--OR-- -- If you have an on-premises System Center Configuration Manager infrastructure, see [How to bulk enroll devices with On-premises Mobile Device Management in System Center Configuration Manager](https://technet.microsoft.com/library/mt627898.aspx). +- If you have an on-premises Microsoft Endpoint Configuration Manager infrastructure, see [How to bulk enroll devices with On-premises Mobile Device Management in Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm). ### Manual enrollment **To configure manual enrollment** @@ -52,11 +51,11 @@ Then, when devices are setup during First-run, pick the option to join to Azure ## Manage Surface Hub settings with MDM -You can use MDM to manage some [Surface Hub CSP settings](#supported-surface-hub-csp-settings), and some [Windows 10 settings](#supported-windows-10-settings). Depending on the MDM provider that you use, you may set these settings using a built-in user interface, or by deploying custom SyncML. Microsoft Intune and System Center Configuration Manager provide built-in experiences to help create policy templates for Surface Hub. Refer to documentation from your MDM provider to learn how to create and deploy SyncML. +You can use MDM to manage some [Surface Hub CSP settings](#supported-surface-hub-csp-settings), and some [Windows 10 settings](#supported-windows-10-settings). Depending on the MDM provider that you use, you may set these settings using a built-in user interface, or by deploying custom SyncML. Microsoft Intune and Microsoft Endpoint Configuration Manager provide built-in experiences to help create policy templates for Surface Hub. Refer to documentation from your MDM provider to learn how to create and deploy SyncML. ### Supported Surface Hub CSP settings -You can configure the Surface Hub settings in the following table using MDM. The table identifies if the setting is supported with Microsoft Intune, System Center Configuration Manager, or SyncML. +You can configure the Surface Hub settings in the following table using MDM. The table identifies if the setting is supported with Microsoft Intune, Microsoft Endpoint Configuration Manager, or SyncML. For more information, see [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323). @@ -92,7 +91,7 @@ For more information, see [SurfaceHub configuration service provider](https://ms In addition to Surface Hub-specific settings, there are numerous settings common to all Windows 10 devices. These settings are defined in the [Configuration service provider reference](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference). -The following tables include info on Windows 10 settings that have been validated with Surface Hub. There is a table with settings for these areas: security, browser, Windows Updates, Windows Defender, remote reboot, certificates, and logs. Each table identifies if the setting is supported with Microsoft Intune, System Center Configuration Manager, or SyncML. +The following tables include info on Windows 10 settings that have been validated with Surface Hub. There is a table with settings for these areas: security, browser, Windows Updates, Windows Defender, remote reboot, certificates, and logs. Each table identifies if the setting is supported with Microsoft Intune, Microsoft Endpoint Configuration Manager, or SyncML. #### Security settings @@ -160,10 +159,10 @@ The following tables include info on Windows 10 settings that have been validate | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | |---------------------------------|--------------------------------------------------------------|----------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------| -| Install trusted CA certificates | Use to deploy trusted root and intermediate CA certificates. | [RootCATrustedCertificates CSP](https://msdn.microsoft.com/library/windows/hardware/dn904970.aspx) | Yes.
See [Configure Intune certificate profiles](https://docs.microsoft.com/intune/deploy-use/configure-intune-certificate-profiles). | Yes.
See [How to create certificate profiles in System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/create-certificate-profiles). | Yes | +| Install trusted CA certificates | Use to deploy trusted root and intermediate CA certificates. | [RootCATrustedCertificates CSP](https://msdn.microsoft.com/library/windows/hardware/dn904970.aspx) | Yes.
See [Configure Intune certificate profiles](https://docs.microsoft.com/intune/deploy-use/configure-intune-certificate-profiles). | Yes.
See [How to create certificate profiles in Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/create-certificate-profiles). | Yes | \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. @@ -202,7 +201,7 @@ The following tables include info on Windows 10 settings that have been validate \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. ### Generate OMA URIs for settings -You need to use a setting’s OMA URI to create a custom policy in Intune, or a custom setting in System Center Configuration Manager. +You need to use a setting’s OMA URI to create a custom policy in Intune, or a custom setting in Microsoft Endpoint Configuration Manager. **To generate the OMA URI for any setting in the CSP documentation** 1. In the CSP documentation, identify the root node of the CSP. Generally, this looks like `./Vendor/MSFT/
@@ -226,11 +225,11 @@ You can use Microsoft Intune to manage Surface Hub settings. For custom settings -## Example: Manage Surface Hub settings with System Center Configuration Manager -System Center Configuration Manager supports managing modern devices that do not require the Configuration Manager client to manage them, including Surface Hub. If you already use System Center Configuration Manager to manage other devices in your organization, you can continue to use the Configuration Manager console as your single location for managing Surface Hubs. +## Example: Manage Surface Hub settings with Microsoft Endpoint Configuration Manager +Configuration Manager supports managing modern devices that do not require the Configuration Manager client to manage them, including Surface Hub. If you already use Configuration Manager to manage other devices in your organization, you can continue to use the Configuration Manager console as your single location for managing Surface Hubs. > [!NOTE] -> These instructions are based on the current branch of System Center Configuration Manager. +> These instructions are based on the current branch of Configuration Manager. **To create a configuration item for Surface Hub settings** @@ -265,7 +264,7 @@ System Center Configuration Manager supports managing modern devices that do not 18. When you're done, on the **Browse Settings** dialog, click **Close**. 19. Complete the wizard.
You can view the new configuration item in the **Configuration Items** node of the **Assets and Compliance** workspace. -For more information, see [Create configuration items for Windows 8.1 and Windows 10 devices managed without the System Center Configuration Manager client](https://docs.microsoft.com/sccm/compliance/deploy-use/create-configuration-items-for-windows-8.1-and-windows-10-devices-managed-without-the-client). +For more information, see [Create configuration items for Windows 8.1 and Windows 10 devices managed without the Microsoft Endpoint Configuration Manager client](https://docs.microsoft.com/configmgr/compliance/deploy-use/create-configuration-items-for-windows-8.1-and-windows-10-devices-managed-without-the-client). ## Related topics diff --git a/devices/surface-hub/manage-surface-hub.md b/devices/surface-hub/manage-surface-hub.md index fcd75f6dfd..4ad681ff5f 100644 --- a/devices/surface-hub/manage-surface-hub.md +++ b/devices/surface-hub/manage-surface-hub.md @@ -19,7 +19,7 @@ ms.localizationpriority: medium After initial setup of Microsoft Surface Hub, the device’s settings and configuration can be modified or changed in a couple ways: - **Local management** - Every Surface Hub can be configured locally using the **Settings** app on the device. To prevent unauthorized users from changing settings, the Settings app requires admin credentials to open the app. For more information, see [Local management for Surface Hub settings](local-management-surface-hub-settings.md). -- **Remote management** - Surface Hub allow IT admins to manage settings and policies using a mobile device management (MDM) provider, such as Microsoft Intune, System Center Configuration Manager, and other third-party providers. Additionally, admins can monitor Surface Hubs using Microsoft Operations Management Suite (OMS). For more information, see [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md), and [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). +- **Remote management** - Surface Hub allow IT admins to manage settings and policies using a mobile device management (MDM) provider, such as Microsoft Intune, Microsoft Endpoint Configuration Manager, and other third-party providers. Additionally, admins can monitor Surface Hubs using Microsoft Operations Management Suite (OMS). For more information, see [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md), and [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). > [!NOTE] > These management methods are not mutually exclusive. Devices can be both locally and remotely managed if you choose. However, MDM policies and settings will overwrite any local changes when the Surface Hub syncs with the management server. diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md index 4535bd1f1b..961a12fcd0 100644 --- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md +++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md @@ -58,7 +58,7 @@ Surface Hubs, like all Windows 10 devices, include **Windows Update for Business 2. [Configure when Surface Hub receives updates](#configure-when-surface-hub-receives-updates). > [!NOTE] -> You can use Microsoft Intune, System Center Configuration Manager, or a supported third-party MDM provider to set up WUfB. [Walkthrough: use Microsoft Intune to configure Windows Update for Business.](https://docs.microsoft.com/windows/deployment/update/waas-wufb-intune) +> You can use Microsoft Intune, Microsoft Endpoint Configuration Manager, or a supported third-party MDM provider to set up WUfB. [Walkthrough: use Microsoft Intune to configure Windows Update for Business.](https://docs.microsoft.com/windows/deployment/update/waas-wufb-intune) ### Group Surface Hub into deployment rings diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md index a6eb33d8f4..198dba4f74 100644 --- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md @@ -28,7 +28,7 @@ Review these dependencies to make sure Surface Hub features will work in your IT | Active Directory or Azure Active Directory (Azure AD) |
The Surface Hub's uses an Active Directory or Azure AD account (called a **device account**) to access Exchange and Skype for Business services. The Surface Hub must be able to connect to your Active Directory domain controller or to your Azure AD tenant in order to validate the device account’s credentials, as well as to access information like the device account’s display name, alias, Exchange server, and Session Initiation Protocol (SIP) address.
You can also domain join or Azure AD join your Surface Hub to allow a group of authorized users to configure settings on the Surface Hub. | | Exchange (Exchange 2013 or later, or Exchange Online) and Exchange ActiveSync |Exchange is used for enabling mail and calendar features, and also lets people who use the device send meeting requests to the Surface Hub, enabling one-touch meeting join.
ActiveSync is used to sync the device account’s calendar and mail to the Surface Hub. If the device cannot use ActiveSync, it will not show meetings on the welcome screen, and joining meetings and emailing whiteboards will not be enabled. | | Skype for Business (Lync Server 2013 or later, or Skype for Business Online) | Skype for Business is used for various conferencing features, like video calls, instant messaging, and screen sharing.| -| Mobile device management (MDM) solution (Microsoft Intune, System Center Configuration Manager, or supported third-party MDM provider) | If you want to apply settings and install apps remotely, and to multiple devices at a time, you must set up a MDM solution and enroll the device to that solution. See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for details. | +| Mobile device management (MDM) solution (Microsoft Intune, Microsoft Endpoint Configuration Manager, or supported third-party MDM provider) | If you want to apply settings and install apps remotely, and to multiple devices at a time, you must set up a MDM solution and enroll the device to that solution. See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for details. | | Microsoft Operations Management Suite (OMS) | OMS is used to monitor the health of Surface Hub devices. See [Monitor your Surface Hub](monitor-surface-hub.md) for details. | | Network and Internet access | In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred. 802.1X Authentication is supported for both wired and wireless connections.**802.1X authentication:** In Windows 10, version 1703, 802.1X authentication for wired and wireless connections is enabled by default in Surface Hub. If your organization doesn't use 802.1X authentication, there is no configuration required and Surface Hub will continue to function as normal. If you use 802.1X authentication, you must ensure that the authentication certification is installed on Surface Hub. You can deliver the certificate to Surface Hub using the [ClientCertificateInstall CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/clientcertificateinstall-csp) in MDM, or you can [create a provisioning package](provisioning-packages-for-surface-hub.md) and install it during first run or through the Settings app. After the certificate is applied to Surface Hub, 802.1X authentication will start working automatically.**Note:** For more information on enabling 802.1X wired authentication on Surface Hub, see [Enable 802.1x wired authentication](enable-8021x-wired-authentication.md).**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. Proxy credentials are stored across Surface Hub sessions and only need to be set once. | diff --git a/devices/surface-hub/surface-hub-2s-pack-components.md b/devices/surface-hub/surface-hub-2s-pack-components.md index 287f43ec7b..ff8dbd07ad 100644 --- a/devices/surface-hub/surface-hub-2s-pack-components.md +++ b/devices/surface-hub/surface-hub-2s-pack-components.md @@ -9,7 +9,7 @@ ms.author: greglin manager: laurawi audience: Admin ms.topic: article -ms.date: 07/1/2019 +ms.date: 02/06/2019 ms.localizationpriority: Medium --- @@ -24,62 +24,45 @@ If you replace your Surface Hub 2S, one of its components, or a related accessor Use the following steps to pack your Surface Hub 2S 50" for shipment. - - +| | | | +| - | ----------------------------------------------------------------------------------------------------------------------------------------------- | ----- | +| **1.** | Remove the pen and the camera. Do not pack them with the unit. |  | +| **2.** | Remove the drive and the power cable. Do not pack them with the unit. Do not pack the Setup guide with the unit. |  | +| **3.** | Unplug all cables, slide the cover sideways, and unscrew the locking screw of the Compute Cartridge. |  | +| **4.** | Slide the Compute Cartridge out of the unit. |  | +| **5.** | You will need the Compute Cartridge and a screwdriver. | | +| **6.** | Remove the cover screw and the cover from the Compute Cartridge, and then remove the solid state drive (SSD). | | +| **7.** | Replace the cover and slide the Compute Cartridge back into the unit. | | +| **8.** | Re-fasten the locking screw and slide the cover into place. | | +| **9.** | Remove any base or mounting hardware. Using two people, place the unit in the base of the shipping container. | | +| **10.** | Replace the cover of the shipping container, and insert the four clips. | | - - - - - - - - - - - - - - - - - - - - - ## How to replace and pack your Surface Hub 2S Compute Cartridge -Use the following steps to remove the Surface Hub 2S Compute Cartridge, pack it for shipment, and install the new Compute Cartridge. +Use the following steps to remove the Surface Hub 2S Compute Cartridge, pack it for shipment, and install the new Compute Cartridge.+  - - - - - - - - - - - - - - - - - - - - - +| | | | +| - | ----------------------------------------------------------------------------------------------------------------------------------------------- | ----- | +| **1.** | Unplug all cables, slide the cover sideways, and unscrew the locking screw of the Compute Cartridge. |  | +| **2.** | Slide the Compute Cartridge out of the unit. |  | +| **3.** | You will need the Compute Cartridge and a screwdriver. |  | +| **4.** | Remove the cover screw and the cover from the Compute Cartridge, and then remove the solid state drive (SSD). When finished, replace the cover. |  | +| **5.**| You will need the packaging fixtures that were used to package your replacement Compute Cartridge. |  | +| **6.**| Place the old Compute Cartridge in the packaging fixtures. |  | +| **7.** | Place the old Compute Cartridge and its packaging into the box that was used for the replacement Compute Cartridge. Reseal the box. | | +| **8.**| Slide the replacement Compute Cartridge into the unit. |  | +| **9.**| Fasten the locking screw and slide the cover into place |  | ## How to replace your Surface Hub 2S Camera Use the following steps to remove the Surface Hub 2S camera and install the new camera. - - +| | | | +| - | ----------------------------------------------------------------------------------------------------------------------------------------------- | ----- | +| **1.** | You will need the new camera and the two-millimeter allen wrench. | | +| **2.** | Unplug the old camera from the unit. If needed, use the allen wrench to adjust the new camera. Plug the new camera into the unit. |  | diff --git a/devices/surface-hub/surface-hub-update-history.md b/devices/surface-hub/surface-hub-update-history.md index 943400d44c..5d6989d80b 100644 --- a/devices/surface-hub/surface-hub-update-history.md +++ b/devices/surface-hub/surface-hub-update-history.md @@ -24,6 +24,17 @@ Please refer to the “[Surface Hub Important Information](https://support.micro ## Windows 10 Team Creators Update 1703 +
+
+
January 14, 2020—update for Team edition based on KB4534296* (OS Build 15063.2254)
+ +This update to the Surface Hub includes quality improvements and security fixes. Key updates to Surface Hub, not already outlined in [Windows 10 Update History](https://support.microsoft.com/help/4018124/windows-10-update-history), include: + +* Addresses an issue with log collection for Microsoft Surface Hub 2S. + +Please refer to the [Surface Hub Admin guide](https://docs.microsoft.com/surface-hub/) for enabling/disabling device features and services. +*[KB4534296](https://support.microsoft.com/help/4534296) +September 24, 2019—update for Team edition based on KB4516059* (OS Build 15063.2078)
@@ -57,7 +68,6 @@ Please refer to the [Surface Hub Admin guide](https://docs.microsoft.com/surface This update to the Surface Hub includes quality improvements and security fixes. Key updates to Surface Hub, not already outlined in [Windows 10 Update History](https://support.microsoft.com/help/4018124/windows-10-update-history), include: -* Addresses an issue with log collection for Microsoft Surface Hub 2S. * Addresses an issue preventing a user from signing in to a Microsoft Surface Hub device with an Azure Active Directory account. This issue occurs because a previous session did not end successfully. * Adds support for TLS 1.2 connections to identity providers and Exchange in device account setup scenarios. * Fixes to improve reliability of Hardware Diagnostic App on Hub 2S. diff --git a/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md b/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md index 40a5768d27..e01737c52e 100644 --- a/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md +++ b/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md @@ -89,11 +89,11 @@ The Surface Hub Hardware Diagnostic tool is an easy-to-navigate tool that lets t Field |Success |Failure |Comment |Reference |------|------|------|------|------| -Internet Connectivity |Device does have Internet connectivity |Device does not have Internet connectivity |Verifies internet connectivity, including proxy connection |[Configuring a proxy for your Surface Hub](https://blogs.technet.microsoft.com/y0av/2017/12/03/7/) +Internet Connectivity |Device does have Internet connectivity |Device does not have Internet connectivity |Verifies internet connectivity, including proxy connection | HTTP Version |1.1 |1.0 |If HTTP 1.0 found, it will cause issue with WU and Store | Direct Internet Connectivity |Device has a Proxy configured Device has no Proxy configured |N/A |Informational. Is your device behind a proxy? | Proxy Address | | |If configured, returns proxy address. | -Proxy Authentication |Proxy does not require Authentication |Proxy requires Proxy Auth |Result may be a false positive if a user already has an open session in Edge and has authenticated thru the proxy. |[Configuring a proxy for your Surface Hub](https://blogs.technet.microsoft.com/y0av/2017/12/03/7/) +Proxy Authentication |Proxy does not require Authentication |Proxy requires Proxy Auth |Result may be a false positive if a user already has an open session in Edge and has authenticated through the proxy. | Proxy Auth Types | | |If proxy authentication is used, return the Authentication methods advertised by the proxy. | #### Environment @@ -131,5 +131,5 @@ SIP Pool Cert Root CA | | |Information. Display the SIP Pool Cert Root CA, if av Field |Success |Failure |Comment |Reference |------|------|------|------|------| -Trust Model Status |No Trust Model Issue Detected. |SIP Domain and server domain are different please add the following domains. |Check the LD FQDN/ LD Server Name/ Pool Server name for Trust model issue. |[Surface Hub and the Skype for Business Trusted Domain List](https://blogs.technet.microsoft.com/y0av/2017/10/25/95/) +Trust Model Status |No Trust Model Issue Detected. |SIP Domain and server domain are different please add the following domains. |Check the LD FQDN/ LD Server Name/ Pool Server name for Trust model issue. Domain Name(s) | | |Return the list of domains that should be added for SFB to connect. | diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md index faefd0d8fc..53918a7ad5 100644 --- a/devices/surface/TOC.md +++ b/devices/surface/TOC.md @@ -56,7 +56,7 @@ ### [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) ### [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md) ### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md) -### [Use System Center Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md) +### [Use Microsoft Endpoint Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md) ### [Surface Data Eraser](microsoft-surface-data-eraser.md) ## Troubleshoot diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md index f99bfa549c..18fc041b85 100644 --- a/devices/surface/change-history-for-surface.md +++ b/devices/surface/change-history-for-surface.md @@ -173,7 +173,7 @@ New or changed topic | Description |New or changed topic | Description | | --- | --- | |[Surface Enterprise Management Mode](surface-enterprise-management-mode.md) | Added procedure for viewing certificate thumbprint. | -|[Use System Center Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md) | New | +|[Use Microsoft Endpoint Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md) | New | @@ -181,7 +181,7 @@ New or changed topic | Description | New or changed topic | Description | | --- | --- | -| [Considerations for Surface and System Center Configuration Manager](considerations-for-surface-and-system-center-configuration-manager.md) | New | +| [Considerations for Surface and Microsoft Endpoint Configuration Manager](considerations-for-surface-and-system-center-configuration-manager.md) | New | | [Long-term servicing branch for Surface devices](ltsb-for-surface.md) | New | diff --git a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md index 2513abc0f9..0b9915c4b0 100644 --- a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md +++ b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md @@ -16,25 +16,23 @@ ms.reviewer: manager: dansimp --- -# Considerations for Surface and System Center Configuration Manager +# Considerations for Surface and Microsoft Endpoint Configuration Manager -Fundamentally, management and deployment of Surface devices with System Center Configuration Manager is the same as the management and deployment of any other PC. Like any other PC, a deployment to Surface devices includes importing drivers, importing a Windows image, preparing a deployment task sequence, and then deploying the task sequence to a collection. After deployment, Surface devices are like any other Windows client; to publish apps, settings, and policies, you use the same process as you would use for any other device. +Fundamentally, management and deployment of Surface devices with Microsoft Endpoint Configuration Manager is the same as the management and deployment of any other PC. Like any other PC, a deployment to Surface devices includes importing drivers, importing a Windows image, preparing a deployment task sequence, and then deploying the task sequence to a collection. After deployment, Surface devices are like any other Windows client; to publish apps, settings, and policies, you use the same process as you would use for any other device. -You can find more information about how to use Configuration Manager to deploy and manage devices in the [Documentation for System Center Configuration Manager](https://docs.microsoft.com/sccm/index). +You can find more information about how to use Configuration Manager to deploy and manage devices in the [Documentation for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/index). Although the deployment and management of Surface devices is fundamentally the same as any other PC, there are some scenarios that may require additional considerations or steps. This article provides descriptions and guidance for these scenarios. The solutions documented in this article may apply to other devices and manufacturers as well. > [!NOTE] -> For management of Surface devices it is recommended that you use the Current Branch of System Center Configuration Manager. +> For management of Surface devices it is recommended that you use the Current Branch of Microsoft Endpoint Configuration Manager. ## Updating Surface device drivers and firmware - -For devices that recieve updates through Windows Update, drivers for Surface components (and even firmware updates) are applied automatically as part of the Windows Update process. For devices with managed updates, such as those updated through Windows Server Update Services (WSUS) or System Center Configuration Manager, see [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-driver-and-firmware-updates/). - +For devices that recieve updates through Windows Update, drivers for Surface components (and even firmware updates) are applied automatically as part of the Windows Update process. For devices with managed updates, such as those updated through Windows Server Update Services (WSUS) or Configuration Manager, see [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-driver-and-firmware-updates/). > [!NOTE] -> Surface device drivers and firmware are signed with SHA-256, which is not natively supported by Windows Server 2008 R2. A workaround is available for Configuration Manager environments running on Windows Server 2008 R2. For more information, see [Can't import drivers into System Center Configuration Manager (KB3025419)](https://support.microsoft.com/kb/3025419). +> Surface device drivers and firmware are signed with SHA-256, which is not natively supported by Windows Server 2008 R2. A workaround is available for Configuration Manager environments running on Windows Server 2008 R2. For more information, see [Can't import drivers into Microsoft Endpoint Configuration Manager (KB3025419)](https://support.microsoft.com/kb/3025419). ## Surface Ethernet adapters and Configuration Manager deployment @@ -42,9 +40,9 @@ The default mechanism that Configuration Manager uses to identify devices during To ensure that Surface devices using the same Ethernet adapter are identified as unique devices during deployment, you can instruct Configuration Manager to identify devices using another method. This other method could be the MAC address of the wireless network adapter or the System Universal Unique Identifier (System UUID). You can specify that Configuration Manager use other identification methods with the following options: -* Add an exclusion for the MAC addresses of Surface Ethernet adapters, which forces Configuration Manager to overlook the MAC address in preference of the System UUID, as documented in the [Reusing the same NIC for multiple PXE initiated deployments in System Center Configuration Manager OSD](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2015/08/27/reusing-the-same-nic-for-multiple-pxe-initiated-deployments-in-system-center-configuration-manger-osd/) blog post. +* Add an exclusion for the MAC addresses of Surface Ethernet adapters, which forces Configuration Manager to overlook the MAC address in preference of the System UUID, as documented in the [Reusing the same NIC for multiple PXE initiated deployments in SMicrosoft Endpoint Configuration Manager OSD](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2015/08/27/reusing-the-same-nic-for-multiple-pxe-initiated-deployments-in-system-center-configuration-manger-osd/) blog post. -* Prestage devices by System UUID as documented in the [Reusing the same NIC for multiple PXE initiated deployments in System Center Configuration Manager OSD](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2015/08/27/reusing-the-same-nic-for-multiple-pxe-initiated-deployments-in-system-center-configuration-manger-osd/) blog post. +* Prestage devices by System UUID as documented in the [Reusing the same NIC for multiple PXE initiated deployments in Microsoft Endpoint Configuration Manager OSD](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2015/08/27/reusing-the-same-nic-for-multiple-pxe-initiated-deployments-in-system-center-configuration-manger-osd/) blog post. * Use a script to identify a newly deployed Surface device by the MAC address of its wireless adapter, as documented in the [How to Use The Same External Ethernet Adapter For Multiple SCCM OSD](https://blogs.technet.microsoft.com/askpfeplat/2014/07/27/how-to-use-the-same-external-ethernet-adapter-for-multiple-sccm-osd/) blog post. @@ -60,7 +58,7 @@ With the release of Microsoft Store for Business, Surface app is no longer avail If your organization uses prestaged media to pre-load deployment resources on to machines prior to deployment with Configuration Manager, the nature of Surface devices as UEFI devices may require you to take additional steps. Specifically, a native UEFI environment requires that you create multiple partitions on the boot disk of the system. If you are following along with the [documentation for prestaged media](https://technet.microsoft.com/library/79465d90-4831-4872-96c2-2062d80f5583?f=255&MSPPError=-2147217396#BKMK_CreatePrestagedMedia), the instructions provide for only single partition boot disks and therefore will fail when applied to Surface devices. -Instructions for applying prestaged media to UEFI devices, such as Surface devices, can be found in the [How to apply Task Sequence Prestaged Media on multi-partitioned disks for BIOS or UEFI PCs in System Center Configuration Manager](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2014/04/02/how-to-apply-task-sequence-prestaged-media-on-multi-partitioned-disks-for-bios-or-uefi-pcs-in-system-center-configuration-manager/) blog post. +Instructions for applying prestaged media to UEFI devices, such as Surface devices, can be found in the [How to apply Task Sequence Prestaged Media on multi-partitioned disks for BIOS or UEFI PCs in Microsoft Endpoint Configuration Manager](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2014/04/02/how-to-apply-task-sequence-prestaged-media-on-multi-partitioned-disks-for-bios-or-uefi-pcs-in-system-center-configuration-manager/) blog post. ## Licensing conflicts with OEM Activation 3.0 diff --git a/devices/surface/customize-the-oobe-for-surface-deployments.md b/devices/surface/customize-the-oobe-for-surface-deployments.md index efc6802f8f..46c321367b 100644 --- a/devices/surface/customize-the-oobe-for-surface-deployments.md +++ b/devices/surface/customize-the-oobe-for-surface-deployments.md @@ -34,7 +34,7 @@ In some scenarios, you may want to provide complete automation to ensure that at This article provides a summary of the scenarios where a deployment might require additional steps. It also provides the required information to ensure that the desired experience is achieved on any newly deployed Surface device. This article is intended for administrators who are familiar with the deployment process, as well as concepts such as answer files and [reference images](https://technet.microsoft.com/itpro/windows/deploy/create-a-windows-10-reference-image). >[!NOTE] ->Although the OOBE phase of setup is still run during a deployment with an automated deployment solution such as the [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=618117) or System Center Configuration Manager Operating System Deployment (OSD), it is automated by the settings supplied in the Deployment Wizard and task sequence. For more information see:+>Although the OOBE phase of setup is still run during a deployment with an automated deployment solution such as the [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=618117) or Microsoft Endpoint Configuration Manager Operating System Deployment (OSD), it is automated by the settings supplied in the Deployment Wizard and task sequence. For more information see:
>- [Deploy Windows 10 with the Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit) >- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager) diff --git a/devices/surface/deploy-surface-app-with-windows-store-for-business.md b/devices/surface/deploy-surface-app-with-windows-store-for-business.md index 7c3f3bd079..a03f6e46fa 100644 --- a/devices/surface/deploy-surface-app-with-windows-store-for-business.md +++ b/devices/surface/deploy-surface-app-with-windows-store-for-business.md @@ -101,7 +101,7 @@ After you add an app to the Microsoft Store for Business account in Offline mode *Figure 4. Download the AppxBundle package for an app* 5. Click **Download**. The AppxBundle package will be downloaded. Make sure you note the path of the downloaded file because you’ll need that later in this article. -6. Click either the **Encoded license** or **Unencoded license** option. Use the Encoded license option with management tools like System Center Configuration Manager or when you use Windows Configuration Designer to create a provisioning package. Select the Unencoded license option when you use Deployment Image Servicing and Management (DISM) or deployment solutions based on imaging, including the Microsoft Deployment Toolkit (MDT). +6. Click either the **Encoded license** or **Unencoded license** option. Use the Encoded license option with management tools like Microsoft Endpoint Configuration Manager or when you use Windows Configuration Designer to create a provisioning package. Select the Unencoded license option when you use Deployment Image Servicing and Management (DISM) or deployment solutions based on imaging, including the Microsoft Deployment Toolkit (MDT). 7. Click **Generate** to generate and download the license for the app. Make sure you note the path of the license file because you’ll need that later in this article. >[!NOTE] diff --git a/devices/surface/documentation/surface-system-sku-reference.md b/devices/surface/documentation/surface-system-sku-reference.md index c0aa8460a0..55a45cdd43 100644 --- a/devices/surface/documentation/surface-system-sku-reference.md +++ b/devices/surface/documentation/surface-system-sku-reference.md @@ -43,7 +43,7 @@ You can also find the System SKU and System Model for a device in System Informa - Click **Start** > **MSInfo32**. ### WMI -You can use System SKU variables in a Task Sequence WMI Condition in the Microsoft Deployment Toolkit (MDT) or System Center Configuration Manager. For example: +You can use System SKU variables in a Task Sequence WMI Condition in the Microsoft Deployment Toolkit (MDT) or Microsoft Endpoint Configuration Manager. For example: - WMI Namespace – Root\WMI - WQL Query – SELECT * FROM MS_SystemInformation WHERE SystemSKU = "Surface_Pro_1796" diff --git a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md index 580498d41a..49e1bc555b 100644 --- a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md +++ b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md @@ -23,7 +23,7 @@ Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on yo If you use PEAP, EAP-FAST, or Cisco LEAP in your enterprise network, you probably already know that these three wireless authentication protocols are not supported by Surface devices out of the box. Some users may discover this when they attempt to connect to your wireless network; others may discover it when they are unable to gain access to resources inside the network, like file shares and internal sites. For more information, see [Extensible Authentication Protocol](https://technet.microsoft.com/network/bb643147). -You can add support for each protocol by executing a small MSI package from a USB stick or from a file share. For organizations that want to enable EAP support on their Surface devices, the MSI package format supports deployment with many management and deployment tools, like the Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager. +You can add support for each protocol by executing a small MSI package from a USB stick or from a file share. For organizations that want to enable EAP support on their Surface devices, the MSI package format supports deployment with many management and deployment tools, like the Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager. ## Download PEAP, EAP-FAST, or Cisco LEAP installation files diff --git a/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md b/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md index d627dec4e9..b49b04d13a 100644 --- a/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md +++ b/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md @@ -9,7 +9,7 @@ ms.sitesec: library author: Teresa-Motiv ms.author: v-tea ms.topic: article -ms.date: 01/17/2020 +ms.date: 01/30/2020 ms.reviewer: scottmca ms.localizationpriority: medium ms.audience: itpro @@ -58,12 +58,14 @@ To support Surface Laptop (1st Gen), import the following folders: - SurfacePlatformInstaller\Drivers\System\GPIO - SurfacePlatformInstaller\Drivers\System\SurfaceHidMiniDriver - SurfacePlatformInstaller\Drivers\System\SurfaceSerialHubDriver + - SurfacePlatformInstaller\Drivers\System\PreciseTouch Or for newer MSI files beginning with "SurfaceUpdate", use: - SurfaceUpdate\SerialIOGPIO - SurfaceUpdate\SurfaceHidMiniDriver - SurfaceUpdate\SurfaceSerialHubDriver +- SurfaceUpdate\Itouch To support Surface Laptop 2, import the following folders: @@ -73,6 +75,7 @@ To support Surface Laptop 2, import the following folders: - SurfacePlatformInstaller\Drivers\System\I2C - SurfacePlatformInstaller\Drivers\System\SPI - SurfacePlatformInstaller\Drivers\System\UART + - SurfacePlatformInstaller\Drivers\System\PreciseTouch Or for newer MSI files beginning with "SurfaceUpdate", use: @@ -82,6 +85,7 @@ Or for newer MSI files beginning with "SurfaceUpdate", use: - SurfaceUpdate\IclSerialIOUART - SurfaceUpdate\SurfaceHidMini - SurfaceUpdate\SurfaceSerialHub +- SurfaceUpdate\Itouch To support Surface Laptop 3 with Intel Processor, import the following folders: @@ -93,7 +97,57 @@ To support Surface Laptop 3 with Intel Processor, import the following folders: - SurfaceUpdate\SurfaceHidMini - SurfaceUpdate\SurfaceSerialHub - SurfaceUpdate\SurfaceHotPlug - +- SurfaceUpdate\Itouch + > [!NOTE] + > Check the downloaded MSI package to determine the format and directory structure. The directory structure will start with either SurfacePlatformInstaller (older MSI files) or SurfaceUpdate (Newer MSI files) depending on when the MSI was released. + + To support Surface Laptop (1st Gen), import the following folders: + + - SurfacePlatformInstaller\Drivers\System\GPIO + - SurfacePlatformInstaller\Drivers\System\SurfaceHidMiniDriver + - SurfacePlatformInstaller\Drivers\System\SurfaceSerialHubDriver + - SurfacePlatformInstaller\Drivers\System\PreciseTouch + + Or for newer MSI files beginning with "SurfaceUpdate", use: + + - SurfaceUpdate\SerialIOGPIO + - SurfaceUpdate\SurfaceHidMiniDriver + - SurfaceUpdate\SurfaceSerialHubDriver + - SurfaceUpdate\Itouch + + To support Surface Laptop 2, import the following folders: + + - SurfacePlatformInstaller\Drivers\System\GPIO + - SurfacePlatformInstaller\Drivers\System\SurfaceHIDMiniDriver + - SurfacePlatformInstaller\Drivers\System\SurfaceSerialHubDriver + - SurfacePlatformInstaller\Drivers\System\I2C + - SurfacePlatformInstaller\Drivers\System\SPI + - SurfacePlatformInstaller\Drivers\System\UART + - SurfacePlatformInstaller\Drivers\System\PreciseTouch + + Or for newer MSI files beginning with "SurfaceUpdate", use: + + - SurfaceUpdate\SerialIOGPIO + - SurfaceUpdate\IclSerialIOI2C + - SurfaceUpdate\IclSerialIOSPI + - SurfaceUpdate\IclSerialIOUART + - SurfaceUpdate\SurfaceHidMini + - SurfaceUpdate\SurfaceSerialHub + - SurfaceUpdate\Itouch + + To support Surface Laptop 3 with Intel Processor, import the following folders: + + - SurfaceUpdate\IclSerialIOGPIO + - SurfaceUpdate\IclSerialIOI2C + - SurfaceUpdate\IclSerialIOSPI + - SurfaceUpdate\IclSerialIOUART + - SurfaceUpdate\SurfaceHidMini + - SurfaceUpdate\SurfaceSerialHub + - SurfaceUpdate\SurfaceHotPlug + - SurfaceUpdate\Itouch + + > [!NOTE] + > For Surface Laptop 3 with Intel processor, the model is Surface Laptop 3. The remaining Surface Laptop drivers are located in the \MDT Deployment Share\Out-of-Box Drivers\Windows10\X64\Surface Laptop 3 folder. 6. Verify that the WindowsPEX64 folder now contains the imported drivers. The folder should resemble the following: @@ -113,7 +167,8 @@ To support Surface Laptop 3 with Intel Processor, import the following folders: 9. Verify that you have configured the remaining Surface Laptop drivers by using either a selection profile or a **DriverGroup001** variable. - For Surface Laptop (1st Gen), the model is **Surface Laptop**. The remaining Surface Laptop drivers should reside in the \MDT Deployment Share\Out-of-Box Drivers\Windows10\X64\Surface Laptop folder as shown in the figure that follows this list. - - For Surface Laptop 2, the model is **Surface Laptop 2**. The remaining Surface Laptop drivers should reside in the \MDT Deployment Share\Out-of-Box Drivers\Windows10\X64\Surface Laptop 2 folder. + - For Surface Laptop 2, the model is **Surface Laptop 2**. The remaining Surface Laptop drivers should reside in the \MDT Deployment Share\Out-of-Box Drivers\Windows10\X64\Surface Laptop 2 folder. + - For Surface Laptop 3 with Intel processor, the model is Surface Laptop 3. The remaining Surface Laptop drivers are located in the \MDT Deployment Share\Out-of-Box Drivers\Windows10\X64\Surface Laptop 3 folder.  diff --git a/devices/surface/enroll-and-configure-surface-devices-with-semm.md b/devices/surface/enroll-and-configure-surface-devices-with-semm.md index e8a0143aab..50ecb3cb35 100644 --- a/devices/surface/enroll-and-configure-surface-devices-with-semm.md +++ b/devices/surface/enroll-and-configure-surface-devices-with-semm.md @@ -137,9 +137,9 @@ You can also verify that the device is enrolled in SEMM in Surface UEFI – whil ## Configure Surface UEFI settings with SEMM -After a device is enrolled in SEMM, you can run Surface UEFI configuration packages signed with the same SEMM certificate to apply new Surface UEFI settings. These settings are applied automatically the next time the device boots, without any interaction from the user. You can use application deployment solutions like System Center Configuration Manager to deploy Surface UEFI configuration packages to Surface devices to change or manage the settings in Surface UEFI. +After a device is enrolled in SEMM, you can run Surface UEFI configuration packages signed with the same SEMM certificate to apply new Surface UEFI settings. These settings are applied automatically the next time the device boots, without any interaction from the user. You can use application deployment solutions like Microsoft Endpoint Configuration Manager to deploy Surface UEFI configuration packages to Surface devices to change or manage the settings in Surface UEFI. -For more information about how to deploy Windows Installer (.msi) files with Configuration Manager, see [Deploy and manage applications with System Center Configuration Manager](https://technet.microsoft.com/library/mt627959). +For more information about how to deploy Windows Installer (.msi) files with Configuration Manager, see [Deploy and manage applications with Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/library/mt627959). If you have secured Surface UEFI with a password, users without the password who attempt to boot to Surface UEFI will only have the **PC information**, **About**, **Enterprise management**, and **Exit** pages displayed to them. diff --git a/devices/surface/ethernet-adapters-and-surface-device-deployment.md b/devices/surface/ethernet-adapters-and-surface-device-deployment.md index 1b1216cd8d..3c05a0d165 100644 --- a/devices/surface/ethernet-adapters-and-surface-device-deployment.md +++ b/devices/surface/ethernet-adapters-and-surface-device-deployment.md @@ -29,13 +29,10 @@ Network deployment to Surface devices can pose some unique challenges for system Before you can address the concerns of how you will boot to your deployment environment or how devices will be recognized by your deployment solution, you have to use a wired network adapter. -The primary concern when selecting an Ethernet adapter is how that adapter will boot your Surface device from the network. If you are pre-staging clients with Windows Deployment Services (WDS) or if you are using System Center Configuration Manager, you may also want to consider whether the removable Ethernet adapters will be dedicated to a specific Surface device or shared among multiple devices. See the [Manage MAC addresses with removable Ethernet adapters](#manage-mac-addresses) section of this article for more information on potential conflicts with shared adapters. +The primary concern when selecting an Ethernet adapter is how that adapter will boot your Surface device from the network. If you are pre-staging clients with Windows Deployment Services (WDS) or if you are using Microsoft Endpoint Configuration Manager, you may also want to consider whether the removable Ethernet adapters will be dedicated to a specific Surface device or shared among multiple devices. See the [Manage MAC addresses with removable Ethernet adapters](#manage-mac-addresses) section of this article for more information on potential conflicts with shared adapters. Booting from the network (PXE boot) is only supported when you use an Ethernet adapter or docking station from Microsoft. To boot from the network, the chipset in the Ethernet adapter or dock must be detected and configured as a boot device in the firmware of the Surface device. Microsoft Ethernet adapters, such as the Surface Ethernet Adapter and the [Surface Dock](https://www.microsoft.com/surface/accessories/surface-dock) use a chipset that is compatible with the Surface firmware. -> [!NOTE] -> PXE boot is not supported on Surface Pro X. For more information, refer to [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md) - The following Ethernet devices are supported for network boot with Surface devices: - Surface USB-C to Ethernet and USB 3.0 Adapter diff --git a/devices/surface/manage-surface-driver-and-firmware-updates.md b/devices/surface/manage-surface-driver-and-firmware-updates.md index 8bb23669ef..df0d5c2874 100644 --- a/devices/surface/manage-surface-driver-and-firmware-updates.md +++ b/devices/surface/manage-surface-driver-and-firmware-updates.md @@ -1,6 +1,6 @@ --- -title: Manage Surface driver and firmware updates (Surface) -description: This article describes the available options to manage firmware and driver updates for Surface devices. +title: Manage and deploy Surface driver and firmware updates +description: This article describes the available options to manage and deploy firmware and driver updates for Surface devices. ms.assetid: CD1219BA-8EDE-4BC8-BEEF-99B50C211D73 ms.reviewer: manager: dansimp @@ -14,7 +14,7 @@ author: dansimp ms.author: dansimp ms.topic: article ms.audience: itpro -ms.date: 10/21/2019 +ms.date: 01/24/2020 --- # Manage and deploy Surface driver and firmware updates @@ -31,31 +31,37 @@ While enterprise-grade software distribution solutions continue to evolve, the b Microsoft has streamlined tools for managing devices – including driver and firmware updates -- into a single unified experience called [Microsoft Endpoint Manager admin center](https://devicemanagement.microsoft.com/) accessed from devicemanagement.microsoft.com. -### Manage updates with Endpoint Configuration Manager and Intune +### Manage updates with Configuration Manager and Intune -Endpoint Configuration Manager (formerly System Center Configuration Manager) allows you to synchronize and deploy Surface firmware and driver updates with the Configuration Manager client. Integration with Microsoft Intune lets you see all your managed, co-managed and partner-managed devices in one place. This is the recommended solution for large organizations to manage Surface updates. +Microsoft Endpoint Configuration Manager allows you to synchronize and deploy Surface firmware and driver updates with the Configuration Manager client. Integration with Microsoft Intune lets you see all your managed, co-managed and partner-managed devices in one place. This is the recommended solution for large organizations to manage Surface updates. For detailed steps, see the following resources: -- [How to manage Surface driver updates in Configuration Manager.](https://support.microsoft.com/en-sg/help/4098906/manage-surface-driver-updates-in-configuration-manager) -- [Deploy applications with Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/deploy-applications). +- [How to manage Surface driver updates in Configuration Manager.](https://support.microsoft.com/help/4098906/manage-surface-driver-updates-in-configuration-manager) +- [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications). - [Endpoint Configuration Manager documentation](https://docs.microsoft.com/configmgr/) ### Manage updates with Microsoft Deployment Toolkit -Included in Endpoint Configuration Manager, the Microsoft Deployment Toolkit (MDT) contains optional deployment tools that you may wish to use depending on your environment. MDT includes the Windows Assessment and Deployment Kit (Windows ADK), Windows System Image Manager (Windows SIM), Deployment Image Servicing and Management (DISM), and User State Migration Tool (USMT). You can download the latest version of MDT from the [Microsoft Deployment Toolkit download page](https://www.microsoft.com/download/details.aspx?id=54259). +Included in Microsoft Endpoint Configuration Manager, the Microsoft Deployment Toolkit (MDT) contains optional deployment tools that you may wish to use depending on your environment. MDT includes the Windows Assessment and Deployment Kit (Windows ADK), Windows System Image Manager (Windows SIM), Deployment Image Servicing and Management (DISM), and User State Migration Tool (USMT). You can download the latest version of MDT from the [Microsoft Deployment Toolkit download page](https://www.microsoft.com/download/details.aspx?id=54259). For detailed steps, see the following resources: +Surface driver and firmware updates are packaged as Windows Installer (MSI) files. To deploy these Windows Installer packages, you can use application deployment utilities such as the Microsoft Deployment Toolkit (MDT) or Microsoft Endpoint Configuration Manager. Such solutions provide the means for administrators to test and review updates before deploying them, and to centralize deployment. For each device, it is important to select the correct MSI file for the device and its operating system. For more information see [Deploy the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md). + +For instructions on how to deploy updates by using Microsoft Endpoint Configuration Manager refer to [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications). For instructions on how to deploy updates by using MDT, see [Deploy a Windows 10 image using MDT](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt). - [Microsoft Deployment Toolkit documentation](https://docs.microsoft.com/configmgr/mdt/) - [Deploy Windows 10 with the Microsoft Deployment Toolkit](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit) - [Deploy Windows 10 to Surface devices with Microsoft Deployment Toolkit](https://docs.microsoft.com/surface/deploy-windows-10-to-surface-devices-with-mdt) **WindowsPE and Surface firmware and drivers** -System Center Configuration Manager and MDT both use the Windows Preinstallation Environment (WindowsPE) during the deployment process. WindowsPE only supports a limited set of basic drivers such as those for network adapters and storage controllers. Drivers for Windows components that are not part of WindowsPE might produce errors. As a best practice, you can prevent such errors by configuring the deployment process to use only the required drivers during the WindowsPE phase. +Microsoft Endpoint Configuration Manager and MDT both use the Windows Preinstallation Environment (WindowsPE) during the deployment process. WindowsPE only supports a limited set of basic drivers such as those for network adapters and storage controllers. Drivers for Windows components that are not part of WindowsPE might produce errors. As a best practice, you can prevent such errors by configuring the deployment process to use only the required drivers during the WindowsPE phase. +### Microsoft Endpoint Configuration Manager + +Starting in Microsoft Endpoint Configuration Manager, you can synchronize and deploy Microsoft Surface firmware and driver updates by using the Configuration Manager client. The process resembles that for deploying regular updates. For additional information, see KB 4098906, [How to manage Surface driver updates in Configuration Manager](https://support.microsoft.com/help/4098906/manage-surface-driver-updates-in-configuration-manager). ## Supported devices Downloadable MSI files are available for Surface devices from Surface Pro 2 and later. Information about MSI files for the newest Surface devices such as Surface Pro 7, Surface Pro X, and Surface Laptop 3 will be available from this page upon release. @@ -88,11 +94,11 @@ Specific versions of Windows 10 have separate .msi files, each containing all re ### Downloading .msi files 1. Browse to [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware) on the Microsoft Download Center. -2. Select the .msi file name that matches the Surface model and version of Windows. The .msi file name includes the minimum supported Windows build number required to install the drivers and firmware. For example, as shown in the following figure, to update a Surface Book 2 with build 18362 of Windows 10, choose **SurfaceBook2_Win10_18362_19.101.13994.msi.