is enabled, we need to create a VM running Windows 10. We can [create a VM](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/create-virtual-machine) and [virtual network](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/connect-to-network) using Hyper-V Manager, but it is simpler to use Windows PowerShell. + +To use Windows Powershell we just need to know two things: + +1. The location of the Windows 10 ISO file. + - In the example, we assume the location is **c:\iso\win10-eval.iso**. +2. The name of the network interface that connects to the Internet. + - In the example, we use a Windows PowerShell command to determine this automatically. + +After we have set the ISO file location and determined the name of the appropriate network interface, we can install Windows 10. + +### Set ISO file location + +You can download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise [here](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise). +- When asked to select a platform, choose **64 bit**. + +After you download this file, the name will be extremely long (ex: 17763.107.101029-1455.rs5_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso). + +1. So that it is easier to type and remember, rename the file to **win10-eval.iso**. +2. Create a directory on your computer named **c:\iso** and move the **win10-eval.iso** file there, so the path to the file is **c:\iso\win10-eval.iso**. +3. If you wish to use a different name and location for the file, you must modify the Windows PowerShell commands below to use your custom name and directory. + +### Determine network adapter name + +The Get-NetAdaper cmdlet is used below to automatically find the network adapter that is most likely to be the one you use to connect to the Internet. You should test this command first by running the following at an elevated Windows PowerShell prompt: + +```powershell +(Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name +``` + +The output of this command should be the name of the network interface you use to connect to the Internet. Verify that this is the correct interface name. If it is not the correct interface name, you'll need to edit the first command below to use your network interface name. + +For example, if the command above displays Ethernet but you wish to use Ethernet2, then the first command below would be New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName **Ethernet2**. + +### Use Windows PowerShell to create the demo VM + +All VM data will be created under the current path in your PowerShell prompt. Consider navigating into a new folder before running the following commands. + +>[!IMPORTANT] +>**VM switch**: a VM switch is how Hyper-V connects VMs to a network.

          If you have previously enabled Hyper-V and your Internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."

          If you have never created an external VM switch before, then just run the commands below. + +```powershell +New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name +New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal +Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot +Start-VM -VMName WindowsAutopilot +``` + +After entering these commands, connect to the VM that you just created and wait for a prompt to press a key and boot from the DVD. You can connect to the VM by double-clicking it in Hyper-V Manager. + +See the sample output below. In this sample, the VM is created under the **c:\autopilot** directory and the vmconnect.exe command is used (which is only available on Windows Server). If you installed Hyper-V on Windows 10, use Hyper-V Manager to connect to your VM. + +

          +PS C:\autopilot> dir c:\iso
+
+
+    Directory: C:\iso
+
+
+Mode                LastWriteTime         Length Name
+----                -------------         ------ ----
+-a----        3/12/2019   2:46 PM     4627343360 win10-eval.iso
+
+PS C:\autopilot> (Get-NetAdapter |?{$.Status -eq "Up" -and !$.Virtual}).Name
+Ethernet
+PS C:\autopilot> New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$.Status -eq "Up" -and !$.Virtual}).Name
+
+Name              SwitchType NetAdapterInterfaceDescription
+----              ---------- ------------------------------
+AutopilotExternal External   Intel(R) Ethernet Connection (2) I218-LM
+
+PS C:\autopilot> New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
+
+Name             State CPUUsage(%) MemoryAssigned(M) Uptime   Status             Version
+----             ----- ----------- ----------------- ------   ------             -------
+WindowsAutopilot Off   0           0                 00:00:00 Operating normally 8.0
+
+PS C:\autopilot> Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot
+PS C:\autopilot> Start-VM -VMName WindowsAutopilot
+PS C:\autopilot> vmconnect.exe localhost WindowsAutopilot
+PS C:\autopilot> dir
+
+    Directory: C:\autopilot
+
+Mode                LastWriteTime         Length Name
+----                -------------         ------ ----
+d-----        3/12/2019   3:15 PM                VMData
+d-----        3/12/2019   3:42 PM                VMs
+
+PS C:\autopilot>
+
          + +### Install Windows 10 + +Ensure the VM booted from the installation ISO, click **Next** then click **Install now** and complete the Windows installation process. See the following examples: + + ![Windows setup](images/winsetup1.png) + ![Windows setup](images/winsetup2.png) + ![Windows setup](images/winsetup3.png) + ![Windows setup](images/winsetup4.png) + ![Windows setup](images/winsetup5.png) + ![Windows setup](images/winsetup6.png) + +>After the VM restarts, during OOBE, it’s fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example: + + ![Windows setup](images/winsetup7.png) + +Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state. You will create multiple checkpoints throughout this lab, which can be used later to go through the process again. + + ![Windows setup](images/winsetup8.png) + +To create your first checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following: + +```powershell +Checkpoint-VM -Name WindowsAutopilot -SnapshotName "Finished Windows install" +``` + +Click on the **WindowsAutopilot** VM in Hyper-V Manager and verify that you see **Finished Windows Install** listed in the Checkpoints pane. + +## Capture the hardware ID + +>NOTE: Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but you’re not going to use the OA3 Tool to capture the full 4K HH for various reasons (you’d have to install the OA3 tool, your device couldn’t have a volume license version of Windows, it’s a more complicated process than using a PS script, etc.). Instead, you’ll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool. + +Follow these steps to run the PS script: + +1. Open an elevated Windows PowerShell prompt and run the following commands. These commands are the same regardless of whether you are using a VM or a physical device: + + ```powershell + md c:\HWID + Set-Location c:\HWID + Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force + Install-Script -Name Get-WindowsAutopilotInfo -Force + $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts" + Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv + ``` + +When you are prompted to install the NuGet package, choose **Yes**. + +See the sample output below. + +
          +PS C:\> md c:\HWID
+
+    Directory: C:\
+
+Mode                LastWriteTime         Length Name
+----                -------------         ------ ----
+d-----        3/14/2019  11:33 AM                HWID
+
+PS C:\> Set-Location c:\HWID
+PS C:\HWID> Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
+PS C:\HWID> Install-Script -Name Get-WindowsAutopilotInfo -Force
+
+NuGet provider is required to continue
+PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet
+ provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or
+'C:\Users\user1\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running
+ 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and
+import the NuGet provider now?
+[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y
+PS C:\HWID> $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
+PS C:\HWID> Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
+PS C:\HWID> dir
+
+    Directory: C:\HWID
+
+Mode                LastWriteTime         Length Name
+----                -------------         ------ ----
+-a----        3/14/2019  11:33 AM           8184 AutopilotHWID.csv
+
+PS C:\HWID>
+
          + +Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory that is about 8 KB in size. This file contains the complete 4K HH. + +**Note**: Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below. + +![Serial number and hardware hash](images/hwid.png) + +You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM). + +If you have trouble copying and pasting the file, just view the contents in Notepad on the VM and copy the text into Notepad outside the VM. Do not use another text editor to do this. + +>[!NOTE] +>When copying and pasting to or from VMs, avoid clicking other things with your mouse cursor between the copy and paste process as this can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste. + +## Reset the VM back to Out-Of-Box-Experience (OOBE) + +With the hardware ID captured in a file, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE. + +On the Virtual Machine, go to **Settings > Update & Security > Recovery** and click on **Get started** under **Reset this PC**. +Select **Remove everything** and **Just remove my files**. Finally, click on **Reset**. + +![Reset this PC final prompt](images/autopilot-reset-prompt.jpg) + +Resetting the VM or device can take a while. Proceed to the next step (verify subscription level) during the reset process. + +![Reset this PC screen capture](images/autopilot-reset-progress.jpg) + +## Verify subscription level + +For this lab, you need an AAD Premium subscription. You can tell if you have a Premium subscription by navigating to the [MDM enrollment configuration](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) blade. See the following example: + +**Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune** + +![MDM and Intune](images/mdm-intune2.png) + +If the configuration blade shown above does not appear, it’s likely that you don’t have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium. + +To convert your Intune trial account to a free Premium trial account, navigate to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5. + +![Reset this PC final prompt](images/aad-lic1.png) + +## Configure company branding + +If you already have company branding configured in Azure Active Directory, you can skip this step. + +>[!IMPORTANT] +>Make sure to sign-in with a Global Administrator account. + +Navigate to [Company branding in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/LoginTenantBranding), click on **Configure** and configure any type of company branding you'd like to see during the OOBE. + +![Configure company branding](images/branding.png) + +When you are finished, click **Save**. + +>[!NOTE] +>Changes to company branding can take up to 30 minutes to apply. + +## Configure Microsoft Intune auto-enrollment + +If you already have MDM auto-enrollment configured in Azure Active Directory, you can skip this step. + +Open [Mobility (MDM and MAM) in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) and select **Microsoft Intune**. If you do not see Microsoft Intune, click **Add application** and choose **Intune**. + +For the purposes of this demo, select **All** under the **MDM user scope** and click **Save**. + +![MDM user scope in the Mobility blade](images/autopilot-aad-mdm.png) + +## Register your VM + +Your VM (or device) can be registered either via Intune or Microsoft Store for Business (MSfB). Both processes are shown here, but only pick one for purposes of this lab. We highly recommend using Intune rather than MSfB. + +### Autopilot registration using Intune + +1. In Intune in the Azure portal, choose **Device enrollment** > **Windows enrollment** > **Devices** > **Import**. + + ![Intune device import](images/device-import.png) + + >[!NOTE] + >If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appeared. + +2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). It’s okay if other fields (Windows Product ID) are left blank. + + ![HWID CSV](images/hwid-csv.png) + + You should receive confirmation that the file is formatted correctly before uploading it, as shown above. + +3. Click **Import** and wait until the import process completes. This can take up to 15 minutes. + +4. Click **Sync** to sync the device you just registered. Wait a few moments before refreshing to verify your VM or device has been added. See the following example. + + ![Import HWID](images/import-vm.png) + +### Autopilot registration using MSfB + +>[!IMPORTANT] +>If you've already registered your VM (or device) using Intune, then skip this step. + +Optional: see the following video for an overview of the process. + +  + +> [!video https://www.youtube.com/embed/IpLIZU_j7Z0] + +First, you need a MSfB account. You can use the same one you created above for Intune, or follow [these instructions](https://docs.microsoft.com/microsoft-store/windows-store-for-business-overview) to create a new one. + +Next, sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) using your test account by clicking **Sign in** in the upper-right-corner of the main page. + +Select **Manage** from the top menu, then click the **Windows Autopilot Deployment Program** link under the **Devices** card. See the following example: + +![Microsoft Store for Business](images/msfb.png) + +Click the **Add devices** link to upload your CSV file. A message will appear indicating your request is being processed. Wait a few moments before refreshing to see your new device has been added. + +![Devices](images/msfb-device.png) + +## Create and assign a Windows Autopilot deployment profile + +>[!IMPORTANT] +>Autopilot profiles can be created and assigned to your registered VM or device either through Intune or MSfB. Both processes are shown here, but only pick one for purposes of this lab: + +Pick one: +- [Create profiles using Intune](#create-a-windows-autopilot-deployment-profile-using-intune) +- [Create profiles using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb) + +### Create a Windows Autopilot deployment profile using Intune + +>[!NOTE] +>Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list first: + +![Devices](images/intune-devices.png) + +>The example above lists both a physical device and a VM. Your list should only include only one of these. + +To create a Windows Autopilot profile, select **Device enrollment** > **Windows enrollment** > **Deployment profiles** + +![Deployment profiles](images/deployment-profiles.png) + +Click on **Create profile**. + +![Create deployment profile](images/create-profile.png) + +On the **Create profile** blade, use the following values: + +| Setting | Value | +|---|---| +| Name | Autopilot Lab profile | +| Description | blank | +| Convert all targeted devices to Autopilot | No | +| Deployment mode | User-driven | +| Join to Azure AD as | Azure AD joined | + +Click on **Out-of-box experience (OOBE)** and configure the following settings: + +| Setting | Value | +|---|---| +| EULA | Hide | +| Privacy Settings | Hide | +| Hide change account options | Hide | +| User account type | Standard | +| Apply device name template | No | + +See the following example: + +![Deployment profile](images/profile.png) + +Click on **OK** and then click on **Create**. + +>If you want to add an app to your profile via Intune, the OPTIONAL steps for doing so can be found in [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile). + +#### Assign the profile + +Profiles can only be assigned to Groups, so first you must create a group that contains the devices to which the profile should be applied. This guide will provide simple instructions to assign a profile, for more detailed instructions, see [Create an Autopilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an Autopilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group), as optional reading. + +To create a Group, open the Azure Portal and select **Azure Active Directory** > **Groups** > **All groups**: + +![All groups](images/all-groups.png) + +Select New group from the Groups blade to open the new groups UI. Select the “Security” group type, name the group, and select the “Assigned” membership type: + +Before clicking **Create**, expand the **Members** panel, click your device's serial number (it will then appear under **Selected members**) and then click **Select** to add that device to this group. + +![New group](images/new-group.png) + +Now click **Create** to finish creating the new group. + +Click on **All groups** and click **Refresh** to verify that your new group has been successfully created. + +With a group created containing your device, you can now go back and assign your profile to that group. Navigate back to the Intune page in the Azure portal (one way is to type **Intune** in the top banner search bar and select **Intune** from the results). + +From Intune, select **Device enrollment** > **Windows enrollment** > **Deployment Profiles** to open the profile blade. Click on the name of the profile you previously created (Autopilot Lab profile) to open the details blade for that profile: + +![Lab profile](images/deployment-profiles2.png) + +Under **Manage**, click **Assignments**, and then with the **Include** tab highlighted, expand the **Select groups** blade and click **AP Lab Group 1** (the group will appear under **Selected members**). + +![Include group](images/include-group.png) + +Click **Select** and then click **Save**. + +![Include group](images/include-group2.png) + +It’s also possible to assign specific users to a profile, but we will not cover this scenario in the lab. For more detailed information, see [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot). + +### Create a Windows Autopilot deployment profile using MSfB + +If you have already created and assigned a profile via Intune by using the steps immediately above, then skip this section. + +A [video](https://www.youtube.com/watch?v=IpLIZU_j7Z0) is available that covers the steps required to create and assign profiles in MSfB. These steps are also summarized below. + +First, sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/manage/dashboard) using the Intune account you initially created for this lab. + +Click **Manage** from the top menu, then click **Devices** from the left navigation tree. + +![MSfB manage](images/msfb-manage.png) + +Click the **Windows Autopilot Deployment Program** link in the **Devices** tile. + +To CREATE the profile: + +Select your device from the **Devices** list: + +![MSfB create](images/msfb-create1.png) + +On the Autopilot deployment dropdown menu, select **Create new profile**: + +![MSfB create](images/msfb-create2.png) + +Name the profile, choose your desired settings, and then click **Create**: + +![MSfB create](images/msfb-create3.png) + +The new profile is added to the Autopilot deployment list. + +To ASSIGN the profile: + +To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab, then select the profile you want to assign from the **Autopilot deployment** dropdown menu as shown: + +![MSfB assign](images/msfb-assign1.png) + +Confirm the profile was successfully assigned to the intended device by checking the contents of the **Profile** column: + +![MSfB assign](images/msfb-assign2.png) + +>[!IMPORTANT] +>The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device. + +## See Windows Autopilot in action + +If you shut down your VM after the last reset, it’s time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**: + +![Device status](images/device-status.png) + +Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up. + +>[!TIP] +>If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again to ensure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience you’re expecting. If you do not see the Autopilot OOBE experience, then reset the device again (Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Click on Reset). + +- Ensure your device has an internet connection. +- Turn on the device +- Verify that the appropriate OOBE screens (with appropriate Company Branding) appear. You should see the region selection screen, the keyboard selection screen, and the second keyboard selection screen (which you can skip). + +![OOBE sign-in page](images/autopilot-oobe.jpg) + +Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go into the Intune Azure portal, and select **Devices > All devices**, then **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated. + +![Device enabled](images/enabled-device.png) + +Once you select a language and a keyboard layout, your company branded sign-in screen should appear. Provide your Azure Active Directory credentials and you're all done. + +Windows Autopilot will now take over to automatically join your device into Azure Active Directory and enroll it to Microsoft Intune. Use the checkpoints you've created to go through this process again with different settings. + +## Remove devices from Autopilot + +To use the device (or VM) for other purposes after completion of this lab, you will need to remove (deregister) it from Autopilot via either Intune or MSfB, and then reset it. Instructions for deregistering devices can be found [here](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [here](https://docs.microsoft.com/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal) and below. + +### Delete (deregister) Autopilot device + +You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into your Intune Azure portal, then navigate to **Intune > Devices > All Devices**. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu. + +![Delete device](images/delete-device1.png) + +Click **X** when challenged to complete the operation: + +![Delete device](images/delete-device2.png) + +This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**. + +![Delete device](images/delete-device3.png) + +The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune. Note: A device will only appear in the All devices list once it has booted. The latter (Windows Autopilot Deployment Program > Devices) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune. + +To remove the device from the Autopilot program, select the device and click Delete. + +![Delete device](images/delete-device4.png) + +A warning message appears reminding you to first remove the device from Intune, which we previously did. + +![Delete device](images/delete-device5.png) + +At this point, your device has been unenrolled from Intune and also deregistered from Autopilot. After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program: + +![Delete device](images/delete-device6.png) + +Once the device no longer appears, you are free to reuse it for other purposes. + +If you also (optionally) want to remove your device from AAD, navigate to **Azure Active Directory > Devices > All Devices**, select your device, and click the delete button: + +![Delete device](images/delete-device7.png) + +## Appendix A: Verify support for Hyper-V + +Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information. + +To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, scroll down, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example: + +
          +C:>systeminfo
+
+...
+Hyper-V Requirements:      VM Monitor Mode Extensions: Yes
+                           Virtualization Enabled In Firmware: Yes
+                           Second Level Address Translation: Yes
+                           Data Execution Prevention Available: Yes
+
          + +In this example, the computer supports SLAT and Hyper-V. + +>If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings. + +You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example: + +
          +C:>coreinfo -v
+
+Coreinfo v3.31 - Dump information on system CPU and memory topology
+Copyright (C) 2008-2014 Mark Russinovich
+Sysinternals - www.sysinternals.com
+
+Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
+Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
+Microcode signature: 0000001B
+HYPERVISOR      -       Hypervisor is present
+VMX             *       Supports Intel hardware-assisted virtualization
+EPT             *       Supports Intel extended page tables (SLAT)
+
          + +Note: A 64-bit operating system is required to run Hyper-V. + +## Appendix B: Adding apps to your profile + +### Add a Win32 app + +#### Prepare the app for Intune + +Before we can pull an application into Intune to make it part of our AP profile, we need to “package” the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool). After downloading the tool, gather the following three bits of information to use the tool: + +1. The source folder for your application +2. The name of the setup executable file +3. The output folder for the new file + +For the purposes of this lab, we’ll use the Notepad++ tool as our Win32 app. + +Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available) and then opy the file to a known location, such as C:\Notepad++msi. + +Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example: + +![Add app](images/app01.png) + +After the tool finishes running, you should have an .intunewin file in the Output folder, which you can now upload into Intune using the following steps. + +#### Create app in Intune + +Log into the Azure portal and select **Intune**. + +Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package. + +![Add app](images/app02.png) + +Under **App Type**, select **Windows app (Win32)**: + +![Add app](images/app03.png) + +On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then click **OK**: + +![Add app](images/app04.png) + +On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as: + +![Add app](images/app05.png) + +On the **Program Configuration** blade, supply the install and uninstall commands: + +Install: msiexec /i "npp.7.6.3.installer.x64.msi" /q +Uninstall: msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q + +NOTE: Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool) automatically generated them when it converted the .msi file into a .intunewin file. + +![Add app](images/app06.png) + +Simply using an install command like “notepad++.exe /S” will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesn’t actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available). + +Click **OK** to save your input and activate the **Requirements** blade. + +On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**: + +![Add app](images/app07.png) + +Next, configure the **Detection rules**. For our purposes, we will select manual format: + +![Add app](images/app08.png) + +Click **Add** to define the rule properties. For **Rule type**, select **MSI**, which will automatically import the right MSI product code into the rule: + +![Add app](images/app09.png) + +Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration. + +**Return codes**: For our purposes, leave the return codes at their default values: + +![Add app](images/app10.png) + +Click **OK** to exit. + +You may skip configuring the final **Scope (Tags)** blade. + +Click the **Add** button to finalize and save your app package. + +Once the indicator message says the addition has completed. + +![Add app](images/app11.png) + +You will be able to find your app in your app list: + +![Add app](images/app12.png) + +#### Assign the app to your Intune profile + +**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here. + +In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then click **Assignments** from the menu: + +![Add app](images/app13.png) + +Select **Add Group** to open the **Add group** pane that is related to the app. + +For our purposes, select *8Required** from the **Assignment type** dropdown menu: + +>**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website. + +Select **Included Groups** and assign the groups you previously created that will use this app: + +![Add app](images/app14.png) + +![Add app](images/app15.png) + +In the **Select groups** pane, click the **Select** button. + +In the **Assign group** pane, select **OK**. + +In the **Add group** pane, select **OK**. + +In the app **Assignments** pane, select **Save**. + +![Add app](images/app16.png) + +At this point, you have completed steps to add a Win32 app to Intune. + +For more information on adding adds to Intune, see [Intune Standalone - Win32 app management](https://docs.microsoft.com/intune/apps-win32-app-management). + +### Add Office 365 + +#### Create app in Intune + +Log into the Azure portal and select **Intune**. + +Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package. + +![Add app](images/app17.png) + +Under **App Type**, select **Office 365 Suite > Windows 10**: + +![Add app](images/app18.png) + +Under the **Configure App Suite** pane, select the Office apps you want to install. For the purposes of this labe we have only selected Excel: + +![Add app](images/app19.png) + +Click **OK**. + +In the **App Suite Information** pane, enter a unique suite name, and a suitable description. + +>Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal. + +![Add app](images/app20.png) + +Click **OK**. + +In the **App Suite Settings** pane, select **Monthly** for the **Update channel** (any selection would be fine for the purposes of this lab). Also select **Yes** for **Automatically accept the app end user license agreement**: + +![Add app](images/app21.png) + +Click **OK** and then click **Add**. + +#### Assign the app to your Intune profile + +**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here. + +In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then click **Assignments** from the menu: + +![Add app](images/app22.png) + +Select **Add Group** to open the **Add group** pane that is related to the app. + +For our purposes, select **Required** from the **Assignment type** dropdown menu: + +>**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website. + +Select **Included Groups** and assign the groups you previously created that will use this app: + +![Add app](images/app23.png) + +![Add app](images/app24.png) + +In the **Select groups** pane, click the **Select** button. + +In the **Assign group** pane, select **OK**. + +In the **Add group** pane, select **OK**. + +In the app **Assignments** pane, select **Save**. + +![Add app](images/app25.png) + +At this point, you have completed steps to add Office to Intune. + +For more information on adding Office apps to Intune, see [Assign Office 365 apps to Windows 10 devices with Microsoft Intune](https://docs.microsoft.com/intune/apps-add-office365). + +If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list, although it could take several minutes to populate: + +![Add app](images/app26.png) + +## Glossary + + + + + + + + + + + + + + +
          OEMOriginal Equipment Manufacturer
          CSVComma Separated Values
          MPCMicrosoft Partner Center
          CSPCloud Solution Provider
          MSfBMicrosoft Store for Business
          AADAzure Active Directory
          4K HH4K Hardware Hash
          CBRComputer Build Report
          ECEnterprise Commerce (server)
          DDSDevice Directory Service
          OOBEOut of the Box Experience
          VMVirtual Machine
          diff --git a/windows/deployment/windows-autopilot/enrollment-status.md b/windows/deployment/windows-autopilot/enrollment-status.md index c08469ea87..6c5c118bec 100644 --- a/windows/deployment/windows-autopilot/enrollment-status.md +++ b/windows/deployment/windows-autopilot/enrollment-status.md @@ -1,39 +1,39 @@ ---- -title: Windows Autopilot Enrollment Status Page -ms.reviewer: -manager: laurawi -description: Gives an overview of the Enrollment Status Page capabilities, configuration -keywords: Autopilot Plug and Forget, Windows 10 -ms.prod: w10 -ms.technology: Windows -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -ms.localizationpriority: medium -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Windows Autopilot Enrollment Status Page - -**Applies to** - -- Windows 10, version 1803 and later - -The Enrollment Status Page (ESP) displays the status of the complete device configuration process when an MDM managed user signs into a device for the very first time. The ESP will help users understand the progress of device provisioning and ensures the device has met the organizations desired state before the user can access the desktop for the first time. - -The ESP will track the installation of applications, security policies, certificates and network connections. Within Intune, an administrator can deploy ESP profiles to a licensed Intune user and configure specific settings within the ESP profile; a few of these settings are: force the installation of specified applications, allow users to collect troubleshooting logs, specify what a user can do if device setup fails. For more information, see how to set up the [Enrollment Status Page in Intune](https://docs.microsoft.com/intune/windows-enrollment-status). - - ![Enrollment Status Page](images/enrollment-status-page.png) - - -## More information - -For more information on configuring the Enrollment Status Page, see the [Microsoft Intune documentation](https://docs.microsoft.com/intune/windows-enrollment-status).
          -For details about the underlying implementation, see the [FirstSyncStatus details in the DMClient CSP documentation](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).
          -For more information about blocking for app installation: -- [Blocking for app installation using Enrollment Status Page](https://blogs.technet.microsoft.com/mniehaus/2018/12/06/blocking-for-app-installation-using-enrollment-status-page/). -- [Support Tip: Office C2R installation is now tracked during ESP](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Office-C2R-installation-is-now-tracked-during-ESP/ba-p/295514). +--- +title: Windows Autopilot Enrollment Status Page +ms.reviewer: +manager: laurawi +description: Gives an overview of the Enrollment Status Page capabilities, configuration +keywords: Autopilot Plug and Forget, Windows 10 +ms.prod: w10 +ms.technology: Windows +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +ms.localizationpriority: medium +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Windows Autopilot Enrollment Status Page + +**Applies to** + +- Windows 10, version 1803 and later + +The Enrollment Status Page (ESP) displays the status of the complete device configuration process when an MDM managed user signs into a device for the very first time. The ESP will help users understand the progress of device provisioning and ensures the device has met the organizations desired state before the user can access the desktop for the first time. + +The ESP will track the installation of applications, security policies, certificates and network connections. Within Intune, an administrator can deploy ESP profiles to a licensed Intune user and configure specific settings within the ESP profile; a few of these settings are: force the installation of specified applications, allow users to collect troubleshooting logs, specify what a user can do if device setup fails. For more information, see how to set up the [Enrollment Status Page in Intune](https://docs.microsoft.com/intune/windows-enrollment-status). + + ![Enrollment Status Page](images/enrollment-status-page.png) + + +## More information + +For more information on configuring the Enrollment Status Page, see the [Microsoft Intune documentation](https://docs.microsoft.com/intune/windows-enrollment-status).
          +For details about the underlying implementation, see the [FirstSyncStatus details in the DMClient CSP documentation](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).
          +For more information about blocking for app installation: +- [Blocking for app installation using Enrollment Status Page](https://blogs.technet.microsoft.com/mniehaus/2018/12/06/blocking-for-app-installation-using-enrollment-status-page/). +- [Support Tip: Office C2R installation is now tracked during ESP](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Office-C2R-installation-is-now-tracked-during-ESP/ba-p/295514). diff --git a/windows/deployment/windows-autopilot/existing-devices.md b/windows/deployment/windows-autopilot/existing-devices.md index a053db3c32..f514184445 100644 --- a/windows/deployment/windows-autopilot/existing-devices.md +++ b/windows/deployment/windows-autopilot/existing-devices.md @@ -1,315 +1,315 @@ ---- -title: Windows Autopilot for existing devices -description: Windows Autopilot deployment -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.reviewer: mniehaus -manager: laurawi -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - -# Windows Autopilot for existing devices - -**Applies to: Windows 10** - -Modern desktop deployment with Windows Autopilot enables you to easily deploy the latest version of Windows 10 to your existing devices. The apps you need for work can be automatically installed. Your work profile is synchronized, so you can resume working right away. - -This topic describes how to convert Windows 7 or Windows 8.1 domain-joined computers to Windows 10 devices joined to either Azure Active Directory or Active Directory (Hybrid Azure AD Join) by using Windows Autopilot. - ->[!NOTE] ->Windows Autopilot for existing devices only supports user-driven Azure Active Directory and Hybrid Azure AD profiles. Self-deploying profiles are not supported. - -## Prerequisites - -- System Center Configuration Manager Current Branch (1806) OR System Center Configuration Manager Technical Preview (1808) -- The [Windows ADK](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) 1803 or later - - Note: Config Mgr 1806 or later is required to [support](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10#windows-10-adk) the Windows ADK 1809. -- Assigned Microsoft Intune Licenses -- Azure Active Directory Premium -- Windows 10 version 1809 or later imported into Config Mgr as an Operating System Image - -## Procedures - -### Configure the Enrollment Status Page (optional) - -If desired, you can set up an [enrollment status page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) for Autopilot using Intune. - -To enable and configure the enrollment and status page: - -1. Open [Intune in the Azure portal](https://aka.ms/intuneportal). -2. Access **Intune > Device enrollment > Windows enrollment** and [Set up an enrollment status page](https://docs.microsoft.com/intune/windows-enrollment-status). -3. Access **Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune** and [Configure automatic MDM enrollment](https://docs.microsoft.com/sccm/mdm/deploy-use/enroll-hybrid-windows#enable-windows-10-automatic-enrollment) and configure the MDM user scope for some or all users. - -See the following examples. - -![enrollment status page](images/esp-config.png)

          -![mdm](images/mdm-config.png) - -### Create the JSON file - ->[!TIP] ->To run the following commands on a computer running Windows Server 2012/2012 R2 or Windows 7/8.1, you must first download and install the [Windows Management Framework](https://www.microsoft.com/en-us/download/details.aspx?id=54616). - -1. On an Internet connected Windows PC or Server open an elevated Windows PowerShell command window -2. Enter the following lines to install the necessary modules - - #### Install required modules - - ```powershell - Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force - Install-Module AzureAD -Force - Install-Module WindowsAutopilotIntune -Force - ``` - -3. Enter the following lines and provide Intune administrative credentials - - In the following command, replace the example user principal name for Azure authentication (admin@M365x373186.onmicrosoft.com) with your user account. Be sure that the user account you specify has sufficient administrative rights. - - ```powershell - Connect-AutopilotIntune -user admin@M365x373186.onmicrosoft.com - ``` - The password for your account will be requested using a standard Azure AD form. Type your password and then click **Sign in**. -
          See the following example: - - ![Azure AD authentication](images/pwd.png) - - If this is the first time you’ve used the Intune Graph APIs, you’ll also be prompted to enable read and write permissions for Microsoft Intune PowerShell. To enable these permissions: - - Select **Consent on behalf or your organization** - - Click **Accept** - -4. Next, retrieve and display all the Autopilot profiles available in the specified Intune tenant in JSON format: - - #### Retrieve profiles in Autopilot for existing devices JSON format - - ```powershell - Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON - ``` - - See the following sample output: (use the horizontal scroll bar at the bottom to view long lines) - 
          -    PS C:\> Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON
-    {
-        "CloudAssignedTenantId":  "1537de22-988c-4e93-b8a5-83890f34a69b",
-        "CloudAssignedForcedEnrollment":  1,
-        "Version":  2049,
-        "Comment_File":  "Profile Autopilot Profile",
-        "CloudAssignedAadServerData":  "{\"ZeroTouchConfig\":{\"CloudAssignedTenantUpn\":\"\",\"ForcedEnrollment\":1,\"CloudAssignedTenantDomain\":\"M365x373186.onmicrosoft.com\"}}",
-        "CloudAssignedTenantDomain":  "M365x373186.onmicrosoft.com",
-        "CloudAssignedDomainJoinMethod":  0,
-        "CloudAssignedOobeConfig":  28,
-        "ZtdCorrelationId":  "7F9E6025-1E13-45F3-BF82-A3E8C5B59EAC"
-    }
          - - Each profile is encapsulated within braces **{ }**. In the previous example, a single profile is displayed. - - See the following table for a description of properties used in the JSON file. - - - | Property | Description | - |------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| - | Version (number, optional) | The version number that identifies the format of the JSON file. For Windows 10 1809, the version specified must be 2049. | - | CloudAssignedTenantId (guid, required) | The Azure Active Directory tenant ID that should be used. This is the GUID for the tenant, and can be found in properties of the tenant. The value should not include braces. | - | CloudAssignedTenantDomain (string, required) | The Azure Active Directory tenant name that should be used, e.g. tenant.onmicrosoft.com. | - | CloudAssignedOobeConfig (number, required) | This is a bitmap that shows which Autopilot settings were configured. Values include: SkipCortanaOptIn = 1, OobeUserNotLocalAdmin = 2, SkipExpressSettings = 4, SkipOemRegistration = 8, SkipEula = 16 | - | CloudAssignedDomainJoinMethod (number, required) | This property specifies whether the device should join Azure Active Directory or Active Directory (Hybrid Azure AD Join). Values include: Active AD Join = 0, Hybrid Azure AD Join = 1 | - | CloudAssignedForcedEnrollment (number, required) | Specifies that the device should require AAD Join and MDM enrollment.
          0 = not required, 1 = required. | - | ZtdCorrelationId (guid, required) | A unique GUID (without braces) that will be provided to Intune as part of the registration process. ZtdCorrelationId will be included in enrollment message as “OfflineAutoPilotEnrollmentCorrelator”. This attribute will be present only if the enrollment is taking place on a device registered with Zero Touch Provisioning via offline registration. | - | CloudAssignedAadServerData (encoded JSON string, required) | An embedded JSON string used for branding. It requires AAD corp branding enabled.
          Example value: "CloudAssignedAadServerData": "{\"ZeroTouchConfig\":{\"CloudAssignedTenantUpn\":\"\",\"CloudAssignedTenantDomain\":\"tenant.onmicrosoft.com\"}}" | - | CloudAssignedDeviceName (string, optional) | The name automatically assigned to the computer. This follows the naming pattern convention that can be configured in Intune as part of the Autopilot profile, or can specify an explicit name to use. | - - -5. The Autopilot profile must be saved as a JSON file in ASCII or ANSI format. Windows PowerShell defaults to Unicode format, so if you attempt to redirect output of the commands to a file, you must also specify the file format. For example, to save the file in ASCII format using Windows PowerShell, you can create a directory (ex: c:\Autopilot) and save the profile as shown below: (use the horizontal scroll bar at the bottom if needed to view the entire command string) - - ```powershell - Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON | Out-File c:\Autopilot\AutopilotConfigurationFile.json -Encoding ASCII - ``` - **IMPORTANT**: The file name must be named **AutopilotConfigurationFile.json** in addition to being encoded as ASCII/ANSI. - - If preferred, you can save the profile to a text file and edit in Notepad. In Notepad, when you choose **Save as** you must select Save as type: **All Files** and choose ANSI from the drop-down list next to **Encoding**. See the following example. - - ![Notepad JSON](images/notepad.png) - - After saving the file, move the file to a location suitable as an SCCM package source. - - >[!IMPORTANT] - >Multiple JSON profile files can be used, but each must be named **AutopilotConfigurationFile.json** in order for OOBE to follow the Autopilot experience. The file also must be encoded as ANSI.

          **Saving the file with Unicode or UTF-8 encoding or saving it with a different file name will cause Windows 10 OOBE to not follow the Autopilot experience**.
          - - -### Create a package containing the JSON file - -1. In Configuration Manager, navigate to **\Software Library\Overview\Application Management\Packages** -2. On the ribbon, click **Create Package** -3. In the **Create Package and Program Wizard** enter the following **Package** and **Program Type** details:
          - - Name: **Autopilot for existing devices config** - - Select the **This package contains source files** checkbox - - Source folder: Click **Browse** and specify a UNC path containing the AutopilotConfigurationFile.json file. - - Click **OK** and then click **Next**. - - Program Type: **Do not create a program** -4. Click **Next** twice and then click **Close**. - -**NOTE**: If you change user-driven Autopilot profile settings in Intune at a later date, you must also update the JSON file and redistribute the associated Config Mgr package. - -### Create a target collection - ->[!NOTE] ->You can also choose to reuse an existing collection - -1. Navigate to **\Assets and Compliance\Overview\Device Collections** -2. On the ribbon, click **Create** and then click **Create Device Collection** -3. In the **Create Device Collection Wizard** enter the following **General** details: - - Name: **Autopilot for existing devices collection** - - Comment: (optional) - - Limiting collection: Click **Browse** and select **All Systems** - - >[!NOTE] - >You can optionally choose to use an alternative collection for the limiting collection. The device to be upgraded must be running the ConfigMgr agent in the collection that you select. - -4. Click **Next**, then enter the following **Membership Rules** details: - - Click **Add Rule** and specify either a direct or query based collection rule to add the target test Windows 7 devices to the new collection. - - For example, if the hostname of the computer to be wiped and reloaded is PC-01 and you wish to use Name as the attribute, click **Add Rule > Direct Rule > (wizard opens) > Next** and then enter **PC-01** next to **Value**. Click **Next** and then choose **PC-01** under **Resources**. See the following examples. - - ![Named resource1](images/pc-01a.png) - ![Named resource2](images/pc-01b.png) - -5. Continue creating the device collection with the default settings: - - Use incremental updates for this collection: not selected - - Schedule a full update on this collection: default - - Click **Next** twice and then click **Close** - -### Create an Autopilot for existing devices Task Sequence - ->[!TIP] ->The next procedure requires a boot image for Windows 10 1803 or later. Review your available boot images in the Configuration Manager conole under **Software Library\Overview\Operating Systems\Boot images** and verify that the **OS Version** is 10.0.17134.1 (Windows 10 version 1803) or later. - -1. In the Configuration Manager console, navigate to **\Software Library\Overview\Operating Systems\Task Sequences** -2. On the Home ribbon, click **Create Task Sequence** -3. Select **Install an existing image package** and then click **Next** -4. In the Create Task Sequence Wizard enter the following details: - - Task sequence name: **Autopilot for existing devices** - - Boot Image: Click **Browse** and select a Windows 10 boot image (1803 or later) - - Click **Next**, and then on the Install Windows page click **Browse** and select a Windows 10 **Image package** and **Image Index**, version 1803 or later. - - Select the **Partition and format the target computer before installing the operating system** checkbox. - - Select or clear **Configure task sequence for use with Bitlocker** checkbox. This is optional. - - Product Key and Server licensing mode: Optionally enter a product key and server licencing mode. - - Randomly generate the local administrator password and disable the account on all support platforms (recommended): Optional. - - Enable the account and specify the local administrator password: Optional. - - Click **Next**, and then on the Configure Network page choose **Join a workgroup** and specify a name (ex: workgroup) next to **Workgroup**. - - >[!IMPORTANT] - >The Autopilot for existing devices task sequence will run the **Prepare Windows for capture** action which calls the System Preparation Tool (syeprep). This action will fail if the target machine is joined to a domain. - -5. Click **Next** and then click **Next** again to accept the default settings on the Install Configuration Manager page. -6. On the State Migration page, enter the following details: - - Clear the **Capture user settings and files** checkbox. - - Clear the **Capture network settings** checkbox. - - Clear the **Capture Microsoft Windows settings** checkbox. - - Click **Next**. - - >[!NOTE] - >The Autopilot for existing devices task sequence will result in an Azure Active Directory Domain (AAD) joined device. The User State Migration Toolkit (USMT) does not support AAD joined or hybrid AAD joined devices. - -7. On the Include Updates page, choose one of the three available options. This selection is optional. -8. On the Install applications page, add applications if desired. This is optional. -9. Click **Next**, confirm settings, click **Next** and then click **Close**. -10. Right click on the Autopilot for existing devices task sequence and click **Edit**. -11. In the Task Sequence Editor under the **Install Operating System** group, click the **Apply Windows Settings** action. -12. Click **Add** then click **New Group**. -13. Change the group **Name** from **New Group** to **Autopilot for existing devices config**. -14. Click **Add**, point to **General**, then click **Run Command Line**. -15. Verify that the **Run Command Line** step is nested under the **Autopilot for existing devices config** group. -16. Change the **Name** to **Apply Autopilot for existing devices config file** and paste the following into the **Command line** text box, and then click **Apply**: - ``` - cmd.exe /c xcopy AutopilotConfigurationFile.json %OSDTargetSystemDrive%\windows\provisioning\Autopilot\ /c - ``` - - **AutopilotConfigurationFile.json** must be the name of the JSON file present in the Autopilot for existing devices package created earlier. - -17. In the **Apply Autopilot for existing devices config file** step, select the **Package** checkbox and then click **Browse**. -18. Select the **Autopilot for existing devices config** package created earlier and click **OK**. An example is displayed at the end of this section. -19. Under the **Setup Operating System** group, click the **Setup Windows and Configuration Manager** task. -20. Click **Add** and then click **New Group**. -21. Change **Name** from **New Group** to **Prepare Device for Autopilot** -22. Verify that the **Prepare Device for Autopilot** group is the very last step in the task sequence. Use the **Move Down** button if necessary. -23. With the **Prepare device for Autopilot** group selected, click **Add**, point to **Images** and then click **Prepare ConfigMgr Client for Capture**. -24. Add a second step by clicking **Add**, pointing to **Images**, and clicking **Prepare Windows for Capture**. Use the following settings in this step: - - Automatically build mass storage driver list: **Not selected** - - Do not reset activation flag: **Not selected** - - Shutdown the computer after running this action: **Optional** - - ![Autopilot task sequence](images/ap-ts-1.png) - -25. Click **OK** to close the Task Sequence Editor. - -### Deploy Content to Distribution Points - -Next, ensure that all content required for the task sequence is deployed to distribution points. - -1. Right click on the **Autopilot for existing devices** task sequence and click **Distribute Content**. -2. Click **Next**, **Review the content to distribute** and then click **Next**. -3. On the Specify the content distribution page click **Add** to specify either a **Distribution Point** or **Distribution Point Group**. -4. On the a Add Distribution Points or Add Distribution Point Groups wizard specify content destinations that will allow the JSON file to be retrieved when the task sequence is run. -5. When you are finished specifying content distribution, click **Next** twice then click **Close**. - -### Deploy the OS with Autopilot Task Sequence - -1. Right click on the **Autopilot for existing devices** task sequence and then click **Deploy**. -2. In the Deploy Software Wizard enter the following **General** and **Deployment Settings** details: - - Task Sequence: **Autopilot for existing devices**. - - Collection: Click **Browse** and then select **Autopilot for existing devices collection** (or another collection you prefer). - - Click **Next** to specify **Deployment Settings**. - - Action: **Install**. - - Purpose: **Available**. You can optionally select **Required** instead of **Available**. This is not recommended during the test owing to the potential impact of inadvertent configurations. - - Make available to the following: **Only Configuration Manager Clients**. Note: Choose the option here that is relevant for the context of your test. If the target client does not have the Configuration Manager agent or Windows installed, you will need to select an option that includes PXE or Boot Media. - - Click **Next** to specify **Scheduling** details. - - Schedule when this deployment will become available: Optional - - Schedule when this deployment will expire: Optional - - Click **Next** to specify **User Experience** details. - - Show Task Sequence progress: Selected. - - Software Installation: Not selected. - - System restart (if required to complete the installation): Not selected. - - Commit changed at deadline or during a maintenance windows (requires restart): Optional. - - Allow task sequence to be run for client on the Internet: Optional - - Click **Next** to specify **Alerts** details. - - Create a deployment alert when the threshold is higher than the following: Optional. - - Click **Next** to specify **Distribution Points** details. - - Deployment options: **Download content locally when needed by the running task sequence**. - - When no local distribution point is available use a remote distribution point: Optional. - - Allow clients to use distribution points from the default site boundary group: Optional. - - Click **Next**, confirm settings, click **Next**, and then click **Close**. - -### Complete the client installation process - -1. Open the Software Center on the target Windows 7 or Windows 8.1 client computer. You can do this by clicking Start and then typing **software** in the search box, or by typing the following at a Windows PowerShell or command prompt: - - ``` - C:\Windows\CCM\SCClient.exe - ``` - -2. In the software library, select **Autopilot for existing devices** and click **Install**. See the following example: - - ![Named resource2](images/sc.png) - ![Named resource2](images/sc1.png) - -The Task Sequence will download content, reboot, format the drives and install Windows 10. The device will then proceed to be prepared for Autopilot. Once the task sequence has completed the device will boot into OOBE and provide an Autopilot experience. - -![refresh-1](images/up-1.png) -![refresh-2](images/up-2.png) -![refresh-3](images/up-3.png) - ->[!NOTE] ->If joining devices to Active Directory (Hybrid Azure AD Join), it is necessary to create a Domain Join device configuration profile that is targeted to "All Devices" (since there is no Azure Active Directory device object for the computer to do group-based targeting). See [User-driven mode for hybrid Azure Active Directory join](https://docs.microsoft.com/windows/deployment/windows-autopilot/user-driven#user-driven-mode-for-hybrid-azure-active-directory-join) for more information. - -### Register the device for Windows Autopilot - -Devices provisioned through Autopilot will only receive the guided OOBE Autopilot experience on first boot. Once updated to Windows 10, the device should be registered to ensure a continued Autopilot experience in the event of PC reset. You can enable automatic registration for an assigned group using the **Convert all targeted devices to Autopilot** setting. For more information, see [Create an Autopilot deployment profile](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-deployment-profile). - -Also see [Adding devices to Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/add-devices). - -## Speeding up the deployment process - -To remove around 20 minutes from the deployment process, see Michael Niehaus's blog with instructions for [Speeding up Windows Autopilot for existing devices](https://blogs.technet.microsoft.com/mniehaus/2018/10/25/speeding-up-windows-autopilot-for-existing-devices/). +--- +title: Windows Autopilot for existing devices +description: Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.reviewer: mniehaus +manager: laurawi +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Windows Autopilot for existing devices + +**Applies to: Windows 10** + +Modern desktop deployment with Windows Autopilot enables you to easily deploy the latest version of Windows 10 to your existing devices. The apps you need for work can be automatically installed. Your work profile is synchronized, so you can resume working right away. + +This topic describes how to convert Windows 7 or Windows 8.1 domain-joined computers to Windows 10 devices joined to either Azure Active Directory or Active Directory (Hybrid Azure AD Join) by using Windows Autopilot. + +>[!NOTE] +>Windows Autopilot for existing devices only supports user-driven Azure Active Directory and Hybrid Azure AD profiles. Self-deploying profiles are not supported. + +## Prerequisites + +- System Center Configuration Manager Current Branch (1806) OR System Center Configuration Manager Technical Preview (1808) +- The [Windows ADK](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) 1803 or later + - Note: Config Mgr 1806 or later is required to [support](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10#windows-10-adk) the Windows ADK 1809. +- Assigned Microsoft Intune Licenses +- Azure Active Directory Premium +- Windows 10 version 1809 or later imported into Config Mgr as an Operating System Image + +## Procedures + +### Configure the Enrollment Status Page (optional) + +If desired, you can set up an [enrollment status page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) for Autopilot using Intune. + +To enable and configure the enrollment and status page: + +1. Open [Intune in the Azure portal](https://aka.ms/intuneportal). +2. Access **Intune > Device enrollment > Windows enrollment** and [Set up an enrollment status page](https://docs.microsoft.com/intune/windows-enrollment-status). +3. Access **Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune** and [Configure automatic MDM enrollment](https://docs.microsoft.com/sccm/mdm/deploy-use/enroll-hybrid-windows#enable-windows-10-automatic-enrollment) and configure the MDM user scope for some or all users. + +See the following examples. + +![enrollment status page](images/esp-config.png)

          +![mdm](images/mdm-config.png) + +### Create the JSON file + +>[!TIP] +>To run the following commands on a computer running Windows Server 2012/2012 R2 or Windows 7/8.1, you must first download and install the [Windows Management Framework](https://www.microsoft.com/en-us/download/details.aspx?id=54616). + +1. On an Internet connected Windows PC or Server open an elevated Windows PowerShell command window +2. Enter the following lines to install the necessary modules + + #### Install required modules + + ```powershell + Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force + Install-Module AzureAD -Force + Install-Module WindowsAutopilotIntune -Force + ``` + +3. Enter the following lines and provide Intune administrative credentials + - In the following command, replace the example user principal name for Azure authentication (admin@M365x373186.onmicrosoft.com) with your user account. Be sure that the user account you specify has sufficient administrative rights. + + ```powershell + Connect-AutopilotIntune -user admin@M365x373186.onmicrosoft.com + ``` + The password for your account will be requested using a standard Azure AD form. Type your password and then click **Sign in**. +
          See the following example: + + ![Azure AD authentication](images/pwd.png) + + If this is the first time you’ve used the Intune Graph APIs, you’ll also be prompted to enable read and write permissions for Microsoft Intune PowerShell. To enable these permissions: + - Select **Consent on behalf or your organization** + - Click **Accept** + +4. Next, retrieve and display all the Autopilot profiles available in the specified Intune tenant in JSON format: + + #### Retrieve profiles in Autopilot for existing devices JSON format + + ```powershell + Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON + ``` + + See the following sample output: (use the horizontal scroll bar at the bottom to view long lines) + 
          +    PS C:\> Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON
+    {
+        "CloudAssignedTenantId":  "1537de22-988c-4e93-b8a5-83890f34a69b",
+        "CloudAssignedForcedEnrollment":  1,
+        "Version":  2049,
+        "Comment_File":  "Profile Autopilot Profile",
+        "CloudAssignedAadServerData":  "{\"ZeroTouchConfig\":{\"CloudAssignedTenantUpn\":\"\",\"ForcedEnrollment\":1,\"CloudAssignedTenantDomain\":\"M365x373186.onmicrosoft.com\"}}",
+        "CloudAssignedTenantDomain":  "M365x373186.onmicrosoft.com",
+        "CloudAssignedDomainJoinMethod":  0,
+        "CloudAssignedOobeConfig":  28,
+        "ZtdCorrelationId":  "7F9E6025-1E13-45F3-BF82-A3E8C5B59EAC"
+    }
          + + Each profile is encapsulated within braces **{ }**. In the previous example, a single profile is displayed. + + See the following table for a description of properties used in the JSON file. + + + | Property | Description | + |------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| + | Version (number, optional) | The version number that identifies the format of the JSON file. For Windows 10 1809, the version specified must be 2049. | + | CloudAssignedTenantId (guid, required) | The Azure Active Directory tenant ID that should be used. This is the GUID for the tenant, and can be found in properties of the tenant. The value should not include braces. | + | CloudAssignedTenantDomain (string, required) | The Azure Active Directory tenant name that should be used, e.g. tenant.onmicrosoft.com. | + | CloudAssignedOobeConfig (number, required) | This is a bitmap that shows which Autopilot settings were configured. Values include: SkipCortanaOptIn = 1, OobeUserNotLocalAdmin = 2, SkipExpressSettings = 4, SkipOemRegistration = 8, SkipEula = 16 | + | CloudAssignedDomainJoinMethod (number, required) | This property specifies whether the device should join Azure Active Directory or Active Directory (Hybrid Azure AD Join). Values include: Active AD Join = 0, Hybrid Azure AD Join = 1 | + | CloudAssignedForcedEnrollment (number, required) | Specifies that the device should require AAD Join and MDM enrollment.
          0 = not required, 1 = required. | + | ZtdCorrelationId (guid, required) | A unique GUID (without braces) that will be provided to Intune as part of the registration process. ZtdCorrelationId will be included in enrollment message as “OfflineAutoPilotEnrollmentCorrelator”. This attribute will be present only if the enrollment is taking place on a device registered with Zero Touch Provisioning via offline registration. | + | CloudAssignedAadServerData (encoded JSON string, required) | An embedded JSON string used for branding. It requires AAD corp branding enabled.
          Example value: "CloudAssignedAadServerData": "{\"ZeroTouchConfig\":{\"CloudAssignedTenantUpn\":\"\",\"CloudAssignedTenantDomain\":\"tenant.onmicrosoft.com\"}}" | + | CloudAssignedDeviceName (string, optional) | The name automatically assigned to the computer. This follows the naming pattern convention that can be configured in Intune as part of the Autopilot profile, or can specify an explicit name to use. | + + +5. The Autopilot profile must be saved as a JSON file in ASCII or ANSI format. Windows PowerShell defaults to Unicode format, so if you attempt to redirect output of the commands to a file, you must also specify the file format. For example, to save the file in ASCII format using Windows PowerShell, you can create a directory (ex: c:\Autopilot) and save the profile as shown below: (use the horizontal scroll bar at the bottom if needed to view the entire command string) + + ```powershell + Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON | Out-File c:\Autopilot\AutopilotConfigurationFile.json -Encoding ASCII + ``` + **IMPORTANT**: The file name must be named **AutopilotConfigurationFile.json** in addition to being encoded as ASCII/ANSI. + + If preferred, you can save the profile to a text file and edit in Notepad. In Notepad, when you choose **Save as** you must select Save as type: **All Files** and choose ANSI from the drop-down list next to **Encoding**. See the following example. + + ![Notepad JSON](images/notepad.png) + + After saving the file, move the file to a location suitable as an SCCM package source. + + >[!IMPORTANT] + >Multiple JSON profile files can be used, but each must be named **AutopilotConfigurationFile.json** in order for OOBE to follow the Autopilot experience. The file also must be encoded as ANSI.

          **Saving the file with Unicode or UTF-8 encoding or saving it with a different file name will cause Windows 10 OOBE to not follow the Autopilot experience**.
          + + +### Create a package containing the JSON file + +1. In Configuration Manager, navigate to **\Software Library\Overview\Application Management\Packages** +2. On the ribbon, click **Create Package** +3. In the **Create Package and Program Wizard** enter the following **Package** and **Program Type** details:
          + - Name: **Autopilot for existing devices config** + - Select the **This package contains source files** checkbox + - Source folder: Click **Browse** and specify a UNC path containing the AutopilotConfigurationFile.json file. + - Click **OK** and then click **Next**. + - Program Type: **Do not create a program** +4. Click **Next** twice and then click **Close**. + +**NOTE**: If you change user-driven Autopilot profile settings in Intune at a later date, you must also update the JSON file and redistribute the associated Config Mgr package. + +### Create a target collection + +>[!NOTE] +>You can also choose to reuse an existing collection + +1. Navigate to **\Assets and Compliance\Overview\Device Collections** +2. On the ribbon, click **Create** and then click **Create Device Collection** +3. In the **Create Device Collection Wizard** enter the following **General** details: + - Name: **Autopilot for existing devices collection** + - Comment: (optional) + - Limiting collection: Click **Browse** and select **All Systems** + + >[!NOTE] + >You can optionally choose to use an alternative collection for the limiting collection. The device to be upgraded must be running the ConfigMgr agent in the collection that you select. + +4. Click **Next**, then enter the following **Membership Rules** details: + - Click **Add Rule** and specify either a direct or query based collection rule to add the target test Windows 7 devices to the new collection. + - For example, if the hostname of the computer to be wiped and reloaded is PC-01 and you wish to use Name as the attribute, click **Add Rule > Direct Rule > (wizard opens) > Next** and then enter **PC-01** next to **Value**. Click **Next** and then choose **PC-01** under **Resources**. See the following examples. + + ![Named resource1](images/pc-01a.png) + ![Named resource2](images/pc-01b.png) + +5. Continue creating the device collection with the default settings: + - Use incremental updates for this collection: not selected + - Schedule a full update on this collection: default + - Click **Next** twice and then click **Close** + +### Create an Autopilot for existing devices Task Sequence + +>[!TIP] +>The next procedure requires a boot image for Windows 10 1803 or later. Review your available boot images in the Configuration Manager conole under **Software Library\Overview\Operating Systems\Boot images** and verify that the **OS Version** is 10.0.17134.1 (Windows 10 version 1803) or later. + +1. In the Configuration Manager console, navigate to **\Software Library\Overview\Operating Systems\Task Sequences** +2. On the Home ribbon, click **Create Task Sequence** +3. Select **Install an existing image package** and then click **Next** +4. In the Create Task Sequence Wizard enter the following details: + - Task sequence name: **Autopilot for existing devices** + - Boot Image: Click **Browse** and select a Windows 10 boot image (1803 or later) + - Click **Next**, and then on the Install Windows page click **Browse** and select a Windows 10 **Image package** and **Image Index**, version 1803 or later. + - Select the **Partition and format the target computer before installing the operating system** checkbox. + - Select or clear **Configure task sequence for use with Bitlocker** checkbox. This is optional. + - Product Key and Server licensing mode: Optionally enter a product key and server licencing mode. + - Randomly generate the local administrator password and disable the account on all support platforms (recommended): Optional. + - Enable the account and specify the local administrator password: Optional. + - Click **Next**, and then on the Configure Network page choose **Join a workgroup** and specify a name (ex: workgroup) next to **Workgroup**. + + >[!IMPORTANT] + >The Autopilot for existing devices task sequence will run the **Prepare Windows for capture** action which calls the System Preparation Tool (syeprep). This action will fail if the target machine is joined to a domain. + +5. Click **Next** and then click **Next** again to accept the default settings on the Install Configuration Manager page. +6. On the State Migration page, enter the following details: + - Clear the **Capture user settings and files** checkbox. + - Clear the **Capture network settings** checkbox. + - Clear the **Capture Microsoft Windows settings** checkbox. + - Click **Next**. + + >[!NOTE] + >The Autopilot for existing devices task sequence will result in an Azure Active Directory Domain (AAD) joined device. The User State Migration Toolkit (USMT) does not support AAD joined or hybrid AAD joined devices. + +7. On the Include Updates page, choose one of the three available options. This selection is optional. +8. On the Install applications page, add applications if desired. This is optional. +9. Click **Next**, confirm settings, click **Next** and then click **Close**. +10. Right click on the Autopilot for existing devices task sequence and click **Edit**. +11. In the Task Sequence Editor under the **Install Operating System** group, click the **Apply Windows Settings** action. +12. Click **Add** then click **New Group**. +13. Change the group **Name** from **New Group** to **Autopilot for existing devices config**. +14. Click **Add**, point to **General**, then click **Run Command Line**. +15. Verify that the **Run Command Line** step is nested under the **Autopilot for existing devices config** group. +16. Change the **Name** to **Apply Autopilot for existing devices config file** and paste the following into the **Command line** text box, and then click **Apply**: + ``` + cmd.exe /c xcopy AutopilotConfigurationFile.json %OSDTargetSystemDrive%\windows\provisioning\Autopilot\ /c + ``` + - **AutopilotConfigurationFile.json** must be the name of the JSON file present in the Autopilot for existing devices package created earlier. + +17. In the **Apply Autopilot for existing devices config file** step, select the **Package** checkbox and then click **Browse**. +18. Select the **Autopilot for existing devices config** package created earlier and click **OK**. An example is displayed at the end of this section. +19. Under the **Setup Operating System** group, click the **Setup Windows and Configuration Manager** task. +20. Click **Add** and then click **New Group**. +21. Change **Name** from **New Group** to **Prepare Device for Autopilot** +22. Verify that the **Prepare Device for Autopilot** group is the very last step in the task sequence. Use the **Move Down** button if necessary. +23. With the **Prepare device for Autopilot** group selected, click **Add**, point to **Images** and then click **Prepare ConfigMgr Client for Capture**. +24. Add a second step by clicking **Add**, pointing to **Images**, and clicking **Prepare Windows for Capture**. Use the following settings in this step: + - Automatically build mass storage driver list: **Not selected** + - Do not reset activation flag: **Not selected** + - Shutdown the computer after running this action: **Optional** + + ![Autopilot task sequence](images/ap-ts-1.png) + +25. Click **OK** to close the Task Sequence Editor. + +### Deploy Content to Distribution Points + +Next, ensure that all content required for the task sequence is deployed to distribution points. + +1. Right click on the **Autopilot for existing devices** task sequence and click **Distribute Content**. +2. Click **Next**, **Review the content to distribute** and then click **Next**. +3. On the Specify the content distribution page click **Add** to specify either a **Distribution Point** or **Distribution Point Group**. +4. On the a Add Distribution Points or Add Distribution Point Groups wizard specify content destinations that will allow the JSON file to be retrieved when the task sequence is run. +5. When you are finished specifying content distribution, click **Next** twice then click **Close**. + +### Deploy the OS with Autopilot Task Sequence + +1. Right click on the **Autopilot for existing devices** task sequence and then click **Deploy**. +2. In the Deploy Software Wizard enter the following **General** and **Deployment Settings** details: + - Task Sequence: **Autopilot for existing devices**. + - Collection: Click **Browse** and then select **Autopilot for existing devices collection** (or another collection you prefer). + - Click **Next** to specify **Deployment Settings**. + - Action: **Install**. + - Purpose: **Available**. You can optionally select **Required** instead of **Available**. This is not recommended during the test owing to the potential impact of inadvertent configurations. + - Make available to the following: **Only Configuration Manager Clients**. Note: Choose the option here that is relevant for the context of your test. If the target client does not have the Configuration Manager agent or Windows installed, you will need to select an option that includes PXE or Boot Media. + - Click **Next** to specify **Scheduling** details. + - Schedule when this deployment will become available: Optional + - Schedule when this deployment will expire: Optional + - Click **Next** to specify **User Experience** details. + - Show Task Sequence progress: Selected. + - Software Installation: Not selected. + - System restart (if required to complete the installation): Not selected. + - Commit changed at deadline or during a maintenance windows (requires restart): Optional. + - Allow task sequence to be run for client on the Internet: Optional + - Click **Next** to specify **Alerts** details. + - Create a deployment alert when the threshold is higher than the following: Optional. + - Click **Next** to specify **Distribution Points** details. + - Deployment options: **Download content locally when needed by the running task sequence**. + - When no local distribution point is available use a remote distribution point: Optional. + - Allow clients to use distribution points from the default site boundary group: Optional. + - Click **Next**, confirm settings, click **Next**, and then click **Close**. + +### Complete the client installation process + +1. Open the Software Center on the target Windows 7 or Windows 8.1 client computer. You can do this by clicking Start and then typing **software** in the search box, or by typing the following at a Windows PowerShell or command prompt: + + ``` + C:\Windows\CCM\SCClient.exe + ``` + +2. In the software library, select **Autopilot for existing devices** and click **Install**. See the following example: + + ![Named resource2](images/sc.png) + ![Named resource2](images/sc1.png) + +The Task Sequence will download content, reboot, format the drives and install Windows 10. The device will then proceed to be prepared for Autopilot. Once the task sequence has completed the device will boot into OOBE and provide an Autopilot experience. + +![refresh-1](images/up-1.png) +![refresh-2](images/up-2.png) +![refresh-3](images/up-3.png) + +>[!NOTE] +>If joining devices to Active Directory (Hybrid Azure AD Join), it is necessary to create a Domain Join device configuration profile that is targeted to "All Devices" (since there is no Azure Active Directory device object for the computer to do group-based targeting). See [User-driven mode for hybrid Azure Active Directory join](https://docs.microsoft.com/windows/deployment/windows-autopilot/user-driven#user-driven-mode-for-hybrid-azure-active-directory-join) for more information. + +### Register the device for Windows Autopilot + +Devices provisioned through Autopilot will only receive the guided OOBE Autopilot experience on first boot. Once updated to Windows 10, the device should be registered to ensure a continued Autopilot experience in the event of PC reset. You can enable automatic registration for an assigned group using the **Convert all targeted devices to Autopilot** setting. For more information, see [Create an Autopilot deployment profile](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-deployment-profile). + +Also see [Adding devices to Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/add-devices). + +## Speeding up the deployment process + +To remove around 20 minutes from the deployment process, see Michael Niehaus's blog with instructions for [Speeding up Windows Autopilot for existing devices](https://blogs.technet.microsoft.com/mniehaus/2018/10/25/speeding-up-windows-autopilot-for-existing-devices/). diff --git a/windows/deployment/windows-autopilot/index.md b/windows/deployment/windows-autopilot/index.md index d0f30fe153..efeffc2e04 100644 --- a/windows/deployment/windows-autopilot/index.md +++ b/windows/deployment/windows-autopilot/index.md @@ -9,6 +9,7 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy +audience: itpro author: greg-lindsay ms.author: greglin ms.collection: M365-modern-desktop diff --git a/windows/deployment/windows-autopilot/known-issues.md b/windows/deployment/windows-autopilot/known-issues.md index dae9f38910..d1f538dd46 100644 --- a/windows/deployment/windows-autopilot/known-issues.md +++ b/windows/deployment/windows-autopilot/known-issues.md @@ -1,47 +1,46 @@ ---- -title: Windows Autopilot known issues -ms.reviewer: -manager: laurawi -description: Windows Autopilot deployment -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -audience: itpro -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Windows Autopilot - known issues - -**Applies to** - -- Windows 10 - - -
          IssueMore information -
          The following known issues are resolved by installing the July 26, 2019 KB4505903 update (OS Build 18362.267): - -- Windows Autopilot white glove does not work for a non-English OS and you see a red screen that says "Success." -- Windows Autopilot reports an AUTOPILOTUPDATE error during OOBE after sysprep, reset or other variations. This typically happens if you reset the OS or used a custom sysprepped image. -- BitLocker encryption is not correctly configured. Ex: BitLocker didn’t get an expected notification after policies were applied to begin encryption. -- You are unable to install UWP apps from the Microsoft Store, causing failures during Windows Autopilot. If you are deploying Company Portal as a blocking app during Windows Autopilot ESP, you’ve probably seen this error. -- A user is not granted administrator rights in the Windows Autopilot user-driven Hybrid Azure AD join scenario. This is another non-English OS issue. -Download and install the KB4505903 update.

          See the section: How to get this update for information on specific release channels you can use to obtain the update. -
          White glove gives a red screen and the Microsoft-Windows-User Device Registration/Admin event log displays HResult error code 0x801C03F3This can happen if Azure AD can’t find an AAD device object for the device that you are trying to deploy. This will occur if you manually delete the object. To fix it, remove the device from AAD, Intune, and Autopilot, then re-register it with Autopilot, which will recreate the AAD device object.
          -
          To obtain troubleshooting logs use: Mdmdiagnosticstool.exe -area Autopilot;TPM -cab c:\autopilot.cab -
          White glove gives a red screenWhite glove is not supported on a VM. -
          Error importing Windows Autopilot devices from a .csv fileEnsure that you have not edited the .csv file in Microsoft Excel or an editor other than Notepad. Some of these editors can introduce extra characters causing the file format to be invalid. -
          Windows Autopilot for existing devices does not follow the Autopilot OOBE experience.Ensure that the JSON profile file is saved in ANSI/ASCII format, not Unicode or UTF-8. -
          Something went wrong is displayed page during OOBE.The client is likely unable to access all the required AAD/MSA-related URLs. For more information, see Networking requirements. -
          - -## Related topics - -[Diagnose MDM failures in Windows 10](https://docs.microsoft.com/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10)
          -[Troubleshooting Windows Autopilot](troubleshooting.md) \ No newline at end of file +--- +title: Windows Autopilot known issues +ms.reviewer: +manager: laurawi +description: Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Windows Autopilot - known issues + +**Applies to** + +- Windows 10 + + +
          IssueMore information +
          The following known issues are resolved by installing the July 26, 2019 KB4505903 update (OS Build 18362.267): + +- Windows Autopilot white glove does not work for a non-English OS and you see a red screen that says "Success." +- Windows Autopilot reports an AUTOPILOTUPDATE error during OOBE after sysprep, reset or other variations. This typically happens if you reset the OS or used a custom sysprepped image. +- BitLocker encryption is not correctly configured. Ex: BitLocker didn’t get an expected notification after policies were applied to begin encryption. +- You are unable to install UWP apps from the Microsoft Store, causing failures during Windows Autopilot. If you are deploying Company Portal as a blocking app during Windows Autopilot ESP, you’ve probably seen this error. +- A user is not granted administrator rights in the Windows Autopilot user-driven Hybrid Azure AD join scenario. This is another non-English OS issue. +Download and install the KB4505903 update.