** For a Surface Book 2 with build 16299 of Windows 10, choose **SurfaceBook2_Win10_16299_1803509_3. msi**. +2. Select the .msi file name that matches the Surface model and version of Windows. The .msi file name includes the minimum supported Windows build number required to install the drivers and firmware. For example, as shown in the following figure, to update a Surface Book 2 with build 18362 of Windows 10, choose **SurfaceBook2_Win10_18362_19.101.13994.msi.** For a Surface Book 2 with build 16299 of Windows 10, choose **SurfaceBook2_Win10_16299_1803509_3.msi**. -  - -*Figure 1. Downloading Surface updates* +  + + *Figure 1. Downloading Surface updates* ### Surface .msi naming convention @@ -138,8 +144,8 @@ This file name provides the following information: ## Learn more - [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware) -- [How to manage Surface driver updates in Configuration Manager.](https://support.microsoft.com/en-sg/help/4098906/manage-surface-driver-updates-in-configuration-manager) -- [Deploy applications with Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/deploy-applications). +- [How to manage Surface driver updates in Configuration Manager.](https://support.microsoft.com/help/4098906/manage-surface-driver-updates-in-configuration-manager) +- [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications). - [Endpoint Configuration Manager documentation](https://docs.microsoft.com/configmgr/) - [Microsoft Deployment Toolkit documentation](https://docs.microsoft.com/configmgr/mdt/) - [Deploy Windows 10 with the Microsoft Deployment Toolkit](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit) diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md index 90b623c490..0fe84fc0b1 100644 --- a/devices/surface/microsoft-surface-data-eraser.md +++ b/devices/surface/microsoft-surface-data-eraser.md @@ -14,7 +14,7 @@ author: dansimp ms.author: dansimp ms.topic: article ms.audience: itpro -ms.date: 11/13/2019 +ms.date: 02/06/2020 --- # Microsoft Surface Data Eraser @@ -83,7 +83,10 @@ After the creation tool is installed, follow these steps to create a Microsoft S 1. Start Microsoft Surface Data Eraser from the Start menu or Start screen. -2. Click **Build** to begin the Microsoft Surface Data Eraser USB creation process. +2. Click **Build** to begin the Microsoft Surface Data Eraser USB creation process. + + >[!NOTE] + >For Surface Pro X devices, select **ARM64**. for other Surface devices, select **x64**. 3. Click **Start** to acknowledge that you have a USB stick of at least 4 GB connected, as shown in Figure 1. @@ -153,8 +156,8 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo 8. Click the **Yes** button to continue erasing data on the Surface device. ->[!NOTE] ->When you run Surface Data Eraser on the Surface Data Eraser USB drive, a log file is generated in the **SurfaceDataEraserLogs** folder. + >[!NOTE] + >When you run Surface Data Eraser on the Surface Data Eraser USB drive, a log file is generated in the **SurfaceDataEraserLogs** folder. ## Changes and updates @@ -222,8 +225,8 @@ This version of Microsoft Surface Data Eraser adds support for the following: - Surface Pro 1TB ->[!NOTE] ->Surface Data Eraser v3.2.45.0 and above can be used to restore Surface Pro or Surface Laptop devices with the 1TB storage option in the scenario that the device shows two separate 512GB volumes or encounters errors when attempting to deploy or install Windows 10. See [Surface Pro Model 1796 and Surface Laptop 1TB display two drives](https://support.microsoft.com/help/4046105/surface-pro-model-1796-and-surface-laptop-1tb-display-two-drives) for more information. + >[!NOTE] + >Surface Data Eraser v3.2.45.0 and above can be used to restore Surface Pro or Surface Laptop devices with the 1TB storage option in the scenario that the device shows two separate 512GB volumes or encounters errors when attempting to deploy or install Windows 10. See [Surface Pro Model 1796 and Surface Laptop 1TB display two drives](https://support.microsoft.com/help/4046105/surface-pro-model-1796-and-surface-laptop-1tb-display-two-drives) for more information. ### Version 3.2.36.0 diff --git a/devices/surface/step-by-step-surface-deployment-accelerator.md b/devices/surface/step-by-step-surface-deployment-accelerator.md index 488bd63a15..04d78253ee 100644 --- a/devices/surface/step-by-step-surface-deployment-accelerator.md +++ b/devices/surface/step-by-step-surface-deployment-accelerator.md @@ -328,7 +328,7 @@ The **2 – Create Windows Reference Image** task sequence is used to perform a Like the **1 – Deploy Microsoft Surface** task sequence, the **2 – Create Windows Reference Image** task sequence performs a deployment of the unaltered Windows image directly from the installation media. Creation of a reference image should always be performed on a virtual machine. Using a virtual machine as your reference system helps to ensure that the resulting image is compatible with different hardware configurations. >[!NOTE] ->Using a virtual machine when you create a reference image for Windows deployment is a recommended practice for performing Windows deployments with Microsoft deployment tools including the Microsoft Deployment Toolkit and System Center Configuration Manager. These Microsoft deployment technologies use the hardware agnostic images produced from a virtual machine and a collection of managed drivers to deploy to different configurations of hardware. For more information, see [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt). +>Using a virtual machine when you create a reference image for Windows deployment is a recommended practice for performing Windows deployments with Microsoft deployment tools including the Microsoft Deployment Toolkit and Microsoft Endpoint Configuration Manager. These Microsoft deployment technologies use the hardware agnostic images produced from a virtual machine and a collection of managed drivers to deploy to different configurations of hardware. For more information, see [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt). In addition to the information required by the **1 – Deploy Microsoft Surface** task sequence, you will also be prompted to capture an image when you run this task sequence on your reference virtual machine. The **Location** and **File name** fields are automatically populated with the proper information for your deployment share. All that you need to do is select the **Capture an image of this reference computer** option when you are prompted on the **Capture Image** page of the Windows Deployment Wizard. diff --git a/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md b/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md index 51e39c27a3..d57966b6cf 100644 --- a/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md +++ b/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md @@ -61,4 +61,4 @@ Before you choose to use Windows 10 Enterprise LTSC edition on Surface devices, Surface devices running Windows 10 Enterprise LTSC edition will not receive new features. In many cases these features are requested by customers to improve the usability and capabilities of Surface hardware. For example, new improvements for High DPI applications in Windows 10, version 1703. Customers that use Surface devices in the LTSC configuration will not see the improvements until they either update to a new Windows 10 Enterprise LTSC release or upgrade to a version of Windows 10 with support for the SAC servicing option. -Devices can be changed from Windows 10 Enterprise LTSC to a more recent version of Windows 10 Enterprise, with support for the SAC servicing option, without the loss of user data by performing an upgrade installation. You can also perform an upgrade installation on multiple devices by leveraging the Upgrade Task Sequence Templates available in the Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager. For more information, see [Upgrade Surface devices to Windows 10 with Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/surface/upgrade-surface-devices-to-windows-10-with-mdt). +Devices can be changed from Windows 10 Enterprise LTSC to a more recent version of Windows 10 Enterprise, with support for the SAC servicing option, without the loss of user data by performing an upgrade installation. You can also perform an upgrade installation on multiple devices by leveraging the Upgrade Task Sequence Templates available in the Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager. For more information, see [Upgrade Surface devices to Windows 10 with Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/surface/upgrade-surface-devices-to-windows-10-with-mdt). diff --git a/devices/surface/surface-diagnostic-toolkit-command-line.md b/devices/surface/surface-diagnostic-toolkit-command-line.md index f1e3460df4..6ea9d9ac55 100644 --- a/devices/surface/surface-diagnostic-toolkit-command-line.md +++ b/devices/surface/surface-diagnostic-toolkit-command-line.md @@ -43,7 +43,7 @@ Command | Notes >[!NOTE] ->To run the SDT app console remotely on target devices, you can use a configuration management tool such as System Center Configuration Manager. Alternatively, you can create a .zip file containing the console app and appropriate console commands and deploy per your organization’s software distribution processes. +>To run the SDT app console remotely on target devices, you can use a configuration management tool such as Microsoft Endpoint Configuration Manager. Alternatively, you can create a .zip file containing the console app and appropriate console commands and deploy per your organization’s software distribution processes. ## Running Best Practice Analyzer diff --git a/devices/surface/surface-dock-firmware-update.md b/devices/surface/surface-dock-firmware-update.md index 751ea36a4d..dc3e5b41f0 100644 --- a/devices/surface/surface-dock-firmware-update.md +++ b/devices/surface/surface-dock-firmware-update.md @@ -43,7 +43,7 @@ If preferred, you can manually complete the update as follows: ## Network deployment -You can use Windows Installer commands (Msiexec.exe) to deploy Surface Dock Firmware Update to multiple devices across your network. When using System Center Configuration Manager or other deployment tool, enter the following syntax to ensure the installation is silent: +You can use Windows Installer commands (Msiexec.exe) to deploy Surface Dock Firmware Update to multiple devices across your network. When using Microsoft Endpoint Configuration Manager or other deployment tool, enter the following syntax to ensure the installation is silent: - **Msiexec.exe /i
Intune| -|App and update management | Intune |System Center Configuration Manager
Intune| +|App and update management | Intune |Microsoft Endpoint Configuration Manager
Intune| *Table 1. Deployment and management scenarios* @@ -174,14 +174,14 @@ These scenarios assume the need to support: Some constraints exist in these scenarios. As you select the deployment and management methods for your device, keep the following constraints in mind: * You can use Group Policy or Intune to manage configuration settings on a device but not both. -* You can use System Center Configuration Manager or Intune to manage apps and updates on a device but not both. +* You can use Microsoft Endpoint Configuration Manager or Intune to manage apps and updates on a device but not both. * You cannot manage multiple users on a device with Intune if the device is AD DS domain joined. Use the cloud-centric scenario and on-premises and cloud scenario as a guide for your district. You may need to customize these scenarios, however, based on your district. As you go through the [Select the deployment methods](#select-the-deployment-methods), [Select the configuration setting management methods](#select-the-configuration-setting-management-methods), and the [Select the app and update management products](#select-the-app-and-update-management-products) sections, remember these scenarios and use them as the basis for your district. ### Select the deployment methods -To deploy Windows 10 and your apps, you can use MDT by itself or System Center Configuration Manager and MDT together. For a district, there are a few ways to deploy Windows 10 to devices. Table 2 lists the methods that this guide describes and recommends. Use this information to determine which combination of deployment methods is right for your institution. +To deploy Windows 10 and your apps, you can use MDT by itself or Microsoft Endpoint Configuration Manager and MDT together. For a district, there are a few ways to deploy Windows 10 to devices. Table 2 lists the methods that this guide describes and recommends. Use this information to determine which combination of deployment methods is right for your institution.
| System Center Configuration Manager | -System Center Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle. You can use System Center Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Microsoft Store apps and software updates as well as provide antivirus and antimalware protection. | Microsoft Endpoint Configuration Manager | +Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle. You can use Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Microsoft Store apps and software updates as well as provide antivirus and antimalware protection.
The disadvantages of this method are that it:
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Intune | Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
System Center Configuration Manager |
-System Center Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune. Microsoft Endpoint Configuration Manager |
+Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.
The disadvantages of this method are that it:
System Center Configuration Manager and Intune (hybrid) |
-System Center Configuration Manager and Intune together extend System Center Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both System Center Configuration Manager and Intune. Microsoft Endpoint Configuration Manager and Intune (hybrid) |
+Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.
The disadvantages of this method are that it:
If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business. -If you have Intune or System Center Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the Deploy and manage apps by using Intune and Deploy and manage apps by using System Center Configuration Manager sections. This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps. +If you have Intune or Microsoft Endpoint Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the Deploy and manage apps by using Intune and Deploy and manage apps by using Microsoft Endpoint Configuration Manager sections. This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps. In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to: x |
@@ -1728,7 +1728,7 @@ For more information about completing this task, see the following resources:
For more information, see:
@@ -1739,10 +1739,10 @@ For more information, see:
| Install new or update existing Microsoft Store apps used in the curriculum. |
Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download. -You can also deploy Microsoft Store apps directly to devices by using Intune, System Center Configuration Manager, or both in a hybrid configuration. For more information, see: +You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Endpoint Configuration Manager, or both in a hybrid configuration. For more information, see:
diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md
index 5fd1f4093a..f582026716 100644
--- a/education/windows/deploy-windows-10-in-a-school.md
+++ b/education/windows/deploy-windows-10-in-a-school.md
@@ -88,7 +88,7 @@ Now that you have the plan (blueprint) for your classroom, you’re ready to lea
The primary tool you will use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI).
-You can use MDT as a stand-alone tool or integrate it with Microsoft System Center Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with System Center Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as System Center Configuration Manager) but result in fully automated deployments.
+You can use MDT as a stand-alone tool or integrate it with Microsoft Endpoint Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as Configuration Manager) but result in fully automated deployments.
MDT includes the Deployment Workbench—a console from which you can manage the deployment of Windows 10 and your apps. You configure the deployment process in the Deployment Workbench, including the management of operating systems, device drivers, apps and migration of user settings on existing devices.
diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md
index c49e6ea21f..c326ec1cba 100644
--- a/education/windows/take-a-test-multiple-pcs.md
+++ b/education/windows/take-a-test-multiple-pcs.md
@@ -28,7 +28,7 @@ Follow the guidance in this topic to set up Take a Test on multiple PCs.
To configure a dedicated test account on multiple PCs, select any of the following methods:
- [Provisioning package created through the Set up School PCs app](#set-up-a-test-account-in-the-set-up-school-pcs-app)
- [Configuration in Intune for Education](#set-up-a-test-account-in-intune-for-education)
-- [Mobile device management (MDM) or Microsoft System Center Configuration Manager](#set-up-a-test-account-in-mdm-or-configuration-manager)
+- [Mobile device management (MDM) or Microsoft Endpoint Configuration Manager](#set-up-a-test-account-in-mdm-or-configuration-manager)
- [Provisioning package created through Windows Configuration Designer](#set-up-a-test-account-through-windows-configuration-designer)
- [Group Policy to deploy a scheduled task that runs a Powershell script](https://docs.microsoft.com/education/windows/take-a-test-multiple-pcs#create-a-scheduled-task-in-group-policy)
diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md
index 4ff027e388..fed3ff8374 100644
--- a/education/windows/take-tests-in-windows-10.md
+++ b/education/windows/take-tests-in-windows-10.md
@@ -48,7 +48,7 @@ There are several ways to configure devices for assessments. You can:
- **For multiple PCs**
You can use any of these methods:
- - Mobile device management (MDM) or Microsoft System Center Configuration Manager
+ - Mobile device management (MDM) or Microsoft Endpoint Configuration Manager
- A provisioning package created in Windows Configuration Designer
- Group Policy to deploy a scheduled task that runs a Powershell script
diff --git a/mdop/agpm/resources-for-agpm.md b/mdop/agpm/resources-for-agpm.md
index 3ebc42e3e4..5aa2774df3 100644
--- a/mdop/agpm/resources-for-agpm.md
+++ b/mdop/agpm/resources-for-agpm.md
@@ -19,19 +19,19 @@ ms.date: 08/30/2016
### Documents for download
-- [Advanced Group Policy Management 4.0 documents](https://go.microsoft.com/fwlink/?LinkID=158931)
+- [Advanced Group Policy Management 4.0 documents](https://www.microsoft.com/download/details.aspx?id=13975)
### Microsoft Desktop Optimization Pack resources
-- [Microsoft Desktop Optimization Pack (MDOP) for Software Assurance TechCenter](https://go.microsoft.com/fwlink/?LinkID=159870) (http://www.microsoft.com/technet/mdop): Links to MDOP videos and resources.
+- [Microsoft Desktop Optimization Pack (MDOP) for Software Assurance TechCenter](https://go.microsoft.com/fwlink/?LinkID=159870) (https://www.microsoft.com/technet/mdop): Links to MDOP videos and resources.
- [Enterprise products: MDOP](https://go.microsoft.com/fwlink/?LinkID=160297): Overviews and information about the benefits of applications in MDOP.
### Group Policy resources
-- [Group Policy TechCenter](https://go.microsoft.com/fwlink/?LinkID=145531) (http://www.microsoft.com/grouppolicy): Links to Group Policy documentation, tools, and downloads.
+- [Group Policy TechCenter](https://go.microsoft.com/fwlink/?LinkID=145531) (https://www.microsoft.com/grouppolicy): Links to Group Policy documentation, tools, and downloads.
-- [Group Policy Team Blog](https://go.microsoft.com/fwlink/?LinkID=75192) (http://blogs.technet.com/GroupPolicy): Stay current on the latest news about Group Policy with articles by the Group Policy Team and other experts.
+- [Group Policy Team Blog](https://go.microsoft.com/fwlink/?LinkID=75192) (https://blogs.technet.com/GroupPolicy): Stay current on the latest news about Group Policy with articles by the Group Policy Team and other experts.
- [Group Policy Forum](https://go.microsoft.com/fwlink/?LinkID=145532): Do you have questions about Group Policy or AGPM? You can post your questions to the forum, and receive answers from the experts.
diff --git a/mdop/appv-v4/about-microsoft-application-virtualization-45.md b/mdop/appv-v4/about-microsoft-application-virtualization-45.md
index 827934974f..40b58ca9d6 100644
--- a/mdop/appv-v4/about-microsoft-application-virtualization-45.md
+++ b/mdop/appv-v4/about-microsoft-application-virtualization-45.md
@@ -27,7 +27,7 @@ Formerly known as SoftGrid Application Virtualization, Microsoft Application Vir
2. Application Virtualization Streaming Server, a lightweight version which also ships as part of the Microsoft Desktop Optimization Pack and Microsoft Application Virtualization for Remote Desktop Services packages, offers application streaming including package and active upgrades without the Active Directory Domain Services and database overheads, and enables administrators to deploy to existing servers or add streaming to Electronic Software Delivery (ESD) systems.
- 3. Standalone mode enables virtual applications to run without streaming and is interoperable with Microsoft Systems Management Server and System Center Configuration Manager 2007 and third-party ESD systems.
+ 3. Standalone mode enables virtual applications to run without streaming and is interoperable with Microsoft Endpoint Configuration Manager and third-party ESD systems.
- Globalization: The product is localized across 11 languages, includes support for foreign language applications that use special characters, and supports foreign language Active Directory and servers and runtime locale detection.
diff --git a/mdop/appv-v4/app-v-upgrade-checklist.md b/mdop/appv-v4/app-v-upgrade-checklist.md
index 942fa32de6..b81818e567 100644
--- a/mdop/appv-v4/app-v-upgrade-checklist.md
+++ b/mdop/appv-v4/app-v-upgrade-checklist.md
@@ -69,7 +69,7 @@ Before trying to upgrade to Microsoft Application Virtualization (App-V) 4.5 or
- Any virtual application packages sequenced in version 4.2 will not have to be sequenced again for use with version 4.5. However, you should consider upgrading the virtual packages to the Microsoft Application Virtualization 4.5 format if you want to apply default access control lists (ACLs) or generate a Windows Installer file. This is a simple process and requires only that the existing virtual application package be opened and saved with the App-V 4.5 Sequencer. This can be automated by using the App-VSequencer command-line interface. For more information, see [How to Create or Upgrade Virtual Applications Using the App-V Sequencer](how-to-create-or-upgrade-virtual-applications-using--the-app-v-sequencer.md)
-- One of the features of the 4.5 Sequencer is the ability to create Windows Installer (.msi) files as control points for virtual application package interoperability with electronic software distribution (ESD) systems, such as Microsoft System Center Configuration Manager 2007. Previous Windows Installer files created with the MSI tool for Application Virtualization that were installed on a App-V 4.1 or 4.2 client that is subsequently upgraded to App-V 4.5 will continue to work, although they cannot be installed on the App-V 4.5 client. However, they cannot be removed or upgraded unless they are upgraded in the App-V 4.5 Sequencer. The original App-V package earlier than 4.5 has to be opened in the App-V 4.5 Sequencer and then saved as a Windows Installer File.
+- One of the features of the 4.5 Sequencer is the ability to create Windows Installer (.msi) files as control points for virtual application package interoperability with electronic software distribution (ESD) systems, such as Microsoft Endpoint Configuration Manager. Previous Windows Installer files created with the MSI tool for Application Virtualization that were installed on a App-V 4.1 or 4.2 client that is subsequently upgraded to App-V 4.5 will continue to work, although they cannot be installed on the App-V 4.5 client. However, they cannot be removed or upgraded unless they are upgraded in the App-V 4.5 Sequencer. The original App-V package earlier than 4.5 has to be opened in the App-V 4.5 Sequencer and then saved as a Windows Installer File.
**Note**
If the App-V 4.2 Client has already been upgraded to App-V 4.5, it is possible to script a workaround to preserve the version 4.2 packages on version 4.5 clients and allow them to be managed. This script must copy two files, msvcp71.dll and msvcr71.dll, to the App-V installation folder and set the following registry key values under the registry key:\[HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\SoftGrid\\4.5\\Client\\Configuration\]:
diff --git a/mdop/appv-v4/determine-your-streaming-method.md b/mdop/appv-v4/determine-your-streaming-method.md
index eac83fa0c2..0033aa3003 100644
--- a/mdop/appv-v4/determine-your-streaming-method.md
+++ b/mdop/appv-v4/determine-your-streaming-method.md
@@ -24,7 +24,7 @@ The first time that a user double-clicks the icon that has been placed on a comp
-The streaming source location is usually a server that is accessible by the user’s computer; however, some electronic distribution systems, such as Microsoft System Center Configuration Manager, can distribute the SFT file to the user’s computer and then stream the virtual application package locally from that computer’s cache.
+The streaming source location is usually a server that is accessible by the user’s computer; however, some electronic distribution systems, such as Microsoft Endpoint Configuration Manager, can distribute the SFT file to the user’s computer and then stream the virtual application package locally from that computer’s cache.
**Note**
A streaming source location for virtual packages can be set up on a computer that is not a server. This is especially useful in a small branch office that has no server.
diff --git a/mdop/appv-v4/electronic-software-distribution-based-scenario-overview.md b/mdop/appv-v4/electronic-software-distribution-based-scenario-overview.md
index 6173dbdd7a..ebdfacc6c9 100644
--- a/mdop/appv-v4/electronic-software-distribution-based-scenario-overview.md
+++ b/mdop/appv-v4/electronic-software-distribution-based-scenario-overview.md
@@ -20,7 +20,7 @@ ms.date: 08/30/2016
If you plan to use an electronic software distribution (ESD) solution to deploy virtual applications, it is important to understand the factors that go into and are affected by that decision. This topic describes the benefits of using an ESD-based scenario and provides information about the publishing and package streaming methods that you will need to consider as you proceed with your deployment.
**Important**
-Whichever ESD solution you use, you must be familiar with the requirements of your particular solution. If you are using System Center Configuration Manager 2007 R2 or later, see the System Center Configuration Manager documentation at | Software requirements
Software requirements
Software requirements
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
](../images/UR-lift-report.jpg){kind=link}
](../images/ua-cg-15.png){kind=link}
| Feature | -Description | -
|---|---|
Credential Guard |
-This feature uses virtualization-based security to help protect security secrets (for example, NTLM password hashes, Kerberos Ticket Granting Tickets) so that only privileged system software can access them. This helps prevent Pass-the-Hash or Pass-the-Ticket attacks. -Credential Guard has the following features: -
For more information, see Protect derived domain credentials with Credential Guard. -Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present) |
-
Device Guard |
-This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code. -Device Guard does the following: -
For more information, see Introduction to Device Guard. |
-
AppLocker management |
-This feature helps IT pros determine which applications and files users can run on a device (also known as “whitelisting”). The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. -For more information, see AppLocker. |
-
Application Virtualization (App-V) |
-This feature makes applications available to end users without installing the applications directly on users’ devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates. -For more information, see Getting Started with App-V for Windows 10. |
-
User Experience Virtualization (UE-V) |
-With this feature, you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to. -UE-V provides the ability to do the following: -
For more information, see User Experience Virtualization (UE-V) for Windows 10 overview. |
-
Managed User Experience |
-This feature helps customize and lock down a Windows device’s user interface to restrict it to a specific task. For example, you can configure a device for a controlled scenario such as a kiosk or classroom device. The user experience would be automatically reset once a user signs off. You can also restrict access to services including Cortana or the Windows Store, and manage Start layout options, such as: -
|
For more information on these settings, see [Customize Windows 10 Start and taskbar with Group Policy](https://technet.microsoft.com/itpro/windows/manage/customize-windows-10-start-screens-by-using-group-policy). | -| Unbranded boot | You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error from which it cannot recover.
For more information on these settings, see [Unbranded Boot](https://msdn.microsoft.com/library/windows/hardware/mt571997(v=vs.85).aspx). | -| Custom logon | You can use the Custom Logon feature to suppress Windows 10 UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown.
For more information on these settings, see [Custom Logon](https://msdn.microsoft.com/library/windows/hardware/mt571990(v=vs.85).aspx). | -| Shell launcher | Enables Assigned Access to run only a classic Windows app via Shell Launcher to replace the shell.
For more information on these settings, see [Shell Launcher](https://msdn.microsoft.com/library/windows/hardware/mt571994(v=vs.85).aspx). | -| Keyboard filter | You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, users can use certain Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to control a device by locking the screen or using Task Manager to close a running application. This is not desirable on devices intended for a dedicated purpose.
For more information on these settings, see [Keyboard Filter](https://msdn.microsoft.com/library/windows/hardware/mt587088(v=vs.85).aspx). | -| Unified write filter | You can use Unified Write Filter (UWF) on your device to help protect your physical storage media, including most standard writable storage types that are supported by Windows, such as physical hard disks, solid-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writable volume.
For more information on these settings, see [Unified Write Filter](https://msdn.microsoft.com/library/windows/hardware/mt572001(v=vs.85).aspx). | - -## Related topics - -[Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md) -
[Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-devices-group-policy/) -
[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare) -
[Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx) +--- +title: Windows 10 Enterprise E3 in CSP +description: Describes Windows 10 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10 Enterprise edition. +keywords: upgrade, update, task sequence, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: mdt +ms.date: 08/24/2017 +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +audience: itpro +author: greg-lindsay +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Windows 10 Enterprise E3 in CSP + +Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Windows 10 Enterprise E3 in CSP is a new offering that delivers, by subscription, exclusive features reserved for Windows 10 Enterprise edition. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10 Enterprise E3 in CSP provides a flexible, per-user subscription for small- and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following: + +- Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later, installed and activated, on the devices to be upgraded +- Azure Active Directory (Azure AD) available for identity management + +Starting with Windows 10, version 1607 (Windows 10 Anniversary Update), you can move from Windows 10 Pro to Windows 10 Enterprise more easily than ever before—no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise and all the appropriate Windows 10 Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Windows 10 Enterprise device seamlessly steps back down to Windows 10 Pro. + +Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. Now, with Windows 10 Enterprise E3 in CSP, small- and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features. + +When you purchase Windows 10 Enterprise E3 via a partner, you get the following benefits: + +- **Windows 10 Enterprise edition**. Devices currently running Windows 10 Pro, version 1607 can get Windows 10 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit does not include Long Term Service Branch (LTSB). + +- **Support from one to hundreds of users**. Although the Windows 10 Enterprise E3 in CSP program does not have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations. + +- **Deploy on up to five devices**. For each user covered by the license, you can deploy Windows 10 Enterprise edition on up to five devices. + +- **Roll back to Windows 10 Pro at any time**. When a user’s subscription expires or is transferred to another user, the Windows 10 Enterprise device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 90 days). + +- **Monthly, per-user pricing model**. This makes Windows 10 Enterprise E3 affordable for any organization. + +- **Move licenses between users**. Licenses can be quickly and easily reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. + +How does the Windows 10 Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance? + +- [Microsoft Volume Licensing](https://www.microsoft.com/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products. + +- [Software Assurance](https://www.microsoft.com/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits: + + - **Deployment and management**. These benefits include planning services, Microsoft Desktop Optimization (MDOP), Windows Virtual Desktop Access Rights, Windows-To-Go Rights, Windows Roaming Use Rights, Windows Thin PC, Windows RT Companion VDA Rights, and other benefits. + + - **Training**. These benefits include training vouchers, online e-learning, and a home use program. + + - **Support**. These benefits include 24x7 problem resolution support, backup capabilities for disaster recovery, System Center Global Service Monitor, and a passive secondary instance of SQL Server. + + - **Specialized**. These benefits include step-up licensing availability (which enables you to migrate software from an earlier edition to a higher-level edition) and to spread license and Software Assurance payments across three equal, annual sums. + + In addition, in Windows 10 Enterprise E3 in CSP, a partner can manage your licenses for you. With Software Assurance, you, the customer, manage your own licenses. + +In summary, the Windows 10 Enterprise E3 in CSP program is an upgrade offering that provides small- and medium-sized organizations easier, more flexible access to the benefits of Windows 10 Enterprise edition, whereas Microsoft Volume Licensing programs and Software Assurance are broader in scope and provide benefits beyond access to Windows 10 Enterprise edition. + +## Compare Windows 10 Pro and Enterprise editions + +Windows 10 Enterprise edition has a number of features that are unavailable in Windows 10 Pro. Table 1 lists the Windows 10 Enterprise features not found in Windows 10 Pro. Many of these features are security-related, whereas others enable finer-grained device management. + +*Table 1. Windows 10 Enterprise features not found in Windows 10 Pro* + +
| Feature | +Description | +
|---|---|
Credential Guard |
+This feature uses virtualization-based security to help protect security secrets (for example, NTLM password hashes, Kerberos Ticket Granting Tickets) so that only privileged system software can access them. This helps prevent Pass-the-Hash or Pass-the-Ticket attacks. +Credential Guard has the following features: +
For more information, see Protect derived domain credentials with Credential Guard. +Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present) |
+
Device Guard |
+This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code. +Device Guard does the following: +
For more information, see Introduction to Device Guard. |
+
AppLocker management |
+This feature helps IT pros determine which applications and files users can run on a device (also known as “whitelisting”). The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. +For more information, see AppLocker. |
+
Application Virtualization (App-V) |
+This feature makes applications available to end users without installing the applications directly on users’ devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates. +For more information, see Getting Started with App-V for Windows 10. |
+
User Experience Virtualization (UE-V) |
+With this feature, you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to. +UE-V provides the ability to do the following: +
For more information, see User Experience Virtualization (UE-V) for Windows 10 overview. |
+
Managed User Experience |
+This feature helps customize and lock down a Windows device’s user interface to restrict it to a specific task. For example, you can configure a device for a controlled scenario such as a kiosk or classroom device. The user experience would be automatically reset once a user signs off. You can also restrict access to services including Cortana or the Windows Store, and manage Start layout options, such as: +
|
For more information on these settings, see [Customize Windows 10 Start and taskbar with Group Policy](https://technet.microsoft.com/itpro/windows/manage/customize-windows-10-start-screens-by-using-group-policy). | +| Unbranded boot | You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error from which it cannot recover.
For more information on these settings, see [Unbranded Boot](https://msdn.microsoft.com/library/windows/hardware/mt571997(v=vs.85).aspx). | +| Custom logon | You can use the Custom Logon feature to suppress Windows 10 UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown.
For more information on these settings, see [Custom Logon](https://msdn.microsoft.com/library/windows/hardware/mt571990(v=vs.85).aspx). | +| Shell launcher | Enables Assigned Access to run only a classic Windows app via Shell Launcher to replace the shell.
For more information on these settings, see [Shell Launcher](https://msdn.microsoft.com/library/windows/hardware/mt571994(v=vs.85).aspx). | +| Keyboard filter | You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, users can use certain Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to control a device by locking the screen or using Task Manager to close a running application. This is not desirable on devices intended for a dedicated purpose.
For more information on these settings, see [Keyboard Filter](https://msdn.microsoft.com/library/windows/hardware/mt587088(v=vs.85).aspx). | +| Unified write filter | You can use Unified Write Filter (UWF) on your device to help protect your physical storage media, including most standard writable storage types that are supported by Windows, such as physical hard disks, solid-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writable volume.
For more information on these settings, see [Unified Write Filter](https://msdn.microsoft.com/library/windows/hardware/mt572001(v=vs.85).aspx). | + +## Related topics + +[Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md) +
[Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-devices-group-policy/) +
[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare) +
[Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx) diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md index 2b435c0edc..24743735e8 100644 --- a/windows/deployment/windows-10-media.md +++ b/windows/deployment/windows-10-media.md @@ -44,7 +44,7 @@ For ISOs that you download from the VLSC or Visual Studio Subscriptions, you can  -When using the contents of these ISOs with tools such as the Microsoft Deployment Toolkit or System Center Configuration Manager, make sure you select the appropriate image index in any task sequences that you create or update. +When using the contents of these ISOs with tools such as the Microsoft Deployment Toolkit or Microsoft Endpoint Configuration Manager, make sure you select the appropriate image index in any task sequences that you create or update. For packages published to Windows Server Update Services (WSUS), you’ll also notice the change because, instead of having separate packages for each Windows edition, there will be just one package: diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md index 87eea0e845..a9ffbb1c73 100644 --- a/windows/deployment/windows-10-poc-mdt.md +++ b/windows/deployment/windows-10-poc-mdt.md @@ -1,655 +1,657 @@ ---- -title: Step by step - Deploy Windows 10 in a test lab using MDT -description: Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT) -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -keywords: deployment, automate, tools, configure, mdt -ms.localizationpriority: medium -ms.date: 10/11/2017 -ms.reviewer: -manager: laurawi -ms.audience: itpro author: greg-lindsay -audience: itpro author: greg-lindsay -ms.topic: article ---- - - -# Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit - -**Applies to** - -- Windows 10 - -**Important**: This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide: -- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) - -Please complete all steps in the prerequisite guide before starting this guide. This guide requires about 5 hours to complete, but can require less time or more time depending on the speed of the Hyper-V host. After completing the current guide, also see the companion guide: -- [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) - -The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs): -- **DC1**: A contoso.com domain controller, DNS server, and DHCP server. -- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network. -- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been shadow-copied from a physical computer on your corporate network. - ->This guide uses the Hyper-V server role. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work. - -## In this guide - -This guide provides instructions to install and configure the Microsoft Deployment Toolkit (MDT) to deploy a Windows 10 image. - -Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. - -
- -
-
-
-
-
-
-
-## About MDT
-
-MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch Installation (ZTI), and User-Driven Installation (UDI) deployment methods.
-- LTI is the deployment method used in the current guide, requiring only MDT and performed with a minimum amount of user interaction.
-- ZTI is fully automated, requiring no user interaction and is performed using MDT and System Center Configuration Manager. After completing the steps in the current guide, see [Step by step: Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) to use the ZTI deployment method in the PoC environment.
-- UDI requires manual intervention to respond to installation prompts such as machine name, password and language settings. UDI requires MDT and System Center Configuration Manager.
-
-## Install MDT
-
-1. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt:
-
- ```
- $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
- Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0
- Stop-Process -Name Explorer
- ```
-2. Download and install the 64-bit version of [Microsoft Deployment Toolkit (MDT)](https://www.microsoft.com/download/details.aspx?id=54259) on SRV1 using the default options. As of the writing of this guide, the latest version of MDT was 8443.
-
-3. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1703. Installation might require several minutes to acquire all components.
-
-3. If desired, re-enable IE Enhanced Security Configuration:
-
- ```
- Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1
- Stop-Process -Name Explorer
- ```
-
-## Create a deployment share and reference image
-
-A reference image serves as the foundation for Windows 10 devices in your organization.
-
-1. In [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md), the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command:
-
- ```
- Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso
- ```
-2. On SRV1, verify that the Windows Enterprise installation DVD is mounted as drive letter D.
-
-3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**.
-
-4. To enable quick access to the application, right-click **Deployment Workbench** on the taskbar and then click **Pin this program to the taskbar**.
-
-5. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
-
-6. Use the following settings for the New Deployment Share Wizard:
- - Deployment share path: **C:\MDTBuildLab**| Topic | Description | Time - - |
| About MDT | A high-level overview of the Microsoft Deployment Toolkit (MDT). | Informational - |
| Install MDT | Download and install MDT. | 40 minutes - |
| Create a deployment share and reference image | A reference image is created to serve as the template for deploying new images. | 90 minutes - |
| Deploy a Windows 10 image using MDT | The reference image is deployed in the PoC environment. | 60 minutes - |
| Refresh a computer with Windows 10 | Export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. | 60 minutes - |
| Replace a computer with Windows 10 | Back up an existing client computer, then restore this backup to a new computer. | 60 minutes - |
| Troubleshooting logs, events, and utilities | Log locations and troubleshooting hints. | Informational - |
- - Share name: **MDTBuildLab$**
- - Deployment share description: **MDT build lab**
- - Options: click **Next** to accept the default
- - Summary: click **Next**
- - Progress: settings will be applied
- - Confirmation: click **Finish** - - -7. Expand the **Deployment Shares** node, and then expand **MDT build lab**. - -8. Right-click the **Operating Systems** node, and then click **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**. - -9. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**. - -10. Use the following settings for the Import Operating System Wizard: - - OS Type: **Full set of source files**
- - Source: **D:\\**
- - Destination: **W10Ent_x64**
- - Summary: click **Next** - - Progress: wait for files to be copied - - Confirmation: click **Finish** - - >For purposes of this test lab, we will only add the prerequisite .NET Framework feature. Commerical applications (ex: Microsoft Office) will not be added to the deployment share. For information about adding applications, see the [Add applications](https://technet.microsoft.com/itpro/windows/deploy/create-a-windows-10-reference-image#sec03) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library. - -11. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - - Task sequence ID: **REFW10X64-001**
- - Task sequence name: **Windows 10 Enterprise x64 Default Image**
- - Task sequence comments: **Reference Build**
- - Template: **Standard Client Task Sequence** - - Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim** - - Specify Product Key: **Do not specify a product key at this time** - - Full Name: **Contoso** - - Organization: **Contoso** - - Internet Explorer home page: **http://www.contoso.com** - - Admin Password: **Do not specify an Administrator password at this time** - - Summary: click **Next** - - Confirmation: click **Finish** - - -12. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step. - -13. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**. - -14. On the Properties tab of the group that was created in the previous step, change the Name from **New Group** to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. Click another location in the window to see the name change. - -15. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**. - -16. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**. - -17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. - - >Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications. - -18. Click **OK** to complete editing the task sequence. - -19. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click **MDT build lab (C:\MDTBuildLab)** and click **Properties**, and then click the **Rules** tab. - -20. Replace the default rules with the following text: - - ``` - [Settings] - Priority=Default - - [Default] - _SMSTSORGNAME=Contoso - UserDataLocation=NONE - DoCapture=YES - OSInstall=Y - AdminPassword=pass@word1 - TimeZoneName=Pacific Standard Time - OSDComputername=#Left("PC-%SerialNumber%",7)# - JoinWorkgroup=WORKGROUP - HideShell=YES - FinishAction=SHUTDOWN - DoNotCreateExtraPartition=YES - ApplyGPOPack=NO - SkipAdminPassword=YES - SkipProductKey=YES - SkipComputerName=YES - SkipDomainMembership=YES - SkipUserData=YES - SkipLocaleSelection=YES - SkipTaskSequence=NO - SkipTimeZone=YES - SkipApplications=YES - SkipBitLocker=YES - SkipSummary=YES - SkipRoles=YES - SkipCapture=NO - SkipFinalSummary=NO - ``` - -21. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: - - ``` - [Settings] - Priority=Default - - [Default] - DeployRoot=\\SRV1\MDTBuildLab$ - UserDomain=CONTOSO - UserID=MDT_BA - UserPassword=pass@word1 - SkipBDDWelcome=YES - ``` - -22. Click **OK** to complete the configuration of the deployment share. - -23. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**. - -24. Accept all default values in the Update Deployment Share Wizard by clicking **Next** twice. The update process will take 5 to 10 minutes. When it has completed, click **Finish**. - -25. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI). - - >Hint: To copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**. - -26. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands: - -
-
-
- The VM will require a few minutes to prepare devices and boot from the LiteTouchPE_x86.iso file.