          See the section: How to get this update for information on specific release channels you can use to obtain the update. +
          White glove gives a red screen and the Microsoft-Windows-User Device Registration/Admin event log displays HResult error code 0x801C03F3This can happen if Azure AD can’t find an AAD device object for the device that you are trying to deploy. This will occur if you manually delete the object. To fix it, remove the device from AAD, Intune, and Autopilot, then re-register it with Autopilot, which will recreate the AAD device object.
          +
          To obtain troubleshooting logs use: Mdmdiagnosticstool.exe -area Autopilot;TPM -cab c:\autopilot.cab +
          White glove gives a red screenWhite glove is not supported on a VM. +
          Error importing Windows Autopilot devices from a .csv fileEnsure that you have not edited the .csv file in Microsoft Excel or an editor other than Notepad. Some of these editors can introduce extra characters causing the file format to be invalid. +
          Windows Autopilot for existing devices does not follow the Autopilot OOBE experience.Ensure that the JSON profile file is saved in ANSI/ASCII format, not Unicode or UTF-8. +
          Something went wrong is displayed page during OOBE.The client is likely unable to access all the required AAD/MSA-related URLs. For more information, see Networking requirements. +
          + +## Related topics + +[Diagnose MDM failures in Windows 10](https://docs.microsoft.com/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10)
          +[Troubleshooting Windows Autopilot](troubleshooting.md) diff --git a/windows/deployment/windows-autopilot/profiles.md b/windows/deployment/windows-autopilot/profiles.md index 996999fc4f..6e54f66318 100644 --- a/windows/deployment/windows-autopilot/profiles.md +++ b/windows/deployment/windows-autopilot/profiles.md @@ -1,48 +1,48 @@ ---- -title: Configure Autopilot profiles -description: Windows Autopilot deployment -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.reviewer: mniehaus -manager: laurawi -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Configure Autopilot profiles - -**Applies to** - -- Windows 10 - -For each device that has been defined to the Windows Autopilot deployment service, a profile of settings needs to be applied that specifies the exact behavior of that device when it is deployed. For detailed procedures on how to configure profile settings and register devices, see [Registering devices](add-devices.md#registering-devices). - -## Profile settings - -The following profile settings are available: - -- **Skip Cortana, OneDrive and OEM registration setup pages**. All devices registered with Autopilot will automatically skip these pages during the out-of-box experience (OOBE) process. - -- **Automatically setup for work or school**. All devices registered with Autopilot will automatically be considered work or school devices, so this question will not be asked during the OOBE process. - -- **Sign in experience with company branding**. Instead of presenting a generic Azure Active Directory sign-in page, all devices registered with Autopilot will automatically present a customized sign-in page with the organization’s name, logon, and additional help text, as configured in Azure Active Directory. See [Add company branding to your directory](https://docs.microsoft.com/azure/active-directory/customize-branding#add-company-branding-to-your-directory) to customize these settings. - -- **Skip privacy settings**. This optional Autopilot profile setting enables organizations to not ask about privacy settings during the OOBE process. This is typically desirable so that the organization can configure these settings via Intune or other management tool. - -- **Disable local admin account creation on the device**. Organizations can decide whether the user setting up the device should have administrator access once the process is complete. - -- **Skip End User License Agreement (EULA)**. Starting in Windows 10 version 1709, organizations can decide to skip the EULA page presented during the OOBE process. This means that organizations accept the EULA terms on behalf of their users. - -- **Disable Windows consumer features**. Starting in Windows 10 version 1803, organizations can disable Windows consumer features so that the device does not automatically install any additional Microsoft Store apps when the user first signs into the device. See the [MDM documentation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) for more details. - -## Related topics - -[Profile download](troubleshooting.md#profile-download) -[Registering devices](add-devices.md) +--- +title: Configure Autopilot profiles +description: Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.reviewer: mniehaus +manager: laurawi +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Configure Autopilot profiles + +**Applies to** + +- Windows 10 + +For each device that has been defined to the Windows Autopilot deployment service, a profile of settings needs to be applied that specifies the exact behavior of that device when it is deployed. For detailed procedures on how to configure profile settings and register devices, see [Registering devices](add-devices.md#registering-devices). + +## Profile settings + +The following profile settings are available: + +- **Skip Cortana, OneDrive and OEM registration setup pages**. All devices registered with Autopilot will automatically skip these pages during the out-of-box experience (OOBE) process. + +- **Automatically setup for work or school**. All devices registered with Autopilot will automatically be considered work or school devices, so this question will not be asked during the OOBE process. + +- **Sign in experience with company branding**. Instead of presenting a generic Azure Active Directory sign-in page, all devices registered with Autopilot will automatically present a customized sign-in page with the organization’s name, logon, and additional help text, as configured in Azure Active Directory. See [Add company branding to your directory](https://docs.microsoft.com/azure/active-directory/customize-branding#add-company-branding-to-your-directory) to customize these settings. + +- **Skip privacy settings**. This optional Autopilot profile setting enables organizations to not ask about privacy settings during the OOBE process. This is typically desirable so that the organization can configure these settings via Intune or other management tool. + +- **Disable local admin account creation on the device**. Organizations can decide whether the user setting up the device should have administrator access once the process is complete. + +- **Skip End User License Agreement (EULA)**. Starting in Windows 10 version 1709, organizations can decide to skip the EULA page presented during the OOBE process. This means that organizations accept the EULA terms on behalf of their users. + +- **Disable Windows consumer features**. Starting in Windows 10 version 1803, organizations can disable Windows consumer features so that the device does not automatically install any additional Microsoft Store apps when the user first signs into the device. See the [MDM documentation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) for more details. + +## Related topics + +[Profile download](troubleshooting.md#profile-download) +[Registering devices](add-devices.md) diff --git a/windows/deployment/windows-autopilot/registration-auth.md b/windows/deployment/windows-autopilot/registration-auth.md index efa12958dc..9ae9105cbd 100644 --- a/windows/deployment/windows-autopilot/registration-auth.md +++ b/windows/deployment/windows-autopilot/registration-auth.md @@ -1,81 +1,81 @@ ---- -title: Windows Autopilot customer consent -description: Windows Autopilot deployment -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.reviewer: mniehaus -manager: laurawi -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Windows Autopilot customer consent - -**Applies to: Windows 10** - -This article describes how a cloud service provider (CSP) partner (direct bill, indirect provider, or indirect reseller) or an OEM can get customer authorization to register Windows Autopilot devices on the customer’s behalf. - -## CSP authorization - -CSP partners can get customer authorization to register Windows Autopilot devices on the customer’s behalf per the following restrictions: - - -
          Direct CSPGets direct authorization from the customer to register devices. -
          Indirect CSP ProviderGets implicit permission to register devices through the relationship their CSP Reseller partner has with the customer. Indirect CSP Providers register devices through Microsoft Partner Center. -
          Indirect CSP ResellerGets direct authorization from the customer to register devices. At the same time, their indirect CSP Provider partner also gets authorization, which mean that either the Indirect Provider or the Indirect Reseller can register devices for the customer. However, the Indirect CSP Reseller must register devices through the MPC UI (manually uploading CSV file), whereas the Indirect CSP Provider has the option to register devices using the MPC APIs. -
          - -### Steps - -For a CSP to register Windows Autopilot devices on behalf of a customer, the customer must first grant that CSP partner permission using the following process: - -1. CSP sends link to customer requesting authorization/consent to register/manage devices on their behalf. To do so: - - CSP logs into Microsoft Partner Center - - Click **Dashboard** on the top menu - - Click **Customer** on the side menu - - Click the **Request a reseller relationship** link: - ![Request a reseller relationship](images/csp1.png) - - Select the checkbox indicating whether or not you want delegated admin rights: - ![Delegated rights](images/csp2.png) - - NOTE: Depending on your partner, they might request Delegated Admin Permissions (DAP) when requesting this consent. You should ask them to use the newer DAP-free process (shown in this document) if possible. If not, you can easily remove their DAP status either from Microsoft Store for Business or the Office 365 admin portal: https://docs.microsoft.com/partner-center/customers_revoke_admin_privileges - - Send the template above to the customer via email. -2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link in the body of the email once they receive it from the CSP, which takes them directly to the following MSfB page: - - ![Global admin](images/csp3.png) - - NOTE: A user without global admin privileges who clicks the link will see a message similar to the following: - - ![Not global admin](images/csp4.png) - -3. Customer selects the **Yes** checkbox, followed by the **Accept** button. Authorization happens instantaneously. -4. The CSP will know that this consent/authorization request has been completed because the customer will show up in the CSP’s MPC account under their **customers** list, for example: - -![Customers](images/csp5.png) - -## OEM authorization - -Each OEM has a unique link to provide to their respective customers, which the OEM can request from Microsoft via msoemops@microsoft.com. - -1. OEM emails link to their customer. -2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link once they receive it from the OEM, which takes them directly to the following MSfB page: - - ![Global admin](images/csp6.png) - - NOTE: A user without global admin privileges who clicks the link will see a message similar to the following: - - ![Not global admin](images/csp7.png) -3. Customer selects the **Yes** checkbox, followed by the **Accept** button, and they’re done. Authorization happens instantaneously. - -4. The OEM can use the Validate Device Submission Data API to verify the consent has completed. This API is discussed in the latest version of the API Whitepaper, p. 14ff [https://devicepartner.microsoft.com/assets/detail/windows-autopilot-integration-with-oem-api-design-whitepaper-docx](https://devicepartner.microsoft.com/assets/detail/windows-autopilot-integration-with-oem-api-design-whitepaper-docx). **Note**: this link is only accessible by Microsoft Device Partners. As discussed in this whitepaper, it’s a best practice recommendation for OEM partners to run the API check to confirm they’ve received customer consent before attempting to register devices, thus avoiding errors in the registration process. - -## Summary - -At this stage of the process, Microsoft is no longer involved; the consent exchange happens directly between the OEM and the customer. And, it all happens instantaneously - as quickly as buttons are clicked. - +--- +title: Windows Autopilot customer consent +description: Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.reviewer: mniehaus +manager: laurawi +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Windows Autopilot customer consent + +**Applies to: Windows 10** + +This article describes how a cloud service provider (CSP) partner (direct bill, indirect provider, or indirect reseller) or an OEM can get customer authorization to register Windows Autopilot devices on the customer’s behalf. + +## CSP authorization + +CSP partners can get customer authorization to register Windows Autopilot devices on the customer’s behalf per the following restrictions: + + +
          Direct CSPGets direct authorization from the customer to register devices. +
          Indirect CSP ProviderGets implicit permission to register devices through the relationship their CSP Reseller partner has with the customer. Indirect CSP Providers register devices through Microsoft Partner Center. +
          Indirect CSP ResellerGets direct authorization from the customer to register devices. At the same time, their indirect CSP Provider partner also gets authorization, which mean that either the Indirect Provider or the Indirect Reseller can register devices for the customer. However, the Indirect CSP Reseller must register devices through the MPC UI (manually uploading CSV file), whereas the Indirect CSP Provider has the option to register devices using the MPC APIs. +
          + +### Steps + +For a CSP to register Windows Autopilot devices on behalf of a customer, the customer must first grant that CSP partner permission using the following process: + +1. CSP sends link to customer requesting authorization/consent to register/manage devices on their behalf. To do so: + - CSP logs into Microsoft Partner Center + - Click **Dashboard** on the top menu + - Click **Customer** on the side menu + - Click the **Request a reseller relationship** link: + ![Request a reseller relationship](images/csp1.png) + - Select the checkbox indicating whether or not you want delegated admin rights: + ![Delegated rights](images/csp2.png) + - NOTE: Depending on your partner, they might request Delegated Admin Permissions (DAP) when requesting this consent. You should ask them to use the newer DAP-free process (shown in this document) if possible. If not, you can easily remove their DAP status either from Microsoft Store for Business or the Office 365 admin portal: https://docs.microsoft.com/partner-center/customers_revoke_admin_privileges + - Send the template above to the customer via email. +2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link in the body of the email once they receive it from the CSP, which takes them directly to the following MSfB page: + + ![Global admin](images/csp3.png) + + NOTE: A user without global admin privileges who clicks the link will see a message similar to the following: + + ![Not global admin](images/csp4.png) + +3. Customer selects the **Yes** checkbox, followed by the **Accept** button. Authorization happens instantaneously. +4. The CSP will know that this consent/authorization request has been completed because the customer will show up in the CSP’s MPC account under their **customers** list, for example: + +![Customers](images/csp5.png) + +## OEM authorization + +Each OEM has a unique link to provide to their respective customers, which the OEM can request from Microsoft via msoemops@microsoft.com. + +1. OEM emails link to their customer. +2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link once they receive it from the OEM, which takes them directly to the following MSfB page: + + ![Global admin](images/csp6.png) + + NOTE: A user without global admin privileges who clicks the link will see a message similar to the following: + + ![Not global admin](images/csp7.png) +3. Customer selects the **Yes** checkbox, followed by the **Accept** button, and they’re done. Authorization happens instantaneously. + +4. The OEM can use the Validate Device Submission Data API to verify the consent has completed. This API is discussed in the latest version of the API Whitepaper, p. 14ff [https://devicepartner.microsoft.com/assets/detail/windows-autopilot-integration-with-oem-api-design-whitepaper-docx](https://devicepartner.microsoft.com/assets/detail/windows-autopilot-integration-with-oem-api-design-whitepaper-docx). **Note**: this link is only accessible by Microsoft Device Partners. As discussed in this whitepaper, it’s a best practice recommendation for OEM partners to run the API check to confirm they’ve received customer consent before attempting to register devices, thus avoiding errors in the registration process. + +## Summary + +At this stage of the process, Microsoft is no longer involved; the consent exchange happens directly between the OEM and the customer. And, it all happens instantaneously - as quickly as buttons are clicked. + diff --git a/windows/deployment/windows-autopilot/self-deploying.md b/windows/deployment/windows-autopilot/self-deploying.md index ea68663b28..939b4ac431 100644 --- a/windows/deployment/windows-autopilot/self-deploying.md +++ b/windows/deployment/windows-autopilot/self-deploying.md @@ -9,6 +9,7 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy +audience: itpro author: greg-lindsay ms.author: greglin ms.collection: M365-modern-desktop @@ -29,7 +30,7 @@ Self-deploying mode joins the device into Azure Active Directory, enrolls the de Self-deploying mode is designed to deploy Windows 10 as a kiosk, digital signage device, or a shared device. When setting up a kiosk, you can leverage the new Kiosk Browser, an app built on Microsoft Edge that can be used to create a tailored, MDM-managed browsing experience. When combined with MDM policies to create a local account and configure it to automatically log on, the complete configuration of the device can be automated. Find out more about these options by reading simplifying kiosk management for IT with Windows 10. See [Set up a kiosk or digital sign in Intune or other MDM service](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage#set-up-a-kiosk-or-digital-sign-in-intune-or-other-mdm-service) for additional details. >[!NOTE] ->Self-deploying mode does not presently associate a user with the device (since no user ID or password is specified as part of the process). As a result, some Azure AD and Intune capabilities (such as BitLocker recovery, installation of apps from the Company Portal, or Conditional Access) may not be available to a user that signs into the device. For more information see [Windows Autopilot scenarios and capabilities](windows-autopilot-scenarios.md) and [Setting the BitLocker encryption algorithm for Autopilot devices](bitlocker.md). +>Self-deploying mode does not presently associate a user with the device (since no user ID or password is specified as part of the process). As a result, some Azure AD and Intune capabilities (such as BitLocker recovery, installation of apps from the Company Portal, or Conditional Access) may not be available to a user that signs into the device. For more information see [Windows Autopilot scenarios and capabilities](windows-autopilot-scenarios.md) and [Setting the BitLocker encryption algorithm for Autopilot devices](bitlocker.md). ![The user experience with Windows Autopilot self-deploying mode](images/self-deploy-welcome.png) diff --git a/windows/deployment/windows-autopilot/troubleshooting.md b/windows/deployment/windows-autopilot/troubleshooting.md index dda5ad6943..2d857f5388 100644 --- a/windows/deployment/windows-autopilot/troubleshooting.md +++ b/windows/deployment/windows-autopilot/troubleshooting.md @@ -1,121 +1,121 @@ ---- -title: Troubleshooting Windows Autopilot -description: Windows Autopilot deployment -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.reviewer: mniehaus -manager: laurawi -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Troubleshooting Windows Autopilot - -**Applies to: Windows 10** - -Windows Autopilot is designed to simplify all parts of the Windows device lifecycle, but there are always situations where issues may arise, either due to configuration or other issues. To assist with troubleshooting efforts, review the following information. - -## Troubleshooting process - -Regardless of whether performing user-driven or self-deploying device deployments, the troubleshooting process is the mostly the same. It is useful to understand the flow for a specific device: - -- Network connection established. This can be a wireless (Wi-fi) or wired (Ethernet) connection. -- Windows Autopilot profile downloaded. Whether using a wired connection or manually establishing a wireless connection, the Windows Autopilot profile will be downloaded from the Autopilot deployment service as soon as the network connection is in place. -- User authentication. When performing a user-driven deployment, the user will enter their Azure Active Directory credentials, which will be validated. -- Azure Active Directory join. For user-driven deployments, the device will be joined to Azure AD using the specified user credentials. For self-deploying scenarios, the device will be joined without specifying any user credentials. -- Automatic MDM enrollment. As part of the Azure AD join process, the device will enroll in the MDM service configured in Azure AD (e.g. Microsoft Intune). -- Settings are applied. If the [enrollment status page](enrollment-status.md) is configured, most settings will be applied while the enrollment status page is displayed. If not configured or available, settings will be applied after the user is signed in. - -For troubleshooting, key activities to perform are: - -- Configuration. Has Azure Active Directory and Microsoft Intune (or an equivalent MDM service) been configured as specified in [Windows Autopilot configuration requirements](windows-autopilot-requirements.md)? -- Network connectivity. Can the device access the services described in [Windows Autopilot networking requirements](windows-autopilot-requirements.md)? -- Autopilot OOBE behavior. Were only the expected out-of-box experience screens displayed? Was the Azure AD credentials page customized with organization-specific details as expected? -- Azure AD join issues. Was the device able to join Azure Active Directory? -- MDM enrollment issues. Was the device able to enroll in Microsoft Intune (or an equivalent MDM service)? - -## Troubleshooting Autopilot OOBE issues - -If the expected Autopilot behavior does not occur during the out-of-box experience (OOBE), it is useful to see whether the device received an Autopilot profile and what settings that profile contained. Depending on the Windows 10 release, there are different mechanisms available to do that. - -### Windows 10 version 1803 and above - -To see details related to the Autopilot profile settings and OOBE flow, Windows 10 version 1803 and above adds event log entries. These can be viewed using Event Viewer, navigating to the log at **Application and Services Logs –> Microsoft –> Windows –> Provisioning-Diagnostics-Provider –> AutoPilot**. The following events may be recorded, depending on the scenario and profile configuration. - -| Event ID | Type | Description | -|----------|------|-------------| -| 100 | Warning | “AutoPilot policy [name] not found.” This is typically a temporary problem, while the device is waiting for an Autopilot profile to be downloaded. | -| 101 | Info | “AutoPilotGetPolicyDwordByName succeeded: policy name = [setting name]; policy value [value].” This shows Autopilot retrieving and processing numeric OOBE settings. | -| 103 | Info | “AutoPilotGetPolicyStringByName succeeded: policy name = [name]; value = [value].” This shows Autopilot retrieving and processing OOBE setting strings such as the Azure AD tenant name. | -| 109 | Info | “AutoPilotGetOobeSettingsOverride succeeded: OOBE setting [setting name]; state = [state].” This shows Autopilot retrieving and processing state-related OOBE settings. | -| 111 | Info | “AutoPilotRetrieveSettings succeeded.” This means that the settings stored in the Autopilot profile that control the OOBE behavior have been retrieved successfully. | -| 153 | Info | “AutoPilotManager reported the state changed from [original state] to [new state].” Typically this should say “ProfileState_Unknown” to “ProfileState_Available” to show that a profile was available for the device and downloaded, so the device is ready to be deployed using Autopilot. | -| 160 | Info | “AutoPilotRetrieveSettings beginning acquisition.” This shows that Autopilot is getting ready to download the needed Autopilot profile settings. | -| 161 | Info | “AutoPilotManager retrieve settings succeeded.” The Autopilot profile was successfully downloaded. | -| 163 | Info | “AutoPilotManager determined download is not required and the device is already provisioned. Clean or reset the device to change this.” This message indicates that an Autopilot profile is resident on the device; it typically would only be removed by the **Sysprep /Generalize** process. | -| 164 | Info | “AutoPilotManager determined Internet is available to attempt policy download.” | -| 171 | Error | “AutoPilotManager failed to set TPM identity confirmed. HRESULT=[error code].” This indicates an issue performing TPM attestation, needed to complete the self-deploying mode process. | -| 172 | Error | “AutoPilotManager failed to set AutoPilot profile as available. HRESULT=[error code].” This is typically related to event ID 171. | - -In addition to the event log entries, the registry and ETW trace options described below also work with Windows 10 version 1803 and above. - -### Windows 10 version 1709 and above - -On Windows 10 version 1709 and above, information about the Autopilot profile settings are stored in the registry on the device after they are received from the Autopilot deployment service. These can be found at **HKLM\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot**. Available registry entries include: - -| Value | Description | -|-------|-------------| -| AadTenantId | The GUID of the Azure AD tenant the user signed into. This should match the tenant that the device was registered with; if it does not match the user will receive an error. | -| CloudAssignedTenantDomain | The Azure AD tenant the device has been registered with, e.g. “contosomn.onmicrosoft.com.” If the device is not registered with Autopilot, this value will be blank. | -| CloudAssignedTenantId | The GUID of the Azure AD tenant the device has been registered with (the GUID corresponds to the tenant domain from the CloudAssignedTenantDomain registry value). If the device isn’t registered with Autopilot, this value will be blank.| -| IsAutoPilotDisabled | If set to 1, this indicates that the device is not registered with Autopilot. This could also indicate that the Autopilot profile could not be downloaded due to network connectivity or firewall issues, or network timeouts. | -| TenantMatched | This will be set to 1 if the tenant ID of the user matches the tenant ID that the device was registered with. If this is 0, the user would be shown an error and forced to start over. | -| CloudAssignedOobeConfig | This is a bitmap that shows which Autopilot settings were configured. Values include: SkipCortanaOptIn = 1, OobeUserNotLocalAdmin = 2, SkipExpressSettings = 4, SkipOemRegistration = 8, SkipEula = 16 | - -### Windows 10 version 1703 and above - -On Windows 10 version 1703 and above, ETW tracing can be used to capture detailed information from Autopilot and related components. The resulting ETW trace files can then be viewed using the Windows Performance Analyzer or similar tools. See [the advanced troubleshooting blog](https://blogs.technet.microsoft.com/mniehaus/2017/12/13/troubleshooting-windows-autopilot-level-300400/) for more information. - -## Troubleshooting Azure AD Join issues - -The most common issue joining a device to Azure AD is related to Azure AD permissions. Ensure [the correct configuration is in place](windows-autopilot-requirements.md) to allow users to join devices to Azure AD. Errors can also happen if the user has exceeded the number of devices that they are allowed to join, as configured in Azure AD. - -Error code 801C0003 will typically be reported on an error page titled "Something went wrong". This error means that the Azure AD join failed. - -## Troubleshooting Intune enrollment issues - -See [this knowledge base article](https://support.microsoft.com/help/4089533/troubleshooting-windows-device-enrollment-problems-in-microsoft-intune) for assistance with Intune enrollment issues. Common issues include incorrect or missing licenses assigned to the user or too many devices enrolled for the user. - -Error code 80180018 will typically be reported on an error page titled "Something went wrong". This error means that the MDM enrollment failed. - -If Autopilot Reset fails immediately with an error "Ran into trouble. Please sign in with an administrator account to see why and reset manually," see [Troubleshoot Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset#troubleshoot-autopilot-reset) for more help. - -## Profile download - -When an Internet-connected Windows 10 device boots up, it will attempt to connect to the Autopilot service and download an Autopilot profile. Note: It is important that a profile exists at this stage so that a blank profile is not cached locally on the PC. To remove the currently cached local profile in Windows 10 version 1803 and earlier, it is necessary to re-generalize the OS using **sysprep /generalize /oobe**, reinstall the OS, or re-image the PC. In Windows 10 version 1809 and later, you can retrieve a new profile by rebooting the PC. - -When a profile is downloaded depends on the version of Windows 10 that is running on the PC. See the following table. - -| Windows 10 version | Profile download behavior | -| --- | --- | -| 1703 and 1709 | The profile is downloaded after the OOBE network connection page. This page is not displayed when using a wired connection. In this case, the profile is downloaded just prior to the EULA screen. | -| 1803 | The profile is downloaded as soon as possible. If wired, it is downloaded at the start of OOBE. If wireless, it is downloaded after the network connection page. | -| 1809 | The profile is downloaded as soon as possible (same as 1803), and again after each reboot. | - -If you need to reboot a computer during OOBE: -- Press Shift-F10 to open a command prompt. -- Enter **shutdown /r /t 0** to restart immediately, or **shutdown /s /t 0** to shutdown immediately. - -For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options). - -## Related topics - -[Windows Autopilot - known issues](known-issues.md)
          -[Diagnose MDM failures in Windows 10](https://docs.microsoft.com/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10)
          +--- +title: Troubleshooting Windows Autopilot +description: Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.reviewer: mniehaus +manager: laurawi +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Troubleshooting Windows Autopilot + +**Applies to: Windows 10** + +Windows Autopilot is designed to simplify all parts of the Windows device lifecycle, but there are always situations where issues may arise, either due to configuration or other issues. To assist with troubleshooting efforts, review the following information. + +## Troubleshooting process + +Regardless of whether performing user-driven or self-deploying device deployments, the troubleshooting process is the mostly the same. It is useful to understand the flow for a specific device: + +- Network connection established. This can be a wireless (Wi-fi) or wired (Ethernet) connection. +- Windows Autopilot profile downloaded. Whether using a wired connection or manually establishing a wireless connection, the Windows Autopilot profile will be downloaded from the Autopilot deployment service as soon as the network connection is in place. +- User authentication. When performing a user-driven deployment, the user will enter their Azure Active Directory credentials, which will be validated. +- Azure Active Directory join. For user-driven deployments, the device will be joined to Azure AD using the specified user credentials. For self-deploying scenarios, the device will be joined without specifying any user credentials. +- Automatic MDM enrollment. As part of the Azure AD join process, the device will enroll in the MDM service configured in Azure AD (e.g. Microsoft Intune). +- Settings are applied. If the [enrollment status page](enrollment-status.md) is configured, most settings will be applied while the enrollment status page is displayed. If not configured or available, settings will be applied after the user is signed in. + +For troubleshooting, key activities to perform are: + +- Configuration. Has Azure Active Directory and Microsoft Intune (or an equivalent MDM service) been configured as specified in [Windows Autopilot configuration requirements](windows-autopilot-requirements.md)? +- Network connectivity. Can the device access the services described in [Windows Autopilot networking requirements](windows-autopilot-requirements.md)? +- Autopilot OOBE behavior. Were only the expected out-of-box experience screens displayed? Was the Azure AD credentials page customized with organization-specific details as expected? +- Azure AD join issues. Was the device able to join Azure Active Directory? +- MDM enrollment issues. Was the device able to enroll in Microsoft Intune (or an equivalent MDM service)? + +## Troubleshooting Autopilot OOBE issues + +If the expected Autopilot behavior does not occur during the out-of-box experience (OOBE), it is useful to see whether the device received an Autopilot profile and what settings that profile contained. Depending on the Windows 10 release, there are different mechanisms available to do that. + +### Windows 10 version 1803 and above + +To see details related to the Autopilot profile settings and OOBE flow, Windows 10 version 1803 and above adds event log entries. These can be viewed using Event Viewer, navigating to the log at **Application and Services Logs –> Microsoft –> Windows –> Provisioning-Diagnostics-Provider –> AutoPilot**. The following events may be recorded, depending on the scenario and profile configuration. + +| Event ID | Type | Description | +|----------|------|-------------| +| 100 | Warning | “AutoPilot policy [name] not found.” This is typically a temporary problem, while the device is waiting for an Autopilot profile to be downloaded. | +| 101 | Info | “AutoPilotGetPolicyDwordByName succeeded: policy name = [setting name]; policy value [value].” This shows Autopilot retrieving and processing numeric OOBE settings. | +| 103 | Info | “AutoPilotGetPolicyStringByName succeeded: policy name = [name]; value = [value].” This shows Autopilot retrieving and processing OOBE setting strings such as the Azure AD tenant name. | +| 109 | Info | “AutoPilotGetOobeSettingsOverride succeeded: OOBE setting [setting name]; state = [state].” This shows Autopilot retrieving and processing state-related OOBE settings. | +| 111 | Info | “AutoPilotRetrieveSettings succeeded.” This means that the settings stored in the Autopilot profile that control the OOBE behavior have been retrieved successfully. | +| 153 | Info | “AutoPilotManager reported the state changed from [original state] to [new state].” Typically this should say “ProfileState_Unknown” to “ProfileState_Available” to show that a profile was available for the device and downloaded, so the device is ready to be deployed using Autopilot. | +| 160 | Info | “AutoPilotRetrieveSettings beginning acquisition.” This shows that Autopilot is getting ready to download the needed Autopilot profile settings. | +| 161 | Info | “AutoPilotManager retrieve settings succeeded.” The Autopilot profile was successfully downloaded. | +| 163 | Info | “AutoPilotManager determined download is not required and the device is already provisioned. Clean or reset the device to change this.” This message indicates that an Autopilot profile is resident on the device; it typically would only be removed by the **Sysprep /Generalize** process. | +| 164 | Info | “AutoPilotManager determined Internet is available to attempt policy download.” | +| 171 | Error | “AutoPilotManager failed to set TPM identity confirmed. HRESULT=[error code].” This indicates an issue performing TPM attestation, needed to complete the self-deploying mode process. | +| 172 | Error | “AutoPilotManager failed to set AutoPilot profile as available. HRESULT=[error code].” This is typically related to event ID 171. | + +In addition to the event log entries, the registry and ETW trace options described below also work with Windows 10 version 1803 and above. + +### Windows 10 version 1709 and above + +On Windows 10 version 1709 and above, information about the Autopilot profile settings are stored in the registry on the device after they are received from the Autopilot deployment service. These can be found at **HKLM\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot**. Available registry entries include: + +| Value | Description | +|-------|-------------| +| AadTenantId | The GUID of the Azure AD tenant the user signed into. This should match the tenant that the device was registered with; if it does not match the user will receive an error. | +| CloudAssignedTenantDomain | The Azure AD tenant the device has been registered with, e.g. “contosomn.onmicrosoft.com.” If the device is not registered with Autopilot, this value will be blank. | +| CloudAssignedTenantId | The GUID of the Azure AD tenant the device has been registered with (the GUID corresponds to the tenant domain from the CloudAssignedTenantDomain registry value). If the device isn’t registered with Autopilot, this value will be blank.| +| IsAutoPilotDisabled | If set to 1, this indicates that the device is not registered with Autopilot. This could also indicate that the Autopilot profile could not be downloaded due to network connectivity or firewall issues, or network timeouts. | +| TenantMatched | This will be set to 1 if the tenant ID of the user matches the tenant ID that the device was registered with. If this is 0, the user would be shown an error and forced to start over. | +| CloudAssignedOobeConfig | This is a bitmap that shows which Autopilot settings were configured. Values include: SkipCortanaOptIn = 1, OobeUserNotLocalAdmin = 2, SkipExpressSettings = 4, SkipOemRegistration = 8, SkipEula = 16 | + +### Windows 10 version 1703 and above + +On Windows 10 version 1703 and above, ETW tracing can be used to capture detailed information from Autopilot and related components. The resulting ETW trace files can then be viewed using the Windows Performance Analyzer or similar tools. See [the advanced troubleshooting blog](https://blogs.technet.microsoft.com/mniehaus/2017/12/13/troubleshooting-windows-autopilot-level-300400/) for more information. + +## Troubleshooting Azure AD Join issues + +The most common issue joining a device to Azure AD is related to Azure AD permissions. Ensure [the correct configuration is in place](windows-autopilot-requirements.md) to allow users to join devices to Azure AD. Errors can also happen if the user has exceeded the number of devices that they are allowed to join, as configured in Azure AD. + +Error code 801C0003 will typically be reported on an error page titled "Something went wrong". This error means that the Azure AD join failed. + +## Troubleshooting Intune enrollment issues + +See [this knowledge base article](https://support.microsoft.com/help/4089533/troubleshooting-windows-device-enrollment-problems-in-microsoft-intune) for assistance with Intune enrollment issues. Common issues include incorrect or missing licenses assigned to the user or too many devices enrolled for the user. + +Error code 80180018 will typically be reported on an error page titled "Something went wrong". This error means that the MDM enrollment failed. + +If Autopilot Reset fails immediately with an error "Ran into trouble. Please sign in with an administrator account to see why and reset manually," see [Troubleshoot Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset#troubleshoot-autopilot-reset) for more help. + +## Profile download + +When an Internet-connected Windows 10 device boots up, it will attempt to connect to the Autopilot service and download an Autopilot profile. Note: It is important that a profile exists at this stage so that a blank profile is not cached locally on the PC. To remove the currently cached local profile in Windows 10 version 1803 and earlier, it is necessary to re-generalize the OS using **sysprep /generalize /oobe**, reinstall the OS, or re-image the PC. In Windows 10 version 1809 and later, you can retrieve a new profile by rebooting the PC. + +When a profile is downloaded depends on the version of Windows 10 that is running on the PC. See the following table. + +| Windows 10 version | Profile download behavior | +| --- | --- | +| 1703 and 1709 | The profile is downloaded after the OOBE network connection page. This page is not displayed when using a wired connection. In this case, the profile is downloaded just prior to the EULA screen. | +| 1803 | The profile is downloaded as soon as possible. If wired, it is downloaded at the start of OOBE. If wireless, it is downloaded after the network connection page. | +| 1809 | The profile is downloaded as soon as possible (same as 1803), and again after each reboot. | + +If you need to reboot a computer during OOBE: +- Press Shift-F10 to open a command prompt. +- Enter **shutdown /r /t 0** to restart immediately, or **shutdown /s /t 0** to shutdown immediately. + +For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options). + +## Related topics + +[Windows Autopilot - known issues](known-issues.md)
          +[Diagnose MDM failures in Windows 10](https://docs.microsoft.com/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10)
          diff --git a/windows/deployment/windows-autopilot/user-driven.md b/windows/deployment/windows-autopilot/user-driven.md index cce649aaf6..7629dc2ba8 100644 --- a/windows/deployment/windows-autopilot/user-driven.md +++ b/windows/deployment/windows-autopilot/user-driven.md @@ -1,99 +1,99 @@ ---- -title: Windows Autopilot User-Driven Mode -description: Windows Autopilot deployment -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.reviewer: mniehaus -manager: laurawi -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Windows Autopilot user-driven mode - -Windows Autopilot user-driven mode is designed to enable new Windows 10 devices to be transformed from their initial state, directly from the factory, into a ready-to-use state without requiring that IT personnel ever touch the device. The process is designed to be simple so that anyone can complete it, enabling devices to be shipped or distributed to the end user directly with simple instructions: - -- Unbox the device, plug it in, and turn it on. -- Choose a language, locale and keyboard. -- Connect it to a wireless or wired network with internet access. -- Specify your e-mail address and password for your organization account. - -After completing those simple steps, the remainder of the process is completely automated, with the device being joined to the organization, enrolled in Intune (or another MDM service), and fully configured as defined by the organization. Any additional prompts during the Out-of-Box Experience (OOBE) can be supressed; see [Configuring Autopilot Profiles](profiles.md) for options that are available. - -Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. - -## Available user-driven modes - -The following options are available for user-driven deployment: - -- [Azure Active Directory join](#user-driven-mode-for-azure-active-directory-join) is available if devices do not need to be joined to an on-prem Active Directory domain. -- [Hybrid Azure Active Directory join](#user-driven-mode-for-hybrid-azure-active-directory-join) is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain. - -### User-driven mode for Azure Active Directory join - -In order to perform a user-driven deployment using Windows Autopilot, the following preparation steps need to be completed: - -- Ensure that the users who will be performing user-driven mode deployments are able to join devices to Azure Active Directory. See [Configure device settings](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal#configure-device-settings) in the Azure Active Directory documentation for more information. -- Create an Autopilot profile for user-driven mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. With Microsoft Store for Business and Partner Center, user-driven mode is the default and does not need to be selected. -- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group. - -For each device that will be deployed using user-driven deployment, these additional steps are needed: - -- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information. -- Ensure an Autopilot profile has been assigned to the device: - - If using Intune and Azure Active Directory dynamic device groups, this can be done automatically. - - If using Intune and Azure Active Directory static device groups, manually add the device to the device group. - - If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device. - -Also see the [Validation](#validation) section below. - -### User-driven mode for hybrid Azure Active Directory join - -Windows Autopilot requires that devices be Azure Active Directory joined. If you have an on-premises Active Directory environment and want to also join devices to your on-premises domain, you can accomplish this by configuring Autopilot devices to be [hybrid Azure Active Directory (AAD) joined](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan). - -#### Requirements - -To perform a user-driven hybrid AAD joined deployment using Windows Autopilot: - -- A Windows Autopilot profile for user-driven mode must be created and - - **Hybrid Azure AD joined** must be specified as the selected option under **Join to Azure AD as** in the Autopilot profile. -- If using Intune, a device group in Azure Active Directory must exist with the Windows Autopilot profile assigned to that group. -- The device must be running Windows 10, version 1809 or later. -- The device must be able to access an Active Directory domain controller, so it must be connected to the organization's network (where it can resolve the DNS records for the AD domain and the AD domain controller, and communicate with the domain controller to authenticate the user). -- The device must be able to access the Internet, following the [documented Windows Autopilot network requirements](windows-autopilot-requirements.md). -- The Intune Connector for Active Directory must be installed. - - Note: The Intune Connector will perform an on-prem AD join, therefore users do not need on-prem AD-join permission, assuming the Connector is [configured to perform this action](https://docs.microsoft.com/intune/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit) on the user's behalf. -- If using Proxy, WPAD Proxy settings option must be enabled and configured. - -**AAD device join**: The hybrid AAD join process uses the system context to perform device AAD join, therefore it is not affected by user based AAD join permission settings. In addition, all users are enabled to join devices to AAD by default. - -#### Step by step instructions - -See [Deploy hybrid Azure AD joined devices using Intune and Windows Autopilot](https://docs.microsoft.com/intune/windows-autopilot-hybrid). - -Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic. - -## Validation - -When performing a user-driven deployment using Windows Autopilot, the following end-user experience should be observed: - -- If multiple languages are preinstalled in Windows 10, the user must pick a language. -- The user must pick a locale and a keyboard layout, and optionally a second keyboard layout. -- If connected via Ethernet, no network prompt is expected. If no Ethernet connection is available and Wi-fi is built in, the user needs to connect to a wireless network. -- Once connected to a network, the Autopilot profile will be downloaded. -- Windows 10 will check for critical OOBE updates, and if any are available they will be automatically installed (rebooting if required). -- The user will be prompted for Azure Active Directory credentials, with a customized user experience showing the Azure AD tenant name, logo, and sign-in text. -- Once correct credentials have been entered, the device will join Azure Active Directory. -- After joining Azure Active Directory, the device will enroll in Intune (or other configured MDM services). -- If configured, the [enrollment status page](enrollment-status.md) will be displayed. -- Once the device configuration tasks have completed, the user will be signed into Windows 10 using the credentials they previously provided. -- Once signed in, the enrollment status page will again be displayed for user-targeted configuration tasks. - -In case the observed results do not match these expectations, consult the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation. +--- +title: Windows Autopilot User-Driven Mode +description: Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.reviewer: mniehaus +manager: laurawi +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Windows Autopilot user-driven mode + +Windows Autopilot user-driven mode is designed to enable new Windows 10 devices to be transformed from their initial state, directly from the factory, into a ready-to-use state without requiring that IT personnel ever touch the device. The process is designed to be simple so that anyone can complete it, enabling devices to be shipped or distributed to the end user directly with simple instructions: + +- Unbox the device, plug it in, and turn it on. +- Choose a language, locale and keyboard. +- Connect it to a wireless or wired network with internet access. +- Specify your e-mail address and password for your organization account. + +After completing those simple steps, the remainder of the process is completely automated, with the device being joined to the organization, enrolled in Intune (or another MDM service), and fully configured as defined by the organization. Any additional prompts during the Out-of-Box Experience (OOBE) can be supressed; see [Configuring Autopilot Profiles](profiles.md) for options that are available. + +Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. + +## Available user-driven modes + +The following options are available for user-driven deployment: + +- [Azure Active Directory join](#user-driven-mode-for-azure-active-directory-join) is available if devices do not need to be joined to an on-prem Active Directory domain. +- [Hybrid Azure Active Directory join](#user-driven-mode-for-hybrid-azure-active-directory-join) is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain. + +### User-driven mode for Azure Active Directory join + +In order to perform a user-driven deployment using Windows Autopilot, the following preparation steps need to be completed: + +- Ensure that the users who will be performing user-driven mode deployments are able to join devices to Azure Active Directory. See [Configure device settings](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal#configure-device-settings) in the Azure Active Directory documentation for more information. +- Create an Autopilot profile for user-driven mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. With Microsoft Store for Business and Partner Center, user-driven mode is the default and does not need to be selected. +- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group. + +For each device that will be deployed using user-driven deployment, these additional steps are needed: + +- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information. +- Ensure an Autopilot profile has been assigned to the device: + - If using Intune and Azure Active Directory dynamic device groups, this can be done automatically. + - If using Intune and Azure Active Directory static device groups, manually add the device to the device group. + - If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device. + +Also see the [Validation](#validation) section below. + +### User-driven mode for hybrid Azure Active Directory join + +Windows Autopilot requires that devices be Azure Active Directory joined. If you have an on-premises Active Directory environment and want to also join devices to your on-premises domain, you can accomplish this by configuring Autopilot devices to be [hybrid Azure Active Directory (AAD) joined](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan). + +#### Requirements + +To perform a user-driven hybrid AAD joined deployment using Windows Autopilot: + +- A Windows Autopilot profile for user-driven mode must be created and + - **Hybrid Azure AD joined** must be specified as the selected option under **Join to Azure AD as** in the Autopilot profile. +- If using Intune, a device group in Azure Active Directory must exist with the Windows Autopilot profile assigned to that group. +- The device must be running Windows 10, version 1809 or later. +- The device must be able to access an Active Directory domain controller, so it must be connected to the organization's network (where it can resolve the DNS records for the AD domain and the AD domain controller, and communicate with the domain controller to authenticate the user). +- The device must be able to access the Internet, following the [documented Windows Autopilot network requirements](windows-autopilot-requirements.md). +- The Intune Connector for Active Directory must be installed. + - Note: The Intune Connector will perform an on-prem AD join, therefore users do not need on-prem AD-join permission, assuming the Connector is [configured to perform this action](https://docs.microsoft.com/intune/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit) on the user's behalf. +- If using Proxy, WPAD Proxy settings option must be enabled and configured. + +**AAD device join**: The hybrid AAD join process uses the system context to perform device AAD join, therefore it is not affected by user based AAD join permission settings. In addition, all users are enabled to join devices to AAD by default. + +#### Step by step instructions + +See [Deploy hybrid Azure AD joined devices using Intune and Windows Autopilot](https://docs.microsoft.com/intune/windows-autopilot-hybrid). + +Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic. + +## Validation + +When performing a user-driven deployment using Windows Autopilot, the following end-user experience should be observed: + +- If multiple languages are preinstalled in Windows 10, the user must pick a language. +- The user must pick a locale and a keyboard layout, and optionally a second keyboard layout. +- If connected via Ethernet, no network prompt is expected. If no Ethernet connection is available and Wi-fi is built in, the user needs to connect to a wireless network. +- Once connected to a network, the Autopilot profile will be downloaded. +- Windows 10 will check for critical OOBE updates, and if any are available they will be automatically installed (rebooting if required). +- The user will be prompted for Azure Active Directory credentials, with a customized user experience showing the Azure AD tenant name, logo, and sign-in text. +- Once correct credentials have been entered, the device will join Azure Active Directory. +- After joining Azure Active Directory, the device will enroll in Intune (or other configured MDM services). +- If configured, the [enrollment status page](enrollment-status.md) will be displayed. +- Once the device configuration tasks have completed, the user will be signed into Windows 10 using the credentials they previously provided. +- Once signed in, the enrollment status page will again be displayed for user-targeted configuration tasks. + +In case the observed results do not match these expectations, consult the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation. diff --git a/windows/deployment/windows-autopilot/white-glove.md b/windows/deployment/windows-autopilot/white-glove.md index 228a9cf358..75e7e3a334 100644 --- a/windows/deployment/windows-autopilot/white-glove.md +++ b/windows/deployment/windows-autopilot/white-glove.md @@ -7,9 +7,11 @@ ms.mktglfcycl: deploy ms.localizationpriority: low ms.sitesec: library ms.pagetype: deploy +audience: itpro author: greg-lindsay manager: laurawi -ms.author: greg-lindsay +ms.audience: itpro +author: greg-lindsay ms.collection: M365-modern-desktop ms.topic: article --- diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md index 7058bc777e..c216835569 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md @@ -1,121 +1,121 @@ ---- -title: Windows Autopilot requirements -ms.reviewer: -manager: laurawi -description: Windows Autopilot deployment -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Windows Autopilot requirements - -**Applies to: Windows 10** - -Windows Autopilot depends on specific capabilities available in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune. In order to use Windows Autopilot and leverage these capabilities, some requirements must be met. - -**Note**: For a list of OEMs that currently support Windows Autopilot, see the Participant device manufacturers section at [Windows Autopilot](https://aka.ms/windowsautopilot). - -## Software requirements - -- Windows 10 version 1703 (semi-annual channel) or higher is required. -- The following editions are supported: - - Windows 10 Pro - - Windows 10 Pro Education - - Windows 10 Pro for Workstations - - Windows 10 Enterprise - - Windows 10 Education - - Windows 10 Enterprise 2019 LTSC - -## Networking requirements - -Windows Autopilot depends on a variety of internet-based services. Access to these services must be provided for Autopilot to function properly. In the simplest case, enabling proper functionality can be achieved by ensuring the following: - -- Ensure DNS name resolution for internet DNS names -- Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP) - -In environments that have more restrictive Internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to whitelist access to the required services. For additional details about each of these services and their specific requirements, review the following details: - -
          ServiceInformation -
          Windows Autopilot Deployment Service and Windows ActivationAfter a network connection is in place, each Windows 10 device will contact the Windows Autopilot Deployment Service. With Windows 10 builds 18204 and above, the following URLs are used: https://ztd.dds.microsoft.com, https://cs.dds.microsoft.com.
          - -For all supported Windows 10 releases, Windows Autopilot also uses Windows Activation services. See Windows activation or validation fails with error code 0x8004FE33 for details about problems that might occur when you connect to the Internet through a proxy server. -
          Azure Active DirectoryUser credentials are validated by Azure Active Directory, and the device can also be joined to Azure Active Directory. See Office 365 IP Address and URL Web service for more information. -
          IntuneOnce authenticated, Azure Active Directory will trigger enrollment of the device into the Intune MDM service. See the following link for details about network communication requirements: Intune network configuration requirements and bandwidth. -
          Windows UpdateDuring the OOBE process, as well as after the Windows 10 OS is fully configured, the Windows Update service is leveraged to retrieve needed updates. If there are problems connecting to Windows Update, see How to solve connection problems concerning Windows Update or Microsoft Update.
          - -If Windows Update is inaccessible, the AutoPilot process will still continue but critical updates will not be available. - -
          Delivery OptimizationWhen downloading Windows Updates, Microsoft Store apps and app updates, Office Updates and Intune Win32 Apps, the Delivery Optimization service is contacted to enable peer-to-peer sharing of content so that only a few devices need to download it from the internet.
          - -If the Delivery Optimization Service is inaccessible, the AutoPilot process will still continue with Delivery Optimization downloads from the cloud (without peer-to-peer). - -
          Network Time Protocol (NTP) SyncWhen a Windows device starts up, it will talk to a network time server to ensure that the time on the device is accurate. Ensure that UDP port 123 to time.windows.com is accessible. -
          Domain Name Services (DNS)To resolve DNS names for all services, the device communicates with a DNS server, typically provided via DHCP.  This DNS server must be able to resolve internet names. -
          Diagnostics dataStarting in Windows 10, 1903, diagnostic data collection will be enabled by default. To disable Windows Analytics and related diagnostics capabilities, see Manage enterprise diagnostic data level.
          - -If diagnostic data cannot be sent, the Autopilot process will still continue, but services that depend on diagnostic data, such as Windows Analytics, will not work. -
          Network Connection Status Indicator (NCSI)Windows must be able to tell that the device is able to access the internet. For more information, see Network Connection Status Indicator (NCSI). - -www.msftconnecttest.com must be resolvable via DNS and accessible via HTTP. -
          Windows Notification Services (WNS)This service is used to enable Windows to receive notifications from apps and services. See Microsoft Store for more information.
          - -If the WNS services are not available, the Autopilot process will still continue without notifications. -
          Microsoft Store, Microsoft Store for BusinessApps in the Microsoft Store can be pushed to the device, triggered via Intune (MDM).  App updates and additional apps may also be needed when the user first logs in. For more information, see Prerequisites for Microsoft Store for Business and Education (also includes Azure AD and Windows Notification Services).
          - -If the Microsoft Store is not accessible, the AutoPilot process will still continue without Microsoft Store apps. - -
          Office 365As part of the Intune device configuration, installation of Office 365 ProPlus may be required. For more information, see Office 365 URLs and IP address ranges (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above). -
          Certificate revocation lists (CRLs)Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services.  A full list of these is documented at Office 365 URLs and IP address ranges and Office 365 Certificate Chains. -
          Hybrid AAD joinHybrid AAD can be join, the machine should be on corporate network for hybrid AAD join to work. See details at Windows Autopilot user-driven mode -
          - -## Licensing requirements - -Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory. It also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs: - -To provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality, one of the following is required: - - [Microsoft 365 Business subscriptions](https://www.microsoft.com/en-us/microsoft-365/business) - - [Microsoft 365 F1 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise/firstline) - - [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/en-us/education/buy-license/microsoft365/default.aspx) - - [Microsoft 365 Enterprise E3 or E5 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune). - - [Enterprise Mobility + Security E3 or E5 subscriptions](https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features. - - [Intune for Education subscriptions](https://docs.microsoft.com/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features. - - [Azure Active Directory Premium P1 or P2](https://azure.microsoft.com/services/active-directory/) and [Microsoft Intune subscriptions](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune) (or an alternative MDM service). - -Additionally, the following are also recommended (but not required): -- [Office 365 ProPlus](https://www.microsoft.com/en-us/p/office-365-proplus/CFQ7TTC0K8R0), which can be deployed easily via Intune (or other MDM services). -- [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation), to automatically step up devices from Windows 10 Pro to Windows 10 Enterprise. - -## Configuration requirements - -Before Windows Autopilot can be used, some configuration tasks are required to support the common Autopilot scenarios. - -- Configure Azure Active Directory automatic enrollment. For Microsoft Intune, see [Enable Windows 10 automatic enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment) for details. If using a different MDM service, contact the vendor for the specific URLs or configuration needed for those services. -- Configure Azure Active Directory custom branding. In order to display an organization-specific logon page during the Autopilot process, Azure Active Directory needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details. Note that the "square logo" and "sign-in page text" are the key elements for Autopilot, as well as the Azure Active Directory tenant name (configured separately in the Azure AD tenant properties). -- Enable [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) if desired, in order to automatically step up from Windows 10 Pro to Windows 10 Enterprise. - -Specific scenarios will then have additional requirements. Generally, there are two specific tasks: - -- Device registration. Devices need to be added to Windows Autopilot to support most Windows Autopilot scenarios. See [Adding devices to Windows Autopilot](add-devices.md) for more details. -- Profile configuration. Once devices have been added to Windows Autopilot, a profile of settings needs to be applied to each device. See [Configure Autopilot profiles](profiles.md) for details. Note that Microsoft Intune can automate this profile assignment; see [Create an AutoPilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an AutoPilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group) for more information. - -See [Windows Autopilot Scenarios](windows-autopilot-scenarios.md) for additional details. - -For a walkthrough for some of these and related steps, see this video: -
           