-
-27. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**.
-
-28. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes, and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated.
-
- Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures:
-
- - Install the Windows 10 Enterprise operating system.
- - Install added applications, roles, and features.
- - Update the operating system using Windows Update (or WSUS if optionally specified).
- - Stage Windows PE on the local disk.
- - Run System Preparation (Sysprep) and reboot into Windows PE.
- - Capture the installation to a Windows Imaging (WIM) file.
- - Turn off the virtual machine.- - New-VM REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB - Set-VMMemory REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20 - Set-VMDvdDrive REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso - Start-VM REFW10X64-001 - vmconnect localhost REFW10X64-001 --
- - This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on your deployment server (SRV1). The file name is **REFW10X64-001.wim**. - -## Deploy a Windows 10 image using MDT - -This procedure will demonstrate how to deploy the reference image to the PoC environment using MDT. - -1. On SRV1, open the MDT Deployment Workbench console, right-click **Deployment Shares**, and then click **New Deployment Share**. Use the following values in the New Deployment Share Wizard: - - **Deployment share path**: C:\MDTProd - - **Share name**: MDTProd$ - - **Deployment share description**: MDT Production - - **Options**: accept the default - - -2. Click **Next**, verify the new deployment share was added successfully, then click **Finish**. - -3. In the Deployment Workbench console, expand the MDT Production deployment share, right-click **Operating Systems**, and then click **New Folder**. Name the new folder **Windows 10** and complete the wizard using default values. - -4. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**. - -5. On the **OS Type** page, choose **Custom image file** and then click **Next**. - -6. On the Image page, browse to the **C:\MDTBuildLab\Captures\REFW10X64-001.wim** file created in the previous procedure, click **Open**, and then click **Next**. - -7. On the Setup page, select **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path**. - -8. Under **Setup source directory**, browse to **C:\MDTBuildLab\Operating Systems\W10Ent_x64** click **OK** and then click **Next**. - -9. On the Destination page, accept the default Destination directory name of **REFW10X64-001**, click **Next** twice, wait for the import process to complete, and then click **Finish**. - -10. In the **Operating Systems** > **Windows 10** node, double-click the operating system that was added to view its properties. Change the operating system name to **Windows 10 Enterprise x64 Custom Image** and then click **OK**. See the following example: - -  - - -### Create the deployment task sequence - -1. Using the Deployment Workbench, right-click **Task Sequences** under the **MDT Production** node, click **New Folder** and create a folder with the name: **Windows 10**. - -2. Right-click the **Windows 10** folder created in the previous step, and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - - Task sequence ID: W10-X64-001 - - Task sequence name: Windows 10 Enterprise x64 Custom Image - - Task sequence comments: Production Image - - Select Template: Standard Client Task Sequence - - Select OS: Windows 10 Enterprise x64 Custom Image - - Specify Product Key: Do not specify a product key at this time - - Full Name: Contoso - - Organization: Contoso - - Internet Explorer home page: http://www.contoso.com - - Admin Password: pass@word1 - -### Configure the MDT production deployment share - -1. On SRV1, open an elevated Windows PowerShell prompt and type the following commands: - - ``` - copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\Bootstrap.ini" C:\MDTProd\Control\Bootstrap.ini -Force - copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\CustomSettings.ini" C:\MDTProd\Control\CustomSettings.ini -Force - ``` -2. In the Deployment Workbench console on SRV1, right-click the **MDT Production** deployment share and then click **Properties**. - -3. Click the **Rules** tab and replace the rules with the following text (don't click OK yet): - - ``` - [Settings] - Priority=Default - - [Default] - _SMSTSORGNAME=Contoso - OSInstall=YES - UserDataLocation=AUTO - TimeZoneName=Pacific Standard Time - OSDComputername=#Left("PC-%SerialNumber%",7)# - AdminPassword=pass@word1 - JoinDomain=contoso.com - DomainAdmin=administrator - DomainAdminDomain=CONTOSO - DomainAdminPassword=pass@word1 - ScanStateArgs=/ue:*\* /ui:CONTOSO\* - USMTMigFiles001=MigApp.xml - USMTMigFiles002=MigUser.xml - HideShell=YES - ApplyGPOPack=NO - SkipAppsOnUpgrade=NO - SkipAdminPassword=YES - SkipProductKey=YES - SkipComputerName=YES - SkipDomainMembership=YES - SkipUserData=YES - SkipLocaleSelection=YES - SkipTaskSequence=NO - SkipTimeZone=YES - SkipApplications=NO - SkipBitLocker=YES - SkipSummary=YES - SkipCapture=YES - SkipFinalSummary=NO - EventService=http://SRV1:9800 - ``` - **Note**: The contents of the Rules tab are added to c:\MDTProd\Control\CustomSettings.ini. - - >In this example a **MachineObjectOU** entry is not provided. Normally this entry describes the specific OU where new client computer objects are created in Active Directory. However, for the purposes of this test lab clients are added to the default computers OU, which requires that this parameter be unspecified. - - If desired, edit the follow line to include or exclude other users when migrating settings. Currently, the command is set to user exclude (ue) all users except for CONTOSO users specified by the user include option (ui): - - ``` - ScanStateArgs=/ue:*\* /ui:CONTOSO\* - ``` - - For example, to migrate **all** users on the computer, replace this line with the following: - - ``` - ScanStateArgs=/all - ``` - - For more information, see [ScanState Syntax](https://technet.microsoft.com/library/cc749015.aspx). - -4. Click **Edit Bootstap.ini** and replace text in the file with the following text: - - ``` - [Settings] - Priority=Default - - [Default] - DeployRoot=\\SRV1\MDTProd$ - UserDomain=CONTOSO - UserID=MDT_BA - UserPassword=pass@word1 - SkipBDDWelcome=YES - ``` -5. Click **OK** when finished. - -### Update the deployment share - -1. Right-click the **MDT Production** deployment share and then click **Update Deployment Share**. - -2. Use the default options for the Update Deployment Share Wizard. The update process requires 5 to 10 minutes to complete. - -3. Click **Finish** when the update is complete. - -### Enable deployment monitoring - -1. In the Deployment Workbench console, right-click **MDT Production** and then click **Properties**. - -2. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**. - -3. Verify the monitoring service is working as expected by opening the following link on SRV1 in Internet Explorer: [http://localhost:9800/MDTMonitorEvent/](http://localhost:9800/MDTMonitorEvent/). If you do not see "**You have created a service**" at the top of the page, see [Troubleshooting MDT 2012 Monitoring](https://blogs.technet.microsoft.com/mniehaus/2012/05/10/troubleshooting-mdt-2012-monitoring/). - -4. Close Internet Explorer. - -### Configure Windows Deployment Services - -1. Initialize Windows Deployment Services (WDS) by typing the following command at an elevated Windows PowerShell prompt on SRV1: - - ``` - WDSUTIL /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall" - WDSUTIL /Set-Server /AnswerClients:All - ``` - -2. Click **Start**, type **Windows Deployment**, and then click **Windows Deployment Services**. - -3. In the Windows Deployment Services console, expand **Servers**, expand **SRV1.contoso.com**, right-click **Boot Images**, and then click **Add Boot Image**. - -4. Browse to the **C:\MDTProd\Boot\LiteTouchPE_x64.wim** file, click **Open**, click **Next**, and accept the defaults in the Add Image Wizard. Click **Finish** to complete adding a boot image. - -### Deploy the client image - -1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This is just an artifact of the lab environment. In a typical deployment environment WDS would not be installed on the default gateway. - - >**Note**: Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, type **Get-NetIPAddress | ft interfacealias, ipaddress** - - Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and type the following command: - - ``` - Disable-NetAdapter "Ethernet 2" -Confirm:$false - ``` - - >Wait until the disable-netadapter command completes before proceeding. - - -2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, type the following commands at an elevated Windows PowerShell prompt: - - ``` - New-VM –Name "PC2" –NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 - Set-VMMemory -VMName "PC2" -DynamicMemoryEnabled $true -MinimumBytes 720MB -MaximumBytes 2048MB -Buffer 20 - ``` - - >Dynamic memory is configured on the VM to conserve resources. However, this can cause memory allocation to be reduced past what is required to install an operating system. If this happens, reset the VM and begin the OS installation task sequence immediately. This ensures the VM memory allocation is not decreased too much while it is idle. - -3. Start the new VM and connect to it: - - ``` - Start-VM PC2 - vmconnect localhost PC2 - ``` -4. When prompted, hit ENTER to start the network boot process. - -5. In the Windows Deployment Wizard, choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**. - -6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. This is needed so the client can use Windows Update after operating system installation is complete.To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and type the following command: - - ``` - Enable-NetAdapter "Ethernet 2" - ``` -7. On SRV1, in the Deployment Workbench console, click on **Monitoring** and view the status of installation. Right-click **Monitoring** and click **Refresh** if no data is displayed. -8. OS installation requires about 10 minutes. When the installation is complete, the system will reboot automatically, configure devices, and install updates, requiring another 10-20 minutes. When the new client computer is finished updating, click **Finish**. You will be automatically signed in to the local computer as administrator. - -  - - -This completes the demonstration of how to deploy a reference image to the network. To conserve resources, turn off the PC2 VM before starting the next section. - -## Refresh a computer with Windows 10 - -This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md). - -1. If the PC1 VM is not already running, then start and connect to it: - - ``` - Start-VM PC1 - vmconnect localhost PC1 - ``` - -2. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and to perform additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - Checkpoint-VM -Name PC1 -SnapshotName BeginState - ``` - -3. Sign on to PC1 using the CONTOSO\Administrator account. - - >Specify **contoso\administrator** as the user name to ensure you do not sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share. - -4. Open an elevated command prompt on PC1 and type the following: - - ``` - cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs - ``` - - **Note**: Litetouch.vbs must be able to create the C:\MININT directory on the local computer. - -5. Choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**. - -6. Choose **Do not back up the existing computer** and click **Next**. - - **Note**: The USMT will still back up the computer. - -7. Lite Touch Installation will perform the following actions: - - Back up user settings and data using USMT. - - Install the Windows 10 Enterprise X64 operating system. - - Update the operating system via Windows Update. - - Restore user settings and data using USMT. - - You can review the progress of installation on SRV1 by clicking on the **Monitoring** node in the deployment workbench. When OS installation is complete, the computer will restart, set up devices, and configure settings. - -8. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system, or other user accounts as specified [previously](#configure-the-mdt-production-deployment-share). - -9. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - Checkpoint-VM -Name PC1 -SnapshotName RefreshState - ``` - -10. Restore the PC1 VM to it's previous state in preparation for the replace procedure. To restore a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - Restore-VMSnapshot -VMName PC1 -Name BeginState -Confirm:$false - Start-VM PC1 - vmconnect localhost PC1 - ``` - -11. Sign in to PC1 using the contoso\administrator account. - -## Replace a computer with Windows 10 - -At a high level, the computer replace process consists of:
-- A special replace task sequence that runs the USMT backup and an optional full Window Imaging (WIM) backup.
-- A standard OS deployment on a new computer. At the end of the deployment, the USMT backup from the old computer is restored. - -### Create a backup-only task sequence - -1. On SRV1, in the deployment workbench console, right-click the MDT Production deployment share, click **Properties**, click the **Rules** tab, and change the line **SkipUserData=YES** to **SkipUserData=NO**. -2. Click **OK**, right-click **MDT Production**, click **Update Deployment Share** and accept the default options in the wizard to update the share. -3. Type the following commands at an elevated Windows PowerShell prompt on SRV1: - - ``` - New-Item -Path C:\MigData -ItemType directory - New-SmbShare -Name MigData$ -Path C:\MigData -ChangeAccess EVERYONE - icacls C:\MigData /grant '"contoso\administrator":(OI)(CI)(M)' - ``` -4. On SRV1 in the deployment workbench, under **MDT Production**, right-click the **Task Sequences** node, and click **New Folder**. -5. Name the new folder **Other**, and complete the wizard using default options. -6. Right-click the **Other** folder and then click **New Task Sequence**. Use the following values in the wizard: - - **Task sequence ID**: REPLACE-001 - - **Task sequence name**: Backup Only Task Sequence - - **Task sequence comments**: Run USMT to back up user data and settings - - **Template**: Standard Client Replace Task Sequence (note: this is not the default template) -7. Accept defaults for the rest of the wizard and then click **Finish**. The replace task sequence will skip OS selection and settings. -8. Open the new task sequence that was created and review it. Note the type of capture and backup tasks that are present. Click **OK** when you are finished reviewing the task sequence. - -### Run the backup-only task sequence - -1. If you are not already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, type the following command at an elevated command prompt: - - ``` - whoami - ``` -2. To ensure a clean environment before running the backup task sequence, type the following at an elevated Windows PowerShell prompt on PC1: - - ``` - Remove-Item c:\minint -recurse - Remove-Item c:\_SMSTaskSequence -recurse - Restart-Computer - ``` -3. Sign in to PC1 using the contoso\administrator account, and then type the following at an elevated command prompt: - - ``` - cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs - ``` -4. Complete the deployment wizard using the following: - - **Task Sequence**: Backup Only Task Sequence - - **User Data**: Specify a location: **\\\\SRV1\MigData$\PC1** - - **Computer Backup**: Do not back up the existing computer. -5. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and click the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks. -6. On PC1, verify that **The user state capture was completed successfully** is displayed, and click **Finish** when the capture is complete. -7. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example: - - ``` - PS C:\> dir C:\MigData\PC1\USMT - - Directory: C:\MigData\PC1\USMT - - Mode LastWriteTime Length Name - ---- ------------- ------ ---- - -a--- 9/6/2016 11:34 AM 14248685 USMT.MIG - ``` - ### Deploy PC3 - -8. On the Hyper-V host, type the following commands at an elevated Windows PowerShell prompt: - - ``` - New-VM –Name "PC3" –NewVHDPath "c:\vhd\pc3.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 - Set-VMMemory -VMName "PC3" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20 - ``` -9. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, type the following command at an elevated Windows PowerShell prompt on SRV1: - - ``` - Disable-NetAdapter "Ethernet 2" -Confirm:$false - ``` - - >As mentioned previously, ensure that you disable the **external** network adapter, and wait for the command to complete before proceeding. - - -10. Start and connect to PC3 by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - Start-VM PC3 - vmconnect localhost PC3 - ``` - -11. When prompted, press ENTER for network boot. - -12. On PC3, use the following settings for the Windows Deployment Wizard: - - **Task Sequence**: Windows 10 Enterprise x64 Custom Image - - **Move Data and Settings**: Do not move user data and settings - - **User Data (Restore)**: Specify a location: **\\\\SRV1\MigData$\PC1** - -13. When OS installation has started on PC1, re-enable the external network adapter on SRV1 by typing the following command on SRV1: - - ``` - Enable-NetAdapter "Ethernet 2" - ``` -14. Setup will install the Windows 10 Enterprise operating system, update via Windows Update, and restore the user settings and data from PC1. - -15. When PC3 has completed installing the OS, sign in to PC3 using the contoso\administrator account. When the PC completes updating, click **Finish**. - -16. Verify that settings have been migrated from PC1. This completes demonstration of the replace procedure. - -17. Shut down PC3 in preparation for the [next](windows-10-poc-sc-config-mgr.md) procedure. - -## Troubleshooting logs, events, and utilities - -Deployment logs are available on the client computer in the following locations: -- Before the image is applied: X:\MININT\SMSOSD\OSDLOGS -- After the system drive has been formatted: C:\MININT\SMSOSD\OSDLOGS -- After deployment: %WINDIR%\TEMP\DeploymentLogs - -You can review WDS events in Event Viewer at: **Applications and Services Logs > Microsoft > Windows > Deployment-Services-Diagnostics**. By default, only the **Admin** and **Operational** logs are enabled. To enable other logs, right-click the log and then click **Enable Log**. - -Tools for viewing log files, and to assist with troubleshooting are available in the [System Center 2012 R2 Configuration Manager Toolkit](https://www.microsoft.com/download/details.aspx?id=50012) - -Also see [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) for detailed troubleshooting information. - -## Related Topics - -[Microsoft Deployment Toolkit](https://technet.microsoft.com/windows/dn475741)
-[Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) - - - - - - - +--- +title: Step by step - Deploy Windows 10 in a test lab using MDT +description: Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT) +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +keywords: deployment, automate, tools, configure, mdt +ms.localizationpriority: medium +ms.date: 10/11/2017 +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +audience: itpro +author: greg-lindsay +ms.topic: article +--- + + +# Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit + +**Applies to** + +- Windows 10 + +**Important**: This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide: +- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) + +Please complete all steps in the prerequisite guide before starting this guide. This guide requires about 5 hours to complete, but can require less time or more time depending on the speed of the Hyper-V host. After completing the current guide, also see the companion guide: +- [Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md) + +The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs): +- **DC1**: A contoso.com domain controller, DNS server, and DHCP server. +- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network. +- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been shadow-copied from a physical computer on your corporate network. + +>This guide uses the Hyper-V server role. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work. + +## In this guide + +This guide provides instructions to install and configure the Microsoft Deployment Toolkit (MDT) to deploy a Windows 10 image. + +Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. + +
+ +
+
+
+
+
+
+
+## About MDT
+
+MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch Installation (ZTI), and User-Driven Installation (UDI) deployment methods.
+- LTI is the deployment method used in the current guide, requiring only MDT and performed with a minimum amount of user interaction.
+- ZTI is fully automated, requiring no user interaction and is performed using MDT and Microsoft Endpoint Configuration Manager. After completing the steps in the current guide, see [Step by step: Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md) to use the ZTI deployment method in the PoC environment.
+- UDI requires manual intervention to respond to installation prompts such as machine name, password and language settings. UDI requires MDT and Microsoft Endpoint Configuration Manager.
+
+## Install MDT
+
+1. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt:
+
+ ```
+ $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
+ Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0
+ Stop-Process -Name Explorer
+ ```
+2. Download and install the 64-bit version of [Microsoft Deployment Toolkit (MDT)](https://www.microsoft.com/download/details.aspx?id=54259) on SRV1 using the default options. As of the writing of this guide, the latest version of MDT was 8443.
+
+3. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1703. Installation might require several minutes to acquire all components.
+
+3. If desired, re-enable IE Enhanced Security Configuration:
+
+ ```
+ Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1
+ Stop-Process -Name Explorer
+ ```
+
+## Create a deployment share and reference image
+
+A reference image serves as the foundation for Windows 10 devices in your organization.
+
+1. In [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md), the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command:
+
+ ```
+ Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso
+ ```
+2. On SRV1, verify that the Windows Enterprise installation DVD is mounted as drive letter D.
+
+3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**.
+
+4. To enable quick access to the application, right-click **Deployment Workbench** on the taskbar and then click **Pin this program to the taskbar**.
+
+5. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
+
+6. Use the following settings for the New Deployment Share Wizard:
+ - Deployment share path: **C:\MDTBuildLab**| Topic | Description | Time + + |
| About MDT | A high-level overview of the Microsoft Deployment Toolkit (MDT). | Informational + |
| Install MDT | Download and install MDT. | 40 minutes + |
| Create a deployment share and reference image | A reference image is created to serve as the template for deploying new images. | 90 minutes + |
| Deploy a Windows 10 image using MDT | The reference image is deployed in the PoC environment. | 60 minutes + |
| Refresh a computer with Windows 10 | Export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. | 60 minutes + |
| Replace a computer with Windows 10 | Back up an existing client computer, then restore this backup to a new computer. | 60 minutes + |
| Troubleshooting logs, events, and utilities | Log locations and troubleshooting hints. | Informational + |
+ - Share name: **MDTBuildLab$**
+ - Deployment share description: **MDT build lab**
+ - Options: click **Next** to accept the default
+ - Summary: click **Next**
+ - Progress: settings will be applied
+ - Confirmation: click **Finish** + + +7. Expand the **Deployment Shares** node, and then expand **MDT build lab**. + +8. Right-click the **Operating Systems** node, and then click **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**. + +9. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**. + +10. Use the following settings for the Import Operating System Wizard: + - OS Type: **Full set of source files**
+ - Source: **D:\\**
+ - Destination: **W10Ent_x64**
+ - Summary: click **Next** + - Progress: wait for files to be copied + - Confirmation: click **Finish** + + >For purposes of this test lab, we will only add the prerequisite .NET Framework feature. Commerical applications (ex: Microsoft Office) will not be added to the deployment share. For information about adding applications, see the [Add applications](https://technet.microsoft.com/itpro/windows/deploy/create-a-windows-10-reference-image#sec03) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library. + +11. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: **REFW10X64-001**
+ - Task sequence name: **Windows 10 Enterprise x64 Default Image**
+ - Task sequence comments: **Reference Build**
+ - Template: **Standard Client Task Sequence** + - Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim** + - Specify Product Key: **Do not specify a product key at this time** + - Full Name: **Contoso** + - Organization: **Contoso** + - Internet Explorer home page: **http://www.contoso.com** + - Admin Password: **Do not specify an Administrator password at this time** + - Summary: click **Next** + - Confirmation: click **Finish** + + +12. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step. + +13. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**. + +14. On the Properties tab of the group that was created in the previous step, change the Name from **New Group** to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. Click another location in the window to see the name change. + +15. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**. + +16. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**. + +17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. + + >Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications. + +18. Click **OK** to complete editing the task sequence. + +19. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click **MDT build lab (C:\MDTBuildLab)** and click **Properties**, and then click the **Rules** tab. + +20. Replace the default rules with the following text: + + ``` + [Settings] + Priority=Default + + [Default] + _SMSTSORGNAME=Contoso + UserDataLocation=NONE + DoCapture=YES + OSInstall=Y + AdminPassword=pass@word1 + TimeZoneName=Pacific Standard Time + OSDComputername=#Left("PC-%SerialNumber%",7)# + JoinWorkgroup=WORKGROUP + HideShell=YES + FinishAction=SHUTDOWN + DoNotCreateExtraPartition=YES + ApplyGPOPack=NO + SkipAdminPassword=YES + SkipProductKey=YES + SkipComputerName=YES + SkipDomainMembership=YES + SkipUserData=YES + SkipLocaleSelection=YES + SkipTaskSequence=NO + SkipTimeZone=YES + SkipApplications=YES + SkipBitLocker=YES + SkipSummary=YES + SkipRoles=YES + SkipCapture=NO + SkipFinalSummary=NO + ``` + +21. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: + + ``` + [Settings] + Priority=Default + + [Default] + DeployRoot=\\SRV1\MDTBuildLab$ + UserDomain=CONTOSO + UserID=MDT_BA + UserPassword=pass@word1 + SkipBDDWelcome=YES + ``` + +22. Click **OK** to complete the configuration of the deployment share. + +23. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**. + +24. Accept all default values in the Update Deployment Share Wizard by clicking **Next** twice. The update process will take 5 to 10 minutes. When it has completed, click **Finish**. + +25. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI). + + >Hint: To copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**. + +26. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands: + +
+
+
+ The VM will require a few minutes to prepare devices and boot from the LiteTouchPE_x86.iso file.
+
+27. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**.
+
+28. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes, and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated.
+
+ Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures:
+
+ - Install the Windows 10 Enterprise operating system.
+ - Install added applications, roles, and features.
+ - Update the operating system using Windows Update (or WSUS if optionally specified).
+ - Stage Windows PE on the local disk.
+ - Run System Preparation (Sysprep) and reboot into Windows PE.
+ - Capture the installation to a Windows Imaging (WIM) file.
+ - Turn off the virtual machine.+ + New-VM REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB + Set-VMMemory REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20 + Set-VMDvdDrive REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso + Start-VM REFW10X64-001 + vmconnect localhost REFW10X64-001 ++
+ + This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on your deployment server (SRV1). The file name is **REFW10X64-001.wim**. + +## Deploy a Windows 10 image using MDT + +This procedure will demonstrate how to deploy the reference image to the PoC environment using MDT. + +1. On SRV1, open the MDT Deployment Workbench console, right-click **Deployment Shares**, and then click **New Deployment Share**. Use the following values in the New Deployment Share Wizard: + - **Deployment share path**: C:\MDTProd + - **Share name**: MDTProd$ + - **Deployment share description**: MDT Production + - **Options**: accept the default + + +2. Click **Next**, verify the new deployment share was added successfully, then click **Finish**. + +3. In the Deployment Workbench console, expand the MDT Production deployment share, right-click **Operating Systems**, and then click **New Folder**. Name the new folder **Windows 10** and complete the wizard using default values. + +4. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**. + +5. On the **OS Type** page, choose **Custom image file** and then click **Next**. + +6. On the Image page, browse to the **C:\MDTBuildLab\Captures\REFW10X64-001.wim** file created in the previous procedure, click **Open**, and then click **Next**. + +7. On the Setup page, select **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path**. + +8. Under **Setup source directory**, browse to **C:\MDTBuildLab\Operating Systems\W10Ent_x64** click **OK** and then click **Next**. + +9. On the Destination page, accept the default Destination directory name of **REFW10X64-001**, click **Next** twice, wait for the import process to complete, and then click **Finish**. + +10. In the **Operating Systems** > **Windows 10** node, double-click the operating system that was added to view its properties. Change the operating system name to **Windows 10 Enterprise x64 Custom Image** and then click **OK**. See the following example: + +  + + +### Create the deployment task sequence + +1. Using the Deployment Workbench, right-click **Task Sequences** under the **MDT Production** node, click **New Folder** and create a folder with the name: **Windows 10**. + +2. Right-click the **Windows 10** folder created in the previous step, and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: W10-X64-001 + - Task sequence name: Windows 10 Enterprise x64 Custom Image + - Task sequence comments: Production Image + - Select Template: Standard Client Task Sequence + - Select OS: Windows 10 Enterprise x64 Custom Image + - Specify Product Key: Do not specify a product key at this time + - Full Name: Contoso + - Organization: Contoso + - Internet Explorer home page: http://www.contoso.com + - Admin Password: pass@word1 + +### Configure the MDT production deployment share + +1. On SRV1, open an elevated Windows PowerShell prompt and type the following commands: + + ``` + copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\Bootstrap.ini" C:\MDTProd\Control\Bootstrap.ini -Force + copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\CustomSettings.ini" C:\MDTProd\Control\CustomSettings.ini -Force + ``` +2. In the Deployment Workbench console on SRV1, right-click the **MDT Production** deployment share and then click **Properties**. + +3. Click the **Rules** tab and replace the rules with the following text (don't click OK yet): + + ``` + [Settings] + Priority=Default + + [Default] + _SMSTSORGNAME=Contoso + OSInstall=YES + UserDataLocation=AUTO + TimeZoneName=Pacific Standard Time + OSDComputername=#Left("PC-%SerialNumber%",7)# + AdminPassword=pass@word1 + JoinDomain=contoso.com + DomainAdmin=administrator + DomainAdminDomain=CONTOSO + DomainAdminPassword=pass@word1 + ScanStateArgs=/ue:*\* /ui:CONTOSO\* + USMTMigFiles001=MigApp.xml + USMTMigFiles002=MigUser.xml + HideShell=YES + ApplyGPOPack=NO + SkipAppsOnUpgrade=NO + SkipAdminPassword=YES + SkipProductKey=YES + SkipComputerName=YES + SkipDomainMembership=YES + SkipUserData=YES + SkipLocaleSelection=YES + SkipTaskSequence=NO + SkipTimeZone=YES + SkipApplications=NO + SkipBitLocker=YES + SkipSummary=YES + SkipCapture=YES + SkipFinalSummary=NO + EventService=http://SRV1:9800 + ``` + **Note**: The contents of the Rules tab are added to c:\MDTProd\Control\CustomSettings.ini. + + >In this example a **MachineObjectOU** entry is not provided. Normally this entry describes the specific OU where new client computer objects are created in Active Directory. However, for the purposes of this test lab clients are added to the default computers OU, which requires that this parameter be unspecified. + + If desired, edit the follow line to include or exclude other users when migrating settings. Currently, the command is set to user exclude (ue) all users except for CONTOSO users specified by the user include option (ui): + + ``` + ScanStateArgs=/ue:*\* /ui:CONTOSO\* + ``` + + For example, to migrate **all** users on the computer, replace this line with the following: + + ``` + ScanStateArgs=/all + ``` + + For more information, see [ScanState Syntax](https://technet.microsoft.com/library/cc749015.aspx). + +4. Click **Edit Bootstap.ini** and replace text in the file with the following text: + + ``` + [Settings] + Priority=Default + + [Default] + DeployRoot=\\SRV1\MDTProd$ + UserDomain=CONTOSO + UserID=MDT_BA + UserPassword=pass@word1 + SkipBDDWelcome=YES + ``` +5. Click **OK** when finished. + +### Update the deployment share + +1. Right-click the **MDT Production** deployment share and then click **Update Deployment Share**. + +2. Use the default options for the Update Deployment Share Wizard. The update process requires 5 to 10 minutes to complete. + +3. Click **Finish** when the update is complete. + +### Enable deployment monitoring + +1. In the Deployment Workbench console, right-click **MDT Production** and then click **Properties**. + +2. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**. + +3. Verify the monitoring service is working as expected by opening the following link on SRV1 in Internet Explorer: [http://localhost:9800/MDTMonitorEvent/](http://localhost:9800/MDTMonitorEvent/). If you do not see "**You have created a service**" at the top of the page, see [Troubleshooting MDT 2012 Monitoring](https://blogs.technet.microsoft.com/mniehaus/2012/05/10/troubleshooting-mdt-2012-monitoring/). + +4. Close Internet Explorer. + +### Configure Windows Deployment Services + +1. Initialize Windows Deployment Services (WDS) by typing the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + WDSUTIL /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall" + WDSUTIL /Set-Server /AnswerClients:All + ``` + +2. Click **Start**, type **Windows Deployment**, and then click **Windows Deployment Services**. + +3. In the Windows Deployment Services console, expand **Servers**, expand **SRV1.contoso.com**, right-click **Boot Images**, and then click **Add Boot Image**. + +4. Browse to the **C:\MDTProd\Boot\LiteTouchPE_x64.wim** file, click **Open**, click **Next**, and accept the defaults in the Add Image Wizard. Click **Finish** to complete adding a boot image. + +### Deploy the client image + +1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This is just an artifact of the lab environment. In a typical deployment environment WDS would not be installed on the default gateway. + + >**Note**: Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, type **Get-NetIPAddress | ft interfacealias, ipaddress** + + Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and type the following command: + + ``` + Disable-NetAdapter "Ethernet 2" -Confirm:$false + ``` + + >Wait until the disable-netadapter command completes before proceeding. + + +2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, type the following commands at an elevated Windows PowerShell prompt: + + ``` + New-VM –Name "PC2" –NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 + Set-VMMemory -VMName "PC2" -DynamicMemoryEnabled $true -MinimumBytes 720MB -MaximumBytes 2048MB -Buffer 20 + ``` + + >Dynamic memory is configured on the VM to conserve resources. However, this can cause memory allocation to be reduced past what is required to install an operating system. If this happens, reset the VM and begin the OS installation task sequence immediately. This ensures the VM memory allocation is not decreased too much while it is idle. + +3. Start the new VM and connect to it: + + ``` + Start-VM PC2 + vmconnect localhost PC2 + ``` +4. When prompted, hit ENTER to start the network boot process. + +5. In the Windows Deployment Wizard, choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**. + +6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. This is needed so the client can use Windows Update after operating system installation is complete.To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and type the following command: + + ``` + Enable-NetAdapter "Ethernet 2" + ``` +7. On SRV1, in the Deployment Workbench console, click on **Monitoring** and view the status of installation. Right-click **Monitoring** and click **Refresh** if no data is displayed. +8. OS installation requires about 10 minutes. When the installation is complete, the system will reboot automatically, configure devices, and install updates, requiring another 10-20 minutes. When the new client computer is finished updating, click **Finish**. You will be automatically signed in to the local computer as administrator. + +  + + +This completes the demonstration of how to deploy a reference image to the network. To conserve resources, turn off the PC2 VM before starting the next section. + +## Refresh a computer with Windows 10 + +This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md). + +1. If the PC1 VM is not already running, then start and connect to it: + + ``` + Start-VM PC1 + vmconnect localhost PC1 + ``` + +2. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and to perform additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Checkpoint-VM -Name PC1 -SnapshotName BeginState + ``` + +3. Sign on to PC1 using the CONTOSO\Administrator account. + + >Specify **contoso\administrator** as the user name to ensure you do not sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share. + +4. Open an elevated command prompt on PC1 and type the following: + + ``` + cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs + ``` + + **Note**: For more information on tools for viewing log files and to assist with troubleshooting, see [Configuration Manager Tools](https://docs.microsoft.com/configmgr/core/support/tools). + +5. Choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**. + +6. Choose **Do not back up the existing computer** and click **Next**. + + **Note**: The USMT will still back up the computer. + +7. Lite Touch Installation will perform the following actions: + - Back up user settings and data using USMT. + - Install the Windows 10 Enterprise X64 operating system. + - Update the operating system via Windows Update. + - Restore user settings and data using USMT. + + You can review the progress of installation on SRV1 by clicking on the **Monitoring** node in the deployment workbench. When OS installation is complete, the computer will restart, set up devices, and configure settings. + +8. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system, or other user accounts as specified [previously](#configure-the-mdt-production-deployment-share). + +9. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Checkpoint-VM -Name PC1 -SnapshotName RefreshState + ``` + +10. Restore the PC1 VM to it's previous state in preparation for the replace procedure. To restore a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Restore-VMSnapshot -VMName PC1 -Name BeginState -Confirm:$false + Start-VM PC1 + vmconnect localhost PC1 + ``` + +11. Sign in to PC1 using the contoso\administrator account. + +## Replace a computer with Windows 10 + +At a high level, the computer replace process consists of:
+- A special replace task sequence that runs the USMT backup and an optional full Window Imaging (WIM) backup.
+- A standard OS deployment on a new computer. At the end of the deployment, the USMT backup from the old computer is restored. + +### Create a backup-only task sequence + +1. On SRV1, in the deployment workbench console, right-click the MDT Production deployment share, click **Properties**, click the **Rules** tab, and change the line **SkipUserData=YES** to **SkipUserData=NO**. +2. Click **OK**, right-click **MDT Production**, click **Update Deployment Share** and accept the default options in the wizard to update the share. +3. Type the following commands at an elevated Windows PowerShell prompt on SRV1: + + ``` + New-Item -Path C:\MigData -ItemType directory + New-SmbShare -Name MigData$ -Path C:\MigData -ChangeAccess EVERYONE + icacls C:\MigData /grant '"contoso\administrator":(OI)(CI)(M)' + ``` +4. On SRV1 in the deployment workbench, under **MDT Production**, right-click the **Task Sequences** node, and click **New Folder**. +5. Name the new folder **Other**, and complete the wizard using default options. +6. Right-click the **Other** folder and then click **New Task Sequence**. Use the following values in the wizard: + - **Task sequence ID**: REPLACE-001 + - **Task sequence name**: Backup Only Task Sequence + - **Task sequence comments**: Run USMT to back up user data and settings + - **Template**: Standard Client Replace Task Sequence (note: this is not the default template) +7. Accept defaults for the rest of the wizard and then click **Finish**. The replace task sequence will skip OS selection and settings. +8. Open the new task sequence that was created and review it. Note the type of capture and backup tasks that are present. Click **OK** when you are finished reviewing the task sequence. + +### Run the backup-only task sequence + +1. If you are not already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, type the following command at an elevated command prompt: + + ``` + whoami + ``` +2. To ensure a clean environment before running the backup task sequence, type the following at an elevated Windows PowerShell prompt on PC1: + + ``` + Remove-Item c:\minint -recurse + Remove-Item c:\_SMSTaskSequence -recurse + Restart-Computer + ``` +3. Sign in to PC1 using the contoso\administrator account, and then type the following at an elevated command prompt: + + ``` + cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs + ``` +4. Complete the deployment wizard using the following: + - **Task Sequence**: Backup Only Task Sequence + - **User Data**: Specify a location: **\\\\SRV1\MigData$\PC1** + - **Computer Backup**: Do not back up the existing computer. +5. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and click the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks. +6. On PC1, verify that **The user state capture was completed successfully** is displayed, and click **Finish** when the capture is complete. +7. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example: + + ``` + PS C:\> dir C:\MigData\PC1\USMT + + Directory: C:\MigData\PC1\USMT + + Mode LastWriteTime Length Name + ---- ------------- ------ ---- + -a--- 9/6/2016 11:34 AM 14248685 USMT.MIG + ``` + ### Deploy PC3 + +8. On the Hyper-V host, type the following commands at an elevated Windows PowerShell prompt: + + ``` + New-VM –Name "PC3" –NewVHDPath "c:\vhd\pc3.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 + Set-VMMemory -VMName "PC3" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20 + ``` +9. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, type the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + Disable-NetAdapter "Ethernet 2" -Confirm:$false + ``` + + >As mentioned previously, ensure that you disable the **external** network adapter, and wait for the command to complete before proceeding. + + +10. Start and connect to PC3 by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Start-VM PC3 + vmconnect localhost PC3 + ``` + +11. When prompted, press ENTER for network boot. + +12. On PC3, use the following settings for the Windows Deployment Wizard: + - **Task Sequence**: Windows 10 Enterprise x64 Custom Image + - **Move Data and Settings**: Do not move user data and settings + - **User Data (Restore)**: Specify a location: **\\\\SRV1\MigData$\PC1** + +13. When OS installation has started on PC1, re-enable the external network adapter on SRV1 by typing the following command on SRV1: + + ``` + Enable-NetAdapter "Ethernet 2" + ``` +14. Setup will install the Windows 10 Enterprise operating system, update via Windows Update, and restore the user settings and data from PC1. + +15. When PC3 has completed installing the OS, sign in to PC3 using the contoso\administrator account. When the PC completes updating, click **Finish**. + +16. Verify that settings have been migrated from PC1. This completes demonstration of the replace procedure. + +17. Shut down PC3 in preparation for the [next](windows-10-poc-sc-config-mgr.md) procedure. + +## Troubleshooting logs, events, and utilities + +Deployment logs are available on the client computer in the following locations: +- Before the image is applied: X:\MININT\SMSOSD\OSDLOGS +- After the system drive has been formatted: C:\MININT\SMSOSD\OSDLOGS +- After deployment: %WINDIR%\TEMP\DeploymentLogs + +You can review WDS events in Event Viewer at: **Applications and Services Logs > Microsoft > Windows > Deployment-Services-Diagnostics**. By default, only the **Admin** and **Operational** logs are enabled. To enable other logs, right-click the log and then click **Enable Log**. + +Tools for viewing log files, and to assist with troubleshooting are available in the [System Center 2012 R2 Configuration Manager Toolkit](https://www.microsoft.com/download/details.aspx?id=50012) + +Also see [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) for detailed troubleshooting information. + +## Related Topics + +[Microsoft Deployment Toolkit](https://technet.microsoft.com/windows/dn475741)
+[Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) + + + + + + + diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index 929b097d58..fc6a392e8f 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md @@ -1,1081 +1,1083 @@ ---- -title: Step by step - Deploy Windows 10 using System Center Configuration Manager -description: Deploy Windows 10 in a test lab using System Center Configuration Manager -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -keywords: deployment, automate, tools, configure, sccm -ms.localizationpriority: medium -ms.date: 10/11/2017 -ms.reviewer: -manager: laurawi -ms.audience: itpro author: greg-lindsay -audience: itpro author: greg-lindsay -ms.topic: article ---- - -# Deploy Windows 10 in a test lab using System Center Configuration Manager - -**Applies to** - -- Windows 10 - -**Important**: This guide leverages the proof of concept (PoC) environment, and some settings that are configured in the following guides: -- [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) -- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) - -Please complete all steps in these guides before attempting the procedures in this guide. If you wish to skip the Windows 10 deployment procedures in the MDT guide and move directly to this guide, you must at least install MDT and the Windows ADK before performing procedures in this guide. All steps in the first guide are required before attempting the procedures in this guide. - -The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs): -- **DC1**: A contoso.com domain controller, DNS server, and DHCP server. -- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network. -- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been cloned from a physical computer on your corporate network for testing purposes. -This guide leverages the Hyper-V server role to perform procedures. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work. - ->Multiple features and services are installed on SRV1 in this guide. This is not a typical installation, and is only done to set up a lab environment with a bare minimum of resources. However, if less than 4 GB of RAM is allocated to SRV1 in the Hyper-V console, some procedures will be extremely slow to complete. If resources are limited on the Hyper-V host, consider reducing RAM allocation on DC1 and PC1, and then increasing the RAM allocation on SRV1. You can adjust RAM allocation for a VM by right-clicking the VM in the Hyper-V Manager console, clicking **Settings**, clicking **Memory**, and modifying the value next to **Maximum RAM**. - -## In this guide - -This guide provides end-to-end instructions to install and configure System Center Configuration Manager, and use it to deploy a Windows 10 image. Depending on the speed of your Hyper-V host, the procedures in this guide will require 6-10 hours to complete. - -Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. - -
- -
-
-
-
-
-
-## Install prerequisites
-1. Before installing System Center Configuration Manager, we must install prerequisite services and features. Type the following command at an elevated Windows PowerShell prompt on SRV1:
-
- ```
- Install-WindowsFeature Web-Windows-Auth,Web-ISAPI-Ext,Web-Metabase,Web-WMI,BITS,RDC,NET-Framework-Features,Web-Asp-Net,Web-Asp-Net45,NET-HTTP-Activation,NET-Non-HTTP-Activ
- ```
-
- >If the request to add features fails, retry the installation by typing the command again.
-
-2. Download [SQL Server 2014 SP2](https://www.microsoft.com/evalcenter/evaluate-sql-server-2014-sp2) from the Microsoft Evaluation Center as an .ISO file on the Hyper-V host computer. Save the file to the **C:\VHD** directory.
-3. When you have downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
-
- ```
- Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\SQLServer2014SP2-FullSlipstream-x64-ENU.iso
- ```
-
- This command mounts the .ISO file to drive D on SRV1.