          - - -There are no additional hardware requirements to use Windows 10 Autopilot, beyond the [requirements to run Windows 10](https://www.microsoft.com/windows/windows-10-specifications). - -## Related topics - -[Configure Autopilot deployment](configure-autopilot.md) +--- +title: Windows Autopilot requirements +ms.reviewer: +manager: laurawi +description: Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Windows Autopilot requirements + +**Applies to: Windows 10** + +Windows Autopilot depends on specific capabilities available in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune. In order to use Windows Autopilot and leverage these capabilities, some requirements must be met. + +**Note**: For a list of OEMs that currently support Windows Autopilot, see the Participant device manufacturers section at [Windows Autopilot](https://aka.ms/windowsautopilot). + +## Software requirements + +- Windows 10 version 1703 (semi-annual channel) or higher is required. +- The following editions are supported: + - Windows 10 Pro + - Windows 10 Pro Education + - Windows 10 Pro for Workstations + - Windows 10 Enterprise + - Windows 10 Education + - Windows 10 Enterprise 2019 LTSC + +## Networking requirements + +Windows Autopilot depends on a variety of internet-based services. Access to these services must be provided for Autopilot to function properly. In the simplest case, enabling proper functionality can be achieved by ensuring the following: + +- Ensure DNS name resolution for internet DNS names +- Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP) + +In environments that have more restrictive Internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to whitelist access to the required services. For additional details about each of these services and their specific requirements, review the following details: + +
          ServiceInformation +
          Windows Autopilot Deployment Service and Windows ActivationAfter a network connection is in place, each Windows 10 device will contact the Windows Autopilot Deployment Service. With Windows 10 builds 18204 and above, the following URLs are used: https://ztd.dds.microsoft.com, https://cs.dds.microsoft.com.
          + +For all supported Windows 10 releases, Windows Autopilot also uses Windows Activation services. See Windows activation or validation fails with error code 0x8004FE33 for details about problems that might occur when you connect to the Internet through a proxy server. +
          Azure Active DirectoryUser credentials are validated by Azure Active Directory, and the device can also be joined to Azure Active Directory. See Office 365 IP Address and URL Web service for more information. +
          IntuneOnce authenticated, Azure Active Directory will trigger enrollment of the device into the Intune MDM service. See the following link for details about network communication requirements: Intune network configuration requirements and bandwidth. +
          Windows UpdateDuring the OOBE process, as well as after the Windows 10 OS is fully configured, the Windows Update service is leveraged to retrieve needed updates. If there are problems connecting to Windows Update, see How to solve connection problems concerning Windows Update or Microsoft Update.
          + +If Windows Update is inaccessible, the AutoPilot process will still continue but critical updates will not be available. + +
          Delivery OptimizationWhen downloading Windows Updates, Microsoft Store apps and app updates, Office Updates and Intune Win32 Apps, the Delivery Optimization service is contacted to enable peer-to-peer sharing of content so that only a few devices need to download it from the internet.
          + +If the Delivery Optimization Service is inaccessible, the AutoPilot process will still continue with Delivery Optimization downloads from the cloud (without peer-to-peer). + +
          Network Time Protocol (NTP) SyncWhen a Windows device starts up, it will talk to a network time server to ensure that the time on the device is accurate. Ensure that UDP port 123 to time.windows.com is accessible. +
          Domain Name Services (DNS)To resolve DNS names for all services, the device communicates with a DNS server, typically provided via DHCP.  This DNS server must be able to resolve internet names. +
          Diagnostics dataStarting in Windows 10, 1903, diagnostic data collection will be enabled by default. To disable Windows Analytics and related diagnostics capabilities, see Manage enterprise diagnostic data level.
          + +If diagnostic data cannot be sent, the Autopilot process will still continue, but services that depend on diagnostic data, such as Windows Analytics, will not work. +
          Network Connection Status Indicator (NCSI)Windows must be able to tell that the device is able to access the internet. For more information, see Network Connection Status Indicator (NCSI). + +www.msftconnecttest.com must be resolvable via DNS and accessible via HTTP. +
          Windows Notification Services (WNS)This service is used to enable Windows to receive notifications from apps and services. See Microsoft Store for more information.
          + +If the WNS services are not available, the Autopilot process will still continue without notifications. +
          Microsoft Store, Microsoft Store for BusinessApps in the Microsoft Store can be pushed to the device, triggered via Intune (MDM).  App updates and additional apps may also be needed when the user first logs in. For more information, see Prerequisites for Microsoft Store for Business and Education (also includes Azure AD and Windows Notification Services).
          + +If the Microsoft Store is not accessible, the AutoPilot process will still continue without Microsoft Store apps. + +
          Office 365As part of the Intune device configuration, installation of Office 365 ProPlus may be required. For more information, see Office 365 URLs and IP address ranges (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above). +
          Certificate revocation lists (CRLs)Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services.  A full list of these is documented at Office 365 URLs and IP address ranges and Office 365 Certificate Chains. +
          Hybrid AAD joinHybrid AAD can be join, the machine should be on corporate network for hybrid AAD join to work. See details at Windows Autopilot user-driven mode +
          + +## Licensing requirements + +Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory. It also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs: + +To provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality, one of the following is required: + - [Microsoft 365 Business subscriptions](https://www.microsoft.com/en-us/microsoft-365/business) + - [Microsoft 365 F1 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise/firstline) + - [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/en-us/education/buy-license/microsoft365/default.aspx) + - [Microsoft 365 Enterprise E3 or E5 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune). + - [Enterprise Mobility + Security E3 or E5 subscriptions](https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features. + - [Intune for Education subscriptions](https://docs.microsoft.com/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features. + - [Azure Active Directory Premium P1 or P2](https://azure.microsoft.com/services/active-directory/) and [Microsoft Intune subscriptions](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune) (or an alternative MDM service). + +Additionally, the following are also recommended (but not required): +- [Office 365 ProPlus](https://www.microsoft.com/en-us/p/office-365-proplus/CFQ7TTC0K8R0), which can be deployed easily via Intune (or other MDM services). +- [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation), to automatically step up devices from Windows 10 Pro to Windows 10 Enterprise. + +## Configuration requirements + +Before Windows Autopilot can be used, some configuration tasks are required to support the common Autopilot scenarios. + +- Configure Azure Active Directory automatic enrollment. For Microsoft Intune, see [Enable Windows 10 automatic enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment) for details. If using a different MDM service, contact the vendor for the specific URLs or configuration needed for those services. +- Configure Azure Active Directory custom branding. In order to display an organization-specific logon page during the Autopilot process, Azure Active Directory needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details. Note that the "square logo" and "sign-in page text" are the key elements for Autopilot, as well as the Azure Active Directory tenant name (configured separately in the Azure AD tenant properties). +- Enable [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) if desired, in order to automatically step up from Windows 10 Pro to Windows 10 Enterprise. + +Specific scenarios will then have additional requirements. Generally, there are two specific tasks: + +- Device registration. Devices need to be added to Windows Autopilot to support most Windows Autopilot scenarios. See [Adding devices to Windows Autopilot](add-devices.md) for more details. +- Profile configuration. Once devices have been added to Windows Autopilot, a profile of settings needs to be applied to each device. See [Configure Autopilot profiles](profiles.md) for details. Note that Microsoft Intune can automate this profile assignment; see [Create an AutoPilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an AutoPilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group) for more information. + +See [Windows Autopilot Scenarios](windows-autopilot-scenarios.md) for additional details. + +For a walkthrough for some of these and related steps, see this video: +
           
          + + +There are no additional hardware requirements to use Windows 10 Autopilot, beyond the [requirements to run Windows 10](https://www.microsoft.com/windows/windows-10-specifications). + +## Related topics + +[Configure Autopilot deployment](configure-autopilot.md) diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset.md b/windows/deployment/windows-autopilot/windows-autopilot-reset.md index d58d236a4f..d0424dce3f 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-reset.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-reset.md @@ -1,135 +1,135 @@ ---- -title: Windows Autopilot Reset -description: Windows Autopilot deployment -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.reviewer: mniehaus -manager: laurawi -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Windows Autopilot Reset - -- Applies to: Windows 10, version 1709 and later (local reset) -- Applies to: Windows 10, version 1809 and later (remote reset) - -Windows Autopilot Reset removes personal files, apps, and settings and reapplies a device’s original settings, maintaining its identity connection to Azure AD and its management connection to Intune so that the device is once again ready for use. Windows Autopilot Reset takes the device back to a business-ready state, allowing the next user to sign in and get productive quickly and simply. - -The Windows Autopilot Reset process automatically retains information from the existing device: - -- Set the region, language, and keyboard to the originally-configured values. -- Wi-Fi connection details. -- Provisioning packages previously applied to the device, as well as a provisioning package present on a USB drive when the reset process is initiated. -- Azure Active Directory device membership and MDM enrollment information. - -Windows Autopilot Reset will block the user from accessing the desktop until this information is restored, including re-applying any provisioning packages. For devices enrolled in an MDM service, Windows Autopilot Reset will also block until an MDM sync is completed. - ->[!NOTE] ->The Autopilot Reset does not support Hybrid Azure AD joined devices. - -## Scenarios - -Windows Autopilot Reset supports two scenarios: - -- [Local reset](#reset-devices-with-local-windows-autopilot-reset) initiated by IT personnel or other administrators from the organization. -- [Remote reset](#reset-devices-with-remote-windows-autopilot-reset) initiated remotely by IT personnel via an MDM service such as Microsoft Intune. - -Additional requirements and configuration details apply with each scenario; see the detailed links above for more information. - -## Reset devices with local Windows Autopilot Reset - -**Applies to: Windows 10, version 1709 and above** - -The Intune Service Administrator role is required to perform this task. For more information, see [Add users and grant administrative permission to Intune](https://docs.microsoft.com/intune/users-add). - -IT admins can perform a local Windows Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. With a local Autopilot Reset, devices are returned to a fully configured or known IT-approved state. - -To enable local Autopilot Reset in Windows 10: - -1. [Enable the policy for the feature](#enable-local-windows-autopilot-reset) -2. [Trigger a reset for each device](#trigger-local-windows-autopilot-reset) - -### Enable local Windows Autopilot Reset - -To enable a local Windows Autopilot Reset, the **DisableAutomaticReDeploymentCredentials** policy must be configured. This policy is documented in the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialproviders), **CredentialProviders/DisableAutomaticReDeploymentCredentials**. By default, local Windows Autopilot is disabled. This ensures that a local Autopilot Reset is not triggered by accident. - -You can set the policy using one of these methods: - -- MDM provider - - - When using Intune, you can create a new device configuration profile, specifying "Windows 10 or later" for the platform, "Device restrictions" for the profile type, and "General" for the settings category. The **Automatic Redeployment** setting should be set to **Allow**. Deploy this setting to all devices where a local reset should be permitted. - - If you're using an MDM provider other than Intune, check your MDM provider documentation on how to set this policy. - -- Windows Configuration Designer - - You can [use Windows Configuration Designer](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-create-package) to set the **Runtime settings > Policies > CredentialProviders > DisableAutomaticReDeploymentCredentials** setting to 0 and then create a provisioning package. - -- Set up School PCs app - - The latest release of the Set up School PCs app supports enabling local Windows Autopilot Reset. - -### Trigger local Windows Autopilot Reset - -Performing a local Windows Autopilot Reset is a two-step process: trigger it and then authenticate. Once you've done these two steps, you can let the process execute and once it is done, the device is again ready for use. - -**To trigger a local Autopilot Reset** - -1. From the Windows device lock screen, enter the keystroke: **CTRL + ![Windows key](images/windows_glyph.png) + R**. - - ![Enter CTRL+Windows key+R on the Windows lockscreen](images/autopilot-reset-lockscreen.png) - - This will open up a custom login screen for the local Autopilot Reset. The screen serves two purposes: - 1. Confirm/verify that the end user has the right to trigger Local Autopilot Reset - 2. Notify the user in case a provisioning package, created using Windows Configuration Designer, will be used as part of the process. - - ![Custom login screen for local Autopilot Reset](images/autopilot-reset-customlogin.png) - -2. Sign in with the admin account credentials. If you created a provisioning package, plug in the USB drive and trigger the local Autopilot Reset. - - Once the local Autopilot Reset is triggered, the reset process starts. Once provisioning is complete, the device is again ready for use. - -## Reset devices with remote Windows Autopilot Reset - -**Applies to: Windows 10, version 1809 or later** - -When performing a remote Windows Autopilot Reset, an MDM service such an Microsoft Intune can be used to initiate the reset process, avoiding the need for IT staff or other administrators to visit each machine to initiate the process. - -To enable a device for a remote Windows Autopilot Reset, the device must be MDM managed and joined to Azure AD. This feature is not supported on devices that were enrolled using [Autopilot self deploying mode](self-deploying.md). - -### Triggering a remote Windows Autopilot Reset - -To trigger a remote Windows Autopilot Reset via Intune, follow these steps: - -- Navigate to **Devices** tab in the Intune console. -- In the **All devices** view, select the targeted reset devices and then click **More** to view device actions. -- Select **Autopilot Reset** to kick-off the reset task. - ->[!NOTE] ->The Autopilot Reset option will not be enabled in Microsoft Intune for devices not running Windows 10 build 17672 or higher. - ->[!IMPORTANT] ->The feature for Autopilot Reset will stay grayed out, **unless** you reset the device using Autopilot (either using Fresh Reset or manually sysprep the device). - -Once the reset is complete, the device is again ready for use. - - - -## Troubleshooting - -Windows Autopilot Reset requires that the [Windows Recovery Environment (WinRE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is correctly configured and enabled on the device. If it is not configured and enabled, an error such as `Error code: ERROR_NOT_SUPPORTED (0x80070032)` will be reported. - -To make sure WinRE is enabled, use the [REAgentC.exe tool](https://docs.microsoft.com/windows-hardware/manufacture/desktop/reagentc-command-line-options) to run the following command: - -``` -reagentc /enable -``` - -If Windows Autopilot Reset fails after enabling WinRE, or if you are unable to enable WinRE, please contact [Microsoft Support](https://support.microsoft.com) for assistance. +--- +title: Windows Autopilot Reset +description: Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.reviewer: mniehaus +manager: laurawi +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Windows Autopilot Reset + +- Applies to: Windows 10, version 1709 and later (local reset) +- Applies to: Windows 10, version 1809 and later (remote reset) + +Windows Autopilot Reset removes personal files, apps, and settings and reapplies a device’s original settings, maintaining its identity connection to Azure AD and its management connection to Intune so that the device is once again ready for use. Windows Autopilot Reset takes the device back to a business-ready state, allowing the next user to sign in and get productive quickly and simply. + +The Windows Autopilot Reset process automatically retains information from the existing device: + +- Set the region, language, and keyboard to the originally-configured values. +- Wi-Fi connection details. +- Provisioning packages previously applied to the device, as well as a provisioning package present on a USB drive when the reset process is initiated. +- Azure Active Directory device membership and MDM enrollment information. + +Windows Autopilot Reset will block the user from accessing the desktop until this information is restored, including re-applying any provisioning packages. For devices enrolled in an MDM service, Windows Autopilot Reset will also block until an MDM sync is completed. + +>[!NOTE] +>The Autopilot Reset does not support Hybrid Azure AD joined devices. + +## Scenarios + +Windows Autopilot Reset supports two scenarios: + +- [Local reset](#reset-devices-with-local-windows-autopilot-reset) initiated by IT personnel or other administrators from the organization. +- [Remote reset](#reset-devices-with-remote-windows-autopilot-reset) initiated remotely by IT personnel via an MDM service such as Microsoft Intune. + +Additional requirements and configuration details apply with each scenario; see the detailed links above for more information. + +## Reset devices with local Windows Autopilot Reset + +**Applies to: Windows 10, version 1709 and above** + +The Intune Service Administrator role is required to perform this task. For more information, see [Add users and grant administrative permission to Intune](https://docs.microsoft.com/intune/users-add). + +IT admins can perform a local Windows Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. With a local Autopilot Reset, devices are returned to a fully configured or known IT-approved state. + +To enable local Autopilot Reset in Windows 10: + +1. [Enable the policy for the feature](#enable-local-windows-autopilot-reset) +2. [Trigger a reset for each device](#trigger-local-windows-autopilot-reset) + +### Enable local Windows Autopilot Reset + +To enable a local Windows Autopilot Reset, the **DisableAutomaticReDeploymentCredentials** policy must be configured. This policy is documented in the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialproviders), **CredentialProviders/DisableAutomaticReDeploymentCredentials**. By default, local Windows Autopilot is disabled. This ensures that a local Autopilot Reset is not triggered by accident. + +You can set the policy using one of these methods: + +- MDM provider + + - When using Intune, you can create a new device configuration profile, specifying "Windows 10 or later" for the platform, "Device restrictions" for the profile type, and "General" for the settings category. The **Automatic Redeployment** setting should be set to **Allow**. Deploy this setting to all devices where a local reset should be permitted. + - If you're using an MDM provider other than Intune, check your MDM provider documentation on how to set this policy. + +- Windows Configuration Designer + + You can [use Windows Configuration Designer](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-create-package) to set the **Runtime settings > Policies > CredentialProviders > DisableAutomaticReDeploymentCredentials** setting to 0 and then create a provisioning package. + +- Set up School PCs app + + The latest release of the Set up School PCs app supports enabling local Windows Autopilot Reset. + +### Trigger local Windows Autopilot Reset + +Performing a local Windows Autopilot Reset is a two-step process: trigger it and then authenticate. Once you've done these two steps, you can let the process execute and once it is done, the device is again ready for use. + +**To trigger a local Autopilot Reset** + +1. From the Windows device lock screen, enter the keystroke: **CTRL + ![Windows key](images/windows_glyph.png) + R**. + + ![Enter CTRL+Windows key+R on the Windows lockscreen](images/autopilot-reset-lockscreen.png) + + This will open up a custom login screen for the local Autopilot Reset. The screen serves two purposes: + 1. Confirm/verify that the end user has the right to trigger Local Autopilot Reset + 2. Notify the user in case a provisioning package, created using Windows Configuration Designer, will be used as part of the process. + + ![Custom login screen for local Autopilot Reset](images/autopilot-reset-customlogin.png) + +2. Sign in with the admin account credentials. If you created a provisioning package, plug in the USB drive and trigger the local Autopilot Reset. + + Once the local Autopilot Reset is triggered, the reset process starts. Once provisioning is complete, the device is again ready for use. + +## Reset devices with remote Windows Autopilot Reset + +**Applies to: Windows 10, version 1809 or later** + +When performing a remote Windows Autopilot Reset, an MDM service such an Microsoft Intune can be used to initiate the reset process, avoiding the need for IT staff or other administrators to visit each machine to initiate the process. + +To enable a device for a remote Windows Autopilot Reset, the device must be MDM managed and joined to Azure AD. This feature is not supported on devices that were enrolled using [Autopilot self deploying mode](self-deploying.md). + +### Triggering a remote Windows Autopilot Reset + +To trigger a remote Windows Autopilot Reset via Intune, follow these steps: + +- Navigate to **Devices** tab in the Intune console. +- In the **All devices** view, select the targeted reset devices and then click **More** to view device actions. +- Select **Autopilot Reset** to kick-off the reset task. + +>[!NOTE] +>The Autopilot Reset option will not be enabled in Microsoft Intune for devices not running Windows 10 build 17672 or higher. + +>[!IMPORTANT] +>The feature for Autopilot Reset will stay grayed out, **unless** you reset the device using Autopilot (either using Fresh Reset or manually sysprep the device). + +Once the reset is complete, the device is again ready for use. + + + +## Troubleshooting + +Windows Autopilot Reset requires that the [Windows Recovery Environment (WinRE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is correctly configured and enabled on the device. If it is not configured and enabled, an error such as `Error code: ERROR_NOT_SUPPORTED (0x80070032)` will be reported. + +To make sure WinRE is enabled, use the [REAgentC.exe tool](https://docs.microsoft.com/windows-hardware/manufacture/desktop/reagentc-command-line-options) to run the following command: + +``` +reagentc /enable +``` + +If Windows Autopilot Reset fails after enabling WinRE, or if you are unable to enable WinRE, please contact [Microsoft Support](https://support.microsoft.com) for assistance. diff --git a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md index 938d13c7dc..5ee0171987 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md @@ -1,67 +1,67 @@ ---- -title: Windows Autopilot scenarios and capabilities -description: Windows Autopilot deployment -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.reviewer: mniehaus -manager: laurawi -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Windows Autopilot scenarios and capabilities - -**Applies to: Windows 10** - -## Scenarios - -Windows Autopilot includes support for a growing list of scenarios, designed to support common organization needs which can vary based on the type of organization and their progress moving to Windows 10 and [transitioning to modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management). - -The following Windows Autopilot scenarios are described in this guide: - -| Scenario | More information | -| --- | --- | -| Deploy devices that will be set up by a member of the organization and configured for that person | [Windows Autopilot user-driven mode](user-driven.md) | -| Deploy devices that will be automatically configured for shared use, as a kiosk, or as a digital signage device.| [Windows Autopilot self-deploying mode](self-deploying.md) | -| Re-deploy a device in a business-ready state.| [Windows Autopilot Reset](windows-autopilot-reset.md) | -| Pre-provision a device with up-to-date applications, policies and settings.| [White glove](white-glove.md) | -| Deploy Windows 10 on an existing Windows 7 or 8.1 device | [Windows Autopilot for existing devices](existing-devices.md) | - -## Windows Autopilot capabilities - -### Windows Autopilot is self-updating during OOBE - -Starting with the Windows 10, version 1903, Autopilot functional and critical updates will begin downloading automatically during OOBE after a device gets connected to a network and the [critical driver and Windows zero-day patch (ZDP) updates](https://docs.microsoft.com/windows-hardware/customize/desktop/windows-updates-during-oobe) have completed. The user or IT admin cannot opt-out of these Autopilot updates; they are required for Windows Autopilot deployment to operate properly. Windows will alert the user that the device is checking for, downloading and installing the updates. - -### Cortana voiceover and speech recognition during OOBE - -In Windows 10, version 1903 and later Cortana voiceover and speech recognition during OOBE is DISABLED by default for all Windows 10 Pro, Education and Enterprise SKUs. - -If desired, you can enable Cortana voiceover and speech recognition during OOBE by creating the following registry key. This key does not exist by default. - -HKLM\Software\Microsoft\Windows\CurrentVersion\OOBE\EnableVoiceForAllEditions - -The key value is a DWORD with **0** = disabled and **1** = enabled. - -| Value | Description | -| --- | --- | -| 0 | Cortana voiceover is disabled | -| 1 | Cortana voiceover is enabled | -| No value | Device will fall back to default behavior of the edition | - -To change this key value, use WCD tool to create as PPKG as documented [here](https://docs.microsoft.com/windows/configuration/wcd/wcd-oobe#nforce). - -### Bitlocker encryption - -With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. For more information, see [Setting the BitLocker encryption algorithm for Autopilot devices](bitlocker.md) - -## Related topics - -[Windows Autopilot: What's new](windows-autopilot-whats-new.md) +--- +title: Windows Autopilot scenarios and capabilities +description: Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.reviewer: mniehaus +manager: laurawi +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Windows Autopilot scenarios and capabilities + +**Applies to: Windows 10** + +## Scenarios + +Windows Autopilot includes support for a growing list of scenarios, designed to support common organization needs which can vary based on the type of organization and their progress moving to Windows 10 and [transitioning to modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management). + +The following Windows Autopilot scenarios are described in this guide: + +| Scenario | More information | +| --- | --- | +| Deploy devices that will be set up by a member of the organization and configured for that person | [Windows Autopilot user-driven mode](user-driven.md) | +| Deploy devices that will be automatically configured for shared use, as a kiosk, or as a digital signage device.| [Windows Autopilot self-deploying mode](self-deploying.md) | +| Re-deploy a device in a business-ready state.| [Windows Autopilot Reset](windows-autopilot-reset.md) | +| Pre-provision a device with up-to-date applications, policies and settings.| [White glove](white-glove.md) | +| Deploy Windows 10 on an existing Windows 7 or 8.1 device | [Windows Autopilot for existing devices](existing-devices.md) | + +## Windows Autopilot capabilities + +### Windows Autopilot is self-updating during OOBE + +Starting with the Windows 10, version 1903, Autopilot functional and critical updates will begin downloading automatically during OOBE after a device gets connected to a network and the [critical driver and Windows zero-day patch (ZDP) updates](https://docs.microsoft.com/windows-hardware/customize/desktop/windows-updates-during-oobe) have completed. The user or IT admin cannot opt-out of these Autopilot updates; they are required for Windows Autopilot deployment to operate properly. Windows will alert the user that the device is checking for, downloading and installing the updates. + +### Cortana voiceover and speech recognition during OOBE + +In Windows 10, version 1903 and later Cortana voiceover and speech recognition during OOBE is DISABLED by default for all Windows 10 Pro, Education and Enterprise SKUs. + +If desired, you can enable Cortana voiceover and speech recognition during OOBE by creating the following registry key. This key does not exist by default. + +HKLM\Software\Microsoft\Windows\CurrentVersion\OOBE\EnableVoiceForAllEditions + +The key value is a DWORD with **0** = disabled and **1** = enabled. + +| Value | Description | +| --- | --- | +| 0 | Cortana voiceover is disabled | +| 1 | Cortana voiceover is enabled | +| No value | Device will fall back to default behavior of the edition | + +To change this key value, use WCD tool to create as PPKG as documented [here](https://docs.microsoft.com/windows/configuration/wcd/wcd-oobe#nforce). + +### Bitlocker encryption + +With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. For more information, see [Setting the BitLocker encryption algorithm for Autopilot devices](bitlocker.md) + +## Related topics + +[Windows Autopilot: What's new](windows-autopilot-whats-new.md) diff --git a/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md b/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md index 6f157802ae..36ee6c06ad 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md @@ -1,52 +1,51 @@ ---- -title: Windows Autopilot what's new -ms.reviewer: -manager: laurawi -description: Windows Autopilot deployment -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -audience: itpro -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Windows Autopilot: What's new - -**Applies to** - -- Windows 10 - -## New in Windows 10, version 1903 - -[Windows Autopilot for white glove deployment](white-glove.md) is new in Windows 10, version 1903. See the following video: - -
          - -> [!VIDEO https://www.youtube.com/embed/nE5XSOBV0rI] - -Also new in this version of Windows: -- The Intune enrollment status page (ESP) now tracks Intune Management Extensions. -- [Cortana voiceover and speech recognition during OOBE](windows-autopilot-scenarios.md#cortana-voiceover-and-speech-recognition-during-oobe) is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs. -- [Windows Autopilot is self-updating during OOBE](windows-autopilot-scenarios.md#windows-autopilot-is-self-updating-during-oobe). Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE. -- Windows Autopilot will set the diagnostics data level to Full on Windows 10 version 1903 and later during OOBE. - -## New in Windows 10, version 1809 - -Windows Autopilot [self-deploying mode](self-deploying.md) enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured by Windows Autopilot. This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process. - -You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required. - ->[!NOTE] ->Window 10, version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809. - -## Related topics - -[What's new in Microsoft Intune](https://docs.microsoft.com/intune/whats-new)
          -[What's new in Windows 10](https://docs.microsoft.com/windows/whats-new/) \ No newline at end of file +--- +title: Windows Autopilot what's new +ms.reviewer: +manager: laurawi +description: Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Windows Autopilot: What's new + +**Applies to** + +- Windows 10 + +## New in Windows 10, version 1903 + +[Windows Autopilot for white glove deployment](white-glove.md) is new in Windows 10, version 1903. See the following video: + +
          + +> [!VIDEO https://www.youtube.com/embed/nE5XSOBV0rI] + +Also new in this version of Windows: +- The Intune enrollment status page (ESP) now tracks Intune Management Extensions. +- [Cortana voiceover and speech recognition during OOBE](windows-autopilot-scenarios.md#cortana-voiceover-and-speech-recognition-during-oobe) is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs. +- [Windows Autopilot is self-updating during OOBE](windows-autopilot-scenarios.md#windows-autopilot-is-self-updating-during-oobe). Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE. +- Windows Autopilot will set the diagnostics data level to Full on Windows 10 version 1903 and later during OOBE. + +## New in Windows 10, version 1809 + +Windows Autopilot [self-deploying mode](self-deploying.md) enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured by Windows Autopilot. This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process. + +You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required. + +>[!NOTE] +>Window 10, version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809. + +## Related topics + +[What's new in Microsoft Intune](https://docs.microsoft.com/intune/whats-new)
          +[What's new in Windows 10](https://docs.microsoft.com/windows/whats-new/) diff --git a/windows/deployment/windows-autopilot/windows-autopilot.md b/windows/deployment/windows-autopilot/windows-autopilot.md index 7ad46ca665..f307fbf265 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot.md +++ b/windows/deployment/windows-autopilot/windows-autopilot.md @@ -1,65 +1,65 @@ ---- -title: Overview of Windows Autopilot -description: Windows Autopilot deployment -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.reviewer: mniehaus -manager: laurawi -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Overview of Windows Autopilot - -**Applies to** - -- Windows 10 - -Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. You can also use Windows Autopilot to reset, repurpose and recover devices. This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple. - -Windows Autopilot is designed to simplify all parts of the lifecycle of Windows devices, for both IT and end users, from initial deployment through the eventual end of life. Leveraging cloud-based services, it can reduce the overall costs for deploying, managing, and retiring devices by reducing the amount of time that IT needs to spend on these processes and the amount of infrastructure that they need to maintain, while ensuring ease of use for all types of end users. See the following diagram: - - ![Process overview](images/image1.png) - -When initially deploying new Windows devices, Windows Autopilot leverages the OEM-optimized version of Windows 10 that is preinstalled on the device, saving organizations the effort of having to maintain custom images and drivers for every model of device being used. Instead of re-imaging the device, your existing Windows 10 installation can be transformed into a “business-ready” state, applying settings and policies, installing apps, and even changing the edition of Windows 10 being used (e.g. from Windows 10 Pro to Windows 10 Enterprise) to support advanced features. - -Once deployed, Windows 10 devices can be managed by tools such as Microsoft Intune, Windows Update for Business, System Center Configuration Manager, and other similar tools. Windows Autopilot can also be used to re-purpose a device by leveraging Windows Autopilot Reset to quickly prepare a device for a new user, or in break/fix scenarios to enable a device to quickly be brought back to a business-ready state. - -Windows Autopilot enables you to: -* Automatically join devices to Azure Active Directory (Azure AD) or Active Directory (via Hybrid Azure AD Join). See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. -* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription*](windows-autopilot-requirements-configuration.md)). -* Restrict the Administrator account creation. -* Create and auto-assign devices to configuration groups based on a device's profile. -* Customize OOBE content specific to the organization. - -## Windows Autopilot walkthrough - -The following video shows the process of setting up Windows Autopilot: - -
          - - - -## Benefits of Windows Autopilot - -Traditionally, IT pros spend a lot of time building and customizing images that will later be deployed to devices. Windows Autopilot introduces a new approach. - -From the user's perspective, it only takes a few simple operations to make their device ready to use. - -From the IT pro's perspective, the only interaction required from the end user is to connect to a network and to verify their credentials. Everything beyond that is automated. - -## Requirements - -Windows 10 version 1703 or higher is required to use Windows Autopilot. See [Windows Autopilot requirements](windows-autopilot-requirements.md) for detailed information on software, configuration, network, and licensing requirements. - -## Related topics - -[Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot)
          -[Windows Autopilot scenarios and capabilities](windows-autopilot-scenarios.md) \ No newline at end of file +--- +title: Overview of Windows Autopilot +description: Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.reviewer: mniehaus +manager: laurawi +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Overview of Windows Autopilot + +**Applies to** + +- Windows 10 + +Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. You can also use Windows Autopilot to reset, repurpose and recover devices. This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple. + +Windows Autopilot is designed to simplify all parts of the lifecycle of Windows devices, for both IT and end users, from initial deployment through the eventual end of life. Leveraging cloud-based services, it can reduce the overall costs for deploying, managing, and retiring devices by reducing the amount of time that IT needs to spend on these processes and the amount of infrastructure that they need to maintain, while ensuring ease of use for all types of end users. See the following diagram: + + ![Process overview](images/image1.png) + +When initially deploying new Windows devices, Windows Autopilot leverages the OEM-optimized version of Windows 10 that is preinstalled on the device, saving organizations the effort of having to maintain custom images and drivers for every model of device being used. Instead of re-imaging the device, your existing Windows 10 installation can be transformed into a “business-ready” state, applying settings and policies, installing apps, and even changing the edition of Windows 10 being used (e.g. from Windows 10 Pro to Windows 10 Enterprise) to support advanced features. + +Once deployed, Windows 10 devices can be managed by tools such as Microsoft Intune, Windows Update for Business, System Center Configuration Manager, and other similar tools. Windows Autopilot can also be used to re-purpose a device by leveraging Windows Autopilot Reset to quickly prepare a device for a new user, or in break/fix scenarios to enable a device to quickly be brought back to a business-ready state. + +Windows Autopilot enables you to: +* Automatically join devices to Azure Active Directory (Azure AD) or Active Directory (via Hybrid Azure AD Join). See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. +* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription*](windows-autopilot-requirements-configuration.md)). +* Restrict the Administrator account creation. +* Create and auto-assign devices to configuration groups based on a device's profile. +* Customize OOBE content specific to the organization. + +## Windows Autopilot walkthrough + +The following video shows the process of setting up Windows Autopilot: + +
          + + + +## Benefits of Windows Autopilot + +Traditionally, IT pros spend a lot of time building and customizing images that will later be deployed to devices. Windows Autopilot introduces a new approach. + +From the user's perspective, it only takes a few simple operations to make their device ready to use. + +From the IT pro's perspective, the only interaction required from the end user is to connect to a network and to verify their credentials. Everything beyond that is automated. + +## Requirements + +Windows 10 version 1703 or higher is required to use Windows Autopilot. See [Windows Autopilot requirements](windows-autopilot-requirements.md) for detailed information on software, configuration, network, and licensing requirements. + +## Related topics + +[Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot)
          +[Windows Autopilot scenarios and capabilities](windows-autopilot-scenarios.md) diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md index 31a483c26e..742ae20f20 100644 --- a/windows/deployment/windows-deployment-scenarios-and-tools.md +++ b/windows/deployment/windows-deployment-scenarios-and-tools.md @@ -4,11 +4,13 @@ description: To successfully deploy the Windows 10 operating system and applica ms.assetid: 0d6cee1f-14c4-4b69-b29a-43b0b327b877 ms.reviewer: manager: laurawi -ms.author: greg-lindsay +ms.audience: itpro +author: greg-lindsay keywords: deploy, volume activation, BitLocker, recovery, install, installation, VAMT, MDT, USMT, WDS ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.topic: article --- @@ -43,7 +45,7 @@ Dism.exe /Online /Enable-Feature /FeatureName:NetFX3 /All /Source:D:\Sources\SxS In Windows 10, you can use Windows PowerShell for many of the functions performed by DISM.exe. The equivalent command in Windows 10 using PowerShell is: -```powershell +``` syntax Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All -Source D:\Sources\SxS -LimitAccess ``` @@ -132,7 +134,7 @@ Figure 6. The updated Volume Activation Management Tool. VAMT also can be used to create reports, switch from MAK to KMS, manage Active Directory-based activation, and manage Office 2010 and Office 2013 volume activation. VAMT also supports PowerShell (instead of the old command-line tool). For example, if you want to get information from the VAMT database, you can type: -```powershell +``` syntax Get-VamtProduct ``` diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index f5a74dfff8..e2fa73f5c7 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -154,14 +154,14 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt |**Allowed traffic endpoints** | | --- | -|ctldl.windowsupdate.com| +|activation-v2.sls.microsoft.com/*| |cdn.onenote.net| +|client.wns.windows.com| +|crl.microsoft.com/pki/crl/*| +|ctldl.windowsupdate.com| +|dm3p.wns.windows.com| +|\*microsoft.com/pkiops/\*| +|ocsp.digicert.com/*| |r.manage.microsoft.com| |tile-service.weather.microsoft.com| |settings-win.data.microsoft.com| -|client.wns.windows.com| -|dm3p.wns.windows.com| -|crl.microsoft.com/pki/crl/*| -|*microsoft.com/pkiops/**| -|activation-v2.sls.microsoft.com/*| -|ocsp.digicert.com/*| diff --git a/windows/release-information/status-windows-10-1507.yml b/windows/release-information/status-windows-10-1507.yml index 9f116c65f8..88f03f07b7 100644 --- a/windows/release-information/status-windows-10-1507.yml +++ b/windows/release-information/status-windows-10-1507.yml @@ -60,7 +60,6 @@ sections: - type: markdown text: "
          This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

          -
          SummaryOriginating updateStatusLast updated
          Event Viewer may close or you may receive an error when using Custom Views
          When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

          See details >          		OS Build 10240.18244

          June 11, 2019
          KB4503291          		Resolved
          KB4507458          		July 09, 2019
          10:00 AM PT
          Certain operations performed on a Cluster Shared Volume may fail
          Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

          See details >          		OS Build 10240.18094

          January 08, 2019
          KB4480962          		Mitigated
          		April 25, 2019
          02:00 PM PT
          " @@ -72,15 +71,6 @@ sections:
          " -- title: June 2019 -- items: - - type: markdown - text: " - - -
          DetailsOriginating updateStatusHistory
          Event Viewer may close or you may receive an error when using Custom Views
          When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
          • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
          Resolution: This issue was resolved in KB4507458.