-
-4. Type the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server:
-
- ```
- D:\setup.exe /q /ACTION=Install /ERRORREPORTING="False" /FEATURES=SQLENGINE,RS,IS,SSMS,TOOLS,ADV_SSMS,CONN /INSTANCENAME=MSSQLSERVER /INSTANCEDIR="C:\Program Files\Microsoft SQL Server" /SQLSVCACCOUNT="NT AUTHORITY\System" /SQLSYSADMINACCOUNTS="BUILTIN\ADMINISTRATORS" /SQLSVCSTARTUPTYPE=Automatic /AGTSVCACCOUNT="NT AUTHORITY\SYSTEM" /AGTSVCSTARTUPTYPE=Automatic /RSSVCACCOUNT="NT AUTHORITY\System" /RSSVCSTARTUPTYPE=Automatic /ISSVCACCOUNT="NT AUTHORITY\System" /ISSVCSTARTUPTYPE=Disabled /ASCOLLATION="Latin1_General_CI_AS" /SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS" /TCPENABLED="1" /NPENABLED="1" /IAcceptSQLServerLicenseTerms
- ```
- Installation will take several minutes. When installation is complete, the following output will be displayed:
-
- ```
- Microsoft (R) SQL Server 2014 12.00.5000.00
- Copyright (c) Microsoft Corporation. All rights reserved.
-
- Microsoft (R) .NET Framework CasPol 2.0.50727.7905
- Copyright (c) Microsoft Corporation. All rights reserved.
-
- Success
- Microsoft (R) .NET Framework CasPol 2.0.50727.7905
- Copyright (c) Microsoft Corporation. All rights reserved.
-
- Success
- One or more affected files have operations pending.
- You should restart your computer to complete this process.
- PS C:\>
- ```
-5. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
-
- ```
- New-NetFirewallRule -DisplayName “SQL Server” -Direction Inbound –Protocol TCP –LocalPort 1433 -Action allow
- New-NetFirewallRule -DisplayName “SQL Admin Connection” -Direction Inbound –Protocol TCP –LocalPort 1434 -Action allow
- New-NetFirewallRule -DisplayName “SQL Database Management” -Direction Inbound –Protocol UDP –LocalPort 1434 -Action allow
- New-NetFirewallRule -DisplayName “SQL Service Broker” -Direction Inbound –Protocol TCP –LocalPort 4022 -Action allow
- New-NetFirewallRule -DisplayName “SQL Debugger/RPC” -Direction Inbound –Protocol TCP –LocalPort 135 -Action allow
- ```
-
-7. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1703. Installation might require several minutes to acquire all components.
-
-## Install System Center Configuration Manager
-
-1. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt:
-
- ```
- $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
- Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0
- Stop-Process -Name Explorer
- ```
-
-2. Download [System Center Configuration Manager and Endpoint Protection](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) on SRV1 (download the executable file anywhere on SRV1), double-click the file, enter **C:\configmgr** for **Unzip to folder**, and click **Unzip**. The C:\configmgr directory will be automatically created. Click **OK** and then close the **WinZip Self-Extractor** dialog box when finished.
-
-3. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**:
-
- ```
- Get-Service Winmgmt
-
- Status Name DisplayName
- ------ ---- -----------
- Running Winmgmt Windows Management Instrumentation
-
- Test-NetConnection -ComputerName 192.168.0.2 -Port 135 -InformationLevel Detailed
-
- ComputerName : 192.168.0.2
- RemoteAddress : 192.168.0.2
- RemotePort : 135
- AllNameResolutionResults :
- MatchingIPsecRules :
- NetworkIsolationContext : Internet
- InterfaceAlias : Ethernet
- SourceAddress : 192.168.0.2
- NetRoute (NextHop) : 0.0.0.0
- PingSucceeded : True
- PingReplyDetails (RTT) : 0 ms
- TcpTestSucceeded : True
- ```
- You can also verify WMI using the WMI console by typing **wmimgmt.msc**, right-clicking **WMI Control (Local)** in the console tree, and then clicking **Properties**.
-
- If the WMI service is not started, attempt to start it or reboot the computer. If WMI is running but errors are present, see [WMIDiag](https://blogs.technet.microsoft.com/askperf/2015/05/12/wmidiag-2-2-is-here/) for troubleshooting information.
-
-4. To extend the Active Directory schema, type the following command at an elevated Windows PowerShell prompt:
-
- ```
- cmd /c C:\configmgr\SMSSETUP\BIN\X64\extadsch.exe
- ```
-
-5. Temporarily switch to the DC1 VM, and type the following command at an elevated command prompt on DC1:
-
- ```
- adsiedit.msc
- ```
-
-6. Right-click **ADSI Edit**, click **Connect to**, select **Default (Domain or server that you logged in to)** under **Computer** and then click **OK**.
-7. Expand **Default naming context**>**DC=contoso,DC=com**, and then in the console tree right-click **CN=System**, point to **New**, and then click **Object**.
-8. Click **container** and then click **Next**.
-9. Next to **Value**, type **System Management**, click **Next**, and then click **Finish**.
-10. Right-click **CN=system Management** and then click **Properties**.
-11. On the **Security** tab, click **Add**, click **Object Types**, select **Computers**, and click **OK**.
-12. Under **Enter the object names to select**, type **SRV1** and click **OK**.
-13. The **SRV1** computer account will be highlighted, select **Allow** next to **Full control**.
-14. Click **Advanced**, click **SRV1 (CONTOSO\SRV1$)** and click **Edit**.
-15. Next to **Applies to**, choose **This object and all descendant objects**, and then click **OK** three times.
-16. Close the ADSI Edit console and switch back to SRV1.
-17. To start Configuration Manager installation, type the following command at an elevated Windows PowerShell prompt on SRV1:
-
- ```
- cmd /c C:\configmgr\SMSSETUP\BIN\X64\Setup.exe
- ```
-18. Provide the following in the System Center Configuration Manager Setup Wizard:
- - **Before You Begin**: Read the text and click *Next*.
- - **Getting Started**: Choose **Install a Configuration Manager primary site** and select the **Use typical installation options for a stand-alone primary site** checkbox.
- - Click **Yes** in response to the popup window.
- - **Product Key**: Choose **Install the evaluation edition of this Product**.
- - **Microsoft Software License Terms**: Read the terms and then select the **I accept these license terms** checkbox.
- - **Prerequisite Licenses**: Review license terms and select all three checkboxes on the page.
- - **Prerequisite Downloads**: Choose **Download required files** and enter **c:\windows\temp** next to **Path**.
- - **Site and Installation Settings**: Site code: **PS1**, Site name: **Contoso**.
- - use default settings for all other options
- - **Usage Data**: Read the text and click **Next**.
- - **Service Connection Point Setup**: Accept the default settings (SRV1.contoso.com is automatically added under Select a server to use).
- - **Settings Summary**: Review settings and click **Next**.
- - **Prerequisite Check**: No failures should be listed. Ignore any warnings and click **Begin Install**.
-
- >There should be at most three warnings present: WSUS on site server, configuration for SQL Server memory usage, and SQL Server process memory allocation. These warnings can safely be ignored in this test environment.
-
- Depending on the speed of the Hyper-V host and resources allocated to SRV1, installation can require approximately one hour. Click **Close** when installation is complete.
-
-19. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1:
-
- ```
- Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1
- Stop-Process -Name Explorer
- ```
-
-## Download MDOP and install DaRT
-
->[!IMPORTANT]
->This step requires an MSDN subscription or volume licence agreement. For more information, see [Ready for Windows 10: MDOP 2015 and more tools are now available](https://blogs.technet.microsoft.com/windowsitpro/2015/08/17/ready-for-windows-10-mdop-2015-and-more-tools-are-now-available/).
->If your organization qualifies and does not already have an MSDN subscription, you can obtain a [free MSDN subscription with BizSpark](https://blogs.msdn.microsoft.com/zainnab/2011/03/14/bizspark-free-msdn-subscription-for-start-up-companies/).
-
-1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host.
-
-2. Type the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1:
-
- ```
- Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso
- ```
-3. Type the following command at an elevated Windows PowerShell prompt on SRV1:
-
- ```
- cmd /c "D:\DaRT\DaRT 10\Installers\en-us\x64\MSDaRT100.msi"
- ```
-4. Install DaRT 10 using default settings.
-5. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
-
- ```
- Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx64.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64"
- Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx86.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x86"
- ```
-
-## Prepare for Zero Touch installation
-
-This section contains several procedures to support Zero Touch installation with System Center Configuration Manager.
-
-### Create a folder structure
-
-1. Type the following commands at a Windows PowerShell prompt on SRV1:
-
- ```
- New-Item -ItemType Directory -Path "C:\Sources\OSD\Boot"
- New-Item -ItemType Directory -Path "C:\Sources\OSD\OS"
- New-Item -ItemType Directory -Path "C:\Sources\OSD\Settings"
- New-Item -ItemType Directory -Path "C:\Sources\OSD\Branding"
- New-Item -ItemType Directory -Path "C:\Sources\OSD\MDT"
- New-Item -ItemType Directory -Path "C:\Logs"
- New-SmbShare -Name Sources$ -Path C:\Sources -ChangeAccess EVERYONE
- New-SmbShare -Name Logs$ -Path C:\Logs -ChangeAccess EVERYONE
- ```
-
-### Enable MDT ConfigMgr integration
-
-1. On SRV1, click **Start**, type **configmgr**, and then click **Configure ConfigMgr Integration**.
-2. Type **PS1** next to **Site code**, and then click **Next**.
-3. Verify **The process completed successfully** is displayed, and then click **Finish**.
-
-### Configure client settings
-
-1. On SRV1, click **Start**, type **configuration manager**, right-click **Configuration Manager Console**, and then click **Pin to Taskbar**.
-2. Click **Desktop**, and then launch the Configuration Manager console from the taskbar.
-3. If the console notifies you that an update is available, click **OK**. It is not necessary to install updates to complete this lab.
-4. In the console tree, open the **Administration** workspace (in the lower left corner) and click **Client Settings**.
-5. In the display pane, double-click **Default Client Settings**.
-6. Click **Computer Agent**, next to **Organization name displayed in Software Center** type **Contoso**, and then click **OK**.
-
-### Configure the network access account
-
-1. In the Administration workspace, expand **Site Configuration** and click **Sites**.
-2. On the **Home** ribbon at the top of the console window, click **Configure Site Components** and then click **Software Distribution**.
-3. On the **Network Access Account** tab, choose **Specify the account that accesses network locations**.
-4. Click the yellow starburst and then click **New Account**.
-5. Click **Browse** and then under **Enter the object name to select**, type **CM_NAA** and click **OK**.
-6. Next to **Password** and **Confirm Password**, type pass@word1, and then click **OK** twice.
-
-### Configure a boundary group
-
-1. In the Administration workspace, expand **Hierarchy Configuration**, right-click **Boundaries** and then click **Create Boundary**.
-2. Next to **Description**, type **PS1**, next to **Type** choose **Active Directory Site**, and then click **Browse**.
-3. Choose **Default-First-Site-Name** and then click **OK** twice.
-4. In the Administration workspace, right-click **Boundary Groups** and then click **Create Boundary Group**.
-5. Next to **Name**, type **PS1 Site Assignment and Content Location**, click **Add**, select the **Default-First-Site-Name** boundary and then click **OK**.
-6. On the **References** tab in the **Create Boundary Group** window select the **Use this boundary group for site assignment** checkbox.
-7. Click **Add**, select the **\\\SRV1.contoso.com** checkbox, and then click **OK** twice.
-
-### Add the state migration point role
-
-1. In the Administration workspace, expand **Site Configuration**, click **Sites**, and then in on the **Home** ribbon at the top of the console click **Add Site System Roles**.
-2. In the Add site System Roles Wizard, click **Next** twice and then on the Specify roles for this server page, select the **State migration point** checkbox.
-3. Click **Next**, click the yellow starburst, type **C:\MigData** for the **Storage folder**, and click **OK**.
-4. Click **Next**, and then verify under **Boundary groups** that **PS1 Site Assignment and Content Location** is displayed.
-5. Click **Next** twice and then click **Close**.
-
-### Enable PXE on the distribution point
-
->[!IMPORTANT]
->Before enabling PXE in Configuration Manager, ensure that any previous installation of WDS does not cause conflicts. Configuration Manager will automatically configure the WDS service to manage PXE requests. To disable a previous installation, if it exists, type the following commands at an elevated Windows PowerShell prompt on SRV1:
-
-```
-WDSUTIL /Set-Server /AnswerClients:None
-```
-
-1. Determine the MAC address of the internal network adapter on SRV1. To determine this, type the following command at an elevated Windows PowerShell prompt on SRV1:
-
- ```
- (Get-NetAdapter "Ethernet").MacAddress
- ```
- >If the internal network adapter, assigned an IP address of 192.168.0.2, is not named "Ethernet" then replace the name "Ethernet" in the previous command with the name of this network adapter. You can review the names of network adapters and the IP addresses assigned to them by typing **ipconfig**.
-
-2. In the System Center Configuration Manager console, in the **Administration** workspace, click **Distribution Points**.
-3. In the display pane, right-click **SRV1.CONTOSO.COM** and then click **Properties**.
-4. On the PXE tab, select the following settings:
- - **Enable PXE support for clients**. Click **Yes** in the popup that appears.
- - **Allow this distribution point to respond to incoming PXE requests**
- - **Enable unknown computer support**. Click **OK** in the popup that appears.
- - **Require a password when computers use PXE**
- - **Password** and **Confirm password**: pass@word1
- - **Respond to PXE requests on specific network interfaces**: Click the yellow starburst and then enter the MAC address determined in the first step of this procedure.
-
- See the following example:
-
- | Topic | Description | Time - - |
| Install prerequisites | Install prerequisite Windows Server roles and features, download, install and configure SQL Server, configure firewall rules, and install the Windows ADK. | 60 minutes - |
| Install System Center Configuration Manager | Download System Center Configuration Manager, configure prerequisites, and install the package. | 45 minutes - |
| Download MDOP and install DaRT | Download the Microsoft Desktop Optimization Pack 2015 and install DaRT 10. | 15 minutes - |
| Prepare for Zero Touch installation | Prerequisite procedures to support Zero Touch installation. | 60 minutes - |
| Create a boot image for Configuration Manager | Use the MDT wizard to create the boot image in Configuration Manager. | 20 minutes - |
| Create a Windows 10 reference image | This procedure can be skipped if it was done previously, otherwise instructions are provided to create a reference image. | 0-60 minutes - |
| Add a Windows 10 operating system image | Add a Windows 10 operating system image and distribute it. | 10 minutes |
| Create a task sequence | Create a Configuration Manager task sequence with MDT integration using the MDT wizard | 15 minutes - |
| Finalize the operating system configuration | Enable monitoring, configure rules, and distribute content. | 30 minutes - |
| Deploy Windows 10 using PXE and Configuration Manager | Deploy Windows 10 using Configuration Manager deployment packages and task sequences. | 60 minutes - |
| Replace a client with Windows 10 using Configuration Manager | Replace a client computer with Windows 10 using Configuration Manager. | 90 minutes - |
| Refresh a client with Windows 10 using Configuration Manager | Use a task sequence to refresh a client with Windows 10 using Configuration Manager and MDT | 90 minutes - - |
-
-5. Click **OK**.
-6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present:
-
- ```
- cmd /c dir /b C:\RemoteInstall\SMSBoot\x64
-
- abortpxe.com
- bootmgfw.efi
- bootmgr.exe
- pxeboot.com
- pxeboot.n12
- wdsmgfw.efi
- wdsnbp.com
- ```
- >If these files are not present in the C:\RemoteInstall directory, verify that the REMINST share is configured as C:\RemoteInstall. You can view the properties of this share by typing "net share REMINST" at a command prompt. If the share path is set to a different value, then replace C:\RemoteInstall with your REMINST share path.
- >You can also type the following command at an elevated Windows PowerShell prompt to open the Configuration Manager Trace Log Tool. In the tool, click **File**, click **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red:
-
- ```
- Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
- ```
-
- The log file will updated continuously while Configuration Manager is running. Wait for Configuration Manager to repair any issues that are present, and periodically re-check that the files are present in the REMINST share location. Close the Configuration Manager Trace Log Tool when done. You will see the following line in distmgr.log that indicates the REMINST share is being populated with necessary files:
-
- Running: WDSUTIL.exe /Initialize-Server /REMINST:"C:\RemoteInstall"
-
- Once the files are present in the REMINST share location, you can close the cmtrace tool.
-
-### Create a branding image file
-
-1. If you have a bitmap (.BMP) image for suitable use as a branding image, copy it to the C:\Sources\OSD\Branding folder on SRV1. Otherwise, use the following step to copy a simple branding image.
-2. Type the following command at an elevated Windows PowerShell prompt:
-
- ```
- copy "C:\ProgramData\Microsoft\User Account Pictures\user.bmp" "C:\Sources\OSD\Branding\contoso.bmp"
- ```
- >You can open C:\Sources\OSD\Branding\contoso.bmp in MSPaint.exe if desired to customize this image.
-
-
-### Create a boot image for Configuration Manager
-
-1. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and then click **Create Boot Image using MDT**.
-2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then click **Next**.
- - The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later.
-3. On the General Settings page, type **Zero Touch WinPE x64** next to **Name**, and click **Next**.
-4. On the Options page, under **Platform** choose **x64**, and click **Next**.
-5. On the Components page, in addition to the default selection of **Microsoft Data Access Components (MDAC/ADO) support**, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox, and click **Next**.
-6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, type or browse to **\\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then click **Next** twice. It will take a few minutes to generate the boot image.
-7. Click **Finish**.
-8. In the console display pane, right-click the **Zero Touch WinPE x64** boot image, and then click **Distribute Content**.
-9. In the Distribute Content Wizard, click **Next**, click **Add** and select **Distribution Point**, select the **SRV1.CONTOSO.COM** checkbox, click **OK**, click **Next** twice, and then click **Close**.
-10. Use the CMTrace application to view the **distmgr.log** file again and verify that the boot image has been distributed. To open CMTrace, type the following command at an elevated Windows PowerShell prompt on SRV1:
-
- ```
- Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
- ```
-
- In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example:
-
- ```
- STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=924 TID=1424 GMTDATE=Tue Oct 09 22:36:30.986 2018 ISTR0="Zero Touch WinPE x64" ISTR1="PS10000A" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS10000A" SMS_DISTRIBUTION_MANAGER 10/9/2018 3:36:30 PM 1424 (0x0590)
- ```
-
-11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Double-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab.
-12. Next, in the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then click the **Data Source** tab.
-13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and click **OK**.
-14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. See the following example:
-
- ```
- cmd /c dir /s /b C:\RemoteInstall\SMSImages
-
- C:\RemoteInstall\SMSImages\PS100004
- C:\RemoteInstall\SMSImages\PS100005
- C:\RemoteInstall\SMSImages\PS100006
- C:\RemoteInstall\SMSImages\PS100004\boot.PS100004.wim
- C:\RemoteInstall\SMSImages\PS100005\boot.PS100005.wim
- C:\RemoteInstall\SMSImages\PS100006\WinPE.PS100006.wim
- ```
-
- >The first two images (*.wim files) are default boot images. The third is the new boot image with DaRT.
-
-### Create a Windows 10 reference image
-
-If you have already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you have already created a Windows 10 reference image. In this case, skip to the next procedure in this guide: [Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image). If you have not yet created a Windows 10 reference image, complete the steps in this section.
-
-1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command:
-
- ```
- Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso
- ```
-2. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D.
-
-3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**.
-
-4. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
-
-5. Use the following settings for the New Deployment Share Wizard:
- - Deployment share path: **C:\MDTBuildLab**- - Share name: **MDTBuildLab$**
- - Deployment share description: **MDT build lab**
- - Options: click **Next** to accept the default
- - Summary: click **Next**
- - Progress: settings will be applied
- - Confirmation: click **Finish** - -6. Expand the **Deployment Shares** node, and then expand **MDT build lab**. - -7. Right-click the **Operating Systems** node, and then click **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**. - -7. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**. - -8. Use the following settings for the Import Operating System Wizard: - - OS Type: **Full set of source files**
- - Source: **D:\\**
- - Destination: **W10Ent_x64**
- - Summary: click **Next** - - Confirmation: click **Finish** - -9. For purposes of this test lab, we will not add applications, such as Microsoft Office, to the deployment share. For information about adding applications, see the [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#sec03) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library. - -10. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - - Task sequence ID: **REFW10X64-001**
- - Task sequence name: **Windows 10 Enterprise x64 Default Image**
- - Task sequence comments: **Reference Build**
- - Template: **Standard Client Task Sequence** - - Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim** - - Specify Product Key: **Do not specify a product key at this time** - - Full Name: **Contoso** - - Organization: **Contoso** - - Internet Explorer home page: **http://www.contoso.com** - - Admin Password: **Do not specify an Administrator password at this time** - - Summary: click **Next** - - Confirmation: click **Finish** - -11. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step. - -12. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**. A new group will be added under Tattoo. - -13. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. To see the name change, click **Tattoo**, then click the new group again. - -14. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**. - -15. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**. - -16. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. - >Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications. - -17. Click **OK** to complete editing the task sequence. - -18. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and click **Properties**, and then click the **Rules** tab. - -19. Replace the default rules with the following text: - - ``` - [Settings] - Priority=Default - - [Default] - _SMSTSORGNAME=Contoso - UserDataLocation=NONE - DoCapture=YES - OSInstall=Y - AdminPassword=pass@word1 - TimeZoneName=Pacific Standard TimeZoneName - OSDComputername=#Left("PC-%SerialNumber%",7)# - JoinWorkgroup=WORKGROUP - HideShell=YES - FinishAction=SHUTDOWN - DoNotCreateExtraPartition=YES - ApplyGPOPack=NO - SkipAdminPassword=YES - SkipProductKey=YES - SkipComputerName=YES - SkipDomainMembership=YES - SkipUserData=YES - SkipLocaleSelection=YES - SkipTaskSequence=NO - SkipTimeZone=YES - SkipApplications=YES - SkipBitLocker=YES - SkipSummary=YES - SkipRoles=YES - SkipCapture=NO - SkipFinalSummary=NO - ``` - -20. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: - - ``` - [Settings] - Priority=Default - - [Default] - DeployRoot=\\SRV1\MDTBuildLab$ - UserDomain=CONTOSO - UserID=MDT_BA - UserPassword=pass@word1 - SkipBDDWelcome=YES - ``` - -21. Click **OK** to complete the configuration of the deployment share. - -22. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**. - -23. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, click **Finish**. - -24. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI). - - >Hint: Top copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**. - -25. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands: - - ``` - New-VM –Name REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB - Set-VMMemory -VMName REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20 - Set-VMDvdDrive -VMName REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso - Start-VM REFW10X64-001 - vmconnect localhost REFW10X64-001 - ``` -26. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**. - -27. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated. - - Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures: - - - Install the Windows 10 Enterprise operating system. - - Install added applications, roles, and features. - - Update the operating system using Windows Update (or WSUS if optionally specified). - - Stage Windows PE on the local disk. - - Run System Preparation (Sysprep) and reboot into Windows PE. - - Capture the installation to a Windows Imaging (WIM) file. - - Turn off the virtual machine. - - This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host and your network's download speed. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on SRV1. The file name is **REFW10X64-001.wim**. - -### Add a Windows 10 operating system image - -1. Type the following commands at an elevated Windows PowerShell prompt on SRV1: - - ``` - New-Item -ItemType Directory -Path "C:\Sources\OSD\OS\Windows 10 Enterprise x64" - cmd /c copy /z "C:\MDTBuildLab\Captures\REFW10X64-001.wim" "C:\Sources\OSD\OS\Windows 10 Enterprise x64" - ``` - -2. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Operating System Images**, and then click **Add Operating System Image**. - -3. On the Data Source page, under **Path:**, type or browse to **\\\SRV1\Sources$\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim**, and click **Next**. - -4. On the General page, next to **Name:**, type **Windows 10 Enterprise x64**, click **Next** twice, and then click **Close**. - -5. Distribute the operating system image to the SRV1 distribution point by right-clicking the **Windows 10 Enterprise x64** operating system image and then clicking **Distribute Content**. - -6. In the Distribute Content Wizard, click **Next**, click **Add**, click **Distribution Point**, add the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**. - -7. Enter **\Monitoring\Overview\Distribution Status\Content Status** on the location bar (be sure there is no space at the end of the location or you will get an error), click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. Processing of the image on the site server can take several minutes. - - >If content distribution is not successful, verify that sufficient disk space is available. - -### Create a task sequence - ->Complete this section slowly. There are a large number of similar settings from which to choose. - -1. In the Configuration Manager console, in the **Software Library** workspace expand **Operating Systems**, right-click **Task Sequences**, and then click **Create MDT Task Sequence**. - -2. On the Choose Template page, select the **Client Task Sequence** template and click **Next**. - -3. On the General page, type **Windows 10 Enterprise x64** under **Task sequence name:** and then click **Next**. - -4. On the Details page, enter the following settings: - - Join a domain: **contoso.com** - - Account: click **Set** - - User name: **contoso\CM_JD** - - Password: pass@word1 - - Confirm password: pass@word1 - - Click **OK** - - Windows Settings - - User name: **Contoso** - - Organization name: **Contoso** - - Product key: \
- - Request state storage location to: **Restore state from another computer**
- - Select the **If computer account fails to connect to state store, use the Network Access account** checkbox.
- - Options tab: Select the **Continue on error** checkbox.
- - Add Condition: **Task Sequence Variable**:
- - Variable: **USMTLOCAL**
- - Condition: **not equals**
- - Value: **True**
- - Click **OK**.
- - Click **Apply**
. - -6. In the **State Restore** group, click **Restore User State**, click **Add**, point to **User State**, and click **Release State Store**. - -7. Configure the **Release State Store** action that was just added with the following settings:
- - Options tab: Select the **Continue on error** checkbox.
- - Add Condition: **Task Sequence Variable**:
- - Variable: **USMTLOCAL**
- - Condition: **not equals**
- - Value: **True**
- - Click **OK**.
- - Click **OK**
. - - -### Finalize the operating system configuration - ->If you completed all procedures in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then the MDT deployment share is already present on SRV1. In this case, skip the first four steps below and begin with step 5 to edit CustomSettings.ini. - -1. In the MDT deployment workbench on SRV1, right-click **Deployment Shares** and then click **New Deployment Share**. - -2. Use the following settings for the New Deployment Share Wizard: - - Deployment share path: **C:\MDTProduction**
- - Share name: **MDTProduction$**
- - Deployment share description: **MDT Production**
- - Options: click **Next** to accept the default
- - Summary: click **Next**
- - Progress: settings will be applied
- - Confirmation: click **Finish** - -3. Right-click the **MDT Production** deployment share, and click **Properties**. - -4. Click the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**. - -5. Type the following command at an elevated Windows PowerShell prompt on SRV1: - - ``` - notepad "C:\Sources\OSD\Settings\Windows 10 x64 Settings\CustomSettings.ini" - ``` -6. Replace the contents of the file with the following text, and then save the file: - - ``` - [Settings] - Priority=Default - Properties=OSDMigrateConfigFiles,OSDMigrateMode - - [Default] - DoCapture=NO - ComputerBackupLocation=NONE - OSDMigrateMode=Advanced - OSDMigrateAdditionalCaptureOptions=/ue:*\* /ui:CONTOSO\* - OSDMigrateConfigFiles=Miguser.xml,Migapp.xml - SLSHARE=\\SRV1\Logs$ - EventService=http://SRV1:9800 - ApplyGPOPack=NO - ``` - - >As noted previously, if you wish to migrate accounts other than those in the Contoso domain, then change the OSDMigrateAdditionalCaptureOptions option. For example, the following option will capture settings from all user accounts: - - ``` - OSDMigrateAdditionalCaptureOptions=/all - ``` - - -7. Return to the Configuration Manager console, and in the Software Library workspace, expand **Application Management**, click **Packages**, right-click **Windows 10 x64 Settings**, and then click **Update Distribution Points**. Click **OK** in the popup that appears. - -8. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Distribute Content**. - -9. In the Distribute Content Wizard, click **Next** twice, click **Add**, click **Distribution Point**, select the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**. - -10. Enter **\Monitoring\Overview\Distribution Status\Content Status\Windows 10 Enterprise x64** on the location bar, double-click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. - -### Create a deployment for the task sequence - -1. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Deploy**. - -2. On the General page, next to **Collection**, click **Browse**, select the **All Unknown Computers** collection, click **OK**, and then click **Next**. - -3. On the Deployment Settings page, use the following settings:
- - Purpose: **Available**
- - Make available to the following: **Only media and PXE**
- - Click **Next**.
-4. Click **Next** five times to accept defaults on the Scheduling, User Experience, Alerts, and Distribution Points pages. - -5. Click **Close**. - -## Deploy Windows 10 using PXE and Configuration Manager - -In this first deployment scenario, we will deploy Windows 10 using PXE. This scenario creates a new computer that does not have any migrated users or settings. - -1. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - New-VM –Name "PC4" –NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 40GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 - Set-VMMemory -VMName "PC4" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20 - Start-VM PC4 - vmconnect localhost PC4 - ``` - -2. Press ENTER when prompted to start the network boot service. - -3. In the Task Sequence Wizard, provide the password: pass@word1, and then click **Next**. - -4. Before you click **Next** in the Task Sequence Wizard, press the **F8** key. A command prompt will open. - -5. At the command prompt, type **explorer.exe** and review the Windows PE file structure. - -6. The smsts.log file is critical for troubleshooting any installation problems that might be encountered. Depending on the deployment phase, the smsts.log file is created in different locations: - - X:\windows\temp\SMSTSLog\smsts.log before disks are formatted. - - x:\smstslog\smsts.log after disks are formatted. - - c:\_SMSTaskSequence\Logs\Smstslog\smsts.log before the System Center Configuration Manager client is installed. - - c:\windows\ccm\logs\Smstslog\smsts.log after the System Center Configuration Manager client is installed. - - c:\windows\ccm\logs\smsts.log when the task sequence is complete. - - Note: If a reboot is pending on the client, the reboot will be blocked as long as the command window is open. - -7. In the explorer window, click **Tools** and then click **Map Network Drive**. - -8. Do not map a network drive at this time. If you need to save the smsts.log file, you can use this method to save the file to a location on SRV1. - -9. Close the Map Network Drive window, the Explorer window, and the command prompt. - -10. The **Windows 10 Enterprise x64** task sequence is selected in the Task Sequenc Wizard. Click **Next** to continue with the deployment. - -11. The task sequence will require several minutes to complete. You can monitor progress of the task sequence using the MDT Deployment Workbench under Deployment Shares > MDTProduction > Monitoring. The task sequence will: - - Install Windows 10 - - Install the Configuration Manager client and hotfix - - Join the computer to the contoso.com domain - - Install any applications that were specified in the reference image - - -12. When Windows 10 installation has completed, sign in to PC4 using the **contoso\administrator** account. - -13. Right-click **Start**, click **Run**, type **control appwiz.cpl**, press ENTER, click **Turn Windows features on or off**, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This is a feature included in the reference image. - -14. Shut down the PC4 VM. - ->Note: The following two procedures 1) Replace a client with Windows 10 and 2) Refresh a client with Windows 10 have been exchanged in their order in this guide compared to the previous version. This is to avoid having to restore Hyper-V checkpoints to have access to PC1 before the OS is upgraded. If this is your first time going through this guide, you won't notice any change, but if you have tried the guide previously then this change should make it simpler to complete. - -## Replace a client with Windows 10 using Configuration Manager - ->Before starting this section, you can delete computer objects from Active Directory that were created as part of previous deployment procedures. Use the Active Directory Users and Computers console on DC1 to remove stale entries under contoso.com\Computers, but do not delete the computer account (hostname) for PC1. There should be at least two computer accounts present in the contoso.com\Computers container: one for SRV1, and one for the hostname of PC1. It is not required to delete the stale entries, this is only done to remove clutter. - - - -In the replace procedure, PC1 will not be migrated to a new operating system. It is simplest to perform this procedure before performing the refresh procedure. After refreshing PC1, the operating system will be new. The next (replace) procedure does not install a new operating system on PC1 but rather performs a side-by-side migration of PC1 and another computer (PC4), to copy users and settings from PC1 to the new computer. - -### Create a replace task sequence - -1. On SRV1, in the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and then click **Create MDT Task Sequence**. - -2. On the Choose Template page, select **Client Replace Task Sequence** and click **Next**. - -3. On the General page, type the following: - - Task sequence name: **Replace Task Sequence** - - Task sequence comments: **USMT backup only** - -4. Click **Next**, and on the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package. Click **OK** and then click **Next** to continue. -5. On the MDT Package page, browse and select the **MDT** package. Click **OK** and then click **Next** to continue. -6. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package. Click **OK** and then click **Next** to continue. -7. On the Settings Package page, browse and select the **Windows 10 x64 Settings** package. Click **OK** and then click **Next** to continue. -8. On the Summary page, review the details and then click **Next**. -9. On the Confirmation page, click **Finish**. - ->If an error is displayed at this stage it can be caused by a corrupt MDT integration. To repair it, close the Configuration Manager console, remove MDT integration, and then restore MDT integration. - -### Deploy PC4 - -Create a VM named PC4 to receive the applications and settings from PC1. This VM represents a new computer that will replace PC1. To create this VM, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: - -``` -New-VM –Name "PC4" –NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 -Set-VMMemory -VMName "PC4" -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 2048MB -Buffer 20 -Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF -``` - ->Hyper-V enables us to define a static MAC address on PC4. In a real-world scenario you must determine the MAC address of the new computer. - -### Install the Configuration Manager client on PC1 - -1. Verify that the PC1 VM is running and in its original state, which was saved as a checkpoint and then restored in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md). - -2. If a PC1 checkpoint has not already been saved, then save a checkpoint by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - Checkpoint-VM -Name PC1 -SnapshotName BeginState - ``` - -3. On SRV1, in the Configuration Manager console, in the Administration workspace, expand **Hierarchy Configuration** and click on **Discovery Methods**. -4. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox. -5. Click the yellow starburst, click **Browse**, select **contoso\Computers**, and then click **OK** three times. -6. When a popup dialog box asks if you want to run full discovery, click **Yes**. -7. In the Assets and Compliance workspace, click **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example): - -  - - >If you do not see the computer account for PC1, try clicking the **Refresh** button in the upper right corner of the console. - - The **Client** column indicates that the Configuration Manager client is not currently installed. This procedure will be carried out next. - -8. Sign in to PC1 using the contoso\administrator account and type the following at an elevated command prompt to remove any pre-existing client configuration, if it exists. Note: this command requires an elevated command prompt not an elevated Windows PowerShell prompt: - - ``` - sc stop ccmsetup - "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /Uninstall - ``` - >If PC1 still has Configuration Manager registry settings that were applied by Group Policy, startup scripts, or other policies in its previous domain, these might not all be removed by CCMSetup /Uninstall and can cause problems with installation or registration of the client in its new environment. It might be necessary to manually remove these settings if they are present. For more information, see [Manual removal of the SCCM client](https://blogs.technet.microsoft.com/michaelgriswold/2013/01/02/manual-removal-of-the-sccm-client/). - -9. On PC1, temporarily stop Windows Update from queuing items for download and clear all BITS jobs from the queue: - - ``` - net stop wuauserv - net stop BITS - ``` - - Verify that both services were stopped successfully, then type the following at an elevated command prompt: - - ``` - del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat" - net start BITS - bitsadmin /list /allusers - ``` - - Verify that BITSAdmin displays 0 jobs. - -10. To install the Configuration Manager client as a standalone process, type the following at an elevated command prompt: - - ``` - "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /mp:SRV1.contoso.com /logon SMSSITECODE=PS1 - ``` -11. On PC1, using file explorer, open the **C:\Windows\ccmsetup** directory. During client installation, files will be downloaded here. -12. Installation progress will be captured in the file: **c:\windows\ccmsetup\logs\ccmsetup.log**. You can periodically open this file in notepad, or you can type the following command at an elevated Windows PowerShell prompt to monitor installation progress: - - ``` - Get-Content -Path c:\windows\ccmsetup\logs\ccmsetup.log -Wait - ``` - - Installation might require several minutes, and display of the log file will appear to hang while some applications are installed. This is normal. When setup is complete, verify that **CcmSetup is existing with return code 0** is displayed on the last line of the ccmsetup.log file and then press **CTRL-C** to break out of the Get-Content operation (if you are viewing the log in Windows PowerShell the last line will be wrapped). A return code of 0 indicates that installation was successful and you should now see a directory created at **C:\Windows\CCM** that contains files used in registration of the client with its site. - -13. On PC1, open the Configuration Manager control panel applet by typing the following command: - - ``` - control smscfgrc - ``` - -14. Click the **Site** tab, click **Configure Settings**, and click **Find Site**. The client will report that it has found the PS1 site. See the following example: - -  - - If the client is not able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the site code is not located is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode** this must be deleted or updated. - -15. On SRV1, in the Assets and Compliance workspace, click **Device Collections** and then double-click **All Desktop and Server Clients**. This node will be added under **Devices**. - -16. Click **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example: - -  - - >It might take several minutes for the client to fully register with the site and complete a client check. When it is complete you will see a green check mark over the client icon as shown above. To refresh the client, click it and then press **F5** or right-click the client and click **Refresh**. - -### Create a device collection and deployment - -1. On SRV1, in the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections** and then click **Create Device Collection**. - -2. Use the following settings in the **Create Device Collection Wizard**: - - General > Name: **Install Windows 10 Enterprise x64**
- - General > Limiting collection: **All Systems**
- - Membership Rules > Add Rule: **Direct Rule**
- - The **Create Direct Membership Rule Wizard** opens, click **Next**
- - Search for Resources > Resource class: **System Resource**
- - Search for Resources > Attribute name: **Name**
- - Search for Resources > Value: **%**
- - Select Resources > Value: Select the computername associated with the PC1 VM
- - Click **Next** twice and then click **Close** in both windows (Next, Next, Close, then Next, Next, Close) - -3. Double-click the Install Windows 10 Enterprise x64 device collection and verify that the PC1 computer account is displayed. - -4. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64** and then click **Deploy**. - -5. Use the following settings in the Deploy Software wizard: - - General > Collection: Click Browse and select **Install Windows 10 Enterprise x64**
- - Deployment Settings > Purpose: **Available**
- - Deployment Settings > Make available to the following: **Configuration Manager clients, media and PXE**
- - Scheduling > Click **Next**
- - User Experience > Click **Next**
- - Alerts > Click **Next**
- - Distribution Points > Click **Next**
- - Summary > Click **Next**
- - Verify that the wizard completed successfully and then click **Close** - - -### Associate PC4 with PC1 - -1. On SRV1 in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices** and then click **Import Computer Information**. - -2. On the Select Source page, choose **Import single computer** and click **Next**. - -3. On the Single Computer page, use the following settings: - - Computer Name: **PC4** - - MAC Address: **00:15:5D:83:26:FF** - - Source Computer: \
- - General > Limiting collection: **All Systems**
- - Membership Rules > Add Rule: **Direct Rule**
- - The **Create Direct Membership Rule Wizard** opens, click **Next**
- - Search for Resources > Resource class: **System Resource**
- - Search for Resources > Attribute name: **Name**
- - Search for Resources > Value: **%**
- - Select Resources > Value: Select the computername associated with the PC1 VM (GREGLIN-PC1 in this example).
- - Click **Next** twice and then click **Close** in both windows. - -3. Click **Device Collections** and then double-click **USMT Backup (Replace)**. Verify that the computer name/hostname associated with PC1 is displayed in the collection. Do not proceed until this name is displayed. - -### Create a new deployment - -In the Configuration Manager console, in the Software Library workspace under Operating Systems, click **Task Sequences**, right-click **Replace Task Sequence**, click **Deploy**, and use the following settings: -- General > Collection: **USMT Backup (Replace)**
-- Deployment Settings > Purpose: **Available**
-- Deployment Settings > Make available to the following: **Only Configuration Manager Clients**
-- Scheduling: Click **Next**
-- User Experience: Click **Next**
-- Alerts: Click **Next**
-- Distribution Points: Click **Next**
-- Click **Next** and then click **Close**. - -### Verify the backup - -1. On PC1, open the Configuration Manager control panel applet by typing the following command: - - ``` - control smscfgrc - ``` -2. On the **Actions** tab, click **Machine Policy Retrieval & Evaluation Cycle**, click **Run Now**, click **OK**, and then click **OK** again. This is one method that can be used to run a task sequence in addition to the Client Notification method that will be demonstrated in the computer refresh procedure. - -3. Type the following at an elevated command prompt to open the Software Center: - - ``` - C:\Windows\CCM\SCClient.exe - ``` - -4. In the Software Center , click **Available Software** and then select the **Replace Task Sequence** checkbox. See the following example: - -  - - >If you do not see any available software, try running step #2 again to start the Machine Policy Retrieval & Evaluation Cycle. You should see an alert that new software is available. - -5. Click **INSTALL SELECTED** and then click **INSTALL OPERATING SYSTEM**. -6. Allow the **Replace Task Sequence** to complete, then verify that the C:\MigData folder on SRV1 contains the USMT backup. - -### Deploy the new computer - -1. Start PC4 and press ENTER for a network boot when prompted. To start PC4, type the following commands at an elevated Windows Powershell prompt on the Hyper-V host: - - ``` - Start-VM PC4 - vmconnect localhost PC4 - ``` -2. In the **Welcome to the Task Sequence Wizard**, enter pass@word1 and click **Next**. -3. Choose the **Windows 10 Enterprise X64** image. -4. Setup will install the operating system using the Windows 10 Enterprise x64 reference image, install the configuration manager client, join PC4 to the domain, and restore users and settings from PC1. -5. Save checkpoints for all VMs if you wish to review their status at a later date. This is not required (checkpoints do take up space on the Hyper-V host). Note: the next procedure will install a new OS on PC1 update its status in Configuration Manager and in Active Directory as a Windows 10 device, so you cannot return to a previous checkpoint only on the PC1 VM without a conflict. Therefore, if you do create a checkpoint, you should do this for all VMs. - - To save a checkpoint for all VMs, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - Checkpoint-VM -Name DC1 -SnapshotName cm-refresh - Checkpoint-VM -Name SRV1 -SnapshotName cm-refresh - Checkpoint-VM -Name PC1 -SnapshotName cm-refresh - ``` - -## Refresh a client with Windows 10 using Configuration Manager - - -### Initiate the computer refresh - -1. On SRV1, in the Assets and Compliance workspace, click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. -2. Right-click the computer account for PC1, point to **Client Notification**, click **Download Computer Policy**, and click **OK** in the popup dialog box. -3. On PC1, in the notification area, click **New software is available** and then click **Open Software Center**. -4. In the Software Center, click **Operating Systems**, click **Windows 10 Enterprise x64**, click **Install** and then click **INSTALL OPERATING SYSTEM**. See the following example: - -  - - The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then click **More Details**. Click the **Status** tab to see a list of tasks that have been performed. See the following example: - -  - - You can also monitor progress of the installation by using the MDT deployment workbench and viewing the **Monitoring** node under **Deployment Shares\MDT Production**. - - When installation has completed, sign in using the contoso\administrator account or the contoso\user1 account and verify that applications and settings have been successfully backed up and restored to your new Windows 10 Enterprise operating system. - -  - - - -## Related Topics - -[System Center 2012 Configuration Manager Survival Guide](https://social.technet.microsoft.com/wiki/contents/articles/7075.system-center-2012-configuration-manager-survival-guide.aspx#Step-by-Step_Guides) - - - - - - - +--- +title: Step by step - Deploy Windows 10 using Microsoft Endpoint Configuration Manager +description: Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +keywords: deployment, automate, tools, configure, sccm +ms.localizationpriority: medium +ms.date: 10/11/2017 +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager + +**Applies to** + +- Windows 10 + +**Important**: This guide leverages the proof of concept (PoC) environment, and some settings that are configured in the following guides: +- [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) +- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) + +Please complete all steps in these guides before attempting the procedures in this guide. If you wish to skip the Windows 10 deployment procedures in the MDT guide and move directly to this guide, you must at least install MDT and the Windows ADK before performing procedures in this guide. All steps in the first guide are required before attempting the procedures in this guide. + +The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs): +- **DC1**: A contoso.com domain controller, DNS server, and DHCP server. +- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network. +- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been cloned from a physical computer on your corporate network for testing purposes. +This guide leverages the Hyper-V server role to perform procedures. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work. + +>Multiple features and services are installed on SRV1 in this guide. This is not a typical installation, and is only done to set up a lab environment with a bare minimum of resources. However, if less than 4 GB of RAM is allocated to SRV1 in the Hyper-V console, some procedures will be extremely slow to complete. If resources are limited on the Hyper-V host, consider reducing RAM allocation on DC1 and PC1, and then increasing the RAM allocation on SRV1. You can adjust RAM allocation for a VM by right-clicking the VM in the Hyper-V Manager console, clicking **Settings**, clicking **Memory**, and modifying the value next to **Maximum RAM**. + +## In this guide + +This guide provides end-to-end instructions to install and configure Microsoft Endpoint Configuration Manager, and use it to deploy a Windows 10 image. Depending on the speed of your Hyper-V host, the procedures in this guide will require 6-10 hours to complete. + +Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. + +
+ +
+
+
+
+
+
+## Install prerequisites
+1. Before installing Microsoft Endpoint Configuration Manager, we must install prerequisite services and features. Type the following command at an elevated Windows PowerShell prompt on SRV1:
+
+ ```
+ Install-WindowsFeature Web-Windows-Auth,Web-ISAPI-Ext,Web-Metabase,Web-WMI,BITS,RDC,NET-Framework-Features,Web-Asp-Net,Web-Asp-Net45,NET-HTTP-Activation,NET-Non-HTTP-Activ
+ ```
+
+ >If the request to add features fails, retry the installation by typing the command again.