          Back to top          		OS Build 10240.18244

          June 11, 2019
          KB4503291          		Resolved
          KB4507458          		Resolved:
          July 09, 2019
          10:00 AM PT

          Opened:
          June 12, 2019
          11:11 AM PT
          - " - - title: January 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml index 4bfa74c40c..0f3ce76fc4 100644 --- a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml +++ b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml @@ -60,12 +60,12 @@ sections: - type: markdown text: "
          This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

          - + + - @@ -79,12 +79,22 @@ sections:
          " +- title: August 2019 +- items: + - type: markdown + text: " +
          SummaryOriginating updateStatusLast updated
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

          See details >          		OS Build 14393.3115

          July 16, 2019
          KB4507459          		Investigating
          		August 01, 2019
          06:12 PM PT
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

          See details >          		OS Build 14393.3115

          July 16, 2019
          KB4507459          		Investigating
          		August 08, 2019
          03:14 PM PT
          Apps and scripts using the NetQueryDisplayInformation API may fail with error
          Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data.

          See details >          		OS Build 14393.3053

          June 18, 2019
          KB4503294          		Investigating
          		August 01, 2019
          05:00 PM PT
          Internet Explorer 11 and apps using the WebBrowser control may fail to render
          JavaScript may fail to render as expected in Internet Explorer 11 and in apps using JavaScript or the WebBrowser control.

          See details >          		OS Build 14393.3085

          July 09, 2019
          KB4507460          		Mitigated
          		July 26, 2019
          04:58 PM PT
          SCVMM cannot enumerate and manage logical switches deployed on the host
          For hosts managed by System Center Virtual Machine Manager (VMM), VMM cannot enumerate and manage logical switches deployed on the host.

          See details >          		OS Build 14393.2639

          November 27, 2018
          KB4467684          		Resolved
          KB4507459          		July 16, 2019
          10:00 AM PT
          Some applications may fail to run as expected on clients of AD FS 2016
          Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016)

          See details >          		OS Build 14393.2941

          April 25, 2019
          KB4493473          		Resolved
          KB4507459          		July 16, 2019
          10:00 AM PT
          Devices starting using PXE from a WDS or SCCM servers may fail to start
          Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

          See details >          		OS Build 14393.3025

          June 11, 2019
          KB4503267          		Mitigated
          		July 10, 2019
          07:09 PM PT
          Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
          Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000.

          See details >          		OS Build 14393.2969

          May 14, 2019
          KB4494440          		Resolved
          KB4507460          		July 09, 2019
          10:00 AM PT
          Certain operations performed on a Cluster Shared Volume may fail
          Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

          See details >          		OS Build 14393.2724

          January 08, 2019
          KB4480961          		Mitigated
          		April 25, 2019
          02:00 PM PT
          Windows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM
          Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM.

          See details >          		OS Build 14393.2608

          November 13, 2018
          KB4467691          		Mitigated
          		February 19, 2019
          10:00 AM PT
          Cluster service may fail if the minimum password length is set to greater than 14
          The cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the Group Policy “Minimum Password Length” is configured with greater than 14 characters.

          See details >          		OS Build 14393.2639

          November 27, 2018
          KB4467684          		Mitigated
          		April 25, 2019
          02:00 PM PT
          + +
          DetailsOriginating updateStatusHistory
          Apps and scripts using the NetQueryDisplayInformation API may fail with error
           Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data, often 50 or 100 entries. When requesting additional pages you may receive the error, “1359: an internal error occurred.”

          Affected platforms:
          • Server: Windows Server 2019; Windows Server 2016
          Next steps: We are working on a resolution and will provide an update in an upcoming release.

          Back to top          		OS Build 14393.3053

          June 18, 2019
          KB4503294          		Investigating
          		Last updated:
          August 01, 2019
          05:00 PM PT

          Opened:
          August 01, 2019
          05:00 PM PT
          + " + - title: July 2019 - items: - type: markdown text: " - +
          DetailsOriginating updateStatusHistory
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507459. Devices that are domain controllers or domain members are both affected.

          To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

          Note If you are not sure if your device is affected, contact your administrator. Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos.

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
          Next steps: At this time, we suggest that devices in an affected environment do not install KB4507459. We are working on a resolution and estimate a solution will be available in mid-August.

          Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

          Back to top          		OS Build 14393.3115

          July 16, 2019
          KB4507459          		Investigating
          		Last updated:
          August 01, 2019
          06:12 PM PT

          Opened:
          July 25, 2019
          06:10 PM PT
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507459. Devices that are domain controllers or domain members are both affected.

          To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

          Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
          HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
          Next steps: At this time, we suggest that devices in an affected environment do not install KB4507459. We are working on a resolution and estimate a solution will be available in mid-August.

          Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

          Back to top          		OS Build 14393.3115

          July 16, 2019
          KB4507459          		Investigating
          		Last updated:
          August 08, 2019
          03:14 PM PT

          Opened:
          July 25, 2019
          06:10 PM PT
          Internet Explorer 11 and apps using the WebBrowser control may fail to render
          Internet Explorer 11 may fail to render some JavaScript after installing KB4507460. You may also have issues with apps using JavaScript or the WebBrowser control, such as the present PowerPoint feature of Skype Meeting Broadcast.

          Affected platforms:
          • Client: Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
          • Server: Windows Server 2016
          Workaround: To mitigate this issue, you need to Enable Script Debugging using one of the following ways.

          You can configure the below registry key:
          Registry setting: HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main
          Value: Disable Script Debugger
          Type: REG_SZ
          Data: no

          Or you can Enable Script Debugging in Internet Settings. You can open Internet Setting by either typing Internet Settings into the search box on Windows or by selecting Internet Options in Internet Explorer. Once open, select Advanced then Browsing and finally, select Enable Script Debugging.

          Next steps: We are working on a resolution and will provide an update in an upcoming release.

          Back to top          		OS Build 14393.3085

          July 09, 2019
          KB4507460          		Mitigated
          		Last updated:
          July 26, 2019
          04:58 PM PT

          Opened:
          July 26, 2019
          04:58 PM PT
          Devices starting using PXE from a WDS or SCCM servers may fail to start
          Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503267 on a WDS server.

          Affected platforms:
          • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
          Workaround:
          To mitigate this issue on an SCCM server:
          1. Verify Variable Window Extension is enabled.
          2. Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
          Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

          To mitigate this issue on a WDS server without SCCM:
          1. In WDS TFTP settings, verify Variable Window Extension is enabled.
          2. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
          3. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
          Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

          Next steps: We are working on a resolution and will provide an update in an upcoming release.

          Back to top          		OS Build 14393.3025

          June 11, 2019
          KB4503267          		Mitigated
          		Last updated:
          July 10, 2019
          07:09 PM PT

          Opened:
          July 10, 2019
          02:51 PM PT
          @@ -99,15 +109,6 @@ sections: " -- title: May 2019 -- items: - - type: markdown - text: " - - -
          DetailsOriginating updateStatusHistory
          Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
          Some devices with Hyper-V enabled may enter BitLocker recovery mode and receive an error, \"0xC0210000\" after installing KB4494440 and restarting.

          Affected platforms:
          • Client: Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
          • Server: Windows Server 2016
          Resolution: This issue was resolved in KB4507460.

          Back to top          		OS Build 14393.2969

          May 14, 2019
          KB4494440          		Resolved
          KB4507460          		Resolved:
          July 09, 2019
          10:00 AM PT

          Opened:
          May 21, 2019
          08:50 AM PT
          - " - - title: January 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-10-1703.yml b/windows/release-information/status-windows-10-1703.yml index 4dbe8ada26..c8b0808465 100644 --- a/windows/release-information/status-windows-10-1703.yml +++ b/windows/release-information/status-windows-10-1703.yml @@ -60,8 +60,7 @@ sections: - type: markdown text: "
          This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

          - - +
          SummaryOriginating updateStatusLast updated
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

          See details >          		OS Build 15063.1955

          July 16, 2019
          KB4507467          		Investigating
          		August 01, 2019
          06:12 PM PT
          Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
          Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000.

          See details >          		OS Build 15063.1805

          May 14, 2019
          KB4499181          		Resolved
          KB4507450          		July 09, 2019
          10:00 AM PT
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

          See details >          		OS Build 15063.1955

          July 16, 2019
          KB4507467          		Investigating
          		August 08, 2019
          03:14 PM PT
          Certain operations performed on a Cluster Shared Volume may fail
          Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

          See details >          		OS Build 15063.1563

          January 08, 2019
          KB4480973          		Mitigated
          		April 25, 2019
          02:00 PM PT
          " @@ -78,16 +77,8 @@ sections: - type: markdown text: " - -
          DetailsOriginating updateStatusHistory
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507467. Devices that are domain controllers or domain members are both affected.

          To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

          Note If you are not sure if your device is affected, contact your administrator. Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos.

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
          Next steps: At this time, we suggest that devices in an affected environment do not install KB4507467. We are working on a resolution and estimate a solution will be available in mid-August.

          Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

          Back to top          		OS Build 15063.1955

          July 16, 2019
          KB4507467          		Investigating
          		Last updated:
          August 01, 2019
          06:12 PM PT

          Opened:
          July 25, 2019
          06:10 PM PT
          - " - -- title: May 2019 -- items: - - type: markdown - text: " - - +
          DetailsOriginating updateStatusHistory
          Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
          Some devices with Hyper-V enabled may enter BitLocker recovery mode and receive an error, \"0xC0210000\" after installing KB4499181 and restarting.

          Affected platforms:
          • Client: Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
          • Server: Windows Server 2016
          Resolution: This issue was resolved in KB4507450.

          Back to top          		OS Build 15063.1805

          May 14, 2019
          KB4499181          		Resolved
          KB4507450          		Resolved:
          July 09, 2019
          10:00 AM PT

          Opened:
          May 21, 2019
          08:50 AM PT
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507467. Devices that are domain controllers or domain members are both affected.

          To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

          Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
          HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
          Next steps: At this time, we suggest that devices in an affected environment do not install KB4507467. We are working on a resolution and estimate a solution will be available in mid-August.

          Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

          Back to top          		OS Build 15063.1955

          July 16, 2019
          KB4507467          		Investigating
          		Last updated:
          August 08, 2019
          03:14 PM PT

          Opened:
          July 25, 2019
          06:10 PM PT
          " diff --git a/windows/release-information/status-windows-10-1709.yml b/windows/release-information/status-windows-10-1709.yml index cee8270547..c251b85868 100644 --- a/windows/release-information/status-windows-10-1709.yml +++ b/windows/release-information/status-windows-10-1709.yml @@ -60,7 +60,7 @@ sections: - type: markdown text: "
          This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

          - +
          SummaryOriginating updateStatusLast updated
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

          See details >          		OS Build 16299.1296

          July 16, 2019
          KB4507465          		Investigating
          		August 01, 2019
          06:12 PM PT
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

          See details >          		OS Build 16299.1296

          July 16, 2019
          KB4507465          		Investigating
          		August 08, 2019
          03:14 PM PT
          Devices starting using PXE from a WDS or SCCM servers may fail to start
          Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

          See details >          		OS Build 16299.1217

          June 11, 2019
          KB4503284          		Mitigated
          		July 10, 2019
          07:09 PM PT
          Certain operations performed on a Cluster Shared Volume may fail
          Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

          See details >          		OS Build 16299.904

          January 08, 2019
          KB4480978          		Mitigated
          		April 25, 2019
          02:00 PM PT
          @@ -78,7 +78,8 @@ sections: - type: markdown text: " - +
          DetailsOriginating updateStatusHistory
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507465. Devices that are domain controllers or domain members are both affected.

          To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

          Note If you are not sure if your device is affected, contact your administrator. Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos.

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
          Next steps: At this time, we suggest that devices in an affected environment do not install KB4507465. We are working on a resolution and estimate a solution will be available in mid-August.

          Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

          Back to top          		OS Build 16299.1296

          July 16, 2019
          KB4507465          		Investigating
          		Last updated:
          August 01, 2019
          06:12 PM PT

          Opened:
          July 25, 2019
          06:10 PM PT
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507465. Devices that are domain controllers or domain members are both affected.

          To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

          Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
          HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
          Next steps: At this time, we suggest that devices in an affected environment do not install KB4507465. We are working on a resolution and estimate a solution will be available in mid-August.

          Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

          Back to top          		OS Build 16299.1296

          July 16, 2019
          KB4507465          		Investigating
          		Last updated:
          August 08, 2019
          03:14 PM PT

          Opened:
          July 25, 2019
          06:10 PM PT
          Devices starting using PXE from a WDS or SCCM servers may fail to start
          Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503284 on a WDS server.

          Affected platforms:
          • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
          Workaround:
          To mitigate this issue on an SCCM server:
          1. Verify Variable Window Extension is enabled.
          2. Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
          Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

          To mitigate this issue on a WDS server without SCCM:
          1. In WDS TFTP settings, verify Variable Window Extension is enabled.
          2. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
          3. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
          Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

          Next steps: We are working on a resolution and will provide an update in an upcoming release.

          Back to top          		OS Build 16299.1217

          June 11, 2019
          KB4503284          		Mitigated
          		Last updated:
          July 10, 2019
          07:09 PM PT

          Opened:
          July 10, 2019
          02:51 PM PT
          " diff --git a/windows/release-information/status-windows-10-1803.yml b/windows/release-information/status-windows-10-1803.yml index fccb71eca1..0b63a46c96 100644 --- a/windows/release-information/status-windows-10-1803.yml +++ b/windows/release-information/status-windows-10-1803.yml @@ -20,6 +20,11 @@ sections: text: " Find information on known issues for Windows 10, version 1803. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s). + +
          Current status as of August 7, 2019:
          +
          Windows 10, version 1803 (the April 2018 Update) will reach end of service on November 12, 2019 for Home and Pro editions. We will begin updating devices running Windows 10, version 1803 to Windows 10, version 1903 (the May 2019 Update) starting July 16, 2019 to help ensure that these devices remain in a serviced and secure state. For more information, see the Windows 10, version 1903 section of the release information dashboard.
          +
          + " - items: @@ -60,7 +65,7 @@ sections: - type: markdown text: "
          This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

          - + @@ -79,7 +84,8 @@ sections: - type: markdown text: "
          SummaryOriginating updateStatusLast updated
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

          See details >          		OS Build 17134.915

          July 16, 2019
          KB4507466          		Investigating
          		August 01, 2019
          06:12 PM PT
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

          See details >          		OS Build 17134.915

          July 16, 2019
          KB4507466          		Investigating
          		August 08, 2019
          03:14 PM PT
          Devices starting using PXE from a WDS or SCCM servers may fail to start
          Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

          See details >          		OS Build 17134.829

          June 11, 2019
          KB4503286          		Mitigated
          		July 10, 2019
          07:09 PM PT
          Startup to a black screen after installing updates
          Your device may startup to a black screen during the first logon after installing updates.

          See details >          		OS Build 17134.829

          June 11, 2019
          KB4503286          		Mitigated
          		June 14, 2019
          04:41 PM PT
          Certain operations performed on a Cluster Shared Volume may fail
          Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

          See details >          		OS Build 17134.523

          January 08, 2019
          KB4480966          		Mitigated
          		April 25, 2019
          02:00 PM PT
          - +
          DetailsOriginating updateStatusHistory
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507466. Devices that are domain controllers or domain members are both affected.

          To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

          Note If you are not sure if your device is affected, contact your administrator. Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos.

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
          Next steps: At this time, we suggest that devices in an affected environment do not install KB4507466. We are working on a resolution and estimate a solution will be available in mid-August.

          Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

          Back to top          		OS Build 17134.915

          July 16, 2019
          KB4507466          		Investigating
          		Last updated:
          August 01, 2019
          06:12 PM PT

          Opened:
          July 25, 2019
          06:10 PM PT
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507466. Devices that are domain controllers or domain members are both affected.

          To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

          Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
          HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
          Next steps: At this time, we suggest that devices in an affected environment do not install KB4507466. We are working on a resolution and estimate a solution will be available in mid-August.

          Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

          Back to top          		OS Build 17134.915

          July 16, 2019
          KB4507466          		Investigating
          		Last updated:
          August 08, 2019
          03:14 PM PT

          Opened:
          July 25, 2019
          06:10 PM PT
          Devices starting using PXE from a WDS or SCCM servers may fail to start
          Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503286 on a WDS server.

          Affected platforms:
          • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
          Workaround:
          To mitigate this issue on an SCCM server:
          1. Verify Variable Window Extension is enabled.
          2. Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
          Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

          To mitigate this issue on a WDS server without SCCM:
          1. In WDS TFTP settings, verify Variable Window Extension is enabled.
          2. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
          3. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
          Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

          Next steps: We are working on a resolution and will provide an update in an upcoming release.

          Back to top          		OS Build 17134.829

          June 11, 2019
          KB4503286          		Mitigated
          		Last updated:
          July 10, 2019
          07:09 PM PT

          Opened:
          July 10, 2019
          02:51 PM PT
          " diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml index de3ecd7333..7e07f5c970 100644 --- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml +++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml @@ -18,7 +18,7 @@ sections: - items: - type: markdown text: " - Find information on known issues and the status of the rollout for Windows 10, version 1809 and Windows Server 2019. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s). + Find information on known issues for Windows 10, version 1809 and Windows Server 2019. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
          Current status:
          Windows 10, version 1809 is designated for broad deployment and available for any user who manually selects “Check for updates” via Windows Update. The recommended servicing status is Semi-Annual Channel. @@ -64,7 +64,8 @@ sections: - type: markdown text: "
          This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

          - + + @@ -79,12 +80,22 @@ sections:
          " +- title: August 2019 +- items: + - type: markdown + text: " +
          SummaryOriginating updateStatusLast updated
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

          See details >          		OS Build 17763.652

          July 22, 2019
          KB4505658          		Investigating
          		August 01, 2019
          06:12 PM PT
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

          See details >          		OS Build 17763.652

          July 22, 2019
          KB4505658          		Investigating
          		August 08, 2019
          03:14 PM PT
          Apps and scripts using the NetQueryDisplayInformation API may fail with error
          Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data.

          See details >          		OS Build 17763.55

          October 09, 2018
          KB4464330          		Investigating
          		August 01, 2019
          05:00 PM PT
          Devices starting using PXE from a WDS or SCCM servers may fail to start
          Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

          See details >          		OS Build 17763.557

          June 11, 2019
          KB4503327          		Mitigated
          		July 10, 2019
          07:09 PM PT
          Startup to a black screen after installing updates
          Your device may startup to a black screen during the first logon after installing updates.

          See details >          		OS Build 17763.557

          June 11, 2019
          KB4503327          		Mitigated
          		June 14, 2019
          04:41 PM PT
          Devices with some Asian language packs installed may receive an error
          After installing the KB4493509 devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_F

          See details >          		OS Build 17763.437

          April 09, 2019
          KB4493509          		Mitigated
          		May 03, 2019
          10:59 AM PT
          + +
          DetailsOriginating updateStatusHistory
          Apps and scripts using the NetQueryDisplayInformation API may fail with error
           Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data, often 50 or 100 entries. When requesting additional pages you may receive the error, “1359: an internal error occurred.”

          Affected platforms:
          • Server: Windows Server 2019; Windows Server 2016
          Next steps: We are working on a resolution and will provide an update in an upcoming release.

          Back to top          		OS Build 17763.55

          October 09, 2018
          KB4464330          		Investigating
          		Last updated:
          August 01, 2019
          05:00 PM PT

          Opened:
          August 01, 2019
          05:00 PM PT
          + " + - title: July 2019 - items: - type: markdown text: " - +
          DetailsOriginating updateStatusHistory
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4505658. Devices that are domain controllers or domain members are both affected.

          To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

          Note If you are not sure if your device is affected, contact your administrator. Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos.

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
          Next steps: At this time, we suggest that devices in an affected environment do not install KB4505658. We are working on a resolution and estimate a solution will be available in mid-August.

          Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

          Back to top          		OS Build 17763.652

          July 22, 2019
          KB4505658          		Investigating
          		Last updated:
          August 01, 2019
          06:12 PM PT

          Opened:
          July 25, 2019
          06:10 PM PT
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4505658. Devices that are domain controllers or domain members are both affected.

          To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

          Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
          HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
          Next steps: At this time, we suggest that devices in an affected environment do not install KB4505658. We are working on a resolution and estimate a solution will be available in mid-August.

          Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

          Back to top          		OS Build 17763.652

          July 22, 2019
          KB4505658          		Investigating
          		Last updated:
          August 08, 2019
          03:14 PM PT

          Opened:
          July 25, 2019
          06:10 PM PT
          Devices starting using PXE from a WDS or SCCM servers may fail to start
          Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503327 on a WDS server.

          Affected platforms:
          • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
          Workaround:
          To mitigate this issue on an SCCM server:
          1. Verify Variable Window Extension is enabled.
          2. Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
          Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

          To mitigate this issue on a WDS server without SCCM:
          1. In WDS TFTP settings, verify Variable Window Extension is enabled.
          2. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
          3. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
          Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

          Next steps: We are working on a resolution and will provide an update in an upcoming release.

          Back to top          		OS Build 17763.557

          June 11, 2019
          KB4503327          		Mitigated
          		Last updated:
          July 10, 2019
          07:09 PM PT

          Opened:
          July 10, 2019
          02:51 PM PT
          " @@ -103,7 +114,7 @@ sections: - type: markdown text: " - +
          DetailsOriginating updateStatusHistory
          Devices with some Asian language packs installed may receive an error
          After installing the April 2019 Cumulative Update (KB4493509), devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"

          Affected platforms:
          • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
          • Server: Windows Server, version 1809; Windows Server 2019
          Workaround:
          1. Uninstall and reinstall any recently added language packs. For instructions, see \"Manage the input and display language settings in Windows 10\".
          2. Click Check for Updates and install the April 2019 Cumulative Update. For instructions, see \"Update Windows 10\".
          Note: If reinstalling the language pack does not mitigate the issue, reset your PC as follows:
          1. Go to Settings app -> Recovery.
          2. Click on Get Started under \"Reset this PC\" recovery option.
          3. Select \"Keep my Files\".
          Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

          Back to top          		OS Build 17763.437

          April 09, 2019
          KB4493509          		Mitigated
          		Last updated:
          May 03, 2019
          10:59 AM PT

          Opened:
          May 02, 2019
          04:36 PM PT
          Devices with some Asian language packs installed may receive an error
          After installing the April 2019 Cumulative Update (KB4493509), devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"

          Affected platforms:
          • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
          • Server: Windows Server, version 1809; Windows Server 2019
          Workaround:
          1. Uninstall and reinstall any recently added language packs. For instructions, see \"Manage the input and display language settings in Windows 10\".
          2. Click Check for Updates and install the April 2019 Cumulative Update. For instructions, see \"Update Windows 10\".
          Note: If reinstalling the language pack does not mitigate the issue, reset your PC as follows:
            1. Go to Settings app -> Recovery.
            2. Click on Get Started under \"Reset this PC\" recovery option.
            3. Select \"Keep my Files\".
          Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

          Back to top          		OS Build 17763.437

          April 09, 2019
          KB4493509          		Mitigated
          		Last updated:
          May 03, 2019
          10:59 AM PT

          Opened:
          May 02, 2019
          04:36 PM PT
          " diff --git a/windows/release-information/status-windows-10-1903.yml b/windows/release-information/status-windows-10-1903.yml index b2ca8f3142..270f97ec5b 100644 --- a/windows/release-information/status-windows-10-1903.yml +++ b/windows/release-information/status-windows-10-1903.yml @@ -18,7 +18,7 @@ sections: - items: - type: markdown text: " - Find information on known issues for Windows 10, version 1903 and Windows Server, version 1903. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s). + Find information on known issues and the status of the rollout for Windows 10, version 1903 and Windows Server, version 1903. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
          Current status as of July 16, 2019:
          @@ -65,10 +65,10 @@ sections: - type: markdown text: "
          This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

          + + - - @@ -96,8 +96,9 @@ sections: - type: markdown text: "
          SummaryOriginating updateStatusLast updated
          Issues updating when certain versions of Intel storage drivers are installed
          Certain versions of Intel Rapid Storage Technology (Intel RST) drivers may cause updating to Windows 10, version 1903 to fail.

          See details >          		OS Build 18362.145

          May 29, 2019
          KB4497935          		Mitigated External
          		August 08, 2019
          05:50 PM PT
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

          See details >          		OS Build 18362.145

          May 29, 2019
          KB4497935          		Investigating
          		August 08, 2019
          03:14 PM PT
          Intermittent loss of Wi-Fi connectivity
          Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver.

          See details >          		OS Build 18362.116

          May 21, 2019
          KB4505057          		Mitigated External
          		August 01, 2019
          08:44 PM PT
          Gamma ramps, color profiles, and night light settings do not apply in some cases
          Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

          See details >          		OS Build 18362.116

          May 21, 2019
          KB4505057          		Mitigated
          		August 01, 2019
          06:27 PM PT
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

          See details >          		OS Build 18362.145

          May 29, 2019
          KB4497935          		Investigating
          		August 01, 2019
          06:12 PM PT
          Issues updating when certain versions of Intel storage drivers are installed
          Certain versions of Intel Rapid Storage Technology (Intel RST) drivers may cause updating to Windows 10, version 1903 to fail.

          See details >          		OS Build 18362.145

          May 29, 2019
          KB4497935          		Mitigated External
          		August 01, 2019
          05:58 PM PT
          Display brightness may not respond to adjustments
          Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers.

          See details >          		OS Build 18362.116

          May 21, 2019
          KB4505057          		Resolved
          KB4505903          		July 26, 2019
          02:00 PM PT
          RASMAN service may stop working and result in the error “0xc0000005”
          The Remote Access Connection Manager (RASMAN) service may stop working and result in the error “0xc0000005” with VPN profiles configured as an Always On VPN connection.

          See details >          		OS Build 18362.145

          May 29, 2019
          KB4497935          		Resolved
          KB4505903          		July 26, 2019
          02:00 PM PT
          The dGPU may occasionally disappear from device manager on Surface Book 2 with dGPU
          Some apps or games that needs to perform graphics intensive operations may close or fail to open on Surface Book 2 devices with Nvidia dGPU.