+
+2. Download [SQL Server 2014 SP2](https://www.microsoft.com/evalcenter/evaluate-sql-server-2014-sp2) from the Microsoft Evaluation Center as an .ISO file on the Hyper-V host computer. Save the file to the **C:\VHD** directory.
+3. When you have downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
+
+ ```
+ Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\SQLServer2014SP2-FullSlipstream-x64-ENU.iso
+ ```
+
+ This command mounts the .ISO file to drive D on SRV1.
+
+4. Type the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server:
+
+ ```
+ D:\setup.exe /q /ACTION=Install /ERRORREPORTING="False" /FEATURES=SQLENGINE,RS,IS,SSMS,TOOLS,ADV_SSMS,CONN /INSTANCENAME=MSSQLSERVER /INSTANCEDIR="C:\Program Files\Microsoft SQL Server" /SQLSVCACCOUNT="NT AUTHORITY\System" /SQLSYSADMINACCOUNTS="BUILTIN\ADMINISTRATORS" /SQLSVCSTARTUPTYPE=Automatic /AGTSVCACCOUNT="NT AUTHORITY\SYSTEM" /AGTSVCSTARTUPTYPE=Automatic /RSSVCACCOUNT="NT AUTHORITY\System" /RSSVCSTARTUPTYPE=Automatic /ISSVCACCOUNT="NT AUTHORITY\System" /ISSVCSTARTUPTYPE=Disabled /ASCOLLATION="Latin1_General_CI_AS" /SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS" /TCPENABLED="1" /NPENABLED="1" /IAcceptSQLServerLicenseTerms
+ ```
+ Installation will take several minutes. When installation is complete, the following output will be displayed:
+
+ ```
+ Microsoft (R) SQL Server 2014 12.00.5000.00
+ Copyright (c) Microsoft Corporation. All rights reserved.
+
+ Microsoft (R) .NET Framework CasPol 2.0.50727.7905
+ Copyright (c) Microsoft Corporation. All rights reserved.
+
+ Success
+ Microsoft (R) .NET Framework CasPol 2.0.50727.7905
+ Copyright (c) Microsoft Corporation. All rights reserved.
+
+ Success
+ One or more affected files have operations pending.
+ You should restart your computer to complete this process.
+ PS C:\>
+ ```
+5. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
+
+ ```
+ New-NetFirewallRule -DisplayName “SQL Server” -Direction Inbound –Protocol TCP –LocalPort 1433 -Action allow
+ New-NetFirewallRule -DisplayName “SQL Admin Connection” -Direction Inbound –Protocol TCP –LocalPort 1434 -Action allow
+ New-NetFirewallRule -DisplayName “SQL Database Management” -Direction Inbound –Protocol UDP –LocalPort 1434 -Action allow
+ New-NetFirewallRule -DisplayName “SQL Service Broker” -Direction Inbound –Protocol TCP –LocalPort 4022 -Action allow
+ New-NetFirewallRule -DisplayName “SQL Debugger/RPC” -Direction Inbound –Protocol TCP –LocalPort 135 -Action allow
+ ```
+
+7. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1703. Installation might require several minutes to acquire all components.
+
+## Install Microsoft Endpoint Configuration Manager
+
+1. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt:
+
+ ```
+ $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
+ Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0
+ Stop-Process -Name Explorer
+ ```
+
+2. Download [Microsoft Endpoint Configuration Manager and Endpoint Protection](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) on SRV1 (download the executable file anywhere on SRV1), double-click the file, enter **C:\configmgr** for **Unzip to folder**, and click **Unzip**. The C:\configmgr directory will be automatically created. Click **OK** and then close the **WinZip Self-Extractor** dialog box when finished.
+
+3. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**:
+
+ ```
+ Get-Service Winmgmt
+
+ Status Name DisplayName
+ ------ ---- -----------
+ Running Winmgmt Windows Management Instrumentation
+
+ Test-NetConnection -ComputerName 192.168.0.2 -Port 135 -InformationLevel Detailed
+
+ ComputerName : 192.168.0.2
+ RemoteAddress : 192.168.0.2
+ RemotePort : 135
+ AllNameResolutionResults :
+ MatchingIPsecRules :
+ NetworkIsolationContext : Internet
+ InterfaceAlias : Ethernet
+ SourceAddress : 192.168.0.2
+ NetRoute (NextHop) : 0.0.0.0
+ PingSucceeded : True
+ PingReplyDetails (RTT) : 0 ms
+ TcpTestSucceeded : True
+ ```
+ You can also verify WMI using the WMI console by typing **wmimgmt.msc**, right-clicking **WMI Control (Local)** in the console tree, and then clicking **Properties**.
+
+ If the WMI service is not started, attempt to start it or reboot the computer. If WMI is running but errors are present, see [WMIDiag](https://blogs.technet.microsoft.com/askperf/2015/05/12/wmidiag-2-2-is-here/) for troubleshooting information.
+
+4. To extend the Active Directory schema, type the following command at an elevated Windows PowerShell prompt:
+
+ ```
+ cmd /c C:\configmgr\SMSSETUP\BIN\X64\extadsch.exe
+ ```
+
+5. Temporarily switch to the DC1 VM, and type the following command at an elevated command prompt on DC1:
+
+ ```
+ adsiedit.msc
+ ```
+
+6. Right-click **ADSI Edit**, click **Connect to**, select **Default (Domain or server that you logged in to)** under **Computer** and then click **OK**.
+7. Expand **Default naming context**>**DC=contoso,DC=com**, and then in the console tree right-click **CN=System**, point to **New**, and then click **Object**.
+8. Click **container** and then click **Next**.
+9. Next to **Value**, type **System Management**, click **Next**, and then click **Finish**.
+10. Right-click **CN=system Management** and then click **Properties**.
+11. On the **Security** tab, click **Add**, click **Object Types**, select **Computers**, and click **OK**.
+12. Under **Enter the object names to select**, type **SRV1** and click **OK**.
+13. The **SRV1** computer account will be highlighted, select **Allow** next to **Full control**.
+14. Click **Advanced**, click **SRV1 (CONTOSO\SRV1$)** and click **Edit**.
+15. Next to **Applies to**, choose **This object and all descendant objects**, and then click **OK** three times.
+16. Close the ADSI Edit console and switch back to SRV1.
+17. To start Configuration Manager installation, type the following command at an elevated Windows PowerShell prompt on SRV1:
+
+ ```
+ cmd /c C:\configmgr\SMSSETUP\BIN\X64\Setup.exe
+ ```
+18. Provide the following in the Microsoft Endpoint Configuration Manager Setup Wizard:
+ - **Before You Begin**: Read the text and click *Next*.
+ - **Getting Started**: Choose **Install a Configuration Manager primary site** and select the **Use typical installation options for a stand-alone primary site** checkbox.
+ - Click **Yes** in response to the popup window.
+ - **Product Key**: Choose **Install the evaluation edition of this Product**.
+ - **Microsoft Software License Terms**: Read the terms and then select the **I accept these license terms** checkbox.
+ - **Prerequisite Licenses**: Review license terms and select all three checkboxes on the page.
+ - **Prerequisite Downloads**: Choose **Download required files** and enter **c:\windows\temp** next to **Path**.
+ - **Site and Installation Settings**: Site code: **PS1**, Site name: **Contoso**.
+ - use default settings for all other options
+ - **Usage Data**: Read the text and click **Next**.
+ - **Service Connection Point Setup**: Accept the default settings (SRV1.contoso.com is automatically added under Select a server to use).
+ - **Settings Summary**: Review settings and click **Next**.
+ - **Prerequisite Check**: No failures should be listed. Ignore any warnings and click **Begin Install**.
+
+ >There should be at most three warnings present: WSUS on site server, configuration for SQL Server memory usage, and SQL Server process memory allocation. These warnings can safely be ignored in this test environment.
+
+ Depending on the speed of the Hyper-V host and resources allocated to SRV1, installation can require approximately one hour. Click **Close** when installation is complete.
+
+19. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1:
+
+ ```
+ Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1
+ Stop-Process -Name Explorer
+ ```
+
+## Download MDOP and install DaRT
+
+>[!IMPORTANT]
+>This step requires an MSDN subscription or volume licence agreement. For more information, see [Ready for Windows 10: MDOP 2015 and more tools are now available](https://blogs.technet.microsoft.com/windowsitpro/2015/08/17/ready-for-windows-10-mdop-2015-and-more-tools-are-now-available/).
+>If your organization qualifies and does not already have an MSDN subscription, you can obtain a [free MSDN subscription with BizSpark](https://blogs.msdn.microsoft.com/zainnab/2011/03/14/bizspark-free-msdn-subscription-for-start-up-companies/).
+
+1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host.
+
+2. Type the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1:
+
+ ```
+ Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso
+ ```
+3. Type the following command at an elevated Windows PowerShell prompt on SRV1:
+
+ ```
+ cmd /c "D:\DaRT\DaRT 10\Installers\en-us\x64\MSDaRT100.msi"
+ ```
+4. Install DaRT 10 using default settings.
+5. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
+
+ ```
+ Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx64.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64"
+ Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx86.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x86"
+ ```
+
+## Prepare for Zero Touch installation
+
+This section contains several procedures to support Zero Touch installation with Microsoft Endpoint Configuration Manager.
+
+### Create a folder structure
+
+1. Type the following commands at a Windows PowerShell prompt on SRV1:
+
+ ```
+ New-Item -ItemType Directory -Path "C:\Sources\OSD\Boot"
+ New-Item -ItemType Directory -Path "C:\Sources\OSD\OS"
+ New-Item -ItemType Directory -Path "C:\Sources\OSD\Settings"
+ New-Item -ItemType Directory -Path "C:\Sources\OSD\Branding"
+ New-Item -ItemType Directory -Path "C:\Sources\OSD\MDT"
+ New-Item -ItemType Directory -Path "C:\Logs"
+ New-SmbShare -Name Sources$ -Path C:\Sources -ChangeAccess EVERYONE
+ New-SmbShare -Name Logs$ -Path C:\Logs -ChangeAccess EVERYONE
+ ```
+
+### Enable MDT ConfigMgr integration
+
+1. On SRV1, click **Start**, type **configmgr**, and then click **Configure ConfigMgr Integration**.
+2. Type **PS1** next to **Site code**, and then click **Next**.
+3. Verify **The process completed successfully** is displayed, and then click **Finish**.
+
+### Configure client settings
+
+1. On SRV1, click **Start**, type **configuration manager**, right-click **Configuration Manager Console**, and then click **Pin to Taskbar**.
+2. Click **Desktop**, and then launch the Configuration Manager console from the taskbar.
+3. If the console notifies you that an update is available, click **OK**. It is not necessary to install updates to complete this lab.
+4. In the console tree, open the **Administration** workspace (in the lower left corner) and click **Client Settings**.
+5. In the display pane, double-click **Default Client Settings**.
+6. Click **Computer Agent**, next to **Organization name displayed in Software Center** type **Contoso**, and then click **OK**.
+
+### Configure the network access account
+
+1. In the Administration workspace, expand **Site Configuration** and click **Sites**.
+2. On the **Home** ribbon at the top of the console window, click **Configure Site Components** and then click **Software Distribution**.
+3. On the **Network Access Account** tab, choose **Specify the account that accesses network locations**.
+4. Click the yellow starburst and then click **New Account**.
+5. Click **Browse** and then under **Enter the object name to select**, type **CM_NAA** and click **OK**.
+6. Next to **Password** and **Confirm Password**, type pass@word1, and then click **OK** twice.
+
+### Configure a boundary group
+
+1. In the Administration workspace, expand **Hierarchy Configuration**, right-click **Boundaries** and then click **Create Boundary**.
+2. Next to **Description**, type **PS1**, next to **Type** choose **Active Directory Site**, and then click **Browse**.
+3. Choose **Default-First-Site-Name** and then click **OK** twice.
+4. In the Administration workspace, right-click **Boundary Groups** and then click **Create Boundary Group**.
+5. Next to **Name**, type **PS1 Site Assignment and Content Location**, click **Add**, select the **Default-First-Site-Name** boundary and then click **OK**.
+6. On the **References** tab in the **Create Boundary Group** window select the **Use this boundary group for site assignment** checkbox.
+7. Click **Add**, select the **\\\SRV1.contoso.com** checkbox, and then click **OK** twice.
+
+### Add the state migration point role
+
+1. In the Administration workspace, expand **Site Configuration**, click **Sites**, and then in on the **Home** ribbon at the top of the console click **Add Site System Roles**.
+2. In the Add site System Roles Wizard, click **Next** twice and then on the Specify roles for this server page, select the **State migration point** checkbox.
+3. Click **Next**, click the yellow starburst, type **C:\MigData** for the **Storage folder**, and click **OK**.
+4. Click **Next**, and then verify under **Boundary groups** that **PS1 Site Assignment and Content Location** is displayed.
+5. Click **Next** twice and then click **Close**.
+
+### Enable PXE on the distribution point
+
+>[!IMPORTANT]
+>Before enabling PXE in Configuration Manager, ensure that any previous installation of WDS does not cause conflicts. Configuration Manager will automatically configure the WDS service to manage PXE requests. To disable a previous installation, if it exists, type the following commands at an elevated Windows PowerShell prompt on SRV1:
+
+```
+WDSUTIL /Set-Server /AnswerClients:None
+```
+
+1. Determine the MAC address of the internal network adapter on SRV1. To determine this, type the following command at an elevated Windows PowerShell prompt on SRV1:
+
+ ```
+ (Get-NetAdapter "Ethernet").MacAddress
+ ```
+ >If the internal network adapter, assigned an IP address of 192.168.0.2, is not named "Ethernet" then replace the name "Ethernet" in the previous command with the name of this network adapter. You can review the names of network adapters and the IP addresses assigned to them by typing **ipconfig**.
+
+2. In the Microsoft Endpoint Configuration Manager console, in the **Administration** workspace, click **Distribution Points**.
+3. In the display pane, right-click **SRV1.CONTOSO.COM** and then click **Properties**.
+4. On the PXE tab, select the following settings:
+ - **Enable PXE support for clients**. Click **Yes** in the popup that appears.
+ - **Allow this distribution point to respond to incoming PXE requests**
+ - **Enable unknown computer support**. Click **OK** in the popup that appears.
+ - **Require a password when computers use PXE**
+ - **Password** and **Confirm password**: pass@word1
+ - **Respond to PXE requests on specific network interfaces**: Click the yellow starburst and then enter the MAC address determined in the first step of this procedure.
+
+ See the following example:
+
+ | Topic | Description | Time + + |
| Install prerequisites | Install prerequisite Windows Server roles and features, download, install and configure SQL Server, configure firewall rules, and install the Windows ADK. | 60 minutes + |
| Install Microsoft Endpoint Configuration Manager | Download Microsoft Endpoint Configuration Manager, configure prerequisites, and install the package. | 45 minutes + |
| Download MDOP and install DaRT | Download the Microsoft Desktop Optimization Pack 2015 and install DaRT 10. | 15 minutes + |
| Prepare for Zero Touch installation | Prerequisite procedures to support Zero Touch installation. | 60 minutes + |
| Create a boot image for Configuration Manager | Use the MDT wizard to create the boot image in Configuration Manager. | 20 minutes + |
| Create a Windows 10 reference image | This procedure can be skipped if it was done previously, otherwise instructions are provided to create a reference image. | 0-60 minutes + |
| Add a Windows 10 operating system image | Add a Windows 10 operating system image and distribute it. | 10 minutes |
| Create a task sequence | Create a Configuration Manager task sequence with MDT integration using the MDT wizard | 15 minutes + |
| Finalize the operating system configuration | Enable monitoring, configure rules, and distribute content. | 30 minutes + |
| Deploy Windows 10 using PXE and Configuration Manager | Deploy Windows 10 using Configuration Manager deployment packages and task sequences. | 60 minutes + |
| Replace a client with Windows 10 using Configuration Manager | Replace a client computer with Windows 10 using Configuration Manager. | 90 minutes + |
| Refresh a client with Windows 10 using Configuration Manager | Use a task sequence to refresh a client with Windows 10 using Configuration Manager and MDT | 90 minutes + + |
+
+5. Click **OK**.
+6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present:
+
+ ```
+ cmd /c dir /b C:\RemoteInstall\SMSBoot\x64
+
+ abortpxe.com
+ bootmgfw.efi
+ bootmgr.exe
+ pxeboot.com
+ pxeboot.n12
+ wdsmgfw.efi
+ wdsnbp.com
+ ```
+ >If these files are not present in the C:\RemoteInstall directory, verify that the REMINST share is configured as C:\RemoteInstall. You can view the properties of this share by typing "net share REMINST" at a command prompt. If the share path is set to a different value, then replace C:\RemoteInstall with your REMINST share path.
+ >You can also type the following command at an elevated Windows PowerShell prompt to open the Configuration Manager Trace Log Tool. In the tool, click **File**, click **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red:
+
+ ```
+ Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
+ ```
+
+ The log file will updated continuously while Configuration Manager is running. Wait for Configuration Manager to repair any issues that are present, and periodically re-check that the files are present in the REMINST share location. Close the Configuration Manager Trace Log Tool when done. You will see the following line in distmgr.log that indicates the REMINST share is being populated with necessary files:
+
+ Running: WDSUTIL.exe /Initialize-Server /REMINST:"C:\RemoteInstall"
+
+ Once the files are present in the REMINST share location, you can close the cmtrace tool.
+
+### Create a branding image file
+
+1. If you have a bitmap (.BMP) image for suitable use as a branding image, copy it to the C:\Sources\OSD\Branding folder on SRV1. Otherwise, use the following step to copy a simple branding image.
+2. Type the following command at an elevated Windows PowerShell prompt:
+
+ ```
+ copy "C:\ProgramData\Microsoft\User Account Pictures\user.bmp" "C:\Sources\OSD\Branding\contoso.bmp"
+ ```
+ >You can open C:\Sources\OSD\Branding\contoso.bmp in MSPaint.exe if desired to customize this image.
+
+
+### Create a boot image for Configuration Manager
+
+1. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and then click **Create Boot Image using MDT**.
+2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then click **Next**.
+ - The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later.
+3. On the General Settings page, type **Zero Touch WinPE x64** next to **Name**, and click **Next**.
+4. On the Options page, under **Platform** choose **x64**, and click **Next**.
+5. On the Components page, in addition to the default selection of **Microsoft Data Access Components (MDAC/ADO) support**, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox, and click **Next**.
+6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, type or browse to **\\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then click **Next** twice. It will take a few minutes to generate the boot image.
+7. Click **Finish**.
+8. In the console display pane, right-click the **Zero Touch WinPE x64** boot image, and then click **Distribute Content**.
+9. In the Distribute Content Wizard, click **Next**, click **Add** and select **Distribution Point**, select the **SRV1.CONTOSO.COM** checkbox, click **OK**, click **Next** twice, and then click **Close**.
+10. Use the CMTrace application to view the **distmgr.log** file again and verify that the boot image has been distributed. To open CMTrace, type the following command at an elevated Windows PowerShell prompt on SRV1:
+
+ ```
+ Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
+ ```
+
+ In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example:
+
+ ```
+ STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=924 TID=1424 GMTDATE=Tue Oct 09 22:36:30.986 2018 ISTR0="Zero Touch WinPE x64" ISTR1="PS10000A" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS10000A" SMS_DISTRIBUTION_MANAGER 10/9/2018 3:36:30 PM 1424 (0x0590)
+ ```
+
+11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Double-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab.
+12. Next, in the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then click the **Data Source** tab.
+13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and click **OK**.
+14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. See the following example:
+
+ ```
+ cmd /c dir /s /b C:\RemoteInstall\SMSImages
+
+ C:\RemoteInstall\SMSImages\PS100004
+ C:\RemoteInstall\SMSImages\PS100005
+ C:\RemoteInstall\SMSImages\PS100006
+ C:\RemoteInstall\SMSImages\PS100004\boot.PS100004.wim
+ C:\RemoteInstall\SMSImages\PS100005\boot.PS100005.wim
+ C:\RemoteInstall\SMSImages\PS100006\WinPE.PS100006.wim
+ ```
+
+ >The first two images (*.wim files) are default boot images. The third is the new boot image with DaRT.
+
+### Create a Windows 10 reference image
+
+If you have already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you have already created a Windows 10 reference image. In this case, skip to the next procedure in this guide: [Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image). If you have not yet created a Windows 10 reference image, complete the steps in this section.
+
+1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command:
+
+ ```
+ Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso
+ ```
+2. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D.
+
+3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**.
+
+4. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
+
+5. Use the following settings for the New Deployment Share Wizard:
+ - Deployment share path: **C:\MDTBuildLab**+ - Share name: **MDTBuildLab$**
+ - Deployment share description: **MDT build lab**
+ - Options: click **Next** to accept the default
+ - Summary: click **Next**
+ - Progress: settings will be applied
+ - Confirmation: click **Finish** + +6. Expand the **Deployment Shares** node, and then expand **MDT build lab**. + +7. Right-click the **Operating Systems** node, and then click **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**. + +7. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**. + +8. Use the following settings for the Import Operating System Wizard: + - OS Type: **Full set of source files**
+ - Source: **D:\\**
+ - Destination: **W10Ent_x64**
+ - Summary: click **Next** + - Confirmation: click **Finish** + +9. For purposes of this test lab, we will not add applications, such as Microsoft Office, to the deployment share. For information about adding applications, see the [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#sec03) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library. + +10. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: **REFW10X64-001**
+ - Task sequence name: **Windows 10 Enterprise x64 Default Image**
+ - Task sequence comments: **Reference Build**
+ - Template: **Standard Client Task Sequence** + - Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim** + - Specify Product Key: **Do not specify a product key at this time** + - Full Name: **Contoso** + - Organization: **Contoso** + - Internet Explorer home page: **http://www.contoso.com** + - Admin Password: **Do not specify an Administrator password at this time** + - Summary: click **Next** + - Confirmation: click **Finish** + +11. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step. + +12. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**. A new group will be added under Tattoo. + +13. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. To see the name change, click **Tattoo**, then click the new group again. + +14. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**. + +15. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**. + +16. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. + >Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications. + +17. Click **OK** to complete editing the task sequence. + +18. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and click **Properties**, and then click the **Rules** tab. + +19. Replace the default rules with the following text: + + ``` + [Settings] + Priority=Default + + [Default] + _SMSTSORGNAME=Contoso + UserDataLocation=NONE + DoCapture=YES + OSInstall=Y + AdminPassword=pass@word1 + TimeZoneName=Pacific Standard TimeZoneName + OSDComputername=#Left("PC-%SerialNumber%",7)# + JoinWorkgroup=WORKGROUP + HideShell=YES + FinishAction=SHUTDOWN + DoNotCreateExtraPartition=YES + ApplyGPOPack=NO + SkipAdminPassword=YES + SkipProductKey=YES + SkipComputerName=YES + SkipDomainMembership=YES + SkipUserData=YES + SkipLocaleSelection=YES + SkipTaskSequence=NO + SkipTimeZone=YES + SkipApplications=YES + SkipBitLocker=YES + SkipSummary=YES + SkipRoles=YES + SkipCapture=NO + SkipFinalSummary=NO + ``` + +20. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: + + ``` + [Settings] + Priority=Default + + [Default] + DeployRoot=\\SRV1\MDTBuildLab$ + UserDomain=CONTOSO + UserID=MDT_BA + UserPassword=pass@word1 + SkipBDDWelcome=YES + ``` + +21. Click **OK** to complete the configuration of the deployment share. + +22. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**. + +23. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, click **Finish**. + +24. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI). + + >Hint: Top copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**. + +25. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands: + + ``` + New-VM –Name REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB + Set-VMMemory -VMName REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20 + Set-VMDvdDrive -VMName REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso + Start-VM REFW10X64-001 + vmconnect localhost REFW10X64-001 + ``` +26. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**. + +27. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated. + + Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures: + + - Install the Windows 10 Enterprise operating system. + - Install added applications, roles, and features. + - Update the operating system using Windows Update (or WSUS if optionally specified). + - Stage Windows PE on the local disk. + - Run System Preparation (Sysprep) and reboot into Windows PE. + - Capture the installation to a Windows Imaging (WIM) file. + - Turn off the virtual machine. + + This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host and your network's download speed. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on SRV1. The file name is **REFW10X64-001.wim**. + +### Add a Windows 10 operating system image + +1. Type the following commands at an elevated Windows PowerShell prompt on SRV1: + + ``` + New-Item -ItemType Directory -Path "C:\Sources\OSD\OS\Windows 10 Enterprise x64" + cmd /c copy /z "C:\MDTBuildLab\Captures\REFW10X64-001.wim" "C:\Sources\OSD\OS\Windows 10 Enterprise x64" + ``` + +2. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Operating System Images**, and then click **Add Operating System Image**. + +3. On the Data Source page, under **Path:**, type or browse to **\\\SRV1\Sources$\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim**, and click **Next**. + +4. On the General page, next to **Name:**, type **Windows 10 Enterprise x64**, click **Next** twice, and then click **Close**. + +5. Distribute the operating system image to the SRV1 distribution point by right-clicking the **Windows 10 Enterprise x64** operating system image and then clicking **Distribute Content**. + +6. In the Distribute Content Wizard, click **Next**, click **Add**, click **Distribution Point**, add the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**. + +7. Enter **\Monitoring\Overview\Distribution Status\Content Status** on the location bar (be sure there is no space at the end of the location or you will get an error), click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. Processing of the image on the site server can take several minutes. + + >If content distribution is not successful, verify that sufficient disk space is available. + +### Create a task sequence + +>Complete this section slowly. There are a large number of similar settings from which to choose. + +1. In the Configuration Manager console, in the **Software Library** workspace expand **Operating Systems**, right-click **Task Sequences**, and then click **Create MDT Task Sequence**. + +2. On the Choose Template page, select the **Client Task Sequence** template and click **Next**. + +3. On the General page, type **Windows 10 Enterprise x64** under **Task sequence name:** and then click **Next**. + +4. On the Details page, enter the following settings: + - Join a domain: **contoso.com** + - Account: click **Set** + - User name: **contoso\CM_JD** + - Password: pass@word1 + - Confirm password: pass@word1 + - Click **OK** + - Windows Settings + - User name: **Contoso** + - Organization name: **Contoso** + - Product key: \
+ - Request state storage location to: **Restore state from another computer**
+ - Select the **If computer account fails to connect to state store, use the Network Access account** checkbox.
+ - Options tab: Select the **Continue on error** checkbox.
+ - Add Condition: **Task Sequence Variable**:
+ - Variable: **USMTLOCAL**
+ - Condition: **not equals**
+ - Value: **True**
+ - Click **OK**.
+ - Click **Apply**
. + +6. In the **State Restore** group, click **Restore User State**, click **Add**, point to **User State**, and click **Release State Store**. + +7. Configure the **Release State Store** action that was just added with the following settings:
+ - Options tab: Select the **Continue on error** checkbox.
+ - Add Condition: **Task Sequence Variable**:
+ - Variable: **USMTLOCAL**
+ - Condition: **not equals**
+ - Value: **True**
+ - Click **OK**.
+ - Click **OK**
. + + +### Finalize the operating system configuration + +>If you completed all procedures in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then the MDT deployment share is already present on SRV1. In this case, skip the first four steps below and begin with step 5 to edit CustomSettings.ini. + +1. In the MDT deployment workbench on SRV1, right-click **Deployment Shares** and then click **New Deployment Share**. + +2. Use the following settings for the New Deployment Share Wizard: + - Deployment share path: **C:\MDTProduction**
+ - Share name: **MDTProduction$**
+ - Deployment share description: **MDT Production**
+ - Options: click **Next** to accept the default
+ - Summary: click **Next**
+ - Progress: settings will be applied
+ - Confirmation: click **Finish** + +3. Right-click the **MDT Production** deployment share, and click **Properties**. + +4. Click the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**. + +5. Type the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + notepad "C:\Sources\OSD\Settings\Windows 10 x64 Settings\CustomSettings.ini" + ``` +6. Replace the contents of the file with the following text, and then save the file: + + ``` + [Settings] + Priority=Default + Properties=OSDMigrateConfigFiles,OSDMigrateMode + + [Default] + DoCapture=NO + ComputerBackupLocation=NONE + OSDMigrateMode=Advanced + OSDMigrateAdditionalCaptureOptions=/ue:*\* /ui:CONTOSO\* + OSDMigrateConfigFiles=Miguser.xml,Migapp.xml + SLSHARE=\\SRV1\Logs$ + EventService=http://SRV1:9800 + ApplyGPOPack=NO + ``` + + >As noted previously, if you wish to migrate accounts other than those in the Contoso domain, then change the OSDMigrateAdditionalCaptureOptions option. For example, the following option will capture settings from all user accounts: + + ``` + OSDMigrateAdditionalCaptureOptions=/all + ``` + + +7. Return to the Configuration Manager console, and in the Software Library workspace, expand **Application Management**, click **Packages**, right-click **Windows 10 x64 Settings**, and then click **Update Distribution Points**. Click **OK** in the popup that appears. + +8. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Distribute Content**. + +9. In the Distribute Content Wizard, click **Next** twice, click **Add**, click **Distribution Point**, select the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**. + +10. Enter **\Monitoring\Overview\Distribution Status\Content Status\Windows 10 Enterprise x64** on the location bar, double-click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. + +### Create a deployment for the task sequence + +1. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Deploy**. + +2. On the General page, next to **Collection**, click **Browse**, select the **All Unknown Computers** collection, click **OK**, and then click **Next**. + +3. On the Deployment Settings page, use the following settings:
+ - Purpose: **Available**
+ - Make available to the following: **Only media and PXE**
+ - Click **Next**.
+4. Click **Next** five times to accept defaults on the Scheduling, User Experience, Alerts, and Distribution Points pages. + +5. Click **Close**. + +## Deploy Windows 10 using PXE and Configuration Manager + +In this first deployment scenario, we will deploy Windows 10 using PXE. This scenario creates a new computer that does not have any migrated users or settings. + +1. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + New-VM –Name "PC4" –NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 40GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 + Set-VMMemory -VMName "PC4" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20 + Start-VM PC4 + vmconnect localhost PC4 + ``` + +2. Press ENTER when prompted to start the network boot service. + +3. In the Task Sequence Wizard, provide the password: pass@word1, and then click **Next**. + +4. Before you click **Next** in the Task Sequence Wizard, press the **F8** key. A command prompt will open. + +5. At the command prompt, type **explorer.exe** and review the Windows PE file structure. + +6. The smsts.log file is critical for troubleshooting any installation problems that might be encountered. Depending on the deployment phase, the smsts.log file is created in different locations: + - X:\windows\temp\SMSTSLog\smsts.log before disks are formatted. + - x:\smstslog\smsts.log after disks are formatted. + - c:\_SMSTaskSequence\Logs\Smstslog\smsts.log before the Microsoft Endpoint Configuration Manager client is installed. + - c:\windows\ccm\logs\Smstslog\smsts.log after the Microsoft Endpoint Configuration Manager client is installed. + - c:\windows\ccm\logs\smsts.log when the task sequence is complete. + + Note: If a reboot is pending on the client, the reboot will be blocked as long as the command window is open. + +7. In the explorer window, click **Tools** and then click **Map Network Drive**. + +8. Do not map a network drive at this time. If you need to save the smsts.log file, you can use this method to save the file to a location on SRV1. + +9. Close the Map Network Drive window, the Explorer window, and the command prompt. + +10. The **Windows 10 Enterprise x64** task sequence is selected in the Task Sequenc Wizard. Click **Next** to continue with the deployment. + +11. The task sequence will require several minutes to complete. You can monitor progress of the task sequence using the MDT Deployment Workbench under Deployment Shares > MDTProduction > Monitoring. The task sequence will: + - Install Windows 10 + - Install the Configuration Manager client and hotfix + - Join the computer to the contoso.com domain + - Install any applications that were specified in the reference image + + +12. When Windows 10 installation has completed, sign in to PC4 using the **contoso\administrator** account. + +13. Right-click **Start**, click **Run**, type **control appwiz.cpl**, press ENTER, click **Turn Windows features on or off**, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This is a feature included in the reference image. + +14. Shut down the PC4 VM. + +>Note: The following two procedures 1) Replace a client with Windows 10 and 2) Refresh a client with Windows 10 have been exchanged in their order in this guide compared to the previous version. This is to avoid having to restore Hyper-V checkpoints to have access to PC1 before the OS is upgraded. If this is your first time going through this guide, you won't notice any change, but if you have tried the guide previously then this change should make it simpler to complete. + +## Replace a client with Windows 10 using Configuration Manager + +>Before starting this section, you can delete computer objects from Active Directory that were created as part of previous deployment procedures. Use the Active Directory Users and Computers console on DC1 to remove stale entries under contoso.com\Computers, but do not delete the computer account (hostname) for PC1. There should be at least two computer accounts present in the contoso.com\Computers container: one for SRV1, and one for the hostname of PC1. It is not required to delete the stale entries, this is only done to remove clutter. + + + +In the replace procedure, PC1 will not be migrated to a new operating system. It is simplest to perform this procedure before performing the refresh procedure. After refreshing PC1, the operating system will be new. The next (replace) procedure does not install a new operating system on PC1 but rather performs a side-by-side migration of PC1 and another computer (PC4), to copy users and settings from PC1 to the new computer. + +### Create a replace task sequence + +1. On SRV1, in the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and then click **Create MDT Task Sequence**. + +2. On the Choose Template page, select **Client Replace Task Sequence** and click **Next**. + +3. On the General page, type the following: + - Task sequence name: **Replace Task Sequence** + - Task sequence comments: **USMT backup only** + +4. Click **Next**, and on the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package. Click **OK** and then click **Next** to continue. +5. On the MDT Package page, browse and select the **MDT** package. Click **OK** and then click **Next** to continue. +6. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package. Click **OK** and then click **Next** to continue. +7. On the Settings Package page, browse and select the **Windows 10 x64 Settings** package. Click **OK** and then click **Next** to continue. +8. On the Summary page, review the details and then click **Next**. +9. On the Confirmation page, click **Finish**. + +>If an error is displayed at this stage it can be caused by a corrupt MDT integration. To repair it, close the Configuration Manager console, remove MDT integration, and then restore MDT integration. + +### Deploy PC4 + +Create a VM named PC4 to receive the applications and settings from PC1. This VM represents a new computer that will replace PC1. To create this VM, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + +``` +New-VM –Name "PC4" –NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 +Set-VMMemory -VMName "PC4" -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 2048MB -Buffer 20 +Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF +``` + +>Hyper-V enables us to define a static MAC address on PC4. In a real-world scenario you must determine the MAC address of the new computer. + +### Install the Configuration Manager client on PC1 + +1. Verify that the PC1 VM is running and in its original state, which was saved as a checkpoint and then restored in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md). + +2. If a PC1 checkpoint has not already been saved, then save a checkpoint by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Checkpoint-VM -Name PC1 -SnapshotName BeginState + ``` + +3. On SRV1, in the Configuration Manager console, in the Administration workspace, expand **Hierarchy Configuration** and click on **Discovery Methods**. +4. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox. +5. Click the yellow starburst, click **Browse**, select **contoso\Computers**, and then click **OK** three times. +6. When a popup dialog box asks if you want to run full discovery, click **Yes**. +7. In the Assets and Compliance workspace, click **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example): + +  + + >If you do not see the computer account for PC1, try clicking the **Refresh** button in the upper right corner of the console. + + The **Client** column indicates that the Configuration Manager client is not currently installed. This procedure will be carried out next. + +8. Sign in to PC1 using the contoso\administrator account and type the following at an elevated command prompt to remove any pre-existing client configuration, if it exists. Note: this command requires an elevated command prompt not an elevated Windows PowerShell prompt: + + ``` + sc stop ccmsetup + "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /Uninstall + ``` + >If PC1 still has Configuration Manager registry settings that were applied by Group Policy, startup scripts, or other policies in its previous domain, these might not all be removed by CCMSetup /Uninstall and can cause problems with installation or registration of the client in its new environment. It might be necessary to manually remove these settings if they are present. For more information, see [Manual removal of the SCCM client](https://blogs.technet.microsoft.com/michaelgriswold/2013/01/02/manual-removal-of-the-sccm-client/). + +9. On PC1, temporarily stop Windows Update from queuing items for download and clear all BITS jobs from the queue: + + ``` + net stop wuauserv + net stop BITS + ``` + + Verify that both services were stopped successfully, then type the following at an elevated command prompt: + + ``` + del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat" + net start BITS + bitsadmin /list /allusers + ``` + + Verify that BITSAdmin displays 0 jobs. + +10. To install the Configuration Manager client as a standalone process, type the following at an elevated command prompt: + + ``` + "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /mp:SRV1.contoso.com /logon SMSSITECODE=PS1 + ``` +11. On PC1, using file explorer, open the **C:\Windows\ccmsetup** directory. During client installation, files will be downloaded here. +12. Installation progress will be captured in the file: **c:\windows\ccmsetup\logs\ccmsetup.log**. You can periodically open this file in notepad, or you can type the following command at an elevated Windows PowerShell prompt to monitor installation progress: + + ``` + Get-Content -Path c:\windows\ccmsetup\logs\ccmsetup.log -Wait + ``` + + Installation might require several minutes, and display of the log file will appear to hang while some applications are installed. This is normal. When setup is complete, verify that **CcmSetup is existing with return code 0** is displayed on the last line of the ccmsetup.log file and then press **CTRL-C** to break out of the Get-Content operation (if you are viewing the log in Windows PowerShell the last line will be wrapped). A return code of 0 indicates that installation was successful and you should now see a directory created at **C:\Windows\CCM** that contains files used in registration of the client with its site. + +13. On PC1, open the Configuration Manager control panel applet by typing the following command: + + ``` + control smscfgrc + ``` + +14. Click the **Site** tab, click **Configure Settings**, and click **Find Site**. The client will report that it has found the PS1 site. See the following example: + +  + + If the client is not able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the site code is not located is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode** this must be deleted or updated. + +15. On SRV1, in the Assets and Compliance workspace, click **Device Collections** and then double-click **All Desktop and Server Clients**. This node will be added under **Devices**. + +16. Click **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example: + +  + + >It might take several minutes for the client to fully register with the site and complete a client check. When it is complete you will see a green check mark over the client icon as shown above. To refresh the client, click it and then press **F5** or right-click the client and click **Refresh**. + +### Create a device collection and deployment + +1. On SRV1, in the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections** and then click **Create Device Collection**. + +2. Use the following settings in the **Create Device Collection Wizard**: + - General > Name: **Install Windows 10 Enterprise x64**
+ - General > Limiting collection: **All Systems**
+ - Membership Rules > Add Rule: **Direct Rule**
+ - The **Create Direct Membership Rule Wizard** opens, click **Next**
+ - Search for Resources > Resource class: **System Resource**
+ - Search for Resources > Attribute name: **Name**
+ - Search for Resources > Value: **%**
+ - Select Resources > Value: Select the computername associated with the PC1 VM
+ - Click **Next** twice and then click **Close** in both windows (Next, Next, Close, then Next, Next, Close) + +3. Double-click the Install Windows 10 Enterprise x64 device collection and verify that the PC1 computer account is displayed. + +4. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64** and then click **Deploy**. + +5. Use the following settings in the Deploy Software wizard: + - General > Collection: Click Browse and select **Install Windows 10 Enterprise x64**
+ - Deployment Settings > Purpose: **Available**
+ - Deployment Settings > Make available to the following: **Configuration Manager clients, media and PXE**
+ - Scheduling > Click **Next**
+ - User Experience > Click **Next**
+ - Alerts > Click **Next**
+ - Distribution Points > Click **Next**
+ - Summary > Click **Next**
+ - Verify that the wizard completed successfully and then click **Close** + + +### Associate PC4 with PC1 + +1. On SRV1 in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices** and then click **Import Computer Information**. + +2. On the Select Source page, choose **Import single computer** and click **Next**. + +3. On the Single Computer page, use the following settings: + - Computer Name: **PC4** + - MAC Address: **00:15:5D:83:26:FF** + - Source Computer: \
+ - General > Limiting collection: **All Systems**
+ - Membership Rules > Add Rule: **Direct Rule**
+ - The **Create Direct Membership Rule Wizard** opens, click **Next**
+ - Search for Resources > Resource class: **System Resource**
+ - Search for Resources > Attribute name: **Name**
+ - Search for Resources > Value: **%**
+ - Select Resources > Value: Select the computername associated with the PC1 VM (GREGLIN-PC1 in this example).