          See details >          		OS Build 18362.145

          May 29, 2019
          KB4497935          		Investigating
          		July 16, 2019
          09:04 AM PT
          - - + + diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 08a7fe11e3..cf6a9871cb 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -394,7 +394,7 @@ ####### [Get domain related alerts](microsoft-defender-atp/get-domain-related-alerts.md) ####### [Get domain related machines](microsoft-defender-atp/get-domain-related-machines.md) ####### [Get domain statistics](microsoft-defender-atp/get-domain-statistics.md) -####### [Is domain seen in organization](microsoft-defender-atp/is-domain-seen-in-org.md) +####### [Is domain seen in organization (Deprecated)](microsoft-defender-atp/is-domain-seen-in-org.md) ###### [File]() ####### [File methods and properties](microsoft-defender-atp/files.md) @@ -405,9 +405,9 @@ ###### [IP]() ####### [Get IP related alerts](microsoft-defender-atp/get-ip-related-alerts.md) -####### [Get IP related machines](microsoft-defender-atp/get-ip-related-machines.md) +####### [Get IP related machines (Deprecated)](microsoft-defender-atp/get-ip-related-machines.md) ####### [Get IP statistics](microsoft-defender-atp/get-ip-statistics.md) -####### [Is IP seen in organization](microsoft-defender-atp/is-ip-seen-org.md) +####### [Is IP seen in organization (Deprecated)](microsoft-defender-atp/is-ip-seen-org.md) ###### [User]() ####### [User methods](microsoft-defender-atp/user.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md index a82f47f963..9180ed1db4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md @@ -59,6 +59,13 @@ For information on other tables in the Advanced hunting schema, see [the Advanc | InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event | | InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event | | InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | +| RequestProtocol | string | Network protocol, if applicable, used to initiate the activity: Unknown, Local, SMB, or NFS | +| ShareName | string | Name of shared folder containing the file | +| RequestSourceIP | string | IPv4 or IPv6 address of the remote device that initiated the activity | +| RequestSourcePort | string | Source port on the remote device that initiated the activity | +| RequestAccountName | string | User name of account used to remotely initiate the activity | +| RequestAccountDomain | string | Domain of the account used to remotely initiate the activity | +| RequestAccountSid | string | Security Identifier (SID) of the account to remotely initiate the activity | | ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | | SensitivityLabel | string | Label applied to an email, file, or other content to classify it for information protection | diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md index 75b3616e1c..e07aee7cf0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md @@ -1,7 +1,7 @@ --- title: Configure and manage Microsoft Threat Experts capabilities ms.reviewer: -description: You need to register to Microsoft Threats Experts preview to configure, manage, and use it in your daily security operations and security administration work. +description: Register to Microsoft Threats Experts to configure, manage, and use it in your daily security operations and security administration work. keywords: Microsoft Threat Experts, managed threat hunting service, MTE, Microsoft managed hunting service search.product: Windows 10 search.appverid: met150 @@ -9,8 +9,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas -author: mjcaparas +ms.author: dolmont +author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro @@ -23,12 +23,12 @@ ms.topic: article - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease information](prerelease.md)] +[!Include[Prerelease information](prerelease.md)] ## Before you begin -To experience the full Microsoft Threat Experts targeted attack notification capability in Microsoft Defender ATP, and preview the experts-on-demand capability, you need to have a valid Premier customer service and support account. Premier charges will not be incurred during for the capability in preview, but for the generally available capability, there will be charges. +To experience the full Microsoft Threat Experts targeted attack notification capability in Microsoft Defender ATP, and preview the experts-on-demand capability, you need to have a valid Premier customer service and support account. Premier charges are not incurred during for the capability in preview, but for the generally available capability, there will be charges. -You also need to ensure that you have Microsoft Defender ATP deployed in your environment with machines enrolled, and not just on a laboratory set-up. +Ensure that you have Microsoft Defender ATP deployed in your environment with machines enrolled, and not just on a laboratory set-up. ## Register to Microsoft Threat Experts managed threat hunting service If you're already a Microsoft Defender ATP customer, you can apply through the Microsoft Defender ATP portal. @@ -47,11 +47,11 @@ If you're already a Microsoft Defender ATP customer, you can apply through the M 6. From the navigation pane, go to **Settings** > **General** > **Advanced features** to turn the **Threat Experts** toggle on. Click **Save preferences**. ## Receive targeted attack notification from Microsoft Threat Experts -You can receive targeted attack notification from Microsoft Threat Experts through the following: +You can receive targeted attack notification from Microsoft Threat Experts through the following medium: - The Microsoft Defender ATP portal's **Alerts** dashboard - Your email, if you choose to configure it -To receive targeted attack notifications through email, you need to create an email notification rule. +To receive targeted attack notifications through email, create an email notification rule. ### Create an email notification rule You can create rules to send email notifications for notification recipients. See [Configure alert notifications](configure-email-notifications.md) to create, edit, delete, or troubleshoot email notification, for details. @@ -68,11 +68,14 @@ You'll start receiving targeted attack notification from Microsoft Threat Expert >[!NOTE] >The Microsoft Threat Experts' experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. -You can partner with Microsoft Threat Experts who can be engaged directly from within the Windows Defender Security Center for timely and accurate response. Experts provide insights needed to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised machine, or a threat intelligence context that you see on your portal dashboard. +You can partner with Microsoft Threat Experts who can be engaged directly from within the Windows Defender Security Center for timely and accurate response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised machine, or a threat intelligence context that you see on your portal dashboard. -1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or machine is in view before raising an inquiry. -2. From the upper right-hand menu, click **?**, then select **Ask a threat expert**. -3. Asking a threat expert is a two-step process: you need to provide the necessary information and open a support ticket. +>[!NOTE] +>Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details. + +1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or machine is in view before you send an inquiry. +2. From the upper right-hand menu, click **?**. Then, select **Ask a threat expert**. +3. Asking a threat expert is a two-step process: provide the necessary information and open a support ticket. **Step 1: Provide information** a. Provide enough information to give the Microsoft Threat Experts enough context to start the investigation. Select the inquiry category from the **Provide information > Inquiry** details drop-down menu.
          @@ -83,7 +86,7 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w **Step 2: Open a support ticket** >[!NOTE] - >To experience the full Microsoft Threat Experts preview capability in Microsoft Defender ATP, you need to have a Premier customer service and support account. However, you will not be charged for the Experts-on-demand service during the preview. + >To experience the full Microsoft Threat Experts preview capability in Microsoft Defender ATP, you need a Premier customer service and support account. However, you will not be charged for the Experts-on-demand service during the preview. a. In the **New support request** customer support page, select the following from the dropdown menu and then click **Next**:
          @@ -100,7 +103,7 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w e. Verify your contact details and add another if necessary. Then, click **Next**.
          - f. Review the summary of your support request, and update if necessary. Make sure that you read and understand the **Microsoft Services Agreement** and **Privacy Statement**. Then, click **Submit**. You will see the confirmation page indicating the response time and your support request number.
          + f. Review the summary of your support request, and update if necessary. Make sure that you read and understand the **Microsoft Services Agreement** and **Privacy Statement**. Then, click **Submit**. A confirmation page indicating the response time and your support request number shows.
          ## Sample questions to ask Microsoft Threat Experts @@ -111,12 +114,12 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w - Can you give more context or insights about this alert: “Suspicious behavior by a system utility was observed”. **Possible machine compromise** -- Can you please help answer why we see “Unknown process observed?” This is seen quite frequently on many machines and we would appreciate input on whether this is related to malicious activity. +- Can you help answer why we see “Unknown process observed?” This is seen quite frequently on many machines. We appreciate any input to clarify whether this is related to malicious activity. - Can you help validate a possible compromise on the following system on [date] with similar behaviors as the previous [malware name] malware detection on the same system in [month]? **Threat intelligence details** -- This morning, we detected a phishing email that delivered a malicious Word document to a user. This caused a series of suspicious events which triggered multiple Windows Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you please send me a link? -- I recently saw a [social media reference e.g. Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection Microsoft Defender ATP provides against this threat actor? +- This morning, we detected a phishing email that delivered a malicious Word document to a user. This caused a series of suspicious events which triggered multiple Windows Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you send me a link? +- I recently saw a [social media reference e.g., Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection Microsoft Defender ATP provides against this threat actor? **Microsoft Threat Experts’ alert communications** - Can your incident response team help us address the targeted attack notification that we got? @@ -129,7 +132,7 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w ## Scenario ### Receive a progress report about your managed hunting inquiry -Response from Microsoft Threat Experts varies according to your inquiry. They will email a progress report to you regarding the Ask a threat expert inquiry that you've submitted, within two days, to communicate the investigation status from the following categories: +Response from Microsoft Threat Experts varies according to your inquiry. They will email a progress report to you about the Ask a threat expert inquiry that you've submitted, within two days, to communicate the investigation status from the following categories: - More information is needed to continue with the investigation - A file or several file samples are needed to determine the technical context - Investigation requires more time diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index b9c6aceba6..6b24d02ebe 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -140,7 +140,7 @@ Agent Resource | Ports To onboard Windows Server, version 1803 or Windows Server 2019, please refer to the supported methods and versions below. >[!NOTE] ->The Onboarding package for Windows Server 2019 through System Center Configuration Manager currently ships a script. For more information on how to deploy scripts in System Center Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.comsccm/apps/deploy-use/packages-and-programs). +>The Onboarding package for Windows Server 2019 through System Center Configuration Manager currently ships a script. For more information on how to deploy scripts in System Center Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/packages-and-programs). Supported tools include: - Local script diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md index 2e00867ddd..c247c9aa81 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md @@ -16,7 +16,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Get IP related machines API +# Get IP related machines API (Deprecated) **Applies to:** diff --git a/windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org.md b/windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org.md index 408e800158..38debbe291 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org.md +++ b/windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org.md @@ -16,7 +16,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Was domain seen in org +# Was domain seen in org (Deprecated) **Applies to:** diff --git a/windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org.md b/windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org.md index 3239831649..f112796be2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org.md +++ b/windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org.md @@ -16,7 +16,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Was IP seen in org +# Was IP seen in org (Deprecated) **Applies to:** diff --git a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.md b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.md index 35d03646ca..48dac8442f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.md +++ b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.md @@ -392,7 +392,7 @@ ####### [Get domain related alerts](get-domain-related-alerts.md) ####### [Get domain related machines](get-domain-related-machines.md) ####### [Get domain statistics](get-domain-statistics.md) -####### [Is domain seen in organization](is-domain-seen-in-org.md) +####### [Is domain seen in organization (Deprecated)](is-domain-seen-in-org.md) ###### [File]() ####### [Methods and properties](files.md) @@ -403,9 +403,9 @@ ###### [IP]() ####### [Get IP related alerts](get-ip-related-alerts.md) -####### [Get IP related machines](get-ip-related-machines.md) +####### [Get IP related machines (Deprecated)](get-ip-related-machines.md) ####### [Get IP statistics](get-ip-statistics.md) -####### [Is IP seen in organization](is-ip-seen-org.md) +####### [Is IP seen in organization (Deprecated)](is-ip-seen-org.md) ###### [User]() ####### [Methods](user.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md index 321211dc7a..dcaa31ea84 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md @@ -40,17 +40,17 @@ The **Secure score dashboard** displays a snapshot of: ![Secure score dashboard](images/new-secure-score-dashboard.png) ## Microsoft secure score -The Microsoft secure score tile is reflective of the sum of all the Microsoft Defender security controls that are configured according to the recommended baseline and Office 365 controls. It allows you to drill down into each portal for further analysis. You can also improve this score by taking the steps in configuring each of the security controls in the optimal settings. +The Microsoft secure score tile is reflective of the sum of all the security controls that are configured according to the recommended Windows baseline and Office 365 controls. It allows you to drill down into each portal for further analysis. You can also improve this score by taking the steps in configuring each of the security controls in the optimal settings. ![Image of Microsoft secure score tile](images/mss.png) -Each Windows Defender security control contributes 100 points to the score. The total number is reflective of the score potential and calculated by multiplying the number of supported security controls (Windows Defender security controls pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar). +Each Microsoft security control contributes 100 points to the score. The total number is reflective of the score potential and calculated by multiplying the number of supported Microsoft security controls (security controls pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar). The Office 365 Secure Score looks at your settings and activities and compares them to a baseline established by Microsoft. For more information, see [Introducing the Office 365 Secure Score](https://support.office.com/article/introducing-the-office-365-secure-score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef#howtoaccess). -In the example image, the total points for the Windows security controls and Office 365 add up to 602 points. +In the example image, the total points for the security controls and Office 365 add up to 602 points. -You can set the baselines for calculating the score of Windows Defender security controls on the Secure score dashboard through the **Settings**. For more information, see [Enable Secure score security controls](enable-secure-score.md). +You can set the baselines for calculating the security control scores on the Secure score dashboard through the **Settings**. For more information, see [Enable Secure score security controls](enable-secure-score.md). ## Secure score over time You can track the progression of your organizational security posture over time using this tile. It displays the overall score in a historical trend line enabling you to see how taking the recommended actions increase your overall security posture. diff --git a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md index b0ae432a26..1bef9658a6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md @@ -27,7 +27,7 @@ ms.topic: conceptual Each security control lists recommendations that you can take to increase the security posture of your organization. ### Endpoint detection and response (EDR) optimization -A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for your Endpoint detection and response tool. +A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for your Endpoint detection and response tool. >[!IMPORTANT] >This feature is available for machines on Windows 10, version 1607 or later. @@ -45,17 +45,17 @@ You can take the following actions to increase the overall security score of you For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). -### Microsoft Defender Antivirus (Microsoft Defender AV) optimization -A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender AV. +### Windows Defender Antivirus (Windows Defender AV) optimization +A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender AV. >[!IMPORTANT] >This feature is available for machines on Windows 10, version 1607 or later. -#### Minimum baseline configuration setting for Microsoft Defender AV: -Machines are considered "well configured" for Microsoft Defender AV if the following requirements are met: +#### Minimum baseline configuration setting for Windows Defender AV: +A well-configured machine for Windows Defender AV meets the following requirements: -- Microsoft Defender AV is reporting correctly -- Microsoft Defender AV is turned on +- Windows Defender AV is reporting correctly +- Windows Defender AV is turned on - Security intelligence is up-to-date - Real-time protection is on - Potentially Unwanted Application (PUA) protection is enabled @@ -64,16 +64,16 @@ Machines are considered "well configured" for Microsoft Defender AV if the follo You can take the following actions to increase the overall security score of your organization: >[!NOTE] -> For the Microsoft Defender Antivirus properties to show, you'll need to ensure that the Microsoft Defender Antivirus Cloud-based protection is properly configured on the machine. +> For the Windows Defender Antivirus properties to show, you'll need to ensure that the Windows Defender Antivirus Cloud-based protection is properly configured on the machine. - Fix antivirus reporting - - This recommendation is displayed when the Microsoft Defender Antivirus is not properly configured to report its health state. For more information on fixing the reporting, see [Configure and validate network connections](../windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md). + - This recommendation is displayed when the Windows Defender Antivirus is not properly configured to report its health state. For more information on fixing the reporting, see [Configure and validate network connections](../windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md). - Turn on antivirus - Update antivirus Security intelligence - Turn on real-time protection - Turn on PUA protection -For more information, see [Configure Microsoft Defender Antivirus](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md). +For more information, see [Configure Windows Defender Antivirus](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md). ### OS security updates optimization @@ -90,15 +90,15 @@ You can take the following actions to increase the overall security score of you For more information, see [Windows Update Troubleshooter](https://support.microsoft.com/help/4027322/windows-windows-update-troubleshooter). -### Microsoft Defender Exploit Guard (Microsoft Defender EG) optimization -A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on machines to meet the minimum baseline configuration setting for Microsoft Defender EG. When endpoints are configured according to the baseline the Microsoft Defender EG events shows on the Microsoft Defender ATP Machine timeline. +### Windows Defender Exploit Guard (Windows Defender EG) optimization +A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on machines to meet the minimum baseline configuration setting for Windows Defender EG. When endpoints are configured according to the baseline, the Windows Defender EG events shows on the Microsoft Defender ATP Machine timeline. >[!IMPORTANT] >This security control is only applicable for machines with Windows 10, version 1709 or later. -#### Minimum baseline configuration setting for Microsoft Defender EG: -Machines are considered "well configured" for Microsoft Defender EG if the following requirements are met: +#### Minimum baseline configuration setting for Windows Defender EG: +A well-configured machine for Windows Defender EG meets the following requirements: - System level protection settings are configured correctly - Attack Surface Reduction rules are configured correctly @@ -148,48 +148,48 @@ You can take the following actions to increase the overall security score of you - Turn on all system-level Exploit Protection settings - Set all ASR rules to enabled or audit mode - Turn on Controlled Folder Access -- Turn on Microsoft Defender Antivirus on compatible machines +- Turn on Windows Defender Antivirus on compatible machines -For more information, see [Microsoft Defender Exploit Guard](../windows-defender-exploit-guard/windows-defender-exploit-guard.md). +For more information, see [Windows Defender Exploit Guard](../windows-defender-exploit-guard/windows-defender-exploit-guard.md). -### Microsoft Defender Application Guard (Microsoft Defender AG) optimization -A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender AG. When endpoints are configured according to the baseline, Microsoft Defender AG events shows on the Microsoft Defender ATP Machine timeline. +### Windows Defender Application Guard (Windows Defender AG) optimization +A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender AG. When endpoints are configured according to the baseline, Windows Defender AG events shows on the Microsoft Defender ATP Machine timeline. >[!IMPORTANT] >This security control is only applicable for machines with Windows 10, version 1709 or later. -#### Minimum baseline configuration setting for Microsoft Defender AG: -Machines are considered "well configured" for Microsoft Defender AG if the following requirements are met: +#### Minimum baseline configuration setting for Windows Defender AG: +A well-configured machine for Windows Defender AG meets the following requirements: - Hardware and software prerequisites are met -- Microsoft Defender AG is turned on compatible machines +- Windows Defender AG is turned on compatible machines - Managed mode is turned on ##### Recommended actions: You can take the following actions to increase the overall security score of your organization: -- Ensure hardware and software prerequisites are met +- Ensure that you meet the hardware and software prerequisites >[!NOTE] - >This improvement item does not contribute to the security score in itself because it's not a prerequisite for Microsoft Defender AG. It gives an indication of a potential reason why Microsoft Defender AG is not turned on. + >This improvement item does not contribute to the security score in itself because it's not a prerequisite for Windows Defender AG. It gives an indication of a potential reason why Windows Defender AG is not turned on. -- Turn on Microsoft Defender AG on compatible machines +- Turn on Windows Defender AG on compatible machines - Turn on managed mode -For more information, see [Microsoft Defender Application Guard overview](../windows-defender-application-guard/wd-app-guard-overview.md). +For more information, see [Windows Defender Application Guard overview](../windows-defender-application-guard/wd-app-guard-overview.md). -### Microsoft Defender SmartScreen optimization -A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender SmartScreen. +### Windows Defender SmartScreen optimization +A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender SmartScreen. >[!WARNING] -> Data collected by Microsoft Defender SmartScreen might be stored and processed outside of the storage location you have selected for your Microsoft Defender ATP data. +> Data collected by Windows Defender SmartScreen might be stored and processed outside of the storage location you have selected for your Microsoft Defender ATP data. >[!IMPORTANT] >This security control is only applicable for machines with Windows 10, version 1709 or later. -#### Minimum baseline configuration setting for Microsoft Defender SmartScreen: +#### Minimum baseline configuration setting for Windows Defender SmartScreen: The following settings must be configured with the following settings: - Check apps and files: **Warn** or **Block** - SmartScreen for Microsoft Edge: **Warn** or **Block** @@ -201,27 +201,27 @@ You can take the following actions to increase the overall security score of you - Set **SmartScreen for Microsoft Edge** to **Warn** or **Block** - Set **SmartScreen for Microsoft store apps** to **Warn** or **Off** -For more information, see [Microsoft Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md). +For more information, see [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md). -### Microsoft Defender Firewall optimization -A well-configured machine must have Microsoft Defender Firewall turned on and enabled for all profiles so that inbound connections are blocked by default. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender Firewall. +### Windows Defender Firewall optimization +A well-configured machine must have Windows Defender Firewall turned on and enabled for all profiles so that inbound connections are blocked by default. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender Firewall. >[!IMPORTANT] >This security control is only applicable for machines with Windows 10, version 1709 or later. -#### Minimum baseline configuration setting for Microsoft Defender Firewall +#### Minimum baseline configuration setting for Windows Defender Firewall -- Microsoft Defender Firewall is turned on for all network connections -- Secure domain profile by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked -- Secure private profile by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked -- Secure public profile is configured by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked +- Windows Defender Firewall is turned on for all network connections +- Secure domain profile by enabling Windows Defender Firewall and ensure that Inbound connections are set to Blocked +- Secure private profile by enabling Windows Defender Firewall and ensure that Inbound connections are set to Blocked +- Secure public profile is configured by enabling Windows Defender Firewall and ensure that Inbound connections are set to Blocked -For more information on Microsoft Defender Firewall settings, see [Planning settings for a basic firewall policy](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy). +For more information on Windows Defender Firewall settings, see [Planning settings for a basic firewall policy](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy). >[!NOTE] -> If Microsoft Defender Firewall is not your primary firewall, consider excluding it from the security score calculations and make sure that your third-party firewall is configured in a securely. +> If Windows Defender Firewall is not your primary firewall, consider excluding it from the security score calculations and make sure that your third-party firewall is configured in a securely. ##### Recommended actions: @@ -234,7 +234,7 @@ You can take the following actions to increase the overall security score of you - Fix sensor data collection - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). -For more information, see [Microsoft Defender Firewall with Advanced Security](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security). +For more information, see [Windows Defender Firewall with Advanced Security](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security). ### BitLocker optimization A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for BitLocker. @@ -258,17 +258,17 @@ You can take the following actions to increase the overall security score of you For more information, see [Bitlocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview). -### Microsoft Defender Credential Guard optimization -A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender Credential Guard. +### Windows Defender Credential Guard optimization +A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender Credential Guard. >[!IMPORTANT] >This security control is only applicable for machines with Windows 10, version 1709 or later. -#### Minimum baseline configuration setting for Microsoft Defender Credential Guard: -Well-configured machines for Microsoft Defender Credential Guard meets the following requirements: +#### Minimum baseline configuration setting for Windows Defender Credential Guard: +Well-configured machines for Windows Defender Credential Guard meets the following requirements: - Hardware and software prerequisites are met -- Microsoft Defender Credential Guard is turned on compatible machines +- Windows Defender Credential Guard is turned on compatible machines ##### Recommended actions: @@ -279,7 +279,7 @@ You can take the following actions to increase the overall security score of you - Fix sensor data collection - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). -For more information, see [Manage Microsoft Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-manage). +For more information, see [Manage Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-manage). >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md index e620a05684..a830dad9fe 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md @@ -51,6 +51,9 @@ Microsoft Cloud App Security leverages Microsoft Defender ATP endpoint signals t ## Office 365 Advanced Threat Protection (Office 365 ATP) [Office 365 ATP](https://docs.microsoft.com/office365/securitycompliance/office-365-atp) helps protect your organization from malware in email messages or files through ATP Safe Links, ATP Safe Attachments, advanced Anti-Phishing, and spoof intelligence capabilities. The integration between Office 365 ATP and Microsoft Defender ATP enables security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked. +>[!NOTE] +> Office 365 ATP data is displayed for events within the last 30 days. For alerts, Office 365 ATP data is displayed based on first activity time. After that, the data is no longer available in Office 365 ATP. + ## Skype for Business The Skype for Business integration provides s a way for analysts to communicate with a potentially compromised user or device owner through ao simple button from the portal. diff --git a/windows/whats-new/TOC.md b/windows/whats-new/TOC.md index 2991f9ac65..fa56ce48c7 100644 --- a/windows/whats-new/TOC.md +++ b/windows/whats-new/TOC.md @@ -5,4 +5,4 @@ ## [What's new in Windows 10, version 1709](whats-new-windows-10-version-1709.md) ## [What's new in Windows 10, version 1703](whats-new-windows-10-version-1703.md) ## [What's new in Windows 10, version 1607](whats-new-windows-10-version-1607.md) -## [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md) \ No newline at end of file +## [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md) diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md index 43bca2f54c..27d454fa86 100644 --- a/windows/whats-new/index.md +++ b/windows/whats-new/index.md @@ -1,38 +1,38 @@ ---- -title: What's new in Windows 10 (Windows 10) -description: Learn about new features in Windows 10 for IT professionals, such as Windows Information Protection, Windows Hello, Device Guard, and more. -ms.assetid: F1867017-76A1-4761-A200-7450B96AEF44 -keywords: ["What's new in Windows 10", "Windows 10"] -ms.prod: w10 -author: greg-lindsay -manager: laurawi -ms.localizationpriority: high -ms.topic: article ---- - -# What's new in Windows 10 - -Windows 10 provides IT professionals with advanced protection against modern security threats and comprehensive management and control over devices and apps, as well as flexible deployment, update, and support options. Learn about new features in Windows 10 for IT professionals, such as Windows Information Protection, Windows Hello, Device Guard, and more. - -## In this section - -- [What's new in Windows 10, version 1903](whats-new-windows-10-version-1903.md) -- [What's new in Windows 10, version 1809](whats-new-windows-10-version-1809.md) -- [What's new in Windows 10, version 1803](whats-new-windows-10-version-1803.md) -- [What's new in Windows 10, version 1709](whats-new-windows-10-version-1709.md) -- [What's new in Windows 10, version 1703](whats-new-windows-10-version-1703.md) -- [What's new in Windows 10, version 1607](whats-new-windows-10-version-1607.md) -- [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md) - -## Learn more - -- [Windows 10 release information](https://technet.microsoft.com/windows/release-info) -- [Windows 10 update history](https://support.microsoft.com/help/12387/windows-10-update-history) -- [Windows 10 content from Microsoft Ignite](https://go.microsoft.com/fwlink/p/?LinkId=613210) -- [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkId=690485) - -## See also - -[Windows 10 Enterprise LTSC](ltsc/index.md)
          -[Edit an existing topic using the Edit link](contribute-to-a-topic.md) - +--- +title: What's new in Windows 10 (Windows 10) +description: Learn about new features in Windows 10 for IT professionals, such as Windows Information Protection, Windows Hello, Device Guard, and more. +ms.assetid: F1867017-76A1-4761-A200-7450B96AEF44 +keywords: ["What's new in Windows 10", "Windows 10"] +ms.prod: w10 +audience: itpro author: greg-lindsay +manager: laurawi +ms.localizationpriority: high +ms.topic: article +--- + +# What's new in Windows 10 + +Windows 10 provides IT professionals with advanced protection against modern security threats and comprehensive management and control over devices and apps, as well as flexible deployment, update, and support options. Learn about new features in Windows 10 for IT professionals, such as Windows Information Protection, Windows Hello, Device Guard, and more. + +## In this section + +- [What's new in Windows 10, version 1903](whats-new-windows-10-version-1903.md) +- [What's new in Windows 10, version 1809](whats-new-windows-10-version-1809.md) +- [What's new in Windows 10, version 1803](whats-new-windows-10-version-1803.md) +- [What's new in Windows 10, version 1709](whats-new-windows-10-version-1709.md) +- [What's new in Windows 10, version 1703](whats-new-windows-10-version-1703.md) +- [What's new in Windows 10, version 1607](whats-new-windows-10-version-1607.md) +- [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md) + +## Learn more + +- [Windows 10 release information](https://technet.microsoft.com/windows/release-info) +- [Windows 10 update history](https://support.microsoft.com/help/12387/windows-10-update-history) +- [Windows 10 content from Microsoft Ignite](https://go.microsoft.com/fwlink/p/?LinkId=613210) +- [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkId=690485) + +## See also + +[Windows 10 Enterprise LTSC](ltsc/index.md)
          +[Edit an existing topic using the Edit link](contribute-to-a-topic.md) + diff --git a/windows/whats-new/ltsc/TOC.md b/windows/whats-new/ltsc/TOC.md index 6dfee34a97..e49aee21fc 100644 --- a/windows/whats-new/ltsc/TOC.md +++ b/windows/whats-new/ltsc/TOC.md @@ -1,4 +1,4 @@ # [Windows 10 Enterprise LTSC](index.md) ## [What's new in Windows 10 Enterprise 2019 LTSC](whats-new-windows-10-2019.md) ## [What's new in Windows 10 Enterprise 2016 LTSC](whats-new-windows-10-2016.md) -## [What's new in Windows 10 Enterprise 2015 LTSC](whats-new-windows-10-2015.md) \ No newline at end of file +## [What's new in Windows 10 Enterprise 2015 LTSC](whats-new-windows-10-2015.md) diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md index d90f6985d2..fa6b259b1c 100644 --- a/windows/whats-new/ltsc/index.md +++ b/windows/whats-new/ltsc/index.md @@ -1,50 +1,50 @@ ---- -title: Windows 10 Enterprise LTSC -description: New and updated IT Pro content about new features in Windows 10, LTSC (also known as Windows 10 LTSB). -keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 LTSC", "Windows 10 LTSB"] -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -manager: laurawi -ms.localizationpriority: low -ms.topic: article ---- - -# Windows 10 Enterprise LTSC - -**Applies to** -- Windows 10 Enterprise LTSC - -## In this topic - -This topic provides links to articles with information about what's new in each release of Windows 10 Enterprise LTSC, and includes a short description of this servicing channel. - -[What's New in Windows 10 Enterprise 2019 LTSC](whats-new-windows-10-2019.md)
          -[What's New in Windows 10 Enterprise 2016 LTSC](whats-new-windows-10-2016.md)
          -[What's New in Windows 10 Enterprise 2015 LTSC](whats-new-windows-10-2015.md) - -## The Long Term Servicing Channel (LTSC) - -The following table summarizes equivalent feature update versions of Windows 10 LTSC and semi-annual channel (SAC) releases. - -| LTSC release | Equivalent SAC release | Availability date | -| --- | --- | --- | -| Windows 10 Enterprise 2015 LTSC | Windows 10, Version 1507 | 7/29/2015 | -| Windows 10 Enterprise 2016 LTSC | Windows 10, Version 1607 | 8/2/2016 | -| Windows 10 Enterprise 2019 LTSC | Windows 10, Version 1809 | 11/13/2018 | - ->[!NOTE] ->The Long Term Servicing Channel was previously called the Long Term Servicing Branch (LTSB). All references to LTSB are changed in this article to LTSC for consistency, even though the name of previous versions might still be displayed as LTSB. - -With the LTSC servicing model, customers can delay receiving feature updates and instead only receive monthly quality updates on devices. Features from Windows 10 that could be updated with new functionality, including Cortana, Edge, and all in-box Universal Windows apps, are also not included. Feature updates are offered in new LTSC releases every 2–3 years instead of every 6 months, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. Microsoft is committed to providing bug fixes and security patches for each LTSC release during this 10 year period. - ->[!IMPORTANT] ->The Long Term Servicing Channel is not intended for deployment on most or all the PCs in an organization. The LTSC edition of Windows 10 provides customers with access to a deployment option for their special-purpose devices and environments. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. These devices are also typically not heavily dependent on support from external apps and tools. Since the feature set for LTSC does not change for the lifetime of the release, over time there might be some external tools that do not continue to provide legacy support. See [LTSC: What is it, and when it should be used](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). - -For detailed information about Windows 10 servicing, see [Overview of Windows as a service](/windows/deployment/update/waas-overview). - -## See Also - -[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
          -[Windows 10 - Release information](https://docs.microsoft.com/windows/windows-10/release-information): Windows 10 current versions by servicing option. +--- +title: Windows 10 Enterprise LTSC +description: New and updated IT Pro content about new features in Windows 10, LTSC (also known as Windows 10 LTSB). +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 LTSC", "Windows 10 LTSB"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +manager: laurawi +ms.localizationpriority: low +ms.topic: article +--- + +# Windows 10 Enterprise LTSC + +**Applies to** +- Windows 10 Enterprise LTSC + +## In this topic + +This topic provides links to articles with information about what's new in each release of Windows 10 Enterprise LTSC, and includes a short description of this servicing channel. + +[What's New in Windows 10 Enterprise 2019 LTSC](whats-new-windows-10-2019.md)
          +[What's New in Windows 10 Enterprise 2016 LTSC](whats-new-windows-10-2016.md)
          +[What's New in Windows 10 Enterprise 2015 LTSC](whats-new-windows-10-2015.md) + +## The Long Term Servicing Channel (LTSC) + +The following table summarizes equivalent feature update versions of Windows 10 LTSC and semi-annual channel (SAC) releases. + +| LTSC release | Equivalent SAC release | Availability date | +| --- | --- | --- | +| Windows 10 Enterprise 2015 LTSC | Windows 10, Version 1507 | 7/29/2015 | +| Windows 10 Enterprise 2016 LTSC | Windows 10, Version 1607 | 8/2/2016 | +| Windows 10 Enterprise 2019 LTSC | Windows 10, Version 1809 | 11/13/2018 | + +>[!NOTE] +>The Long Term Servicing Channel was previously called the Long Term Servicing Branch (LTSB). All references to LTSB are changed in this article to LTSC for consistency, even though the name of previous versions might still be displayed as LTSB. + +With the LTSC servicing model, customers can delay receiving feature updates and instead only receive monthly quality updates on devices. Features from Windows 10 that could be updated with new functionality, including Cortana, Edge, and all in-box Universal Windows apps, are also not included. Feature updates are offered in new LTSC releases every 2–3 years instead of every 6 months, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. Microsoft is committed to providing bug fixes and security patches for each LTSC release during this 10 year period. + +>[!IMPORTANT] +>The Long Term Servicing Channel is not intended for deployment on most or all the PCs in an organization. The LTSC edition of Windows 10 provides customers with access to a deployment option for their special-purpose devices and environments. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. These devices are also typically not heavily dependent on support from external apps and tools. Since the feature set for LTSC does not change for the lifetime of the release, over time there might be some external tools that do not continue to provide legacy support. See [LTSC: What is it, and when it should be used](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). + +For detailed information about Windows 10 servicing, see [Overview of Windows as a service](/windows/deployment/update/waas-overview). + +## See Also + +[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
          +[Windows 10 - Release information](https://docs.microsoft.com/windows/windows-10/release-information): Windows 10 current versions by servicing option. diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md index 581fc39b20..b2e5edb37f 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md @@ -1,298 +1,298 @@ ---- -title: What's new in Windows 10 Enterprise 2015 LTSC -ms.reviewer: -manager: laurawi -ms.author: greglin -description: New and updated IT Pro content about new features in Windows 10 Enterprise 2015 LTSC (also known as Windows 10 Enterprise 2015 LTSB). -keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2015 LTSC"] -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: low -ms.topic: article ---- - -# What's new in Windows 10 Enterprise 2015 LTSC - -**Applies to** -- Windows 10 Enterprise 2015 LTSC - -This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2015 LTSC (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). - ->[!NOTE] ->Features in Windows 10 Enterprise 2015 LTSC are equivalent to [Windows 10, version 1507](../whats-new-windows-10-version-1507-and-1511.md). - -## Deployment - -### Provisioning devices using Windows Imaging and Configuration Designer (ICD) - -With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Using Windows Provisioning, an IT administrator can easily specify the configuration and settings required to enroll devices into management using a wizard-driven user interface, and then apply this configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. - -[Learn more about provisioning in Windows 10](/windows/configuration/provisioning-packages/provisioning-packages) - -## Security - -### Applocker - -Applocker was available for Windows 8.1, and is improved with Windows 10. See [Requirements to use AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md) for a list of operating system requirements. - -Enhancements to Applocker in Windows 10 include: - -- A new parameter was added to the [New-AppLockerPolicy](https://technet.microsoft.com/library/hh847211.aspx) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**. -- A new [AppLocker](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server. -- You can manage Windows 10 Mobile devices by using the new [AppLocker CSP](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx). - -[Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview). - -### Bitlocker - -Enhancements to Applocker in Windows 10 include: - -- **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](https://technet.microsoft.com/itpro/windows/keep-secure/windows-10-security-guide#device-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This will make it easier to recover your BitLocker key online. -- **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#dataprotection-allowdirectmemoryaccess) MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on. -- **New Group Policy for configuring pre-boot recovery**. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the [Configure pre-boot recovery message and URL](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-group-policy-settings#bkmk-configurepreboot) section in "BitLocker Group Policy settings." - -[Learn how to deploy and manage BitLocker within your organization](/windows/device-security/bitlocker/bitlocker-overview). - -### Certificate management - -For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. As in Windows Phone 8.1, you can use the [Certificates app](https://go.microsoft.com/fwlink/p/?LinkId=615824) to review the details of certificates on your device. [Learn how to install digital certificates on Windows 10 Mobile.](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile) - -### Microsoft Passport - -In Windows 10, [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN. - -Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports Fast ID Online (FIDO) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services. - -### Security auditing - -In Windows 10, security auditing has added some improvements: -- [New audit subcategories](#bkmk-auditsubcat) -- [More info added to existing audit events](#bkmk-moreinfo) - -#### New audit subcategories - -In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events: -- [Audit Group Membership](/windows/device-security/auditing/audit-group-membership) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource. - When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information cannot fit in a single security audit event. -- [Audit PNP Activity](/windows/device-security/auditing/audit-pnp-activity) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device. - Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. - A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs are included in the event. - -#### More info added to existing audit events - -With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events: -- [Changed the kernel default audit policy](#bkmk-kdal) -- [Added a default process SACL to LSASS.exe](#bkmk-lsass) -- [Added new fields in the logon event](#bkmk-logon) -- [Added new fields in the process creation event](#bkmk-logon) -- [Added new Security Account Manager events](#bkmk-sam) -- [Added new BCD events](#bkmk-bcd) -- [Added new PNP events](#bkmk-pnp) - -#### Changed the kernel default audit policy - -In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts. - -#### Added a default process SACL to LSASS.exe - -In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**. -This can help identify attacks that steal credentials from the memory of a process. - -#### New fields in the logon event - -The logon event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624: -1. **MachineLogon** String: yes or no - If the account that logged into the PC is a computer account, this field will be yes. Otherwise, the field is no. -2. **ElevatedToken** String: yes or no - If the account that logged into the PC is an administrative logon, this field will be yes. Otherwise, the field is no. Additionally, if this is part of a split token, the linked login ID (LSAP\_LOGON\_SESSION) will also be shown. -3. **TargetOutboundUserName** String - **TargetOutboundUserDomain** String - The username and domain of the identity that was created by the LogonUser method for outbound traffic. -4. **VirtualAccount** String: yes or no - If the account that logged into the PC is a virtual account, this field will be yes. Otherwise, the field is no. -5. **GroupMembership** String - A list of all of the groups in the user's token. -6. **RestrictedAdminMode** String: yes or no - If the user logs into the PC in restricted admin mode with Remote Desktop, this field will be yes. - For more info on restricted admin mode, see [Restricted Admin mode for RDP](http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx). - -#### New fields in the process creation event - -The logon event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688: -1. **TargetUserSid** String - The SID of the target principal. -2. **TargetUserName** String - The account name of the target user. -3. **TargetDomainName** String - The domain of the target user.. -4. **TargetLogonId** String - The logon ID of the target user. -5. **ParentProcessName** String - The name of the creator process. -6. **ParentProcessId** String - A pointer to the actual parent process if it's different from the creator process. - -#### New Security Account Manager events - -In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited: -- SamrEnumerateGroupsInDomain -- SamrEnumerateUsersInDomain -- SamrEnumerateAliasesInDomain -- SamrGetAliasMembership -- SamrLookupNamesInDomain -- SamrLookupIdsInDomain -- SamrQueryInformationUser -- SamrQueryInformationGroup -- SamrQueryInformationUserAlias -- SamrGetMembersInGroup -- SamrGetMembersInAlias -- SamrGetUserDomainPasswordInformation - -#### New BCD events - -Event ID 4826 has been added to track the following changes to the Boot Configuration Database (BCD): -- DEP/NEX settings -- Test signing -- PCAT SB simulation -- Debug -- Boot debug -- Integrity Services -- Disable Winload debugging menu - -#### New PNP events - -Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller. - -[Learn how to manage your security audit policies within your organization](/windows/device-security/auditing/security-auditing-overview). - -### Trusted Platform Module - -#### New TPM features in Windows 10 - -The following sections describe the new and changed functionality in the TPM for Windows 10: -- [Device health attestation](#bkmk-dha) -- [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) support -- [Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) support -- [Credential Guard](/windows/access-protection/credential-guard/credential-guard) support - -### Device health attestation - -Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device health attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource. -Some things that you can check on the device are: -- Is Data Execution Prevention supported and enabled? -- Is BitLocker Drive Encryption supported and enabled? -- Is SecureBoot supported and enabled? - -> **Note**  The device must be running Windows 10 and it must support at least TPM 2.0. - -[Learn how to deploy and manage TPM within your organization](/windows/device-security/tpm//trusted-platform-module-overview). - -### User Account Control - -User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment. - -You should not turn off UAC because this is not a supported scenario for devices running Windows 10. If you do turn off UAC, all Univeral Windows Platform apps stop working. You must always set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This is not recommended for devices running Windows 10. - -For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings). - -In Windows 10, User Account Control has added some improvements: - -- **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](https://msdn.microsoft.com/library/windows/desktop/dn889587.aspx) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked. - -[Learn how to manage User Account Control within your organization](/windows/access-protection/user-account-control/user-account-control-overview). - -### VPN profile options - -Windows 10 provides a set of VPN features that both increase enterprise security and provide an improved user experience, including: - -- Always-on auto connection behavior -- App=triggered VPN -- VPN traffic filters -- Lock down VPN -- Integration with Microsoft Passport for Work - -[Learn more about the VPN options in Windows 10.](/windows/access-protection/vpn/vpn-profile-options) - - -## Management - -Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices. - -### MDM support - -MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Microsoft Store, VPN configuration, and more. - -MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](https://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification. - -Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. [Reference for Mobile device management for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=533172) - -### Unenrollment - -When a person leaves your organization and you unenroll the user account or device from management, the enterprise-controlled configurations and apps are removed from the device. You can unenroll the device remotely or the person can unenroll by manually removing the account from the device. - -When a personal device is unenrolled, the user's data and apps are untouched, while enterprise information such as certificates, VPN profiles, and enterprise apps are removed. - -### Infrastructure - -Enterprises have the following identity and management choices. - -| Area | Choices | -|---|---| -| Identity | Active Directory; Azure AD | -| Grouping | Domain join; Workgroup; Azure AD join | -| Device management | Group Policy; System Center Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) | - - > **Note**   -With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](https://go.microsoft.com/fwlink/p/?LinkID=613512). - - -### Device lockdown - - -Do you need a computer that can only do one thing? For example: - -- A device in the lobby that customers can use to view your product catalog. -- A portable device that drivers can use to check a route on a map. -- A device that a temporary worker uses to enter data. - -You can configure a persistent locked down state to [create a kiosk-type device](https://technet.microsoft.com/itpro/windows/manage/set-up-a-device-for-anyone-to-use). When the locked-down account is logged on, the device displays only the app that you select. - -You can also [configure a lockdown state](https://technet.microsoft.com/itpro/windows/manage/lock-down-windows-10-to-specific-apps) that takes effect when a given user account logs on. The lockdown restricts the user to only the apps that you specify. - -Lockdown settings can also be configured for device look and feel, such as a theme or a [custom layout on the Start screen](https://technet.microsoft.com/itpro/windows/manage/windows-10-start-layout-options-and-policies). - -### Customized Start layout - -A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Starting in Windows 10, version 1511, administrators can configure a *partial* Start layout, which applies specified tile groups while allowing users to create and customize their own tile groups. Learn how to [customize and export Start layout](/windows/configuration/customize-and-export-start-layout). - -Administrators can also use mobile device management (MDM) or Group Policy to disable the use of [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight). - -## Updates - -Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. - -By using [Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=699279), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing: - -- **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met). - -- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient. - -- **Use with existing tools** such as System Center Configuration Manager and the [Enterprise Mobility Suite](https://go.microsoft.com/fwlink/p/?LinkId=699281). - -Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) and [System Center Configuration Manager](https://technet.microsoft.com/library/gg682129.aspx). - - -Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb). - -For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/waas-servicing-strategy-windows-10-updates). - -## Microsoft Edge - -Microsoft Edge is not available in the LTSC release of Windows 10. - -## See Also - -[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release. - +--- +title: What's new in Windows 10 Enterprise 2015 LTSC +ms.reviewer: +manager: laurawi +ms.author: greglin +description: New and updated IT Pro content about new features in Windows 10 Enterprise 2015 LTSC (also known as Windows 10 Enterprise 2015 LTSB). +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2015 LTSC"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: low +ms.topic: article +--- + +# What's new in Windows 10 Enterprise 2015 LTSC + +**Applies to** +- Windows 10 Enterprise 2015 LTSC + +This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2015 LTSC (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). + +>[!NOTE] +>Features in Windows 10 Enterprise 2015 LTSC are equivalent to [Windows 10, version 1507](../whats-new-windows-10-version-1507-and-1511.md). + +## Deployment + +### Provisioning devices using Windows Imaging and Configuration Designer (ICD) + +With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Using Windows Provisioning, an IT administrator can easily specify the configuration and settings required to enroll devices into management using a wizard-driven user interface, and then apply this configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. + +[Learn more about provisioning in Windows 10](/windows/configuration/provisioning-packages/provisioning-packages) + +## Security + +### Applocker + +Applocker was available for Windows 8.1, and is improved with Windows 10. See [Requirements to use AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md) for a list of operating system requirements. + +Enhancements to Applocker in Windows 10 include: + +- A new parameter was added to the [New-AppLockerPolicy](https://technet.microsoft.com/library/hh847211.aspx) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**. +- A new [AppLocker](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server. +- You can manage Windows 10 Mobile devices by using the new [AppLocker CSP](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx). + +[Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview). + +### Bitlocker + +Enhancements to Applocker in Windows 10 include: + +- **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](https://technet.microsoft.com/itpro/windows/keep-secure/windows-10-security-guide#device-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This will make it easier to recover your BitLocker key online. +- **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#dataprotection-allowdirectmemoryaccess) MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on. +- **New Group Policy for configuring pre-boot recovery**. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the [Configure pre-boot recovery message and URL](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-group-policy-settings#bkmk-configurepreboot) section in "BitLocker Group Policy settings." + +[Learn how to deploy and manage BitLocker within your organization](/windows/device-security/bitlocker/bitlocker-overview). + +### Certificate management + +For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. As in Windows Phone 8.1, you can use the [Certificates app](https://go.microsoft.com/fwlink/p/?LinkId=615824) to review the details of certificates on your device. [Learn how to install digital certificates on Windows 10 Mobile.](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile) + +### Microsoft Passport + +In Windows 10, [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN. + +Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports Fast ID Online (FIDO) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services. + +### Security auditing + +In Windows 10, security auditing has added some improvements: +- [New audit subcategories](#bkmk-auditsubcat) +- [More info added to existing audit events](#bkmk-moreinfo) + +#### New audit subcategories + +In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events: +- [Audit Group Membership](/windows/device-security/auditing/audit-group-membership) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource. + When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information cannot fit in a single security audit event. +- [Audit PNP Activity](/windows/device-security/auditing/audit-pnp-activity) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device. + Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. + A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs are included in the event. + +#### More info added to existing audit events + +With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events: +- [Changed the kernel default audit policy](#bkmk-kdal) +- [Added a default process SACL to LSASS.exe](#bkmk-lsass) +- [Added new fields in the logon event](#bkmk-logon) +- [Added new fields in the process creation event](#bkmk-logon) +- [Added new Security Account Manager events](#bkmk-sam) +- [Added new BCD events](#bkmk-bcd) +- [Added new PNP events](#bkmk-pnp) + +#### Changed the kernel default audit policy + +In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts. + +#### Added a default process SACL to LSASS.exe + +In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**. +This can help identify attacks that steal credentials from the memory of a process. + +#### New fields in the logon event + +The logon event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624: +1. **MachineLogon** String: yes or no + If the account that logged into the PC is a computer account, this field will be yes. Otherwise, the field is no. +2. **ElevatedToken** String: yes or no + If the account that logged into the PC is an administrative logon, this field will be yes. Otherwise, the field is no. Additionally, if this is part of a split token, the linked login ID (LSAP\_LOGON\_SESSION) will also be shown. +3. **TargetOutboundUserName** String + **TargetOutboundUserDomain** String + The username and domain of the identity that was created by the LogonUser method for outbound traffic. +4. **VirtualAccount** String: yes or no + If the account that logged into the PC is a virtual account, this field will be yes. Otherwise, the field is no. +5. **GroupMembership** String + A list of all of the groups in the user's token. +6. **RestrictedAdminMode** String: yes or no + If the user logs into the PC in restricted admin mode with Remote Desktop, this field will be yes. + For more info on restricted admin mode, see [Restricted Admin mode for RDP](http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx). + +#### New fields in the process creation event + +The logon event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688: +1. **TargetUserSid** String + The SID of the target principal. +2. **TargetUserName** String + The account name of the target user. +3. **TargetDomainName** String + The domain of the target user.. +4. **TargetLogonId** String + The logon ID of the target user. +5. **ParentProcessName** String + The name of the creator process. +6. **ParentProcessId** String + A pointer to the actual parent process if it's different from the creator process. + +#### New Security Account Manager events + +In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited: +- SamrEnumerateGroupsInDomain +- SamrEnumerateUsersInDomain +- SamrEnumerateAliasesInDomain +- SamrGetAliasMembership +- SamrLookupNamesInDomain +- SamrLookupIdsInDomain +- SamrQueryInformationUser +- SamrQueryInformationGroup +- SamrQueryInformationUserAlias +- SamrGetMembersInGroup +- SamrGetMembersInAlias +- SamrGetUserDomainPasswordInformation + +#### New BCD events + +Event ID 4826 has been added to track the following changes to the Boot Configuration Database (BCD): +- DEP/NEX settings +- Test signing +- PCAT SB simulation +- Debug +- Boot debug +- Integrity Services +- Disable Winload debugging menu + +#### New PNP events + +Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller. + +[Learn how to manage your security audit policies within your organization](/windows/device-security/auditing/security-auditing-overview). + +### Trusted Platform Module + +#### New TPM features in Windows 10 + +The following sections describe the new and changed functionality in the TPM for Windows 10: +- [Device health attestation](#bkmk-dha) +- [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) support +- [Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) support +- [Credential Guard](/windows/access-protection/credential-guard/credential-guard) support + +### Device health attestation + +Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device health attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource. +Some things that you can check on the device are: +- Is Data Execution Prevention supported and enabled? +- Is BitLocker Drive Encryption supported and enabled? +- Is SecureBoot supported and enabled? + +> **Note**  The device must be running Windows 10 and it must support at least TPM 2.0. + +[Learn how to deploy and manage TPM within your organization](/windows/device-security/tpm//trusted-platform-module-overview). + +### User Account Control + +User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment. + +You should not turn off UAC because this is not a supported scenario for devices running Windows 10. If you do turn off UAC, all Univeral Windows Platform apps stop working. You must always set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This is not recommended for devices running Windows 10. + +For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings). + +In Windows 10, User Account Control has added some improvements: + +- **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](https://msdn.microsoft.com/library/windows/desktop/dn889587.aspx) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked. + +[Learn how to manage User Account Control within your organization](/windows/access-protection/user-account-control/user-account-control-overview). + +### VPN profile options + +Windows 10 provides a set of VPN features that both increase enterprise security and provide an improved user experience, including: + +- Always-on auto connection behavior +- App=triggered VPN +- VPN traffic filters +- Lock down VPN +- Integration with Microsoft Passport for Work + +[Learn more about the VPN options in Windows 10.](/windows/access-protection/vpn/vpn-profile-options) + + +## Management + +Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices. + +### MDM support + +MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Microsoft Store, VPN configuration, and more. + +MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](https://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification. + +Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. [Reference for Mobile device management for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=533172) + +### Unenrollment + +When a person leaves your organization and you unenroll the user account or device from management, the enterprise-controlled configurations and apps are removed from the device. You can unenroll the device remotely or the person can unenroll by manually removing the account from the device. + +When a personal device is unenrolled, the user's data and apps are untouched, while enterprise information such as certificates, VPN profiles, and enterprise apps are removed. + +### Infrastructure + +Enterprises have the following identity and management choices. + +| Area | Choices | +|---|---| +| Identity | Active Directory; Azure AD | +| Grouping | Domain join; Workgroup; Azure AD join | +| Device management | Group Policy; System Center Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) | + + > **Note**   +With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](https://go.microsoft.com/fwlink/p/?LinkID=613512). + + +### Device lockdown + + +Do you need a computer that can only do one thing? For example: + +- A device in the lobby that customers can use to view your product catalog. +- A portable device that drivers can use to check a route on a map. +- A device that a temporary worker uses to enter data. + +You can configure a persistent locked down state to [create a kiosk-type device](https://technet.microsoft.com/itpro/windows/manage/set-up-a-device-for-anyone-to-use). When the locked-down account is logged on, the device displays only the app that you select. + +You can also [configure a lockdown state](https://technet.microsoft.com/itpro/windows/manage/lock-down-windows-10-to-specific-apps) that takes effect when a given user account logs on. The lockdown restricts the user to only the apps that you specify. + +Lockdown settings can also be configured for device look and feel, such as a theme or a [custom layout on the Start screen](https://technet.microsoft.com/itpro/windows/manage/windows-10-start-layout-options-and-policies). + +### Customized Start layout + +A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Starting in Windows 10, version 1511, administrators can configure a *partial* Start layout, which applies specified tile groups while allowing users to create and customize their own tile groups. Learn how to [customize and export Start layout](/windows/configuration/customize-and-export-start-layout). + +Administrators can also use mobile device management (MDM) or Group Policy to disable the use of [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight). + +## Updates + +Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. + +By using [Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=699279), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing: + +- **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met). + +- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient. + +- **Use with existing tools** such as System Center Configuration Manager and the [Enterprise Mobility Suite](https://go.microsoft.com/fwlink/p/?LinkId=699281). + +Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) and [System Center Configuration Manager](https://technet.microsoft.com/library/gg682129.aspx). + + +Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb). + +For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/waas-servicing-strategy-windows-10-updates). + +## Microsoft Edge + +Microsoft Edge is not available in the LTSC release of Windows 10. + +## See Also + +[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release. + diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md index ebf6fb48d9..683b980e8f 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md @@ -1,178 +1,178 @@ ---- -title: What's new in Windows 10 Enterprise 2016 LTSC -ms.reviewer: -manager: laurawi -ms.author: greglin -description: New and updated IT Pro content about new features in Windows 10 Enterprise 2016 LTSC (also known as Windows 10 Enterprise 2016 LTSB). -keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2016 LTSC"] -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: low -ms.topic: article ---- - -# What's new in Windows 10 Enterprise 2016 LTSC - -**Applies to** -- Windows 10 Enterprise 2016 LTSC - -This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2016 LTSC (LTSB), compared to Windows 10 Enterprise 2015 LTSC (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). - ->[!NOTE] ->Features in Windows 10 Enterprise 2016 LTSC are equivalent to Windows 10, version 1607. - -## Deployment - -### Windows Imaging and Configuration Designer (ICD) - -In previous versions of the Windows 10 Assessment and Deployment Kit (ADK), you had to install additional features for Windows ICD to run. Starting in this version of Windows 10, you can install just the configuration designer component independent of the rest of the imaging components. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) - -Windows ICD now includes simplified workflows for creating provisioning packages: - -- [Simple provisioning to set up common settings for Active Directory-joined devices](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment) -- [Advanced provisioning to deploy certificates and apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates) -- [School provisioning to set up classroom devices for Active Directory](https://technet.microsoft.com/edu/windows/set-up-students-pcs-to-join-domain) - -[Learn more about using provisioning packages in Windows 10.](/windows/configuration/provisioning-packages/provisioning-packages) - -### Windows Upgrade Readiness - ->[!IMPORTANT] ->Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a semi-annual channel release. - -Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10. - -With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. - -Use Upgrade Readiness to get: - -- A visual workflow that guides you from pilot to production -- Detailed computer and application inventory -- Powerful computer level search and drill-downs -- Guidance and insights into application and driver compatibility issues, with suggested fixes -- Data driven application rationalization tools -- Application usage information, allowing targeted validation; workflow to track validation progress and decisions -- Data export to commonly used software deployment tools - -The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are upgrade-ready. - -[Learn more about planning and managing Windows upgrades with Windows Upgrade Readiness.](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness) - -## Security - -### Credential Guard and Device Guard - -Isolated User Mode is now included with Hyper-V so you don't have to install it separately. - -### Windows Hello for Business - -When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in this version of Windows 10. Customers who have already deployed Microsoft Passport for Work will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. - -Additional changes for Windows Hello in Windows 10 Enterprise 2016 LTSC: - -- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. -- Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**. -- Beginning in this version of Windows 10, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN, enable the Group Policy setting **Turn on convenience PIN sign-in**. - - -[Learn more about Windows Hello for Business.](/windows/access-protection/hello-for-business/hello-identity-verification) - -### Bitlocker - -#### New Bitlocker features - -- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys. - It provides the following benefits: - - The algorithm is FIPS-compliant. - - Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization. - >**Note:** Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms. - -### Security auditing - -#### New Security auditing features - -- The [WindowsSecurityAuditing](https://go.microsoft.com/fwlink/p/?LinkId=690517) and [Reporting](https://go.microsoft.com/fwlink/p/?LinkId=690525) configuration service providers allow you to add security audit policies to mobile devices. - -### Trusted Platform Module - -#### New TPM features - -- Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC). - -### Windows Information Protection (WIP), formerly known as enterprise data protection (EDP) - -With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. - -Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. - -- [Create a Windows Information Protection (WIP) policy](https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy) -- [General guidance and best practices for Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip) - -[Learn more about Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip) - -### Windows Defender - -Several new features and management options have been added to Windows Defender in this version of Windows 10. - -- [Windows Defender Offline in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media. -- [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus) to configure options and run scans. -- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware. -- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus) to see more information about threat detections and removal. -- [Run a Windows Defender scan from the command line](/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus). -- [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus) during download and install times. - -### Windows Defender Advanced Threat Protection (ATP) - -With the growing threat from more sophisticated targeted attacks, a new security solution is imperative in securing an increasingly complex network ecosystem. Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks. - -[Learn more about Windows Defender Advanced Threat Protection (ATP)](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). - -### VPN security - -- The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Azure Active Directory, to provide a device compliance option for remote clients. -- The VPN client can integrate with Windows Information Protection (WIP) policy to provide additional security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection. -- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607) -- Microsoft Intune: *VPN Profile (Windows 10 Desktop and Mobile and later)* policy template includes support for native VPN plug-ins. - -## Management - -### Use Remote Desktop Connection for PCs joined to Azure Active Directory - -From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in this version of Windows 10, you can also connect to a remote PC that is joined to Azure Active Directory (Azure AD). [Learn about the requirements and supported configurations.](/windows/client-management/connect-to-remote-aadj-pc) - -### Taskbar configuration - -Enterprise administrators can add and remove pinned apps from the taskbar. Users can pin apps, unpin apps, and change the order of pinned apps on the taskbar after the enterprise configuration is applied. [Learn how to configure the taskbar.](/windows/configuration/windows-10-start-layout-options-and-policies) - -### Mobile device management and configuration service providers (CSPs) - -Numerous settings have been added to the Windows 10 CSPs to expand MDM capabilities for managing devices. To learn more about the specific changes in MDM policies for this version of Windows 10, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607). - -### Shared PC mode - -This version of Windows 10, introduces shared PC mode, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Education, and Enterprise. [Learn how to set up a shared or guest PC.](/windows/configuration/set-up-shared-or-guest-pc) - -### Application Virtualization (App-V) for Windows 10 - -Application Virtualization (App-V) enables organizations to deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Microsoft Store, and interact with them as if they were installed locally. - -With the release of this version of Windows 10, App-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and App-V or if you're upgrading from a previous version of App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users. - -[Learn how to deliver virtual applications with App-V.](/windows/application-management/app-v/appv-getting-started) - -### User Experience Virtualization (UE-V) for Windows 10 - -Many users customize their settings for Windows and for specific applications. Customizable Windows settings include Microsoft Store appearance, language, background picture, font size, and accent colors. Customizable application settings include language, appearance, behavior, and user interface options. - -With User Experience Virtualization (UE-V), you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to. - -With the release of this version of Windows 10, UE-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices. - -[Learn how to synchronize user-customized settings with UE-V.](/windows/configuration/ue-v/uev-for-windows) - -## See Also - -[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release. - +--- +title: What's new in Windows 10 Enterprise 2016 LTSC +ms.reviewer: +manager: laurawi +ms.author: greglin +description: New and updated IT Pro content about new features in Windows 10 Enterprise 2016 LTSC (also known as Windows 10 Enterprise 2016 LTSB). +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2016 LTSC"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: low +ms.topic: article +--- + +# What's new in Windows 10 Enterprise 2016 LTSC + +**Applies to** +- Windows 10 Enterprise 2016 LTSC + +This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2016 LTSC (LTSB), compared to Windows 10 Enterprise 2015 LTSC (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). + +>[!NOTE] +>Features in Windows 10 Enterprise 2016 LTSC are equivalent to Windows 10, version 1607. + +## Deployment + +### Windows Imaging and Configuration Designer (ICD) + +In previous versions of the Windows 10 Assessment and Deployment Kit (ADK), you had to install additional features for Windows ICD to run. Starting in this version of Windows 10, you can install just the configuration designer component independent of the rest of the imaging components. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) + +Windows ICD now includes simplified workflows for creating provisioning packages: + +- [Simple provisioning to set up common settings for Active Directory-joined devices](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment) +- [Advanced provisioning to deploy certificates and apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates) +- [School provisioning to set up classroom devices for Active Directory](https://technet.microsoft.com/edu/windows/set-up-students-pcs-to-join-domain) + +[Learn more about using provisioning packages in Windows 10.](/windows/configuration/provisioning-packages/provisioning-packages) + +### Windows Upgrade Readiness + +>[!IMPORTANT] +>Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a semi-annual channel release. + +Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10. + +With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. + +Use Upgrade Readiness to get: + +- A visual workflow that guides you from pilot to production +- Detailed computer and application inventory +- Powerful computer level search and drill-downs +- Guidance and insights into application and driver compatibility issues, with suggested fixes +- Data driven application rationalization tools +- Application usage information, allowing targeted validation; workflow to track validation progress and decisions +- Data export to commonly used software deployment tools + +The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are upgrade-ready. + +[Learn more about planning and managing Windows upgrades with Windows Upgrade Readiness.](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness) + +## Security + +### Credential Guard and Device Guard + +Isolated User Mode is now included with Hyper-V so you don't have to install it separately. + +### Windows Hello for Business + +When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in this version of Windows 10. Customers who have already deployed Microsoft Passport for Work will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. + +Additional changes for Windows Hello in Windows 10 Enterprise 2016 LTSC: + +- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. +- Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**. +- Beginning in this version of Windows 10, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN, enable the Group Policy setting **Turn on convenience PIN sign-in**. + + +[Learn more about Windows Hello for Business.](/windows/access-protection/hello-for-business/hello-identity-verification) + +### Bitlocker + +#### New Bitlocker features + +- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys. + It provides the following benefits: + - The algorithm is FIPS-compliant. + - Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization. + >**Note:** Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms. + +### Security auditing + +#### New Security auditing features + +- The [WindowsSecurityAuditing](https://go.microsoft.com/fwlink/p/?LinkId=690517) and [Reporting](https://go.microsoft.com/fwlink/p/?LinkId=690525) configuration service providers allow you to add security audit policies to mobile devices. + +### Trusted Platform Module + +#### New TPM features + +- Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC). + +### Windows Information Protection (WIP), formerly known as enterprise data protection (EDP) + +With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. + +Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. + +- [Create a Windows Information Protection (WIP) policy](https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy) +- [General guidance and best practices for Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip) + +[Learn more about Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip) + +### Windows Defender + +Several new features and management options have been added to Windows Defender in this version of Windows 10. + +- [Windows Defender Offline in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media. +- [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus) to configure options and run scans. +- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware. +- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus) to see more information about threat detections and removal. +- [Run a Windows Defender scan from the command line](/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus). +- [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus) during download and install times. + +### Windows Defender Advanced Threat Protection (ATP) + +With the growing threat from more sophisticated targeted attacks, a new security solution is imperative in securing an increasingly complex network ecosystem. Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks. + +[Learn more about Windows Defender Advanced Threat Protection (ATP)](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). + +### VPN security + +- The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Azure Active Directory, to provide a device compliance option for remote clients. +- The VPN client can integrate with Windows Information Protection (WIP) policy to provide additional security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection. +- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607) +- Microsoft Intune: *VPN Profile (Windows 10 Desktop and Mobile and later)* policy template includes support for native VPN plug-ins. + +## Management + +### Use Remote Desktop Connection for PCs joined to Azure Active Directory + +From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in this version of Windows 10, you can also connect to a remote PC that is joined to Azure Active Directory (Azure AD). [Learn about the requirements and supported configurations.](/windows/client-management/connect-to-remote-aadj-pc) + +### Taskbar configuration + +Enterprise administrators can add and remove pinned apps from the taskbar. Users can pin apps, unpin apps, and change the order of pinned apps on the taskbar after the enterprise configuration is applied. [Learn how to configure the taskbar.](/windows/configuration/windows-10-start-layout-options-and-policies) + +### Mobile device management and configuration service providers (CSPs) + +Numerous settings have been added to the Windows 10 CSPs to expand MDM capabilities for managing devices. To learn more about the specific changes in MDM policies for this version of Windows 10, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607). + +### Shared PC mode + +This version of Windows 10, introduces shared PC mode, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Education, and Enterprise. [Learn how to set up a shared or guest PC.](/windows/configuration/set-up-shared-or-guest-pc) + +### Application Virtualization (App-V) for Windows 10 + +Application Virtualization (App-V) enables organizations to deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Microsoft Store, and interact with them as if they were installed locally. + +With the release of this version of Windows 10, App-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and App-V or if you're upgrading from a previous version of App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users. + +[Learn how to deliver virtual applications with App-V.](/windows/application-management/app-v/appv-getting-started) + +### User Experience Virtualization (UE-V) for Windows 10 + +Many users customize their settings for Windows and for specific applications. Customizable Windows settings include Microsoft Store appearance, language, background picture, font size, and accent colors. Customizable application settings include language, appearance, behavior, and user interface options. + +With User Experience Virtualization (UE-V), you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to. + +With the release of this version of Windows 10, UE-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices. + +[Learn how to synchronize user-customized settings with UE-V.](/windows/configuration/ue-v/uev-for-windows) + +## See Also + +[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release. + diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index dad076a535..129309368a 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -1,631 +1,631 @@ ---- -title: What's new in Windows 10 Enterprise 2019 LTSC -ms.reviewer: -manager: laurawi -ms.author: greglin -description: New and updated IT Pro content about new features in Windows 10 Enterprise 2019 LTSC (also known as Windows 10 Enterprise 2019 LTSB). -keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2019 LTSC"] -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: low -ms.topic: article ---- - -# What's new in Windows 10 Enterprise 2019 LTSC - -**Applies to** -- Windows 10 Enterprise 2019 LTSC - -This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2019 LTSC, compared to Windows 10 Enterprise 2016 LTSC (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md). - ->[!NOTE] ->Features in Windows 10 Enterprise 2019 LTSC are equivalent to Windows 10, version 1809. - -Windows 10 Enterprise LTSC 2019 builds on Windows 10 Pro, version 1809 adding premium features designed to address the needs of large and mid-size organizations (including large academic institutions), such as: - - Advanced protection against modern security threats - - Full flexibility of OS deployment - - Updating and support options - - Comprehensive device and app management and control capabilities - -The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC users because it includes the cumulative enhancements provided in Windows 10 versions 1703, 1709, 1803, and 1809. Details about these enhancements are provided below. - ->[!IMPORTANT] ->The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the semi-annual channel release of Windows 10 might be limited. - -## Microsoft Intune - ->Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows Update for Business (WUfB) does not currently support any LTSC releases, therefore you should use WSUS or Configuration Manager for patching. - -## Security - -This version of Window 10 includes security improvements for threat protection, information protection, and identity protection. - -### Threat protection - -#### Windows Defender ATP - -The Windows Defender Advanced Threat Protection ([Windows Defender ATP](/windows/security/threat-protection/index)) platform inludes the security pillars shown in the following diagram. In this version of Windows, Windows Defender ATP includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. - -![Windows Defender ATP](../images/wdatp.png) - -##### Attack surface reduction - -Attack surface reduction includes host-based intrusion prevention systems such as [controlled folder access](/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard). - - This feature can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether. - - When an app is blocked, it will appear in a recently blocked apps list, which you can get to by clicking **Manage settings** under the **Ransomware protection** heading. Click **Allow an app through Controlled folder access**. After the prompt, click the **+** button and choose **Recently blocked apps**. Select any of the apps to add them to the allowed list. You can also browse for an app from this page. - -###### Windows Defender Firewall - -Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes. You can add specific rules for a WSL process just as you would for any Windows process. Also, Windows Defender Firewall now supports notifications for WSL processes. For example, when a Linux tool wants to allow access to a port from the outside (like SSH or a web server like nginx), Windows Defender Firewall will prompt to allow access just like it would for a Windows process when the port starts accepting connections. This was first introduced in [Build 17627](https://docs.microsoft.com/windows/wsl/release-notes#build-17618-skip-ahead). - -##### Windows Defender Device Guard - -[Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control) has always been a collection of technologies that can be combined to lock down a PC, including: -- Software-based protection provided by code integrity policies -- Hardware-based protection provided by Hypervisor-protected code integrity (HVCI) - -But these protections can also be configured separately. And, unlike HVCI, code integrity policies do not require virtualization-based security (VBS). To help underscore the distinct value of these protections, code integrity policies have been rebranded as [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control). - -### Next-gen protection - -#### Office 365 Ransomware Detection - -For Office 365 Home and Office 365 Personal subscribers, Ransomware Detection notifies you when your OneDrive files have been attacked and guides you through the process of restoring your files. For more information, see [Ransomware detection and recovering your files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US) - -### Endpoint detection and response - -Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Windows Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Windows Defender ATP portal. - - Windows Defender is now called Windows Defender Antivirus and now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). - - We've also [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). The new library includes information on: -- [Deploying and enabling AV protection](/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus) -- [Managing updates](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) -- [Reporting](/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus) -- [Configuring features](/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) -- [Troubleshooting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus) - - Some of the highlights of the new library include [Evaluation guide for Windows Defender AV](/windows/threat-protection/windows-defender-antivirus//evaluate-windows-defender-antivirus) and [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus). - - New features for Windows Defender AV in Windows 10 Enterprise 2019 LTSC include: -- [Updates to how the Block at First Sight feature can be configured](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) -- [The ability to specify the level of cloud-protection](/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus) -- [Windows Defender Antivirus protection in the Windows Defender Security Center app](/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus) - - We've [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment with [updated behavior monitoring and always-on real-time protection](/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). - - **Endpoint detection and response** is also enhanced. New **detection** capabilities include: -- [Use the threat intelligence API to create custom alerts](/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization. - - [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections). With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. - - Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks. - - Upgraded detections of ransomware and other advanced attacks. - - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed. - - **Threat reponse** is improved when an attack is detected, enabling immediate action by security teams to contain a breach: -- [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package. - - [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file. - -Additional capabilities have been added to help you gain a holistic view on **investigations** include: - - [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics) - Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. - - [Query data using Advanced hunting in Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) - - [Use Automated investigations to investigate and remediate threats](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) - - [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials. - - [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time. - - [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Windows Defender ATP. - -Other enhanced security features include: -- [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues. -- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection) - Windows Defender ATP adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools. -- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center) - Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. -- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration) - Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines. -- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019) - Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. -- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection) - Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor. -- [Enable conditional access to better protect users, devices, and data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection) - -We've also added a new assessment for the Windows time service to the **Device performance & health** section. If we detect that your device’s time is not properly synced with our time servers and the time-syncing service is disabled, we’ll provide the option for you to turn it back on. - -We’re continuing to work on how other security apps you’ve installed show up in the **Windows Security** app. There’s a new page called **Security providers** that you can find in the **Settings** section of the app. Click **Manage providers** to see a list of all the other security providers (including antivirus, firewall, and web protection) that are running on your device. Here you can easily open the providers’ apps or get more information on how to resolve issues reported to you through **Windows Security**. - -This also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks). - -You can read more about ransomware mitigations and detection capability at: -- [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/) -- [Ransomware Protection in Windows 10 Anniversary Update whitepaper (PDF)](http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf) -- [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/) - -Also see [New capabilities of Windows Defender ATP further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97) - -Get a quick, but in-depth overview of Windows Defender ATP for Windows 10: [Windows Defender Advanced Threat Protection](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). - -For more information about features of Windows Defender ATP available in different editions of Windows 10, see the [Windows 10 commercial edition comparison](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf). - -### Information protection - -Improvements have been added to Windows Information Protection and BitLocker. - -#### Windows Information Protection - -Windows Information Protection is now designed to work with Microsoft Office and Azure Information Protection. For more information, see [Deploying and managing Windows Information Protection (WIP) with Azure Information Protection](https://myignite.microsoft.com/sessions/53660?source=sessions). - -Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune). - -You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For info, see the brand-new topic, [How to collect Windows Information Protection (WIP) audit event logs](/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs). - -This release enables support for WIP with Files on Demand, allows file encryption while the file is open in another app, and improves performance. For more information, see [OneDrive Files On-Demand For The Enterprise](https://techcommunity.microsoft.com/t5/OneDrive-Blog/OneDrive-Files-On-Demand-For-The-Enterprise/ba-p/117234). - -### BitLocker - -The minimum PIN length is being changed from 6 to 4, with a default of 6. For more information, see [BitLocker Group Policy settings](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-group-policy-settings#bkmk-unlockpol3). - -#### Silent enforcement on fixed drives - -Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard AAD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI. - -This is an update to the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp), which was introduced in Windows 10, version 1703, and leveraged by Intune and others. - -This feature will soon be enabled on Olympia Corp as an optional feature. - -#### Delivering BitLocker policy to AutoPilot devices during OOBE - -You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before BitLocker encryption begins. - -For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE. - -To achieve this: - -1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. -2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group. - - **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users. -3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. - - **IMPORTANT**: If the ESP is not enabled, the policy will not apply before encryption starts. - -### Identity protection - -Improvements have been added are to Windows Hello for Business and Credential Guard. - -#### Windows Hello for Business - -New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you are not present. - -New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification.md) inlcude: -- You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). -- For Windows Phone devices, an administrator is able to initiate a remote PIN reset through the Intune portal. -- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset). - -[Windows Hello](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in the [Kiosk configuration](#kiosk-configuration) section. -- Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/). -- Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions. -- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off. -- You can set up Windows Hello from lock screen for MSA accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options. -- New [public API](https://docs.microsoft.com/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider. -- It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off). - -For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97) - -#### Windows Defender Credential Guard - -Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It is designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. - -Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. Please note that Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions. - -For more information, see [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations). - -### Other security improvments - -#### Windows security baselines - -Microsoft has released new [Windows security baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/windows/device-security/security-compliance-toolkit-10). - -**Windows security baselines** have been updated for Windows 10. A [security baseline](https://docs.microsoft.com/windows/device-security/windows-security-baselines) is a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/windows/device-security/security-compliance-toolkit-10). - -The new [security baseline for Windows 10 version 1803](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10) has been published. - -#### SMBLoris vulnerability - -An issue, known as “SMBLoris�?, which could result in denial of service, has been addressed. - -#### Windows Security Center - -Windows Defender Security Center is now called **Windows Security Center**. - -You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Windows Defender Antivirus** and **Windows Defender Firewall**. - -The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Windows Defender Antivirus will remain enabled side-by-side with these products. - -WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**. - -![alt text](../images/defender.png "Windows Security Center") - -#### Group Policy Security Options - -The security setting [**Interactive logon: Display user information when the session is locked**](/windows/device-security/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. - -A new security policy setting -[**Interactive logon: Don't display username at sign-in**](/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 Enterprise 2019 LTSC. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile. - -#### Windows 10 in S mode - -We’ve continued to work on the **Current threats** area in [Virus & threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: - -![Virus & threat protection settings](../images/virus-and-threat-protection.png "Virus & threat protection settings") - -## Deployment - -### Windows Autopilot - -[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise 2019 LTSC (and later versions). Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10. - -Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog) or this article for updated information. - -Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly. - -You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](https://docs.microsoft.com/microsoft-store/add-profile-to-devices). - -#### Windows Autopilot self-deploying mode - -Windows Autopilot self-deploying mode enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured automatically by Windows Autopilot. - -This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process. - -You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required. - -To learn more about Autopilot self-deploying mode and to see step-by-step instructions to perform such a deployment, [Windows Autopilot self-deploying mode](https://docs.microsoft.com/windows/deployment/windows-autopilot/self-deploying). - - -#### Autopilot Reset - -IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset). - -### MBR2GPT.EXE - -MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise 2019 LTSC (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS). - -The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk. - -Additional security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock. - -For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt). - -### DISM - -The following new DISM commands have been added to manage feature updates: - - DISM /Online /Initiate-OSUninstall - – Initiates a OS uninstall to take the computer back to the previous installation of windows. - DISM /Online /Remove-OSUninstall - – Removes the OS uninstall capability from the computer. - DISM /Online /Get-OSUninstallWindow - – Displays the number of days after upgrade during which uninstall can be performed. - DISM /Online /Set-OSUninstallWindow - – Sets the number of days after upgrade during which uninstall can be performed. - -For more information, see [DISM operating system uninstall command-line options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options). - -### Windows Setup - -You can now run your own custom actions or scripts in parallel with Windows Setup. Setup will also migrate your scripts to next feature release, so you only need to add them once. - -Prerequisites: -- Windows 10, version 1803 or Windows 10 Enterprise 2019 LTSC, or later. -- Windows 10 Enterprise or Pro - -For more information, see [Run custom actions during feature update](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions). - -It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option. - - /PostRollback [\setuprollback.cmd] [/postrollback {system / admin}] - -For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21) - -New command-line switches are also available to control BitLocker: - - Setup.exe /BitLocker AlwaysSuspend - – Always suspend bitlocker during upgrade. - Setup.exe /BitLocker TryKeepActive - – Enable upgrade without suspending bitlocker but if upgrade, does not work then suspend bitlocker and complete the upgrade. - Setup.exe /BitLocker ForceKeepActive - – Enable upgrade without suspending bitlocker, but if upgrade does not work, fail the upgrade. - -For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33) - -### Feature update improvements - -Portions of the work done during the offline phases of a Windows update have been moved to the online phase. This has resulted in a significant reduction of offline time when installing updates. For more information, see [We're listening to you](https://insider.windows.com/en-us/articles/were-listening-to-you/). - -### SetupDiag - -[SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag) is a new command-line tool that can help diagnose why a Windows 10 update failed. - -SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. - -## Sign-in - -### Faster sign-in to a Windows 10 shared pc - -If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](https://docs.microsoft.com/windows/configuration/set-up-shared-or-guest-pc) in a flash! - -**To enable fast sign-in:** -1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise 2019 LTSC. -2. Set the Policy CSP, and the **Authentication** and **EnableFastFirstSignIn** policies to enable fast sign-in. -3. Sign-in to a shared PC with your account. You'll notice the difference! - - ![fast sign-in](../images/fastsignin.png "fast sign-in") - -### Web sign-in to Windows 10 - -Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing “web sign-in,” a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML). - -**To try out web sign-in:** -1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs). -2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in. -3. On the lock screen, select web sign-in under sign-in options. -4. Click the “Sign in” button to continue. - -![Web sign-in](../images/websignin.png "web sign-in") - -## Windows Analytics - -### Upgrade Readiness - ->[!IMPORTANT] ->Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a semi-annual channel release. - -Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. - -The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled. - -For more information about Upgrade Readiness, see the following topics: - -- [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/) -- [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness) - -Upgrade Readiness provides insights into application and driver compatibility issues. New capabilities include better app coverage, post-upgrade health reports, and enhanced report filtering capabilities. For more information, see [Manage Windows upgrades with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). - -### Update Compliance - -Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date. - -Update Compliance is a solution built using OMS Log Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues. - -For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](/windows/deployment/update/update-compliance-monitor). - -New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. For more information, see [Monitor Windows Updates and Windows Defender Antivirus with Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor). - -### Device Health - -Maintaining devices is made easier with Device Health, a new, premium analytic tool that identifies devices and drivers that crash frequently and might need to be rebuilt or replaced. For more information, see [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor). - -## Accessibility and Privacy - -### Accessibility - -"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](https://docs.microsoft.com/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in the [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/) blog post. - -### Privacy - -In the Feedback and Settings page under Privacy Settings you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the [Diagnostic Data Viewer](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) app. - -## Configuration - -### Kiosk configuration - -Microsoft Edge has many improvements specifically targeted to Kiosks, however Edge is not available in the LTSC release of Windows 10. Internet Explorer is included in Windows 10 LTSC releases as its feature set is not changing, and it will continue to get security fixes for the life of a Windows 10 LTSC release. - -If you wish to take advantage of [Kiosk capabilities in Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy), consider [Kiosk mode](https://docs.microsoft.com/windows/configuration/kiosk-methods) with a semi-annual release channel. - -### Co-management - -Intune and System Center Configuration Manager policies have been added to enable hyrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management. - -For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803) - -### OS uninstall period - -The OS uninstall period is a length of time that users are given when they can optionally roll back a Windows 10 update. With this release, administrators can use Intune or [DISM](#dism) to customize the length of the OS uninstall period. - -### Azure Active Directory join in bulk - -Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards. - -![get bulk token action in wizard](../images/bulk-token.png) - -### Windows Spotlight - -The following new Group Policy and mobile device management (MDM) settings are added to help you configure Windows Spotlight user experiences: - -- **Turn off the Windows Spotlight on Action Center** -- **Do not use diagnostic data for tailored experiences** -- **Turn off the Windows Welcome Experience** - -[Learn more about Windows Spotlight.](/windows/configuration/windows-spotlight) - -### Start and taskbar layout - -Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10 Enterprise 2019 LTSC adds support for customized taskbars to [MDM](/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management). - -[Additional MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include: - -- Settings for the User tile: [**Start/HideUserTile**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) -- Settings for Power: [**Start/HidePowerButton**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesleep) -- Additional new settings: [**Start/HideFrequentlyUsedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist). - -## Windows Update - -### Windows Update for Business - -Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure). - -The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates). - - -Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details. - -WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds). - -Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure). - -The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates). - - -Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details. - -WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds). - -### Windows Insider for Business - -We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](/windows/deployment/update/waas-windows-insider-for-business). - -You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](https://docs.microsoft.com/windows/deployment/update/waas-windows-insider-for-business#getting-started-with-windows-insider-program-for-business). - - -### Optimize update delivery - -With changes delivered in Windows 10 Enterprise 2019 LTSC, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with System Center Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](https://technet.microsoft.com/windows-server-docs/management/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS. - ->[!NOTE] -> The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update. - -Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios. - -Added policies include: -- [Allow uploads while the device is on battery while under set Battery level](/windows/deployment/update/waas-delivery-optimization#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) -- [Enable Peer Caching while the device connects via VPN](/windows/deployment/update/waas-delivery-optimization#enable-peer-caching-while-the-device-connects-via-vpn) -- [Minimum RAM (inclusive) allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-ram-allowed-to-use-peer-caching) -- [Minimum disk size allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-disk-size-allowed-to-use-peer-caching) -- [Minimum Peer Caching Content File Size](/windows/deployment/update/waas-delivery-optimization#minimum-peer-caching-content-file-size) - -To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization) - -### Uninstalled in-box apps no longer automatically reinstall - -Starting with Windows 10 Enterprise 2019 LTSC, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process. - -Additionally, apps de-provisioned by admins on Windows 10 Enterprise 2019 LTSC machines will stay de-provisioned after future feature update installations. This will not apply to the update from Windows 10 Enterprise 2016 LTSC (or earlier) to Windows 10 Enterprise 2019 LTSC. - -## Management - -### New MDM capabilities - -Windows 10 Enterprise 2019 LTSC adds many new [configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. Among other things, these CSPs enable you to configure a few hundred of the most useful Group Policy settings via MDM - see [Policy CSP - ADMX-backed policies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed). - -Some of the other new CSPs are: - -- The [DynamicManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs. - -- The [CleanPC CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data. - -- The [BitLocker CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/bitlocker-csp) is used to manage encryption of PCs and devices. For example, you can require storage card encryption on mobile devices, or require encryption for operating system drives. - -- The [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) is used to configure a proxy server for ethernet and Wi-Fi connections. - -- The [Office CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/office-csp) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/library/jj219426.aspx). - -- The [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM. - -IT pros can use the new [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents. - -[Learn more about new MDM capabilities.](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/new-in-windows-mdm-enrollment-management#whatsnew10) - -MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group Policy can be used with Active Directory joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](https://docs.microsoft.com/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy). - -Multiple new configuration items are also added. For more information, see [What's new in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1709). - -### Mobile application management support for Windows 10 - -The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10 Enterprise 2019 LTSC. - -For more info, see [Implement server-side support for mobile application management on Windows](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management). - -### MDM diagnostics - -In Windows 10 Enterprise 2019 LTSC, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost. - -### Application Virtualization for Windows (App-V) - -Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10 Enterprise 2019 LTSC introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart. - -For more info, see the following topics: -- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-provision-a-vm) -- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-sequencing) -- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-updating) -- [Automatically cleanup unpublished packages on the App-V client](/windows/application-management/app-v/appv-auto-clean-unpublished-packages) - -### Windows diagnostic data - -Learn more about the diagnostic data that's collected at the Basic level and some examples of the types of data that is collected at the Full level. - -- [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703) -- [Windows 10, version 1703 Diagnostic Data](/windows/configuration/windows-diagnostic-data-1703) - -### Group Policy spreadsheet - -Learn about the new Group Policies that were added in Windows 10 Enterprise 2019 LTSC. - -- [Group Policy Settings Reference for Windows and Windows Server](https://www.microsoft.com/download/details.aspx?id=25250) - -### Mixed Reality Apps - -This version of Windows 10 introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/). Organizations that use WSUS must take action to enable Windows Mixed Reality. You can also prohibit use of Windows Mixed Reality by blocking installation of the Mixed Reality Portal. For more information, see [Enable or block Windows Mixed Reality apps in the enterprise](https://docs.microsoft.com/windows/application-management/manage-windows-mixed-reality). - -## Networking - -### Network stack - -Several network stack enhancements are available in this release. Some of these features were also available in Windows 10, version 1703. For more information, see [Core Network Stack Features in the Creators Update for Windows 10](https://blogs.technet.microsoft.com/networking/2017/07/13/core-network-stack-features-in-the-creators-update-for-windows-10/). - -### Miracast over Infrastructure - -In this version of Windows 10, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](https://msdn.microsoft.com/library/mt796768.aspx). - -How it works: - -Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection. - -Miracast over Infrastructure offers a number of benefits: - -- Windows automatically detects when sending the video stream over this path is applicable. -- Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network. -- Users do not have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections. -- No changes to current wireless drivers or PC hardware are required. -- It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct. -- It leverages an existing connection which both reduces the time to connect and provides a very stable stream. - -Enabling Miracast over Infrastructure: - -If you have a device that has been updated to Windows 10 Enterprise 2019 LTSC, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment: - -- The device (PC, phone, or Surface Hub) needs to be running Windows 10, version 1703, Windows 10 Enterprise 2019 LTSC, or a later OS. -- A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*. - - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. - - As a Miracast source, the PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. -- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname. -- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. - -It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method. - -## Registry editor improvements - -We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word. - -![Registry editor dropdown](../images/regeditor.png "Registry editor dropdown") - -## Remote Desktop with Biometrics - -Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. - -To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click **Connect**. - -- Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click **More choices** to choose alternate credentials. -- Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN. - -See the following example: - -![Enter your credentials](../images/RDPwBioTime.png "Windows Hello") -![Enter your credentials](../images/RDPwBio2.png "Windows Hello personal") -![Microsoft Hyper-V Server 2016](../images/hyper-v.png "Microsoft Hyper-V Server 2016") - -## See Also - -[Windows 10 Enterprise LTSC](index.md): A short description of the LTSC servicing channel with links to information about each release. +--- +title: What's new in Windows 10 Enterprise 2019 LTSC +ms.reviewer: +manager: laurawi +ms.author: greglin +description: New and updated IT Pro content about new features in Windows 10 Enterprise 2019 LTSC (also known as Windows 10 Enterprise 2019 LTSB). +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2019 LTSC"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: low +ms.topic: article +--- + +# What's new in Windows 10 Enterprise 2019 LTSC + +**Applies to** +- Windows 10 Enterprise 2019 LTSC + +This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2019 LTSC, compared to Windows 10 Enterprise 2016 LTSC (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md). + +>[!NOTE] +>Features in Windows 10 Enterprise 2019 LTSC are equivalent to Windows 10, version 1809. + +Windows 10 Enterprise LTSC 2019 builds on Windows 10 Pro, version 1809 adding premium features designed to address the needs of large and mid-size organizations (including large academic institutions), such as: + - Advanced protection against modern security threats + - Full flexibility of OS deployment + - Updating and support options + - Comprehensive device and app management and control capabilities + +The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC users because it includes the cumulative enhancements provided in Windows 10 versions 1703, 1709, 1803, and 1809. Details about these enhancements are provided below. + +>[!IMPORTANT] +>The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the semi-annual channel release of Windows 10 might be limited. + +## Microsoft Intune + +>Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows Update for Business (WUfB) does not currently support any LTSC releases, therefore you should use WSUS or Configuration Manager for patching. + +## Security + +This version of Window 10 includes security improvements for threat protection, information protection, and identity protection. + +### Threat protection + +#### Windows Defender ATP + +The Windows Defender Advanced Threat Protection ([Windows Defender ATP](/windows/security/threat-protection/index)) platform inludes the security pillars shown in the following diagram. In this version of Windows, Windows Defender ATP includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. + +![Windows Defender ATP](../images/wdatp.png) + +##### Attack surface reduction + +Attack surface reduction includes host-based intrusion prevention systems such as [controlled folder access](/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard). + - This feature can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether. + - When an app is blocked, it will appear in a recently blocked apps list, which you can get to by clicking **Manage settings** under the **Ransomware protection** heading. Click **Allow an app through Controlled folder access**. After the prompt, click the **+** button and choose **Recently blocked apps**. Select any of the apps to add them to the allowed list. You can also browse for an app from this page. + +###### Windows Defender Firewall + +Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes. You can add specific rules for a WSL process just as you would for any Windows process. Also, Windows Defender Firewall now supports notifications for WSL processes. For example, when a Linux tool wants to allow access to a port from the outside (like SSH or a web server like nginx), Windows Defender Firewall will prompt to allow access just like it would for a Windows process when the port starts accepting connections. This was first introduced in [Build 17627](https://docs.microsoft.com/windows/wsl/release-notes#build-17618-skip-ahead). + +##### Windows Defender Device Guard + +[Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control) has always been a collection of technologies that can be combined to lock down a PC, including: +- Software-based protection provided by code integrity policies +- Hardware-based protection provided by Hypervisor-protected code integrity (HVCI) + +But these protections can also be configured separately. And, unlike HVCI, code integrity policies do not require virtualization-based security (VBS). To help underscore the distinct value of these protections, code integrity policies have been rebranded as [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control). + +### Next-gen protection + +#### Office 365 Ransomware Detection + +For Office 365 Home and Office 365 Personal subscribers, Ransomware Detection notifies you when your OneDrive files have been attacked and guides you through the process of restoring your files. For more information, see [Ransomware detection and recovering your files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US) + +### Endpoint detection and response + +Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Windows Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Windows Defender ATP portal. + + Windows Defender is now called Windows Defender Antivirus and now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). + + We've also [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). The new library includes information on: +- [Deploying and enabling AV protection](/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus) +- [Managing updates](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) +- [Reporting](/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus) +- [Configuring features](/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) +- [Troubleshooting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus) + + Some of the highlights of the new library include [Evaluation guide for Windows Defender AV](/windows/threat-protection/windows-defender-antivirus//evaluate-windows-defender-antivirus) and [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus). + + New features for Windows Defender AV in Windows 10 Enterprise 2019 LTSC include: +- [Updates to how the Block at First Sight feature can be configured](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) +- [The ability to specify the level of cloud-protection](/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus) +- [Windows Defender Antivirus protection in the Windows Defender Security Center app](/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus) + + We've [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment with [updated behavior monitoring and always-on real-time protection](/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). + + **Endpoint detection and response** is also enhanced. New **detection** capabilities include: +- [Use the threat intelligence API to create custom alerts](/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization. + - [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections). With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. + - Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks. + - Upgraded detections of ransomware and other advanced attacks. + - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed. + + **Threat reponse** is improved when an attack is detected, enabling immediate action by security teams to contain a breach: +- [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package. + - [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file. + +Additional capabilities have been added to help you gain a holistic view on **investigations** include: + - [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics) - Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. + - [Query data using Advanced hunting in Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) + - [Use Automated investigations to investigate and remediate threats](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) + - [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials. + - [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time. + - [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Windows Defender ATP. + +Other enhanced security features include: +- [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues. +- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection) - Windows Defender ATP adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools. +- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center) - Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. +- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration) - Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines. +- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019) - Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. +- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection) - Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor. +- [Enable conditional access to better protect users, devices, and data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection) + +We've also added a new assessment for the Windows time service to the **Device performance & health** section. If we detect that your device’s time is not properly synced with our time servers and the time-syncing service is disabled, we’ll provide the option for you to turn it back on. + +We’re continuing to work on how other security apps you’ve installed show up in the **Windows Security** app. There’s a new page called **Security providers** that you can find in the **Settings** section of the app. Click **Manage providers** to see a list of all the other security providers (including antivirus, firewall, and web protection) that are running on your device. Here you can easily open the providers’ apps or get more information on how to resolve issues reported to you through **Windows Security**. + +This also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks). + +You can read more about ransomware mitigations and detection capability at: +- [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/) +- [Ransomware Protection in Windows 10 Anniversary Update whitepaper (PDF)](http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf) +- [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/) + +Also see [New capabilities of Windows Defender ATP further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97) + +Get a quick, but in-depth overview of Windows Defender ATP for Windows 10: [Windows Defender Advanced Threat Protection](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). + +For more information about features of Windows Defender ATP available in different editions of Windows 10, see the [Windows 10 commercial edition comparison](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf). + +### Information protection + +Improvements have been added to Windows Information Protection and BitLocker. + +#### Windows Information Protection + +Windows Information Protection is now designed to work with Microsoft Office and Azure Information Protection. For more information, see [Deploying and managing Windows Information Protection (WIP) with Azure Information Protection](https://myignite.microsoft.com/sessions/53660?source=sessions). + +Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune). + +You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For info, see the brand-new topic, [How to collect Windows Information Protection (WIP) audit event logs](/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs). + +This release enables support for WIP with Files on Demand, allows file encryption while the file is open in another app, and improves performance. For more information, see [OneDrive Files On-Demand For The Enterprise](https://techcommunity.microsoft.com/t5/OneDrive-Blog/OneDrive-Files-On-Demand-For-The-Enterprise/ba-p/117234). + +### BitLocker + +The minimum PIN length is being changed from 6 to 4, with a default of 6. For more information, see [BitLocker Group Policy settings](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-group-policy-settings#bkmk-unlockpol3). + +#### Silent enforcement on fixed drives + +Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard AAD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI. + +This is an update to the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp), which was introduced in Windows 10, version 1703, and leveraged by Intune and others. + +This feature will soon be enabled on Olympia Corp as an optional feature. + +#### Delivering BitLocker policy to AutoPilot devices during OOBE + +You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before BitLocker encryption begins. + +For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE. + +To achieve this: + +1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. +2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group. + - **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users. +3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. + - **IMPORTANT**: If the ESP is not enabled, the policy will not apply before encryption starts. + +### Identity protection + +Improvements have been added are to Windows Hello for Business and Credential Guard. + +#### Windows Hello for Business + +New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you are not present. + +New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification.md) inlcude: +- You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). +- For Windows Phone devices, an administrator is able to initiate a remote PIN reset through the Intune portal. +- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset). + +[Windows Hello](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in the [Kiosk configuration](#kiosk-configuration) section. +- Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/). +- Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions. +- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off. +- You can set up Windows Hello from lock screen for MSA accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options. +- New [public API](https://docs.microsoft.com/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider. +- It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off). + +For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97) + +#### Windows Defender Credential Guard + +Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It is designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. + +Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. Please note that Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions. + +For more information, see [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations). + +### Other security improvments + +#### Windows security baselines + +Microsoft has released new [Windows security baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/windows/device-security/security-compliance-toolkit-10). + +**Windows security baselines** have been updated for Windows 10. A [security baseline](https://docs.microsoft.com/windows/device-security/windows-security-baselines) is a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/windows/device-security/security-compliance-toolkit-10). + +The new [security baseline for Windows 10 version 1803](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10) has been published. + +#### SMBLoris vulnerability + +An issue, known as “SMBLoris�?, which could result in denial of service, has been addressed. + +#### Windows Security Center + +Windows Defender Security Center is now called **Windows Security Center**. + +You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Windows Defender Antivirus** and **Windows Defender Firewall**. + +The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Windows Defender Antivirus will remain enabled side-by-side with these products. + +WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**. + +![alt text](../images/defender.png "Windows Security Center") + +#### Group Policy Security Options + +The security setting [**Interactive logon: Display user information when the session is locked**](/windows/device-security/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. + +A new security policy setting +[**Interactive logon: Don't display username at sign-in**](/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 Enterprise 2019 LTSC. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile. + +#### Windows 10 in S mode + +We’ve continued to work on the **Current threats** area in [Virus & threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: + +![Virus & threat protection settings](../images/virus-and-threat-protection.png "Virus & threat protection settings") + +## Deployment + +### Windows Autopilot + +[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise 2019 LTSC (and later versions). Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10. + +Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog) or this article for updated information. + +Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly. + +You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](https://docs.microsoft.com/microsoft-store/add-profile-to-devices). + +#### Windows Autopilot self-deploying mode + +Windows Autopilot self-deploying mode enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured automatically by Windows Autopilot. + +This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process. + +You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required. + +To learn more about Autopilot self-deploying mode and to see step-by-step instructions to perform such a deployment, [Windows Autopilot self-deploying mode](https://docs.microsoft.com/windows/deployment/windows-autopilot/self-deploying). + + +#### Autopilot Reset + +IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset). + +### MBR2GPT.EXE + +MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise 2019 LTSC (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS). + +The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk. + +Additional security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock. + +For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt). + +### DISM + +The following new DISM commands have been added to manage feature updates: + + DISM /Online /Initiate-OSUninstall + – Initiates a OS uninstall to take the computer back to the previous installation of windows. + DISM /Online /Remove-OSUninstall + – Removes the OS uninstall capability from the computer. + DISM /Online /Get-OSUninstallWindow + – Displays the number of days after upgrade during which uninstall can be performed. + DISM /Online /Set-OSUninstallWindow + – Sets the number of days after upgrade during which uninstall can be performed. + +For more information, see [DISM operating system uninstall command-line options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options). + +### Windows Setup + +You can now run your own custom actions or scripts in parallel with Windows Setup. Setup will also migrate your scripts to next feature release, so you only need to add them once. + +Prerequisites: +- Windows 10, version 1803 or Windows 10 Enterprise 2019 LTSC, or later. +- Windows 10 Enterprise or Pro + +For more information, see [Run custom actions during feature update](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions). + +It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option. + + /PostRollback [\setuprollback.cmd] [/postrollback {system / admin}] + +For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21) + +New command-line switches are also available to control BitLocker: + + Setup.exe /BitLocker AlwaysSuspend + – Always suspend bitlocker during upgrade. + Setup.exe /BitLocker TryKeepActive + – Enable upgrade without suspending bitlocker but if upgrade, does not work then suspend bitlocker and complete the upgrade. + Setup.exe /BitLocker ForceKeepActive + – Enable upgrade without suspending bitlocker, but if upgrade does not work, fail the upgrade. + +For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33) + +### Feature update improvements + +Portions of the work done during the offline phases of a Windows update have been moved to the online phase. This has resulted in a significant reduction of offline time when installing updates. For more information, see [We're listening to you](https://insider.windows.com/en-us/articles/were-listening-to-you/). + +### SetupDiag + +[SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag) is a new command-line tool that can help diagnose why a Windows 10 update failed. + +SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. + +## Sign-in + +### Faster sign-in to a Windows 10 shared pc + +If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](https://docs.microsoft.com/windows/configuration/set-up-shared-or-guest-pc) in a flash! + +**To enable fast sign-in:** +1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise 2019 LTSC. +2. Set the Policy CSP, and the **Authentication** and **EnableFastFirstSignIn** policies to enable fast sign-in. +3. Sign-in to a shared PC with your account. You'll notice the difference! + + ![fast sign-in](../images/fastsignin.png "fast sign-in") + +### Web sign-in to Windows 10 + +Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing “web sign-in,” a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML). + +**To try out web sign-in:** +1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs). +2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in. +3. On the lock screen, select web sign-in under sign-in options. +4. Click the “Sign in” button to continue. + +![Web sign-in](../images/websignin.png "web sign-in") + +## Windows Analytics + +### Upgrade Readiness + +>[!IMPORTANT] +>Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a semi-annual channel release. + +Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. + +The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled. + +For more information about Upgrade Readiness, see the following topics: + +- [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/) +- [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness) + +Upgrade Readiness provides insights into application and driver compatibility issues. New capabilities include better app coverage, post-upgrade health reports, and enhanced report filtering capabilities. For more information, see [Manage Windows upgrades with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). + +### Update Compliance + +Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date. + +Update Compliance is a solution built using OMS Log Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues. + +For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](/windows/deployment/update/update-compliance-monitor). + +New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. For more information, see [Monitor Windows Updates and Windows Defender Antivirus with Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor). + +### Device Health + +Maintaining devices is made easier with Device Health, a new, premium analytic tool that identifies devices and drivers that crash frequently and might need to be rebuilt or replaced. For more information, see [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor). + +## Accessibility and Privacy + +### Accessibility + +"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](https://docs.microsoft.com/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in the [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/) blog post. + +### Privacy + +In the Feedback and Settings page under Privacy Settings you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the [Diagnostic Data Viewer](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) app. + +## Configuration + +### Kiosk configuration + +Microsoft Edge has many improvements specifically targeted to Kiosks, however Edge is not available in the LTSC release of Windows 10. Internet Explorer is included in Windows 10 LTSC releases as its feature set is not changing, and it will continue to get security fixes for the life of a Windows 10 LTSC release. + +If you wish to take advantage of [Kiosk capabilities in Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy), consider [Kiosk mode](https://docs.microsoft.com/windows/configuration/kiosk-methods) with a semi-annual release channel. + +### Co-management + +Intune and System Center Configuration Manager policies have been added to enable hyrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management. + +For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803) + +### OS uninstall period + +The OS uninstall period is a length of time that users are given when they can optionally roll back a Windows 10 update. With this release, administrators can use Intune or [DISM](#dism) to customize the length of the OS uninstall period. + +### Azure Active Directory join in bulk + +Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards. + +![get bulk token action in wizard](../images/bulk-token.png) + +### Windows Spotlight + +The following new Group Policy and mobile device management (MDM) settings are added to help you configure Windows Spotlight user experiences: + +- **Turn off the Windows Spotlight on Action Center** +- **Do not use diagnostic data for tailored experiences** +- **Turn off the Windows Welcome Experience** + +[Learn more about Windows Spotlight.](/windows/configuration/windows-spotlight) + +### Start and taskbar layout + +Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10 Enterprise 2019 LTSC adds support for customized taskbars to [MDM](/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management). + +[Additional MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include: + +- Settings for the User tile: [**Start/HideUserTile**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) +- Settings for Power: [**Start/HidePowerButton**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesleep) +- Additional new settings: [**Start/HideFrequentlyUsedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist). + +## Windows Update + +### Windows Update for Business + +Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure). + +The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates). + + +Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details. + +WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds). + +Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure). + +The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates). + + +Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details. + +WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds). + +### Windows Insider for Business + +We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](/windows/deployment/update/waas-windows-insider-for-business). + +You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](https://docs.microsoft.com/windows/deployment/update/waas-windows-insider-for-business#getting-started-with-windows-insider-program-for-business). + + +### Optimize update delivery + +With changes delivered in Windows 10 Enterprise 2019 LTSC, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with System Center Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](https://technet.microsoft.com/windows-server-docs/management/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS. + +>[!NOTE] +> The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update. + +Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios. + +Added policies include: +- [Allow uploads while the device is on battery while under set Battery level](/windows/deployment/update/waas-delivery-optimization#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) +- [Enable Peer Caching while the device connects via VPN](/windows/deployment/update/waas-delivery-optimization#enable-peer-caching-while-the-device-connects-via-vpn) +- [Minimum RAM (inclusive) allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-ram-allowed-to-use-peer-caching) +- [Minimum disk size allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-disk-size-allowed-to-use-peer-caching) +- [Minimum Peer Caching Content File Size](/windows/deployment/update/waas-delivery-optimization#minimum-peer-caching-content-file-size) + +To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization) + +### Uninstalled in-box apps no longer automatically reinstall + +Starting with Windows 10 Enterprise 2019 LTSC, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process. + +Additionally, apps de-provisioned by admins on Windows 10 Enterprise 2019 LTSC machines will stay de-provisioned after future feature update installations. This will not apply to the update from Windows 10 Enterprise 2016 LTSC (or earlier) to Windows 10 Enterprise 2019 LTSC. + +## Management + +### New MDM capabilities + +Windows 10 Enterprise 2019 LTSC adds many new [configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. Among other things, these CSPs enable you to configure a few hundred of the most useful Group Policy settings via MDM - see [Policy CSP - ADMX-backed policies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed). + +Some of the other new CSPs are: + +- The [DynamicManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs. + +- The [CleanPC CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data. + +- The [BitLocker CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/bitlocker-csp) is used to manage encryption of PCs and devices. For example, you can require storage card encryption on mobile devices, or require encryption for operating system drives. + +- The [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) is used to configure a proxy server for ethernet and Wi-Fi connections. + +- The [Office CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/office-csp) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/library/jj219426.aspx). + +- The [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM. + +IT pros can use the new [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents. + +[Learn more about new MDM capabilities.](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/new-in-windows-mdm-enrollment-management#whatsnew10) + +MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group Policy can be used with Active Directory joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](https://docs.microsoft.com/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy). + +Multiple new configuration items are also added. For more information, see [What's new in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1709). + +### Mobile application management support for Windows 10 + +The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10 Enterprise 2019 LTSC. + +For more info, see [Implement server-side support for mobile application management on Windows](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management). + +### MDM diagnostics + +In Windows 10 Enterprise 2019 LTSC, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost. + +### Application Virtualization for Windows (App-V) + +Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10 Enterprise 2019 LTSC introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart. + +For more info, see the following topics: +- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-provision-a-vm) +- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-sequencing) +- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-updating) +- [Automatically cleanup unpublished packages on the App-V client](/windows/application-management/app-v/appv-auto-clean-unpublished-packages) + +### Windows diagnostic data + +Learn more about the diagnostic data that's collected at the Basic level and some examples of the types of data that is collected at the Full level. + +- [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703) +- [Windows 10, version 1703 Diagnostic Data](/windows/configuration/windows-diagnostic-data-1703) + +### Group Policy spreadsheet + +Learn about the new Group Policies that were added in Windows 10 Enterprise 2019 LTSC. + +- [Group Policy Settings Reference for Windows and Windows Server](https://www.microsoft.com/download/details.aspx?id=25250) + +### Mixed Reality Apps + +This version of Windows 10 introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/). Organizations that use WSUS must take action to enable Windows Mixed Reality. You can also prohibit use of Windows Mixed Reality by blocking installation of the Mixed Reality Portal. For more information, see [Enable or block Windows Mixed Reality apps in the enterprise](https://docs.microsoft.com/windows/application-management/manage-windows-mixed-reality). + +## Networking + +### Network stack + +Several network stack enhancements are available in this release. Some of these features were also available in Windows 10, version 1703. For more information, see [Core Network Stack Features in the Creators Update for Windows 10](https://blogs.technet.microsoft.com/networking/2017/07/13/core-network-stack-features-in-the-creators-update-for-windows-10/). + +### Miracast over Infrastructure + +In this version of Windows 10, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](https://msdn.microsoft.com/library/mt796768.aspx). + +How it works: + +Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection. + +Miracast over Infrastructure offers a number of benefits: + +- Windows automatically detects when sending the video stream over this path is applicable. +- Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network. +- Users do not have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections. +- No changes to current wireless drivers or PC hardware are required. +- It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct. +- It leverages an existing connection which both reduces the time to connect and provides a very stable stream. + +Enabling Miracast over Infrastructure: + +If you have a device that has been updated to Windows 10 Enterprise 2019 LTSC, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment: + +- The device (PC, phone, or Surface Hub) needs to be running Windows 10, version 1703, Windows 10 Enterprise 2019 LTSC, or a later OS. +- A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*. + - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. + - As a Miracast source, the PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. +- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname. +- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. + +It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method. + +## Registry editor improvements + +We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word. + +![Registry editor dropdown](../images/regeditor.png "Registry editor dropdown") + +## Remote Desktop with Biometrics + +Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. + +To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click **Connect**. + +- Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click **More choices** to choose alternate credentials. +- Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN. + +See the following example: + +![Enter your credentials](../images/RDPwBioTime.png "Windows Hello") +![Enter your credentials](../images/RDPwBio2.png "Windows Hello personal") +![Microsoft Hyper-V Server 2016](../images/hyper-v.png "Microsoft Hyper-V Server 2016") + +## See Also + +[Windows 10 Enterprise LTSC](index.md): A short description of the LTSC servicing channel with links to information about each release. diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md index bd6b7f1df1..0301b62f00 100644 --- a/windows/whats-new/whats-new-windows-10-version-1903.md +++ b/windows/whats-new/whats-new-windows-10-version-1903.md @@ -1,151 +1,151 @@ ---- -title: What's new in Windows 10, version 1903 -description: New and updated IT Pro content about new features in Windows 10, version 1903 (also known as the Windows 10 May 2019 Update). -keywords: ["What's new in Windows 10", "Windows 10", "May 2019 Update"] -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -manager: laurawi -ms.localizationpriority: high -ms.topic: article ---- - -# What's new in Windows 10, version 1903 IT Pro content - -**Applies to** -- Windows 10, version 1903 - -This article lists new and updated features and content that are of interest to IT Pros for Windows 10 version 1903, also known as the Windows 10 May 2019 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1809. - ->[!NOTE] ->New disk space requirement for Windows 10, version 1903 applies only to OEMs for the manufacture of new PCs. This new requirement does not apply to existing devices. PCs that don’t meet new device disk space requirements will continue to receive updates and the 1903 update will require about the same amount of free disk space as previous updates. For more information, see [Reserved storage](#reserved-storage). - -## Deployment - -### Windows Autopilot - -[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. The following Windows Autopilot features are available in Windows 10, version 1903 and later: - -- [Windows Autopilot for white glove deployment](https://docs.microsoft.com/windows/deployment/windows-autopilot/white-glove) is new in this version of Windows. "White glove" deployment enables partners or IT staff to pre-provision devices so they are fully configured and business ready for your users. -- The Intune [enrollment status page](https://docs.microsoft.com/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions​. -- [Cortana voiceover](https://docs.microsoft.com/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs. -- Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE. -- Windows Autopilot will set the [diagnostics data](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE. - -### Windows 10 Subscription Activation - -Windows 10 Education support has been added to Windows 10 Subscription Activation. - -With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions – Windows 10 Education. For more information, see [Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation). - -### SetupDiag - -[SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag) version 1.4.1 is available. - -SetupDiag is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. - -### Reserved storage - -[**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327): Reserved storage sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space. Reserved storage will be enabled automatically on new PCs with Windows 10, version 1903 pre-installed, and for clean installs. It will not be enabled when updating from a previous version of Windows 10. - -## Servicing - -- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Office 365 ProPlus updates, and Intune content, with System Center Configuration Manager content coming soon! -- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. -- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. -- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. -- **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again. -- **Improved update notifications**: When there’s an update requiring you to restart your device, you’ll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar. -- **Intelligent active hours**: To further enhance active hours, users will now have the option to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns. -- **Improved update orchestration to improve system responsiveness**: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions. - -## Security - -### Windows Information Protection - -With this release, Windows Defender ATP extends discovery and protection of sensitive information with [Auto Labeling](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels#how-wip-protects-automatically-classified-files). - -### Security configuration framework - -With this release of Windows 10, Microsoft is introducing a [new taxonomy for security configurations](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework), called the **SECCON framework**, comprised of 5 device security configurations. - -### Security baseline for Windows 10 and Windows Server - -The draft release of the [security configuration baseline settings](https://blogs.technet.microsoft.com/secguide/2019/04/24/security-baseline-draft-for-windows-10-v1903-and-windows-server-v1903/) for Windows 10, version 1903 and for Windows Server version 1903 is available. - -### Intune security baselines - -[Intune Security Baselines](https://docs.microsoft.com/intune/security-baselines) (Preview): Now includes many settings supported by Intune that you can use to help secure and protect your users and devices. You can automatically set these settings to values recommended by security teams. - -### Microsoft Defender Advanced Threat Protection (ATP): - -- [Attack surface area reduction](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allow and deny lists for specific URL’s and IP addresses. -- [Next generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage. - - Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform. - - Tamper-proofing capabilities – Uses virtualization-based security to isolate critical ATP security capabilities away from the OS and attackers. -- [Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) – In addition to Windows 10, Windows Defender ATP’s functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities. - -### Microsoft Defender ATP next-gen protection technologies: - -- **Advanced machine learning**: Improved with advanced machine learning and AI models that enable it to protect against apex attackers using innovative vulnerability exploit techniques, tools and malware. -- **Emergency outbreak protection**: Provides emergency outbreak protection which will automatically update devices with new intelligence when a new outbreak has been detected. -- **Certified ISO 27001 compliance**: Ensures that the cloud service has analyzed for threats, vulnerabilities and impacts, and that risk management and security controls are in place. -- **Geolocation support**: Support geolocation and sovereignty of sample data as well as configurable retention policies. - -### Threat Protection - -- [Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849): Isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device. -- [Microphone privacy settings](https://support.microsoft.com/en-us/help/4468232/windows-10-camera-microphone-and-privacy-microsoft-privacy): A microphone icon appears in the notification area letting you see which apps are using your microphone. - -- [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements: - - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change Registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior. - - WDAG is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend WDAG’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the WDAG extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigations to the WDAG Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch WDAG from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates. - - To try this extension: - 1. Configure WDAG policies on your device. - 2. Go to the Chrome Web Store or Firefox Add-ons and search for Application Guard. Install the extension. - 3. Follow any additional configuration steps on the extension setup page. - 4. Reboot the device. - 5. Navigate to an untrusted site in Chrome and Firefox. - - - WDAG allows dynamic navigation: Application Guard now allows users to navigate back to their default host browser from the WDAG Microsoft Edge. Previously, users browsing in WDAG Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in WDAG Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates. - -- [Windows Defender Application Control (WDAC)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903 WDAC has a number of new features that light up key scenarios and provide feature parity with AppLocker. - - [Multiple Policies](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): WDAC now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy. - - [Path-Based Rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
          - This brings WDAC to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that is not available with AppLocker. - - [Allow COM Object Registration](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, WDAC enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy. - -#### System Guard - -[System Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) has added a new feature in this version of Windows called **SMM Firmware Measurement**. This feature is built on top of [System Guard Secure Launch](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to check that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, OS memory and secrets are protected from SMM. There are currently no devices out there with compatible hardware, but they will be coming out in the next few months. - -This new feature is displayed under the Device Security page with the string “Your device exceeds the requirements for enhanced hardware security” if configured properly: - -![System Guard](images/system-guard.png "SMM Firmware Measurement") - -### Identity Protection - -- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less login for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD. -- [Streamlined Windows Hello PIN reset experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web. -- Sign-in with [Password-less](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience! -- [Remote Desktop with Biometrics](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. - -### Security management - -- [Windows Defender Firewall now supports Windows Subsystem for Linux (WSL)](https://blogs.windows.com/windowsexperience/2018/04/19/announcing-windows-10-insider-preview-build-17650-for-skip-ahead/#II14f7VlSBcZ0Gs4.97): Lets you add rules for WSL process, just like for Windows processes. -- [Windows Security app](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) improvements now include Protection history, including detailed and easier to understand information about threats and available actions, Controlled Folder Access blocks are now in the Protection history, Windows Defender Offline Scanning tool actions, and any pending recommendations. -- [Tamper Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection) lets you prevent others from tampering with important security features. - -## Microsoft Edge - -Several new features are coming in the next version of Edge. See the [news from Build 2019](https://blogs.windows.com/msedgedev/2019/05/06/edge-chromium-build-2019-pwa-ie-mode-devtools/#2QJF4u970WjQ2Sv7.97) for more information. - -## See Also - -[What's New in Windows Server, version 1903](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1903): New and updated features in Windows Server.
          -[Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features.
          -[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
          -[What's new in Windows 10](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
          -[What's new in Windows 10 for developers](https://blogs.windows.com/buildingapps/2019/04/18/start-developing-on-windows-10-may-2019-update-today/#2Lp8FUFQ3Jm8KVcq.97): New and updated features in Windows 10 that are of interest to developers. +--- +title: What's new in Windows 10, version 1903 +description: New and updated IT Pro content about new features in Windows 10, version 1903 (also known as the Windows 10 May 2019 Update). +keywords: ["What's new in Windows 10", "Windows 10", "May 2019 Update"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +manager: laurawi +ms.localizationpriority: high +ms.topic: article +--- + +# What's new in Windows 10, version 1903 IT Pro content + +**Applies to** +- Windows 10, version 1903 + +This article lists new and updated features and content that are of interest to IT Pros for Windows 10 version 1903, also known as the Windows 10 May 2019 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1809. + +>[!NOTE] +>New disk space requirement for Windows 10, version 1903 applies only to OEMs for the manufacture of new PCs. This new requirement does not apply to existing devices. PCs that don’t meet new device disk space requirements will continue to receive updates and the 1903 update will require about the same amount of free disk space as previous updates. For more information, see [Reserved storage](#reserved-storage). + +## Deployment + +### Windows Autopilot + +[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. The following Windows Autopilot features are available in Windows 10, version 1903 and later: + +- [Windows Autopilot for white glove deployment](https://docs.microsoft.com/windows/deployment/windows-autopilot/white-glove) is new in this version of Windows. "White glove" deployment enables partners or IT staff to pre-provision devices so they are fully configured and business ready for your users. +- The Intune [enrollment status page](https://docs.microsoft.com/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions​. +- [Cortana voiceover](https://docs.microsoft.com/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs. +- Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE. +- Windows Autopilot will set the [diagnostics data](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE. + +### Windows 10 Subscription Activation + +Windows 10 Education support has been added to Windows 10 Subscription Activation. + +With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions – Windows 10 Education. For more information, see [Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation). + +### SetupDiag + +[SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag) version 1.4.1 is available. + +SetupDiag is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. + +### Reserved storage + +[**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327): Reserved storage sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space. Reserved storage will be enabled automatically on new PCs with Windows 10, version 1903 pre-installed, and for clean installs. It will not be enabled when updating from a previous version of Windows 10. + +## Servicing + +- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Office 365 ProPlus updates, and Intune content, with System Center Configuration Manager content coming soon! +- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. +- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. +- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. +- **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again. +- **Improved update notifications**: When there’s an update requiring you to restart your device, you’ll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar. +- **Intelligent active hours**: To further enhance active hours, users will now have the option to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns. +- **Improved update orchestration to improve system responsiveness**: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions. + +## Security + +### Windows Information Protection + +With this release, Windows Defender ATP extends discovery and protection of sensitive information with [Auto Labeling](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels#how-wip-protects-automatically-classified-files). + +### Security configuration framework + +With this release of Windows 10, Microsoft is introducing a [new taxonomy for security configurations](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework), called the **SECCON framework**, comprised of 5 device security configurations. + +### Security baseline for Windows 10 and Windows Server + +The draft release of the [security configuration baseline settings](https://blogs.technet.microsoft.com/secguide/2019/04/24/security-baseline-draft-for-windows-10-v1903-and-windows-server-v1903/) for Windows 10, version 1903 and for Windows Server version 1903 is available. + +### Intune security baselines + +[Intune Security Baselines](https://docs.microsoft.com/intune/security-baselines) (Preview): Now includes many settings supported by Intune that you can use to help secure and protect your users and devices. You can automatically set these settings to values recommended by security teams. + +### Microsoft Defender Advanced Threat Protection (ATP): + +- [Attack surface area reduction](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allow and deny lists for specific URL’s and IP addresses. +- [Next generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage. + - Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform. + - Tamper-proofing capabilities – Uses virtualization-based security to isolate critical ATP security capabilities away from the OS and attackers. +- [Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) – In addition to Windows 10, Windows Defender ATP’s functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities. + +### Microsoft Defender ATP next-gen protection technologies: + +- **Advanced machine learning**: Improved with advanced machine learning and AI models that enable it to protect against apex attackers using innovative vulnerability exploit techniques, tools and malware. +- **Emergency outbreak protection**: Provides emergency outbreak protection which will automatically update devices with new intelligence when a new outbreak has been detected. +- **Certified ISO 27001 compliance**: Ensures that the cloud service has analyzed for threats, vulnerabilities and impacts, and that risk management and security controls are in place. +- **Geolocation support**: Support geolocation and sovereignty of sample data as well as configurable retention policies. + +### Threat Protection + +- [Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849): Isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device. +- [Microphone privacy settings](https://support.microsoft.com/en-us/help/4468232/windows-10-camera-microphone-and-privacy-microsoft-privacy): A microphone icon appears in the notification area letting you see which apps are using your microphone. + +- [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements: + - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change Registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior. + - WDAG is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend WDAG’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the WDAG extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigations to the WDAG Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch WDAG from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates. + + To try this extension: + 1. Configure WDAG policies on your device. + 2. Go to the Chrome Web Store or Firefox Add-ons and search for Application Guard. Install the extension. + 3. Follow any additional configuration steps on the extension setup page. + 4. Reboot the device. + 5. Navigate to an untrusted site in Chrome and Firefox. + + - WDAG allows dynamic navigation: Application Guard now allows users to navigate back to their default host browser from the WDAG Microsoft Edge. Previously, users browsing in WDAG Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in WDAG Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates. + +- [Windows Defender Application Control (WDAC)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903 WDAC has a number of new features that light up key scenarios and provide feature parity with AppLocker. + - [Multiple Policies](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): WDAC now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy. + - [Path-Based Rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
          + This brings WDAC to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that is not available with AppLocker. + - [Allow COM Object Registration](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, WDAC enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy. + +#### System Guard + +[System Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) has added a new feature in this version of Windows called **SMM Firmware Measurement**. This feature is built on top of [System Guard Secure Launch](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to check that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, OS memory and secrets are protected from SMM. There are currently no devices out there with compatible hardware, but they will be coming out in the next few months. + +This new feature is displayed under the Device Security page with the string “Your device exceeds the requirements for enhanced hardware security” if configured properly: + +![System Guard](images/system-guard.png "SMM Firmware Measurement") + +### Identity Protection + +- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less login for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD. +- [Streamlined Windows Hello PIN reset experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web. +- Sign-in with [Password-less](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience! +- [Remote Desktop with Biometrics](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. + +### Security management + +- [Windows Defender Firewall now supports Windows Subsystem for Linux (WSL)](https://blogs.windows.com/windowsexperience/2018/04/19/announcing-windows-10-insider-preview-build-17650-for-skip-ahead/#II14f7VlSBcZ0Gs4.97): Lets you add rules for WSL process, just like for Windows processes. +- [Windows Security app](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) improvements now include Protection history, including detailed and easier to understand information about threats and available actions, Controlled Folder Access blocks are now in the Protection history, Windows Defender Offline Scanning tool actions, and any pending recommendations. +- [Tamper Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection) lets you prevent others from tampering with important security features. + +## Microsoft Edge + +Several new features are coming in the next version of Edge. See the [news from Build 2019](https://blogs.windows.com/msedgedev/2019/05/06/edge-chromium-build-2019-pwa-ie-mode-devtools/#2QJF4u970WjQ2Sv7.97) for more information. + +## See Also + +[What's New in Windows Server, version 1903](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1903): New and updated features in Windows Server.
          +[Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features.
          +[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
          +[What's new in Windows 10](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
          +[What's new in Windows 10 for developers](https://blogs.windows.com/buildingapps/2019/04/18/start-developing-on-windows-10-may-2019-update-today/#2Lp8FUFQ3Jm8KVcq.97): New and updated features in Windows 10 that are of interest to developers.
          DetailsOriginating updateStatusHistory
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4497935. Devices that are domain controllers or domain members are both affected.

          To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

          Note If you are not sure if your device is affected, contact your administrator. Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos.

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
          Next steps: At this time, we suggest that devices in an affected environment do not install KB4497935. We are working on a resolution and estimate a solution will be available in mid-August.

          Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

          Back to top          		OS Build 18362.145

          May 29, 2019
          KB4497935          		Investigating
          		Last updated:
          August 01, 2019
          06:12 PM PT

          Opened:
          July 25, 2019
          06:10 PM PT
          Issues updating when certain versions of Intel storage drivers are installed
          Intel and Microsoft have found incompatibility issues with certain versions of the Intel Rapid Storage Technology (Intel RST) drivers and the Windows 10 May 2019 Update (Windows 10, version 1903).  

          To safeguard your update experience, we have applied a compatibility hold on devices with Intel RST drivers, versions 15.1.0.1002 through version 15.5.2.1053 installed from installing Windows 10, version 1903 or Windows Server, version 1903, until the driver has been updated.

          Versions 15.5.2.1054 or later are compatible, and a device that has these drivers installed can install the Windows 10 May 2019 Update. For affected devices, the recommended version is 15.9.6.1044.

          Affected platforms:
          • Client: Windows 10, version 1903
          • Server: Windows Server, version 1903
          Next steps: To resolve this issue, you will need to update the Intel RST drivers for your device to version 15.5.2.1054 or a later.  Check with your device manufacturer (OEM) to see if an updated driver is available and install it. You can also download the latest Intel RST drivers directly from Intel at Intel® Rapid Storage Technology (Intel® RST) User Interface and Driver. Once your drivers are updated, you can restart the installation process for the May 2019 Update. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

          Note Until an updated driver has been installed, we recommend you do not attempt to manually update using the Update now button or the Media Creation Tool. 

          Back to top          		OS Build 18362.145

          May 29, 2019
          KB4497935          		Mitigated External
          		Last updated:
          August 01, 2019
          05:58 PM PT

          Opened:
          July 25, 2019
          06:10 PM PT
          Issues updating when certain versions of Intel storage drivers are installed
          Intel and Microsoft have found incompatibility issues with certain versions of the Intel Rapid Storage Technology (Intel RST) drivers and the Windows 10 May 2019 Update (Windows 10, version 1903).  

          To safeguard your update experience, we have applied a compatibility hold on devices with Intel RST drivers, versions 15.1.0.1002 through version 15.5.2.1053 installed from installing Windows 10, version 1903 or Windows Server, version 1903, until the driver has been updated.

          Versions 15.5.2.1054 or later are compatible, and a device that has these drivers installed can install the Windows 10 May 2019 Update. For affected devices, the recommended version is 15.9.8.1050.

          Affected platforms:
          • Client: Windows 10, version 1903
          • Server: Windows Server, version 1903
          Next steps: To resolve this issue, you will need to update the Intel RST drivers for your device to version 15.5.2.1054 or a later.  Check with your device manufacturer (OEM) to see if an updated driver is available and install it. You can also download the latest Intel RST drivers directly from Intel at Intel® Rapid Storage Technology (Intel® RST) User Interface and Driver. Once your drivers are updated, you can restart the installation process for the May 2019 Update. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

          Note Until an updated driver has been installed, we recommend you do not attempt to manually update using the Update now button or the Media Creation Tool. 

          Back to top          		OS Build 18362.145

          May 29, 2019
          KB4497935          		Mitigated External
          		Last updated:
          August 08, 2019
          05:50 PM PT

          Opened:
          July 25, 2019
          06:10 PM PT
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4497935. Devices that are domain controllers or domain members are both affected.

          To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

          Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
          HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
          Next steps: At this time, we suggest that devices in an affected environment do not install KB4497935. We are working on a resolution and estimate a solution will be available in mid-August.

          Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

          Back to top          		OS Build 18362.145

          May 29, 2019
          KB4497935          		Investigating
          		Last updated:
          August 08, 2019
          03:14 PM PT

          Opened:
          July 25, 2019
          06:10 PM PT
          The dGPU may occasionally disappear from device manager on Surface Book 2 with dGPU
          Microsoft has identified a compatibility issue on some Surface Book 2 devices configured with Nvidia discrete graphics processing unit (dGPU). After updating to Windows 10, version 1903 (May 2019 Feature Update), some apps or games that needs to perform graphics intensive operations may close or fail to open.

          To safeguard your update experience, we have applied a compatibility hold on Surface Book 2 devices with Nvidia dGPUs from being offered Windows 10, version 1903, until this issue is resolved.

          Affected platforms:
          • Client: Windows 10, version 1903
          Workaround: To mitigate the issue if you are already on Windows 10, version 1903, you can restart the device or select the Scan for hardware changes button in the Action menu or on the toolbar in Device Manager.

          Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

          Next steps: We are working on a resolution and will provide an update in an upcoming release.

          Back to top          		OS Build 18362.145

          May 29, 2019
          KB4497935          		Investigating
          		Last updated:
          July 16, 2019
          09:04 AM PT

          Opened:
          July 12, 2019
          04:20 PM PT
          Initiating a Remote Desktop connection may result in black screen
          When initiating a Remote Desktop connection to devices with some older GPU drivers, you may receive a black screen. Any version of Windows may encounter this issue when initiating a Remote Desktop connection to a Windows 10, version 1903 device which is running an affected display driver, including the drivers for the Intel 4 series chipset integrated GPU (iGPU).

          Affected platforms:
          • Client: Windows 10, version 1903
          • Server: Windows Server, version 1903
          Next steps: We are working on a resolution that will be made available in upcoming release.

          Back to top          		OS Build 18362.145

          May 29, 2019
          KB4497935          		Investigating
          		Last updated:
          July 12, 2019
          04:42 PM PT

          Opened:
          July 12, 2019
          04:42 PM PT
          Devices starting using PXE from a WDS or SCCM servers may fail to start
          Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503293 on a WDS server.

          Affected platforms:
          • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
          Workaround:
          To mitigate this issue on an SCCM server:
          1. Verify Variable Window Extension is enabled.
          2. Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
          Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

          To mitigate this issue on a WDS server without SCCM:
          1. In WDS TFTP settings, verify Variable Window Extension is enabled.
          2. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
          3. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
          Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

          Next steps: We are working on a resolution and will provide an update in an upcoming release.

          Back to top          		OS Build 18362.175

          June 11, 2019
          KB4503293          		Mitigated
          		Last updated:
          July 10, 2019
          07:09 PM PT

          Opened:
          July 10, 2019
          02:51 PM PT