+ - Click **Next** twice and then click **Close** in both windows. + +3. Click **Device Collections** and then double-click **USMT Backup (Replace)**. Verify that the computer name/hostname associated with PC1 is displayed in the collection. Do not proceed until this name is displayed. + +### Create a new deployment + +In the Configuration Manager console, in the Software Library workspace under Operating Systems, click **Task Sequences**, right-click **Replace Task Sequence**, click **Deploy**, and use the following settings: +- General > Collection: **USMT Backup (Replace)**
+- Deployment Settings > Purpose: **Available**
+- Deployment Settings > Make available to the following: **Only Configuration Manager Clients**
+- Scheduling: Click **Next**
+- User Experience: Click **Next**
+- Alerts: Click **Next**
+- Distribution Points: Click **Next**
+- Click **Next** and then click **Close**. + +### Verify the backup + +1. On PC1, open the Configuration Manager control panel applet by typing the following command: + + ``` + control smscfgrc + ``` +2. On the **Actions** tab, click **Machine Policy Retrieval & Evaluation Cycle**, click **Run Now**, click **OK**, and then click **OK** again. This is one method that can be used to run a task sequence in addition to the Client Notification method that will be demonstrated in the computer refresh procedure. + +3. Type the following at an elevated command prompt to open the Software Center: + + ``` + C:\Windows\CCM\SCClient.exe + ``` + +4. In the Software Center , click **Available Software** and then select the **Replace Task Sequence** checkbox. See the following example: + +  + + >If you do not see any available software, try running step #2 again to start the Machine Policy Retrieval & Evaluation Cycle. You should see an alert that new software is available. + +5. Click **INSTALL SELECTED** and then click **INSTALL OPERATING SYSTEM**. +6. Allow the **Replace Task Sequence** to complete, then verify that the C:\MigData folder on SRV1 contains the USMT backup. + +### Deploy the new computer + +1. Start PC4 and press ENTER for a network boot when prompted. To start PC4, type the following commands at an elevated Windows Powershell prompt on the Hyper-V host: + + ``` + Start-VM PC4 + vmconnect localhost PC4 + ``` +2. In the **Welcome to the Task Sequence Wizard**, enter pass@word1 and click **Next**. +3. Choose the **Windows 10 Enterprise X64** image. +4. Setup will install the operating system using the Windows 10 Enterprise x64 reference image, install the configuration manager client, join PC4 to the domain, and restore users and settings from PC1. +5. Save checkpoints for all VMs if you wish to review their status at a later date. This is not required (checkpoints do take up space on the Hyper-V host). Note: the next procedure will install a new OS on PC1 update its status in Configuration Manager and in Active Directory as a Windows 10 device, so you cannot return to a previous checkpoint only on the PC1 VM without a conflict. Therefore, if you do create a checkpoint, you should do this for all VMs. + + To save a checkpoint for all VMs, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Checkpoint-VM -Name DC1 -SnapshotName cm-refresh + Checkpoint-VM -Name SRV1 -SnapshotName cm-refresh + Checkpoint-VM -Name PC1 -SnapshotName cm-refresh + ``` + +## Refresh a client with Windows 10 using Configuration Manager + + +### Initiate the computer refresh + +1. On SRV1, in the Assets and Compliance workspace, click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. +2. Right-click the computer account for PC1, point to **Client Notification**, click **Download Computer Policy**, and click **OK** in the popup dialog box. +3. On PC1, in the notification area, click **New software is available** and then click **Open Software Center**. +4. In the Software Center, click **Operating Systems**, click **Windows 10 Enterprise x64**, click **Install** and then click **INSTALL OPERATING SYSTEM**. See the following example: + +  + + The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then click **More Details**. Click the **Status** tab to see a list of tasks that have been performed. See the following example: + +  + + You can also monitor progress of the installation by using the MDT deployment workbench and viewing the **Monitoring** node under **Deployment Shares\MDT Production**. + + When installation has completed, sign in using the contoso\administrator account or the contoso\user1 account and verify that applications and settings have been successfully backed up and restored to your new Windows 10 Enterprise operating system. + +  + + + +## Related Topics + +[System Center 2012 Configuration Manager Survival Guide](https://social.technet.microsoft.com/wiki/contents/articles/7075.system-center-2012-configuration-manager-survival-guide.aspx#Step-by-Step_Guides) + + + + + + + diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index fb9fdbecee..2b72ab624c 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md @@ -25,7 +25,7 @@ ms.topic: article This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides: - [Step by step: Deploy Windows 10 in a test lab using MDT](windows-10-poc-mdt.md)
-- [Step by step: Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
+- [Step by step: Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md)
The PoC deployment guides are intended to provide a demonstration of Windows 10 deployment tools and processes for IT professionals that are not familiar with these tools, and those that are interested in setting up a proof of concept environment. The instructions in this guide should not be used in a production setting, and are not meant to replace the instructions found in production deployment guidance. @@ -111,13 +111,13 @@ Hardware requirements are displayed below:
Note: Retaining applications and settings requires that architecture (32 or 64-bit) is the same before and after the upgrade.
16 GB RAM to test Windows 10 deployment with System Center Configuration Manager.
16 GB RAM to test Windows 10 deployment with Microsoft Endpoint Configuration Manager.
**Saving the file with Unicode or UTF-8 encoding or saving it with a different file name will cause Windows 10 OOBE to not follow the Autopilot experience**.
@@ -156,7 +156,7 @@ See the following examples. - Program Type: **Do not create a program** 4. Click **Next** twice and then click **Close**. -**NOTE**: If you change user-driven Autopilot profile settings in Intune at a later date, you must also update the JSON file and redistribute the associated Config Mgr package. +**NOTE**: If you change user-driven Autopilot profile settings in Intune at a later date, you must also update the JSON file and redistribute the associated Configuration Manager package. ### Create a target collection @@ -215,7 +215,7 @@ See the following examples. - Click **Next**. >[!NOTE] - >The Autopilot for existing devices task sequence will result in an Azure Active Directory Domain (AAD) joined device. The User State Migration Toolkit (USMT) does not support AAD joined or hybrid AAD joined devices. + >Because the Autopilot for existing devices task sequence completes while in Windows PE, User State Migration Toolkit (USMT) data migration is not supported as there is no way to restore the user state into the new OS. Also, the User State Migration Toolkit (USMT) does not support Azure AD-joined devices. 7. On the Include Updates page, choose one of the three available options. This selection is optional. 8. On the Install applications page, add applications if desired. This is optional. diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md index b93eba2709..338d548271 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md @@ -121,8 +121,11 @@ Specific scenarios will then have additional requirements. Generally, there are See [Windows Autopilot Scenarios](windows-autopilot-scenarios.md) for additional details. For a walkthrough for some of these and related steps, see this video: -
- + + + + + There are no additional hardware requirements to use Windows 10 Autopilot, beyond the [requirements to run Windows 10](https://www.microsoft.com/windows/windows-10-specifications). diff --git a/windows/deployment/windows-autopilot/windows-autopilot.md b/windows/deployment/windows-autopilot/windows-autopilot.md index a7e2877f3a..a24ff772a4 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot.md +++ b/windows/deployment/windows-autopilot/windows-autopilot.md @@ -31,7 +31,7 @@ Windows Autopilot is designed to simplify all parts of the lifecycle of Windows When initially deploying new Windows devices, Windows Autopilot leverages the OEM-optimized version of Windows 10 that is preinstalled on the device, saving organizations the effort of having to maintain custom images and drivers for every model of device being used. Instead of re-imaging the device, your existing Windows 10 installation can be transformed into a “business-ready” state, applying settings and policies, installing apps, and even changing the edition of Windows 10 being used (e.g. from Windows 10 Pro to Windows 10 Enterprise) to support advanced features. -Once deployed, Windows 10 devices can be managed by tools such as Microsoft Intune, Windows Update for Business, System Center Configuration Manager, and other similar tools. Windows Autopilot can also be used to re-purpose a device by leveraging Windows Autopilot Reset to quickly prepare a device for a new user, or in break/fix scenarios to enable a device to quickly be brought back to a business-ready state. +Once deployed, Windows 10 devices can be managed by tools such as Microsoft Intune, Windows Update for Business, Microsoft Endpoint Configuration Manager, and other similar tools. Windows Autopilot can also be used to re-purpose a device by leveraging Windows Autopilot Reset to quickly prepare a device for a new user, or in break/fix scenarios to enable a device to quickly be brought back to a business-ready state. Windows Autopilot enables you to: * Automatically join devices to Azure Active Directory (Azure AD) or Active Directory (via Hybrid Azure AD Join). See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 2119a4bb72..b679ecf92c 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -1321,9 +1321,9 @@ The following fields are available: - **IsEDPEnabled** Represents if Enterprise data protected on the device. - **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. - **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID -- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise System Center Configuration Manager (SCCM) environment. +- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise Microsoft Endpoint Configuration Manager environment. - **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. -- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier. +- **SystemCenterID** The Microsoft Endpoint Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier. ### Census.Firmware @@ -3129,7 +3129,7 @@ The following fields are available: - **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin. - **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled. - **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. -- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager). +- **RemediationShellDeviceSccm** TRUE if the device is managed by Microsoft Endpoint Configuration Manager. - **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely. - **RemediationTargetMachine** Indicates whether the device is a target of the specified fix. - **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task. @@ -4528,7 +4528,7 @@ The following fields are available: - **DeviceIsMdmManaged** This device is MDM managed. - **IsNetworkAvailable** If the device network is not available. - **IsNetworkMetered** If network is metered. -- **IsSccmManaged** This device is SCCM managed. +- **IsSccmManaged** This device is managed by Microsoft Endpoint Configuration Manager. - **NewlyInstalledOs** OS is newly installed quiet period. - **PausedByPolicy** Updates are paused by policy. - **RecoveredFromRS3** Previously recovered from RS3. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 8c6ee5c804..e6d8367682 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -3276,7 +3276,7 @@ The following fields are available: - **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin. - **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled. - **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. -- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager). +- **RemediationShellDeviceSccm** TRUE if the device is managed by Microsoft Endpoint Configuration Manager. - **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely. - **RemediationTargetMachine** Indicates whether the device is a target of the specified fix. - **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 64a869e06a..81f8c0c5fc 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -4604,7 +4604,7 @@ The following fields are available: - **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin. - **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled. - **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. -- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager). +- **RemediationShellDeviceSccm** TRUE if the device is managed by Microsoft Endpoint Configuration Manager. - **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely. - **RemediationTargetMachine** Indicates whether the device is a target of the specified fix. - **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index bbf2e70bfb..8048327d37 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -2994,7 +2994,7 @@ The following fields are available: - **IsDeviceNetworkMetered** Indicates whether the device is connected to a metered network. - **IsDeviceOobeBlocked** Indicates whether user approval is required to install updates on the device. - **IsDeviceRequireUpdateApproval** Indicates whether user approval is required to install updates on the device. -- **IsDeviceSccmManaged** Indicates whether the device is running the Microsoft SCCM (System Center Configuration Manager) to keep the operating system and applications up to date. +- **IsDeviceSccmManaged** Indicates whether the device is running the Microsoft Endpoint Configuration Manager client to keep the operating system and applications up to date. - **IsDeviceUninstallActive** Indicates whether the OS (operating system) on the device was recently updated. - **IsDeviceUpdateNotificationLevel** Indicates whether the device has a set policy to control update notifications. - **IsDeviceUpdateServiceManaged** Indicates whether the device uses WSUS (Windows Server Update Services). @@ -5410,7 +5410,7 @@ The following fields are available: - **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. - **RemediationShellDeviceProSku** Indicates whether a Windows 10 Professional edition is detected. - **RemediationShellDeviceQualityUpdatesPaused** Indicates whether Quality Updates are paused on the device. -- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager). +- **RemediationShellDeviceSccm** TRUE if the device is managed by Microsoft Endpoint Configuration Manager. - **RemediationShellDeviceSedimentMutexInUse** Indicates whether the Sediment Pack mutual exclusion object (mutex) is in use. - **RemediationShellDeviceSetupMutexInUse** Indicates whether device setup is in progress. - **RemediationShellDeviceWuRegistryBlocked** Indicates whether the Windows Update is blocked on the device via the registry. diff --git a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml index a5cd7e2724..10ac2c6e75 100644 --- a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml +++ b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml @@ -60,7 +60,7 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
| Custom wallpaper displays as black Using a custom image set to \"Stretch\" might not display as expected. See details > | January 14, 2020 KB4534310 | Mitigated | January 27, 2020 12:27 PM PT |
| Custom wallpaper displays as black Using a custom image set to \"Stretch\" might not display as expected. See details > | January 14, 2020 KB4534310 | Mitigated KB4539601 | January 27, 2020 12:27 PM PT |
| MSRT might fail to install and be re-offered from Windows Update or WSUS The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from WU/WSUS. See details > | Resolved | January 23, 2020 02:08 PM PT | |
| TLS connections might fail or timeout Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption. See details > | October 08, 2019 KB4519976 | Mitigated External | November 05, 2019 03:36 PM PT |
| IA64 and x64 devices may fail to start after installing updates After installing updates released on or after August 13, 2019, IA64 and x64 devices using EFI Boot may fail to start. See details > | August 13, 2019 KB4512506 | Mitigated | August 17, 2019 12:59 PM PT |
| Details | Originating update | Status | History |
| Custom wallpaper displays as black After installing KB4534310, your desktop wallpaper when set to \"Stretch\" might display as black. Affected platforms:
Workaround: To mitigate the issue, you can do one of the following:
Next steps: We are working on a resolution and estimate a solution will be available mid-February, which will be released to all customers running Windows 7 and Windows Server 2008 R2 SP1. Back to top | January 14, 2020 KB4534310 | Mitigated | Last updated: January 27, 2020 12:27 PM PT Opened: January 24, 2020 09:15 AM PT |
| Custom wallpaper displays as black After installing KB4534310, your desktop wallpaper when set to \"Stretch\" might display as black. Affected platforms:
Workaround: To mitigate the issue, you can do one of the following:
Next steps: We are working on a resolution and estimate a solution will be available mid-February, which will be released to all customers running Windows 7 and Windows Server 2008 R2 SP1. Back to top | January 14, 2020 KB4534310 | Mitigated KB4539601 | Last updated: January 27, 2020 12:27 PM PT Opened: January 24, 2020 09:15 AM PT |
| Message | Date |
| Resolved: Windows Search shows blank box We are aware of a temporary server-side issue causing Windows search to show a blank box. This issue has been resolved for most users and in some cases, you might need to restart your device. We are working diligently to fully resolve the issue and will provide an update once resolved. This issue was resolved at 12:00 PM PST. If you are still experiencing issues, please restart your device. In rare cases, you may need to manually end the SearchUI.exe or SearchApp.exe process via Task Manager. (To locate these processes, select CTRL + Shift + Esc then select the Details tab.) | February 05, 2020 12:00 PM PT |
| January 2020 Windows 10, version 1909 \"D\" optional release is available. The January 2020 optional monthly “D” release for Windows 10, version 1909 and Windows 10, version 1903 is now available. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release. | January 28, 2020 08:00 AM PT |
| January 2020 Windows \"C\" optional release is available. The January 2020 optional monthly “C” release for all supported versions of Windows is now available. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release. | January 23, 2020 12:00 PM PT |
| Windows 7 has reached end of support Windows 7 reached end of support on January 14, 2020. If your organization has not yet been able to complete your transition from Windows 7 to Windows 10, and want to continue to receive security updates while you complete your upgrade projects, please read How to get Extended Security Updates for eligible Windows devices. For more information on end of service dates for currently supported versions of Windows 10, see the Windows lifecycle fact sheet. | January 15, 2020 10:00 AM PT |
| Windows 10, version 1903 starting to roll out to devices running Windows 10, version 1803 and earlier We are now beginning to build and train the machine learning (ML) based rollout process to update devices running Windows 10, version 1803 (the April 2018 Update) and earlier versions of Windows 10, to ensure we can continue to service these devices and provide the latest updates, security updates, and improvements. | June 18, 2019 02:00 PM PT |
| Windows 10, version 1903 available by selecting “Check for updates” Windows 10, version 1903 is now available for any user who manually selects “Check for updates” via Windows Update. The recommended servicing status is Semi-Annual Channel. | June 06, 2019 06:00 PM PT |
| Windows 10, version 1903 rollout begins The Windows 10 May 2019 Update (Windows 10, version 1903) is available today to commercial customers via Windows Server Update Services (WSUS), Windows Update for Business, and the Volume Licensing Service Center (VLSC)—and to end users who manually select “Check for updates.” We are slowly throttling up availability while we carefully monitor data and feedback. | May 21, 2019 10:00 AM PT |
| What’s new in Windows Update for Business We are enhancing and expanding the capabilities of Windows Update for Business to make the move to the cloud even easier. From simplified branch readiness options to better control over deadlines and reboots, read about the enhancements to Windows Update for Business as a part of Windows 10, version 1903. | May 21, 2019 10:00 AM PT |
| What’s new for businesses and IT pros in Windows 10 Explore the newest capabilities for businesses and IT in the latest feature update in the areas of intelligent security, simplified updates, flexible management, and enhanced productivity. | May 21, 2019 10:00 AM PT |
| Reminder: Install the latest SSU for a smoother update experience We strongly recommend that you install the latest servicing stack update (SSU) before installing any Windows update; especially as an SSU may be a prerequisite for some updates. If you have difficulty installing Windows updates, verify that you have installed the latest SSU package for your version of Windows and then try installing the update again. Links to the latest SSU are always provided in the “How to get this update” section of each update KB article (e.g., KB4494441). For more information about SSUs, see our Servicing stack updates guidance. | May 14, 2019 10:00 AM PT |
| Take action: Update Remote Desktop Services on older versions of Windows Today, we released fixes for a critical wormable, remote code execution vulnerability (CVE-2019-0708) in Remote Desktop Services—formerly known as Terminal Services. This vulnerability affects Windows 7, Windows Server 2008 R2, and earlier versions of Windows nearing end of support. It does not affect Windows 8, Windows Server 2012, or newer operating systems. While we have not observed attacks exploiting this vulnerability, affected systems should be patched with priority. Here is what you need to know:
--Call to action: -
| May 14, 2019 10:00 AM PT |
| Reminder: Windows 10 update servicing cadence This month we received questions about the cadence of updates we released in April and May 2019. Here's a quick recap of our releases and servicing cadence:
--
| May 10, 2019 10:00 AM PT |
Use DES encryption types for this account
Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption, including Microsoft Point-to-Point Encryption (MPPE) Standard (40-bit and 56-bit), MPPE standard (56-bit), MPPE Strong (128-bit), Internet Protocol security (IPSec) DES (40-bit), IPSec 56-bit DES, and IPSec Triple DES (3DES).
-Note
DES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see Hunting down DES in order to securely deploy Kerberos.
+NoteDES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see Hunting down DES in order to securely deploy Kerberos.
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
index 68102f6e49..d0124ff8cf 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
@@ -78,9 +78,6 @@ Applications may cause performance issues when they attempt to hook the isolated
Services or protocols that rely on Kerberos, such as file shares, remote desktop, or BranchCache, continue to work and are not affected by Windows Defender Credential Guard.
-See this video: [Credentials Protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
-
-
## Security considerations
All computers that meet baseline protections for hardware, firmware, and software can use Windows Defender Credential Guard.
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md
index 0cfbf47cc6..57b0ea0add 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.md
@@ -30,8 +30,8 @@ Microsoft is committed to its vision of a world without passwords. We rec
## Can I use Windows Hello for Business key trust and RDP?
RDP currently does not support key based authentication and does not support self signed certificates. RDP with Windows Hello for Business is currently only supported with certificate based deployments.
-## Can I deploy Windows Hello for Business using System Center Configuration Manager?
-Windows Hello for Business deployments using System Center Configuration Manager need to move to the hybrid deployment model that uses Active Directory Federation Services. Deployments using System Center Configuration Manager will no longer be supported after November 2018.
+## Can I deploy Windows Hello for Business using Microsoft Endpoint Configuration Manager?
+Windows Hello for Business deployments using Configuration Manager need to move to the hybrid deployment model that uses Active Directory Federation Services. Deployments using Configuration Manager will no longer be supported after November 2018.
## How many users can enroll for Windows Hello for Business on a single Windows 10 computer?
The maximum number of supported enrollments on a single Windows 10 computer is 10. That enables 10 users to each enroll their face and up to 10 fingerprints. While we support 10 enrollments, we will strongly encourage the use of Windows Hello security keys for the shared computer scenario when they become available.
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
index 012051d5e2..7de79a7f47 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@@ -162,7 +162,7 @@ Primarily for large enterprise organizations with more complex authentication re
For more than a decade, many organizations have used the domain join to their on-premises Active Directory to enable:
- IT departments to manage work-owned devices from a central location.
- Users to sign in to their devices with their Active Directory work or school accounts.
-Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use System Center Configuration Manager (SCCM) or group policy (GP) to manage them.
+Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use Microsoft Endpoint Configuration Manager or group policy (GP) to manage them.
If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Azure Active Directory, you can implement hybrid Azure AD joined devices. These are devices that are both, joined to your on-premises Active Directory and your Azure Active Directory.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
index 41d11386b2..bbe8176263 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
@@ -55,6 +55,9 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e
7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**.
8. Close the console.
+>[!NOTE]
+>Don't confuse the **Request hash** algorithm with the hash argorithm of the certificate.
+
#### Configure Certificate Superseding for the Domain Controller Authentication (Kerberos) Certificate Template
Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers--the domain controller certificate template. Later releases provided a new certificate template--the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the **KDC Authentication** extension.
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index 7dffe7b0a9..17f9e5e49f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -65,7 +65,7 @@ The hybrid deployment model is for organizations that:
* Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources
> [!Important]
-> Hybrid deployments support non-destructive PIN reset that only works with the certificate trust model.
+> Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.
> **Requirements:**
> Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903
> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
index 7cdd7f45b1..56c13ecbbe 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
@@ -55,7 +55,8 @@ Network Unlock must meet mandatory hardware and software requirements before the
The network stack must be enabled to use the Network Unlock feature. Equipment manufacturers deliver their products in various states and with different BIOS menus, so you need to confirm that the network stack has been enabled in the BIOS before starting the computer.
->**Note:** To properly support DHCP within UEFI, the UEFI-based system should be in native mode without a compatibility support module (CSM) enabled.
+> [!NOTE]
+> To properly support DHCP within UEFI, the UEFI-based system should be in native mode without a compatibility support module (CSM) enabled.
For Network Unlock to work reliably on computers running Windows 8 and later, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP and used for Network Unlock. This is especially worth noting when you have multiple adapters, and you wish to configure one without DHCP, such as for a lights-out management protocol. This configuration is necessary because Network Unlock will stop enumerating adapters when it reaches one with a DHCP port failure for any reason. Thus, if the first enumerated adapter does not support DHCP, is not plugged into the network, or fails to report availability of the DHCP port for any reason, then Network Unlock will fail.
@@ -243,7 +244,8 @@ The following steps describe how to enable the Group Policy setting that is a re
The following steps describe how to deploy the required Group Policy setting:
->**Note:** The Group Policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012.
+> [!NOTE]
+> The Group Policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012.
1. Copy the .cer file created for Network Unlock to the domain controller.
2. On the domain controller, launch Group Policy Management Console (gpmc.msc).
@@ -254,10 +256,12 @@ The following steps describe how to deploy the required Group Policy setting:
2. Right-click the folder and choose **Add Network Unlock Certificate**.
3. Follow the wizard steps and import the .cer file that was copied earlier.
->**Note:** Only one network unlock certificate can be available at a time. If a new certificate is required, delete the current certificate before deploying a new one. The Network Unlock certificate is located in the **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** key on the client computer.
+> [!NOTE]
+> Only one network unlock certificate can be available at a time. If a new certificate is required, delete the current certificate before deploying a new one. The Network Unlock certificate is located in the **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** key on the client computer.
5. Reboot the clients after deploying the group policy.
- >**Note:** The **Network (Certificate Based)** protector will be added only after a reboot with the policy enabled and a valid certificate present in the FVE_NKP store.
+ > [!NOTE]
+ > The **Network (Certificate Based)** protector will be added only after a reboot with the policy enabled and a valid certificate present in the FVE_NKP store.
### Subnet policy configuration files on WDS Server (Optional)
@@ -276,7 +280,8 @@ SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more usef
```
Following the \[SUBNETS\] section, there can be sections for each Network Unlock certificate, identified by the certificate thumbprint formatted without any spaces, which define subnets clients can be unlocked from with that certificate.
->**Note:** When specifying the certificate thumbprint, do not include any spaces. If spaces are included in the thumbprint the subnet configuration will fail because the thumbprint will not be recognized as valid.
+> [!NOTE]
+> When specifying the certificate thumbprint, do not include any spaces. If spaces are included in the thumbprint the subnet configuration will fail because the thumbprint will not be recognized as valid.
Subnet restrictions are defined within each certificate section by denoting the allowed list of permitted subnets. If any subnet is listed in a certificate section, then only those subnets listed are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate does not have a section in the subnet policy configuration file, then no subnet restrictions are applied for unlocking with that certificate. This means for restrictions to apply to every certificate, there must be a certificate section for every Network Unlock certificate on the server, and an explicit allowed list set for each certificate section.
Subnet lists are created by putting the name of a subnet from the \[SUBNETS\] section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. For troubleshooting, a subnet can be quickly excluded without deleting it from the section by simply commenting it out with a prepended semi-colon.
@@ -295,7 +300,8 @@ To disallow the use of a certificate altogether, its subnet list may contain the
To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating Network Unlock protectors the **Allow Network Unlock at startup** Group Policy setting should be disabled. When this policy setting is updated to disabled on client computers any Network Unlock key protectors on the computer will be deleted. Alternatively, the BitLocker Network Unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain.
->**Note:** Removing the FVE_NKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server’s ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server.
+> [!NOTE]
+> Removing the FVE_NKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server’s ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server.
## Update Network Unlock certificates
@@ -311,12 +317,13 @@ Troubleshooting Network Unlock issues begins by verifying the environment. Many
- Group policy for Network Unlock is enabled and linked to the appropriate domains.
- Verify group policy is reaching the clients properly. This can be done using the GPRESULT.exe or RSOP.msc utilities.
- Verify the clients were rebooted after applying the policy.
-- Verify the **Network (Certificate Based)** protector is listed on the client. This can be done using either manage-bde or Windows PowerShell cmdlets. For example the following command will list the key protectors currently configured on the C: drive of the lcoal computer:
+- Verify the **Network (Certificate Based)** protector is listed on the client. This can be done using either manage-bde or Windows PowerShell cmdlets. For example the following command will list the key protectors currently configured on the C: drive of the local computer:
```powershell
manage-bde -protectors -get C:
```
- >**Note:** Use the output of manage-bde along with the WDS debug log to determine if the proper certificate thumbprint is being used for Network Unlock
+ > [!NOTE]
+ > Use the output of manage-bde along with the WDS debug log to determine if the proper certificate thumbprint is being used for Network Unlock
Files to gather when troubleshooting BitLocker Network Unlock include:
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
index b7f351b324..2f83a67ca2 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
@@ -305,7 +305,7 @@ The OMA-URI references for these settings are as follows:
> Because of an update to the BitLocker Policy CSP, if the device uses Windows 10 version 1809 or later, you can use an endpoint protection policy to enforce silent BitLocker Device Encryption even if the device is not HSTI-compliant.
> [!NOTE]
-> If the **Waiting for other disk encryption** setting is set to **Not configured**, you have to manually start the BitLocker Drive Encryption wizard.
+> If the **Warning for other disk encryption** setting is set to **Not configured**, you have to manually start the BitLocker Drive Encryption wizard.
If the device does not support Modern Standby but is HSTI-compliant, and it uses a version of Windows that is earlier than Windows 10, version 1803, an endpoint protection policy that has the settings that are described in this article delivers the policy configuration to the device. However, Windows then notifies the user to manually enable BitLocker Drive Encryption. To do this, the user selects the notification. This action starts the BitLocker Drive Encryption wizard.
diff --git a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
index 7549d29961..47d4db6ed7 100644
--- a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
+++ b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
@@ -47,7 +47,7 @@ Microsoft information protection technologies include:
## How WIP protects sensitivity labels with endpoint data loss prevention
You can create and manage [sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) in the Microsoft 365 compliance center.
-When you create a sensitivity label, you can specify that endpoint data loss prevention applies to content with that label.
+When you [create a sensitivity label](https://docs.microsoft.com/microsoft-365/compliance/create-sensitivity-labels), you can specify that endpoint data loss prevention applies to content with that label.
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 82dd8ef26b..e108eeae6b 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -44,7 +44,7 @@
#### [Attack surface reduction](microsoft-defender-atp/attack-surface-reduction.md)
#### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
-### [Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
+### [Next-generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
#### [Better together: Windows Defender Antivirus and Microsoft Defender ATP](windows-defender-antivirus/why-use-microsoft-antivirus.md)
### [Endpoint detection and response]()
@@ -187,7 +187,7 @@
##### [Controlled folder access](microsoft-defender-atp/evaluate-controlled-folder-access.md)
##### [Attack surface reduction](microsoft-defender-atp/evaluate-attack-surface-reduction.md)
##### [Network firewall](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
-##### [Evaluate next generation protection](windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
+##### [Evaluate next-generation protection](windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
### [Access the Windows Defender Security Center Community Center](microsoft-defender-atp/community.md)
@@ -231,7 +231,7 @@
-### [Configure next generation protection]()
+### [Configure next-generation protection]()
#### [Configure Windows Defender Antivirus features](windows-defender-antivirus/configure-windows-defender-antivirus-features.md)
#### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
@@ -315,7 +315,8 @@
##### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
##### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
-#### [Manage next generation protection in your business]()
+#### [Manage next-generation protection in your business]()
+##### [Handle false positives/negatives in Windows Defender Antivirus](windows-defender-antivirus/antivirus-false-positives-negatives.md)
##### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
##### [Use Microsoft Intune and Microsoft Endpoint Configuration Manager to manage next generation protection](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
##### [Use Group Policy settings to manage next generation protection](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
@@ -323,7 +324,6 @@
##### [Use Windows Management Instrumentation (WMI) to manage next generation protection](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
##### [Use the mpcmdrun.exe command line tool to manage next generation protection](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
-
### [Microsoft Defender Advanced Threat Protection for Mac](microsoft-defender-atp/microsoft-defender-atp-mac.md)
#### [What's New](microsoft-defender-atp/mac-whatsnew.md)
#### [Deploy]()
@@ -383,6 +383,7 @@
##### [Microsoft Defender ATP APIs Schema]()
###### [Supported Microsoft Defender ATP APIs](microsoft-defender-atp/exposed-apis-list.md)
+###### [Common REST API error codes](microsoft-defender-atp/common-errors.md)
###### [Advanced Hunting](microsoft-defender-atp/run-advanced-query-api.md)
###### [Alert]()
@@ -460,7 +461,7 @@
####### [Score methods and properties](microsoft-defender-atp/score.md)
####### [List exposure score by machine group](microsoft-defender-atp/get-machine-group-exposure-score.md)
####### [Get exposure score](microsoft-defender-atp/get-exposure-score.md)
-####### [Get device secure score](microsoft-defender-atp/get-device-secure-score.md)
+####### [Get machine secure score](microsoft-defender-atp/get-device-secure-score.md)
###### [Software]()
####### [Software methods and properties](microsoft-defender-atp/software.md)
@@ -472,7 +473,7 @@
###### [Vulnerability]()
####### [Vulnerability methods and properties](microsoft-defender-atp/vulnerability.md)
-####### [Get all vulnerabilities](microsoft-defender-atp/get-all-vulnerabilities.md)
+####### [List vulnerabilities](microsoft-defender-atp/get-all-vulnerabilities.md)
####### [Get vulnerability by Id](microsoft-defender-atp/get-vulnerability-by-id.md)
####### [List machines by vulnerability](microsoft-defender-atp/get-machines-by-vulnerability.md)
@@ -481,8 +482,8 @@
####### [List all recommendations](microsoft-defender-atp/get-all-recommendations.md)
####### [Get recommendation by Id](microsoft-defender-atp/get-recommendation-by-id.md)
####### [Get recommendation by software](microsoft-defender-atp/get-recommendation-software.md)
-####### [Get recommendation by machines](microsoft-defender-atp/get-recommendation-machines.md)
-####### [Get recommendation by vulnerabilities](microsoft-defender-atp/get-recommendation-vulnerabilities.md)
+####### [List machines by recommendation](microsoft-defender-atp/get-recommendation-machines.md)
+####### [List vulnerabilities by recommendation](microsoft-defender-atp/get-recommendation-vulnerabilities.md)
##### [How to use APIs - Samples]()
###### [Microsoft Flow](microsoft-defender-atp/api-microsoft-flow.md)
@@ -611,7 +612,7 @@
#### [Network protection](microsoft-defender-atp/troubleshoot-np.md)
#### [Attack surface reduction rules](microsoft-defender-atp/troubleshoot-asr.md)
-### [Troubleshoot next generation protection](windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md)
+### [Troubleshoot next-generation protection](windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md
index 7be96ce69b..fac29703cb 100644
--- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md
+++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md
@@ -1,6 +1,6 @@
---
title: Monitor central access policies on a file server (Windows 10)
-description: Learn how to monitor changes to the central access policies that apply to a file server, when using advanced security auditing options.
+description: Learn how to monitor changes to the central access policies that apply to a file server when using advanced security auditing options.
ms.assetid: 126b051e-c20d-41f1-b42f-6cff24dcf20c
ms.reviewer:
ms.author: dansimp
@@ -22,40 +22,42 @@ ms.date: 04/19/2017
**Applies to**
- Windows 10
-This topic for the IT professional describes how to monitor changes to the central access policies that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. Central access policies are created on a domain controller and then applied to file servers through Group Policy management.
+This article describes how to monitor changes to the central access policies (CAPs) that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. CAPs are created on a domain controller and then applied to file servers through Group Policy management.
-Use the following procedures to configure and verify security auditing settings that are used to monitor changes to the set of central access policies on a file server. The following procedures assume that you have configured and deployed dynamic access control, including central access policies, and claims in your network. If you have not yet deployed dynamic access control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](https://technet.microsoft.com/library/hh846167.aspx).
+Use the following procedures to configure and verify security auditing settings that are used to monitor changes to the set of CAPs on a file server. The following procedures assume that you have configured and deployed dynamic access control, including CAPs and claims, in your network. If you have not yet deployed dynamic access control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](https://technet.microsoft.com/library/hh846167.aspx).
**To configure settings to monitor changes to central access policies**
1. Sign in to your domain controller by using domain administrator credentials.
-2. In Server Manager, point to **Tools**, and then click **Group Policy Management**.
-3. In the console tree, right-click the flexible access Group Policy Object, and then click **Edit**.
-4. Double-click **Computer Configuration**, double-click **Security Settings**, double-click **Advanced Audit Policy Configuration**, double-click **Policy Change**, and then double-click **Other Policy Change Events**.
+2. In Server Manager, point to **Tools**, and then select **Group Policy Management**.
+3. In the console tree, select the flexible access Group Policy Object, and then select **Edit**.
+4. Select **Computer Configuration** > **Security Settings** > **Advanced Audit Policy Configuration** > **Policy Change** > **Other Policy Change Events**.
- >**Note:** This policy setting monitors policy changes that might not be captured otherwise, such as central access policy changes or trusted platform module configuration changes.
+ > [!NOTE]
+ > This policy setting monitors policy changes that might not be captured otherwise, such as CAP changes or trusted platform module configuration changes.
-5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**.
+5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then select **OK**.
-After you modify the central access policies on the domain controller, verify that the changes have been applied to the file server and that the proper events are logged.
+After you modify the CAPs on the domain controller, verify that the changes have been applied to the file server and that the proper events are logged.
**To verify changes to the central access policies**
1. Sign in to your domain controller by using domain administrator credentials.
2. Open the Group Policy Management Console.
-3. Right-click **Default domain policy**, and then click **Edit**.
-4. Double-click **Computer Configuration**, double-click **Policies**, and then double-click **Windows Settings**.
-5. Double-click **Security Settings**, right-click **File system**, and then click **Manage CAPs**.
-6. In the wizard that appears, follow the instructions to add a new central access policy (CAP), and then click **OK**.
-7. Use local administrator credentials to sign in to the server that hosts resources that are subject to the central access policies you changed.
-8. Press the Windows key + R, then type **cmd** to open a Command Prompt window.
+3. Select **Default domain policy**, and then select **Edit**.
+4. Select **Computer Configuration** > **Policies**, and then select **Windows Settings**.
+5. Select **Security Settings** > **File system**, and then select **Manage CAPs**.
+6. In the wizard that appears, follow the instructions to add a new CAP, and then select **OK**.
+7. Use local administrator credentials to sign in to the server that hosts resources that are subject to the CAPs you changed.
+8. Select the Windows logo key+R, and then type **cmd** to open a command prompt window.
- >**Note:** If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
+ > [!NOTE]
+ > If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
-9. Type **gpupdate /force**, and press ENTER.
-10. In Server Manager, click **Tools**, and then click **Event Viewer**.
-11. Expand **Windows Logs**, and then click **Security**. Verify that event 4819 appears in the security log.
+9. Type **gpupdate /force**, and then select the Enter key.
+10. In Server Manager, select **Tools**, and then select **Event Viewer**.
+11. Expand **Windows Logs**, and then select **Security**. Verify that event 4819 appears in the security log.
-## Related resource
+## Related resources
- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/common-errors.md b/windows/security/threat-protection/microsoft-defender-atp/common-errors.md
new file mode 100644
index 0000000000..bcc6ba7dc3
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/common-errors.md
@@ -0,0 +1,83 @@
+---
+title: Common Microsoft Defender ATP API errors
+description: List of common Microsoft Defender ATP API errors with descriptions.
+keywords: apis, mdatp api, errors, troubleshooting
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Common REST API error codes
+
+* The error codes listed in the following table may be returned by an operation on any of Microsoft Defender ATP APIs.
+* Note that in addition to the error code, every error response contains an error message which can help resolving the problem.
+* Note that the message is a free text that can be changed.
+* At the bottom of the page you can find response examples.
+
+Error code |HTTP status code |Message
+:---|:---|:---
+BadRequest | BadRequest (400) | General Bad Request error message.
+ODataError | BadRequest (400) | Invalid OData URI query (the specific error is specified).
+InvalidInput | BadRequest (400) | Invalid input {the invalid input}.
+InvalidRequestBody | BadRequest (400) | Invalid request body.
+InvalidHashValue | BadRequest (400) | Hash value {the invalid hash} is invalid.
+InvalidDomainName | BadRequest (400) | Domain name {the invalid domain} is invalid.
+InvalidIpAddress | BadRequest (400) | IP address {the invalid IP} is invalid.
+InvalidUrl | BadRequest (400) | URL {the invalid URL} is invalid.
+MaximumBatchSizeExceeded | BadRequest (400) | Maximum batch size exceeded. Received: {batch size received}, allowed: {batch size allowed}.
+MissingRequiredParameter | BadRequest (400) | Parameter {the missing parameter} is missing.
+OsPlatformNotSupported | BadRequest (400) | OS Platform {the client OS Platform} is not supported for this action.
+ClientVersionNotSupported | BadRequest (400) | {The requested action} is supported on client version {supported client version} and above.
+Unauthorized | Unauthorized (401) | Unauthorized (usually invalid or expired authorization header).
+Forbidden | Forbidden (403) | Forbidden (valid token but insufficient permission for the action).
+DisabledFeature | Forbidden (403) | Tenant feature is not enabled.
+DisallowedOperation | Forbidden (403) | {the disallowed operation and the reason}.
+NotFound | Not Found (404) | General Not Found error message.
+ResourceNotFound | Not Found (404) | Resource {the requested resource} was not found.
+InternalServerError | Internal Server Error (500) | (No error message, try retry the operation or contact us if it does not resolved)
+
+## Body parameters are case sensitive
+
+The submitted body parameters are currently case sensitive.
+
If you experience an **InvalidRequestBody** or **MissingRequiredParameter** errors, it might be caused from a wrong parameter capital or lower-case letter. +
It is recommended to go to the requested Api documentation page and check that the submitted parameters match the relevant example. + +## Correlation request ID + +Each error response contains a unique ID parameter for tracking. +
The property name of this parameter is "target". +
When contacting us about an error, attaching this ID will help find the root cause of the problem. + +## Examples + +```json +{ + "error": { + "code": "ResourceNotFound", + "message": "Machine 123123123 was not found", + "target": "43f4cb08-8fac-4b65-9db1-745c2ae65f3a" + } +} +``` + + +```json +{ + "error": { + "code": "InvalidRequestBody", + "message": "Request body is incorrect", + "target": "1fa66c0f-18bd-4133-b378-36d76f3a2ba0" + } +} +``` + + diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md index 60b3f33af2..e7ec35ea55 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md @@ -26,11 +26,10 @@ ms.date: 12/11/2018 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - System Center 2012 Configuration Manager or later versions - - >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink) + ## Onboard Windows 10 machines using System Center Configuration Manager (current branch) version 1606 System Center Configuration Manager (SCCM) (current branch) version 1606, has UI integrated support for configuring and managing Microsoft Defender ATP on machines. For more information, see Support for Microsoft Defender Advanced Threat Protection service. @@ -40,6 +39,7 @@ System Center Configuration Manager (SCCM) (current branch) version 1606, has UI + ## Onboard Windows 10 machines using System Center Configuration Manager earlier versions You can use existing System Center Configuration Manager functionality to create a policy to configure your machines. This is supported in the following System Center Configuration Manager versions: @@ -50,7 +50,6 @@ You can use existing System Center Configuration Manager functionality to create ### Onboard machines using System Center Configuration Manager - 1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): a. In the navigation pane, select **Settings** > **Onboarding**. @@ -72,6 +71,14 @@ You can use existing System Center Configuration Manager functionality to create >[!TIP] > After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md). +> +> Note that it is possible to create a detection rule within ConfigMgr to continuously check if a machine has been onboarded. +> If a machine is not yet onboarded (due to pending OOBE completion or any other reason), ConfigMgr will retry to onboard the machine until the rule detects the status change. +> +> This can be accomplished by creating a detection rule checking if the "OnboardingState" registry value (of type REG_DWORD) = 1. +> This registry value is located under "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status". +Refer to the following ConfigMgr article for more information: https://docs.microsoft.com/en-us/configmgr/apps/deploy-use/create-applications#bkmk_detect-rule + ### Configure sample collection settings For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through Microsoft Defender Security Center to submit a file for deep analysis. @@ -142,9 +149,9 @@ Monitoring with SCCM consists of two parts: 4. Review the status indicators under **Completion Statistics** and **Content Status**. -If there are failed deployments (machines with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the machines. For more information see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md). + If there are failed deployments (machines with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the machines. For more information see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md). - +  **Check that the machines are compliant with the Microsoft Defender ATP service:**
You can set a compliance rule for configuration item in System Center Configuration Manager to monitor your deployment. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md index 6140a832e2..c25ee5cfa4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md @@ -26,8 +26,9 @@ ms.topic: article ## Before you begin Ensure that you have Microsoft Defender ATP deployed in your environment with machines enrolled, and not just on a laboratory set-up. ->[!NOTE] ->Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive targeted attack notifications and to collaborate with experts on demand. A Microsoft Threat Experts subscription is a prerequisite for experts on demand collaboration. +Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service. + +If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on Demand subscription. ## Register to Microsoft Threat Experts managed threat hunting service If you're already a Microsoft Defender ATP customer, you can apply through the Microsoft Defender ATP portal. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md index 301d635bef..ab87a6d7f1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md @@ -40,7 +40,7 @@ You'll need to take the following configuration steps to enable the managed secu The integration will allow MSSPs to take the following actions: -- Get access to MSSP customer's Windows Defender Security Center portal +- Get access to MSSP customer's Microsoft Defender Security Center portal - Get email notifications, and - Fetch alerts through security information and event management (SIEM) tools @@ -53,7 +53,7 @@ Typically, MSSP customers take the initial configuration steps to grant MSSPs ac In general, the following configuration steps need to be taken: -- **Grant the MSSP access to Windows Defender Security Center**
+- **Grant the MSSP access to Microsoft Defender Security Center**
This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Windows Defender ATP tenant. @@ -74,7 +74,7 @@ This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs. > These set of steps are directed towards the MSSP customer.
> Access to the portal can only be done by the MSSP customer. -As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Windows Defender Security Center. +As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Microsoft Defender Security Center. Authentication and authorization of the MSSP user is built on top of Azure Active Directory (Azure AD) B2B functionality. @@ -82,7 +82,7 @@ Authentication and authorization of the MSSP user is built on top of Azure Activ You'll need to take the following 2 steps: - Add MSSP user to your tenant as a guest user -- Grant MSSP user access to Windows Defender Security Center +- Grant MSSP user access to Microsoft Defender Security Center ### Add MSSP user to your tenant as a guest user @@ -90,8 +90,8 @@ Add a user who is a member of the MSSP tenant to your tenant as a guest user. To grant portal access to the MSSP, you must add the MSSP user to your Azure AD as a guest user. For more information, see [Add Azure Active Directory B2B collaboration users in the Azure portal](https://docs.microsoft.com/azure/active-directory/b2b/add-users-administrator). -### Grant MSSP user access to Windows Defender Security Center -Grant the guest user access and permissions to your Windows Defender Security Center tenant. +### Grant MSSP user access to Microsoft Defender Security Center +Grant the guest user access and permissions to your Microsoft Defender Security Center tenant. Granting access to guest user is done the same way as granting access to a user who is a member of your tenant. @@ -108,12 +108,12 @@ It is recommended that groups are created for MSSPs to make authorization access As a MSSP customer, you can always remove or modify the permissions granted to the MSSP by updating the Azure AD user groups. -## Access the Windows Defender Security Center MSSP customer portal +## Access the Microsoft Defender Security Center MSSP customer portal >[!NOTE] >These set of steps are directed towards the MSSP. -By default, MSSP customers access their Windows Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`. +By default, MSSP customers access their Microsoft Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`. MSSPs however, will need to use a tenant-specific URL in the following format: `https://securitycenter.windows.com?tid=customer_tenant_id` to access the MSSP customer portal. @@ -159,7 +159,7 @@ Step 1: Create a third-party application Step 2: Get access and refresh tokens from your customer's tenant -Step 3: Whitelist your application on Windows Defender Security Center +Step 3: Whitelist your application on Microsoft Defender Security Center @@ -279,8 +279,8 @@ After providing your credentials, you'll need to grant consent to the applicatio 8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to configure your SIEM connector. -### Step 3: Whitelist your application on Windows Defender Security Center -You'll need to whitelist the application you created in Windows Defender Security Center. +### Step 3: Whitelist your application on Microsoft Defender Security Center +You'll need to whitelist the application you created in Microsoft Defender Security Center. You'll need to have **Manage portal system settings** permission to whitelist the application. Otherwise, you'll need to request your customer to whitelist the application for you. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index 162531b03e..c8ddf79198 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md @@ -105,14 +105,18 @@ See [Netsh Command Syntax, Contexts, and Formatting](https://docs.microsoft.com/ If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are not blocked by default. Do not disable security monitoring or inspection of these URLs, but allow them as you would other internet traffic. They permit communication with Microsoft Defender ATP service in port 80 and 443: > [!NOTE] -> URLs that include v20 in them are only needed if you have Windows 10, version 1803 or later machines. For example, ```us-v20.events.data.microsoft.com``` is only needed if the machine is on Windows 10, version 1803 or later. +> settings-win.data.microsoft.com is only needed if you have Windows 10 machines running version 1803 or earlier.
+> URLs that include v20 in them are only needed if you have Windows 10 machines running version 1803 or later. For example, ```us-v20.events.data.microsoft.com``` is needed for a Windows 10 machine running version 1803 or later and onboarded to US Data Storage region. Service location | Microsoft.com DNS record -|- Common URLs for all locations | ```crl.microsoft.com```
```ctldl.windowsupdate.com```
```events.data.microsoft.com```
```notify.windows.com```
```settings-win.data.microsoft.com``` -European Union | ```eu.vortex-win.data.microsoft.com```
```eu-v20.events.data.microsoft.com```
```usseu1northprod.blob.core.windows.net```
```usseu1westprod.blob.core.windows.net```
```winatp-gw-neu.microsoft.com```
```winatp-gw-weu.microsoft.com```
```wseu1northprod.blob.core.windows.net```
```wseu1westprod.blob.core.windows.net``` -United Kingdom | ```uk.vortex-win.data.microsoft.com```
```uk-v20.events.data.microsoft.com```
```ussuk1southprod.blob.core.windows.net```
```ussuk1westprod.blob.core.windows.net```
```winatp-gw-uks.microsoft.com```
```winatp-gw-ukw.microsoft.com```
```wsuk1southprod.blob.core.windows.net```
```wsuk1westprod.blob.core.windows.net``` -United States | ```us.vortex-win.data.microsoft.com```
```ussus1eastprod.blob.core.windows.net```
```ussus1westprod.blob.core.windows.net```
```ussus2eastprod.blob.core.windows.net```
```ussus2westprod.blob.core.windows.net```
```ussus3eastprod.blob.core.windows.net```
```ussus3westprod.blob.core.windows.net```
```ussus4eastprod.blob.core.windows.net```
```ussus4westprod.blob.core.windows.net```
```us-v20.events.data.microsoft.com```
```winatp-gw-cus.microsoft.com```
```winatp-gw-eus.microsoft.com```
```wsus1eastprod.blob.core.windows.net```
```wsus1westprod.blob.core.windows.net```
```wsus2eastprod.blob.core.windows.net```
```wsus2westprod.blob.core.windows.net``` +European Union | ```eu.vortex-win.data.microsoft.com```
```eu-v20.events.data.microsoft.com```
```usseu1northprod.blob.core.windows.net```
```usseu1westprod.blob.core.windows.net```
```winatp-gw-neu.microsoft.com```
```winatp-gw-weu.microsoft.com```
```wseu1northprod.blob.core.windows.net```
```wseu1westprod.blob.core.windows.net```
```automatedirstrprdweu.blob.core.windows.net```
```automatedirstrprdneu.blob.core.windows.net``` +United Kingdom | ```uk.vortex-win.data.microsoft.com```
```uk-v20.events.data.microsoft.com```
```ussuk1southprod.blob.core.windows.net```
```ussuk1westprod.blob.core.windows.net```
```winatp-gw-uks.microsoft.com```
```winatp-gw-ukw.microsoft.com```
```wsuk1southprod.blob.core.windows.net```
```wsuk1westprod.blob.core.windows.net```
```automatedirstrprduks.blob.core.windows.net```
```automatedirstrprdukw.blob.core.windows.net``` +United States | ```us.vortex-win.data.microsoft.com```
```ussus1eastprod.blob.core.windows.net```
```ussus1westprod.blob.core.windows.net```
```ussus2eastprod.blob.core.windows.net```
```ussus2westprod.blob.core.windows.net```
```ussus3eastprod.blob.core.windows.net```
```ussus3westprod.blob.core.windows.net```
```ussus4eastprod.blob.core.windows.net```
```ussus4westprod.blob.core.windows.net```
```us-v20.events.data.microsoft.com```
```winatp-gw-cus.microsoft.com```
```winatp-gw-eus.microsoft.com```
```wsus1eastprod.blob.core.windows.net```
```wsus1westprod.blob.core.windows.net```
```wsus2eastprod.blob.core.windows.net```
```wsus2westprod.blob.core.windows.net```
```automatedirstrprdcus.blob.core.windows.net```
```automatedirstrprdeus.blob.core.windows.net``` + +> [!NOTE] +> If you are using Windows Defender Antivirus in your environment, please refer to the following article for details on allowing connections to the Windows Defender Antivirus cloud service: https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs. @@ -139,9 +143,9 @@ You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https: Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender ATP service URLs. -1. Download the [connectivity verification tool](https://aka.ms/mdatpanalyzer) to the PC where Microsoft Defender ATP sensor is running on. +1. Download the [MDATP Client Analyzer tool](https://aka.ms/mdatpanalyzer) to the PC where Microsoft Defender ATP sensor is running on. -2. Extract the contents of MDATPClientAnalyzer on the machine. +2. Extract the contents of MDATPClientAnalyzer.zip on the machine. 3. Open an elevated command-line: diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md index 511c7973f6..f78270d508 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md @@ -98,14 +98,16 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt 3. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**. 4. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following: - * **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log + * **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log. * **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders. * **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization. + * **Block disk modification only** - Attempts by untrusted apps to write to disk sectors will be logged in Windows Event log. These logs can be found in **Applications and Services Logs** > Microsoft > Windows > Windows Defender > Operational > ID 1123. + * **Audit disk modification only** - Only attempts to write to protected disk sectors will be recorded in the Windows event log (under **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender** > **Operational** > **ID 1124**). Attempts to modify or delete files in protected folders will not be recorded. -  +  > [!IMPORTANT] -> To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu. +> To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and select **Block** in the options drop-down menu. ## PowerShell diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md index ccab9e8250..42ce3aa2b6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md @@ -127,8 +127,8 @@ If you are looking for a pre-made simulation, you can use our ["Do It Yourself" You can also use [Advanced hunting](advanced-hunting-query-language.md) to query data and [Threat analytics](threat-analytics.md) to view reports about emerging threats. ->[!NOTE] ->The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections. +> [!NOTE] +> The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections. 1. Connect to your machine and run an attack simulation by selecting **Connect**. @@ -179,4 +179,3 @@ Your feedback helps us get better in protecting your environment from advanced a Let us know what you think, by selecting **Provide feedback**.  - diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md index 1735811830..5f0bb3386d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md @@ -66,8 +66,7 @@ GET https://api.securitycenter.windows.com/api/recommendations Here is an example of the response. -``` -Content-type: json +```json { "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations", "value": [ @@ -99,7 +98,8 @@ Content-type: json "nonProductivityImpactedAssets": 0, "relatedComponent": "Windows 10" } - ] + ... + ] } ``` ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md index e0e4243d76..4114015c39 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md @@ -16,7 +16,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Get all vulnerabilities +# List vulnerabilities **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -66,8 +66,7 @@ GET https://api.securitycenter.windows.com/api/Vulnerabilities Here is an example of the response. -``` -Content-type: json +```json { "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities", "value": [ @@ -86,8 +85,9 @@ Content-type: json "exploitTypes": [], "exploitUris": [] } - ] - { + ... + ] + } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md index dfd844de6b..b0f731be41 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md @@ -1,6 +1,6 @@ --- -title: Get Device Secure score -description: Retrieves the organizational device secure score. +title: Get Machine Secure score +description: Retrieves the organizational machine secure score. keywords: apis, graph api, supported apis, get, alerts, recent search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -16,7 +16,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Get Device Secure score +# Get Machine Secure score **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -75,8 +75,7 @@ Here is an example of the response. { "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ConfigurationScore/$entity", "time": "2019-12-03T09:15:58.1665846Z", - "score": 340, - "rbacGroupId": null + "score": 340 } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md index f57f5e53cf..794272d101 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md @@ -76,8 +76,7 @@ Here is an example of the response. { "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore/$entity", "time": "2019-12-03T07:23:53.280499Z", - "score": 33.491554051195706, - "rbacGroupId": null + "score": 33.491554051195706 } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md index a85a0bc44e..b9a2498569 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md @@ -18,9 +18,9 @@ ms.topic: article # List exposure score by machine group -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] @@ -74,23 +74,14 @@ Here is an example of the response. { "time": "2019-12-03T09:51:28.214338Z", "score": 41.38041766305988, - "rbacGroupId": 10 + "rbacGroupName": "GroupOne" }, { "time": "2019-12-03T09:51:28.2143399Z", "score": 37.403726933165366, - "rbacGroupId": 11 - }, - { - "time": "2019-12-03T09:51:28.2143407Z", - "score": 26.390921344426033, - "rbacGroupId": 9 - }, - { - "time": "2019-12-03T09:51:28.2143414Z", - "score": 23.58823563070858, - "rbacGroupId": 5 + "rbacGroupName": "GroupTwo" } + ... ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md index 81d6659101..b4a8ff7d35 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md @@ -24,7 +24,7 @@ ms.topic: article [!include[Prerelease information](../../includes/prerelease.md)] -Retrieve a list of machines that has this software installed. +Retrieve a list of machine references that has this software installed. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. @@ -75,15 +75,16 @@ Here is an example of the response. "id": "7c7e1896fa39efb0a32a2cf421d837af1b9bf762", "computerDnsName": "dave_desktop", "osPlatform": "Windows10", - "rbacGroupId": 9 + "rbacGroupName": "GroupTwo" }, { "id": "7d5cc2e7c305e4a0a290392abf6707f9888fda0d", "computerDnsName": "jane_PC", "osPlatform": "Windows10", - "rbacGroupId": 9 + "rbacGroupName": "GroupTwo" } -] + ... + ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md index 5ee5fe1b47..b27ecfca50 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md @@ -66,8 +66,7 @@ GET https://api.securitycenter.windows.com/api/vulnerabilities/CVE-2019-0608/mac Here is an example of the response. -``` -Content-type: json +```json { "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences", "value": [ @@ -75,14 +74,15 @@ Content-type: json "id": "235a2e6278c63fcf85bab9c370396972c58843de", "computerDnsName": "h1mkn_PC", "osPlatform": "Windows10", - "rbacGroupId": 1268 + "rbacGroupName": "GroupTwo" }, { "id": "afb3f807d1a185ac66668f493af028385bfca184", "computerDnsName": "chat_Desk ", "osPlatform": "Windows10", - "rbacGroupId": 410 + "rbacGroupName": "GroupTwo" } + ... ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md index 6a56d41c99..9254f80562 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md @@ -65,8 +65,7 @@ GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chr Here is an example of the response. -``` -Content-type: json +```json { "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations/$entity", "id": "va-_-google-_-chrome", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md index d74dc47279..1343ebbc71 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md @@ -1,5 +1,5 @@ --- -title: Get recommendation by machines +title: List machines by recommendation description: Retrieves a list of machines associated with the security recommendation. keywords: apis, graph api, supported apis, get, security recommendation for vulnerable machines, threat and vulnerability management, threat and vulnerability management api search.product: eADQiWindows 10XVcnh @@ -16,7 +16,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Get recommendation by machines +# List machines by recommendation **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -75,7 +75,8 @@ Here is an example of the response. "osPlatform": "Windows10", "rbacGroupId": 2154 } - ] + ... + ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md index de192c1e9f..d4e5a895ef 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md @@ -65,8 +65,7 @@ GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chr Here is an example of the response. -``` -Content-type: json +```json { "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Analytics.Contracts.PublicAPI.PublicProductDto", "id": "google-_-chrome", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md index c9ca363c20..e7e5725b8a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md @@ -1,5 +1,5 @@ --- -title: Get recommendation by vulnerabilities +title: List vulnerabilities by recommendation description: Retrieves a list of vulnerabilities associated with the security recommendation. keywords: apis, graph api, supported apis, get, list of vulnerabilities, security recommendation, security recommendation for vulnerabilities, threat and vulnerability management, threat and vulnerability management api search.product: eADQiWindows 10XVcnh @@ -16,7 +16,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Get recommendation by vulnerabilities +# List vulnerabilities by recommendation **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -65,8 +65,7 @@ GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chr Here is an example of the response. -``` -Content-type: json +```json { "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)", "value": [ @@ -85,7 +84,8 @@ Content-type: json "exploitTypes": [], "exploitUris": [] } - ] + ... + ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md index 2ba8c06b69..159f48e08e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md @@ -81,7 +81,8 @@ Here is an example of the response. "installations": 750, "vulnerabilities": 0 } - ] + ... + ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-software.md index 1ec2bcccd1..883c240d11 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software.md @@ -17,10 +17,10 @@ ms.topic: article --- # List software inventory API -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease information](../../includes/prerelease.md)] +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) Retrieves the organization software inventory. @@ -66,20 +66,21 @@ GET https://api.securitycenter.windows.com/api/Software Here is an example of the response. -``` +```json { "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Software", "value": [ - { - "id": "microsoft-_-edge", - "name": "edge", - "vendor": "microsoft", - "weaknesses": 467, - "publicExploit": true, - "activeAlert": false, - "exposedMachines": 172, - "impactScore": 2.39947438 - } + { + "id": "microsoft-_-edge", + "name": "edge", + "vendor": "microsoft", + "weaknesses": 467, + "publicExploit": true, + "activeAlert": false, + "exposedMachines": 172, + "impactScore": 2.39947438 + } + ... ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md index 6fa52754b7..42147bc353 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md @@ -71,21 +71,22 @@ Here is an example of the response. { "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)", "value": [ - { - "id": "CVE-2017-0140", - "name": "CVE-2017-0140", - "description": "A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins. The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.The security update addresses the vulnerability by modifying how affected Microsoft Edge handles different-origin requests.", - "severity": "Medium", - "cvssV3": 4.2, - "exposedMachines": 1, - "publishedOn": "2017-03-14T00:00:00Z", - "updatedOn": "2019-10-03T00:03:00Z", - "publicExploit": false, - "exploitVerified": false, - "exploitInKit": false, - "exploitTypes": [], - "exploitUris": [] - } + { + "id": "CVE-2017-0140", + "name": "CVE-2017-0140", + "description": "A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins. The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.The security update addresses the vulnerability by modifying how affected Microsoft Edge handles different-origin requests.", + "severity": "Medium", + "cvssV3": 4.2, + "exposedMachines": 1, + "publishedOn": "2017-03-14T00:00:00Z", + "updatedOn": "2019-10-03T00:03:00Z", + "publicExploit": false, + "exploitVerified": false, + "exploitInKit": false, + "exploitTypes": [], + "exploitUris": [] + } + ... ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md index e4ccb6c433..a7ec42d80f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md @@ -65,8 +65,7 @@ GET https://api.securitycenter.windows.com/api/Vulnerabilities/CVE-2019-0608 Here is an example of the response. -``` -Content-type: json +```json { "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities/$entity", "id": "CVE-2019-0608", diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md index 88ac0b8be9..0ef1449bfa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md @@ -36,7 +36,7 @@ Monitoring network connection behind a forward proxy is possible due to addition Network protection can be controlled using the following modes: -- **Block**
Users or apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center. +- **Block**
Users or apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Microsoft Defender Security Center. - **Audit**
Users or apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Microsoft Defender Security Center. diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md index 3003c707b4..ddd34985a3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md @@ -119,11 +119,11 @@ The following commands are available for user roles that's been granted the abil Command | Description :---|:--- analyze | Analyses the entity with various incrimination engines to reach a verdict. -getfile | Gets a file from the machine.
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjuction with `getfile` to automatically run the prerequisite command. +getfile | Gets a file from the machine.
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `getfile` to automatically run the prerequisite command. run | Runs a PowerShell script from the library on the machine. library | Lists files that were uploaded to the live response library. putfile | Puts a file from the library to the machine. Files are saved in a working folder and are deleted when the machine restarts by default. -remediate | Remediates an entity on the machine. The remediation action will vary depending on the entity type:
- File: delete
- Process: stop, delete image file
- Service: stop, delete image file
- Registry entry: delete
- Scheduled task: remove
- Startup folder item: delete file
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjuction with `remediate` to automatically run the prerequisite command. +remediate | Remediates an entity on the machine. The remediation action will vary depending on the entity type:
- File: delete
- Process: stop, delete image file
- Service: stop, delete image file
- Registry entry: delete
- Scheduled task: remove
- Startup folder item: delete file
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `remediate` to automatically run the prerequisite command. undo | Restores an entity that was remediated. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md index 117296a474..a3c0a5a7a2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md @@ -34,14 +34,14 @@ Before you get started, see [the main Microsoft Defender ATP for Mac page](micro ## Download installation and onboarding packages -Download the installation and onboarding packages from Windows Defender Security Center: +Download the installation and onboarding packages from Microsoft Defender Security Center: -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**. 2. In Section 1 of the page, set operating system to **Linux, macOS, iOS, and Android** and Deployment method to **Local script**. 3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. 4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. -  +  5. From a command prompt, verify that you have the two files. Extract the contents of the .zip files: @@ -112,6 +112,7 @@ The installation proceeds. After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner.  + ## How to Allow Full Disk Access diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md index 6a79d9fca6..0e9abb20c1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md @@ -43,7 +43,7 @@ Download the installation and onboarding packages from Microsoft Defender Securi 4. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory. 5. Download **IntuneAppUtil** from [https://docs.microsoft.com/intune/lob-apps-macos](https://docs.microsoft.com/intune/lob-apps-macos). -  +  6. From a command prompt, verify that you have the three files. Extract the contents of the .zip files: @@ -90,19 +90,19 @@ You need no special provisioning for a Mac device beyond a standard [Company Por 1. You are asked to confirm device management. - +  -Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**: + Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**: - +  2. Select **Continue** and complete the enrollment. -You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages. + You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages. 3. In Intune, open **Manage** > **Devices** > **All devices**. Here you can see your device among those listed: - +  ## Create System Configuration profiles @@ -284,9 +284,9 @@ You may now enroll more devices. You can also enroll them later, after you have 10. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. -Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**: + Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**: - +  ## Publish application diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md index 083d1a181e..04f3d87059 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md @@ -38,14 +38,19 @@ In addition, for JAMF deployment, you need to be familiar with JAMF administrati ## Download installation and onboarding packages -Download the installation and onboarding packages from Windows Defender Security Center: +Download the installation and onboarding packages from Microsoft Defender Security Center: -1. In Windows Defender Security Center, go to **Settings > device Management > Onboarding**. -2. In Section 1 of the page, set the operating system to **Linux, macOS, iOS or Android** and deployment method to **Mobile Device Management / Microsoft Intune**. -3. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory. +1. In Microsoft Defender Security Center, go to **Settings > Machine management > Onboarding**. +2. In Section 1 of the page, set the operating system to **Linux, macOS, iOS or Android**. +3. Set the deployment method to **Mobile Device Management / Microsoft Intune**. + + >[!NOTE] + >JamF falls under **Mobile Device Management**. + +4. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory. +5. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory. -  +  5. From the command prompt, verify that you have the two files. Extract the contents of the .zip files like so: @@ -87,7 +92,7 @@ To approve the kernel extension: 1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**. 2. Use **UBF8T346G9** for Team Id. - +  ### Privacy Preferences Policy Control @@ -103,7 +108,7 @@ Add the following JAMF policy to grant Full Disk Access to Microsoft Defender AT 3. Set Code Requirement to `identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9`. 4. Set app or service to SystemPolicyAllFiles and access to Allow. - +  #### Configuration Profile's Scope @@ -153,16 +158,16 @@ You'll need no special provisioning for a macOS computer, beyond the standard JA > [!NOTE] > After a computer is enrolled, it will show up in the Computers inventory (All Computers). -1. Open **Device Profiles**, from the **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's currently set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. + - Open **Device Profiles**, from the **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's currently set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. -
- + 
+  -After a moment, the device's User Approved MDM status will change to **Yes**. + After a moment, the device's User Approved MDM status will change to **Yes**. - +  -You may now enroll additional devices. You may also enroll them later, after you have finished provisioning system configuration and application packages. + You may now enroll additional devices. You may also enroll them later, after you have finished provisioning system configuration and application packages. ## Deployment diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md index 85deccc918..315ec0f230 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md @@ -80,6 +80,18 @@ Specify whether the antivirus engine runs in passive mode. Passive mode has the | **Possible values** | false (default)
true | | **Comments** | Available in Microsoft Defender ATP version 100.67.60 or higher. | +#### Exclusion merge policy + +Specify the merge policy for exclusions. This can be a combination of administrator-defined and user-defined exclusions (`merge`) or only administrator-defined exclusions (`admin_only`). This setting can be used to restrict local users from defining their own exclusions. + +||| +|:---|:---| +| **Domain** | `com.microsoft.wdav` | +| **Key** | exclusionsMergePolicy | +| **Data type** | String | +| **Possible values** | merge (default)
admin_only | +| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. | + #### Scan exclusions Specify entities excluded from being scanned. Exclusions can be specified by full paths, extensions, or file names. @@ -138,9 +150,9 @@ Specify content excluded from being scanned by file extension. | **Possible values** | valid file extensions | | **Comments** | Applicable only if *$type* is *excludedFileExtension* | -##### Name of excluded content +##### Process excluded from the scan -Specify content excluded from being scanned by file name. +Specify a process for which all file activity is excluded from scanning. The process can be specified either by its name (e.g. `cat`) or full path (e.g. `/bin/cat`). ||| |:---|:---| @@ -160,6 +172,18 @@ Specify threats by name that are not blocked by Microsoft Defender ATP for Mac. | **Key** | allowedThreats | | **Data type** | Array of strings | +#### Disallowed threat actions + +Restricts the actions that the local user of a device can take when threats are detected. The actions included in this list are not displayed in the user interface. + +||| +|:---|:---| +| **Domain** | `com.microsoft.wdav` | +| **Key** | disallowedThreatActions | +| **Data type** | Array of strings | +| **Possible values** | allow (restricts users from allowing threats)
restore (restricts users from restoring threats from the quarantine) | +| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. | + #### Threat type settings Specify how certain threat types are handled by Microsoft Defender ATP for Mac. @@ -197,6 +221,18 @@ Specify what action to take when a threat of the type specified in the preceding | **Data type** | String | | **Possible values** | audit (default)
block
off | +#### Threat type settings merge policy + +Specify the merge policy for threat type settings. This can be a combination of administrator-defined and user-defined settings (`merge`) or only administrator-defined settings (`admin_only`). This setting can be used to restrict local users from defining their own settings for different threat types. + +||| +|:---|:---| +| **Domain** | `com.microsoft.wdav` | +| **Key** | threatTypeSettingsMergePolicy | +| **Data type** | String | +| **Possible values** | merge (default)
admin_only | +| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. | + ### Cloud-delivered protection preferences Configure the cloud-driven protection features of Microsoft Defender ATP for Mac. @@ -371,6 +407,10 @@ The following configuration profile will: ### Intune profile ```XML + + +
+
PayloadUUID
C4E6A782-0C8D-44AB-A025-EB893987A295
PayloadType
@@ -439,6 +479,8 @@ The following configuration profile will:
+
+
```
## Full configuration profile example
@@ -482,11 +524,24 @@ The following configuration profile contains entries for all settings described
extension
pdf
+
+ $type
+ excludedFileName
+ name
+ cat
+
+ exclusionsMergePolicy
+ merge
allowedThreats
EICAR-Test-File (not a virus)
+ disallowedThreatActions
+
+ allow
+ restore
+
threatTypeSettings
@@ -502,6 +557,8 @@ The following configuration profile contains entries for all settings described
audit
+ threatTypeSettingsMergePolicy
+ merge
cloudService
@@ -593,11 +650,24 @@ The following configuration profile contains entries for all settings described
extension
pdf
+
+ $type
+ excludedFileName
+ name
+ cat
+
+ exclusionsMergePolicy
+ merge
allowedThreats
EICAR-Test-File (not a virus)
+ disallowedThreatActions
+
+ allow
+ restore
+
threatTypeSettings
@@ -613,6 +683,8 @@ The following configuration profile contains entries for all settings described
audit
+ threatTypeSettingsMergePolicy
+ merge
cloudService
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
index 43323ca96d..34df1f32fc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
@@ -19,6 +19,12 @@ ms.topic: conceptual
# What's new in Microsoft Defender Advanced Threat Protection for Mac
+## 100.83.73
+
+- Added more controls for IT administrators around [management of exclusions](mac-preferences.md#exclusion-merge-policy), [management of threat type settings](mac-preferences.md#threat-type-settings-merge-policy), and [disallowed threat actions](mac-preferences.md#disallowed-threat-actions)
+- When Full Disk Access is not enabled on the device, a warning is now displayed in the status menu
+- Performance improvements & bug fixes
+
## 100.82.60
- Addressed an issue where the product fails to start following a definition update.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
index 9614834d72..32343d94bd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
@@ -35,7 +35,7 @@ You can use the following operations to customize the list of automated investig
**Triggering alert**
-The alert the initiated the automated investigation.
+The alert that initiated the automated investigation.
**Status**
An automated investigation can be in one of the following status:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
index e2674754d6..be8b72641f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
@@ -78,7 +78,6 @@ It's important to understand the following prerequisites prior to creating indic
>[!IMPORTANT]
>- The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action
>- Trusted signed files will be treated differently. Microsoft Defender ATP is optimized to handle malicious files. Trying to block trusted signed files, in some cases, may have performance implications.
->- The PE file needs to be in the machine timeline for you to be able to take this action.
>[!NOTE]
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
index 56b73435ad..34a417fdef 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
@@ -108,6 +108,10 @@ Microsoft Defender ATP includes a secure score to help you dynamically assess th
**[Microsoft Threat Experts](microsoft-threat-experts.md)**
Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights that further empower Security operation centers (SOCs) to identify and respond to threats quickly and accurately. +>[!IMPORTANT] +>Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.
If you experience an **InvalidRequestBody** or **MissingRequiredParameter** errors, it might be caused from a wrong parameter capital or lower-case letter. +
It is recommended to go to the requested Api documentation page and check that the submitted parameters match the relevant example. + +## Correlation request ID + +Each error response contains a unique ID parameter for tracking. +
The property name of this parameter is "target". +
When contacting us about an error, attaching this ID will help find the root cause of the problem. + +## Examples + +```json +{ + "error": { + "code": "ResourceNotFound", + "message": "Machine 123123123 was not found", + "target": "43f4cb08-8fac-4b65-9db1-745c2ae65f3a" + } +} +``` + + +```json +{ + "error": { + "code": "InvalidRequestBody", + "message": "Request body is incorrect", + "target": "1fa66c0f-18bd-4133-b378-36d76f3a2ba0" + } +} +``` + + diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md index 60b3f33af2..e7ec35ea55 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md @@ -26,11 +26,10 @@ ms.date: 12/11/2018 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - System Center 2012 Configuration Manager or later versions - - >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink) + ## Onboard Windows 10 machines using System Center Configuration Manager (current branch) version 1606 System Center Configuration Manager (SCCM) (current branch) version 1606, has UI integrated support for configuring and managing Microsoft Defender ATP on machines. For more information, see Support for Microsoft Defender Advanced Threat Protection service. @@ -40,6 +39,7 @@ System Center Configuration Manager (SCCM) (current branch) version 1606, has UI + ## Onboard Windows 10 machines using System Center Configuration Manager earlier versions You can use existing System Center Configuration Manager functionality to create a policy to configure your machines. This is supported in the following System Center Configuration Manager versions: @@ -50,7 +50,6 @@ You can use existing System Center Configuration Manager functionality to create ### Onboard machines using System Center Configuration Manager - 1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): a. In the navigation pane, select **Settings** > **Onboarding**. @@ -72,6 +71,14 @@ You can use existing System Center Configuration Manager functionality to create >[!TIP] > After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md). +> +> Note that it is possible to create a detection rule within ConfigMgr to continuously check if a machine has been onboarded. +> If a machine is not yet onboarded (due to pending OOBE completion or any other reason), ConfigMgr will retry to onboard the machine until the rule detects the status change. +> +> This can be accomplished by creating a detection rule checking if the "OnboardingState" registry value (of type REG_DWORD) = 1. +> This registry value is located under "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status". +Refer to the following ConfigMgr article for more information: https://docs.microsoft.com/en-us/configmgr/apps/deploy-use/create-applications#bkmk_detect-rule + ### Configure sample collection settings For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through Microsoft Defender Security Center to submit a file for deep analysis. @@ -142,9 +149,9 @@ Monitoring with SCCM consists of two parts: 4. Review the status indicators under **Completion Statistics** and **Content Status**. -If there are failed deployments (machines with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the machines. For more information see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md). + If there are failed deployments (machines with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the machines. For more information see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md). - +  **Check that the machines are compliant with the Microsoft Defender ATP service:**
You can set a compliance rule for configuration item in System Center Configuration Manager to monitor your deployment. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md index 6140a832e2..c25ee5cfa4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md @@ -26,8 +26,9 @@ ms.topic: article ## Before you begin Ensure that you have Microsoft Defender ATP deployed in your environment with machines enrolled, and not just on a laboratory set-up. ->[!NOTE] ->Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive targeted attack notifications and to collaborate with experts on demand. A Microsoft Threat Experts subscription is a prerequisite for experts on demand collaboration. +Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service. + +If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on Demand subscription. ## Register to Microsoft Threat Experts managed threat hunting service If you're already a Microsoft Defender ATP customer, you can apply through the Microsoft Defender ATP portal. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md index 301d635bef..ab87a6d7f1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md @@ -40,7 +40,7 @@ You'll need to take the following configuration steps to enable the managed secu The integration will allow MSSPs to take the following actions: -- Get access to MSSP customer's Windows Defender Security Center portal +- Get access to MSSP customer's Microsoft Defender Security Center portal - Get email notifications, and - Fetch alerts through security information and event management (SIEM) tools @@ -53,7 +53,7 @@ Typically, MSSP customers take the initial configuration steps to grant MSSPs ac In general, the following configuration steps need to be taken: -- **Grant the MSSP access to Windows Defender Security Center**
+- **Grant the MSSP access to Microsoft Defender Security Center**
This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Windows Defender ATP tenant. @@ -74,7 +74,7 @@ This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs. > These set of steps are directed towards the MSSP customer.
> Access to the portal can only be done by the MSSP customer. -As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Windows Defender Security Center. +As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Microsoft Defender Security Center. Authentication and authorization of the MSSP user is built on top of Azure Active Directory (Azure AD) B2B functionality. @@ -82,7 +82,7 @@ Authentication and authorization of the MSSP user is built on top of Azure Activ You'll need to take the following 2 steps: - Add MSSP user to your tenant as a guest user -- Grant MSSP user access to Windows Defender Security Center +- Grant MSSP user access to Microsoft Defender Security Center ### Add MSSP user to your tenant as a guest user @@ -90,8 +90,8 @@ Add a user who is a member of the MSSP tenant to your tenant as a guest user. To grant portal access to the MSSP, you must add the MSSP user to your Azure AD as a guest user. For more information, see [Add Azure Active Directory B2B collaboration users in the Azure portal](https://docs.microsoft.com/azure/active-directory/b2b/add-users-administrator). -### Grant MSSP user access to Windows Defender Security Center -Grant the guest user access and permissions to your Windows Defender Security Center tenant. +### Grant MSSP user access to Microsoft Defender Security Center +Grant the guest user access and permissions to your Microsoft Defender Security Center tenant. Granting access to guest user is done the same way as granting access to a user who is a member of your tenant. @@ -108,12 +108,12 @@ It is recommended that groups are created for MSSPs to make authorization access As a MSSP customer, you can always remove or modify the permissions granted to the MSSP by updating the Azure AD user groups. -## Access the Windows Defender Security Center MSSP customer portal +## Access the Microsoft Defender Security Center MSSP customer portal >[!NOTE] >These set of steps are directed towards the MSSP. -By default, MSSP customers access their Windows Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`. +By default, MSSP customers access their Microsoft Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`. MSSPs however, will need to use a tenant-specific URL in the following format: `https://securitycenter.windows.com?tid=customer_tenant_id` to access the MSSP customer portal. @@ -159,7 +159,7 @@ Step 1: Create a third-party application Step 2: Get access and refresh tokens from your customer's tenant -Step 3: Whitelist your application on Windows Defender Security Center +Step 3: Whitelist your application on Microsoft Defender Security Center @@ -279,8 +279,8 @@ After providing your credentials, you'll need to grant consent to the applicatio 8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to configure your SIEM connector. -### Step 3: Whitelist your application on Windows Defender Security Center -You'll need to whitelist the application you created in Windows Defender Security Center. +### Step 3: Whitelist your application on Microsoft Defender Security Center +You'll need to whitelist the application you created in Microsoft Defender Security Center. You'll need to have **Manage portal system settings** permission to whitelist the application. Otherwise, you'll need to request your customer to whitelist the application for you. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index 162531b03e..c8ddf79198 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md @@ -105,14 +105,18 @@ See [Netsh Command Syntax, Contexts, and Formatting](https://docs.microsoft.com/ If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are not blocked by default. Do not disable security monitoring or inspection of these URLs, but allow them as you would other internet traffic. They permit communication with Microsoft Defender ATP service in port 80 and 443: > [!NOTE] -> URLs that include v20 in them are only needed if you have Windows 10, version 1803 or later machines. For example, ```us-v20.events.data.microsoft.com``` is only needed if the machine is on Windows 10, version 1803 or later. +> settings-win.data.microsoft.com is only needed if you have Windows 10 machines running version 1803 or earlier.
+> URLs that include v20 in them are only needed if you have Windows 10 machines running version 1803 or later. For example, ```us-v20.events.data.microsoft.com``` is needed for a Windows 10 machine running version 1803 or later and onboarded to US Data Storage region. Service location | Microsoft.com DNS record -|- Common URLs for all locations | ```crl.microsoft.com```
```ctldl.windowsupdate.com```
```events.data.microsoft.com```
```notify.windows.com```
```settings-win.data.microsoft.com``` -European Union | ```eu.vortex-win.data.microsoft.com```
```eu-v20.events.data.microsoft.com```
```usseu1northprod.blob.core.windows.net```
```usseu1westprod.blob.core.windows.net```
```winatp-gw-neu.microsoft.com```
```winatp-gw-weu.microsoft.com```
```wseu1northprod.blob.core.windows.net```
```wseu1westprod.blob.core.windows.net``` -United Kingdom | ```uk.vortex-win.data.microsoft.com```
```uk-v20.events.data.microsoft.com```
```ussuk1southprod.blob.core.windows.net```
```ussuk1westprod.blob.core.windows.net```
```winatp-gw-uks.microsoft.com```
```winatp-gw-ukw.microsoft.com```
```wsuk1southprod.blob.core.windows.net```
```wsuk1westprod.blob.core.windows.net``` -United States | ```us.vortex-win.data.microsoft.com```
```ussus1eastprod.blob.core.windows.net```
```ussus1westprod.blob.core.windows.net```
```ussus2eastprod.blob.core.windows.net```
```ussus2westprod.blob.core.windows.net```
```ussus3eastprod.blob.core.windows.net```
```ussus3westprod.blob.core.windows.net```
```ussus4eastprod.blob.core.windows.net```
```ussus4westprod.blob.core.windows.net```
```us-v20.events.data.microsoft.com```
```winatp-gw-cus.microsoft.com```
```winatp-gw-eus.microsoft.com```
```wsus1eastprod.blob.core.windows.net```
```wsus1westprod.blob.core.windows.net```
```wsus2eastprod.blob.core.windows.net```
```wsus2westprod.blob.core.windows.net``` +European Union | ```eu.vortex-win.data.microsoft.com```
```eu-v20.events.data.microsoft.com```
```usseu1northprod.blob.core.windows.net```
```usseu1westprod.blob.core.windows.net```
```winatp-gw-neu.microsoft.com```
```winatp-gw-weu.microsoft.com```
```wseu1northprod.blob.core.windows.net```
```wseu1westprod.blob.core.windows.net```
```automatedirstrprdweu.blob.core.windows.net```
```automatedirstrprdneu.blob.core.windows.net``` +United Kingdom | ```uk.vortex-win.data.microsoft.com```
```uk-v20.events.data.microsoft.com```
```ussuk1southprod.blob.core.windows.net```
```ussuk1westprod.blob.core.windows.net```
```winatp-gw-uks.microsoft.com```
```winatp-gw-ukw.microsoft.com```
```wsuk1southprod.blob.core.windows.net```
```wsuk1westprod.blob.core.windows.net```
```automatedirstrprduks.blob.core.windows.net```
```automatedirstrprdukw.blob.core.windows.net``` +United States | ```us.vortex-win.data.microsoft.com```
```ussus1eastprod.blob.core.windows.net```
```ussus1westprod.blob.core.windows.net```
```ussus2eastprod.blob.core.windows.net```
```ussus2westprod.blob.core.windows.net```
```ussus3eastprod.blob.core.windows.net```
```ussus3westprod.blob.core.windows.net```
```ussus4eastprod.blob.core.windows.net```
```ussus4westprod.blob.core.windows.net```
```us-v20.events.data.microsoft.com```
```winatp-gw-cus.microsoft.com```
```winatp-gw-eus.microsoft.com```
```wsus1eastprod.blob.core.windows.net```
```wsus1westprod.blob.core.windows.net```
```wsus2eastprod.blob.core.windows.net```
```wsus2westprod.blob.core.windows.net```
```automatedirstrprdcus.blob.core.windows.net```
```automatedirstrprdeus.blob.core.windows.net``` + +> [!NOTE] +> If you are using Windows Defender Antivirus in your environment, please refer to the following article for details on allowing connections to the Windows Defender Antivirus cloud service: https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs. @@ -139,9 +143,9 @@ You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https: Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender ATP service URLs. -1. Download the [connectivity verification tool](https://aka.ms/mdatpanalyzer) to the PC where Microsoft Defender ATP sensor is running on. +1. Download the [MDATP Client Analyzer tool](https://aka.ms/mdatpanalyzer) to the PC where Microsoft Defender ATP sensor is running on. -2. Extract the contents of MDATPClientAnalyzer on the machine. +2. Extract the contents of MDATPClientAnalyzer.zip on the machine. 3. Open an elevated command-line: diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md index 511c7973f6..f78270d508 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md @@ -98,14 +98,16 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt 3. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**. 4. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following: - * **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log + * **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log. * **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders. * **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization. + * **Block disk modification only** - Attempts by untrusted apps to write to disk sectors will be logged in Windows Event log. These logs can be found in **Applications and Services Logs** > Microsoft > Windows > Windows Defender > Operational > ID 1123. + * **Audit disk modification only** - Only attempts to write to protected disk sectors will be recorded in the Windows event log (under **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender** > **Operational** > **ID 1124**). Attempts to modify or delete files in protected folders will not be recorded. -  +  > [!IMPORTANT] -> To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu. +> To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and select **Block** in the options drop-down menu. ## PowerShell diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md index ccab9e8250..42ce3aa2b6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md @@ -127,8 +127,8 @@ If you are looking for a pre-made simulation, you can use our ["Do It Yourself" You can also use [Advanced hunting](advanced-hunting-query-language.md) to query data and [Threat analytics](threat-analytics.md) to view reports about emerging threats. ->[!NOTE] ->The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections. +> [!NOTE] +> The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections. 1. Connect to your machine and run an attack simulation by selecting **Connect**. @@ -179,4 +179,3 @@ Your feedback helps us get better in protecting your environment from advanced a Let us know what you think, by selecting **Provide feedback**.  - diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md index 1735811830..5f0bb3386d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md @@ -66,8 +66,7 @@ GET https://api.securitycenter.windows.com/api/recommendations Here is an example of the response. -``` -Content-type: json +```json { "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations", "value": [ @@ -99,7 +98,8 @@ Content-type: json "nonProductivityImpactedAssets": 0, "relatedComponent": "Windows 10" } - ] + ... + ] } ``` ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md index e0e4243d76..4114015c39 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md @@ -16,7 +16,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Get all vulnerabilities +# List vulnerabilities **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -66,8 +66,7 @@ GET https://api.securitycenter.windows.com/api/Vulnerabilities Here is an example of the response. -``` -Content-type: json +```json { "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities", "value": [ @@ -86,8 +85,9 @@ Content-type: json "exploitTypes": [], "exploitUris": [] } - ] - { + ... + ] + } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md index dfd844de6b..b0f731be41 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md @@ -1,6 +1,6 @@ --- -title: Get Device Secure score -description: Retrieves the organizational device secure score. +title: Get Machine Secure score +description: Retrieves the organizational machine secure score. keywords: apis, graph api, supported apis, get, alerts, recent search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -16,7 +16,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Get Device Secure score +# Get Machine Secure score **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -75,8 +75,7 @@ Here is an example of the response. { "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ConfigurationScore/$entity", "time": "2019-12-03T09:15:58.1665846Z", - "score": 340, - "rbacGroupId": null + "score": 340 } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md index f57f5e53cf..794272d101 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md @@ -76,8 +76,7 @@ Here is an example of the response. { "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore/$entity", "time": "2019-12-03T07:23:53.280499Z", - "score": 33.491554051195706, - "rbacGroupId": null + "score": 33.491554051195706 } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md index a85a0bc44e..b9a2498569 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md @@ -18,9 +18,9 @@ ms.topic: article # List exposure score by machine group -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] @@ -74,23 +74,14 @@ Here is an example of the response. { "time": "2019-12-03T09:51:28.214338Z", "score": 41.38041766305988, - "rbacGroupId": 10 + "rbacGroupName": "GroupOne" }, { "time": "2019-12-03T09:51:28.2143399Z", "score": 37.403726933165366, - "rbacGroupId": 11 - }, - { - "time": "2019-12-03T09:51:28.2143407Z", - "score": 26.390921344426033, - "rbacGroupId": 9 - }, - { - "time": "2019-12-03T09:51:28.2143414Z", - "score": 23.58823563070858, - "rbacGroupId": 5 + "rbacGroupName": "GroupTwo" } + ... ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md index 81d6659101..b4a8ff7d35 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md @@ -24,7 +24,7 @@ ms.topic: article [!include[Prerelease information](../../includes/prerelease.md)] -Retrieve a list of machines that has this software installed. +Retrieve a list of machine references that has this software installed. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. @@ -75,15 +75,16 @@ Here is an example of the response. "id": "7c7e1896fa39efb0a32a2cf421d837af1b9bf762", "computerDnsName": "dave_desktop", "osPlatform": "Windows10", - "rbacGroupId": 9 + "rbacGroupName": "GroupTwo" }, { "id": "7d5cc2e7c305e4a0a290392abf6707f9888fda0d", "computerDnsName": "jane_PC", "osPlatform": "Windows10", - "rbacGroupId": 9 + "rbacGroupName": "GroupTwo" } -] + ... + ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md index 5ee5fe1b47..b27ecfca50 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md @@ -66,8 +66,7 @@ GET https://api.securitycenter.windows.com/api/vulnerabilities/CVE-2019-0608/mac Here is an example of the response. -``` -Content-type: json +```json { "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences", "value": [ @@ -75,14 +74,15 @@ Content-type: json "id": "235a2e6278c63fcf85bab9c370396972c58843de", "computerDnsName": "h1mkn_PC", "osPlatform": "Windows10", - "rbacGroupId": 1268 + "rbacGroupName": "GroupTwo" }, { "id": "afb3f807d1a185ac66668f493af028385bfca184", "computerDnsName": "chat_Desk ", "osPlatform": "Windows10", - "rbacGroupId": 410 + "rbacGroupName": "GroupTwo" } + ... ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md index 6a56d41c99..9254f80562 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md @@ -65,8 +65,7 @@ GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chr Here is an example of the response. -``` -Content-type: json +```json { "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations/$entity", "id": "va-_-google-_-chrome", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md index d74dc47279..1343ebbc71 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md @@ -1,5 +1,5 @@ --- -title: Get recommendation by machines +title: List machines by recommendation description: Retrieves a list of machines associated with the security recommendation. keywords: apis, graph api, supported apis, get, security recommendation for vulnerable machines, threat and vulnerability management, threat and vulnerability management api search.product: eADQiWindows 10XVcnh @@ -16,7 +16,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Get recommendation by machines +# List machines by recommendation **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -75,7 +75,8 @@ Here is an example of the response. "osPlatform": "Windows10", "rbacGroupId": 2154 } - ] + ... + ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md index de192c1e9f..d4e5a895ef 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md @@ -65,8 +65,7 @@ GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chr Here is an example of the response. -``` -Content-type: json +```json { "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Analytics.Contracts.PublicAPI.PublicProductDto", "id": "google-_-chrome", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md index c9ca363c20..e7e5725b8a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md @@ -1,5 +1,5 @@ --- -title: Get recommendation by vulnerabilities +title: List vulnerabilities by recommendation description: Retrieves a list of vulnerabilities associated with the security recommendation. keywords: apis, graph api, supported apis, get, list of vulnerabilities, security recommendation, security recommendation for vulnerabilities, threat and vulnerability management, threat and vulnerability management api search.product: eADQiWindows 10XVcnh @@ -16,7 +16,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Get recommendation by vulnerabilities +# List vulnerabilities by recommendation **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -65,8 +65,7 @@ GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chr Here is an example of the response. -``` -Content-type: json +```json { "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)", "value": [ @@ -85,7 +84,8 @@ Content-type: json "exploitTypes": [], "exploitUris": [] } - ] + ... + ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md index 2ba8c06b69..159f48e08e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md @@ -81,7 +81,8 @@ Here is an example of the response. "installations": 750, "vulnerabilities": 0 } - ] + ... + ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-software.md index 1ec2bcccd1..883c240d11 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software.md @@ -17,10 +17,10 @@ ms.topic: article --- # List software inventory API -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease information](../../includes/prerelease.md)] +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) Retrieves the organization software inventory. @@ -66,20 +66,21 @@ GET https://api.securitycenter.windows.com/api/Software Here is an example of the response. -``` +```json { "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Software", "value": [ - { - "id": "microsoft-_-edge", - "name": "edge", - "vendor": "microsoft", - "weaknesses": 467, - "publicExploit": true, - "activeAlert": false, - "exposedMachines": 172, - "impactScore": 2.39947438 - } + { + "id": "microsoft-_-edge", + "name": "edge", + "vendor": "microsoft", + "weaknesses": 467, + "publicExploit": true, + "activeAlert": false, + "exposedMachines": 172, + "impactScore": 2.39947438 + } + ... ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md index 6fa52754b7..42147bc353 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md @@ -71,21 +71,22 @@ Here is an example of the response. { "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)", "value": [ - { - "id": "CVE-2017-0140", - "name": "CVE-2017-0140", - "description": "A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins. The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.The security update addresses the vulnerability by modifying how affected Microsoft Edge handles different-origin requests.", - "severity": "Medium", - "cvssV3": 4.2, - "exposedMachines": 1, - "publishedOn": "2017-03-14T00:00:00Z", - "updatedOn": "2019-10-03T00:03:00Z", - "publicExploit": false, - "exploitVerified": false, - "exploitInKit": false, - "exploitTypes": [], - "exploitUris": [] - } + { + "id": "CVE-2017-0140", + "name": "CVE-2017-0140", + "description": "A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins. The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.The security update addresses the vulnerability by modifying how affected Microsoft Edge handles different-origin requests.", + "severity": "Medium", + "cvssV3": 4.2, + "exposedMachines": 1, + "publishedOn": "2017-03-14T00:00:00Z", + "updatedOn": "2019-10-03T00:03:00Z", + "publicExploit": false, + "exploitVerified": false, + "exploitInKit": false, + "exploitTypes": [], + "exploitUris": [] + } + ... ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md index e4ccb6c433..a7ec42d80f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md @@ -65,8 +65,7 @@ GET https://api.securitycenter.windows.com/api/Vulnerabilities/CVE-2019-0608 Here is an example of the response. -``` -Content-type: json +```json { "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities/$entity", "id": "CVE-2019-0608", diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md index 88ac0b8be9..0ef1449bfa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md @@ -36,7 +36,7 @@ Monitoring network connection behind a forward proxy is possible due to addition Network protection can be controlled using the following modes: -- **Block**
Users or apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center. +- **Block**
Users or apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Microsoft Defender Security Center. - **Audit**
Users or apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Microsoft Defender Security Center. diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md index 3003c707b4..ddd34985a3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md @@ -119,11 +119,11 @@ The following commands are available for user roles that's been granted the abil Command | Description :---|:--- analyze | Analyses the entity with various incrimination engines to reach a verdict. -getfile | Gets a file from the machine.
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjuction with `getfile` to automatically run the prerequisite command. +getfile | Gets a file from the machine.
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `getfile` to automatically run the prerequisite command. run | Runs a PowerShell script from the library on the machine. library | Lists files that were uploaded to the live response library. putfile | Puts a file from the library to the machine. Files are saved in a working folder and are deleted when the machine restarts by default. -remediate | Remediates an entity on the machine. The remediation action will vary depending on the entity type:
- File: delete
- Process: stop, delete image file
- Service: stop, delete image file
- Registry entry: delete
- Scheduled task: remove
- Startup folder item: delete file
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjuction with `remediate` to automatically run the prerequisite command. +remediate | Remediates an entity on the machine. The remediation action will vary depending on the entity type:
- File: delete
- Process: stop, delete image file
- Service: stop, delete image file
- Registry entry: delete
- Scheduled task: remove
- Startup folder item: delete file
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `remediate` to automatically run the prerequisite command. undo | Restores an entity that was remediated. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md index 117296a474..a3c0a5a7a2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md @@ -34,14 +34,14 @@ Before you get started, see [the main Microsoft Defender ATP for Mac page](micro ## Download installation and onboarding packages -Download the installation and onboarding packages from Windows Defender Security Center: +Download the installation and onboarding packages from Microsoft Defender Security Center: -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**. 2. In Section 1 of the page, set operating system to **Linux, macOS, iOS, and Android** and Deployment method to **Local script**. 3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. 4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. -  +  5. From a command prompt, verify that you have the two files. Extract the contents of the .zip files: @@ -112,6 +112,7 @@ The installation proceeds. After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner.  + ## How to Allow Full Disk Access diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md index 6a79d9fca6..0e9abb20c1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md @@ -43,7 +43,7 @@ Download the installation and onboarding packages from Microsoft Defender Securi 4. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory. 5. Download **IntuneAppUtil** from [https://docs.microsoft.com/intune/lob-apps-macos](https://docs.microsoft.com/intune/lob-apps-macos). -  +  6. From a command prompt, verify that you have the three files. Extract the contents of the .zip files: @@ -90,19 +90,19 @@ You need no special provisioning for a Mac device beyond a standard [Company Por 1. You are asked to confirm device management. - +  -Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**: + Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**: - +  2. Select **Continue** and complete the enrollment. -You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages. + You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages. 3. In Intune, open **Manage** > **Devices** > **All devices**. Here you can see your device among those listed: - +  ## Create System Configuration profiles @@ -284,9 +284,9 @@ You may now enroll more devices. You can also enroll them later, after you have 10. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. -Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**: + Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**: - +  ## Publish application diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md index 083d1a181e..04f3d87059 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md @@ -38,14 +38,19 @@ In addition, for JAMF deployment, you need to be familiar with JAMF administrati ## Download installation and onboarding packages -Download the installation and onboarding packages from Windows Defender Security Center: +Download the installation and onboarding packages from Microsoft Defender Security Center: -1. In Windows Defender Security Center, go to **Settings > device Management > Onboarding**. -2. In Section 1 of the page, set the operating system to **Linux, macOS, iOS or Android** and deployment method to **Mobile Device Management / Microsoft Intune**. -3. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory. +1. In Microsoft Defender Security Center, go to **Settings > Machine management > Onboarding**. +2. In Section 1 of the page, set the operating system to **Linux, macOS, iOS or Android**. +3. Set the deployment method to **Mobile Device Management / Microsoft Intune**. + + >[!NOTE] + >JamF falls under **Mobile Device Management**. + +4. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory. +5. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory. -  +  5. From the command prompt, verify that you have the two files. Extract the contents of the .zip files like so: @@ -87,7 +92,7 @@ To approve the kernel extension: 1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**. 2. Use **UBF8T346G9** for Team Id. - +  ### Privacy Preferences Policy Control @@ -103,7 +108,7 @@ Add the following JAMF policy to grant Full Disk Access to Microsoft Defender AT 3. Set Code Requirement to `identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9`. 4. Set app or service to SystemPolicyAllFiles and access to Allow. - +  #### Configuration Profile's Scope @@ -153,16 +158,16 @@ You'll need no special provisioning for a macOS computer, beyond the standard JA > [!NOTE] > After a computer is enrolled, it will show up in the Computers inventory (All Computers). -1. Open **Device Profiles**, from the **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's currently set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. + - Open **Device Profiles**, from the **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's currently set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. -
- + 
+  -After a moment, the device's User Approved MDM status will change to **Yes**. + After a moment, the device's User Approved MDM status will change to **Yes**. - +  -You may now enroll additional devices. You may also enroll them later, after you have finished provisioning system configuration and application packages. + You may now enroll additional devices. You may also enroll them later, after you have finished provisioning system configuration and application packages. ## Deployment diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md index 85deccc918..315ec0f230 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md @@ -80,6 +80,18 @@ Specify whether the antivirus engine runs in passive mode. Passive mode has the | **Possible values** | false (default)
true | | **Comments** | Available in Microsoft Defender ATP version 100.67.60 or higher. | +#### Exclusion merge policy + +Specify the merge policy for exclusions. This can be a combination of administrator-defined and user-defined exclusions (`merge`) or only administrator-defined exclusions (`admin_only`). This setting can be used to restrict local users from defining their own exclusions. + +||| +|:---|:---| +| **Domain** | `com.microsoft.wdav` | +| **Key** | exclusionsMergePolicy | +| **Data type** | String | +| **Possible values** | merge (default)
admin_only | +| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. | + #### Scan exclusions Specify entities excluded from being scanned. Exclusions can be specified by full paths, extensions, or file names. @@ -138,9 +150,9 @@ Specify content excluded from being scanned by file extension. | **Possible values** | valid file extensions | | **Comments** | Applicable only if *$type* is *excludedFileExtension* | -##### Name of excluded content +##### Process excluded from the scan -Specify content excluded from being scanned by file name. +Specify a process for which all file activity is excluded from scanning. The process can be specified either by its name (e.g. `cat`) or full path (e.g. `/bin/cat`). ||| |:---|:---| @@ -160,6 +172,18 @@ Specify threats by name that are not blocked by Microsoft Defender ATP for Mac. | **Key** | allowedThreats | | **Data type** | Array of strings | +#### Disallowed threat actions + +Restricts the actions that the local user of a device can take when threats are detected. The actions included in this list are not displayed in the user interface. + +||| +|:---|:---| +| **Domain** | `com.microsoft.wdav` | +| **Key** | disallowedThreatActions | +| **Data type** | Array of strings | +| **Possible values** | allow (restricts users from allowing threats)
restore (restricts users from restoring threats from the quarantine) | +| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. | + #### Threat type settings Specify how certain threat types are handled by Microsoft Defender ATP for Mac. @@ -197,6 +221,18 @@ Specify what action to take when a threat of the type specified in the preceding | **Data type** | String | | **Possible values** | audit (default)
block
off | +#### Threat type settings merge policy + +Specify the merge policy for threat type settings. This can be a combination of administrator-defined and user-defined settings (`merge`) or only administrator-defined settings (`admin_only`). This setting can be used to restrict local users from defining their own settings for different threat types. + +||| +|:---|:---| +| **Domain** | `com.microsoft.wdav` | +| **Key** | threatTypeSettingsMergePolicy | +| **Data type** | String | +| **Possible values** | merge (default)
admin_only | +| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. | + ### Cloud-delivered protection preferences Configure the cloud-driven protection features of Microsoft Defender ATP for Mac. @@ -371,6 +407,10 @@ The following configuration profile will: ### Intune profile ```XML + + +
Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights that further empower Security operation centers (SOCs) to identify and respond to threats quickly and accurately. +>[!IMPORTANT] +>Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.
+>
If you are not enrolled yet and would like to experience its benefits, go to Settings > General > Advanced features > Microsoft Threat Experts to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on Demand subscription.
+
**[Management and APIs](management-apis.md)**
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
index c451cf8400..a28cd30703 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
@@ -26,9 +26,12 @@ Microsoft Threat Experts is a managed detection and response (MDR) service that
This new capability provides expert-driven insights and data through targeted attack notification and access to experts on demand.
->[!NOTE]
->Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive targeted attack notifications and to collaborate with experts on demand. A Microsoft Threat Experts subscription is a prerequisite for experts on demand collaboration. See [Configure Microsoft Threat Experts capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#before-you-begin) for details.
-
+
+## Before you begin
+Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.
+
+If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on Demand subscription. See [Configure Microsoft Threat Experts capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#before-you-begin) for details.
+
## Targeted attack notification
Microsoft Threat Experts provides proactive hunting for the most important threats to your network, including human adversary intrusions, hands-on-keyboard attacks, or advanced attacks like cyberespionage. The managed hunting service includes:
- Threat monitoring and analysis, reducing dwell time and risk to the business
diff --git a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
index 987d3c8ce0..2e2b69385b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
+++ b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
@@ -345,6 +345,7 @@
##### [APIs]()
###### [Supported Microsoft Defender ATP APIs](exposed-apis-list.md)
+###### [Common REST API error codes](common-errors.md)
###### [Advanced Hunting](run-advanced-query-api.md)
###### [Alert]()
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview.md b/windows/security/threat-protection/microsoft-defender-atp/overview.md
index be86e6742f..0e926f6f8d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview.md
@@ -39,7 +39,7 @@ Topic | Description
[Endpoint detection and response](overview-endpoint-detection-response.md) | Understand how Microsoft Defender ATP continuously monitors your organization for possible attacks against systems, networks, or users in your organization and the features you can use to mitigate and remediate threats.
[Automated investigation and remediation](automated-investigations.md) | In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
[Secure score](overview-secure-score.md) | Quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to better protect your organization - all in one place.
-[Microsoft Threat Experts](microsoft-threat-experts.md) | Managed cybersecurity threat hunting service. Learn how you can get expert-driven insights and data through targeted attack notification and access to experts on demand.
+[Microsoft Threat Experts](microsoft-threat-experts.md) | Managed cybersecurity threat hunting service. Learn how you can get expert-driven insights and data through targeted attack notification and access to experts on demand.
**NOTE:**
Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.
If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on Demand subscription.
[Advanced hunting](advanced-hunting-overview.md) | Use a powerful query-based threat-hunting tool to proactively find breach activity and create custom detection rules.
[Management and APIs](management-apis.md) | Microsoft Defender ATP supports a wide variety of tools to help you manage and interact with the platform so that you can integrate the service into your existing workflows.
[Microsoft Threat Protection](threat-protection-integration.md) | Microsoft security products work better together. Learn about other how Microsoft Defender ATP works with other Microsoft security solutions.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/score.md b/windows/security/threat-protection/microsoft-defender-atp/score.md
index 9a903d296f..a0a67a5dd0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/score.md
@@ -37,41 +37,4 @@ Property | Type | Description
:---|:---|:---
Score | Double | The current score.
Time | DateTime | The date and time in which the call for this API was made.
-RbacGroupId | Nullable Int | RBAC Group ID.
-
-
-### Response example for getting machine groups score:
-
-```
-GET https://api.securitycenter.windows.com/api/exposureScore/byMachineGroups
-```
-
-```json
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore",
- "value": [
- {
- "time": "2019-12-03T07:26:49.9376328Z",
- "score": 41.38041766305988,
- "rbacGroupId": 10
- },
- {
- "time": "2019-12-03T07:26:49.9376375Z",
- "score": 23.58823563070858,
- "rbacGroupId": 5
- },
- {
- "time": "2019-12-03T07:26:49.9376382Z",
- "score": 37.403726933165366,
- "rbacGroupId": 11
- },
- {
- "time": "2019-12-03T07:26:49.9376388Z",
- "score": 26.323200116475423,
- "rbacGroupId": 9
- }
- ]
-}
-
-
-```
+RbacGroupName | String | The machine group name.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md
index 6641950721..cc0b92af10 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md
@@ -39,9 +39,7 @@ If your client secret expires or if you've misplaced the copy provided when you
3. Select your tenant.
-4. Click **App registrations**. Then in the applications list, select the application:
- - For SIEM: `https://WindowsDefenderATPSiemConnector`
- - For Threat intelligence API: `https://WindowsDefenderATPCustomerTiConnector`
+4. Click **App registrations**. Then in the applications list, select the application.
5. Select **Keys** section, then provide a key description and specify the key validity duration.
@@ -59,9 +57,7 @@ If you encounter an error when trying to get a refresh token when using the thre
3. Select your tenant.
-4. Click **App Registrations**. Then in the applications list, select the application:
- - For SIEM: `https://WindowsDefenderATPSiemConnector`
- - For Threat intelligence API: `https://WindowsDefenderATPCustomerTiConnector`
+4. Click **App Registrations**. Then in the applications list, select the application.
5. Add the following URL:
- For the European Union: `https://winatpmanagement-eu.securitycenter.windows.com/UserAuthenticationCallback`
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
index 1ffd2a0270..de5dd35eec 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
@@ -1,6 +1,6 @@
---
title: Weaknesses
-description: Windows Defender Security Center offers a Weaknesses page, which lists vulnerabilities found in the infected software running in your organization.
+description: Microsoft Defender Security Center offers a Weaknesses page, which lists vulnerabilities found in the infected software running in your organization.
keywords: mdatp threat & vulnerability management, mdatp tvm weaknesses page, finding weaknesses through tvm, tvm vulnerability list, vulnerability details in tvm
search.product: eADQiWindows 10XVcnh
search.appverid: met150
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md
index d3dd75a836..877203d476 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md
@@ -1,7 +1,7 @@
---
title: Web protection
description: Learn about web protection in Microsoft Defender ATP and how it can protect your organization
-keywords: web protection, web threat protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser
+keywords: web protection, web threat protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser, malicious websites
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@@ -36,7 +36,7 @@ Web threat protection includes:
## Web content filtering
-The cards that make up web content filtering are **Web activity by category**, **Web content filtering summary**, and **Web activity summary**.
+The cards that comprise web content filtering are **Web activity by category**, **Web content filtering summary**, and **Web activity summary**.
Web content filtering includes:
- Users are prevented from accessing websites in blocked categories, whether they are browsing on-premises or away
diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md
index 8d134aaa46..4c475c71c0 100644
--- a/windows/security/threat-protection/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/security-compliance-toolkit-10.md
@@ -41,7 +41,10 @@ The Security Compliance Toolkit consists of:
- Windows Server 2012 R2
- Microsoft Office security baseline
- - Office365 ProPlus (Sept 2019)
+ - Office 365 ProPlus (Sept 2019)
+
+- Microsoft Edge security baseline
+ - Version 79
- Tools
- Policy Analyzer tool
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
index 1ada850d3b..37700da3a6 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
@@ -20,7 +20,7 @@ ms.date: 04/19/2017
# Network security: Configure encryption types allowed for Kerberos
**Applies to**
-- Windows 10
+- Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
Describes the best practices, location, values and security considerations for the **Network security: Configure encryption types allowed for Kerberos** security policy setting.
@@ -35,11 +35,11 @@ The following table lists and explains the allowed encryption types.
| Encryption type | Description and version support |
| - | - |
-| DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10 and Windows Server 2008 R2 operating systems do not support DES by default. |
-| DES_CBC_MD5| Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10 and Windows Server 2008 R2 operating systems do not support DES by default. |
-| RC4_HMAC_MD5| Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 10 and Windows Server 2008 R2.|
-| AES128_HMAC_SHA1| Advanced Encryption Standard in 128 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10 and Windows Server 2008 R2. |
-| AES256_HMAC_SHA1| Advanced Encryption Standard in 256 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10 and Windows Server 2008 R2. |
+| DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10, Windows Server 2008 R2 and later operating systems do not support DES by default. |
+| DES_CBC_MD5| Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10, Windows Server 2008 R2 and later operating systems do not support DES by default. |
+| RC4_HMAC_MD5| Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2.|
+| AES128_HMAC_SHA1| Advanced Encryption Standard in 128 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2. |
+| AES256_HMAC_SHA1| Advanced Encryption Standard in 256 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2. |
| Future encryption types| Reserved by Microsoft for additional encryption types that might be implemented.|
### Possible values
diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
index 253e07225b..20fd54f909 100644
--- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
@@ -49,7 +49,7 @@ The rules that are included in the Windows Server password complexity requiremen
Enabling the default Passfilt.dll may cause some additional Help Desk calls for locked-out accounts because users might not be used to having passwords that contain characters other than those found in the alphabet. However, this policy setting is liberal enough that all users should be able to abide by the requirements with a minor learning curve.
-Additional settings that can be included in a custom Passfilt.dll are the use of non–upper-row characters. Upper-row characters are those that are typed by holding down the SHIFT key and typing any of the digits from 1 through 10.
+Additional settings that can be included in a custom Passfilt.dll are the use of non–upper-row characters. Upper-row characters are those typed by pressing and holding the SHIFT key and then pressing any of the keys on the number row of the keyboard (from 1 through 9 and 0).
### Possible values
@@ -100,7 +100,7 @@ When combined with a [Minimum password length](minimum-password-length.md) of 8,
If the default password complexity configuration is retained, additional Help Desk calls for locked-out accounts could occur because users might not be accustomed to passwords that contain non-alphabetical characters, or they might have problems entering passwords that contain accented characters or symbols on keyboards with different layouts. However, all users should be able to comply with the complexity requirement with minimal difficulty.
-If your organization has more stringent security requirements, you can create a custom version of the Passfilt.dll file that allows the use of arbitrarily complex password strength rules. For example, a custom password filter might require the use of non-upper-row symbols. (Upper-row symbols are those that require you to press and hold the SHIFT key and then press any of the digits between 1 and 0.) A custom password filter might also perform a dictionary check to verify that the proposed password does not contain common dictionary words or fragments.
+If your organization has more stringent security requirements, you can create a custom version of the Passfilt.dll file that allows the use of arbitrarily complex password strength rules. For example, a custom password filter might require the use of non-upper-row symbols. (Upper-row symbols are those that require you to press and hold the SHIFT key and then press any of the keys on the number row of the keyboard, from 1 through 9 and 0.) A custom password filter might also perform a dictionary check to verify that the proposed password does not contain common dictionary words or fragments.
The use of ALT key character combinations can greatly enhance the complexity of a password. However, such stringent password requirements can result in additional Help Desk requests. Alternatively, your organization could consider a requirement for all administrator passwords to use ALT characters in the 0128–0159 range. (ALT characters outside of this range can represent standard alphanumeric characters that would not add additional complexity to the password.)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/antivirus-false-positives-negatives.md b/windows/security/threat-protection/windows-defender-antivirus/antivirus-false-positives-negatives.md
new file mode 100644
index 0000000000..228378515b
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-antivirus/antivirus-false-positives-negatives.md
@@ -0,0 +1,75 @@
+---
+title: What to do with false positives/negatives in Windows Defender Antivirus
+description: Did Windows Defender Antivirus miss or wrongly detect something? Find out what you can do.
+keywords: Windows Defender Antivirus, false positives, false negatives, exclusions
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.date: 02/05/2020
+ms.reviewer:
+manager: dansimp
+audience: ITPro
+ms.topic: article
+---
+
+# What to do with false positives/negatives in Windows Defender Antivirus
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Windows Defender Antivirus is designed to keep your PC safe with built-in, trusted antivirus protection. With Windows Defender Antivirus, you get comprehensive, ongoing, and real-time protection against software threats like viruses, malware and spyware across email, apps, the cloud, and the web.
+
+But what if something gets detected wrongly as malware, or something is missed? We call these false positives and false negatives. Fortunately, there are some steps you can take to deal with these things. You can:
+- [Submit a file to Microsoft for analysis](#submit-a-file-to-microsoft-for-analysis);
+- [Create an "Allow" indicator to prevent a false positive from recurring](#create-an-allow-indicator-to-prevent-a-false-positive-from-recurring); or
+- [Define an exclusion on an individual Windows device to prevent an item from being scanned](#define-an-exclusion-on-an-individual-windows-device-to-prevent-an-item-from-being-scanned) by Windows Defender Antivirus.
+
+## Submit a file to Microsoft for analysis
+
+1. Review the [submission guidelines](../intelligence/submission-guide.md).
+2. [Submit your file or sample](https://www.microsoft.com/wdsi/filesubmission).
+
+> [!TIP]
+> We recommend signing in at the submission portal so you can track the results of your submissions.
+
+## Create an "Allow" indicator to prevent a false positive from recurring
+
+If a file, IP address, URL, or domain is treated as malware on a device, even though it's safe, you can create an "Allow" indicator. This indicator tells Windows Defender Antivirus (and Microsoft Defender Advanced Threat Protection) that the item is safe.
+
+To set up your "Allow" indicator, follow the guidance in [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators).
+
+## Define an exclusion on an individual Windows device to prevent an item from being scanned
+
+When you define an exclusion for Windows Defender Antivirus, you configure your antivirus to skip that item.
+
+1. On your Windows 10 device, open the Windows Security app.
+2. Select **Virus & threat protection** > **Virus & threat protection settings**.
+3. Under **Exclusions**, select **Add or remove exclusions**.
+4. Select **+ Add an exclusion**, and specify its type (**File**, **Folder**, **File type**, or **Process**).
+
+The following table summarizes exclusion types, how they're defined, and what happens when they're in effect.
+
+|Exclusion type |Defined by |What happens |
+|---------|---------|---------|
+|**File** |Location
Example: `c:\sample\sample.test` |The specified file is skipped by Windows Defender Antivirus. |
+|**Folder** |Location
Example: `c:\test\sample` |All items in the specified folder are skipped by Windows Defender Antivirus. |
+|**File type** |File extension
Example: `.test` |All files with the specified extension anywhere on your device are skipped by Windows Defender Antivirus. |
+|**Process** |Executable file path
Example: `c:\test\process.exe` |The specified process and any files that are opened by that process are skipped by Windows Defender Antivirus. |
+
+To learn more, see:
+- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus)
+- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus)
+
+## Related articles
+
+[What is Microsoft Defender Advanced Threat Protection?](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection)
+
+[Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
index 18816d928e..981c05b0ae 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
@@ -29,7 +29,7 @@ See [Configure device restriction settings in Microsoft Intune](https://docs.mic
-## Use Configuration Manager to configure scanning options:
+## Use Microsoft Endpoint Configuration Manager to configure scanning options:
See [How to create and deploy antimalware policies: Scan settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch).
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
index f6da565014..03cf88d610 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 09/03/2018
+ms.date: 02/05/2020
ms.reviewer:
manager: dansimp
---
@@ -23,21 +23,15 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-You can exclude certain files, folders, processes, and process-opened files from Windows Defender Antivirus scans.
-
-The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). Exclusions for process-opened files only apply to real-time protection.
-
-Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization.
-
-Windows Server 2016 also features automatic exclusions that are defined by the server roles you enable. See the [Windows Defender Antivirus exclusions on Windows Server 2016](configure-server-exclusions-windows-defender-antivirus.md) topic for more information and a list of the automatic exclusions.
+You can exclude certain files, folders, processes, and process-opened files from Windows Defender Antivirus scans. Such exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). Exclusions for process-opened files only apply to real-time protection.
>[!WARNING]
>Defining exclusions lowers the protection offered by Windows Defender Antivirus. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
-## In this section
+- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md). This enables you to exclude files from Windows Defender Antivirus scans based on their file extension, file name, or location.
-Topic | Description
----|---
-[Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) | Exclude files from Windows Defender Antivirus scans based on their file extension, file name, or location
-[Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) | Exclude files from scans that have been opened by a specific process
-[Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) | Windows Server 2016 includes automatic exclusions, based on the defined server role. You can also add custom exclusions.
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md). This enables you to exclude files from scans that have been opened by a specific process.
+
+## Related articles
+
+[Windows Defender Antivirus exclusions on Windows Server 2016](configure-server-exclusions-windows-defender-antivirus.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
index 9a1559d85e..588354937a 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
@@ -364,3 +364,4 @@ You can also copy the string into a blank text file and attempt to save it with
- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Handling false positives/negatives](antivirus-false-positives-negatives.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
index 85b7b015a3..6c817499da 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
@@ -266,7 +266,7 @@ This section lists the exclusions that are delivered automatically when you inst
- %windir%\Ntds\ntds.pat
-- The AD DS transaction log files. The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files`
+- The AD DS transaction log files. The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path`
- %windir%\Ntds\EDB*.log
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
index b5a79ca055..ad266974fa 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
@@ -1,6 +1,6 @@
---
-title: Windows Defender Antivirus VDI deployment guide
-description: Learn how to deploy Windows Defender Antivirus in a VDI environment for the best balance between protection and performance.
+title: Windows Defender Antivirus Virtual Desktop Infrastructure deployment guide
+description: Learn how to deploy Windows Defender Antivirus in a virtual desktop environment for the best balance between protection and performance.
keywords: vdi, hyper-v, vm, virtual machine, windows defender, antivirus, av, virtual desktop, rds, remote desktop
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 09/03/2018
+ms.date: 01/31/2020
ms.reviewer:
manager: dansimp
---
@@ -25,13 +25,13 @@ manager: dansimp
In addition to standard on-premises or hardware configurations, you can also use Windows Defender Antivirus in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment.
-See the [Microsoft Desktop virtualization site](https://www.microsoft.com/server-cloud/products/virtual-desktop-infrastructure/) for more details on Microsoft Remote Desktop Services and VDI support.
+See [Windows Virtual Desktop Documentation](https://docs.microsoft.com/azure/virtual-desktop) for more details on Microsoft Remote Desktop Services and VDI support.
For Azure-based virtual machines, you can also review the [Install Endpoint Protection in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection) topic.
With the ability to easily deploy updates to VMs running in VDIs, we've shortened this guide to focus on how you can get updates on your machines quickly and easily. You no longer need to create and seal golden images on a periodic basis, as updates are expanded into their component bits on the host server and then downloaded directly to the VM when it's turned on.
-This guide will show you how to configure your VMs for optimal protection and performance, including how to:
+This guide describes how to configure your VMs for optimal protection and performance, including how to:
- [Set up a dedicated VDI file share for security intelligence updates](#set-up-a-dedicated-vdi-file-share)
- [Randomize scheduled scans](#randomize-scheduled-scans)
@@ -41,64 +41,93 @@ This guide will show you how to configure your VMs for optimal protection and pe
- [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline)
- [Apply exclusions](#exclusions)
-You can also download the whitepaper [Windows Defender Antivirus on Virtual Desktop Infrastructure](https://demo.wd.microsoft.com/Content/wdav-testing-vdi-ssu.pdf) which looks at the new shared security intelligence update feature, alongside performance testing and guidance on how you can test antivirus performance on your own VDI.
+You can also download the whitepaper [Windows Defender Antivirus on Virtual Desktop Infrastructure](https://demo.wd.microsoft.com/Content/wdav-testing-vdi-ssu.pdf), which looks at the new shared security intelligence update feature, alongside performance testing and guidance on how you can test antivirus performance on your own VDI.
> [!IMPORTANT]
-> While the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows.
-
-
-> [!NOTE]
-> There are performance and feature improvements to the way in which Windows Defender AV operates on virtual machines in Windows 10 Insider Preview, build 18323 (and later). We'll identify in this guide if you need to be using an Insider Preview build; if it isn't specified, then the minimum required version for the best protection and performance is Windows 10 1607.
-
-
+> Although the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows.
There are performance and feature improvements to the way in which Windows Defender AV operates on virtual machines in Windows 10 Insider Preview, build 18323 (and later). We'll identify in this guide if you need to be using an Insider Preview build; if it isn't specified, then the minimum required version for the best protection and performance is Windows 10 1607.
### Set up a dedicated VDI file share
-In Windows 10, version 1903, we introduced the shared security intelligence feature. This offloads the unpackaging of downloaded security intelligence updates onto a host machine - thus saving previous CPU, disk, and memory resources on individual machines.
+In Windows 10, version 1903, we introduced the shared security intelligence feature. This offloads the unpackaging of downloaded security intelligence updates onto a host machine - thus saving previous CPU, disk, and memory resources on individual machines. You can set this feature with [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), Group Policy, or PowerShell.
-You can set this feature with Intune, Group Policy, or PowerShell.
+> [!TIP]
+> If you don't already have Intune, [try it for free](https://docs.microsoft.com/intune/fundamentals/free-trial-sign-up)!
-Open the Intune management portal either by searching for Intune on https://portal.azure.com or going to https://devicemanagement.microsoft.com and logging in.
+Open the Intune Management Portal either by searching for Intune on [https://portal.azure.com](https://portal.azure.com) or going to [https://devicemanagement.microsoft.com](https://devicemanagement.microsoft.com) and logging in.
-1. To create a group with only the devices or users you specify:
-1. Go to **Groups**. Click **New group**. Use the following values:
- 1. Group type: **Security**
- 2. Group name: **VDI test VMs**
- 3. Group description: *Optional*
- 4. Membership type: **Assigned**
-
-1. Add the devices or users you want to be a part of this test and then click **Create** to save the group. It’s a good idea to create a couple of groups, one with VMs running the latest Insider Preview build and with the shared security intelligence update feature enabled, and another with VMs that are running Windows 10 1809 or earlier versions. This will help when you create dashboards to test the performance changes.
+#### To create a group with only the devices or users you specify
-1. To create a group that will include any machine in your tenant that is a VM, even when they are newly created:
+1. Go to **Groups** > **New group**.
+
+2. Specify the following values:
+ - Group type: **Security**
+ - Group name: **VDI test VMs**
+ - Group description: *Optional*
+ - Membership type: **Assigned**
+
+3. Add the devices or users you want to be a part of this test and then click **Create** to save the group.
+
+It’s a good idea to create a couple of groups, one with VMs running the latest Insider Preview build and with the shared security intelligence update feature enabled, and another with VMs that are running Windows 10 1809 or earlier versions. This will help when you create dashboards to test the performance changes.
+
+#### To create a group that will include any machine in your tenant that is a VM, even when they are newly created
+
+1. Go to **Groups** > **New group**.
+
+2. Specify the following values:
+ - Group type: **Security**
+ - Group name: **VDI test VMs**
+ - Group description: *Optional*
+ - Membership type: **Dynamic Device**
+
+3. Click **Simple rule**, and select **deviceModel**, **Equals**, and enter **Virtual Machine**.
+
+4. Click **Add query** and then **Create** to save the group.
+
+5. Go to **Device configuration**, then **Profiles**. You can modify an existing custom profile or create a new one.
+
+#### Create a new device configuration profile
+
+In this example, we create a new device configuration profile by clicking **Create profile**.
-1. Go to **Groups**. Click **New group**. Use the following values:
- 1. Group type: **Security**
- 2. Group name: **VDI test VMs**
- 3. Group description: *Optional*
- 4. Membership type: **Dynamic Device**
-1. Click **Simple rule**, and select **deviceModel**, **Equals**, and enter **Virtual Machine**. Click **Add query** and then **Create** to save the group.
-1. Go to **Device configuration**, then **Profiles**. You can modify an existing custom profile or create a new one. In this demo I’m going to create a new one by clicking **Create profile**.
1. Name it, choose **Windows 10 and later** as the Platform and – most importantly – select **Custom** as the profile type.
-1. The **Custom OMA-URI Settings** blade is opened automatically. Click **Add** then enter the following values:
- 1. Name: **VDI shared sig location**
- 1. Description: *Optional*
- 1. OMA-URI: **./Vendor/MSFT/Defender/SharedSignatureRoot**
- 1. Data type: **String**
- 1. Value: **\\
If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
>It may also prevent Windows Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed.
>This will significantly lower the protection of your device and could lead to malware infection.
-See the [Windows Security topic](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app.
+See the [Windows Security article](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app.
->[!NOTE]
->The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal that is used to review and manage [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md).
+The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal that is used to review and manage [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md).
## Review virus and threat protection settings in the Windows Security app
@@ -130,6 +126,19 @@ This section describes how to perform some of the most common tasks when reviewi
5. Click the plus icon to choose the type and set the options for each exclusion.
+The following table summarizes exclusion types and what happens:
+
+|Exclusion type |Defined by |What happens |
+|---------|---------|---------|
+|**File** |Location
Example: `c:\sample\sample.test` |The specific file is skipped by Windows Defender Antivirus. |
+|**Folder** |Location
Example: `c:\test\sample` |All items in the specified folder are skipped by Windows Defender Antivirus. |
+|**File type** |File extension
Example: `.test` |All files with the `.test` extension anywhere on your device are skipped by Windows Defender Antivirus. |
+|**Process** |Executable file path
Example: `c:\test\process.exe` |The specific process and any files that are opened by that process are skipped by Windows Defender Antivirus. |
+
+To learn more, see:
+- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus)
+- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus)
+
### Review threat detection history in the Windows Defender Security Center app
1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or
diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
index 4095a6a122..4ead268500 100644
--- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
+++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
@@ -32,7 +32,8 @@ Refer to the below video for an overview and brief demo.
## Policy Authorization Process
-The general steps for expanding the S mode base policy on your devices are to generate a supplemental policy, sign that policy, and then upload the signed policy to Intune and assign it to user or device groups.
+The general steps for expanding the S mode base policy on your Intune-managed devices are to generate a supplemental policy, sign that policy, and then upload the signed policy to Intune and assign it to user or device groups. Because you need access to WDAC PowerShell cmdlets to generate your supplemental policy, you should create and manage your policies on a non-S mode device. Once the policy has been uploaded to Intune, we recommend assigning it to a single test S-mode device to verify expected functioning before deploying the policy more broadly.
+
1. Generate a supplemental policy with WDAC tooling
This policy will expand the S mode base policy to authorize additional applications. Anything authorized by either the S mode base policy or your supplemental policy will be allowed to run. Your supplemental policies can specify filepath rules, trusted publishers, and more.
@@ -60,7 +61,7 @@ The general steps for expanding the S mode base policy on your devices are to ge
- Since you'll be signing your policy, you must authorize the signing certificate you will use to sign the policy and optionally one or more additional signers that can be used to sign updates to the policy in the future. For more information, refer to Section 2, Sign policy. Use Add-SignerRule to add the signing certificate to the WDAC policy:
```powershell
- Add-SignerRule -FilePath