From 825422fb5829ebf880a67e51ad9b61878eddd509 Mon Sep 17 00:00:00 2001 From: LauraKellerGitHub Date: Fri, 27 Dec 2019 04:49:53 -0800 Subject: [PATCH 01/14] Rebrand System Center to Microsoft Endpoint _ Five git status git commit -m Rebrand System Center to Microsoft Endpoint _ Five --- .../update/windows-analytics-get-started.md | 4 +- .../update/windows-analytics-overview.md | 2 +- windows/deployment/update/wufb-autoupdate.md | 2 +- .../deployment/update/wufb-managedrivers.md | 2 +- ...windows-upgrades-with-upgrade-readiness.md | 95 +- .../upgrade/resolution-procedures.md | 4 +- .../upgrade-readiness-deploy-windows.md | 2 +- .../upgrade/upgrade-readiness-get-started.md | 2 +- .../upgrade/upgrade-readiness-requirements.md | 4 +- ...with-system-center-configuraton-manager.md | 10 +- .../upgrade/windows-10-edition-upgrades.md | 501 ++-- .../usmt/usmt-common-migration-scenarios.md | 309 +-- .../usmt/usmt-test-your-migration.md | 107 +- .../configure-client-computers-vamt.md | 189 +- .../windows-10-deployment-posters.md | 6 +- .../windows-10-deployment-scenarios.md | 552 ++-- .../windows-10-enterprise-e3-overview.md | 518 ++-- windows/deployment/windows-10-media.md | 2 +- windows/deployment/windows-10-poc-mdt.md | 1312 +++++----- .../windows-10-poc-sc-config-mgr.md | 2164 ++++++++-------- windows/deployment/windows-10-poc.md | 2214 +++++++++-------- .../windows-autopilot/add-devices.md | 4 +- .../windows-autopilot/autopilot-faq.md | 4 +- .../windows-autopilot/deployment-process.md | 4 +- .../windows-autopilot/existing-devices.md | 2 +- .../windows-autopilot/windows-autopilot.md | 2 +- ...ndows-diagnostic-events-and-fields-1703.md | 4 +- ...ndows-diagnostic-events-and-fields-1709.md | 2 +- ...ndows-diagnostic-events-and-fields-1803.md | 2 +- ...ndows-diagnostic-events-and-fields-1809.md | 4 +- 30 files changed, 4022 insertions(+), 4007 deletions(-) 
diff --git a/windows/deployment/update/windows-analytics-get-started.md b/windows/deployment/update/windows-analytics-get-started.md index 18a4d35cd9..5a35460bf7 100644 --- a/windows/deployment/update/windows-analytics-get-started.md +++ b/windows/deployment/update/windows-analytics-get-started.md @@ -96,7 +96,7 @@ If your organization uses proxy server authentication for outbound traffic, use ## Deploy the compatibility update and related updates -The compatibility update scans your devices and enables application usage tracking. If you don’t already have these updates installed, you can download the applicable version from the Microsoft Update Catalog or deploy it using Windows Server Update Services (WSUS) or your software distribution solution, such as System Center Configuration Manager. +The compatibility update scans your devices and enables application usage tracking. If you don’t already have these updates installed, you can download the applicable version from the Microsoft Update Catalog or deploy it using Windows Server Update Services (WSUS) or your software distribution solution, such as Microsoft Endpoint Configuration Manager. | **Operating System** | **Updates** | |----------------------|-----------------------------------------------------------------------------| 
@@ -172,7 +172,7 @@ When you run the deployment script, it initiates a full scan. The daily schedule ### Distribute the deployment script at scale -Use a software distribution system such as System Center Configuration Manager to distribute the Upgrade Readiness deployment script at scale. For more information, see [Upgrade Readiness deployment script](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-readiness-deployment-script). For information on how to deploy PowerShell scripts by using Windows Intune, see [Manage PowerShell scripts in Intune for Windows 10 devices](https://docs.microsoft.com/intune/intune-management-extension). +Use a software distribution system such as Microsoft Endpoint Configuration Manager to distribute the Upgrade Readiness deployment script at scale. For more information, see [Upgrade Readiness deployment script](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-readiness-deployment-script). For information on how to deploy PowerShell scripts by using Windows Intune, see [Manage PowerShell scripts in Intune for Windows 10 devices](https://docs.microsoft.com/intune/intune-management-extension). ### Distributing policies at scale diff --git a/windows/deployment/update/windows-analytics-overview.md b/windows/deployment/update/windows-analytics-overview.md index 5d63af3e36..54503af57c 100644 --- a/windows/deployment/update/windows-analytics-overview.md +++ b/windows/deployment/update/windows-analytics-overview.md 
@@ -46,7 +46,7 @@ Use Upgrade Readiness to get: - Guidance and insights into application and driver compatibility issues, with suggested fixes - Data-driven application rationalization tools - Application usage information, allowing targeted validation; workflow to track validation progress and decisions -- Data export to commonly used software deployment tools, including System Center Configuration Manager +- Data export to commonly used software deployment tools, including Microsoft Endpoint Configuration Manager To get started with any of these solutions, visit the links for instructions to add it to Azure Portal. diff --git a/windows/deployment/update/wufb-autoupdate.md b/windows/deployment/update/wufb-autoupdate.md index 828c0bf6b7..f4d794c2b8 100644 --- a/windows/deployment/update/wufb-autoupdate.md +++ b/windows/deployment/update/wufb-autoupdate.md 
@@ -27,7 +27,7 @@ Automatic Update governs the "behind the scenes" download and installation proce |-|-| |Configure Automatic Updates|Governs the installation activity that happens in the background. This allows you to configure the installation to happen during the [maintenance window](https://docs.microsoft.com/sccm/core/clients/manage/collections/use-maintenance-windows). Also, you can specify an installation time where the device will also try to install the latest packages. You can also pick a certain day and or week.| |Automatic Update Detection Frequency|Lets you set the scan frequency the device will use to connect to Windows Update to see if there is any available content. Default is 22 hours, but you can increase or decrease the frequency. Keep in mind a desktop computer may need to scan less frequently than laptops, which can have intermittent internet connection.| -|Specify Intranet Microsoft Update Service Location|Used for Windows Server Update Services or System Center Configuration Manager users who want to install custom packages that are not offered through Windows Update.| +|Specify Intranet Microsoft Update Service Location|Used for Windows Server Update Services or Microsoft Endpoint Configuration Manager users who want to install custom packages that are not offered through Windows Update.| |Do not connect to any Windows Update Internet locations
Required for Dual Scan|Prevents access to Windows Update.| ## Suggested configuration diff --git a/windows/deployment/update/wufb-managedrivers.md b/windows/deployment/update/wufb-managedrivers.md index 0fe22b0935..e451d7751a 100644 --- a/windows/deployment/update/wufb-managedrivers.md +++ b/windows/deployment/update/wufb-managedrivers.md @@ -41,7 +41,7 @@ You can use an on-premises catalog, like WSUS, to deploy 3rd Party patches and u |Policy| Description | |-|-| -|Specify Intranet Microsoft Update Service Location| Used for WSUS/System Center Configuration Manager customers who want to install custom packages that are not offered through Windows Update.| +|Specify Intranet Microsoft Update Service Location| Used for WSUS/Microsoft Endpoint Configuration Manager customers who want to install custom packages that are not offered through Windows Update.| ### Suggested configuration diff --git a/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md b/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md index 078074ba23..bcfd0a6ac4 100644 --- a/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md +++ b/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md 
@@ -1,47 +1,48 @@ ---- -title: Manage Windows upgrades with Upgrade Readiness (Windows 10) -description: Provides an overview of the process of managing Windows upgrades with Upgrade Readiness. -ms.prod: w10 -audience: itpro author: greg-lindsay -ms.date: 04/25/2017 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.topic: article ---- - -# Manage Windows upgrades with Upgrade Readiness - -Upgrading to new operating systems has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points. - -With the release of Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released. Windows Upgrade Readiness not only supports upgrade management from Windows 7, Windows 8.1 to Windows 10, but also Windows 10 upgrades in the [Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview) model. - -Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10. - -With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. 
- -Use Upgrade Readiness to get: - -- A visual workflow that guides you from pilot to production -- Detailed computer and application inventory -- Powerful computer level search and drill-downs -- Guidance and insights into application and driver compatibility issues, with suggested fixes -- Data driven application rationalization tools -- Application usage information, allowing targeted validation; workflow to track validation progress and decisions -- Data export to commonly used software deployment tools, including System Center Configuration Manager - -The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. - -**Important** For system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see: - -- [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization) -- [Manage connections from Windows operating system components to Microsoft services](/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services) -- [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965) - -## **Related topics** - -[Upgrade Readiness architecture](upgrade-readiness-architecture.md)
-[Upgrade Readiness requirements](upgrade-readiness-requirements.md)
-[Upgrade Readiness release notes](upgrade-readiness-requirements.md#important-information-about-this-release)
-[Get started with Upgrade Readiness](upgrade-readiness-get-started.md)
-[Use Upgrade Readiness to manage Windows upgrades](use-upgrade-readiness-to-manage-windows-upgrades.md) +--- +title: Manage Windows upgrades with Upgrade Readiness (Windows 10) +description: Provides an overview of the process of managing Windows upgrades with Upgrade Readiness. +ms.prod: w10 +audience: itpro +author: greg-lindsay +ms.date: 04/25/2017 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.topic: article +--- + +# Manage Windows upgrades with Upgrade Readiness + +Upgrading to new operating systems has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points. + +With the release of Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released. Windows Upgrade Readiness not only supports upgrade management from Windows 7, Windows 8.1 to Windows 10, but also Windows 10 upgrades in the [Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview) model. + +Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10. + +With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. 
+ +Use Upgrade Readiness to get: + +- A visual workflow that guides you from pilot to production +- Detailed computer and application inventory +- Powerful computer level search and drill-downs +- Guidance and insights into application and driver compatibility issues, with suggested fixes +- Data driven application rationalization tools +- Application usage information, allowing targeted validation; workflow to track validation progress and decisions +- Data export to commonly used software deployment tools, including Microsoft Endpoint Configuration Manager + +The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. + +**Important** For system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see: + +- [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization) +- [Manage connections from Windows operating system components to Microsoft services](/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services) +- [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965) + +## **Related topics** + +[Upgrade Readiness architecture](upgrade-readiness-architecture.md)
+[Upgrade Readiness requirements](upgrade-readiness-requirements.md)
+[Upgrade Readiness release notes](upgrade-readiness-requirements.md#important-information-about-this-release)
+[Get started with Upgrade Readiness](upgrade-readiness-get-started.md)
+[Use Upgrade Readiness to manage Windows upgrades](use-upgrade-readiness-to-manage-windows-upgrades.md) diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md index 7b336767e8..c988b29eff 100644 --- a/windows/deployment/upgrade/resolution-procedures.md +++ b/windows/deployment/upgrade/resolution-procedures.md @@ -610,7 +610,7 @@ Download and run the media creation tool. See hotfix 3095113, WSUS doesn't recognize the Upgrades classification and instead treats the upgrade like a regular update. +Occurs when update synchronization fails. It can occur when you are using Windows Server Update Services on its own or when it is integrated with Microsoft Endpoint Configuration Manager. If you enable update synchronization before you install hotfix 3095113, WSUS doesn't recognize the Upgrades classification and instead treats the upgrade like a regular update. You can prevent this by installing hotfix 3095113 before you enable update synchronization. However, if you have already run into this problem, do the following:
  1. Disable the Upgrades classification.
  2. @@ -625,7 +625,7 @@ For detailed information on how to run these steps check out hotfix 3095113 installed before you enable update synchronization. Specifically, the CopyToCache operation fails on clients that have already downloaded the upgrade because Windows Server Update Services has bad metadata related to the upgrade. It can occur when you are using standalone Windows Server Update Services or when WSUS is integrated with System Center Configuration Manager. +Occurs when update synchronization fails because you do not have hotfix 3095113 installed before you enable update synchronization. Specifically, the CopyToCache operation fails on clients that have already downloaded the upgrade because Windows Server Update Services has bad metadata related to the upgrade. It can occur when you are using standalone Windows Server Update Services or when WSUS is integrated with Microsoft Endpoint Configuration Manager. Use the following steps to repair Windows Server Update Services. You must run these steps on each WSUS server that synched metadata before you installed the hotfix.
    1. Stop the Windows Update service. Sign in as a user with administrative privileges, and then do the following: diff --git a/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md b/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md index 7ae486f5d3..fa371c6122 100644 --- a/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md +++ b/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md @@ -43,7 +43,7 @@ Select **Export computers** for more details, including computer name, manufactu ## Computer groups -Computer groups allow you to segment your environment by creating device groups based on log search results, or by importing groups from Active Directory, WSUS or System Center Configuration Manager. Computer groups are an OMS feature. For more information, see [Computer groups in OMS](https://blogs.technet.microsoft.com/msoms/2016/04/04/computer-groups-in-oms/). +Computer groups allow you to segment your environment by creating device groups based on log search results, or by importing groups from Active Directory, WSUS or Microsoft Endpoint Configuration Manager. Computer groups are an OMS feature. For more information, see [Computer groups in OMS](https://blogs.technet.microsoft.com/msoms/2016/04/04/computer-groups-in-oms/). Query based computer groups are recommended in the initial release of this feature. A feature known as **Configuration Manager Upgrade Readiness Connector** is anticipated in a future release that will enable synchronization of **ConfigMgr Collections** with computer groups in OMS. diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md index 0e4b6350ae..ea1383f381 100644 --- a/windows/deployment/upgrade/upgrade-readiness-get-started.md +++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md @@ -29,7 +29,7 @@ Before you begin, consider reviewing the following helpful information:
      - [Upgrade Readiness requirements](upgrade-readiness-requirements.md): Provides detailed requirements to use Upgrade Readiness.
      - [Upgrade Readiness blog](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/bg-p/WindowsAnalyticsBlog): Contains announcements of new features and provides helpful tips for using Upgrade Readiness. ->If you are using System Center Configuration Manager, also check out information about how to integrate Upgrade Readiness with Configuration Manager: [Integrate Upgrade Readiness with System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics). +>If you are using Microsoft Endpoint Configuration Manager, also check out information about how to integrate Upgrade Readiness with Configuration Manager: [Integrate Upgrade Readiness with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics). When you are ready to begin using Upgrade Readiness, perform the following steps: diff --git a/windows/deployment/upgrade/upgrade-readiness-requirements.md b/windows/deployment/upgrade/upgrade-readiness-requirements.md index b200bd292e..63790211b8 100644 --- a/windows/deployment/upgrade/upgrade-readiness-requirements.md +++ b/windows/deployment/upgrade/upgrade-readiness-requirements.md 
@@ -55,9 +55,9 @@ If you are not using Azure Portal or Azure Log Analytics, go to [Log Analytics]( >[!IMPORTANT] >You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work or School account when you sign in to Azure Portal. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in Azure Portal. You also need an Azure subscription to link to your Azure Portal workspace. The account you used to create the workspace must have administrator permissions on the Azure subscription in order to link the workspace to the Azure account. Once the link has been established, you can revoke the administrator permissions. -## System Center Configuration Manager integration +## Microsoft Endpoint Configuration Manager integration -Upgrade Readiness can be integrated with your installation of Configuration Manager. For more information, see [Integrate Upgrade Readiness with System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics). +Upgrade Readiness can be integrated with your installation of Configuration Manager. For more information, see [Integrate Upgrade Readiness with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics). diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md index c6118f8f14..07cdb2d8da 100644 --- a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md +++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md 
@@ -1,6 +1,6 @@ --- title: Perform in-place upgrade to Windows 10 via Configuration Manager -description: In-place upgrades make upgrading Windows 7, Windows 8, and Windows 8.1 to Windows 10 easy -- you can even automate the whole process with a SCCM task sequence. +description: In-place upgrades make upgrading Windows 7, Windows 8, and Windows 8.1 to Windows 10 easy -- you can even automate the whole process with a Microsoft Endpoint Configuration Manager task sequence. ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878 ms.reviewer: manager: laurawi @@ -21,7 +21,7 @@ ms.topic: article - Windows 10 -The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. +The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Endpoint Configuration Manager task sequence to completely automate the process. ## Proof-of-concept environment 
@@ -111,10 +111,10 @@ Figure 2. Upgrade from Windows 7 to Windows 10 Enterprise x64 with a task sequ After the task sequence finishes, the computer will be fully upgraded to Windows 10. -## Upgrade to Windows 10 with System Center Configuration Manager Current Branch +## Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager Current Branch -With System Center Configuration Manager Current Branch, new built-in functionality makes it easier to upgrade to Windows 10. +With Microsoft Endpoint Configuration Manager Current Branch, new built-in functionality makes it easier to upgrade to Windows 10. **Note**   For more details about Configuration Manager Current Branch, see the [Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620205). An [evaluation version is currently available](https://go.microsoft.com/fwlink/p/?LinkId=620206) for you to try. The instructions below are specific to the Technical Preview 2 release and may change after the next version of Configuration Manager is released. @@ -147,7 +147,7 @@ Figure 3. The Configuration Manager upgrade task sequence. ### Create a device collection -After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0001 machine running Windows 7 SP1, with the next version of System Center Configuration Manager client installed. +After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0001 machine running Windows 7 SP1, with the next version of Microsoft Endpoint Configuration Manager client installed. 1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: - General 
diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index d683bd63b3..f0ed48723b 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md 
@@ -1,250 +1,251 @@ ---- -title: Windows 10 edition upgrade (Windows 10) -description: With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. -ms.assetid: A7642E90-A3E7-4A25-8044-C4E402DC462A -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mobile -audience: itpro author: greg-lindsay -ms.topic: article ---- - -# Windows 10 edition upgrade - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkID=690882). For a comprehensive list of all possible upgrade paths to Windows 10, see [Windows 10 upgrade paths](windows-10-upgrade-paths.md). Downgrading the edition of Windows is discussed in the [License expiration](#license-expiration) section on this page. - -For a list of operating systems that qualify for the Windows 10 Pro Upgrade or Windows 10 Enterprise Upgrade through Microsoft Volume Licensing, see [Windows 10 Qualifying Operating Systems](https://download.microsoft.com/download/2/d/1/2d14fe17-66c2-4d4c-af73-e122930b60f6/Windows10-QOS.pdf). - -The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. **Note**: The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607. - -Note: Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](https://docs.microsoft.com/sccm/compliance/deploy-use/upgrade-windows-version) in System Center Configuration Manager. - -![not supported](../images/x_blk.png) (X) = not supported
      -![supported, reboot required](../images/check_grn.png) (green checkmark) = supported, reboot required
      -![supported, no reboot](../images/check_blu.png) (blue checkmark) = supported, no reboot required
      - - - -| Edition upgrade | Using mobile device management (MDM) | Using a provisioning package | Using a command-line tool | Using Microsoft Store for Business or PC | Entering a product key manually | Purchasing a license from the Microsoft Store | -|-----------------| ------------------------------------ | --------------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- | -| **Home > Pro** | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | -| **Home > Pro for Workstations** | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | -| **Home > Pro Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Home > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Pro > Pro for Workstations** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no 
reboot](../images/check_blu.png)
      (MSfB) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | -| **Pro > Pro Education** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
      (MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
      (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Pro > Enterprise** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
      (1703 - PC)
      (1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro for Workstations > Pro Education** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
      (MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro for Workstations > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
      (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Pro for Workstations > Enterprise** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
      (1703 - PC)
      (1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro Education > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
      (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Enterprise > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
      (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Mobile > Mobile Enterprise** | ![supported, no reboot](../images/check_blu.png) |![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | - -> [!NOTE] -> - For information about upgrade paths in Windows 10 in S mode (for Pro or Education), check out [Windows 10 Pro/Enterprise in S mode](../windows-10-pro-in-s-mode.md) -> - Each desktop edition in the table also has an N and KN SKU. These editions have had media-related functionality removed. Devices with N or KN SKUs installed can be upgraded to corresponding N or KN SKUs using the same methods. ->
      -> - Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes) the term LTSB might still be displayed in some products. This name will change to LTSC with subsequent feature updates. - -## Upgrade using mobile device management (MDM) -- To upgrade desktop editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithProductKey** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](https://go.microsoft.com/fwlink/p/?LinkID=690907). - -- To upgrade mobile editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithLicense** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](https://go.microsoft.com/fwlink/p/?LinkID=690907). - -## Upgrade using a provisioning package -Use Windows Configuration Designer to create a provisioning package to upgrade a desktop edition or mobile edition of Windows 10. To get started, [install Windows Configuration Designer from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22). - -- To create a provisioning package for upgrading desktop editions of Windows 10, go to **Runtime settings > EditionUpgrade > UpgradeEditionWithProductKey** in the **Available customizations** panel in Windows ICD and enter the product key for the upgraded edition. - -- To create a provisioning package for upgrading mobile editions of Windows 10, go to **Runtime settings > EditionUpgrade > UpgradeEditionWithLicense** in the **Available customizations** panel in Windows ICD and enter the product key for the upgraded edition. 
- -For more info about Windows Configuration Designer, see these topics: -- [Create a provisioining package for Windows 10](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-create-package) -- [Apply a provisioning package](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-apply-package) - - -## Upgrade using a command-line tool -You can run the changepk.exe command-line tool to upgrade devices to a supported edition of Windows 10: - -`changepk.exe /ProductKey ` - -You can also upgrade using slmgr.vbs and a [KMS client setup key](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v%3dws.11)). For example, the following command will upgrade to Windows 10 Enterprise. - -`Cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43` - - -## Upgrade by manually entering a product key -If you are upgrading only a few devices, you may want to enter a product key for the upgraded edition manually. - -**To manually enter a product key** - -1. From either the Start menu or the Start screen, type 'Activation' and click on the Activation shortcut. - -2. Click **Change product key**. - -3. Enter your product key. - -4. Follow the on-screen instructions. - -## Upgrade by purchasing a license from the Microsoft Store -If you do not have a product key, you can upgrade your edition of Windows 10 through the Microsoft Store. - -**To upgrade through the Microsoft Store** - -1. From either the **Start** menu or the **Start** screen, type 'Activation' and click on the Activation shortcut. - -2. Click **Go to Store**. - -3. Follow the on-screen instructions. - - **Note**
      If you are a Windows 10 Home N or Windows 10 Home KN user and have trouble finding your applicable upgrade in the Microsoft Store, click [here](ms-windows-store://windowsupgrade/). - -## License expiration - -Volume license customers whose license has expired will need to change the edition of Windows 10 to an edition with an active license. Switching to a downgraded edition of Windows 10 is possible using the same methods that were used to perform an edition upgrade. If the downgrade path is supported, then your apps and settings can be migrated from the current edition. If a path is not supported, then a clean install is required. - -Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a different product key is not supported. You also cannot downgrade from a later version to an earlier version of the same edition (Ex: Windows 10 Pro 1709 to 1703) unless the rollback process is used. This topic does not discuss version downgrades. - -Note: If you are using [Windows 10 Enterprise Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) and a license expires, devices will automatically revert to the original edition when the grace period expires. - -### Scenario example - -Downgrading from Enterprise -- Original edition: **Professional OEM** -- Upgrade edition: **Enterprise** -- Valid downgrade paths: **Pro, Pro for Workstations, Pro Education, Education** - -You can move directly from Enterprise to any valid destination edition. In this example, downgrading to Pro for Workstations, Pro Education, or Education requires an additional activation key to supersede the firmware-embedded Pro key. In all cases, you must comply with [Microsoft License Terms](https://www.microsoft.com/useterms). If you are a volume license customer, refer to the [Microsoft Volume Licensing Reference Guide](https://www.microsoft.com/download/details.aspx?id=11091). 
- -### Supported Windows 10 downgrade paths - -✔ = Supported downgrade path
      - S  = Supported; Not considered a downgrade or an upgrade
      -[blank] = Not supported or not a downgrade
      - -
      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Destination edition
            HomeProPro for WorkstationsPro EducationEducationEnterprise LTSCEnterprise
      Starting edition
      Home
      Pro
      Pro for Workstations
      Pro Education
      EducationS
      Enterprise LTSC
      EnterpriseS
      - -> **Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions. -> -> **Windows N/KN**: Windows "N" and "KN" SKUs follow the same rules shown above. - -Some slightly more complex scenarios are not represented by the table above. For example, you can perform an upgrade from Pro to Pro for Workstation on a computer with an embedded Pro key using a Pro for Workstation license key, and then later downgrade this computer back to Pro with the firmware-embedded key. The downgrade is allowed but only because the pre-installed OS is Pro. - -## Related topics - -[Windows 10 upgrade paths](https://docs.microsoft.com/windows/deployment/upgrade/windows-10-upgrade-paths)
      -[Windows 10 volume license media](https://docs.microsoft.com/windows/deployment/windows-10-media)
      -[Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) +--- +title: Windows 10 edition upgrade (Windows 10) +description: With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. +ms.assetid: A7642E90-A3E7-4A25-8044-C4E402DC462A +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: mobile +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Windows 10 edition upgrade + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkID=690882). For a comprehensive list of all possible upgrade paths to Windows 10, see [Windows 10 upgrade paths](windows-10-upgrade-paths.md). Downgrading the edition of Windows is discussed in the [License expiration](#license-expiration) section on this page. + +For a list of operating systems that qualify for the Windows 10 Pro Upgrade or Windows 10 Enterprise Upgrade through Microsoft Volume Licensing, see [Windows 10 Qualifying Operating Systems](https://download.microsoft.com/download/2/d/1/2d14fe17-66c2-4d4c-af73-e122930b60f6/Windows10-QOS.pdf). + +The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. **Note**: The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607. + +Note: Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](https://docs.microsoft.com/sccm/compliance/deploy-use/upgrade-windows-version) in Microsoft Endpoint Configuration Manager. 
+ +![not supported](../images/x_blk.png) (X) = not supported
      +![supported, reboot required](../images/check_grn.png) (green checkmark) = supported, reboot required
      +![supported, no reboot](../images/check_blu.png) (blue checkmark) = supported, no reboot required
      + + + +| Edition upgrade | Using mobile device management (MDM) | Using a provisioning package | Using a command-line tool | Using Microsoft Store for Business or PC | Entering a product key manually | Purchasing a license from the Microsoft Store | +|-----------------| ------------------------------------ | --------------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- | +| **Home > Pro** | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | +| **Home > Pro for Workstations** | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | +| **Home > Pro Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Home > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Pro > Pro for Workstations** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no 
reboot](../images/check_blu.png)
      (MSfB) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | +| **Pro > Pro Education** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
      (MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
      (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Pro > Enterprise** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
      (1703 - PC)
      (1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro for Workstations > Pro Education** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
      (MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro for Workstations > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
      (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Pro for Workstations > Enterprise** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
      (1703 - PC)
      (1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro Education > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
      (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Enterprise > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
      (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Mobile > Mobile Enterprise** | ![supported, no reboot](../images/check_blu.png) |![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | + +> [!NOTE] +> - For information about upgrade paths in Windows 10 in S mode (for Pro or Education), check out [Windows 10 Pro/Enterprise in S mode](../windows-10-pro-in-s-mode.md) +> - Each desktop edition in the table also has an N and KN SKU. These editions have had media-related functionality removed. Devices with N or KN SKUs installed can be upgraded to corresponding N or KN SKUs using the same methods. +>
      +> - Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes) the term LTSB might still be displayed in some products. This name will change to LTSC with subsequent feature updates. + +## Upgrade using mobile device management (MDM) +- To upgrade desktop editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithProductKey** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](https://go.microsoft.com/fwlink/p/?LinkID=690907). + +- To upgrade mobile editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithLicense** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](https://go.microsoft.com/fwlink/p/?LinkID=690907). + +## Upgrade using a provisioning package +Use Windows Configuration Designer to create a provisioning package to upgrade a desktop edition or mobile edition of Windows 10. To get started, [install Windows Configuration Designer from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22). + +- To create a provisioning package for upgrading desktop editions of Windows 10, go to **Runtime settings > EditionUpgrade > UpgradeEditionWithProductKey** in the **Available customizations** panel in Windows ICD and enter the product key for the upgraded edition. + +- To create a provisioning package for upgrading mobile editions of Windows 10, go to **Runtime settings > EditionUpgrade > UpgradeEditionWithLicense** in the **Available customizations** panel in Windows ICD and enter the product key for the upgraded edition. 
+ +For more info about Windows Configuration Designer, see these topics: +- [Create a provisioining package for Windows 10](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-create-package) +- [Apply a provisioning package](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-apply-package) + + +## Upgrade using a command-line tool +You can run the changepk.exe command-line tool to upgrade devices to a supported edition of Windows 10: + +`changepk.exe /ProductKey ` + +You can also upgrade using slmgr.vbs and a [KMS client setup key](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v%3dws.11)). For example, the following command will upgrade to Windows 10 Enterprise. + +`Cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43` + + +## Upgrade by manually entering a product key +If you are upgrading only a few devices, you may want to enter a product key for the upgraded edition manually. + +**To manually enter a product key** + +1. From either the Start menu or the Start screen, type 'Activation' and click on the Activation shortcut. + +2. Click **Change product key**. + +3. Enter your product key. + +4. Follow the on-screen instructions. + +## Upgrade by purchasing a license from the Microsoft Store +If you do not have a product key, you can upgrade your edition of Windows 10 through the Microsoft Store. + +**To upgrade through the Microsoft Store** + +1. From either the **Start** menu or the **Start** screen, type 'Activation' and click on the Activation shortcut. + +2. Click **Go to Store**. + +3. Follow the on-screen instructions. + + **Note**
      If you are a Windows 10 Home N or Windows 10 Home KN user and have trouble finding your applicable upgrade in the Microsoft Store, click [here](ms-windows-store://windowsupgrade/). + +## License expiration + +Volume license customers whose license has expired will need to change the edition of Windows 10 to an edition with an active license. Switching to a downgraded edition of Windows 10 is possible using the same methods that were used to perform an edition upgrade. If the downgrade path is supported, then your apps and settings can be migrated from the current edition. If a path is not supported, then a clean install is required. + +Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a different product key is not supported. You also cannot downgrade from a later version to an earlier version of the same edition (Ex: Windows 10 Pro 1709 to 1703) unless the rollback process is used. This topic does not discuss version downgrades. + +Note: If you are using [Windows 10 Enterprise Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) and a license expires, devices will automatically revert to the original edition when the grace period expires. + +### Scenario example + +Downgrading from Enterprise +- Original edition: **Professional OEM** +- Upgrade edition: **Enterprise** +- Valid downgrade paths: **Pro, Pro for Workstations, Pro Education, Education** + +You can move directly from Enterprise to any valid destination edition. In this example, downgrading to Pro for Workstations, Pro Education, or Education requires an additional activation key to supersede the firmware-embedded Pro key. In all cases, you must comply with [Microsoft License Terms](https://www.microsoft.com/useterms). If you are a volume license customer, refer to the [Microsoft Volume Licensing Reference Guide](https://www.microsoft.com/download/details.aspx?id=11091). 
+ +### Supported Windows 10 downgrade paths + +✔ = Supported downgrade path
      + S  = Supported; Not considered a downgrade or an upgrade
      +[blank] = Not supported or not a downgrade
      + +
      + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Destination edition
            HomeProPro for WorkstationsPro EducationEducationEnterprise LTSCEnterprise
      Starting edition
      Home
      Pro
      Pro for Workstations
      Pro Education
      EducationS
      Enterprise LTSC
      EnterpriseS
      + +> **Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions. +> +> **Windows N/KN**: Windows "N" and "KN" SKUs follow the same rules shown above. + +Some slightly more complex scenarios are not represented by the table above. For example, you can perform an upgrade from Pro to Pro for Workstation on a computer with an embedded Pro key using a Pro for Workstation license key, and then later downgrade this computer back to Pro with the firmware-embedded key. The downgrade is allowed but only because the pre-installed OS is Pro. + +## Related topics + +[Windows 10 upgrade paths](https://docs.microsoft.com/windows/deployment/upgrade/windows-10-upgrade-paths)
      +[Windows 10 volume license media](https://docs.microsoft.com/windows/deployment/windows-10-media)
      +[Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) diff --git a/windows/deployment/usmt/usmt-common-migration-scenarios.md b/windows/deployment/usmt/usmt-common-migration-scenarios.md index bfc3a1013c..adbd9fbc55 100644 --- a/windows/deployment/usmt/usmt-common-migration-scenarios.md +++ b/windows/deployment/usmt/usmt-common-migration-scenarios.md 
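Review bot: The hunk for windows/deployment/upgrade/windows-10-edition-upgrades.md removes and re-adds the whole file, yet from the upgrade table through "Related topics" the added lines appear identical to the removed ones. The only rebranded text visible on the added side is "Microsoft Endpoint Configuration Manager" in the note about edition upgrade policy. A one-phrase rename that touches every line (the diffstat lists 501 changed lines for this file) suggests a line-ending or whitespace rewrite was committed along with it. Please restore the original line endings, or move the normalization into its own commit, so the actual wording change can be reviewed and blame history stays useful. If the full rewrite stays, note that the re-added lines still carry the typo "Create a provisioining package" and still say "Windows ICD" in both provisioning-package bullets, although the same section introduces the tool as Windows Configuration Designer. A rebrand pass is the natural place to make those consistent.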
@@ -1,154 +1,155 @@ ---- -title: Common Migration Scenarios (Windows 10) -description: Common Migration Scenarios -ms.assetid: 1d8170d5-e775-4963-b7a5-b55e8987c1e4 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Common Migration Scenarios - - -You use the User State Migration Tool (USMT) 10.0 when hardware and/or operating system upgrades are planned for a large number of computers. USMT manages the migration of an end-user's digital identity by capturing the user's operating-system settings, application settings, and personal files from a source computer and reinstalling them on a destination computer after the upgrade has occurred. - -One common scenario when only the operating system, and not the hardware, is being upgraded is referred to as *PC refresh*. A second common scenario is known as *PC replacement*, where one piece of hardware is being replaced, typically by newer hardware and a newer operating system. - -## In This Topic - - -[PC Refresh](#bkmk-pcrefresh) - -[Scenario One: PC-refresh offline using Windows PE and a hard-link migration store](#bkmk-onepcrefresh) - -[Scenario Two: PC-refresh using a compressed migration store](#bkmk-twopcrefresh) - -[Scenario Three: PC-refresh using a hard-link migration store](#bkmk-threepcrefresh) - -[Scenario Four: PC-refresh using Windows.old folder and a hard-link migration store](#bkmk-fourpcrefresh) - -[PC Replacement](#bkmk-pcreplace) - -[Scenario One: Offline migration using Windows PE and an external migration store](#bkmk-onepcreplace) - -[Scenario Two: Manual network migration](#bkmk-twopcreplace) - -[Scenario Three: Managed network migration](#bkmk-threepcreplace) - -## PC-Refresh - - -The following diagram shows a PC-refresh migration, also known as a computer refresh migration. 
First, the administrator migrates the user state from a source computer to an intermediate store. After installing the operating system, the administrator migrates the user state back to the source computer. - -  - -![usmt pc refresh scenario](images/dep-win8-l-usmt-pcrefresh.jpg) - -  - -### Scenario One: PC-refresh offline using Windows PE and a hard-link migration store - -A company has just received funds to update the operating system on all of its computers in the accounting department to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, the update is being handled completely offline, without a network connection. An administrator uses Windows Preinstallation Environment (WinPE) and a hard-link migration store to save each user state to their respective computer. - -1. On each computer, the administrator boots the machine into WinPE and runs the ScanState command-line tool, specifying the **/hardlink /nocompress** command-line options. ScanState saves the user state to a hard-link migration store on each computer, improving performance by minimizing network traffic as well as minimizing migration failures on computers with very limited space available on the hard drive. - -2. On each computer, the administrator installs the company’s standard operating environment (SOE) which includes Windows 10 and other company applications. - -3. The administrator runs the LoadState command-line tool on each computer. LoadState restores each user state back to each computer. - -### Scenario Two: PC-refresh using a compressed migration store - -A company has just received funds to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses a compressed migration store to save the user states to a server. - -1. 
The administrator runs the ScanState command-line tool on each computer. ScanState saves each user state to a server. - -2. On each computer, the administrator installs the company's standard SOE which includes Windows 10 and other company applications. - -3. The administrator runs the LoadState command-line tool on each source computer, and LoadState restores each user state back to the computer. - -### Scenario Three: PC-refresh using a hard-link migration store - -A company has just received funds to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses a hard-link migration store to save each user state to their respective computer. - -1. The administrator runs the ScanState command-line tool on each computer, specifying the **/hardlink /nocompress** command-line options. ScanState saves the user state to a hard-link migration store on each computer, improving performance by minimizing network traffic as well as minimizing migration failures on computers with very limited space available on the hard drive. - -2. On each computer, the administrator installs the company's SOE which includes Windows 10 and other company applications. - -3. The administrator runs the LoadState command-line tool on each computer. LoadState restores each user state back on each computer. - -### Scenario Four: PC-refresh using Windows.old folder and a hard-link migration store - -A company has decided to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses Windows.old and a hard-link migration store to save each user state to their respective computer. - -1. 
The administrator clean installs Windows 10 on each computer, making sure that the Windows.old directory is created by installing Windows 10 without formatting or repartitioning and by selecting a partition that contains the previous version of Windows. - -2. On each computer, the administrator installs the company’s SOE which includes company applications. - -3. The administrator runs the ScanState and LoadState command-line tools successively on each computer while specifying the **/hardlink /nocompress** command-line options. - -## PC-Replacement - - -The following diagram shows a PC-replacement migration. First, the administrator migrates the user state from the source computer to an intermediate store. After installing the operating system on the destination computer, the administrator migrates the user state from the store to the destination computer. - -  - -![usmt pc replace scenario](images/dep-win8-l-usmt-pcreplace.jpg) - -  - -### Scenario One: Offline migration using WinPE and an external migration store - -A company is allocating 20 new computers to users in the accounting department. The users each have a source computer with their files and settings. In this scenario, migration is being handled completely offline, without a network connection. - -1. On each source computer, an administrator boots the machine into WinPE and runs ScanState to collect the user state to either a server or an external hard disk. - -2. On each new computer, the administrator installs the company's SOE which includes Windows 10 and other company applications. - -3. On each of the new computers, the administrator runs the LoadState tool, restoring each user state from the migration store to one of the new computers. - -### Scenario Two: Manual network migration - -A company receives 50 new laptops for their managers and needs to reallocate 50 older laptops to new employees. 
In this scenario, an administrator runs the ScanState tool from the cmd prompt on each computer to collect the user states and save them to a server in a compressed migration store. - -1. The administrator runs the ScanState tool on each of the manager’s old laptops, and saves each user state to a server. - -2. On the new laptops, the administrator installs the company's SOE, which includes Windows 10 and other company applications. - -3. The administrator runs the LoadState tool on the new laptops to migrate the managers’ user states to the appropriate computer. The new laptops are now ready for the managers to use. - -4. On the old computers, the administrator installs the company’s SOE, which includes Windows 10, Microsoft Office, and other company applications. The old computers are now ready for the new employees to use. - -### Scenario Three: Managed network migration - -A company is allocating 20 new computers to users in the accounting department. The users each have a source computer that contains their files and settings. An administrator uses a management technology such as a logon script or a batch file to run ScanState on each source computer to collect the user states and save them to a server in a compressed migration store. - -1. On each source computer, the administrator runs the ScanState tool using Microsoft System Center Configuration Manager (SCCM), Microsoft Deployment Toolkit (MDT), a logon script, a batch file, or a non-Microsoft management technology. ScanState collects the user state from each source computer and then saves it to a server. - -2. On each new computer, the administrator installs the company's SOE, which includes Windows 10 and other company applications. - -3. On each of the new computers, the administrator runs the LoadState tool using System Center Configuration Manager, a logon script, a batch file, or a non-Microsoft management technology. 
LoadState migrates each user state from the migration store to one of the new computers. - -## Related topics - - -[Plan Your Migration](usmt-plan-your-migration.md) - -[Choose a Migration Store Type](usmt-choose-migration-store-type.md) - -[Offline Migration Reference](offline-migration-reference.md) - -  - -  - - - - - +--- +title: Common Migration Scenarios (Windows 10) +description: Common Migration Scenarios +ms.assetid: 1d8170d5-e775-4963-b7a5-b55e8987c1e4 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Common Migration Scenarios + + +You use the User State Migration Tool (USMT) 10.0 when hardware and/or operating system upgrades are planned for a large number of computers. USMT manages the migration of an end-user's digital identity by capturing the user's operating-system settings, application settings, and personal files from a source computer and reinstalling them on a destination computer after the upgrade has occurred. + +One common scenario when only the operating system, and not the hardware, is being upgraded is referred to as *PC refresh*. A second common scenario is known as *PC replacement*, where one piece of hardware is being replaced, typically by newer hardware and a newer operating system. 
+ +## In This Topic + + +[PC Refresh](#bkmk-pcrefresh) + +[Scenario One: PC-refresh offline using Windows PE and a hard-link migration store](#bkmk-onepcrefresh) + +[Scenario Two: PC-refresh using a compressed migration store](#bkmk-twopcrefresh) + +[Scenario Three: PC-refresh using a hard-link migration store](#bkmk-threepcrefresh) + +[Scenario Four: PC-refresh using Windows.old folder and a hard-link migration store](#bkmk-fourpcrefresh) + +[PC Replacement](#bkmk-pcreplace) + +[Scenario One: Offline migration using Windows PE and an external migration store](#bkmk-onepcreplace) + +[Scenario Two: Manual network migration](#bkmk-twopcreplace) + +[Scenario Three: Managed network migration](#bkmk-threepcreplace) + +## PC-Refresh + + +The following diagram shows a PC-refresh migration, also known as a computer refresh migration. First, the administrator migrates the user state from a source computer to an intermediate store. After installing the operating system, the administrator migrates the user state back to the source computer. + +  + +![usmt pc refresh scenario](images/dep-win8-l-usmt-pcrefresh.jpg) + +  + +### Scenario One: PC-refresh offline using Windows PE and a hard-link migration store + +A company has just received funds to update the operating system on all of its computers in the accounting department to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, the update is being handled completely offline, without a network connection. An administrator uses Windows Preinstallation Environment (WinPE) and a hard-link migration store to save each user state to their respective computer. + +1. On each computer, the administrator boots the machine into WinPE and runs the ScanState command-line tool, specifying the **/hardlink /nocompress** command-line options. 
ScanState saves the user state to a hard-link migration store on each computer, improving performance by minimizing network traffic as well as minimizing migration failures on computers with very limited space available on the hard drive. + +2. On each computer, the administrator installs the company’s standard operating environment (SOE) which includes Windows 10 and other company applications. + +3. The administrator runs the LoadState command-line tool on each computer. LoadState restores each user state back to each computer. + +### Scenario Two: PC-refresh using a compressed migration store + +A company has just received funds to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses a compressed migration store to save the user states to a server. + +1. The administrator runs the ScanState command-line tool on each computer. ScanState saves each user state to a server. + +2. On each computer, the administrator installs the company's standard SOE which includes Windows 10 and other company applications. + +3. The administrator runs the LoadState command-line tool on each source computer, and LoadState restores each user state back to the computer. + +### Scenario Three: PC-refresh using a hard-link migration store + +A company has just received funds to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses a hard-link migration store to save each user state to their respective computer. + +1. The administrator runs the ScanState command-line tool on each computer, specifying the **/hardlink /nocompress** command-line options. 
ScanState saves the user state to a hard-link migration store on each computer, improving performance by minimizing network traffic as well as minimizing migration failures on computers with very limited space available on the hard drive. + +2. On each computer, the administrator installs the company's SOE which includes Windows 10 and other company applications. + +3. The administrator runs the LoadState command-line tool on each computer. LoadState restores each user state back on each computer. + +### Scenario Four: PC-refresh using Windows.old folder and a hard-link migration store + +A company has decided to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses Windows.old and a hard-link migration store to save each user state to their respective computer. + +1. The administrator clean installs Windows 10 on each computer, making sure that the Windows.old directory is created by installing Windows 10 without formatting or repartitioning and by selecting a partition that contains the previous version of Windows. + +2. On each computer, the administrator installs the company’s SOE which includes company applications. + +3. The administrator runs the ScanState and LoadState command-line tools successively on each computer while specifying the **/hardlink /nocompress** command-line options. + +## PC-Replacement + + +The following diagram shows a PC-replacement migration. First, the administrator migrates the user state from the source computer to an intermediate store. After installing the operating system on the destination computer, the administrator migrates the user state from the store to the destination computer. 
+ +  + +![usmt pc replace scenario](images/dep-win8-l-usmt-pcreplace.jpg) + +  + +### Scenario One: Offline migration using WinPE and an external migration store + +A company is allocating 20 new computers to users in the accounting department. The users each have a source computer with their files and settings. In this scenario, migration is being handled completely offline, without a network connection. + +1. On each source computer, an administrator boots the machine into WinPE and runs ScanState to collect the user state to either a server or an external hard disk. + +2. On each new computer, the administrator installs the company's SOE which includes Windows 10 and other company applications. + +3. On each of the new computers, the administrator runs the LoadState tool, restoring each user state from the migration store to one of the new computers. + +### Scenario Two: Manual network migration + +A company receives 50 new laptops for their managers and needs to reallocate 50 older laptops to new employees. In this scenario, an administrator runs the ScanState tool from the cmd prompt on each computer to collect the user states and save them to a server in a compressed migration store. + +1. The administrator runs the ScanState tool on each of the manager’s old laptops, and saves each user state to a server. + +2. On the new laptops, the administrator installs the company's SOE, which includes Windows 10 and other company applications. + +3. The administrator runs the LoadState tool on the new laptops to migrate the managers’ user states to the appropriate computer. The new laptops are now ready for the managers to use. + +4. On the old computers, the administrator installs the company’s SOE, which includes Windows 10, Microsoft Office, and other company applications. The old computers are now ready for the new employees to use. + +### Scenario Three: Managed network migration + +A company is allocating 20 new computers to users in the accounting department. 
The users each have a source computer that contains their files and settings. An administrator uses a management technology such as a logon script or a batch file to run ScanState on each source computer to collect the user states and save them to a server in a compressed migration store. + +1. On each source computer, the administrator runs the ScanState tool using Microsoft Microsoft Endpoint Configuration Manager, Microsoft Deployment Toolkit (MDT), a logon script, a batch file, or a non-Microsoft management technology. ScanState collects the user state from each source computer and then saves it to a server. + +2. On each new computer, the administrator installs the company's SOE, which includes Windows 10 and other company applications. + +3. On each of the new computers, the administrator runs the LoadState tool using Microsoft Endpoint Configuration Manager, a logon script, a batch file, or a non-Microsoft management technology. LoadState migrates each user state from the migration store to one of the new computers. + +## Related topics + + +[Plan Your Migration](usmt-plan-your-migration.md) + +[Choose a Migration Store Type](usmt-choose-migration-store-type.md) + +[Offline Migration Reference](offline-migration-reference.md) + +  + +  + + + + + diff --git a/windows/deployment/usmt/usmt-test-your-migration.md b/windows/deployment/usmt/usmt-test-your-migration.md index 7c4185278b..533b7f5286 100644 --- a/windows/deployment/usmt/usmt-test-your-migration.md +++ b/windows/deployment/usmt/usmt-test-your-migration.md 
@@ -1,53 +1,54 @@ ---- -title: Test Your Migration (Windows 10) -description: Test Your Migration -ms.assetid: 754af276-8386-4eac-8079-3d1e45964a0d -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Test Your Migration - - -Always test your migration plan in a controlled laboratory setting before you deploy it to your entire organization. In your test environment, you need at least one computer for each type of operating system from which you are migrating data. - -After you have thoroughly tested the entire migration process on a single computer running each of your source operating systems, conduct a pilot migration with a small group of users. After migrating a few typical user states to the intermediate store, note the space required and adjust your initial calculations accordingly. For details about estimating the space needed for your migration, see [Estimate Migration Store Size](usmt-estimate-migration-store-size.md). You might also need to adjust the registry-setting and file-location information in your migration-rule files. If you make changes, test the migration again. Then verify that all data and settings have migrated as expected. A pilot migration also gives you an opportunity to test your space estimates for the intermediate store. - -If your test migration encounters any errors, examine the ScanState and LoadState logs to obtain the exact User State Migration Tool (USMT) 10.0 return code and associated error messages or Windows application programming interface (API) error message. For more information about USMT return codes and error messages, see [Return Codes](usmt-return-codes.md). You can also obtain more information about a Windows API error message by typing **net helpmsg** and the error message number on the command line. 
- -In most cases, the ScanState and LoadState logs indicate why a USMT migration is failing. We recommend that you use the **/v**:5 option when testing your migration. This verbosity level can be adjusted in a production migration. Reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a higher verbosity level if you want the log files output to go to a debugger. - -**Note**   -Running the ScanState and LoadState tools with the **/v**:5 option creates a detailed log file. Although this option makes the log file large, it is helpful in determining where migration errors occurred. - - - -After you have determined that the pilot migration successfully migrated the specified files and settings, you are ready to add USMT to the server that is running Microsoft® System Center Configuration Manager (SCCM), or a non-Microsoft management technology. For more information, see [Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=140246). - -**Note**   -For testing purposes, you can create an uncompressed store using the **/hardlink /nocompress** option. When compression is disabled, the ScanState tool saves the files and settings to a hidden folder named "File" at *StorePath*\\USMT. You can use the uncompressed store to view what USMT has stored or to troubleshoot a problem, or you can run an antivirus utility against the files. Additionally, you can also use the **/listfiles** command-line option and the diagnostic log to list the files that were gathered and to troubleshoot problems with your migration. 
- - - -## Related topics - - -[Plan Your Migration](usmt-plan-your-migration.md) - -[Log Files](usmt-log-files.md) - - - - - - - - - +--- +title: Test Your Migration (Windows 10) +description: Test Your Migration +ms.assetid: 754af276-8386-4eac-8079-3d1e45964a0d +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Test Your Migration + + +Always test your migration plan in a controlled laboratory setting before you deploy it to your entire organization. In your test environment, you need at least one computer for each type of operating system from which you are migrating data. + +After you have thoroughly tested the entire migration process on a single computer running each of your source operating systems, conduct a pilot migration with a small group of users. After migrating a few typical user states to the intermediate store, note the space required and adjust your initial calculations accordingly. For details about estimating the space needed for your migration, see [Estimate Migration Store Size](usmt-estimate-migration-store-size.md). You might also need to adjust the registry-setting and file-location information in your migration-rule files. If you make changes, test the migration again. Then verify that all data and settings have migrated as expected. A pilot migration also gives you an opportunity to test your space estimates for the intermediate store. + +If your test migration encounters any errors, examine the ScanState and LoadState logs to obtain the exact User State Migration Tool (USMT) 10.0 return code and associated error messages or Windows application programming interface (API) error message. For more information about USMT return codes and error messages, see [Return Codes](usmt-return-codes.md). 
You can also obtain more information about a Windows API error message by typing **net helpmsg** and the error message number on the command line. + +In most cases, the ScanState and LoadState logs indicate why a USMT migration is failing. We recommend that you use the **/v**:5 option when testing your migration. This verbosity level can be adjusted in a production migration. Reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a higher verbosity level if you want the log files output to go to a debugger. + +**Note**   +Running the ScanState and LoadState tools with the **/v**:5 option creates a detailed log file. Although this option makes the log file large, it is helpful in determining where migration errors occurred. + + + +After you have determined that the pilot migration successfully migrated the specified files and settings, you are ready to add USMT to the server that is running Microsoft Endpoint Configuration Manager, or a non-Microsoft management technology. For more information, see [Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=140246). + +**Note**   +For testing purposes, you can create an uncompressed store using the **/hardlink /nocompress** option. When compression is disabled, the ScanState tool saves the files and settings to a hidden folder named "File" at *StorePath*\\USMT. You can use the uncompressed store to view what USMT has stored or to troubleshoot a problem, or you can run an antivirus utility against the files. Additionally, you can also use the **/listfiles** command-line option and the diagnostic log to list the files that were gathered and to troubleshoot problems with your migration. + + + +## Related topics + + +[Plan Your Migration](usmt-plan-your-migration.md) + +[Log Files](usmt-log-files.md) + + + + + + + + + 
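Review bot: Every line of usmt-test-your-migration.md is removed and re-added with identical text, so the two real edits in this hunk are hard to pick out: the front-matter line `audience: itpro author: greg-lindsay` split into separate `audience:` and `author:` keys, and "Microsoft® System Center Configuration Manager (SCCM)" replaced by "Microsoft Endpoint Configuration Manager" in the paragraph about adding USMT to the server. A whole-file rewrite like this usually comes from a line-ending or encoding change; consider committing that normalization separately so the rebrand diff shows only the renamed lines. The re-added `ms.date: 04/19/2017` is also unchanged even though the body text was edited; update it if the docs convention is to bump the date on content changes.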
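Review bot: In usmt-common-migration-scenarios.md, step 1 of "Scenario Three: Managed network migration" now reads "using Microsoft Microsoft Endpoint Configuration Manager", with "Microsoft" doubled because the new product name was substituted into "Microsoft System Center Configuration Manager (SCCM)" without dropping the existing prefix. Change it to "using Microsoft Endpoint Configuration Manager", which matches step 3 of the same scenario.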
diff --git a/windows/deployment/volume-activation/configure-client-computers-vamt.md b/windows/deployment/volume-activation/configure-client-computers-vamt.md index 9cd6a07136..6b80a72d89 100644 --- a/windows/deployment/volume-activation/configure-client-computers-vamt.md +++ b/windows/deployment/volume-activation/configure-client-computers-vamt.md 
@@ -1,94 +1,95 @@ ---- -title: Configure Client Computers (Windows 10) -description: Configure Client Computers -ms.assetid: a48176c9-b05c-4dd5-a9ef-83073e2370fc -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Configure Client Computers - -To enable the Volume Activation Management Tool (VAMT) to function correctly, certain configuration changes are required on all client computers: - -- An exception must be set in the client computer's firewall. -- A registry key must be created and set properly, for computers in a workgroup; otherwise, Windows® User Account Control (UAC) will not allow remote administrative operations. - -Organizations where the VAMT will be widely used may benefit from making these changes inside the master image for Windows. - -**Important**   -This procedure only applies to clients running Windows Vista or later. For clients running Windows XP Service Pack 1, see [Connecting Through Windows Firewall](https://go.microsoft.com/fwlink/p/?LinkId=182933). - -## Configuring the Windows Firewall to allow VAMT access - -Enable the VAMT to access client computers using the **Windows Firewall** Control Panel: -1. Open Control Panel and double-click **System and Security**. -2. Click **Windows Firewall**. -3. Click **Allow a program or feature through Windows Firewall**. -4. Click the **Change settings** option. -5. Select the **Windows Management Instrumentation (WMI)** checkbox. -6. Click **OK**. - - **Warning**   - By default, Windows Firewall Exceptions only apply to traffic originating on the local subnet. To expand the exception to apply to multiple subnets, you need to change the exception settings in the Windows Firewall with Advanced Security, as described below. 
- -## Configure Windows Firewall to allow VAMT access across multiple subnets - -Enable the VAMT to access client computers across multiple subnets using the **Windows Firewall with Advanced Security** Control Panel: - -![VAMT Firewall configuration for multiple subnets](images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif) - -1. Open the Control Panel and double-click **Administrative Tools**. -2. Click **Windows Firewall with Advanced Security**. -3. Make your changes for each of the following three WMI items, for the applicable Network Profile (Domain, Public, Private): - - Windows Management Instrumentation (ASync-In) - - Windows Management Instrumentation (DCOM-In) - - Windows Management Instrumentation (WMI-In) - -4. In the **Windows Firewall with Advanced Security** dialog box, select **Inbound Rules** from the left-hand panel. - -5. Right-click the desired rule and select **Properties** to open the **Properties** dialog box. - - - On the **General** tab, select the **Allow the connection** checkbox. - - On the **Scope** tab, change the Remote IP Address setting from "Local Subnet" (default) to allow the specific access you need. - - On the **Advanced** tab, verify selection of all profiles that are applicable to the network (Domain or Private/Public). - -In certain scenarios, only a limited set of TCP/IP ports are allowed through a hardware firewall. Administrators must ensure that WMI (which relies on RPC over TCP/IP) is allowed through these types of firewalls. By default, the WMI port is a dynamically allocated random port above 1024. The following Microsoft knowledge article discusses how administrators can limit the range of dynamically-allocated ports. This is useful if, for example, the hardware firewall only allows traffic in a certain range of ports. -For more info, see [How to configure RPC dynamic port allocation to work with firewalls](https://go.microsoft.com/fwlink/p/?LinkId=182911). 
- -## Create a registry value for the VAMT to access workgroup-joined computer - -**Caution**   -This section contains information about how to modify the registry. Make sure to back up the registry before you modify it; in addition, ensure that you know how to restore the registry, if a problem occurs. For more information about how to back up, restore, and modify the registry, see [Windows registry information for advanced users](https://go.microsoft.com/fwlink/p/?LinkId=182912). - -On the client computer, create the following registry key using regedit.exe. - -1. Navigate to `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system` -2. Enter the following details: - **Value Name: LocalAccountTokenFilterPolicy** - **Type: DWORD** - **Value Data: 1** - **Note**   - To discover VAMT-manageable Windows computers in workgroups, you must enable network discovery on each client. - -## Deployment options - -There are several options for organizations to configure the WMI firewall exception for computers: -- **Image.** Add the configurations to the master Windows image deployed to all clients. -- **Group Policy.** If the clients are part of a domain, then all clients can be configured using Group Policy. The Group Policy setting for the WMI firewall exception is found in GPMC.MSC at: **Computer Configuration\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Inbound Rules**. -- **Script.** Execute a script using Microsoft System Center Configuration Manager or a third-party remote script execution facility. -- **Manual.** Configure the WMI firewall exception individually on each client. -The above configurations will open an additional port through the Windows Firewall on target computers and should be performed on computers that are protected by a network firewall. In order to allow VAMT to query the up-to-date licensing status, the WMI exception must be maintained. 
We recommend administrators consult their network security policies and make clear decisions when creating the WMI exception. - -## Related topics - -- [Install and Configure VAMT](install-configure-vamt.md) - - +--- +title: Configure Client Computers (Windows 10) +description: Configure Client Computers +ms.assetid: a48176c9-b05c-4dd5-a9ef-83073e2370fc +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Configure Client Computers + +To enable the Volume Activation Management Tool (VAMT) to function correctly, certain configuration changes are required on all client computers: + +- An exception must be set in the client computer's firewall. +- A registry key must be created and set properly, for computers in a workgroup; otherwise, Windows® User Account Control (UAC) will not allow remote administrative operations. + +Organizations where the VAMT will be widely used may benefit from making these changes inside the master image for Windows. + +**Important**   +This procedure only applies to clients running Windows Vista or later. For clients running Windows XP Service Pack 1, see [Connecting Through Windows Firewall](https://go.microsoft.com/fwlink/p/?LinkId=182933). + +## Configuring the Windows Firewall to allow VAMT access + +Enable the VAMT to access client computers using the **Windows Firewall** Control Panel: +1. Open Control Panel and double-click **System and Security**. +2. Click **Windows Firewall**. +3. Click **Allow a program or feature through Windows Firewall**. +4. Click the **Change settings** option. +5. Select the **Windows Management Instrumentation (WMI)** checkbox. +6. Click **OK**. + + **Warning**   + By default, Windows Firewall Exceptions only apply to traffic originating on the local subnet. 
To expand the exception to apply to multiple subnets, you need to change the exception settings in the Windows Firewall with Advanced Security, as described below. + +## Configure Windows Firewall to allow VAMT access across multiple subnets + +Enable the VAMT to access client computers across multiple subnets using the **Windows Firewall with Advanced Security** Control Panel: + +![VAMT Firewall configuration for multiple subnets](images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif) + +1. Open the Control Panel and double-click **Administrative Tools**. +2. Click **Windows Firewall with Advanced Security**. +3. Make your changes for each of the following three WMI items, for the applicable Network Profile (Domain, Public, Private): + - Windows Management Instrumentation (ASync-In) + - Windows Management Instrumentation (DCOM-In) + - Windows Management Instrumentation (WMI-In) + +4. In the **Windows Firewall with Advanced Security** dialog box, select **Inbound Rules** from the left-hand panel. + +5. Right-click the desired rule and select **Properties** to open the **Properties** dialog box. + + - On the **General** tab, select the **Allow the connection** checkbox. + - On the **Scope** tab, change the Remote IP Address setting from "Local Subnet" (default) to allow the specific access you need. + - On the **Advanced** tab, verify selection of all profiles that are applicable to the network (Domain or Private/Public). + +In certain scenarios, only a limited set of TCP/IP ports are allowed through a hardware firewall. Administrators must ensure that WMI (which relies on RPC over TCP/IP) is allowed through these types of firewalls. By default, the WMI port is a dynamically allocated random port above 1024. The following Microsoft knowledge article discusses how administrators can limit the range of dynamically-allocated ports. This is useful if, for example, the hardware firewall only allows traffic in a certain range of ports. 
+For more info, see [How to configure RPC dynamic port allocation to work with firewalls](https://go.microsoft.com/fwlink/p/?LinkId=182911). + +## Create a registry value for the VAMT to access workgroup-joined computer + +**Caution**   +This section contains information about how to modify the registry. Make sure to back up the registry before you modify it; in addition, ensure that you know how to restore the registry, if a problem occurs. For more information about how to back up, restore, and modify the registry, see [Windows registry information for advanced users](https://go.microsoft.com/fwlink/p/?LinkId=182912). + +On the client computer, create the following registry key using regedit.exe. + +1. Navigate to `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system` +2. Enter the following details: + **Value Name: LocalAccountTokenFilterPolicy** + **Type: DWORD** + **Value Data: 1** + **Note**   + To discover VAMT-manageable Windows computers in workgroups, you must enable network discovery on each client. + +## Deployment options + +There are several options for organizations to configure the WMI firewall exception for computers: +- **Image.** Add the configurations to the master Windows image deployed to all clients. +- **Group Policy.** If the clients are part of a domain, then all clients can be configured using Group Policy. The Group Policy setting for the WMI firewall exception is found in GPMC.MSC at: **Computer Configuration\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Inbound Rules**. +- **Script.** Execute a script using Microsoft Endpoint Configuration Manager or a third-party remote script execution facility. +- **Manual.** Configure the WMI firewall exception individually on each client. 
+The above configurations will open an additional port through the Windows Firewall on target computers and should be performed on computers that are protected by a network firewall. In order to allow VAMT to query the up-to-date licensing status, the WMI exception must be maintained. We recommend administrators consult their network security policies and make clear decisions when creating the WMI exception. + +## Related topics + +- [Install and Configure VAMT](install-configure-vamt.md) + + diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md index f36dea21ef..b37a3cf91f 100644 --- a/windows/deployment/windows-10-deployment-posters.md +++ b/windows/deployment/windows-10-deployment-posters.md @@ -1,6 +1,6 @@ --- title: Windows 10 deployment process posters -description: View and download Windows 10 deployment process flows for System Center Configuration Manager and Windows Autopilot. +description: View and download Windows 10 deployment process flows for Microsoft Endpoint Configuration Manager and Windows Autopilot. ms.reviewer: manager: laurawi ms.audience: itpro @@ -21,7 +21,7 @@ ms.topic: article **Applies to** - Windows 10 -The following posters step through various options for deploying Windows 10 with Windows Autopilot or System Center Configuration Manager. +The following posters step through various options for deploying Windows 10 with Windows Autopilot or Microsoft Endpoint Configuration Manager. ## Deploy Windows 10 with Autopilot 
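Review bot: In configure-client-computers-vamt.md, the re-added "Deployment options" list has no blank line between the `- **Manual.**` bullet and the paragraph beginning "The above configurations will open an additional port through the Windows Firewall", so Markdown treats that paragraph as a continuation of the last bullet. That paragraph is the security caveat for the whole section (the WMI exception should be made on computers that are protected by a network firewall), and it should not read as part of the "Manual" option. Since every line of the file is being rewritten in this hunk anyway, add a blank line before it so it renders as its own paragraph.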
@@ -29,7 +29,7 @@ The Windows Autopilot poster is two pages in portrait mode (11x17). Click the im [![Deploy Windows 10 with Autopilot](./media/windows10-autopilot-flowchart.png)](./media/Windows10AutopilotFlowchart.pdf) -## Deploy Windows 10 with System Center Configuration Manager +## Deploy Windows 10 with Microsoft Endpoint Configuration Manager The Configuration Manager poster is one page in landscape mode (17x11). Click the image to view a PDF in your browser. You can also download this poster in [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10DeploymentConfigManager.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10DeploymentConfigManager.vsdx) format. diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md index 26151664de..c702953e33 100644 --- a/windows/deployment/windows-10-deployment-scenarios.md +++ b/windows/deployment/windows-10-deployment-scenarios.md 
@@ -1,275 +1,277 @@ ---- -title: Windows 10 deployment scenarios (Windows 10) -description: To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. -ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 -ms.reviewer: -manager: laurawi -ms.audience: itpro author: greg-lindsay -keywords: upgrade, in-place, configuration, deploy -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.date: 11/06/2018 -audience: itpro author: greg-lindsay -ms.topic: article ---- - -# Windows 10 deployment scenarios - -**Applies to** -- Windows 10 - -To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. - -The following table summarizes various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories. -- Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home). -- Dynamic deployment methods enable you to configure applications and settings for specific use cases. -- Traditional deployment methods use existing tools to deploy operating system images.
        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      CategoryScenarioDescriptionMore information
      Modern - -[Windows Autopilot](#windows-autopilot) - Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured. - -Overview of Windows Autopilot -
      - -[In-place upgrade](#in-place-upgrade) - - - Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old. - -Perform an in-place upgrade to Windows 10 with MDT
      Perform an in-place upgrade to Windows 10 using Configuration Manager -
      - Dynamic - - -[Subscription Activation](#windows-10-subscription-activation) - - Switch from Windows 10 Pro to Enterprise when a subscribed user signs in. - -Windows 10 Subscription Activation -
      - - [AAD / MDM](#dynamic-provisioning) - - The device is automatically joined to AAD and configured by MDM. - -Azure Active Directory integration with MDM -
      - - [Provisioning packages](#dynamic-provisioning) - - Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices. - -Configure devices without MDM -
      - Traditional - - - [Bare metal](#new-computer) - - Deploy a new device, or wipe an existing device and deploy with a fresh image. - - Deploy a Windows 10 image using MDT
      Install a new version of Windows on a new computer with System Center Configuration Manager -
      - - [Refresh](#computer-refresh) - - Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. - - Refresh a Windows 7 computer with Windows 10
      Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager -
      - - [Replace](#computer-replace) - - Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device. - - Replace a Windows 7 computer with a Windows 10 computer
      Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager -
      - -
        - - ->[!IMPORTANT] ->The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.
      ->Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS. - -## Modern deployment methods - -Modern deployment methods embrace both traditional on-prem and cloud services to deliver a simple, streamlined, cost effective deployment experience. - -### Windows Autopilot - -Windows Autopilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows Autopilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device after just a few clicks. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator. - -For more information about Windows Autopilot, see [Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows Autopilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/). - -### In-place upgrade - -For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 leverages the Windows installation program (Setup.exe) to perform an in-place upgrade, which automatically preserves all data, settings, applications, and drivers from the existing operating system version. This requires the least IT effort, because there is no need for any complex deployment infrastructure. - -Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. 
This is accomplished by leveraging tools like System Center Configuration Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences. - -The in-place upgrade process is designed to be extremely reliable, with the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. Rolling back manually can also be done by leveraging the automatically-created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications do not need to be reinstalled as part of the process. - -Because existing applications are preserved through the process, the upgrade process uses the standard Windows installation media image (Install.wim); custom images are not needed and cannot be used because the upgrade process is unable to deal with conflicts between apps in the old and new operating system. (For example, Contoso Timecard 1.0 in Windows 7 and Contoso Timecard 3.0 in the Windows 10 image.) - -Scenarios that support in-place upgrade with some additional procedures include changing from BIOS to UEFI boot mode and upgrade of devices that use non-Microsoft disk encryption software. - -- **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 does not require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt) tool. 
Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode. - -- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting: - - [Windows Setup Automation Overview](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-automation-overview) - - [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options) - -There are some situations where you cannot use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include: - -- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process cannot change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers. -- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed. -- Updating existing images. While it might be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image, this is not supported – preparing an upgraded OS for imaging (using Sysprep.exe) is not supported and will not work when it detects the upgraded OS. -- Dual-boot and multi-boot systems. 
The upgrade process is designed for devices running a single OS; if using dual-boot or multi-boot systems with multiple operating systems (not leveraging virtual machines for the second and subsequent operating systems), additional care should be taken. - - -## Dynamic provisioning - -For new PCs, organizations have historically replaced the version of Windows included on the device with their own custom Windows image, because this was often faster and easier than leveraging the preinstalled version. But this is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows 10, it is now possible to avoid this. - -The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include: - -### Windows 10 Subscription Activation - -Windows 10 Subscription Activation is a modern deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation). - - -### Azure Active Directory (AAD) join with automatic mobile device management (MDM) enrollment - -In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Azure Active Directory integration with MDM](https://docs.microsoft.com/windows/client-management/mdm/azure-active-directory-integration-with-mdm). 
- -### Provisioning package configuration - -Using the [Windows Imaging and Configuration Designer (ICD)](https://go.microsoft.com/fwlink/p/?LinkId=619358), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through a variety of means, typically by IT professionals. For more information, see [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm). - -These scenarios can be used to enable “choose your own device” (CYOD) programs where the organization’s users can pick their own PC and not be restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios). - -While the initial Windows 10 release includes a variety of provisioning settings and deployment mechanisms, these will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for additional features through the Windows Feedback app or through their Microsoft Support contacts. - -## Traditional deployment: - -New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md), and [System Center Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md). - -With the release of Windows 10, all of these tools are being updated to fully support Windows 10. 
Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important and will continue to be available to organizations that need them. - -The traditional deployment scenario can be divided into different sub-scenarios. These are explained in detail in the following sections, but the following provides a brief summary: - -- **New computer.** A bare-metal deployment of a new machine. - -- **Computer refresh.** A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup). - -- **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup). - -### New computer - -Also called a "bare metal" deployment. This scenario occurs when you have a blank machine you need to deploy, or an existing machine you want to wipe and redeploy without needing to preserve any existing data. The setup starts from a boot media, using CD, USB, ISO, or Pre-Boot Execution Environment (PXE). You can also generate a full offline media that includes all the files needed for a client deployment, allowing you to deploy without having to connect to a central deployment share. The target can be a physical computer, a virtual machine, or a Virtual Hard Disk (VHD) running on a physical computer (boot from VHD). - -The deployment process for the new machine scenario is as follows: - -1. Start the setup from boot media (CD, USB, ISO, or PXE). - -2. Wipe the hard disk clean and create new volume(s). - -3. Install the operating system image. - -4. Install other applications (as part of the task sequence). - -After taking these steps, the computer is ready for use. - -### Computer refresh - -A refresh is sometimes called wipe-and-load. The process is normally initiated in the running operating system. 
User data and settings are backed up and restored later as part of the deployment process. The target can be the same as for the new computer scenario. - -The deployment process for the wipe-and-load scenario is as follows: - -1. Start the setup on a running operating system. - -2. Save the user state locally. - -3. Wipe the hard disk clean (except for the folder containing the backup). - -4. Install the operating system image. - -5. Install other applications. - -6. Restore the user state. - -After taking these steps, the machine is ready for use. - -### Computer replace - -A computer replace is similar to the refresh scenario. However, since we are replacing the machine, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored. - -The deployment process for the replace scenario is as follows: - -1. Save the user state (data and settings) on the server through a backup job on the running operating system. - -2. Deploy the new computer as a bare-metal deployment. - - **Note**
      In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk. - -## Related topics - -- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) -- [Upgrade to Windows 10 with System Center Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md) -- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=620230) -- [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) -- [Windows setup technical reference](https://go.microsoft.com/fwlink/p/?LinkId=619357) -- [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=619358) -- [UEFI firmware](https://go.microsoft.com/fwlink/p/?LinkId=619359) +--- +title: Windows 10 deployment scenarios (Windows 10) +description: To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. 
+ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +keywords: upgrade, in-place, configuration, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.date: 11/06/2018 +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Windows 10 deployment scenarios + +**Applies to** +- Windows 10 + +To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. + +The following table summarizes various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories. +- Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home). +- Dynamic deployment methods enable you to configure applications and settings for specific use cases. +- Traditional deployment methods use existing tools to deploy operating system images.
        + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      CategoryScenarioDescriptionMore information
      Modern + +[Windows Autopilot](#windows-autopilot) + Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured. + +Overview of Windows Autopilot +
      + +[In-place upgrade](#in-place-upgrade) + + + Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old. + +Perform an in-place upgrade to Windows 10 with MDT
      Perform an in-place upgrade to Windows 10 using Configuration Manager +
      + Dynamic + + +[Subscription Activation](#windows-10-subscription-activation) + + Switch from Windows 10 Pro to Enterprise when a subscribed user signs in. + +Windows 10 Subscription Activation +
      + + [AAD / MDM](#dynamic-provisioning) + + The device is automatically joined to AAD and configured by MDM. + +Azure Active Directory integration with MDM +
      + + [Provisioning packages](#dynamic-provisioning) + + Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices. + +Configure devices without MDM +
      + Traditional + + + [Bare metal](#new-computer) + + Deploy a new device, or wipe an existing device and deploy with a fresh image. + + Deploy a Windows 10 image using MDT
      Install a new version of Windows on a new computer with Microsoft Endpoint Configuration Manager +
      + + [Refresh](#computer-refresh) + + Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. + + Refresh a Windows 7 computer with Windows 10
      Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager +
      + + [Replace](#computer-replace) + + Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device. + + Replace a Windows 7 computer with a Windows 10 computer
      Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager +
      + +
        + + +>[!IMPORTANT] +>The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.
      +>Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS. + +## Modern deployment methods + +Modern deployment methods embrace both traditional on-prem and cloud services to deliver a simple, streamlined, cost effective deployment experience. + +### Windows Autopilot + +Windows Autopilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows Autopilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device after just a few clicks. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator. + +For more information about Windows Autopilot, see [Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows Autopilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/). + +### In-place upgrade + +For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 leverages the Windows installation program (Setup.exe) to perform an in-place upgrade, which automatically preserves all data, settings, applications, and drivers from the existing operating system version. This requires the least IT effort, because there is no need for any complex deployment infrastructure. + +Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. 
This is accomplished by leveraging tools like Microsoft Endpoint Configuration Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences. + +The in-place upgrade process is designed to be extremely reliable, with the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. Rolling back manually can also be done by leveraging the automatically-created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications do not need to be reinstalled as part of the process. + +Because existing applications are preserved through the process, the upgrade process uses the standard Windows installation media image (Install.wim); custom images are not needed and cannot be used because the upgrade process is unable to deal with conflicts between apps in the old and new operating system. (For example, Contoso Timecard 1.0 in Windows 7 and Contoso Timecard 3.0 in the Windows 10 image.) + +Scenarios that support in-place upgrade with some additional procedures include changing from BIOS to UEFI boot mode and upgrade of devices that use non-Microsoft disk encryption software. + +- **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 does not require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt) tool. 
Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode. + +- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting: + - [Windows Setup Automation Overview](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-automation-overview) + - [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options) + +There are some situations where you cannot use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include: + +- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process cannot change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers. +- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed. +- Updating existing images. While it might be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image, this is not supported – preparing an upgraded OS for imaging (using Sysprep.exe) is not supported and will not work when it detects the upgraded OS. +- Dual-boot and multi-boot systems. 
The upgrade process is designed for devices running a single OS; if using dual-boot or multi-boot systems with multiple operating systems (not leveraging virtual machines for the second and subsequent operating systems), additional care should be taken. + + +## Dynamic provisioning + +For new PCs, organizations have historically replaced the version of Windows included on the device with their own custom Windows image, because this was often faster and easier than leveraging the preinstalled version. But this is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows 10, it is now possible to avoid this. + +The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include: + +### Windows 10 Subscription Activation + +Windows 10 Subscription Activation is a modern deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation). + + +### Azure Active Directory (AAD) join with automatic mobile device management (MDM) enrollment + +In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Azure Active Directory integration with MDM](https://docs.microsoft.com/windows/client-management/mdm/azure-active-directory-integration-with-mdm). 
+ +### Provisioning package configuration + +Using the [Windows Imaging and Configuration Designer (ICD)](https://go.microsoft.com/fwlink/p/?LinkId=619358), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through a variety of means, typically by IT professionals. For more information, see [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm). + +These scenarios can be used to enable “choose your own device” (CYOD) programs where the organization’s users can pick their own PC and not be restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios). + +While the initial Windows 10 release includes a variety of provisioning settings and deployment mechanisms, these will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for additional features through the Windows Feedback app or through their Microsoft Support contacts. + +## Traditional deployment: + +New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md), and [Microsoft Endpoint Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md). + +With the release of Windows 10, all of these tools are being updated to fully support Windows 10. 
Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important and will continue to be available to organizations that need them. + +The traditional deployment scenario can be divided into different sub-scenarios. These are explained in detail in the following sections, but the following provides a brief summary: + +- **New computer.** A bare-metal deployment of a new machine. + +- **Computer refresh.** A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup). + +- **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup). + +### New computer + +Also called a "bare metal" deployment. This scenario occurs when you have a blank machine you need to deploy, or an existing machine you want to wipe and redeploy without needing to preserve any existing data. The setup starts from a boot media, using CD, USB, ISO, or Pre-Boot Execution Environment (PXE). You can also generate a full offline media that includes all the files needed for a client deployment, allowing you to deploy without having to connect to a central deployment share. The target can be a physical computer, a virtual machine, or a Virtual Hard Disk (VHD) running on a physical computer (boot from VHD). + +The deployment process for the new machine scenario is as follows: + +1. Start the setup from boot media (CD, USB, ISO, or PXE). + +2. Wipe the hard disk clean and create new volume(s). + +3. Install the operating system image. + +4. Install other applications (as part of the task sequence). + +After taking these steps, the computer is ready for use. + +### Computer refresh + +A refresh is sometimes called wipe-and-load. The process is normally initiated in the running operating system. 
User data and settings are backed up and restored later as part of the deployment process. The target can be the same as for the new computer scenario. + +The deployment process for the wipe-and-load scenario is as follows: + +1. Start the setup on a running operating system. + +2. Save the user state locally. + +3. Wipe the hard disk clean (except for the folder containing the backup). + +4. Install the operating system image. + +5. Install other applications. + +6. Restore the user state. + +After taking these steps, the machine is ready for use. + +### Computer replace + +A computer replace is similar to the refresh scenario. However, since we are replacing the machine, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored. + +The deployment process for the replace scenario is as follows: + +1. Save the user state (data and settings) on the server through a backup job on the running operating system. + +2. Deploy the new computer as a bare-metal deployment. + + **Note**
      In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk. + +## Related topics + +- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) +- [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md) +- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=620230) +- [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) +- [Windows setup technical reference](https://go.microsoft.com/fwlink/p/?LinkId=619357) +- [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=619358) +- [UEFI firmware](https://go.microsoft.com/fwlink/p/?LinkId=619359) diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md index e241930c1e..e4cadbe165 100644 --- a/windows/deployment/windows-10-enterprise-e3-overview.md +++ b/windows/deployment/windows-10-enterprise-e3-overview.md 
@@ -1,258 +1,260 @@ ---- -title: Windows 10 Enterprise E3 in CSP -description: Describes Windows 10 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10 Enterprise edition. -keywords: upgrade, update, task sequence, deploy -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -ms.date: 08/24/2017 -ms.reviewer: -manager: laurawi -ms.audience: itpro author: greg-lindsay -audience: itpro author: greg-lindsay -ms.collection: M365-modern-desktop -ms.topic: article ---- - -# Windows 10 Enterprise E3 in CSP - -Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Windows 10 Enterprise E3 in CSP is a new offering that delivers, by subscription, exclusive features reserved for Windows 10 Enterprise edition. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10 Enterprise E3 in CSP provides a flexible, per-user subscription for small- and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following: - -- Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later, installed and activated, on the devices to be upgraded -- Azure Active Directory (Azure AD) available for identity management - -Starting with Windows 10, version 1607 (Windows 10 Anniversary Update), you can move from Windows 10 Pro to Windows 10 Enterprise more easily than ever before—no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise and all the appropriate Windows 10 Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Windows 10 Enterprise device seamlessly steps back down to Windows 10 Pro. 
- -Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. Now, with Windows 10 Enterprise E3 in CSP, small- and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features. - -When you purchase Windows 10 Enterprise E3 via a partner, you get the following benefits: - -- **Windows 10 Enterprise edition**. Devices currently running Windows 10 Pro, version 1607 can get Windows 10 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit does not include Long Term Service Branch (LTSB). - -- **Support from one to hundreds of users**. Although the Windows 10 Enterprise E3 in CSP program does not have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations. - -- **Deploy on up to five devices**. For each user covered by the license, you can deploy Windows 10 Enterprise edition on up to five devices. - -- **Roll back to Windows 10 Pro at any time**. When a user’s subscription expires or is transferred to another user, the Windows 10 Enterprise device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 90 days). - -- **Monthly, per-user pricing model**. This makes Windows 10 Enterprise E3 affordable for any organization. - -- **Move licenses between users**. Licenses can be quickly and easily reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. - -How does the Windows 10 Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance? - -- [Microsoft Volume Licensing](https://www.microsoft.com/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products. 
- -- [Software Assurance](https://www.microsoft.com/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits: - - - **Deployment and management**. These benefits include planning services, Microsoft Desktop Optimization (MDOP), Windows Virtual Desktop Access Rights, Windows-To-Go Rights, Windows Roaming Use Rights, Windows Thin PC, Windows RT Companion VDA Rights, and other benefits. - - - **Training**. These benefits include training vouchers, online e-learning, and a home use program. - - - **Support**. These benefits include 24x7 problem resolution support, backup capabilities for disaster recovery, System Center Global Service Monitor, and a passive secondary instance of SQL Server. - - - **Specialized**. These benefits include step-up licensing availability (which enables you to migrate software from an earlier edition to a higher-level edition) and to spread license and Software Assurance payments across three equal, annual sums. - - In addition, in Windows 10 Enterprise E3 in CSP, a partner can manage your licenses for you. With Software Assurance, you, the customer, manage your own licenses. - -In summary, the Windows 10 Enterprise E3 in CSP program is an upgrade offering that provides small- and medium-sized organizations easier, more flexible access to the benefits of Windows 10 Enterprise edition, whereas Microsoft Volume Licensing programs and Software Assurance are broader in scope and provide benefits beyond access to Windows 10 Enterprise edition. - -## Compare Windows 10 Pro and Enterprise editions - -Windows 10 Enterprise edition has a number of features that are unavailable in Windows 10 Pro. Table 1 lists the Windows 10 Enterprise features not found in Windows 10 Pro. Many of these features are security-related, whereas others enable finer-grained device management. - -*Table 1. 
Windows 10 Enterprise features not found in Windows 10 Pro* - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FeatureDescription

      Credential Guard

      This feature uses virtualization-based security to help protect security secrets (for example, NTLM password hashes, Kerberos Ticket Granting Tickets) so that only privileged system software can access them. This helps prevent Pass-the-Hash or Pass-the-Ticket attacks.

      -

      Credential Guard has the following features:

      -
        -
      • Hardware-level security.  Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.

      • -
      • Virtualization-based security.  Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.

      • -
      • Improved protection against persistent threats.  Credential Guard works with other technologies (e.g., Device Guard) to help provide further protection against attacks, no matter how persistent.

      • -
      • Improved manageability.  Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.

      • -
      -

      For more information, see Protect derived domain credentials with Credential Guard.

      -

      Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)

      Device Guard

      This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.

      -

      Device Guard does the following:

      -
        -
      • Helps protect against malware

      • -
      • Helps protect the Windows system core from vulnerability and zero-day exploits

      • -
      • Allows only trusted apps to run

      • -
      -

      For more information, see Introduction to Device Guard.

      AppLocker management

      This feature helps IT pros determine which applications and files users can run on a device (also known as “whitelisting”). The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.

      -

      For more information, see AppLocker.

      Application Virtualization (App-V)

      This feature makes applications available to end users without installing the applications directly on users’ devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.

      -

      For more information, see Getting Started with App-V for Windows 10.

      User Experience Virtualization (UE-V)

      With this feature, you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.

      -

      UE-V provides the ability to do the following:

      -
        -
      • Specify which application and Windows settings synchronize across user devices

      • -
      • Deliver the settings anytime and anywhere users work throughout the enterprise

      • -
      • Create custom templates for your third-party or line-of-business applications

      • -
      • Recover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state

      • -
      -

      For more information, see User Experience Virtualization (UE-V) for Windows 10 overview.

      Managed User Experience

      This feature helps customize and lock down a Windows device’s user interface to restrict it to a specific task. For example, you can configure a device for a controlled scenario such as a kiosk or classroom device. The user experience would be automatically reset once a user signs off. You can also restrict access to services including Cortana or the Windows Store, and manage Start layout options, such as:

      -
        -
      • Removing and preventing access to the Shut Down, Restart, Sleep, and Hibernate commands

      • -
      • Removing Log Off (the User tile) from the Start menu

      • -
      • Removing frequent programs from the Start menu

      • -
      • Removing the All Programs list from the Start menu

      • -
      • Preventing users from customizing their Start screen

      • -
      • Forcing Start menu to be either full-screen size or menu size

      • -
      • Preventing changes to Taskbar and Start menu settings

      • -
      -
      - -## Deployment of Windows 10 Enterprise E3 licenses - -See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). - -## Deploy Windows 10 Enterprise features - -Now that you have Windows 10 Enterprise edition running on devices, how do you take advantage of the Enterprise edition features and capabilities? What are the next steps that need to be taken for each of the features discussed in [Table 1](#compare-windows10-pro-and-enterprise-editions)? - -The following sections provide you with the high-level tasks that need to be performed in your environment to help users take advantage of the Windows 10 Enterprise edition features. - -### Credential Guard\* - -You can implement Credential Guard on Windows 10 Enterprise devices by turning on Credential Guard on these devices. Credential Guard uses Windows 10 virtualization-based security features (Hyper-V features) that must be enabled on each device before you can turn on Credential Guard. You can turn on Credential Guard by using one of the following methods: - -- **Automated**. You can automatically turn on Credential Guard for one or more devices by using Group Policy. The Group Policy settings automatically add the virtualization-based security features and configure the Credential Guard registry settings on managed devices. - -- **Manual**. You can manually turn on Credential Guard by doing the following: - - - Add the virtualization-based security features by using Programs and Features or Deployment Image Servicing and Management (DISM). - - - Configure Credential Guard registry settings by using the Registry Editor or the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). - - You can automate these manual steps by using a management tool such as System Center Configuration Manager. 
- -For more information about implementing Credential Guard, see the following resources: - -- [Protect derived domain credentials with Credential Guard](https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard) -- [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514(v=vs.85).aspx) -- [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337) - -\* *Requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)* - -### Device Guard - -Now that the devices have Windows 10 Enterprise, you can implement Device Guard on the Windows 10 Enterprise devices by performing the following steps: - -1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate (that you purchase) or an internal certificate authority (CA). If you choose to use an internal CA, you will need to create a code signing certificate. - -2. **Create code integrity policies from “golden” computers**. When you have identified departments or roles that use distinctive or partly distinctive sets of hardware and software, you can set up “golden” computers containing that software and hardware. In this respect, creating and managing code integrity policies to align with the needs of roles or departments can be similar to managing corporate images. From each “golden” computer, you can create a code integrity policy and decide how to manage that policy. 
You can merge code integrity policies to create a broader policy or a master policy, or you can manage and deploy each policy individually. - -3. **Audit the code integrity policy and capture information about applications that are outside the policy**. We recommend that you use “audit mode” to carefully test each code integrity policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed. - -4. **Create a “catalog file” for unsigned line-of-business (LOB) applications**. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. In later steps, you can merge the catalog file's signature into your code integrity policy so that applications in the catalog will be allowed by the policy. - -5. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a code integrity policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy. You can merge code integrity policies from other sources also, for flexibility in how you create your final code integrity policies. - -6. **Deploy code integrity policies and catalog files**. After you confirm that you have completed all the preceding steps, you can begin deploying catalog files and taking code integrity policies out of audit mode. We strongly recommend that you begin this process with a test group of users. This provides a final quality-control validation before you deploy the catalog files and code integrity policies more broadly. - -7. 
**Enable desired hardware security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies. - -For more information about implementing Device Guard, see: - -- [Planning and getting started on the Device Guard deployment process](https://technet.microsoft.com/itpro/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process) -- [Device Guard deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide) - -### AppLocker management - -You can manage AppLocker in Windows 10 Enterprise by using Group Policy. Group Policy requires that the you have AD DS and that the Windows 10 Enterprise devices are joined to the your AD DS domain. You can create AppLocker rules by using Group Policy, and then target those rules to the appropriate devices. - -For more information about AppLocker management by using Group Policy, see [AppLocker deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-policies-deployment-guide). - -### App-V - -App-V requires an App-V server infrastructure to support App-V clients. The primary App-V components that the you must have are as follows: - -- **App-V server**. The App-V server provides App-V management, virtualized app publishing, app streaming, and reporting services. Each of these services can be run on one server or can be run individually on multiple servers. For example, you could have multiple streaming servers. App-V clients contact App-V servers to determine which apps are published to the user or device, and then run the virtualized app from the server. - -- **App-V sequencer**. The App-V sequencer is a typical client device that is used to sequence (capture) apps and prepare them for hosting from the App-V server. 
You install apps on the App-V sequencer, and the App-V sequencer software determines the files and registry settings that are changed during app installation. Then the sequencer captures these settings to create a virtualized app. - -- **App-V client**. The App-V client must be enabled on any client device on which apps will be run from the App-V server. These will be the Windows 10 Enterprise E3 devices. - -For more information about implementing the App-V server, App-V sequencer, and App-V client, see the following resources: - -- [Getting Started with App-V for Windows 10](https://technet.microsoft.com/itpro/windows/manage/appv-getting-started) -- [Deploying the App-V server](https://technet.microsoft.com/itpro/windows/manage/appv-deploying-the-appv-server) -- [Deploying the App-V Sequencer and Configuring the Client](https://technet.microsoft.com/itpro/windows/manage/appv-deploying-the-appv-sequencer-and-client) - -### UE-V -UE-V requires server- and client-side components that you you’ll need to download, activate, and install. These components include: - -- **UE-V service**. The UE-V service (when enabled on devices) monitors registered applications and Windows for any settings changes, then synchronizes those settings between devices. - -- **Settings packages**. Settings packages created by the UE-V service store application settings and Windows settings. Settings packages are built, locally stored, and copied to the settings storage location. - -- **Settings storage location**. This location is a standard network share that your users can access. The UE-V service verifies the location and creates a hidden system folder in which to store and retrieve user settings. - -- **Settings location templates**. Settings location templates are XML files that UE-V uses to monitor and synchronize desktop application settings and Windows desktop settings between user computers. By default, some settings location templates are included in UE-V. 
You can also create, edit, or validate custom settings location templates by using the UE-V template generator. Settings location templates are not required for Windows applications. - -- **Universal Windows applications list**. UE-V determines which Windows applications are enabled for settings synchronization using a managed list of applications. By default, this list includes most Windows applications. - -For more information about deploying UE-V, see the following resources: - -- [User Experience Virtualization (UE-V) for Windows 10 overview](https://technet.microsoft.com/itpro/windows/manage/uev-for-windows) -- [Get Started with UE-V](https://technet.microsoft.com/itpro/windows/manage/uev-getting-started) -- [Prepare a UE-V Deployment](https://technet.microsoft.com/itpro/windows/manage/uev-prepare-for-deployment) - -### Managed User Experience - -The Managed User Experience feature is a set of Windows 10 Enterprise edition features and corresponding settings that you can use to manage user experience. Table 2 describes the Managed User Experience settings (by category), which are only available in Windows 10 Enterprise edition. The management methods used to configure each feature depend on the feature. Some features are configured by using Group Policy, while others are configured by using Windows PowerShell, Deployment Image Servicing and Management (DISM), or other command-line tools. For the Group Policy settings, you must have AD DS with the Windows 10 Enterprise devices joined to your AD DS domain. - -*Table 2. Managed User Experience features* - -| Feature | Description | -|------------------|-----------------| -| Start layout customization | You can deploy a customized Start layout to users in a domain. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
      For more information on these settings, see [Customize Windows 10 Start and taskbar with Group Policy](https://technet.microsoft.com/itpro/windows/manage/customize-windows-10-start-screens-by-using-group-policy). | -| Unbranded boot | You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error from which it cannot recover.
      For more information on these settings, see [Unbranded Boot](https://msdn.microsoft.com/library/windows/hardware/mt571997(v=vs.85).aspx). | -| Custom logon | You can use the Custom Logon feature to suppress Windows 10 UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown.
      For more information on these settings, see [Custom Logon](https://msdn.microsoft.com/library/windows/hardware/mt571990(v=vs.85).aspx). | -| Shell launcher | Enables Assigned Access to run only a classic Windows app via Shell Launcher to replace the shell.
      For more information on these settings, see [Shell Launcher](https://msdn.microsoft.com/library/windows/hardware/mt571994(v=vs.85).aspx). | -| Keyboard filter | You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, users can use certain Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to control a device by locking the screen or using Task Manager to close a running application. This is not desirable on devices intended for a dedicated purpose.
      For more information on these settings, see [Keyboard Filter](https://msdn.microsoft.com/library/windows/hardware/mt587088(v=vs.85).aspx). | -| Unified write filter | You can use Unified Write Filter (UWF) on your device to help protect your physical storage media, including most standard writable storage types that are supported by Windows, such as physical hard disks, solid-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writable volume.
      For more information on these settings, see [Unified Write Filter](https://msdn.microsoft.com/library/windows/hardware/mt572001(v=vs.85).aspx). | - -## Related topics - -[Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md) -
      [Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-devices-group-policy/) -
      [Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare) -
      [Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx) +--- +title: Windows 10 Enterprise E3 in CSP +description: Describes Windows 10 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10 Enterprise edition. +keywords: upgrade, update, task sequence, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: mdt +ms.date: 08/24/2017 +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +audience: itpro +author: greg-lindsay +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Windows 10 Enterprise E3 in CSP + +Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Windows 10 Enterprise E3 in CSP is a new offering that delivers, by subscription, exclusive features reserved for Windows 10 Enterprise edition. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10 Enterprise E3 in CSP provides a flexible, per-user subscription for small- and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following: + +- Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later, installed and activated, on the devices to be upgraded +- Azure Active Directory (Azure AD) available for identity management + +Starting with Windows 10, version 1607 (Windows 10 Anniversary Update), you can move from Windows 10 Pro to Windows 10 Enterprise more easily than ever before—no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise and all the appropriate Windows 10 Enterprise features are unlocked. 
When a subscription license expires or is transferred to another user, the Windows 10 Enterprise device seamlessly steps back down to Windows 10 Pro. + +Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. Now, with Windows 10 Enterprise E3 in CSP, small- and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features. + +When you purchase Windows 10 Enterprise E3 via a partner, you get the following benefits: + +- **Windows 10 Enterprise edition**. Devices currently running Windows 10 Pro, version 1607 can get Windows 10 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit does not include Long Term Service Branch (LTSB). + +- **Support from one to hundreds of users**. Although the Windows 10 Enterprise E3 in CSP program does not have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations. + +- **Deploy on up to five devices**. For each user covered by the license, you can deploy Windows 10 Enterprise edition on up to five devices. + +- **Roll back to Windows 10 Pro at any time**. When a user’s subscription expires or is transferred to another user, the Windows 10 Enterprise device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 90 days). + +- **Monthly, per-user pricing model**. This makes Windows 10 Enterprise E3 affordable for any organization. + +- **Move licenses between users**. Licenses can be quickly and easily reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. + +How does the Windows 10 Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance? 
+ +- [Microsoft Volume Licensing](https://www.microsoft.com/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products. + +- [Software Assurance](https://www.microsoft.com/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits: + + - **Deployment and management**. These benefits include planning services, Microsoft Desktop Optimization (MDOP), Windows Virtual Desktop Access Rights, Windows-To-Go Rights, Windows Roaming Use Rights, Windows Thin PC, Windows RT Companion VDA Rights, and other benefits. + + - **Training**. These benefits include training vouchers, online e-learning, and a home use program. + + - **Support**. These benefits include 24x7 problem resolution support, backup capabilities for disaster recovery, System Center Global Service Monitor, and a passive secondary instance of SQL Server. + + - **Specialized**. These benefits include step-up licensing availability (which enables you to migrate software from an earlier edition to a higher-level edition) and to spread license and Software Assurance payments across three equal, annual sums. + + In addition, in Windows 10 Enterprise E3 in CSP, a partner can manage your licenses for you. With Software Assurance, you, the customer, manage your own licenses. + +In summary, the Windows 10 Enterprise E3 in CSP program is an upgrade offering that provides small- and medium-sized organizations easier, more flexible access to the benefits of Windows 10 Enterprise edition, whereas Microsoft Volume Licensing programs and Software Assurance are broader in scope and provide benefits beyond access to Windows 10 Enterprise edition. + +## Compare Windows 10 Pro and Enterprise editions + +Windows 10 Enterprise edition has a number of features that are unavailable in Windows 10 Pro. Table 1 lists the Windows 10 Enterprise features not found in Windows 10 Pro. 
Many of these features are security-related, whereas others enable finer-grained device management. + +*Table 1. Windows 10 Enterprise features not found in Windows 10 Pro* + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      FeatureDescription

      Credential Guard

      This feature uses virtualization-based security to help protect security secrets (for example, NTLM password hashes, Kerberos Ticket Granting Tickets) so that only privileged system software can access them. This helps prevent Pass-the-Hash or Pass-the-Ticket attacks.

      +

      Credential Guard has the following features:

      +
        +
      • Hardware-level security.  Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.

      • +
      • Virtualization-based security.  Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.

      • +
      • Improved protection against persistent threats.  Credential Guard works with other technologies (e.g., Device Guard) to help provide further protection against attacks, no matter how persistent.

      • +
      • Improved manageability.  Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.

      • +
      +

      For more information, see Protect derived domain credentials with Credential Guard.

      +

      Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)

      Device Guard

      This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.

      +

      Device Guard does the following:

      +
        +
      • Helps protect against malware

      • +
      • Helps protect the Windows system core from vulnerability and zero-day exploits

      • +
      • Allows only trusted apps to run

      • +
      +

      For more information, see Introduction to Device Guard.

      AppLocker management

      This feature helps IT pros determine which applications and files users can run on a device (also known as “whitelisting”). The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.

      +

      For more information, see AppLocker.

      Application Virtualization (App-V)

      This feature makes applications available to end users without installing the applications directly on users’ devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.

      +

      For more information, see Getting Started with App-V for Windows 10.

      User Experience Virtualization (UE-V)

      With this feature, you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.

      +

      UE-V provides the ability to do the following:

      +
        +
      • Specify which application and Windows settings synchronize across user devices

      • +
      • Deliver the settings anytime and anywhere users work throughout the enterprise

      • +
      • Create custom templates for your third-party or line-of-business applications

      • +
      • Recover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state

      • +
      +

      For more information, see User Experience Virtualization (UE-V) for Windows 10 overview.

      Managed User Experience

      This feature helps customize and lock down a Windows device’s user interface to restrict it to a specific task. For example, you can configure a device for a controlled scenario such as a kiosk or classroom device. The user experience would be automatically reset once a user signs off. You can also restrict access to services including Cortana or the Windows Store, and manage Start layout options, such as:

      +
        +
      • Removing and preventing access to the Shut Down, Restart, Sleep, and Hibernate commands

      • +
      • Removing Log Off (the User tile) from the Start menu

      • +
      • Removing frequent programs from the Start menu

      • +
      • Removing the All Programs list from the Start menu

      • +
      • Preventing users from customizing their Start screen

      • +
      • Forcing Start menu to be either full-screen size or menu size

      • +
      • Preventing changes to Taskbar and Start menu settings

      • +
      +
      + +## Deployment of Windows 10 Enterprise E3 licenses + +See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). + +## Deploy Windows 10 Enterprise features + +Now that you have Windows 10 Enterprise edition running on devices, how do you take advantage of the Enterprise edition features and capabilities? What are the next steps that need to be taken for each of the features discussed in [Table 1](#compare-windows10-pro-and-enterprise-editions)? + +The following sections provide you with the high-level tasks that need to be performed in your environment to help users take advantage of the Windows 10 Enterprise edition features. + +### Credential Guard\* + +You can implement Credential Guard on Windows 10 Enterprise devices by turning on Credential Guard on these devices. Credential Guard uses Windows 10 virtualization-based security features (Hyper-V features) that must be enabled on each device before you can turn on Credential Guard. You can turn on Credential Guard by using one of the following methods: + +- **Automated**. You can automatically turn on Credential Guard for one or more devices by using Group Policy. The Group Policy settings automatically add the virtualization-based security features and configure the Credential Guard registry settings on managed devices. + +- **Manual**. You can manually turn on Credential Guard by doing the following: + + - Add the virtualization-based security features by using Programs and Features or Deployment Image Servicing and Management (DISM). + + - Configure Credential Guard registry settings by using the Registry Editor or the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). + + You can automate these manual steps by using a management tool such as Microsoft Endpoint Configuration Manager. 
+ +For more information about implementing Credential Guard, see the following resources: + +- [Protect derived domain credentials with Credential Guard](https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard) +- [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514(v=vs.85).aspx) +- [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337) + +\* *Requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)* + +### Device Guard + +Now that the devices have Windows 10 Enterprise, you can implement Device Guard on the Windows 10 Enterprise devices by performing the following steps: + +1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate (that you purchase) or an internal certificate authority (CA). If you choose to use an internal CA, you will need to create a code signing certificate. + +2. **Create code integrity policies from “golden” computers**. When you have identified departments or roles that use distinctive or partly distinctive sets of hardware and software, you can set up “golden” computers containing that software and hardware. In this respect, creating and managing code integrity policies to align with the needs of roles or departments can be similar to managing corporate images. From each “golden” computer, you can create a code integrity policy and decide how to manage that policy. 
You can merge code integrity policies to create a broader policy or a master policy, or you can manage and deploy each policy individually. + +3. **Audit the code integrity policy and capture information about applications that are outside the policy**. We recommend that you use “audit mode” to carefully test each code integrity policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed. + +4. **Create a “catalog file” for unsigned line-of-business (LOB) applications**. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. In later steps, you can merge the catalog file's signature into your code integrity policy so that applications in the catalog will be allowed by the policy. + +5. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a code integrity policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy. You can merge code integrity policies from other sources also, for flexibility in how you create your final code integrity policies. + +6. **Deploy code integrity policies and catalog files**. After you confirm that you have completed all the preceding steps, you can begin deploying catalog files and taking code integrity policies out of audit mode. We strongly recommend that you begin this process with a test group of users. This provides a final quality-control validation before you deploy the catalog files and code integrity policies more broadly. + +7. 
**Enable desired hardware security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies. + +For more information about implementing Device Guard, see: + +- [Planning and getting started on the Device Guard deployment process](https://technet.microsoft.com/itpro/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process) +- [Device Guard deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide) + +### AppLocker management + +You can manage AppLocker in Windows 10 Enterprise by using Group Policy. Group Policy requires that the you have AD DS and that the Windows 10 Enterprise devices are joined to the your AD DS domain. You can create AppLocker rules by using Group Policy, and then target those rules to the appropriate devices. + +For more information about AppLocker management by using Group Policy, see [AppLocker deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-policies-deployment-guide). + +### App-V + +App-V requires an App-V server infrastructure to support App-V clients. The primary App-V components that the you must have are as follows: + +- **App-V server**. The App-V server provides App-V management, virtualized app publishing, app streaming, and reporting services. Each of these services can be run on one server or can be run individually on multiple servers. For example, you could have multiple streaming servers. App-V clients contact App-V servers to determine which apps are published to the user or device, and then run the virtualized app from the server. + +- **App-V sequencer**. The App-V sequencer is a typical client device that is used to sequence (capture) apps and prepare them for hosting from the App-V server. 
You install apps on the App-V sequencer, and the App-V sequencer software determines the files and registry settings that are changed during app installation. Then the sequencer captures these settings to create a virtualized app. + +- **App-V client**. The App-V client must be enabled on any client device on which apps will be run from the App-V server. These will be the Windows 10 Enterprise E3 devices. + +For more information about implementing the App-V server, App-V sequencer, and App-V client, see the following resources: + +- [Getting Started with App-V for Windows 10](https://technet.microsoft.com/itpro/windows/manage/appv-getting-started) +- [Deploying the App-V server](https://technet.microsoft.com/itpro/windows/manage/appv-deploying-the-appv-server) +- [Deploying the App-V Sequencer and Configuring the Client](https://technet.microsoft.com/itpro/windows/manage/appv-deploying-the-appv-sequencer-and-client) + +### UE-V +UE-V requires server- and client-side components that you you’ll need to download, activate, and install. These components include: + +- **UE-V service**. The UE-V service (when enabled on devices) monitors registered applications and Windows for any settings changes, then synchronizes those settings between devices. + +- **Settings packages**. Settings packages created by the UE-V service store application settings and Windows settings. Settings packages are built, locally stored, and copied to the settings storage location. + +- **Settings storage location**. This location is a standard network share that your users can access. The UE-V service verifies the location and creates a hidden system folder in which to store and retrieve user settings. + +- **Settings location templates**. Settings location templates are XML files that UE-V uses to monitor and synchronize desktop application settings and Windows desktop settings between user computers. By default, some settings location templates are included in UE-V. 
You can also create, edit, or validate custom settings location templates by using the UE-V template generator. Settings location templates are not required for Windows applications. + +- **Universal Windows applications list**. UE-V determines which Windows applications are enabled for settings synchronization using a managed list of applications. By default, this list includes most Windows applications. + +For more information about deploying UE-V, see the following resources: + +- [User Experience Virtualization (UE-V) for Windows 10 overview](https://technet.microsoft.com/itpro/windows/manage/uev-for-windows) +- [Get Started with UE-V](https://technet.microsoft.com/itpro/windows/manage/uev-getting-started) +- [Prepare a UE-V Deployment](https://technet.microsoft.com/itpro/windows/manage/uev-prepare-for-deployment) + +### Managed User Experience + +The Managed User Experience feature is a set of Windows 10 Enterprise edition features and corresponding settings that you can use to manage user experience. Table 2 describes the Managed User Experience settings (by category), which are only available in Windows 10 Enterprise edition. The management methods used to configure each feature depend on the feature. Some features are configured by using Group Policy, while others are configured by using Windows PowerShell, Deployment Image Servicing and Management (DISM), or other command-line tools. For the Group Policy settings, you must have AD DS with the Windows 10 Enterprise devices joined to your AD DS domain. + +*Table 2. Managed User Experience features* + +| Feature | Description | +|------------------|-----------------| +| Start layout customization | You can deploy a customized Start layout to users in a domain. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
      For more information on these settings, see [Customize Windows 10 Start and taskbar with Group Policy](https://technet.microsoft.com/itpro/windows/manage/customize-windows-10-start-screens-by-using-group-policy). | +| Unbranded boot | You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error from which it cannot recover.
      For more information on these settings, see [Unbranded Boot](https://msdn.microsoft.com/library/windows/hardware/mt571997(v=vs.85).aspx). | +| Custom logon | You can use the Custom Logon feature to suppress Windows 10 UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown.
      For more information on these settings, see [Custom Logon](https://msdn.microsoft.com/library/windows/hardware/mt571990(v=vs.85).aspx). | +| Shell launcher | Enables Assigned Access to run only a classic Windows app via Shell Launcher to replace the shell.
      For more information on these settings, see [Shell Launcher](https://msdn.microsoft.com/library/windows/hardware/mt571994(v=vs.85).aspx). | +| Keyboard filter | You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, users can use certain Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to control a device by locking the screen or using Task Manager to close a running application. This is not desirable on devices intended for a dedicated purpose.
      For more information on these settings, see [Keyboard Filter](https://msdn.microsoft.com/library/windows/hardware/mt587088(v=vs.85).aspx). | +| Unified write filter | You can use Unified Write Filter (UWF) on your device to help protect your physical storage media, including most standard writable storage types that are supported by Windows, such as physical hard disks, solid-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writable volume.
      For more information on these settings, see [Unified Write Filter](https://msdn.microsoft.com/library/windows/hardware/mt572001(v=vs.85).aspx). | + +## Related topics + +[Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md) +
      [Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-devices-group-policy/) +
      [Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare) +
      [Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx) diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md index 2b435c0edc..24743735e8 100644 --- a/windows/deployment/windows-10-media.md +++ b/windows/deployment/windows-10-media.md @@ -44,7 +44,7 @@ For ISOs that you download from the VLSC or Visual Studio Subscriptions, you can ![Images](images/table01.png) -When using the contents of these ISOs with tools such as the Microsoft Deployment Toolkit or System Center Configuration Manager, make sure you select the appropriate image index in any task sequences that you create or update. +When using the contents of these ISOs with tools such as the Microsoft Deployment Toolkit or Microsoft Endpoint Configuration Manager, make sure you select the appropriate image index in any task sequences that you create or update. For packages published to Windows Server Update Services (WSUS), you’ll also notice the change because, instead of having separate packages for each Windows edition, there will be just one package: diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md index 87eea0e845..dc74d56ad8 100644 --- a/windows/deployment/windows-10-poc-mdt.md +++ b/windows/deployment/windows-10-poc-mdt.md 
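Review bot: In the added front matter of windows/deployment/windows-10-enterprise-e3-overview.md, `author: greg-lindsay` appears twice (once after `ms.audience: itpro` and again after `audience: itpro`), so the metadata block carries a duplicate key. Keep a single `author` line and confirm whether both `ms.audience` and `audience` are meant to stay. In the same file, the link `[Table 1](#compare-windows10-pro-and-enterprise-editions)` does not match the heading `## Compare Windows 10 Pro and Enterprise editions`, which writes "Windows 10" as two words, so the anchor likely does not resolve; `#compare-windows-10-pro-and-enterprise-editions` would follow the heading text. Because these lines are all on the + side, this is also the place to fix the typos they carry: "requires that the you have AD DS", "joined to the your AD DS domain", "components that the you must have" and "you you’ll need".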
@@ -1,655 +1,657 @@ ---- -title: Step by step - Deploy Windows 10 in a test lab using MDT -description: Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT) -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -keywords: deployment, automate, tools, configure, mdt -ms.localizationpriority: medium -ms.date: 10/11/2017 -ms.reviewer: -manager: laurawi -ms.audience: itpro author: greg-lindsay -audience: itpro author: greg-lindsay -ms.topic: article ---- - - -# Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit - -**Applies to** - -- Windows 10 - -**Important**: This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide: -- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) - -Please complete all steps in the prerequisite guide before starting this guide. This guide requires about 5 hours to complete, but can require less time or more time depending on the speed of the Hyper-V host. After completing the current guide, also see the companion guide: -- [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) - -The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs): -- **DC1**: A contoso.com domain controller, DNS server, and DHCP server. -- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network. -- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been shadow-copied from a physical computer on your corporate network. - ->This guide uses the Hyper-V server role. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work. 
- -## In this guide - -This guide provides instructions to install and configure the Microsoft Deployment Toolkit (MDT) to deploy a Windows 10 image. - -Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. - -
      - -
      - - -
      TopicDescriptionTime - -
      About MDTA high-level overview of the Microsoft Deployment Toolkit (MDT).Informational -
      Install MDTDownload and install MDT.40 minutes -
      Create a deployment share and reference imageA reference image is created to serve as the template for deploying new images.90 minutes -
      Deploy a Windows 10 image using MDTThe reference image is deployed in the PoC environment.60 minutes -
      Refresh a computer with Windows 10Export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings.60 minutes -
      Replace a computer with Windows 10Back up an existing client computer, then restore this backup to a new computer.60 minutes -
      Troubleshooting logs, events, and utilitiesLog locations and troubleshooting hints.Informational -
      - -
      - -## About MDT - -MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch Installation (ZTI), and User-Driven Installation (UDI) deployment methods. -- LTI is the deployment method used in the current guide, requiring only MDT and performed with a minimum amount of user interaction. -- ZTI is fully automated, requiring no user interaction and is performed using MDT and System Center Configuration Manager. After completing the steps in the current guide, see [Step by step: Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) to use the ZTI deployment method in the PoC environment. -- UDI requires manual intervention to respond to installation prompts such as machine name, password and language settings. UDI requires MDT and System Center Configuration Manager. - -## Install MDT - -1. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt: - - ``` - $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" - Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0 - Stop-Process -Name Explorer - ``` -2. Download and install the 64-bit version of [Microsoft Deployment Toolkit (MDT)](https://www.microsoft.com/download/details.aspx?id=54259) on SRV1 using the default options. As of the writing of this guide, the latest version of MDT was 8443. - -3. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1703. Installation might require several minutes to acquire all components. - -3. 
If desired, re-enable IE Enhanced Security Configuration: - - ``` - Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1 - Stop-Process -Name Explorer - ``` - -## Create a deployment share and reference image - -A reference image serves as the foundation for Windows 10 devices in your organization. - -1. In [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md), the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command: - - ``` - Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso - ``` -2. On SRV1, verify that the Windows Enterprise installation DVD is mounted as drive letter D. - -3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**. - -4. To enable quick access to the application, right-click **Deployment Workbench** on the taskbar and then click **Pin this program to the taskbar**. - -5. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. - -6. Use the following settings for the New Deployment Share Wizard: - - Deployment share path: **C:\MDTBuildLab**
      - - Share name: **MDTBuildLab$**
      - - Deployment share description: **MDT build lab**
      - - Options: click **Next** to accept the default
      - - Summary: click **Next**
      - - Progress: settings will be applied
      - - Confirmation: click **Finish** - - -7. Expand the **Deployment Shares** node, and then expand **MDT build lab**. - -8. Right-click the **Operating Systems** node, and then click **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**. - -9. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**. - -10. Use the following settings for the Import Operating System Wizard: - - OS Type: **Full set of source files**
      - - Source: **D:\\**
      - - Destination: **W10Ent_x64**
      - - Summary: click **Next** - - Progress: wait for files to be copied - - Confirmation: click **Finish** - - >For purposes of this test lab, we will only add the prerequisite .NET Framework feature. Commerical applications (ex: Microsoft Office) will not be added to the deployment share. For information about adding applications, see the [Add applications](https://technet.microsoft.com/itpro/windows/deploy/create-a-windows-10-reference-image#sec03) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library. - -11. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - - Task sequence ID: **REFW10X64-001**
      - - Task sequence name: **Windows 10 Enterprise x64 Default Image**
      - - Task sequence comments: **Reference Build**
      - - Template: **Standard Client Task Sequence** - - Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim** - - Specify Product Key: **Do not specify a product key at this time** - - Full Name: **Contoso** - - Organization: **Contoso** - - Internet Explorer home page: **http://www.contoso.com** - - Admin Password: **Do not specify an Administrator password at this time** - - Summary: click **Next** - - Confirmation: click **Finish** - - -12. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step. - -13. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**. - -14. On the Properties tab of the group that was created in the previous step, change the Name from **New Group** to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. Click another location in the window to see the name change. - -15. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**. - -16. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**. - -17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. - - >Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications. - -18. Click **OK** to complete editing the task sequence. - -19. The next step is to configure the MDT deployment share rules. 
To configure rules in the Deployment Workbench, right-click **MDT build lab (C:\MDTBuildLab)** and click **Properties**, and then click the **Rules** tab. - -20. Replace the default rules with the following text: - - ``` - [Settings] - Priority=Default - - [Default] - _SMSTSORGNAME=Contoso - UserDataLocation=NONE - DoCapture=YES - OSInstall=Y - AdminPassword=pass@word1 - TimeZoneName=Pacific Standard Time - OSDComputername=#Left("PC-%SerialNumber%",7)# - JoinWorkgroup=WORKGROUP - HideShell=YES - FinishAction=SHUTDOWN - DoNotCreateExtraPartition=YES - ApplyGPOPack=NO - SkipAdminPassword=YES - SkipProductKey=YES - SkipComputerName=YES - SkipDomainMembership=YES - SkipUserData=YES - SkipLocaleSelection=YES - SkipTaskSequence=NO - SkipTimeZone=YES - SkipApplications=YES - SkipBitLocker=YES - SkipSummary=YES - SkipRoles=YES - SkipCapture=NO - SkipFinalSummary=NO - ``` - -21. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: - - ``` - [Settings] - Priority=Default - - [Default] - DeployRoot=\\SRV1\MDTBuildLab$ - UserDomain=CONTOSO - UserID=MDT_BA - UserPassword=pass@word1 - SkipBDDWelcome=YES - ``` - -22. Click **OK** to complete the configuration of the deployment share. - -23. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**. - -24. Accept all default values in the Update Deployment Share Wizard by clicking **Next** twice. The update process will take 5 to 10 minutes. When it has completed, click **Finish**. - -25. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI). 
- - >Hint: To copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**. - -26. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands: - -
      -
      -
      -    New-VM REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB
      -    Set-VMMemory REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20
      -    Set-VMDvdDrive REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso
      -    Start-VM REFW10X64-001
      -    vmconnect localhost REFW10X64-001
      -	
      -
      - - The VM will require a few minutes to prepare devices and boot from the LiteTouchPE_x86.iso file. - -27. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**. - -28. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes, and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated. - - Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures: - - - Install the Windows 10 Enterprise operating system. - - Install added applications, roles, and features. - - Update the operating system using Windows Update (or WSUS if optionally specified). - - Stage Windows PE on the local disk. - - Run System Preparation (Sysprep) and reboot into Windows PE. - - Capture the installation to a Windows Imaging (WIM) file. - - Turn off the virtual machine.

      - - This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on your deployment server (SRV1). The file name is **REFW10X64-001.wim**. - -## Deploy a Windows 10 image using MDT - -This procedure will demonstrate how to deploy the reference image to the PoC environment using MDT. - -1. On SRV1, open the MDT Deployment Workbench console, right-click **Deployment Shares**, and then click **New Deployment Share**. Use the following values in the New Deployment Share Wizard: - - **Deployment share path**: C:\MDTProd - - **Share name**: MDTProd$ - - **Deployment share description**: MDT Production - - **Options**: accept the default - - -2. Click **Next**, verify the new deployment share was added successfully, then click **Finish**. - -3. In the Deployment Workbench console, expand the MDT Production deployment share, right-click **Operating Systems**, and then click **New Folder**. Name the new folder **Windows 10** and complete the wizard using default values. - -4. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**. - -5. On the **OS Type** page, choose **Custom image file** and then click **Next**. - -6. On the Image page, browse to the **C:\MDTBuildLab\Captures\REFW10X64-001.wim** file created in the previous procedure, click **Open**, and then click **Next**. - -7. On the Setup page, select **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path**. - -8. Under **Setup source directory**, browse to **C:\MDTBuildLab\Operating Systems\W10Ent_x64** click **OK** and then click **Next**. - -9. 
On the Destination page, accept the default Destination directory name of **REFW10X64-001**, click **Next** twice, wait for the import process to complete, and then click **Finish**. - -10. In the **Operating Systems** > **Windows 10** node, double-click the operating system that was added to view its properties. Change the operating system name to **Windows 10 Enterprise x64 Custom Image** and then click **OK**. See the following example: - - ![custom image](images/image.png) - - -### Create the deployment task sequence - -1. Using the Deployment Workbench, right-click **Task Sequences** under the **MDT Production** node, click **New Folder** and create a folder with the name: **Windows 10**. - -2. Right-click the **Windows 10** folder created in the previous step, and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - - Task sequence ID: W10-X64-001 - - Task sequence name: Windows 10 Enterprise x64 Custom Image - - Task sequence comments: Production Image - - Select Template: Standard Client Task Sequence - - Select OS: Windows 10 Enterprise x64 Custom Image - - Specify Product Key: Do not specify a product key at this time - - Full Name: Contoso - - Organization: Contoso - - Internet Explorer home page: http://www.contoso.com - - Admin Password: pass@word1 - -### Configure the MDT production deployment share - -1. On SRV1, open an elevated Windows PowerShell prompt and type the following commands: - - ``` - copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\Bootstrap.ini" C:\MDTProd\Control\Bootstrap.ini -Force - copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\CustomSettings.ini" C:\MDTProd\Control\CustomSettings.ini -Force - ``` -2. In the Deployment Workbench console on SRV1, right-click the **MDT Production** deployment share and then click **Properties**. - -3. 
Click the **Rules** tab and replace the rules with the following text (don't click OK yet): - - ``` - [Settings] - Priority=Default - - [Default] - _SMSTSORGNAME=Contoso - OSInstall=YES - UserDataLocation=AUTO - TimeZoneName=Pacific Standard Time - OSDComputername=#Left("PC-%SerialNumber%",7)# - AdminPassword=pass@word1 - JoinDomain=contoso.com - DomainAdmin=administrator - DomainAdminDomain=CONTOSO - DomainAdminPassword=pass@word1 - ScanStateArgs=/ue:*\* /ui:CONTOSO\* - USMTMigFiles001=MigApp.xml - USMTMigFiles002=MigUser.xml - HideShell=YES - ApplyGPOPack=NO - SkipAppsOnUpgrade=NO - SkipAdminPassword=YES - SkipProductKey=YES - SkipComputerName=YES - SkipDomainMembership=YES - SkipUserData=YES - SkipLocaleSelection=YES - SkipTaskSequence=NO - SkipTimeZone=YES - SkipApplications=NO - SkipBitLocker=YES - SkipSummary=YES - SkipCapture=YES - SkipFinalSummary=NO - EventService=http://SRV1:9800 - ``` - **Note**: The contents of the Rules tab are added to c:\MDTProd\Control\CustomSettings.ini. - - >In this example a **MachineObjectOU** entry is not provided. Normally this entry describes the specific OU where new client computer objects are created in Active Directory. However, for the purposes of this test lab clients are added to the default computers OU, which requires that this parameter be unspecified. - - If desired, edit the follow line to include or exclude other users when migrating settings. Currently, the command is set to user exclude (ue) all users except for CONTOSO users specified by the user include option (ui): - - ``` - ScanStateArgs=/ue:*\* /ui:CONTOSO\* - ``` - - For example, to migrate **all** users on the computer, replace this line with the following: - - ``` - ScanStateArgs=/all - ``` - - For more information, see [ScanState Syntax](https://technet.microsoft.com/library/cc749015.aspx). - -4. 
Click **Edit Bootstap.ini** and replace text in the file with the following text: - - ``` - [Settings] - Priority=Default - - [Default] - DeployRoot=\\SRV1\MDTProd$ - UserDomain=CONTOSO - UserID=MDT_BA - UserPassword=pass@word1 - SkipBDDWelcome=YES - ``` -5. Click **OK** when finished. - -### Update the deployment share - -1. Right-click the **MDT Production** deployment share and then click **Update Deployment Share**. - -2. Use the default options for the Update Deployment Share Wizard. The update process requires 5 to 10 minutes to complete. - -3. Click **Finish** when the update is complete. - -### Enable deployment monitoring - -1. In the Deployment Workbench console, right-click **MDT Production** and then click **Properties**. - -2. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**. - -3. Verify the monitoring service is working as expected by opening the following link on SRV1 in Internet Explorer: [http://localhost:9800/MDTMonitorEvent/](http://localhost:9800/MDTMonitorEvent/). If you do not see "**You have created a service**" at the top of the page, see [Troubleshooting MDT 2012 Monitoring](https://blogs.technet.microsoft.com/mniehaus/2012/05/10/troubleshooting-mdt-2012-monitoring/). - -4. Close Internet Explorer. - -### Configure Windows Deployment Services - -1. Initialize Windows Deployment Services (WDS) by typing the following command at an elevated Windows PowerShell prompt on SRV1: - - ``` - WDSUTIL /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall" - WDSUTIL /Set-Server /AnswerClients:All - ``` - -2. Click **Start**, type **Windows Deployment**, and then click **Windows Deployment Services**. - -3. In the Windows Deployment Services console, expand **Servers**, expand **SRV1.contoso.com**, right-click **Boot Images**, and then click **Add Boot Image**. - -4. 
Browse to the **C:\MDTProd\Boot\LiteTouchPE_x64.wim** file, click **Open**, click **Next**, and accept the defaults in the Add Image Wizard. Click **Finish** to complete adding a boot image. - -### Deploy the client image - -1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This is just an artifact of the lab environment. In a typical deployment environment WDS would not be installed on the default gateway. - - >**Note**: Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, type **Get-NetIPAddress | ft interfacealias, ipaddress** - - Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and type the following command: - - ``` - Disable-NetAdapter "Ethernet 2" -Confirm:$false - ``` - - >Wait until the disable-netadapter command completes before proceeding. - - -2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, type the following commands at an elevated Windows PowerShell prompt: - - ``` - New-VM –Name "PC2" –NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 - Set-VMMemory -VMName "PC2" -DynamicMemoryEnabled $true -MinimumBytes 720MB -MaximumBytes 2048MB -Buffer 20 - ``` - - >Dynamic memory is configured on the VM to conserve resources. However, this can cause memory allocation to be reduced past what is required to install an operating system. If this happens, reset the VM and begin the OS installation task sequence immediately. This ensures the VM memory allocation is not decreased too much while it is idle. - -3. Start the new VM and connect to it: - - ``` - Start-VM PC2 - vmconnect localhost PC2 - ``` -4. 
When prompted, hit ENTER to start the network boot process. - -5. In the Windows Deployment Wizard, choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**. - -6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. This is needed so the client can use Windows Update after operating system installation is complete.To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and type the following command: - - ``` - Enable-NetAdapter "Ethernet 2" - ``` -7. On SRV1, in the Deployment Workbench console, click on **Monitoring** and view the status of installation. Right-click **Monitoring** and click **Refresh** if no data is displayed. -8. OS installation requires about 10 minutes. When the installation is complete, the system will reboot automatically, configure devices, and install updates, requiring another 10-20 minutes. When the new client computer is finished updating, click **Finish**. You will be automatically signed in to the local computer as administrator. - - ![finish](images/deploy-finish.png) - - -This completes the demonstration of how to deploy a reference image to the network. To conserve resources, turn off the PC2 VM before starting the next section. - -## Refresh a computer with Windows 10 - -This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md). - -1. If the PC1 VM is not already running, then start and connect to it: - - ``` - Start-VM PC1 - vmconnect localhost PC1 - ``` - -2. 
Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and to perform additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - Checkpoint-VM -Name PC1 -SnapshotName BeginState - ``` - -3. Sign on to PC1 using the CONTOSO\Administrator account. - - >Specify **contoso\administrator** as the user name to ensure you do not sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share. - -4. Open an elevated command prompt on PC1 and type the following: - - ``` - cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs - ``` - - **Note**: Litetouch.vbs must be able to create the C:\MININT directory on the local computer. - -5. Choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**. - -6. Choose **Do not back up the existing computer** and click **Next**. - - **Note**: The USMT will still back up the computer. - -7. Lite Touch Installation will perform the following actions: - - Back up user settings and data using USMT. - - Install the Windows 10 Enterprise X64 operating system. - - Update the operating system via Windows Update. - - Restore user settings and data using USMT. - - You can review the progress of installation on SRV1 by clicking on the **Monitoring** node in the deployment workbench. When OS installation is complete, the computer will restart, set up devices, and configure settings. - -8. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system, or other user accounts as specified [previously](#configure-the-mdt-production-deployment-share). - -9. 
Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - Checkpoint-VM -Name PC1 -SnapshotName RefreshState - ``` - -10. Restore the PC1 VM to it's previous state in preparation for the replace procedure. To restore a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - Restore-VMSnapshot -VMName PC1 -Name BeginState -Confirm:$false - Start-VM PC1 - vmconnect localhost PC1 - ``` - -11. Sign in to PC1 using the contoso\administrator account. - -## Replace a computer with Windows 10 - -At a high level, the computer replace process consists of:
      -- A special replace task sequence that runs the USMT backup and an optional full Window Imaging (WIM) backup.
      -- A standard OS deployment on a new computer. At the end of the deployment, the USMT backup from the old computer is restored. - -### Create a backup-only task sequence - -1. On SRV1, in the deployment workbench console, right-click the MDT Production deployment share, click **Properties**, click the **Rules** tab, and change the line **SkipUserData=YES** to **SkipUserData=NO**. -2. Click **OK**, right-click **MDT Production**, click **Update Deployment Share** and accept the default options in the wizard to update the share. -3. Type the following commands at an elevated Windows PowerShell prompt on SRV1: - - ``` - New-Item -Path C:\MigData -ItemType directory - New-SmbShare -Name MigData$ -Path C:\MigData -ChangeAccess EVERYONE - icacls C:\MigData /grant '"contoso\administrator":(OI)(CI)(M)' - ``` -4. On SRV1 in the deployment workbench, under **MDT Production**, right-click the **Task Sequences** node, and click **New Folder**. -5. Name the new folder **Other**, and complete the wizard using default options. -6. Right-click the **Other** folder and then click **New Task Sequence**. Use the following values in the wizard: - - **Task sequence ID**: REPLACE-001 - - **Task sequence name**: Backup Only Task Sequence - - **Task sequence comments**: Run USMT to back up user data and settings - - **Template**: Standard Client Replace Task Sequence (note: this is not the default template) -7. Accept defaults for the rest of the wizard and then click **Finish**. The replace task sequence will skip OS selection and settings. -8. Open the new task sequence that was created and review it. Note the type of capture and backup tasks that are present. Click **OK** when you are finished reviewing the task sequence. - -### Run the backup-only task sequence - -1. If you are not already signed on to PC1 as **contoso\administrator**, sign in using this account. 
To verify the currently signed in account, type the following command at an elevated command prompt: - - ``` - whoami - ``` -2. To ensure a clean environment before running the backup task sequence, type the following at an elevated Windows PowerShell prompt on PC1: - - ``` - Remove-Item c:\minint -recurse - Remove-Item c:\_SMSTaskSequence -recurse - Restart-Computer - ``` -3. Sign in to PC1 using the contoso\administrator account, and then type the following at an elevated command prompt: - - ``` - cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs - ``` -4. Complete the deployment wizard using the following: - - **Task Sequence**: Backup Only Task Sequence - - **User Data**: Specify a location: **\\\\SRV1\MigData$\PC1** - - **Computer Backup**: Do not back up the existing computer. -5. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and click the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks. -6. On PC1, verify that **The user state capture was completed successfully** is displayed, and click **Finish** when the capture is complete. -7. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example: - - ``` - PS C:\> dir C:\MigData\PC1\USMT - - Directory: C:\MigData\PC1\USMT - - Mode LastWriteTime Length Name - ---- ------------- ------ ---- - -a--- 9/6/2016 11:34 AM 14248685 USMT.MIG - ``` - ### Deploy PC3 - -8. On the Hyper-V host, type the following commands at an elevated Windows PowerShell prompt: - - ``` - New-VM –Name "PC3" –NewVHDPath "c:\vhd\pc3.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 - Set-VMMemory -VMName "PC3" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20 - ``` -9. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. 
To disable the adapter, type the following command at an elevated Windows PowerShell prompt on SRV1: - - ``` - Disable-NetAdapter "Ethernet 2" -Confirm:$false - ``` - - >As mentioned previously, ensure that you disable the **external** network adapter, and wait for the command to complete before proceeding. - - -10. Start and connect to PC3 by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - Start-VM PC3 - vmconnect localhost PC3 - ``` - -11. When prompted, press ENTER for network boot. - -12. On PC3, use the following settings for the Windows Deployment Wizard: - - **Task Sequence**: Windows 10 Enterprise x64 Custom Image - - **Move Data and Settings**: Do not move user data and settings - - **User Data (Restore)**: Specify a location: **\\\\SRV1\MigData$\PC1** - -13. When OS installation has started on PC1, re-enable the external network adapter on SRV1 by typing the following command on SRV1: - - ``` - Enable-NetAdapter "Ethernet 2" - ``` -14. Setup will install the Windows 10 Enterprise operating system, update via Windows Update, and restore the user settings and data from PC1. - -15. When PC3 has completed installing the OS, sign in to PC3 using the contoso\administrator account. When the PC completes updating, click **Finish**. - -16. Verify that settings have been migrated from PC1. This completes demonstration of the replace procedure. - -17. Shut down PC3 in preparation for the [next](windows-10-poc-sc-config-mgr.md) procedure. - -## Troubleshooting logs, events, and utilities - -Deployment logs are available on the client computer in the following locations: -- Before the image is applied: X:\MININT\SMSOSD\OSDLOGS -- After the system drive has been formatted: C:\MININT\SMSOSD\OSDLOGS -- After deployment: %WINDIR%\TEMP\DeploymentLogs - -You can review WDS events in Event Viewer at: **Applications and Services Logs > Microsoft > Windows > Deployment-Services-Diagnostics**. 
By default, only the **Admin** and **Operational** logs are enabled. To enable other logs, right-click the log and then click **Enable Log**. - -Tools for viewing log files, and to assist with troubleshooting are available in the [System Center 2012 R2 Configuration Manager Toolkit](https://www.microsoft.com/download/details.aspx?id=50012) - -Also see [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) for detailed troubleshooting information. - -## Related Topics - -[Microsoft Deployment Toolkit](https://technet.microsoft.com/windows/dn475741)
      -[Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) - - - - - - - +--- +title: Step by step - Deploy Windows 10 in a test lab using MDT +description: Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT) +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +keywords: deployment, automate, tools, configure, mdt +ms.localizationpriority: medium +ms.date: 10/11/2017 +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +audience: itpro +author: greg-lindsay +ms.topic: article +--- + + +# Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit + +**Applies to** + +- Windows 10 + +**Important**: This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide: +- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) + +Please complete all steps in the prerequisite guide before starting this guide. This guide requires about 5 hours to complete, but can require less time or more time depending on the speed of the Hyper-V host. After completing the current guide, also see the companion guide: +- [Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md) + +The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs): +- **DC1**: A contoso.com domain controller, DNS server, and DHCP server. +- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network. +- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been shadow-copied from a physical computer on your corporate network. + +>This guide uses the Hyper-V server role. 
If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work. + +## In this guide + +This guide provides instructions to install and configure the Microsoft Deployment Toolkit (MDT) to deploy a Windows 10 image. + +Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. + +
      + +
      + + +
      TopicDescriptionTime + +
      About MDTA high-level overview of the Microsoft Deployment Toolkit (MDT).Informational +
      Install MDTDownload and install MDT.40 minutes +
      Create a deployment share and reference imageA reference image is created to serve as the template for deploying new images.90 minutes +
      Deploy a Windows 10 image using MDTThe reference image is deployed in the PoC environment.60 minutes +
      Refresh a computer with Windows 10Export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings.60 minutes +
      Replace a computer with Windows 10Back up an existing client computer, then restore this backup to a new computer.60 minutes +
      Troubleshooting logs, events, and utilitiesLog locations and troubleshooting hints.Informational +
      + +
      + +## About MDT + +MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch Installation (ZTI), and User-Driven Installation (UDI) deployment methods. +- LTI is the deployment method used in the current guide, requiring only MDT and performed with a minimum amount of user interaction. +- ZTI is fully automated, requiring no user interaction and is performed using MDT and Microsoft Endpoint Configuration Manager. After completing the steps in the current guide, see [Step by step: Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md) to use the ZTI deployment method in the PoC environment. +- UDI requires manual intervention to respond to installation prompts such as machine name, password and language settings. UDI requires MDT and Microsoft Endpoint Configuration Manager. + +## Install MDT + +1. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt: + + ``` + $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" + Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0 + Stop-Process -Name Explorer + ``` +2. Download and install the 64-bit version of [Microsoft Deployment Toolkit (MDT)](https://www.microsoft.com/download/details.aspx?id=54259) on SRV1 using the default options. As of the writing of this guide, the latest version of MDT was 8443. + +3. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1703. Installation might require several minutes to acquire all components. + +3. 
If desired, re-enable IE Enhanced Security Configuration: + + ``` + Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1 + Stop-Process -Name Explorer + ``` + +## Create a deployment share and reference image + +A reference image serves as the foundation for Windows 10 devices in your organization. + +1. In [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md), the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command: + + ``` + Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso + ``` +2. On SRV1, verify that the Windows Enterprise installation DVD is mounted as drive letter D. + +3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**. + +4. To enable quick access to the application, right-click **Deployment Workbench** on the taskbar and then click **Pin this program to the taskbar**. + +5. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. + +6. Use the following settings for the New Deployment Share Wizard: + - Deployment share path: **C:\MDTBuildLab**
      + - Share name: **MDTBuildLab$**
      + - Deployment share description: **MDT build lab**
      + - Options: click **Next** to accept the default
      + - Summary: click **Next**
      + - Progress: settings will be applied
      + - Confirmation: click **Finish** + + +7. Expand the **Deployment Shares** node, and then expand **MDT build lab**. + +8. Right-click the **Operating Systems** node, and then click **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**. + +9. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**. + +10. Use the following settings for the Import Operating System Wizard: + - OS Type: **Full set of source files**
      + - Source: **D:\\**
      + - Destination: **W10Ent_x64**
      + - Summary: click **Next** + - Progress: wait for files to be copied + - Confirmation: click **Finish** + + >For purposes of this test lab, we will only add the prerequisite .NET Framework feature. Commerical applications (ex: Microsoft Office) will not be added to the deployment share. For information about adding applications, see the [Add applications](https://technet.microsoft.com/itpro/windows/deploy/create-a-windows-10-reference-image#sec03) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library. + +11. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: **REFW10X64-001**
      + - Task sequence name: **Windows 10 Enterprise x64 Default Image**
      + - Task sequence comments: **Reference Build**
      + - Template: **Standard Client Task Sequence** + - Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim** + - Specify Product Key: **Do not specify a product key at this time** + - Full Name: **Contoso** + - Organization: **Contoso** + - Internet Explorer home page: **http://www.contoso.com** + - Admin Password: **Do not specify an Administrator password at this time** + - Summary: click **Next** + - Confirmation: click **Finish** + + +12. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step. + +13. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**. + +14. On the Properties tab of the group that was created in the previous step, change the Name from **New Group** to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. Click another location in the window to see the name change. + +15. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**. + +16. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**. + +17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. + + >Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications. + +18. Click **OK** to complete editing the task sequence. + +19. The next step is to configure the MDT deployment share rules. 
To configure rules in the Deployment Workbench, right-click **MDT build lab (C:\MDTBuildLab)** and click **Properties**, and then click the **Rules** tab. + +20. Replace the default rules with the following text: + + ``` + [Settings] + Priority=Default + + [Default] + _SMSTSORGNAME=Contoso + UserDataLocation=NONE + DoCapture=YES + OSInstall=Y + AdminPassword=pass@word1 + TimeZoneName=Pacific Standard Time + OSDComputername=#Left("PC-%SerialNumber%",7)# + JoinWorkgroup=WORKGROUP + HideShell=YES + FinishAction=SHUTDOWN + DoNotCreateExtraPartition=YES + ApplyGPOPack=NO + SkipAdminPassword=YES + SkipProductKey=YES + SkipComputerName=YES + SkipDomainMembership=YES + SkipUserData=YES + SkipLocaleSelection=YES + SkipTaskSequence=NO + SkipTimeZone=YES + SkipApplications=YES + SkipBitLocker=YES + SkipSummary=YES + SkipRoles=YES + SkipCapture=NO + SkipFinalSummary=NO + ``` + +21. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: + + ``` + [Settings] + Priority=Default + + [Default] + DeployRoot=\\SRV1\MDTBuildLab$ + UserDomain=CONTOSO + UserID=MDT_BA + UserPassword=pass@word1 + SkipBDDWelcome=YES + ``` + +22. Click **OK** to complete the configuration of the deployment share. + +23. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**. + +24. Accept all default values in the Update Deployment Share Wizard by clicking **Next** twice. The update process will take 5 to 10 minutes. When it has completed, click **Finish**. + +25. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI). 
+ + >Hint: To copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**. + +26. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands: + +
      +
      +
      +    New-VM REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB
      +    Set-VMMemory REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20
      +    Set-VMDvdDrive REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso
      +    Start-VM REFW10X64-001
      +    vmconnect localhost REFW10X64-001
      +	
      +
      + + The VM will require a few minutes to prepare devices and boot from the LiteTouchPE_x86.iso file. + +27. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**. + +28. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes, and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated. + + Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures: + + - Install the Windows 10 Enterprise operating system. + - Install added applications, roles, and features. + - Update the operating system using Windows Update (or WSUS if optionally specified). + - Stage Windows PE on the local disk. + - Run System Preparation (Sysprep) and reboot into Windows PE. + - Capture the installation to a Windows Imaging (WIM) file. + - Turn off the virtual machine.

      + + This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on your deployment server (SRV1). The file name is **REFW10X64-001.wim**. + +## Deploy a Windows 10 image using MDT + +This procedure will demonstrate how to deploy the reference image to the PoC environment using MDT. + +1. On SRV1, open the MDT Deployment Workbench console, right-click **Deployment Shares**, and then click **New Deployment Share**. Use the following values in the New Deployment Share Wizard: + - **Deployment share path**: C:\MDTProd + - **Share name**: MDTProd$ + - **Deployment share description**: MDT Production + - **Options**: accept the default + + +2. Click **Next**, verify the new deployment share was added successfully, then click **Finish**. + +3. In the Deployment Workbench console, expand the MDT Production deployment share, right-click **Operating Systems**, and then click **New Folder**. Name the new folder **Windows 10** and complete the wizard using default values. + +4. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**. + +5. On the **OS Type** page, choose **Custom image file** and then click **Next**. + +6. On the Image page, browse to the **C:\MDTBuildLab\Captures\REFW10X64-001.wim** file created in the previous procedure, click **Open**, and then click **Next**. + +7. On the Setup page, select **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path**. + +8. Under **Setup source directory**, browse to **C:\MDTBuildLab\Operating Systems\W10Ent_x64** click **OK** and then click **Next**. + +9. 
On the Destination page, accept the default Destination directory name of **REFW10X64-001**, click **Next** twice, wait for the import process to complete, and then click **Finish**. + +10. In the **Operating Systems** > **Windows 10** node, double-click the operating system that was added to view its properties. Change the operating system name to **Windows 10 Enterprise x64 Custom Image** and then click **OK**. See the following example: + + ![custom image](images/image.png) + + +### Create the deployment task sequence + +1. Using the Deployment Workbench, right-click **Task Sequences** under the **MDT Production** node, click **New Folder** and create a folder with the name: **Windows 10**. + +2. Right-click the **Windows 10** folder created in the previous step, and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: W10-X64-001 + - Task sequence name: Windows 10 Enterprise x64 Custom Image + - Task sequence comments: Production Image + - Select Template: Standard Client Task Sequence + - Select OS: Windows 10 Enterprise x64 Custom Image + - Specify Product Key: Do not specify a product key at this time + - Full Name: Contoso + - Organization: Contoso + - Internet Explorer home page: http://www.contoso.com + - Admin Password: pass@word1 + +### Configure the MDT production deployment share + +1. On SRV1, open an elevated Windows PowerShell prompt and type the following commands: + + ``` + copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\Bootstrap.ini" C:\MDTProd\Control\Bootstrap.ini -Force + copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\CustomSettings.ini" C:\MDTProd\Control\CustomSettings.ini -Force + ``` +2. In the Deployment Workbench console on SRV1, right-click the **MDT Production** deployment share and then click **Properties**. + +3. 
Click the **Rules** tab and replace the rules with the following text (don't click OK yet): + + ``` + [Settings] + Priority=Default + + [Default] + _SMSTSORGNAME=Contoso + OSInstall=YES + UserDataLocation=AUTO + TimeZoneName=Pacific Standard Time + OSDComputername=#Left("PC-%SerialNumber%",7)# + AdminPassword=pass@word1 + JoinDomain=contoso.com + DomainAdmin=administrator + DomainAdminDomain=CONTOSO + DomainAdminPassword=pass@word1 + ScanStateArgs=/ue:*\* /ui:CONTOSO\* + USMTMigFiles001=MigApp.xml + USMTMigFiles002=MigUser.xml + HideShell=YES + ApplyGPOPack=NO + SkipAppsOnUpgrade=NO + SkipAdminPassword=YES + SkipProductKey=YES + SkipComputerName=YES + SkipDomainMembership=YES + SkipUserData=YES + SkipLocaleSelection=YES + SkipTaskSequence=NO + SkipTimeZone=YES + SkipApplications=NO + SkipBitLocker=YES + SkipSummary=YES + SkipCapture=YES + SkipFinalSummary=NO + EventService=http://SRV1:9800 + ``` + **Note**: The contents of the Rules tab are added to c:\MDTProd\Control\CustomSettings.ini. + + >In this example a **MachineObjectOU** entry is not provided. Normally this entry describes the specific OU where new client computer objects are created in Active Directory. However, for the purposes of this test lab clients are added to the default computers OU, which requires that this parameter be unspecified. + + If desired, edit the follow line to include or exclude other users when migrating settings. Currently, the command is set to user exclude (ue) all users except for CONTOSO users specified by the user include option (ui): + + ``` + ScanStateArgs=/ue:*\* /ui:CONTOSO\* + ``` + + For example, to migrate **all** users on the computer, replace this line with the following: + + ``` + ScanStateArgs=/all + ``` + + For more information, see [ScanState Syntax](https://technet.microsoft.com/library/cc749015.aspx). + +4. 
Click **Edit Bootstap.ini** and replace text in the file with the following text: + + ``` + [Settings] + Priority=Default + + [Default] + DeployRoot=\\SRV1\MDTProd$ + UserDomain=CONTOSO + UserID=MDT_BA + UserPassword=pass@word1 + SkipBDDWelcome=YES + ``` +5. Click **OK** when finished. + +### Update the deployment share + +1. Right-click the **MDT Production** deployment share and then click **Update Deployment Share**. + +2. Use the default options for the Update Deployment Share Wizard. The update process requires 5 to 10 minutes to complete. + +3. Click **Finish** when the update is complete. + +### Enable deployment monitoring + +1. In the Deployment Workbench console, right-click **MDT Production** and then click **Properties**. + +2. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**. + +3. Verify the monitoring service is working as expected by opening the following link on SRV1 in Internet Explorer: [http://localhost:9800/MDTMonitorEvent/](http://localhost:9800/MDTMonitorEvent/). If you do not see "**You have created a service**" at the top of the page, see [Troubleshooting MDT 2012 Monitoring](https://blogs.technet.microsoft.com/mniehaus/2012/05/10/troubleshooting-mdt-2012-monitoring/). + +4. Close Internet Explorer. + +### Configure Windows Deployment Services + +1. Initialize Windows Deployment Services (WDS) by typing the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + WDSUTIL /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall" + WDSUTIL /Set-Server /AnswerClients:All + ``` + +2. Click **Start**, type **Windows Deployment**, and then click **Windows Deployment Services**. + +3. In the Windows Deployment Services console, expand **Servers**, expand **SRV1.contoso.com**, right-click **Boot Images**, and then click **Add Boot Image**. + +4. 
Browse to the **C:\MDTProd\Boot\LiteTouchPE_x64.wim** file, click **Open**, click **Next**, and accept the defaults in the Add Image Wizard. Click **Finish** to complete adding a boot image. + +### Deploy the client image + +1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This is just an artifact of the lab environment. In a typical deployment environment WDS would not be installed on the default gateway. + + >**Note**: Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, type **Get-NetIPAddress | ft interfacealias, ipaddress** + + Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and type the following command: + + ``` + Disable-NetAdapter "Ethernet 2" -Confirm:$false + ``` + + >Wait until the disable-netadapter command completes before proceeding. + + +2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, type the following commands at an elevated Windows PowerShell prompt: + + ``` + New-VM –Name "PC2" –NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 + Set-VMMemory -VMName "PC2" -DynamicMemoryEnabled $true -MinimumBytes 720MB -MaximumBytes 2048MB -Buffer 20 + ``` + + >Dynamic memory is configured on the VM to conserve resources. However, this can cause memory allocation to be reduced past what is required to install an operating system. If this happens, reset the VM and begin the OS installation task sequence immediately. This ensures the VM memory allocation is not decreased too much while it is idle. + +3. Start the new VM and connect to it: + + ``` + Start-VM PC2 + vmconnect localhost PC2 + ``` +4. 
When prompted, hit ENTER to start the network boot process. + +5. In the Windows Deployment Wizard, choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**. + +6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. This is needed so the client can use Windows Update after operating system installation is complete.To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and type the following command: + + ``` + Enable-NetAdapter "Ethernet 2" + ``` +7. On SRV1, in the Deployment Workbench console, click on **Monitoring** and view the status of installation. Right-click **Monitoring** and click **Refresh** if no data is displayed. +8. OS installation requires about 10 minutes. When the installation is complete, the system will reboot automatically, configure devices, and install updates, requiring another 10-20 minutes. When the new client computer is finished updating, click **Finish**. You will be automatically signed in to the local computer as administrator. + + ![finish](images/deploy-finish.png) + + +This completes the demonstration of how to deploy a reference image to the network. To conserve resources, turn off the PC2 VM before starting the next section. + +## Refresh a computer with Windows 10 + +This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md). + +1. If the PC1 VM is not already running, then start and connect to it: + + ``` + Start-VM PC1 + vmconnect localhost PC1 + ``` + +2. 
Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and to perform additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Checkpoint-VM -Name PC1 -SnapshotName BeginState + ``` + +3. Sign on to PC1 using the CONTOSO\Administrator account. + + >Specify **contoso\administrator** as the user name to ensure you do not sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share. + +4. Open an elevated command prompt on PC1 and type the following: + + ``` + cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs + ``` + + **Note**: Litetouch.vbs must be able to create the C:\MININT directory on the local computer. + +5. Choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**. + +6. Choose **Do not back up the existing computer** and click **Next**. + + **Note**: The USMT will still back up the computer. + +7. Lite Touch Installation will perform the following actions: + - Back up user settings and data using USMT. + - Install the Windows 10 Enterprise X64 operating system. + - Update the operating system via Windows Update. + - Restore user settings and data using USMT. + + You can review the progress of installation on SRV1 by clicking on the **Monitoring** node in the deployment workbench. When OS installation is complete, the computer will restart, set up devices, and configure settings. + +8. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system, or other user accounts as specified [previously](#configure-the-mdt-production-deployment-share). + +9. 
Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Checkpoint-VM -Name PC1 -SnapshotName RefreshState + ``` + +10. Restore the PC1 VM to it's previous state in preparation for the replace procedure. To restore a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Restore-VMSnapshot -VMName PC1 -Name BeginState -Confirm:$false + Start-VM PC1 + vmconnect localhost PC1 + ``` + +11. Sign in to PC1 using the contoso\administrator account. + +## Replace a computer with Windows 10 + +At a high level, the computer replace process consists of:
      +- A special replace task sequence that runs the USMT backup and an optional full Window Imaging (WIM) backup.
      +- A standard OS deployment on a new computer. At the end of the deployment, the USMT backup from the old computer is restored. + +### Create a backup-only task sequence + +1. On SRV1, in the deployment workbench console, right-click the MDT Production deployment share, click **Properties**, click the **Rules** tab, and change the line **SkipUserData=YES** to **SkipUserData=NO**. +2. Click **OK**, right-click **MDT Production**, click **Update Deployment Share** and accept the default options in the wizard to update the share. +3. Type the following commands at an elevated Windows PowerShell prompt on SRV1: + + ``` + New-Item -Path C:\MigData -ItemType directory + New-SmbShare -Name MigData$ -Path C:\MigData -ChangeAccess EVERYONE + icacls C:\MigData /grant '"contoso\administrator":(OI)(CI)(M)' + ``` +4. On SRV1 in the deployment workbench, under **MDT Production**, right-click the **Task Sequences** node, and click **New Folder**. +5. Name the new folder **Other**, and complete the wizard using default options. +6. Right-click the **Other** folder and then click **New Task Sequence**. Use the following values in the wizard: + - **Task sequence ID**: REPLACE-001 + - **Task sequence name**: Backup Only Task Sequence + - **Task sequence comments**: Run USMT to back up user data and settings + - **Template**: Standard Client Replace Task Sequence (note: this is not the default template) +7. Accept defaults for the rest of the wizard and then click **Finish**. The replace task sequence will skip OS selection and settings. +8. Open the new task sequence that was created and review it. Note the type of capture and backup tasks that are present. Click **OK** when you are finished reviewing the task sequence. + +### Run the backup-only task sequence + +1. If you are not already signed on to PC1 as **contoso\administrator**, sign in using this account. 
To verify the currently signed in account, type the following command at an elevated command prompt: + + ``` + whoami + ``` +2. To ensure a clean environment before running the backup task sequence, type the following at an elevated Windows PowerShell prompt on PC1: + + ``` + Remove-Item c:\minint -recurse + Remove-Item c:\_SMSTaskSequence -recurse + Restart-Computer + ``` +3. Sign in to PC1 using the contoso\administrator account, and then type the following at an elevated command prompt: + + ``` + cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs + ``` +4. Complete the deployment wizard using the following: + - **Task Sequence**: Backup Only Task Sequence + - **User Data**: Specify a location: **\\\\SRV1\MigData$\PC1** + - **Computer Backup**: Do not back up the existing computer. +5. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and click the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks. +6. On PC1, verify that **The user state capture was completed successfully** is displayed, and click **Finish** when the capture is complete. +7. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example: + + ``` + PS C:\> dir C:\MigData\PC1\USMT + + Directory: C:\MigData\PC1\USMT + + Mode LastWriteTime Length Name + ---- ------------- ------ ---- + -a--- 9/6/2016 11:34 AM 14248685 USMT.MIG + ``` + ### Deploy PC3 + +8. On the Hyper-V host, type the following commands at an elevated Windows PowerShell prompt: + + ``` + New-VM –Name "PC3" –NewVHDPath "c:\vhd\pc3.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 + Set-VMMemory -VMName "PC3" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20 + ``` +9. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. 
To disable the adapter, type the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + Disable-NetAdapter "Ethernet 2" -Confirm:$false + ``` + + >As mentioned previously, ensure that you disable the **external** network adapter, and wait for the command to complete before proceeding. + + +10. Start and connect to PC3 by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Start-VM PC3 + vmconnect localhost PC3 + ``` + +11. When prompted, press ENTER for network boot. + +12. On PC3, use the following settings for the Windows Deployment Wizard: + - **Task Sequence**: Windows 10 Enterprise x64 Custom Image + - **Move Data and Settings**: Do not move user data and settings + - **User Data (Restore)**: Specify a location: **\\\\SRV1\MigData$\PC1** + +13. When OS installation has started on PC1, re-enable the external network adapter on SRV1 by typing the following command on SRV1: + + ``` + Enable-NetAdapter "Ethernet 2" + ``` +14. Setup will install the Windows 10 Enterprise operating system, update via Windows Update, and restore the user settings and data from PC1. + +15. When PC3 has completed installing the OS, sign in to PC3 using the contoso\administrator account. When the PC completes updating, click **Finish**. + +16. Verify that settings have been migrated from PC1. This completes demonstration of the replace procedure. + +17. Shut down PC3 in preparation for the [next](windows-10-poc-sc-config-mgr.md) procedure. + +## Troubleshooting logs, events, and utilities + +Deployment logs are available on the client computer in the following locations: +- Before the image is applied: X:\MININT\SMSOSD\OSDLOGS +- After the system drive has been formatted: C:\MININT\SMSOSD\OSDLOGS +- After deployment: %WINDIR%\TEMP\DeploymentLogs + +You can review WDS events in Event Viewer at: **Applications and Services Logs > Microsoft > Windows > Deployment-Services-Diagnostics**. 
By default, only the **Admin** and **Operational** logs are enabled. To enable other logs, right-click the log and then click **Enable Log**. + +Tools for viewing log files, and to assist with troubleshooting are available in the [System Center 2012 R2 Configuration Manager Toolkit](https://www.microsoft.com/download/details.aspx?id=50012) + +Also see [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) for detailed troubleshooting information. + +## Related Topics + +[Microsoft Deployment Toolkit](https://technet.microsoft.com/windows/dn475741)
      +[Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) + + + + + + + diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index 929b097d58..96ff61fc93 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md 
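Review bot: In the MDT lab guide hunk that ends above, the "Configure the MDT production deployment share" rules store a domain administrator credential in clear text (`DomainAdmin=administrator`, `DomainAdminPassword=pass@word1`), and both Bootstrap.ini blocks carry `UserPassword=pass@word1` for MDT_BA. The replace procedure also creates the migration share with `New-SmbShare -Name MigData$ -Path C:\MigData -ChangeAccess EVERYONE`. Since these lines are being re-added anyway, I would add one sentence near each block saying the values are for the isolated PoC network only. Outside the lab, the join account should be a dedicated account delegated only to join computers to the target OU, and the MigData$ share should be limited to the accounts that run the backup and restore. Smaller points in the same hunk: "Tatto" in step 13 of the reference image procedure, "Edit Bootstap.ini", the unbalanced bold in `**Monitoring*`, the repeated step number "3." under Install MDT, and step 13 under Deploy PC3, which says installation has started on PC1 where the context is PC3.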
@@ -1,1081 +1,1083 @@ ---- -title: Step by step - Deploy Windows 10 using System Center Configuration Manager -description: Deploy Windows 10 in a test lab using System Center Configuration Manager -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -keywords: deployment, automate, tools, configure, sccm -ms.localizationpriority: medium -ms.date: 10/11/2017 -ms.reviewer: -manager: laurawi -ms.audience: itpro author: greg-lindsay -audience: itpro author: greg-lindsay -ms.topic: article ---- - -# Deploy Windows 10 in a test lab using System Center Configuration Manager - -**Applies to** - -- Windows 10 - -**Important**: This guide leverages the proof of concept (PoC) environment, and some settings that are configured in the following guides: -- [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) -- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) - -Please complete all steps in these guides before attempting the procedures in this guide. If you wish to skip the Windows 10 deployment procedures in the MDT guide and move directly to this guide, you must at least install MDT and the Windows ADK before performing procedures in this guide. All steps in the first guide are required before attempting the procedures in this guide. - -The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs): -- **DC1**: A contoso.com domain controller, DNS server, and DHCP server. -- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network. -- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been cloned from a physical computer on your corporate network for testing purposes. -This guide leverages the Hyper-V server role to perform procedures. 
If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work. - ->Multiple features and services are installed on SRV1 in this guide. This is not a typical installation, and is only done to set up a lab environment with a bare minimum of resources. However, if less than 4 GB of RAM is allocated to SRV1 in the Hyper-V console, some procedures will be extremely slow to complete. If resources are limited on the Hyper-V host, consider reducing RAM allocation on DC1 and PC1, and then increasing the RAM allocation on SRV1. You can adjust RAM allocation for a VM by right-clicking the VM in the Hyper-V Manager console, clicking **Settings**, clicking **Memory**, and modifying the value next to **Maximum RAM**. - -## In this guide - -This guide provides end-to-end instructions to install and configure System Center Configuration Manager, and use it to deploy a Windows 10 image. Depending on the speed of your Hyper-V host, the procedures in this guide will require 6-10 hours to complete. - -Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. - -
      - -
      - -
      TopicDescriptionTime - -
      Install prerequisitesInstall prerequisite Windows Server roles and features, download, install and configure SQL Server, configure firewall rules, and install the Windows ADK.60 minutes -
      Install System Center Configuration ManagerDownload System Center Configuration Manager, configure prerequisites, and install the package.45 minutes -
      Download MDOP and install DaRTDownload the Microsoft Desktop Optimization Pack 2015 and install DaRT 10.15 minutes -
      Prepare for Zero Touch installationPrerequisite procedures to support Zero Touch installation.60 minutes -
      Create a boot image for Configuration ManagerUse the MDT wizard to create the boot image in Configuration Manager.20 minutes -
      Create a Windows 10 reference imageThis procedure can be skipped if it was done previously, otherwise instructions are provided to create a reference image.0-60 minutes -
      Add a Windows 10 operating system imageAdd a Windows 10 operating system image and distribute it.10 minutes
      Create a task sequenceCreate a Configuration Manager task sequence with MDT integration using the MDT wizard15 minutes -
      Finalize the operating system configurationEnable monitoring, configure rules, and distribute content.30 minutes -
      Deploy Windows 10 using PXE and Configuration ManagerDeploy Windows 10 using Configuration Manager deployment packages and task sequences.60 minutes -
      Replace a client with Windows 10 using Configuration ManagerReplace a client computer with Windows 10 using Configuration Manager.90 minutes -
      Refresh a client with Windows 10 using Configuration ManagerUse a task sequence to refresh a client with Windows 10 using Configuration Manager and MDT90 minutes - -
      - -
      - -## Install prerequisites -1. Before installing System Center Configuration Manager, we must install prerequisite services and features. Type the following command at an elevated Windows PowerShell prompt on SRV1: - - ``` - Install-WindowsFeature Web-Windows-Auth,Web-ISAPI-Ext,Web-Metabase,Web-WMI,BITS,RDC,NET-Framework-Features,Web-Asp-Net,Web-Asp-Net45,NET-HTTP-Activation,NET-Non-HTTP-Activ - ``` - - >If the request to add features fails, retry the installation by typing the command again. - -2. Download [SQL Server 2014 SP2](https://www.microsoft.com/evalcenter/evaluate-sql-server-2014-sp2) from the Microsoft Evaluation Center as an .ISO file on the Hyper-V host computer. Save the file to the **C:\VHD** directory. -3. When you have downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\SQLServer2014SP2-FullSlipstream-x64-ENU.iso - ``` - - This command mounts the .ISO file to drive D on SRV1. - -4. Type the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server: - - ``` - D:\setup.exe /q /ACTION=Install /ERRORREPORTING="False" /FEATURES=SQLENGINE,RS,IS,SSMS,TOOLS,ADV_SSMS,CONN /INSTANCENAME=MSSQLSERVER /INSTANCEDIR="C:\Program Files\Microsoft SQL Server" /SQLSVCACCOUNT="NT AUTHORITY\System" /SQLSYSADMINACCOUNTS="BUILTIN\ADMINISTRATORS" /SQLSVCSTARTUPTYPE=Automatic /AGTSVCACCOUNT="NT AUTHORITY\SYSTEM" /AGTSVCSTARTUPTYPE=Automatic /RSSVCACCOUNT="NT AUTHORITY\System" /RSSVCSTARTUPTYPE=Automatic /ISSVCACCOUNT="NT AUTHORITY\System" /ISSVCSTARTUPTYPE=Disabled /ASCOLLATION="Latin1_General_CI_AS" /SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS" /TCPENABLED="1" /NPENABLED="1" /IAcceptSQLServerLicenseTerms - ``` - Installation will take several minutes. 
When installation is complete, the following output will be displayed: - - ``` - Microsoft (R) SQL Server 2014 12.00.5000.00 - Copyright (c) Microsoft Corporation. All rights reserved. - - Microsoft (R) .NET Framework CasPol 2.0.50727.7905 - Copyright (c) Microsoft Corporation. All rights reserved. - - Success - Microsoft (R) .NET Framework CasPol 2.0.50727.7905 - Copyright (c) Microsoft Corporation. All rights reserved. - - Success - One or more affected files have operations pending. - You should restart your computer to complete this process. - PS C:\> - ``` -5. Type the following commands at an elevated Windows PowerShell prompt on SRV1: - - ``` - New-NetFirewallRule -DisplayName “SQL Server” -Direction Inbound –Protocol TCP –LocalPort 1433 -Action allow - New-NetFirewallRule -DisplayName “SQL Admin Connection” -Direction Inbound –Protocol TCP –LocalPort 1434 -Action allow - New-NetFirewallRule -DisplayName “SQL Database Management” -Direction Inbound –Protocol UDP –LocalPort 1434 -Action allow - New-NetFirewallRule -DisplayName “SQL Service Broker” -Direction Inbound –Protocol TCP –LocalPort 4022 -Action allow - New-NetFirewallRule -DisplayName “SQL Debugger/RPC” -Direction Inbound –Protocol TCP –LocalPort 135 -Action allow - ``` - -7. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1703. Installation might require several minutes to acquire all components. - -## Install System Center Configuration Manager - -1. 
On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt: - - ``` - $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" - Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0 - Stop-Process -Name Explorer - ``` - -2. Download [System Center Configuration Manager and Endpoint Protection](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) on SRV1 (download the executable file anywhere on SRV1), double-click the file, enter **C:\configmgr** for **Unzip to folder**, and click **Unzip**. The C:\configmgr directory will be automatically created. Click **OK** and then close the **WinZip Self-Extractor** dialog box when finished. - -3. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**: - - ``` - Get-Service Winmgmt - - Status Name DisplayName - ------ ---- ----------- - Running Winmgmt Windows Management Instrumentation - - Test-NetConnection -ComputerName 192.168.0.2 -Port 135 -InformationLevel Detailed - - ComputerName : 192.168.0.2 - RemoteAddress : 192.168.0.2 - RemotePort : 135 - AllNameResolutionResults : - MatchingIPsecRules : - NetworkIsolationContext : Internet - InterfaceAlias : Ethernet - SourceAddress : 192.168.0.2 - NetRoute (NextHop) : 0.0.0.0 - PingSucceeded : True - PingReplyDetails (RTT) : 0 ms - TcpTestSucceeded : True - ``` - You can also verify WMI using the WMI console by typing **wmimgmt.msc**, right-clicking **WMI Control (Local)** in the console tree, and then clicking **Properties**. - - If the WMI service is not started, attempt to start it or reboot the computer. 
If WMI is running but errors are present, see [WMIDiag](https://blogs.technet.microsoft.com/askperf/2015/05/12/wmidiag-2-2-is-here/) for troubleshooting information. - -4. To extend the Active Directory schema, type the following command at an elevated Windows PowerShell prompt: - - ``` - cmd /c C:\configmgr\SMSSETUP\BIN\X64\extadsch.exe - ``` - -5. Temporarily switch to the DC1 VM, and type the following command at an elevated command prompt on DC1: - - ``` - adsiedit.msc - ``` - -6. Right-click **ADSI Edit**, click **Connect to**, select **Default (Domain or server that you logged in to)** under **Computer** and then click **OK**. -7. Expand **Default naming context**>**DC=contoso,DC=com**, and then in the console tree right-click **CN=System**, point to **New**, and then click **Object**. -8. Click **container** and then click **Next**. -9. Next to **Value**, type **System Management**, click **Next**, and then click **Finish**. -10. Right-click **CN=system Management** and then click **Properties**. -11. On the **Security** tab, click **Add**, click **Object Types**, select **Computers**, and click **OK**. -12. Under **Enter the object names to select**, type **SRV1** and click **OK**. -13. The **SRV1** computer account will be highlighted, select **Allow** next to **Full control**. -14. Click **Advanced**, click **SRV1 (CONTOSO\SRV1$)** and click **Edit**. -15. Next to **Applies to**, choose **This object and all descendant objects**, and then click **OK** three times. -16. Close the ADSI Edit console and switch back to SRV1. -17. To start Configuration Manager installation, type the following command at an elevated Windows PowerShell prompt on SRV1: - - ``` - cmd /c C:\configmgr\SMSSETUP\BIN\X64\Setup.exe - ``` -18. Provide the following in the System Center Configuration Manager Setup Wizard: - - **Before You Begin**: Read the text and click *Next*. 
- - **Getting Started**: Choose **Install a Configuration Manager primary site** and select the **Use typical installation options for a stand-alone primary site** checkbox. - - Click **Yes** in response to the popup window. - - **Product Key**: Choose **Install the evaluation edition of this Product**. - - **Microsoft Software License Terms**: Read the terms and then select the **I accept these license terms** checkbox. - - **Prerequisite Licenses**: Review license terms and select all three checkboxes on the page. - - **Prerequisite Downloads**: Choose **Download required files** and enter **c:\windows\temp** next to **Path**. - - **Site and Installation Settings**: Site code: **PS1**, Site name: **Contoso**. - - use default settings for all other options - - **Usage Data**: Read the text and click **Next**. - - **Service Connection Point Setup**: Accept the default settings (SRV1.contoso.com is automatically added under Select a server to use). - - **Settings Summary**: Review settings and click **Next**. - - **Prerequisite Check**: No failures should be listed. Ignore any warnings and click **Begin Install**. - - >There should be at most three warnings present: WSUS on site server, configuration for SQL Server memory usage, and SQL Server process memory allocation. These warnings can safely be ignored in this test environment. - - Depending on the speed of the Hyper-V host and resources allocated to SRV1, installation can require approximately one hour. Click **Close** when installation is complete. - -19. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1: - - ``` - Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1 - Stop-Process -Name Explorer - ``` - -## Download MDOP and install DaRT - ->[!IMPORTANT] ->This step requires an MSDN subscription or volume licence agreement. 
For more information, see [Ready for Windows 10: MDOP 2015 and more tools are now available](https://blogs.technet.microsoft.com/windowsitpro/2015/08/17/ready-for-windows-10-mdop-2015-and-more-tools-are-now-available/). ->If your organization qualifies and does not already have an MSDN subscription, you can obtain a [free MSDN subscription with BizSpark](https://blogs.msdn.microsoft.com/zainnab/2011/03/14/bizspark-free-msdn-subscription-for-start-up-companies/). - -1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host. - -2. Type the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1: - - ``` - Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso - ``` -3. Type the following command at an elevated Windows PowerShell prompt on SRV1: - - ``` - cmd /c "D:\DaRT\DaRT 10\Installers\en-us\x64\MSDaRT100.msi" - ``` -4. Install DaRT 10 using default settings. -5. Type the following commands at an elevated Windows PowerShell prompt on SRV1: - - ``` - Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx64.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64" - Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx86.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x86" - ``` - -## Prepare for Zero Touch installation - -This section contains several procedures to support Zero Touch installation with System Center Configuration Manager. - -### Create a folder structure - -1. 
Type the following commands at a Windows PowerShell prompt on SRV1: - - ``` - New-Item -ItemType Directory -Path "C:\Sources\OSD\Boot" - New-Item -ItemType Directory -Path "C:\Sources\OSD\OS" - New-Item -ItemType Directory -Path "C:\Sources\OSD\Settings" - New-Item -ItemType Directory -Path "C:\Sources\OSD\Branding" - New-Item -ItemType Directory -Path "C:\Sources\OSD\MDT" - New-Item -ItemType Directory -Path "C:\Logs" - New-SmbShare -Name Sources$ -Path C:\Sources -ChangeAccess EVERYONE - New-SmbShare -Name Logs$ -Path C:\Logs -ChangeAccess EVERYONE - ``` - -### Enable MDT ConfigMgr integration - -1. On SRV1, click **Start**, type **configmgr**, and then click **Configure ConfigMgr Integration**. -2. Type **PS1** next to **Site code**, and then click **Next**. -3. Verify **The process completed successfully** is displayed, and then click **Finish**. - -### Configure client settings - -1. On SRV1, click **Start**, type **configuration manager**, right-click **Configuration Manager Console**, and then click **Pin to Taskbar**. -2. Click **Desktop**, and then launch the Configuration Manager console from the taskbar. -3. If the console notifies you that an update is available, click **OK**. It is not necessary to install updates to complete this lab. -4. In the console tree, open the **Administration** workspace (in the lower left corner) and click **Client Settings**. -5. In the display pane, double-click **Default Client Settings**. -6. Click **Computer Agent**, next to **Organization name displayed in Software Center** type **Contoso**, and then click **OK**. - -### Configure the network access account - -1. In the Administration workspace, expand **Site Configuration** and click **Sites**. -2. On the **Home** ribbon at the top of the console window, click **Configure Site Components** and then click **Software Distribution**. -3. On the **Network Access Account** tab, choose **Specify the account that accesses network locations**. -4. 
Click the yellow starburst and then click **New Account**. -5. Click **Browse** and then under **Enter the object name to select**, type **CM_NAA** and click **OK**. -6. Next to **Password** and **Confirm Password**, type pass@word1, and then click **OK** twice. - -### Configure a boundary group - -1. In the Administration workspace, expand **Hierarchy Configuration**, right-click **Boundaries** and then click **Create Boundary**. -2. Next to **Description**, type **PS1**, next to **Type** choose **Active Directory Site**, and then click **Browse**. -3. Choose **Default-First-Site-Name** and then click **OK** twice. -4. In the Administration workspace, right-click **Boundary Groups** and then click **Create Boundary Group**. -5. Next to **Name**, type **PS1 Site Assignment and Content Location**, click **Add**, select the **Default-First-Site-Name** boundary and then click **OK**. -6. On the **References** tab in the **Create Boundary Group** window select the **Use this boundary group for site assignment** checkbox. -7. Click **Add**, select the **\\\SRV1.contoso.com** checkbox, and then click **OK** twice. - -### Add the state migration point role - -1. In the Administration workspace, expand **Site Configuration**, click **Sites**, and then in on the **Home** ribbon at the top of the console click **Add Site System Roles**. -2. In the Add site System Roles Wizard, click **Next** twice and then on the Specify roles for this server page, select the **State migration point** checkbox. -3. Click **Next**, click the yellow starburst, type **C:\MigData** for the **Storage folder**, and click **OK**. -4. Click **Next**, and then verify under **Boundary groups** that **PS1 Site Assignment and Content Location** is displayed. -5. Click **Next** twice and then click **Close**. - -### Enable PXE on the distribution point - ->[!IMPORTANT] ->Before enabling PXE in Configuration Manager, ensure that any previous installation of WDS does not cause conflicts. 
Configuration Manager will automatically configure the WDS service to manage PXE requests. To disable a previous installation, if it exists, type the following commands at an elevated Windows PowerShell prompt on SRV1: - -``` -WDSUTIL /Set-Server /AnswerClients:None -``` - -1. Determine the MAC address of the internal network adapter on SRV1. To determine this, type the following command at an elevated Windows PowerShell prompt on SRV1: - - ``` - (Get-NetAdapter "Ethernet").MacAddress - ``` - >If the internal network adapter, assigned an IP address of 192.168.0.2, is not named "Ethernet" then replace the name "Ethernet" in the previous command with the name of this network adapter. You can review the names of network adapters and the IP addresses assigned to them by typing **ipconfig**. - -2. In the System Center Configuration Manager console, in the **Administration** workspace, click **Distribution Points**. -3. In the display pane, right-click **SRV1.CONTOSO.COM** and then click **Properties**. -4. On the PXE tab, select the following settings: - - **Enable PXE support for clients**. Click **Yes** in the popup that appears. - - **Allow this distribution point to respond to incoming PXE requests** - - **Enable unknown computer support**. Click **OK** in the popup that appears. - - **Require a password when computers use PXE** - - **Password** and **Confirm password**: pass@word1 - - **Respond to PXE requests on specific network interfaces**: Click the yellow starburst and then enter the MAC address determined in the first step of this procedure. - - See the following example: - - Config Mgr PXE - -5. Click **OK**. -6. 
Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present: - - ``` - cmd /c dir /b C:\RemoteInstall\SMSBoot\x64 - - abortpxe.com - bootmgfw.efi - bootmgr.exe - pxeboot.com - pxeboot.n12 - wdsmgfw.efi - wdsnbp.com - ``` - >If these files are not present in the C:\RemoteInstall directory, verify that the REMINST share is configured as C:\RemoteInstall. You can view the properties of this share by typing "net share REMINST" at a command prompt. If the share path is set to a different value, then replace C:\RemoteInstall with your REMINST share path. - >You can also type the following command at an elevated Windows PowerShell prompt to open the Configuration Manager Trace Log Tool. In the tool, click **File**, click **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red: - - ``` - Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe' - ``` - - The log file will updated continuously while Configuration Manager is running. Wait for Configuration Manager to repair any issues that are present, and periodically re-check that the files are present in the REMINST share location. Close the Configuration Manager Trace Log Tool when done. You will see the following line in distmgr.log that indicates the REMINST share is being populated with necessary files: - - Running: WDSUTIL.exe /Initialize-Server /REMINST:"C:\RemoteInstall" - - Once the files are present in the REMINST share location, you can close the cmtrace tool. - -### Create a branding image file - -1. If you have a bitmap (.BMP) image for suitable use as a branding image, copy it to the C:\Sources\OSD\Branding folder on SRV1. Otherwise, use the following step to copy a simple branding image. -2. 
Type the following command at an elevated Windows PowerShell prompt: - - ``` - copy "C:\ProgramData\Microsoft\User Account Pictures\user.bmp" "C:\Sources\OSD\Branding\contoso.bmp" - ``` - >You can open C:\Sources\OSD\Branding\contoso.bmp in MSPaint.exe if desired to customize this image. - - -### Create a boot image for Configuration Manager - -1. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and then click **Create Boot Image using MDT**. -2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then click **Next**. - - The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later. -3. On the General Settings page, type **Zero Touch WinPE x64** next to **Name**, and click **Next**. -4. On the Options page, under **Platform** choose **x64**, and click **Next**. -5. On the Components page, in addition to the default selection of **Microsoft Data Access Components (MDAC/ADO) support**, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox, and click **Next**. -6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, type or browse to **\\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then click **Next** twice. It will take a few minutes to generate the boot image. -7. Click **Finish**. -8. In the console display pane, right-click the **Zero Touch WinPE x64** boot image, and then click **Distribute Content**. -9. In the Distribute Content Wizard, click **Next**, click **Add** and select **Distribution Point**, select the **SRV1.CONTOSO.COM** checkbox, click **OK**, click **Next** twice, and then click **Close**. -10. Use the CMTrace application to view the **distmgr.log** file again and verify that the boot image has been distributed. 
To open CMTrace, type the following command at an elevated Windows PowerShell prompt on SRV1: - - ``` - Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe' - ``` - - In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example: - - ``` - STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=924 TID=1424 GMTDATE=Tue Oct 09 22:36:30.986 2018 ISTR0="Zero Touch WinPE x64" ISTR1="PS10000A" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS10000A" SMS_DISTRIBUTION_MANAGER 10/9/2018 3:36:30 PM 1424 (0x0590) - ``` - -11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Double-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab. -12. Next, in the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then click the **Data Source** tab. -13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and click **OK**. -14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. 
See the following example: - - ``` - cmd /c dir /s /b C:\RemoteInstall\SMSImages - - C:\RemoteInstall\SMSImages\PS100004 - C:\RemoteInstall\SMSImages\PS100005 - C:\RemoteInstall\SMSImages\PS100006 - C:\RemoteInstall\SMSImages\PS100004\boot.PS100004.wim - C:\RemoteInstall\SMSImages\PS100005\boot.PS100005.wim - C:\RemoteInstall\SMSImages\PS100006\WinPE.PS100006.wim - ``` - - >The first two images (*.wim files) are default boot images. The third is the new boot image with DaRT. - -### Create a Windows 10 reference image - -If you have already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you have already created a Windows 10 reference image. In this case, skip to the next procedure in this guide: [Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image). If you have not yet created a Windows 10 reference image, complete the steps in this section. - -1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command: - - ``` - Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso - ``` -2. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D. - -3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**. - -4. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. - -5. 
Use the following settings for the New Deployment Share Wizard: - - Deployment share path: **C:\MDTBuildLab**
      - - Share name: **MDTBuildLab$**
      - - Deployment share description: **MDT build lab**
      - - Options: click **Next** to accept the default
      - - Summary: click **Next**
      - - Progress: settings will be applied
      - - Confirmation: click **Finish** - -6. Expand the **Deployment Shares** node, and then expand **MDT build lab**. - -7. Right-click the **Operating Systems** node, and then click **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**. - -7. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**. - -8. Use the following settings for the Import Operating System Wizard: - - OS Type: **Full set of source files**
      - - Source: **D:\\**
      - - Destination: **W10Ent_x64**
      - - Summary: click **Next** - - Confirmation: click **Finish** - -9. For purposes of this test lab, we will not add applications, such as Microsoft Office, to the deployment share. For information about adding applications, see the [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#sec03) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library. - -10. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - - Task sequence ID: **REFW10X64-001**
      - - Task sequence name: **Windows 10 Enterprise x64 Default Image**
      - - Task sequence comments: **Reference Build**
      - - Template: **Standard Client Task Sequence** - - Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim** - - Specify Product Key: **Do not specify a product key at this time** - - Full Name: **Contoso** - - Organization: **Contoso** - - Internet Explorer home page: **http://www.contoso.com** - - Admin Password: **Do not specify an Administrator password at this time** - - Summary: click **Next** - - Confirmation: click **Finish** - -11. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step. - -12. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**. A new group will be added under Tattoo. - -13. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. To see the name change, click **Tattoo**, then click the new group again. - -14. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**. - -15. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**. - -16. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. - >Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications. - -17. Click **OK** to complete editing the task sequence. - -18. The next step is to configure the MDT deployment share rules. 
To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and click **Properties**, and then click the **Rules** tab. - -19. Replace the default rules with the following text: - - ``` - [Settings] - Priority=Default - - [Default] - _SMSTSORGNAME=Contoso - UserDataLocation=NONE - DoCapture=YES - OSInstall=Y - AdminPassword=pass@word1 - TimeZoneName=Pacific Standard TimeZoneName - OSDComputername=#Left("PC-%SerialNumber%",7)# - JoinWorkgroup=WORKGROUP - HideShell=YES - FinishAction=SHUTDOWN - DoNotCreateExtraPartition=YES - ApplyGPOPack=NO - SkipAdminPassword=YES - SkipProductKey=YES - SkipComputerName=YES - SkipDomainMembership=YES - SkipUserData=YES - SkipLocaleSelection=YES - SkipTaskSequence=NO - SkipTimeZone=YES - SkipApplications=YES - SkipBitLocker=YES - SkipSummary=YES - SkipRoles=YES - SkipCapture=NO - SkipFinalSummary=NO - ``` - -20. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: - - ``` - [Settings] - Priority=Default - - [Default] - DeployRoot=\\SRV1\MDTBuildLab$ - UserDomain=CONTOSO - UserID=MDT_BA - UserPassword=pass@word1 - SkipBDDWelcome=YES - ``` - -21. Click **OK** to complete the configuration of the deployment share. - -22. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**. - -23. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, click **Finish**. - -24. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI). 
- - >Hint: Top copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**. - -25. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands: - - ``` - New-VM –Name REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB - Set-VMMemory -VMName REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20 - Set-VMDvdDrive -VMName REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso - Start-VM REFW10X64-001 - vmconnect localhost REFW10X64-001 - ``` -26. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**. - -27. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated. - - Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures: - - - Install the Windows 10 Enterprise operating system. - - Install added applications, roles, and features. - - Update the operating system using Windows Update (or WSUS if optionally specified). - - Stage Windows PE on the local disk. - - Run System Preparation (Sysprep) and reboot into Windows PE. - - Capture the installation to a Windows Imaging (WIM) file. - - Turn off the virtual machine. - - This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host and your network's download speed. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on SRV1. The file name is **REFW10X64-001.wim**. 
- -### Add a Windows 10 operating system image - -1. Type the following commands at an elevated Windows PowerShell prompt on SRV1: - - ``` - New-Item -ItemType Directory -Path "C:\Sources\OSD\OS\Windows 10 Enterprise x64" - cmd /c copy /z "C:\MDTBuildLab\Captures\REFW10X64-001.wim" "C:\Sources\OSD\OS\Windows 10 Enterprise x64" - ``` - -2. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Operating System Images**, and then click **Add Operating System Image**. - -3. On the Data Source page, under **Path:**, type or browse to **\\\SRV1\Sources$\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim**, and click **Next**. - -4. On the General page, next to **Name:**, type **Windows 10 Enterprise x64**, click **Next** twice, and then click **Close**. - -5. Distribute the operating system image to the SRV1 distribution point by right-clicking the **Windows 10 Enterprise x64** operating system image and then clicking **Distribute Content**. - -6. In the Distribute Content Wizard, click **Next**, click **Add**, click **Distribution Point**, add the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**. - -7. Enter **\Monitoring\Overview\Distribution Status\Content Status** on the location bar (be sure there is no space at the end of the location or you will get an error), click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. Processing of the image on the site server can take several minutes. - - >If content distribution is not successful, verify that sufficient disk space is available. - -### Create a task sequence - ->Complete this section slowly. There are a large number of similar settings from which to choose. - -1. 
In the Configuration Manager console, in the **Software Library** workspace expand **Operating Systems**, right-click **Task Sequences**, and then click **Create MDT Task Sequence**. - -2. On the Choose Template page, select the **Client Task Sequence** template and click **Next**. - -3. On the General page, type **Windows 10 Enterprise x64** under **Task sequence name:** and then click **Next**. - -4. On the Details page, enter the following settings: - - Join a domain: **contoso.com** - - Account: click **Set** - - User name: **contoso\CM_JD** - - Password: pass@word1 - - Confirm password: pass@word1 - - Click **OK** - - Windows Settings - - User name: **Contoso** - - Organization name: **Contoso** - - Product key: \ - - Administrator Account: **Enable the account and specify the local administrator password** - - Password: pass@word1 - - Confirm password: pass@word1 - - Click **Next** - -5. On the Capture Settings page, accept the default settings and click **Next**. - -6. On the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package, click **OK**, and then click **Next**. - -7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\MDT\MDT** (MDT is repeated here, not a typo), and then click **Next**. - -8. On the MDT Details page, next to **Name:** type **MDT** and then click **Next**. - -9. On the OS Image page, browse and select the **Windows 10 Enterprise x64** package, click **OK**, and then click **Next**. - -10. On the Deployment Method page, accept the default settings for **Zero Touch Installation** and click **Next**. - -11. On the Client Package page, browse and select the **Microsoft Corporation Configuration Manager Client package**, click **OK**, and then click **Next**. - -12. 
On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows 10.0.14393.0** package, click **OK**, and then click **Next**. - -13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings**, and then click **Next**. - -14. On the Settings Details page, next to **Name:**, type **Windows 10 x64 Settings**, and click **Next**. - -15. On the Sysprep Package page, click **Next** twice. - -16. On the Confirmation page, click **Finish**. - -### Edit the task sequence - -1. In the Configuration Manager console, in the **Software Library** workspace, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Edit**. - -2. Scroll down to the **Install** group and click the **Set Variable for Drive Letter** action. - -3. Change the Value under **OSDPreserveDriveLetter** from **False** to **True**, and then click **Apply**. - -4. In the **State Restore** group, click the **Set Status 5** action, click **Add** in the upper left corner, point to **User State**, and click **Request State Store**. This adds a new action immediately after **Set Status 5**. - -5. Configure the **Request State Store** action that was just added with the following settings:
      - - Request state storage location to: **Restore state from another computer**
      - - Select the **If computer account fails to connect to state store, use the Network Access account** checkbox.
      - - Options tab: Select the **Continue on error** checkbox.
      - - Add Condition: **Task Sequence Variable**:
      - - Variable: **USMTLOCAL**
      - - Condition: **not equals**
      - - Value: **True**
      - - Click **OK**.
      - - Click **Apply**
      . - -6. In the **State Restore** group, click **Restore User State**, click **Add**, point to **User State**, and click **Release State Store**. - -7. Configure the **Release State Store** action that was just added with the following settings:
      - - Options tab: Select the **Continue on error** checkbox.
      - - Add Condition: **Task Sequence Variable**:
      - - Variable: **USMTLOCAL**
      - - Condition: **not equals**
      - - Value: **True**
      - - Click **OK**.
      - - Click **OK**
      . - - -### Finalize the operating system configuration - ->If you completed all procedures in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then the MDT deployment share is already present on SRV1. In this case, skip the first four steps below and begin with step 5 to edit CustomSettings.ini. - -1. In the MDT deployment workbench on SRV1, right-click **Deployment Shares** and then click **New Deployment Share**. - -2. Use the following settings for the New Deployment Share Wizard: - - Deployment share path: **C:\MDTProduction**
      - - Share name: **MDTProduction$**
      - - Deployment share description: **MDT Production**
      - - Options: click **Next** to accept the default
      - - Summary: click **Next**
      - - Progress: settings will be applied
      - - Confirmation: click **Finish** - -3. Right-click the **MDT Production** deployment share, and click **Properties**. - -4. Click the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**. - -5. Type the following command at an elevated Windows PowerShell prompt on SRV1: - - ``` - notepad "C:\Sources\OSD\Settings\Windows 10 x64 Settings\CustomSettings.ini" - ``` -6. Replace the contents of the file with the following text, and then save the file: - - ``` - [Settings] - Priority=Default - Properties=OSDMigrateConfigFiles,OSDMigrateMode - - [Default] - DoCapture=NO - ComputerBackupLocation=NONE - OSDMigrateMode=Advanced - OSDMigrateAdditionalCaptureOptions=/ue:*\* /ui:CONTOSO\* - OSDMigrateConfigFiles=Miguser.xml,Migapp.xml - SLSHARE=\\SRV1\Logs$ - EventService=http://SRV1:9800 - ApplyGPOPack=NO - ``` - - >As noted previously, if you wish to migrate accounts other than those in the Contoso domain, then change the OSDMigrateAdditionalCaptureOptions option. For example, the following option will capture settings from all user accounts: - - ``` - OSDMigrateAdditionalCaptureOptions=/all - ``` - - -7. Return to the Configuration Manager console, and in the Software Library workspace, expand **Application Management**, click **Packages**, right-click **Windows 10 x64 Settings**, and then click **Update Distribution Points**. Click **OK** in the popup that appears. - -8. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Distribute Content**. - -9. In the Distribute Content Wizard, click **Next** twice, click **Add**, click **Distribution Point**, select the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**. - -10. 
Enter **\Monitoring\Overview\Distribution Status\Content Status\Windows 10 Enterprise x64** on the location bar, double-click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. - -### Create a deployment for the task sequence - -1. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Deploy**. - -2. On the General page, next to **Collection**, click **Browse**, select the **All Unknown Computers** collection, click **OK**, and then click **Next**. - -3. On the Deployment Settings page, use the following settings:
      - - Purpose: **Available**
      - - Make available to the following: **Only media and PXE**
      - - Click **Next**.
      -4. Click **Next** five times to accept defaults on the Scheduling, User Experience, Alerts, and Distribution Points pages. - -5. Click **Close**. - -## Deploy Windows 10 using PXE and Configuration Manager - -In this first deployment scenario, we will deploy Windows 10 using PXE. This scenario creates a new computer that does not have any migrated users or settings. - -1. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - New-VM –Name "PC4" –NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 40GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 - Set-VMMemory -VMName "PC4" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20 - Start-VM PC4 - vmconnect localhost PC4 - ``` - -2. Press ENTER when prompted to start the network boot service. - -3. In the Task Sequence Wizard, provide the password: pass@word1, and then click **Next**. - -4. Before you click **Next** in the Task Sequence Wizard, press the **F8** key. A command prompt will open. - -5. At the command prompt, type **explorer.exe** and review the Windows PE file structure. - -6. The smsts.log file is critical for troubleshooting any installation problems that might be encountered. Depending on the deployment phase, the smsts.log file is created in different locations: - - X:\windows\temp\SMSTSLog\smsts.log before disks are formatted. - - x:\smstslog\smsts.log after disks are formatted. - - c:\_SMSTaskSequence\Logs\Smstslog\smsts.log before the System Center Configuration Manager client is installed. - - c:\windows\ccm\logs\Smstslog\smsts.log after the System Center Configuration Manager client is installed. - - c:\windows\ccm\logs\smsts.log when the task sequence is complete. - - Note: If a reboot is pending on the client, the reboot will be blocked as long as the command window is open. - -7. In the explorer window, click **Tools** and then click **Map Network Drive**. - -8. Do not map a network drive at this time. 
If you need to save the smsts.log file, you can use this method to save the file to a location on SRV1. - -9. Close the Map Network Drive window, the Explorer window, and the command prompt. - -10. The **Windows 10 Enterprise x64** task sequence is selected in the Task Sequenc Wizard. Click **Next** to continue with the deployment. - -11. The task sequence will require several minutes to complete. You can monitor progress of the task sequence using the MDT Deployment Workbench under Deployment Shares > MDTProduction > Monitoring. The task sequence will: - - Install Windows 10 - - Install the Configuration Manager client and hotfix - - Join the computer to the contoso.com domain - - Install any applications that were specified in the reference image - - -12. When Windows 10 installation has completed, sign in to PC4 using the **contoso\administrator** account. - -13. Right-click **Start**, click **Run**, type **control appwiz.cpl**, press ENTER, click **Turn Windows features on or off**, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This is a feature included in the reference image. - -14. Shut down the PC4 VM. - ->Note: The following two procedures 1) Replace a client with Windows 10 and 2) Refresh a client with Windows 10 have been exchanged in their order in this guide compared to the previous version. This is to avoid having to restore Hyper-V checkpoints to have access to PC1 before the OS is upgraded. If this is your first time going through this guide, you won't notice any change, but if you have tried the guide previously then this change should make it simpler to complete. - -## Replace a client with Windows 10 using Configuration Manager - ->Before starting this section, you can delete computer objects from Active Directory that were created as part of previous deployment procedures. 
Use the Active Directory Users and Computers console on DC1 to remove stale entries under contoso.com\Computers, but do not delete the computer account (hostname) for PC1. There should be at least two computer accounts present in the contoso.com\Computers container: one for SRV1, and one for the hostname of PC1. It is not required to delete the stale entries, this is only done to remove clutter. - -![contoso.com\Computers](images/poc-computers.png) - -In the replace procedure, PC1 will not be migrated to a new operating system. It is simplest to perform this procedure before performing the refresh procedure. After refreshing PC1, the operating system will be new. The next (replace) procedure does not install a new operating system on PC1 but rather performs a side-by-side migration of PC1 and another computer (PC4), to copy users and settings from PC1 to the new computer. - -### Create a replace task sequence - -1. On SRV1, in the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and then click **Create MDT Task Sequence**. - -2. On the Choose Template page, select **Client Replace Task Sequence** and click **Next**. - -3. On the General page, type the following: - - Task sequence name: **Replace Task Sequence** - - Task sequence comments: **USMT backup only** - -4. Click **Next**, and on the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package. Click **OK** and then click **Next** to continue. -5. On the MDT Package page, browse and select the **MDT** package. Click **OK** and then click **Next** to continue. -6. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package. Click **OK** and then click **Next** to continue. -7. On the Settings Package page, browse and select the **Windows 10 x64 Settings** package. Click **OK** and then click **Next** to continue. -8. 
On the Summary page, review the details and then click **Next**. -9. On the Confirmation page, click **Finish**. - ->If an error is displayed at this stage it can be caused by a corrupt MDT integration. To repair it, close the Configuration Manager console, remove MDT integration, and then restore MDT integration. - -### Deploy PC4 - -Create a VM named PC4 to receive the applications and settings from PC1. This VM represents a new computer that will replace PC1. To create this VM, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: - -``` -New-VM –Name "PC4" –NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 -Set-VMMemory -VMName "PC4" -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 2048MB -Buffer 20 -Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF -``` - ->Hyper-V enables us to define a static MAC address on PC4. In a real-world scenario you must determine the MAC address of the new computer. - -### Install the Configuration Manager client on PC1 - -1. Verify that the PC1 VM is running and in its original state, which was saved as a checkpoint and then restored in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md). - -2. If a PC1 checkpoint has not already been saved, then save a checkpoint by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - Checkpoint-VM -Name PC1 -SnapshotName BeginState - ``` - -3. On SRV1, in the Configuration Manager console, in the Administration workspace, expand **Hierarchy Configuration** and click on **Discovery Methods**. -4. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox. -5. Click the yellow starburst, click **Browse**, select **contoso\Computers**, and then click **OK** three times. -6. 
When a popup dialog box asks if you want to run full discovery, click **Yes**. -7. In the Assets and Compliance workspace, click **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example): - - ![assets](images/sccm-assets.png) - - >If you do not see the computer account for PC1, try clicking the **Refresh** button in the upper right corner of the console. - - The **Client** column indicates that the Configuration Manager client is not currently installed. This procedure will be carried out next. - -8. Sign in to PC1 using the contoso\administrator account and type the following at an elevated command prompt to remove any pre-existing client configuration, if it exists. Note: this command requires an elevated command prompt not an elevated Windows PowerShell prompt: - - ``` - sc stop ccmsetup - "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /Uninstall - ``` - >If PC1 still has Configuration Manager registry settings that were applied by Group Policy, startup scripts, or other policies in its previous domain, these might not all be removed by CCMSetup /Uninstall and can cause problems with installation or registration of the client in its new environment. It might be necessary to manually remove these settings if they are present. For more information, see [Manual removal of the SCCM client](https://blogs.technet.microsoft.com/michaelgriswold/2013/01/02/manual-removal-of-the-sccm-client/). - -9. 
On PC1, temporarily stop Windows Update from queuing items for download and clear all BITS jobs from the queue: - - ``` - net stop wuauserv - net stop BITS - ``` - - Verify that both services were stopped successfully, then type the following at an elevated command prompt: - - ``` - del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat" - net start BITS - bitsadmin /list /allusers - ``` - - Verify that BITSAdmin displays 0 jobs. - -10. To install the Configuration Manager client as a standalone process, type the following at an elevated command prompt: - - ``` - "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /mp:SRV1.contoso.com /logon SMSSITECODE=PS1 - ``` -11. On PC1, using file explorer, open the **C:\Windows\ccmsetup** directory. During client installation, files will be downloaded here. -12. Installation progress will be captured in the file: **c:\windows\ccmsetup\logs\ccmsetup.log**. You can periodically open this file in notepad, or you can type the following command at an elevated Windows PowerShell prompt to monitor installation progress: - - ``` - Get-Content -Path c:\windows\ccmsetup\logs\ccmsetup.log -Wait - ``` - - Installation might require several minutes, and display of the log file will appear to hang while some applications are installed. This is normal. When setup is complete, verify that **CcmSetup is existing with return code 0** is displayed on the last line of the ccmsetup.log file and then press **CTRL-C** to break out of the Get-Content operation (if you are viewing the log in Windows PowerShell the last line will be wrapped). A return code of 0 indicates that installation was successful and you should now see a directory created at **C:\Windows\CCM** that contains files used in registration of the client with its site. - -13. On PC1, open the Configuration Manager control panel applet by typing the following command: - - ``` - control smscfgrc - ``` - -14. 
Click the **Site** tab, click **Configure Settings**, and click **Find Site**. The client will report that it has found the PS1 site. See the following example: - - ![site](images/sccm-site.png) - - If the client is not able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the site code is not located is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode** this must be deleted or updated. - -15. On SRV1, in the Assets and Compliance workspace, click **Device Collections** and then double-click **All Desktop and Server Clients**. This node will be added under **Devices**. - -16. Click **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example: - - ![client](images/sccm-client.png) - - >It might take several minutes for the client to fully register with the site and complete a client check. When it is complete you will see a green check mark over the client icon as shown above. To refresh the client, click it and then press **F5** or right-click the client and click **Refresh**. - -### Create a device collection and deployment - -1. On SRV1, in the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections** and then click **Create Device Collection**. - -2. Use the following settings in the **Create Device Collection Wizard**: - - General > Name: **Install Windows 10 Enterprise x64**
      - - General > Limiting collection: **All Systems**
      - - Membership Rules > Add Rule: **Direct Rule**
      - - The **Create Direct Membership Rule Wizard** opens, click **Next**
      - - Search for Resources > Resource class: **System Resource**
      - - Search for Resources > Attribute name: **Name**
      - - Search for Resources > Value: **%**
      - - Select Resources > Value: Select the computername associated with the PC1 VM
      - - Click **Next** twice and then click **Close** in both windows (Next, Next, Close, then Next, Next, Close) - -3. Double-click the Install Windows 10 Enterprise x64 device collection and verify that the PC1 computer account is displayed. - -4. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64** and then click **Deploy**. - -5. Use the following settings in the Deploy Software wizard: - - General > Collection: Click Browse and select **Install Windows 10 Enterprise x64**
      - - Deployment Settings > Purpose: **Available**
      - - Deployment Settings > Make available to the following: **Configuration Manager clients, media and PXE**
      - - Scheduling > Click **Next**
      - - User Experience > Click **Next**
      - - Alerts > Click **Next**
      - - Distribution Points > Click **Next**
      - - Summary > Click **Next**
      - - Verify that the wizard completed successfully and then click **Close** - - -### Associate PC4 with PC1 - -1. On SRV1 in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices** and then click **Import Computer Information**. - -2. On the Select Source page, choose **Import single computer** and click **Next**. - -3. On the Single Computer page, use the following settings: - - Computer Name: **PC4** - - MAC Address: **00:15:5D:83:26:FF** - - Source Computer: \ - -4. Click **Next**, and on the User Accounts page choose **Capture and restore specified user accounts**, then click the yellow starburst next to **User accounts to migrate**. - -5. Click **Browse** and then under Enter the object name to select type **user1** and click OK twice. - -6. Click the yellow starburst again and repeat the previous step to add the **contoso\administrator** account. - -7. Click **Next** twice, and on the Choose Target Collection page, choose **Add computers to the following collection**, click **Browse**, choose **Install Windows 10 Enterprise x64**, click **OK**, click **Next** twice, and then click **Close**. - -8. In the Assets and Compliance workspace, click **User State Migration** and review the computer association in the display pane. The source computer will be the computername of PC1 (GREGLIN-PC1 in this example), the destination computer will be **PC4**, and the migration type will be **side-by-side**. - -9. Right-click the association in the display pane and then click **Specify User Accounts**. You can add or remove user account here. Click **OK**. - -10. Right-click the association in the display pane and then click **View Recovery Information**. Note that a recovery key has been assigned, but a user state store location has not. Click **Close**. - -11. Click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. Verify that **PC4** is displayed in the collection. 
You might have to update and refresh the collection, or wait a few minutes, but do not proceed until PC4 is available. See the following example: - - ![collection](images/sccm-collection.png) - -### Create a device collection for PC1 - -1. On SRV1, in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Device Collections** and then click **Create Device Collection**. - -2. Use the following settings in the **Create Device Collection Wizard**: - - General > Name: **USMT Backup (Replace)**
      - - General > Limiting collection: **All Systems**
      - - Membership Rules > Add Rule: **Direct Rule**
      - - The **Create Direct Membership Rule Wizard** opens, click **Next**
      - - Search for Resources > Resource class: **System Resource**
      - - Search for Resources > Attribute name: **Name**
      - - Search for Resources > Value: **%**
      - - Select Resources > Value: Select the computername associated with the PC1 VM (GREGLIN-PC1 in this example).
      - - Click **Next** twice and then click **Close** in both windows. - -3. Click **Device Collections** and then double-click **USMT Backup (Replace)**. Verify that the computer name/hostname associated with PC1 is displayed in the collection. Do not proceed until this name is displayed. - -### Create a new deployment - -In the Configuration Manager console, in the Software Library workspace under Operating Systems, click **Task Sequences**, right-click **Replace Task Sequence**, click **Deploy**, and use the following settings: -- General > Collection: **USMT Backup (Replace)**
      -- Deployment Settings > Purpose: **Available**
      -- Deployment Settings > Make available to the following: **Only Configuration Manager Clients**
      -- Scheduling: Click **Next**
      -- User Experience: Click **Next**
      -- Alerts: Click **Next**
      -- Distribution Points: Click **Next**
      -- Click **Next** and then click **Close**. - -### Verify the backup - -1. On PC1, open the Configuration Manager control panel applet by typing the following command: - - ``` - control smscfgrc - ``` -2. On the **Actions** tab, click **Machine Policy Retrieval & Evaluation Cycle**, click **Run Now**, click **OK**, and then click **OK** again. This is one method that can be used to run a task sequence in addition to the Client Notification method that will be demonstrated in the computer refresh procedure. - -3. Type the following at an elevated command prompt to open the Software Center: - - ``` - C:\Windows\CCM\SCClient.exe - ``` - -4. In the Software Center , click **Available Software** and then select the **Replace Task Sequence** checkbox. See the following example: - - ![software](images/sccm-software-cntr.png) - - >If you do not see any available software, try running step #2 again to start the Machine Policy Retrieval & Evaluation Cycle. You should see an alert that new software is available. - -5. Click **INSTALL SELECTED** and then click **INSTALL OPERATING SYSTEM**. -6. Allow the **Replace Task Sequence** to complete, then verify that the C:\MigData folder on SRV1 contains the USMT backup. - -### Deploy the new computer - -1. Start PC4 and press ENTER for a network boot when prompted. To start PC4, type the following commands at an elevated Windows Powershell prompt on the Hyper-V host: - - ``` - Start-VM PC4 - vmconnect localhost PC4 - ``` -2. In the **Welcome to the Task Sequence Wizard**, enter pass@word1 and click **Next**. -3. Choose the **Windows 10 Enterprise X64** image. -4. Setup will install the operating system using the Windows 10 Enterprise x64 reference image, install the configuration manager client, join PC4 to the domain, and restore users and settings from PC1. -5. Save checkpoints for all VMs if you wish to review their status at a later date. This is not required (checkpoints do take up space on the Hyper-V host). 
Note: the next procedure will install a new OS on PC1 update its status in Configuration Manager and in Active Directory as a Windows 10 device, so you cannot return to a previous checkpoint only on the PC1 VM without a conflict. Therefore, if you do create a checkpoint, you should do this for all VMs. - - To save a checkpoint for all VMs, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - Checkpoint-VM -Name DC1 -SnapshotName cm-refresh - Checkpoint-VM -Name SRV1 -SnapshotName cm-refresh - Checkpoint-VM -Name PC1 -SnapshotName cm-refresh - ``` - -## Refresh a client with Windows 10 using Configuration Manager - - -### Initiate the computer refresh - -1. On SRV1, in the Assets and Compliance workspace, click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. -2. Right-click the computer account for PC1, point to **Client Notification**, click **Download Computer Policy**, and click **OK** in the popup dialog box. -3. On PC1, in the notification area, click **New software is available** and then click **Open Software Center**. -4. In the Software Center, click **Operating Systems**, click **Windows 10 Enterprise x64**, click **Install** and then click **INSTALL OPERATING SYSTEM**. See the following example: - - ![installOS](images/sccm-install-os.png) - - The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then click **More Details**. Click the **Status** tab to see a list of tasks that have been performed. 
See the following example: - - ![asset](images/sccm-asset.png) - - You can also monitor progress of the installation by using the MDT deployment workbench and viewing the **Monitoring** node under **Deployment Shares\MDT Production**. - - When installation has completed, sign in using the contoso\administrator account or the contoso\user1 account and verify that applications and settings have been successfully backed up and restored to your new Windows 10 Enterprise operating system. - - ![post-refresh](images/sccm-post-refresh.png) - - - -## Related Topics - -[System Center 2012 Configuration Manager Survival Guide](https://social.technet.microsoft.com/wiki/contents/articles/7075.system-center-2012-configuration-manager-survival-guide.aspx#Step-by-Step_Guides) - - - - - - - +--- +title: Step by step - Deploy Windows 10 using Microsoft Endpoint Configuration Manager +description: Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +keywords: deployment, automate, tools, configure, sccm +ms.localizationpriority: medium +ms.date: 10/11/2017 +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager + +**Applies to** + +- Windows 10 + +**Important**: This guide leverages the proof of concept (PoC) environment, and some settings that are configured in the following guides: +- [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) +- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) + +Please complete all steps in these guides before attempting the procedures in this guide. 
If you wish to skip the Windows 10 deployment procedures in the MDT guide and move directly to this guide, you must at least install MDT and the Windows ADK before performing procedures in this guide. All steps in the first guide are required before attempting the procedures in this guide. + +The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs): +- **DC1**: A contoso.com domain controller, DNS server, and DHCP server. +- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network. +- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been cloned from a physical computer on your corporate network for testing purposes. +This guide leverages the Hyper-V server role to perform procedures. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work. + +>Multiple features and services are installed on SRV1 in this guide. This is not a typical installation, and is only done to set up a lab environment with a bare minimum of resources. However, if less than 4 GB of RAM is allocated to SRV1 in the Hyper-V console, some procedures will be extremely slow to complete. If resources are limited on the Hyper-V host, consider reducing RAM allocation on DC1 and PC1, and then increasing the RAM allocation on SRV1. You can adjust RAM allocation for a VM by right-clicking the VM in the Hyper-V Manager console, clicking **Settings**, clicking **Memory**, and modifying the value next to **Maximum RAM**. + +## In this guide + +This guide provides end-to-end instructions to install and configure Microsoft Endpoint Configuration Manager, and use it to deploy a Windows 10 image. 
Depending on the speed of your Hyper-V host, the procedures in this guide will require 6-10 hours to complete. + +Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. + +
      + +
      + +
      TopicDescriptionTime + +
      Install prerequisitesInstall prerequisite Windows Server roles and features, download, install and configure SQL Server, configure firewall rules, and install the Windows ADK.60 minutes +
      Install Microsoft Endpoint Configuration ManagerDownload Microsoft Endpoint Configuration Manager, configure prerequisites, and install the package.45 minutes +
      Download MDOP and install DaRTDownload the Microsoft Desktop Optimization Pack 2015 and install DaRT 10.15 minutes +
      Prepare for Zero Touch installationPrerequisite procedures to support Zero Touch installation.60 minutes +
      Create a boot image for Configuration ManagerUse the MDT wizard to create the boot image in Configuration Manager.20 minutes +
      Create a Windows 10 reference imageThis procedure can be skipped if it was done previously, otherwise instructions are provided to create a reference image.0-60 minutes +
      Add a Windows 10 operating system imageAdd a Windows 10 operating system image and distribute it.10 minutes
      Create a task sequenceCreate a Configuration Manager task sequence with MDT integration using the MDT wizard15 minutes +
      Finalize the operating system configurationEnable monitoring, configure rules, and distribute content.30 minutes +
      Deploy Windows 10 using PXE and Configuration ManagerDeploy Windows 10 using Configuration Manager deployment packages and task sequences.60 minutes +
      Replace a client with Windows 10 using Configuration ManagerReplace a client computer with Windows 10 using Configuration Manager.90 minutes +
      Refresh a client with Windows 10 using Configuration ManagerUse a task sequence to refresh a client with Windows 10 using Configuration Manager and MDT90 minutes + +
      + +
      + +## Install prerequisites +1. Before installing Microsoft Endpoint Configuration Manager, we must install prerequisite services and features. Type the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + Install-WindowsFeature Web-Windows-Auth,Web-ISAPI-Ext,Web-Metabase,Web-WMI,BITS,RDC,NET-Framework-Features,Web-Asp-Net,Web-Asp-Net45,NET-HTTP-Activation,NET-Non-HTTP-Activ + ``` + + >If the request to add features fails, retry the installation by typing the command again. + +2. Download [SQL Server 2014 SP2](https://www.microsoft.com/evalcenter/evaluate-sql-server-2014-sp2) from the Microsoft Evaluation Center as an .ISO file on the Hyper-V host computer. Save the file to the **C:\VHD** directory. +3. When you have downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\SQLServer2014SP2-FullSlipstream-x64-ENU.iso + ``` + + This command mounts the .ISO file to drive D on SRV1. + +4. Type the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server: + + ``` + D:\setup.exe /q /ACTION=Install /ERRORREPORTING="False" /FEATURES=SQLENGINE,RS,IS,SSMS,TOOLS,ADV_SSMS,CONN /INSTANCENAME=MSSQLSERVER /INSTANCEDIR="C:\Program Files\Microsoft SQL Server" /SQLSVCACCOUNT="NT AUTHORITY\System" /SQLSYSADMINACCOUNTS="BUILTIN\ADMINISTRATORS" /SQLSVCSTARTUPTYPE=Automatic /AGTSVCACCOUNT="NT AUTHORITY\SYSTEM" /AGTSVCSTARTUPTYPE=Automatic /RSSVCACCOUNT="NT AUTHORITY\System" /RSSVCSTARTUPTYPE=Automatic /ISSVCACCOUNT="NT AUTHORITY\System" /ISSVCSTARTUPTYPE=Disabled /ASCOLLATION="Latin1_General_CI_AS" /SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS" /TCPENABLED="1" /NPENABLED="1" /IAcceptSQLServerLicenseTerms + ``` + Installation will take several minutes. 
When installation is complete, the following output will be displayed: + + ``` + Microsoft (R) SQL Server 2014 12.00.5000.00 + Copyright (c) Microsoft Corporation. All rights reserved. + + Microsoft (R) .NET Framework CasPol 2.0.50727.7905 + Copyright (c) Microsoft Corporation. All rights reserved. + + Success + Microsoft (R) .NET Framework CasPol 2.0.50727.7905 + Copyright (c) Microsoft Corporation. All rights reserved. + + Success + One or more affected files have operations pending. + You should restart your computer to complete this process. + PS C:\> + ``` +5. Type the following commands at an elevated Windows PowerShell prompt on SRV1: + + ``` + New-NetFirewallRule -DisplayName “SQL Server” -Direction Inbound –Protocol TCP –LocalPort 1433 -Action allow + New-NetFirewallRule -DisplayName “SQL Admin Connection” -Direction Inbound –Protocol TCP –LocalPort 1434 -Action allow + New-NetFirewallRule -DisplayName “SQL Database Management” -Direction Inbound –Protocol UDP –LocalPort 1434 -Action allow + New-NetFirewallRule -DisplayName “SQL Service Broker” -Direction Inbound –Protocol TCP –LocalPort 4022 -Action allow + New-NetFirewallRule -DisplayName “SQL Debugger/RPC” -Direction Inbound –Protocol TCP –LocalPort 135 -Action allow + ``` + +7. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1703. Installation might require several minutes to acquire all components. + +## Install Microsoft Endpoint Configuration Manager + +1. 
On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt: + + ``` + $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" + Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0 + Stop-Process -Name Explorer + ``` + +2. Download [Microsoft Endpoint Configuration Manager and Endpoint Protection](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) on SRV1 (download the executable file anywhere on SRV1), double-click the file, enter **C:\configmgr** for **Unzip to folder**, and click **Unzip**. The C:\configmgr directory will be automatically created. Click **OK** and then close the **WinZip Self-Extractor** dialog box when finished. + +3. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**: + + ``` + Get-Service Winmgmt + + Status Name DisplayName + ------ ---- ----------- + Running Winmgmt Windows Management Instrumentation + + Test-NetConnection -ComputerName 192.168.0.2 -Port 135 -InformationLevel Detailed + + ComputerName : 192.168.0.2 + RemoteAddress : 192.168.0.2 + RemotePort : 135 + AllNameResolutionResults : + MatchingIPsecRules : + NetworkIsolationContext : Internet + InterfaceAlias : Ethernet + SourceAddress : 192.168.0.2 + NetRoute (NextHop) : 0.0.0.0 + PingSucceeded : True + PingReplyDetails (RTT) : 0 ms + TcpTestSucceeded : True + ``` + You can also verify WMI using the WMI console by typing **wmimgmt.msc**, right-clicking **WMI Control (Local)** in the console tree, and then clicking **Properties**. + + If the WMI service is not started, attempt to start it or reboot the computer. 
If WMI is running but errors are present, see [WMIDiag](https://blogs.technet.microsoft.com/askperf/2015/05/12/wmidiag-2-2-is-here/) for troubleshooting information. + +4. To extend the Active Directory schema, type the following command at an elevated Windows PowerShell prompt: + + ``` + cmd /c C:\configmgr\SMSSETUP\BIN\X64\extadsch.exe + ``` + +5. Temporarily switch to the DC1 VM, and type the following command at an elevated command prompt on DC1: + + ``` + adsiedit.msc + ``` + +6. Right-click **ADSI Edit**, click **Connect to**, select **Default (Domain or server that you logged in to)** under **Computer** and then click **OK**. +7. Expand **Default naming context**>**DC=contoso,DC=com**, and then in the console tree right-click **CN=System**, point to **New**, and then click **Object**. +8. Click **container** and then click **Next**. +9. Next to **Value**, type **System Management**, click **Next**, and then click **Finish**. +10. Right-click **CN=system Management** and then click **Properties**. +11. On the **Security** tab, click **Add**, click **Object Types**, select **Computers**, and click **OK**. +12. Under **Enter the object names to select**, type **SRV1** and click **OK**. +13. The **SRV1** computer account will be highlighted, select **Allow** next to **Full control**. +14. Click **Advanced**, click **SRV1 (CONTOSO\SRV1$)** and click **Edit**. +15. Next to **Applies to**, choose **This object and all descendant objects**, and then click **OK** three times. +16. Close the ADSI Edit console and switch back to SRV1. +17. To start Configuration Manager installation, type the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + cmd /c C:\configmgr\SMSSETUP\BIN\X64\Setup.exe + ``` +18. Provide the following in the Microsoft Endpoint Configuration Manager Setup Wizard: + - **Before You Begin**: Read the text and click *Next*. 
+ - **Getting Started**: Choose **Install a Configuration Manager primary site** and select the **Use typical installation options for a stand-alone primary site** checkbox. + - Click **Yes** in response to the popup window. + - **Product Key**: Choose **Install the evaluation edition of this Product**. + - **Microsoft Software License Terms**: Read the terms and then select the **I accept these license terms** checkbox. + - **Prerequisite Licenses**: Review license terms and select all three checkboxes on the page. + - **Prerequisite Downloads**: Choose **Download required files** and enter **c:\windows\temp** next to **Path**. + - **Site and Installation Settings**: Site code: **PS1**, Site name: **Contoso**. + - use default settings for all other options + - **Usage Data**: Read the text and click **Next**. + - **Service Connection Point Setup**: Accept the default settings (SRV1.contoso.com is automatically added under Select a server to use). + - **Settings Summary**: Review settings and click **Next**. + - **Prerequisite Check**: No failures should be listed. Ignore any warnings and click **Begin Install**. + + >There should be at most three warnings present: WSUS on site server, configuration for SQL Server memory usage, and SQL Server process memory allocation. These warnings can safely be ignored in this test environment. + + Depending on the speed of the Hyper-V host and resources allocated to SRV1, installation can require approximately one hour. Click **Close** when installation is complete. + +19. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1: + + ``` + Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1 + Stop-Process -Name Explorer + ``` + +## Download MDOP and install DaRT + +>[!IMPORTANT] +>This step requires an MSDN subscription or volume licence agreement. 
For more information, see [Ready for Windows 10: MDOP 2015 and more tools are now available](https://blogs.technet.microsoft.com/windowsitpro/2015/08/17/ready-for-windows-10-mdop-2015-and-more-tools-are-now-available/). +>If your organization qualifies and does not already have an MSDN subscription, you can obtain a [free MSDN subscription with BizSpark](https://blogs.msdn.microsoft.com/zainnab/2011/03/14/bizspark-free-msdn-subscription-for-start-up-companies/). + +1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host. + +2. Type the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1: + + ``` + Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso + ``` +3. Type the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + cmd /c "D:\DaRT\DaRT 10\Installers\en-us\x64\MSDaRT100.msi" + ``` +4. Install DaRT 10 using default settings. +5. Type the following commands at an elevated Windows PowerShell prompt on SRV1: + + ``` + Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx64.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64" + Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx86.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x86" + ``` + +## Prepare for Zero Touch installation + +This section contains several procedures to support Zero Touch installation with Microsoft Endpoint Configuration Manager. + +### Create a folder structure + +1. 
Type the following commands at a Windows PowerShell prompt on SRV1: + + ``` + New-Item -ItemType Directory -Path "C:\Sources\OSD\Boot" + New-Item -ItemType Directory -Path "C:\Sources\OSD\OS" + New-Item -ItemType Directory -Path "C:\Sources\OSD\Settings" + New-Item -ItemType Directory -Path "C:\Sources\OSD\Branding" + New-Item -ItemType Directory -Path "C:\Sources\OSD\MDT" + New-Item -ItemType Directory -Path "C:\Logs" + New-SmbShare -Name Sources$ -Path C:\Sources -ChangeAccess EVERYONE + New-SmbShare -Name Logs$ -Path C:\Logs -ChangeAccess EVERYONE + ``` + +### Enable MDT ConfigMgr integration + +1. On SRV1, click **Start**, type **configmgr**, and then click **Configure ConfigMgr Integration**. +2. Type **PS1** next to **Site code**, and then click **Next**. +3. Verify **The process completed successfully** is displayed, and then click **Finish**. + +### Configure client settings + +1. On SRV1, click **Start**, type **configuration manager**, right-click **Configuration Manager Console**, and then click **Pin to Taskbar**. +2. Click **Desktop**, and then launch the Configuration Manager console from the taskbar. +3. If the console notifies you that an update is available, click **OK**. It is not necessary to install updates to complete this lab. +4. In the console tree, open the **Administration** workspace (in the lower left corner) and click **Client Settings**. +5. In the display pane, double-click **Default Client Settings**. +6. Click **Computer Agent**, next to **Organization name displayed in Software Center** type **Contoso**, and then click **OK**. + +### Configure the network access account + +1. In the Administration workspace, expand **Site Configuration** and click **Sites**. +2. On the **Home** ribbon at the top of the console window, click **Configure Site Components** and then click **Software Distribution**. +3. On the **Network Access Account** tab, choose **Specify the account that accesses network locations**. +4. 
Click the yellow starburst and then click **New Account**. +5. Click **Browse** and then under **Enter the object name to select**, type **CM_NAA** and click **OK**. +6. Next to **Password** and **Confirm Password**, type pass@word1, and then click **OK** twice. + +### Configure a boundary group + +1. In the Administration workspace, expand **Hierarchy Configuration**, right-click **Boundaries** and then click **Create Boundary**. +2. Next to **Description**, type **PS1**, next to **Type** choose **Active Directory Site**, and then click **Browse**. +3. Choose **Default-First-Site-Name** and then click **OK** twice. +4. In the Administration workspace, right-click **Boundary Groups** and then click **Create Boundary Group**. +5. Next to **Name**, type **PS1 Site Assignment and Content Location**, click **Add**, select the **Default-First-Site-Name** boundary and then click **OK**. +6. On the **References** tab in the **Create Boundary Group** window select the **Use this boundary group for site assignment** checkbox. +7. Click **Add**, select the **\\\SRV1.contoso.com** checkbox, and then click **OK** twice. + +### Add the state migration point role + +1. In the Administration workspace, expand **Site Configuration**, click **Sites**, and then in on the **Home** ribbon at the top of the console click **Add Site System Roles**. +2. In the Add site System Roles Wizard, click **Next** twice and then on the Specify roles for this server page, select the **State migration point** checkbox. +3. Click **Next**, click the yellow starburst, type **C:\MigData** for the **Storage folder**, and click **OK**. +4. Click **Next**, and then verify under **Boundary groups** that **PS1 Site Assignment and Content Location** is displayed. +5. Click **Next** twice and then click **Close**. + +### Enable PXE on the distribution point + +>[!IMPORTANT] +>Before enabling PXE in Configuration Manager, ensure that any previous installation of WDS does not cause conflicts. 
Configuration Manager will automatically configure the WDS service to manage PXE requests. To disable a previous installation, if it exists, type the following commands at an elevated Windows PowerShell prompt on SRV1: + +``` +WDSUTIL /Set-Server /AnswerClients:None +``` + +1. Determine the MAC address of the internal network adapter on SRV1. To determine this, type the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + (Get-NetAdapter "Ethernet").MacAddress + ``` + >If the internal network adapter, assigned an IP address of 192.168.0.2, is not named "Ethernet" then replace the name "Ethernet" in the previous command with the name of this network adapter. You can review the names of network adapters and the IP addresses assigned to them by typing **ipconfig**. + +2. In the Microsoft Endpoint Configuration Manager console, in the **Administration** workspace, click **Distribution Points**. +3. In the display pane, right-click **SRV1.CONTOSO.COM** and then click **Properties**. +4. On the PXE tab, select the following settings: + - **Enable PXE support for clients**. Click **Yes** in the popup that appears. + - **Allow this distribution point to respond to incoming PXE requests** + - **Enable unknown computer support**. Click **OK** in the popup that appears. + - **Require a password when computers use PXE** + - **Password** and **Confirm password**: pass@word1 + - **Respond to PXE requests on specific network interfaces**: Click the yellow starburst and then enter the MAC address determined in the first step of this procedure. + + See the following example: + + Config Mgr PXE + +5. Click **OK**. +6. 
Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present: + + ``` + cmd /c dir /b C:\RemoteInstall\SMSBoot\x64 + + abortpxe.com + bootmgfw.efi + bootmgr.exe + pxeboot.com + pxeboot.n12 + wdsmgfw.efi + wdsnbp.com + ``` + >If these files are not present in the C:\RemoteInstall directory, verify that the REMINST share is configured as C:\RemoteInstall. You can view the properties of this share by typing "net share REMINST" at a command prompt. If the share path is set to a different value, then replace C:\RemoteInstall with your REMINST share path. + >You can also type the following command at an elevated Windows PowerShell prompt to open the Configuration Manager Trace Log Tool. In the tool, click **File**, click **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red: + + ``` + Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe' + ``` + + The log file will updated continuously while Configuration Manager is running. Wait for Configuration Manager to repair any issues that are present, and periodically re-check that the files are present in the REMINST share location. Close the Configuration Manager Trace Log Tool when done. You will see the following line in distmgr.log that indicates the REMINST share is being populated with necessary files: + + Running: WDSUTIL.exe /Initialize-Server /REMINST:"C:\RemoteInstall" + + Once the files are present in the REMINST share location, you can close the cmtrace tool. + +### Create a branding image file + +1. If you have a bitmap (.BMP) image for suitable use as a branding image, copy it to the C:\Sources\OSD\Branding folder on SRV1. Otherwise, use the following step to copy a simple branding image. +2. 
Type the following command at an elevated Windows PowerShell prompt: + + ``` + copy "C:\ProgramData\Microsoft\User Account Pictures\user.bmp" "C:\Sources\OSD\Branding\contoso.bmp" + ``` + >You can open C:\Sources\OSD\Branding\contoso.bmp in MSPaint.exe if desired to customize this image. + + +### Create a boot image for Configuration Manager + +1. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and then click **Create Boot Image using MDT**. +2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then click **Next**. + - The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later. +3. On the General Settings page, type **Zero Touch WinPE x64** next to **Name**, and click **Next**. +4. On the Options page, under **Platform** choose **x64**, and click **Next**. +5. On the Components page, in addition to the default selection of **Microsoft Data Access Components (MDAC/ADO) support**, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox, and click **Next**. +6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, type or browse to **\\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then click **Next** twice. It will take a few minutes to generate the boot image. +7. Click **Finish**. +8. In the console display pane, right-click the **Zero Touch WinPE x64** boot image, and then click **Distribute Content**. +9. In the Distribute Content Wizard, click **Next**, click **Add** and select **Distribution Point**, select the **SRV1.CONTOSO.COM** checkbox, click **OK**, click **Next** twice, and then click **Close**. +10. Use the CMTrace application to view the **distmgr.log** file again and verify that the boot image has been distributed. 
To open CMTrace, type the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe' + ``` + + In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example: + + ``` + STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=924 TID=1424 GMTDATE=Tue Oct 09 22:36:30.986 2018 ISTR0="Zero Touch WinPE x64" ISTR1="PS10000A" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS10000A" SMS_DISTRIBUTION_MANAGER 10/9/2018 3:36:30 PM 1424 (0x0590) + ``` + +11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Double-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab. +12. Next, in the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then click the **Data Source** tab. +13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and click **OK**. +14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. 
See the following example: + + ``` + cmd /c dir /s /b C:\RemoteInstall\SMSImages + + C:\RemoteInstall\SMSImages\PS100004 + C:\RemoteInstall\SMSImages\PS100005 + C:\RemoteInstall\SMSImages\PS100006 + C:\RemoteInstall\SMSImages\PS100004\boot.PS100004.wim + C:\RemoteInstall\SMSImages\PS100005\boot.PS100005.wim + C:\RemoteInstall\SMSImages\PS100006\WinPE.PS100006.wim + ``` + + >The first two images (*.wim files) are default boot images. The third is the new boot image with DaRT. + +### Create a Windows 10 reference image + +If you have already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you have already created a Windows 10 reference image. In this case, skip to the next procedure in this guide: [Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image). If you have not yet created a Windows 10 reference image, complete the steps in this section. + +1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command: + + ``` + Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso + ``` +2. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D. + +3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**. + +4. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. + +5. 
Use the following settings for the New Deployment Share Wizard: + - Deployment share path: **C:\MDTBuildLab**
      + - Share name: **MDTBuildLab$**
      + - Deployment share description: **MDT build lab**
      + - Options: click **Next** to accept the default
      + - Summary: click **Next**
      + - Progress: settings will be applied
      + - Confirmation: click **Finish** + +6. Expand the **Deployment Shares** node, and then expand **MDT build lab**. + +7. Right-click the **Operating Systems** node, and then click **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**. + +7. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**. + +8. Use the following settings for the Import Operating System Wizard: + - OS Type: **Full set of source files**
      + - Source: **D:\\**
      + - Destination: **W10Ent_x64**
      + - Summary: click **Next** + - Confirmation: click **Finish** + +9. For purposes of this test lab, we will not add applications, such as Microsoft Office, to the deployment share. For information about adding applications, see the [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#sec03) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library. + +10. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: **REFW10X64-001**
      + - Task sequence name: **Windows 10 Enterprise x64 Default Image**
      + - Task sequence comments: **Reference Build**
      + - Template: **Standard Client Task Sequence** + - Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim** + - Specify Product Key: **Do not specify a product key at this time** + - Full Name: **Contoso** + - Organization: **Contoso** + - Internet Explorer home page: **http://www.contoso.com** + - Admin Password: **Do not specify an Administrator password at this time** + - Summary: click **Next** + - Confirmation: click **Finish** + +11. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step. + +12. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**. A new group will be added under Tattoo. + +13. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. To see the name change, click **Tattoo**, then click the new group again. + +14. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**. + +15. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**. + +16. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. + >Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications. + +17. Click **OK** to complete editing the task sequence. + +18. The next step is to configure the MDT deployment share rules. 
To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and click **Properties**, and then click the **Rules** tab. + +19. Replace the default rules with the following text: + + ``` + [Settings] + Priority=Default + + [Default] + _SMSTSORGNAME=Contoso + UserDataLocation=NONE + DoCapture=YES + OSInstall=Y + AdminPassword=pass@word1 + TimeZoneName=Pacific Standard TimeZoneName + OSDComputername=#Left("PC-%SerialNumber%",7)# + JoinWorkgroup=WORKGROUP + HideShell=YES + FinishAction=SHUTDOWN + DoNotCreateExtraPartition=YES + ApplyGPOPack=NO + SkipAdminPassword=YES + SkipProductKey=YES + SkipComputerName=YES + SkipDomainMembership=YES + SkipUserData=YES + SkipLocaleSelection=YES + SkipTaskSequence=NO + SkipTimeZone=YES + SkipApplications=YES + SkipBitLocker=YES + SkipSummary=YES + SkipRoles=YES + SkipCapture=NO + SkipFinalSummary=NO + ``` + +20. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: + + ``` + [Settings] + Priority=Default + + [Default] + DeployRoot=\\SRV1\MDTBuildLab$ + UserDomain=CONTOSO + UserID=MDT_BA + UserPassword=pass@word1 + SkipBDDWelcome=YES + ``` + +21. Click **OK** to complete the configuration of the deployment share. + +22. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**. + +23. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, click **Finish**. + +24. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI). 
+ + >Hint: Top copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**. + +25. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands: + + ``` + New-VM –Name REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB + Set-VMMemory -VMName REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20 + Set-VMDvdDrive -VMName REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso + Start-VM REFW10X64-001 + vmconnect localhost REFW10X64-001 + ``` +26. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**. + +27. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated. + + Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures: + + - Install the Windows 10 Enterprise operating system. + - Install added applications, roles, and features. + - Update the operating system using Windows Update (or WSUS if optionally specified). + - Stage Windows PE on the local disk. + - Run System Preparation (Sysprep) and reboot into Windows PE. + - Capture the installation to a Windows Imaging (WIM) file. + - Turn off the virtual machine. + + This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host and your network's download speed. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on SRV1. The file name is **REFW10X64-001.wim**. 
+ +### Add a Windows 10 operating system image + +1. Type the following commands at an elevated Windows PowerShell prompt on SRV1: + + ``` + New-Item -ItemType Directory -Path "C:\Sources\OSD\OS\Windows 10 Enterprise x64" + cmd /c copy /z "C:\MDTBuildLab\Captures\REFW10X64-001.wim" "C:\Sources\OSD\OS\Windows 10 Enterprise x64" + ``` + +2. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Operating System Images**, and then click **Add Operating System Image**. + +3. On the Data Source page, under **Path:**, type or browse to **\\\SRV1\Sources$\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim**, and click **Next**. + +4. On the General page, next to **Name:**, type **Windows 10 Enterprise x64**, click **Next** twice, and then click **Close**. + +5. Distribute the operating system image to the SRV1 distribution point by right-clicking the **Windows 10 Enterprise x64** operating system image and then clicking **Distribute Content**. + +6. In the Distribute Content Wizard, click **Next**, click **Add**, click **Distribution Point**, add the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**. + +7. Enter **\Monitoring\Overview\Distribution Status\Content Status** on the location bar (be sure there is no space at the end of the location or you will get an error), click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. Processing of the image on the site server can take several minutes. + + >If content distribution is not successful, verify that sufficient disk space is available. + +### Create a task sequence + +>Complete this section slowly. There are a large number of similar settings from which to choose. + +1. 
In the Configuration Manager console, in the **Software Library** workspace expand **Operating Systems**, right-click **Task Sequences**, and then click **Create MDT Task Sequence**. + +2. On the Choose Template page, select the **Client Task Sequence** template and click **Next**. + +3. On the General page, type **Windows 10 Enterprise x64** under **Task sequence name:** and then click **Next**. + +4. On the Details page, enter the following settings: + - Join a domain: **contoso.com** + - Account: click **Set** + - User name: **contoso\CM_JD** + - Password: pass@word1 + - Confirm password: pass@word1 + - Click **OK** + - Windows Settings + - User name: **Contoso** + - Organization name: **Contoso** + - Product key: \ + - Administrator Account: **Enable the account and specify the local administrator password** + - Password: pass@word1 + - Confirm password: pass@word1 + - Click **Next** + +5. On the Capture Settings page, accept the default settings and click **Next**. + +6. On the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package, click **OK**, and then click **Next**. + +7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\MDT\MDT** (MDT is repeated here, not a typo), and then click **Next**. + +8. On the MDT Details page, next to **Name:** type **MDT** and then click **Next**. + +9. On the OS Image page, browse and select the **Windows 10 Enterprise x64** package, click **OK**, and then click **Next**. + +10. On the Deployment Method page, accept the default settings for **Zero Touch Installation** and click **Next**. + +11. On the Client Package page, browse and select the **Microsoft Corporation Configuration Manager Client package**, click **OK**, and then click **Next**. + +12. 
On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows 10.0.14393.0** package, click **OK**, and then click **Next**. + +13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings**, and then click **Next**. + +14. On the Settings Details page, next to **Name:**, type **Windows 10 x64 Settings**, and click **Next**. + +15. On the Sysprep Package page, click **Next** twice. + +16. On the Confirmation page, click **Finish**. + +### Edit the task sequence + +1. In the Configuration Manager console, in the **Software Library** workspace, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Edit**. + +2. Scroll down to the **Install** group and click the **Set Variable for Drive Letter** action. + +3. Change the Value under **OSDPreserveDriveLetter** from **False** to **True**, and then click **Apply**. + +4. In the **State Restore** group, click the **Set Status 5** action, click **Add** in the upper left corner, point to **User State**, and click **Request State Store**. This adds a new action immediately after **Set Status 5**. + +5. Configure the **Request State Store** action that was just added with the following settings:
      + - Request state storage location to: **Restore state from another computer**
      + - Select the **If computer account fails to connect to state store, use the Network Access account** checkbox.
      + - Options tab: Select the **Continue on error** checkbox.
      + - Add Condition: **Task Sequence Variable**:
      + - Variable: **USMTLOCAL**
      + - Condition: **not equals**
      + - Value: **True**
      + - Click **OK**.
      + - Click **Apply**
      . + +6. In the **State Restore** group, click **Restore User State**, click **Add**, point to **User State**, and click **Release State Store**. + +7. Configure the **Release State Store** action that was just added with the following settings:
      + - Options tab: Select the **Continue on error** checkbox.
      + - Add Condition: **Task Sequence Variable**:
      + - Variable: **USMTLOCAL**
      + - Condition: **not equals**
      + - Value: **True**
      + - Click **OK**.
      + - Click **OK**
      . + + +### Finalize the operating system configuration + +>If you completed all procedures in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then the MDT deployment share is already present on SRV1. In this case, skip the first four steps below and begin with step 5 to edit CustomSettings.ini. + +1. In the MDT deployment workbench on SRV1, right-click **Deployment Shares** and then click **New Deployment Share**. + +2. Use the following settings for the New Deployment Share Wizard: + - Deployment share path: **C:\MDTProduction**
      + - Share name: **MDTProduction$**
      + - Deployment share description: **MDT Production**
      + - Options: click **Next** to accept the default
      + - Summary: click **Next**
      + - Progress: settings will be applied
      + - Confirmation: click **Finish** + +3. Right-click the **MDT Production** deployment share, and click **Properties**. + +4. Click the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**. + +5. Type the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + notepad "C:\Sources\OSD\Settings\Windows 10 x64 Settings\CustomSettings.ini" + ``` +6. Replace the contents of the file with the following text, and then save the file: + + ``` + [Settings] + Priority=Default + Properties=OSDMigrateConfigFiles,OSDMigrateMode + + [Default] + DoCapture=NO + ComputerBackupLocation=NONE + OSDMigrateMode=Advanced + OSDMigrateAdditionalCaptureOptions=/ue:*\* /ui:CONTOSO\* + OSDMigrateConfigFiles=Miguser.xml,Migapp.xml + SLSHARE=\\SRV1\Logs$ + EventService=http://SRV1:9800 + ApplyGPOPack=NO + ``` + + >As noted previously, if you wish to migrate accounts other than those in the Contoso domain, then change the OSDMigrateAdditionalCaptureOptions option. For example, the following option will capture settings from all user accounts: + + ``` + OSDMigrateAdditionalCaptureOptions=/all + ``` + + +7. Return to the Configuration Manager console, and in the Software Library workspace, expand **Application Management**, click **Packages**, right-click **Windows 10 x64 Settings**, and then click **Update Distribution Points**. Click **OK** in the popup that appears. + +8. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Distribute Content**. + +9. In the Distribute Content Wizard, click **Next** twice, click **Add**, click **Distribution Point**, select the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**. + +10. 
Enter **\Monitoring\Overview\Distribution Status\Content Status\Windows 10 Enterprise x64** on the location bar, double-click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. + +### Create a deployment for the task sequence + +1. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Deploy**. + +2. On the General page, next to **Collection**, click **Browse**, select the **All Unknown Computers** collection, click **OK**, and then click **Next**. + +3. On the Deployment Settings page, use the following settings:
      + - Purpose: **Available**
      + - Make available to the following: **Only media and PXE**
      + - Click **Next**.
      +4. Click **Next** five times to accept defaults on the Scheduling, User Experience, Alerts, and Distribution Points pages. + +5. Click **Close**. + +## Deploy Windows 10 using PXE and Configuration Manager + +In this first deployment scenario, we will deploy Windows 10 using PXE. This scenario creates a new computer that does not have any migrated users or settings. + +1. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + New-VM –Name "PC4" –NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 40GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 + Set-VMMemory -VMName "PC4" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20 + Start-VM PC4 + vmconnect localhost PC4 + ``` + +2. Press ENTER when prompted to start the network boot service. + +3. In the Task Sequence Wizard, provide the password: pass@word1, and then click **Next**. + +4. Before you click **Next** in the Task Sequence Wizard, press the **F8** key. A command prompt will open. + +5. At the command prompt, type **explorer.exe** and review the Windows PE file structure. + +6. The smsts.log file is critical for troubleshooting any installation problems that might be encountered. Depending on the deployment phase, the smsts.log file is created in different locations: + - X:\windows\temp\SMSTSLog\smsts.log before disks are formatted. + - x:\smstslog\smsts.log after disks are formatted. + - c:\_SMSTaskSequence\Logs\Smstslog\smsts.log before the Microsoft Endpoint Configuration Manager client is installed. + - c:\windows\ccm\logs\Smstslog\smsts.log after the Microsoft Endpoint Configuration Manager client is installed. + - c:\windows\ccm\logs\smsts.log when the task sequence is complete. + + Note: If a reboot is pending on the client, the reboot will be blocked as long as the command window is open. + +7. In the explorer window, click **Tools** and then click **Map Network Drive**. + +8. 
Do not map a network drive at this time. If you need to save the smsts.log file, you can use this method to save the file to a location on SRV1. + +9. Close the Map Network Drive window, the Explorer window, and the command prompt. + +10. The **Windows 10 Enterprise x64** task sequence is selected in the Task Sequenc Wizard. Click **Next** to continue with the deployment. + +11. The task sequence will require several minutes to complete. You can monitor progress of the task sequence using the MDT Deployment Workbench under Deployment Shares > MDTProduction > Monitoring. The task sequence will: + - Install Windows 10 + - Install the Configuration Manager client and hotfix + - Join the computer to the contoso.com domain + - Install any applications that were specified in the reference image + + +12. When Windows 10 installation has completed, sign in to PC4 using the **contoso\administrator** account. + +13. Right-click **Start**, click **Run**, type **control appwiz.cpl**, press ENTER, click **Turn Windows features on or off**, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This is a feature included in the reference image. + +14. Shut down the PC4 VM. + +>Note: The following two procedures 1) Replace a client with Windows 10 and 2) Refresh a client with Windows 10 have been exchanged in their order in this guide compared to the previous version. This is to avoid having to restore Hyper-V checkpoints to have access to PC1 before the OS is upgraded. If this is your first time going through this guide, you won't notice any change, but if you have tried the guide previously then this change should make it simpler to complete. + +## Replace a client with Windows 10 using Configuration Manager + +>Before starting this section, you can delete computer objects from Active Directory that were created as part of previous deployment procedures. 
Use the Active Directory Users and Computers console on DC1 to remove stale entries under contoso.com\Computers, but do not delete the computer account (hostname) for PC1. There should be at least two computer accounts present in the contoso.com\Computers container: one for SRV1, and one for the hostname of PC1. It is not required to delete the stale entries, this is only done to remove clutter. + +![contoso.com\Computers](images/poc-computers.png) + +In the replace procedure, PC1 will not be migrated to a new operating system. It is simplest to perform this procedure before performing the refresh procedure. After refreshing PC1, the operating system will be new. The next (replace) procedure does not install a new operating system on PC1 but rather performs a side-by-side migration of PC1 and another computer (PC4), to copy users and settings from PC1 to the new computer. + +### Create a replace task sequence + +1. On SRV1, in the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and then click **Create MDT Task Sequence**. + +2. On the Choose Template page, select **Client Replace Task Sequence** and click **Next**. + +3. On the General page, type the following: + - Task sequence name: **Replace Task Sequence** + - Task sequence comments: **USMT backup only** + +4. Click **Next**, and on the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package. Click **OK** and then click **Next** to continue. +5. On the MDT Package page, browse and select the **MDT** package. Click **OK** and then click **Next** to continue. +6. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package. Click **OK** and then click **Next** to continue. +7. On the Settings Package page, browse and select the **Windows 10 x64 Settings** package. Click **OK** and then click **Next** to continue. +8. 
On the Summary page, review the details and then click **Next**. +9. On the Confirmation page, click **Finish**. + +>If an error is displayed at this stage it can be caused by a corrupt MDT integration. To repair it, close the Configuration Manager console, remove MDT integration, and then restore MDT integration. + +### Deploy PC4 + +Create a VM named PC4 to receive the applications and settings from PC1. This VM represents a new computer that will replace PC1. To create this VM, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + +``` +New-VM –Name "PC4" –NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 +Set-VMMemory -VMName "PC4" -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 2048MB -Buffer 20 +Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF +``` + +>Hyper-V enables us to define a static MAC address on PC4. In a real-world scenario you must determine the MAC address of the new computer. + +### Install the Configuration Manager client on PC1 + +1. Verify that the PC1 VM is running and in its original state, which was saved as a checkpoint and then restored in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md). + +2. If a PC1 checkpoint has not already been saved, then save a checkpoint by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Checkpoint-VM -Name PC1 -SnapshotName BeginState + ``` + +3. On SRV1, in the Configuration Manager console, in the Administration workspace, expand **Hierarchy Configuration** and click on **Discovery Methods**. +4. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox. +5. Click the yellow starburst, click **Browse**, select **contoso\Computers**, and then click **OK** three times. +6. 
When a popup dialog box asks if you want to run full discovery, click **Yes**. +7. In the Assets and Compliance workspace, click **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example): + + ![assets](images/sccm-assets.png) + + >If you do not see the computer account for PC1, try clicking the **Refresh** button in the upper right corner of the console. + + The **Client** column indicates that the Configuration Manager client is not currently installed. This procedure will be carried out next. + +8. Sign in to PC1 using the contoso\administrator account and type the following at an elevated command prompt to remove any pre-existing client configuration, if it exists. Note: this command requires an elevated command prompt not an elevated Windows PowerShell prompt: + + ``` + sc stop ccmsetup + "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /Uninstall + ``` + >If PC1 still has Configuration Manager registry settings that were applied by Group Policy, startup scripts, or other policies in its previous domain, these might not all be removed by CCMSetup /Uninstall and can cause problems with installation or registration of the client in its new environment. It might be necessary to manually remove these settings if they are present. For more information, see [Manual removal of the SCCM client](https://blogs.technet.microsoft.com/michaelgriswold/2013/01/02/manual-removal-of-the-sccm-client/). + +9. 
On PC1, temporarily stop Windows Update from queuing items for download and clear all BITS jobs from the queue: + + ``` + net stop wuauserv + net stop BITS + ``` + + Verify that both services were stopped successfully, then type the following at an elevated command prompt: + + ``` + del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat" + net start BITS + bitsadmin /list /allusers + ``` + + Verify that BITSAdmin displays 0 jobs. + +10. To install the Configuration Manager client as a standalone process, type the following at an elevated command prompt: + + ``` + "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /mp:SRV1.contoso.com /logon SMSSITECODE=PS1 + ``` +11. On PC1, using file explorer, open the **C:\Windows\ccmsetup** directory. During client installation, files will be downloaded here. +12. Installation progress will be captured in the file: **c:\windows\ccmsetup\logs\ccmsetup.log**. You can periodically open this file in notepad, or you can type the following command at an elevated Windows PowerShell prompt to monitor installation progress: + + ``` + Get-Content -Path c:\windows\ccmsetup\logs\ccmsetup.log -Wait + ``` + + Installation might require several minutes, and display of the log file will appear to hang while some applications are installed. This is normal. When setup is complete, verify that **CcmSetup is existing with return code 0** is displayed on the last line of the ccmsetup.log file and then press **CTRL-C** to break out of the Get-Content operation (if you are viewing the log in Windows PowerShell the last line will be wrapped). A return code of 0 indicates that installation was successful and you should now see a directory created at **C:\Windows\CCM** that contains files used in registration of the client with its site. + +13. On PC1, open the Configuration Manager control panel applet by typing the following command: + + ``` + control smscfgrc + ``` + +14. 
Click the **Site** tab, click **Configure Settings**, and click **Find Site**. The client will report that it has found the PS1 site. See the following example: + + ![site](images/sccm-site.png) + + If the client is not able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the site code is not located is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode** this must be deleted or updated. + +15. On SRV1, in the Assets and Compliance workspace, click **Device Collections** and then double-click **All Desktop and Server Clients**. This node will be added under **Devices**. + +16. Click **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example: + + ![client](images/sccm-client.png) + + >It might take several minutes for the client to fully register with the site and complete a client check. When it is complete you will see a green check mark over the client icon as shown above. To refresh the client, click it and then press **F5** or right-click the client and click **Refresh**. + +### Create a device collection and deployment + +1. On SRV1, in the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections** and then click **Create Device Collection**. + +2. Use the following settings in the **Create Device Collection Wizard**: + - General > Name: **Install Windows 10 Enterprise x64**
      + - General > Limiting collection: **All Systems**
      + - Membership Rules > Add Rule: **Direct Rule**
      + - The **Create Direct Membership Rule Wizard** opens, click **Next**
      + - Search for Resources > Resource class: **System Resource**
      + - Search for Resources > Attribute name: **Name**
      + - Search for Resources > Value: **%**
      + - Select Resources > Value: Select the computername associated with the PC1 VM
      + - Click **Next** twice and then click **Close** in both windows (Next, Next, Close, then Next, Next, Close) + +3. Double-click the Install Windows 10 Enterprise x64 device collection and verify that the PC1 computer account is displayed. + +4. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64** and then click **Deploy**. + +5. Use the following settings in the Deploy Software wizard: + - General > Collection: Click Browse and select **Install Windows 10 Enterprise x64**
      + - Deployment Settings > Purpose: **Available**
      + - Deployment Settings > Make available to the following: **Configuration Manager clients, media and PXE**
      + - Scheduling > Click **Next**
      + - User Experience > Click **Next**
      + - Alerts > Click **Next**
      + - Distribution Points > Click **Next**
      + - Summary > Click **Next**
      + - Verify that the wizard completed successfully and then click **Close** + + +### Associate PC4 with PC1 + +1. On SRV1 in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices** and then click **Import Computer Information**. + +2. On the Select Source page, choose **Import single computer** and click **Next**. + +3. On the Single Computer page, use the following settings: + - Computer Name: **PC4** + - MAC Address: **00:15:5D:83:26:FF** + - Source Computer: \ + +4. Click **Next**, and on the User Accounts page choose **Capture and restore specified user accounts**, then click the yellow starburst next to **User accounts to migrate**. + +5. Click **Browse** and then under Enter the object name to select type **user1** and click OK twice. + +6. Click the yellow starburst again and repeat the previous step to add the **contoso\administrator** account. + +7. Click **Next** twice, and on the Choose Target Collection page, choose **Add computers to the following collection**, click **Browse**, choose **Install Windows 10 Enterprise x64**, click **OK**, click **Next** twice, and then click **Close**. + +8. In the Assets and Compliance workspace, click **User State Migration** and review the computer association in the display pane. The source computer will be the computername of PC1 (GREGLIN-PC1 in this example), the destination computer will be **PC4**, and the migration type will be **side-by-side**. + +9. Right-click the association in the display pane and then click **Specify User Accounts**. You can add or remove user account here. Click **OK**. + +10. Right-click the association in the display pane and then click **View Recovery Information**. Note that a recovery key has been assigned, but a user state store location has not. Click **Close**. + +11. Click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. Verify that **PC4** is displayed in the collection. 
You might have to update and refresh the collection, or wait a few minutes, but do not proceed until PC4 is available. See the following example: + + ![collection](images/sccm-collection.png) + +### Create a device collection for PC1 + +1. On SRV1, in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Device Collections** and then click **Create Device Collection**. + +2. Use the following settings in the **Create Device Collection Wizard**: + - General > Name: **USMT Backup (Replace)**
      + - General > Limiting collection: **All Systems**
      + - Membership Rules > Add Rule: **Direct Rule**
      + - The **Create Direct Membership Rule Wizard** opens, click **Next**
      + - Search for Resources > Resource class: **System Resource**
      + - Search for Resources > Attribute name: **Name**
      + - Search for Resources > Value: **%**
      + - Select Resources > Value: Select the computername associated with the PC1 VM (GREGLIN-PC1 in this example).
      + - Click **Next** twice and then click **Close** in both windows. + +3. Click **Device Collections** and then double-click **USMT Backup (Replace)**. Verify that the computer name/hostname associated with PC1 is displayed in the collection. Do not proceed until this name is displayed. + +### Create a new deployment + +In the Configuration Manager console, in the Software Library workspace under Operating Systems, click **Task Sequences**, right-click **Replace Task Sequence**, click **Deploy**, and use the following settings: +- General > Collection: **USMT Backup (Replace)**
      +- Deployment Settings > Purpose: **Available**
      +- Deployment Settings > Make available to the following: **Only Configuration Manager Clients**
      +- Scheduling: Click **Next**
      +- User Experience: Click **Next**
      +- Alerts: Click **Next**
      +- Distribution Points: Click **Next**
      +- Click **Next** and then click **Close**. + +### Verify the backup + +1. On PC1, open the Configuration Manager control panel applet by typing the following command: + + ``` + control smscfgrc + ``` +2. On the **Actions** tab, click **Machine Policy Retrieval & Evaluation Cycle**, click **Run Now**, click **OK**, and then click **OK** again. This is one method that can be used to run a task sequence in addition to the Client Notification method that will be demonstrated in the computer refresh procedure. + +3. Type the following at an elevated command prompt to open the Software Center: + + ``` + C:\Windows\CCM\SCClient.exe + ``` + +4. In the Software Center , click **Available Software** and then select the **Replace Task Sequence** checkbox. See the following example: + + ![software](images/sccm-software-cntr.png) + + >If you do not see any available software, try running step #2 again to start the Machine Policy Retrieval & Evaluation Cycle. You should see an alert that new software is available. + +5. Click **INSTALL SELECTED** and then click **INSTALL OPERATING SYSTEM**. +6. Allow the **Replace Task Sequence** to complete, then verify that the C:\MigData folder on SRV1 contains the USMT backup. + +### Deploy the new computer + +1. Start PC4 and press ENTER for a network boot when prompted. To start PC4, type the following commands at an elevated Windows Powershell prompt on the Hyper-V host: + + ``` + Start-VM PC4 + vmconnect localhost PC4 + ``` +2. In the **Welcome to the Task Sequence Wizard**, enter pass@word1 and click **Next**. +3. Choose the **Windows 10 Enterprise X64** image. +4. Setup will install the operating system using the Windows 10 Enterprise x64 reference image, install the configuration manager client, join PC4 to the domain, and restore users and settings from PC1. +5. Save checkpoints for all VMs if you wish to review their status at a later date. This is not required (checkpoints do take up space on the Hyper-V host). 
Note: the next procedure will install a new OS on PC1 update its status in Configuration Manager and in Active Directory as a Windows 10 device, so you cannot return to a previous checkpoint only on the PC1 VM without a conflict. Therefore, if you do create a checkpoint, you should do this for all VMs. + + To save a checkpoint for all VMs, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Checkpoint-VM -Name DC1 -SnapshotName cm-refresh + Checkpoint-VM -Name SRV1 -SnapshotName cm-refresh + Checkpoint-VM -Name PC1 -SnapshotName cm-refresh + ``` + +## Refresh a client with Windows 10 using Configuration Manager + + +### Initiate the computer refresh + +1. On SRV1, in the Assets and Compliance workspace, click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. +2. Right-click the computer account for PC1, point to **Client Notification**, click **Download Computer Policy**, and click **OK** in the popup dialog box. +3. On PC1, in the notification area, click **New software is available** and then click **Open Software Center**. +4. In the Software Center, click **Operating Systems**, click **Windows 10 Enterprise x64**, click **Install** and then click **INSTALL OPERATING SYSTEM**. See the following example: + + ![installOS](images/sccm-install-os.png) + + The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then click **More Details**. Click the **Status** tab to see a list of tasks that have been performed. 
See the following example: + + ![asset](images/sccm-asset.png) + + You can also monitor progress of the installation by using the MDT deployment workbench and viewing the **Monitoring** node under **Deployment Shares\MDT Production**. + + When installation has completed, sign in using the contoso\administrator account or the contoso\user1 account and verify that applications and settings have been successfully backed up and restored to your new Windows 10 Enterprise operating system. + + ![post-refresh](images/sccm-post-refresh.png) + + + +## Related Topics + +[System Center 2012 Configuration Manager Survival Guide](https://social.technet.microsoft.com/wiki/contents/articles/7075.system-center-2012-configuration-manager-survival-guide.aspx#Step-by-Step_Guides) + + + + + + + diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index 7a4fb81ed7..a7ede5de94 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md 
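Review bot: In step 5 of "Deploy the new computer" (windows-10-poc-sc-config-mgr.md), the text says to save a checkpoint "for all VMs", but the commands that follow cover only DC1, SRV1 and PC1. PC4, which step 1 of the same section starts with `Start-VM PC4`, is left out. The note in that step warns that returning a single VM to an earlier checkpoint causes a conflict in Configuration Manager and Active Directory, so either add `Checkpoint-VM -Name PC4 -SnapshotName cm-refresh` or say which VMs are intentionally excluded. Smaller points in the same hunk: that note reads "install a new OS on PC1 update its status" (a conjunction is missing), step 1 spells "Windows Powershell" where step 5 uses "Windows PowerShell", "In the Software Center , click" has a stray space before the comma, and "You can add or remove user account here" should read "user accounts". The Related Topics link keeps the title "System Center 2012 Configuration Manager Survival Guide"; that is the linked article's own title, so leaving it unchanged is correct, and it is worth saying so in the commit message so a later rebrand pass does not rewrite it.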
@@ -1,1106 +1,1108 @@ ---- -title: Configure a test lab to deploy Windows 10 -ms.reviewer: -manager: laurawi -ms.audience: itpro author: greg-lindsay -description: Concepts and procedures for deploying Windows 10 in a proof of concept lab environment. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -keywords: deployment, automate, tools, configure, mdt, sccm -ms.localizationpriority: medium -audience: itpro author: greg-lindsay -ms.topic: article ---- - -# Step by step guide: Configure a test lab to deploy Windows 10 - -**Applies to** - -- Windows 10 - -This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides: - -- [Step by step: Deploy Windows 10 in a test lab using MDT](windows-10-poc-mdt.md)
      -- [Step by step: Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
      - -The PoC deployment guides are intended to provide a demonstration of Windows 10 deployment tools and processes for IT professionals that are not familiar with these tools, and those that are interested in setting up a proof of concept environment. The instructions in this guide should not be used in a production setting, and are not meant to replace the instructions found in production deployment guidance. - -Approximately 3 hours are required to configure the PoC environment. You will need a Hyper-V capable computer running Windows 8.1 or later with at least 16GB of RAM. Detailed [requirements](#hardware-and-software-requirements) are provided below. You will also need to have a [Microsoft account](https://www.microsoft.com/account) to use for downloading evaluation software. - -Windows PowerShell commands are provided to set up the PoC environment quickly. You do not need to be an expert in Windows PowerShell to complete the steps in the guide, however you are required to customize some commands to your environment. - -> Instructions to "type" Windows PowerShell commands provided in this guide can be followed literally by typing the commands, but the preferred method is to copy and paste these commands. -> -> A Windows PowerShell window can be used to run all commands in this guide. However, when commands are specified for a command prompt, you must either type CMD at the Windows PowerShell prompt to enter the command prompt, or preface the command with "cmd /c", or if desired you can escape special characters in the command using the back-tick character (`). In most cases, the simplest thing is to type cmd and enter a command prompt, type the necessary commands, then type "exit" to return to Windows PowerShell. - -Hyper-V is installed, configured and used extensively in this guide. If you are not familiar with Hyper-V, review the [terminology](#appendix-b-terminology-used-in-this-guide) used in this guide before starting. 
- -## In this guide - -This guide contains instructions for three general procedures: Install Hyper-V, configure Hyper-V, and configure VMs. If you already have a computer running Hyper-V, you can use this computer and skip the first procedure. In this case, your virtual switch settings must be modified to match those used in this guide, or the steps in this guide can be modified to use your existing Hyper-V settings. - -After completing the instructions in this guide, you will have a PoC environment that enables you to test Windows 10 deployment procedures by following instructions in companion guides that are written to use the PoC environment. Links are provided to download trial versions of Windows Server 2012, Windows 10 Enterprise, and all deployment tools necessary to complete the lab. - -Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. - -
      - -
      - - - -
      TopicDescriptionTime
      Hardware and software requirementsPrerequisites to complete this guide.Informational -
      Lab setupA description and diagram of the PoC environment.Informational -
      Configure the PoC environmentParent topic for procedures.Informational -
      Verify support and install Hyper-VVerify that installation of Hyper-V is supported, and install the Hyper-V server role.10 minutes -
      Download VHD and ISO filesDownload evaluation versions of Windows Server 2012 R2 and Windows 10 and prepare these files to be used on the Hyper-V host.30 minutes -
      Convert PC to VMConvert a physical computer on your network to a VM hosted in Hyper-V.30 minutes -
      Resize VHDIncrease the storage capacity for one of the Windows Server VMs.5 minutes -
      Configure Hyper-VCreate virtual switches, determine available RAM for virtual machines, and add virtual machines.15 minutes -
      Configure service and user accountsStart virtual machines and configure all services and settings.60 minutes -
      Configure VMsStart virtual machines and configure all services and settings.60 minutes -
      Appendix A: Verify the configurationVerify and troubleshoot network connectivity and services in the PoC environment.30 minutes -
      Appendix B: Terminology in this guideTerms used in this guide.Informational -
      -
      - -## Hardware and software requirements - -One computer that meets the hardware and software specifications below is required to complete the guide; A second computer is recommended to validate the upgrade process. - -- **Computer 1**: the computer you will use to run Hyper-V and host virtual machines. This computer should have 16 GB or more of installed RAM and a multi-core processor. -- **Computer 2**: a client computer from your corporate network. It is shadow-copied to create a VM that can be added to the PoC environment, enabling you to test a mirror image of a computer on your network. If you do not have a computer to use for this simulation, you can download an evaluation VHD and use it to represent this computer. Subsequent guides use this computer to simulate Windows 10 replace and refresh scenarios, so the VM is required even if you cannot create this VM using computer 2. - -Harware requirements are displayed below: - -
      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Computer 1 (required)Computer 2 (recommended)
      RoleHyper-V hostClient computer
      DescriptionThis computer will run Hyper-V, the Hyper-V management tools, and the Hyper-V Windows PowerShell module.This computer is a Windows 7 or Windows 8/8.1 client on your corporate network that will be converted to a VM to demonstrate the upgrade process.
      OSWindows 8.1/10 or Windows Server 2012/2012 R2/2016*Windows 7 or a later
      EditionEnterprise, Professional, or EducationAny
      Architecture64-bitAny
      Note: Retaining applications and settings requires that architecture (32 or 64-bit) is the same before and after the upgrade.
      RAM8 GB RAM (16 GB recommended) to test Windows 10 deployment with MDT. -
      16 GB RAM to test Windows 10 deployment with System Center Configuration Manager.
      Any
      Disk200 GB available hard disk space, any format.Any size, MBR formatted.
      CPUSLAT-Capable CPUAny
      NetworkInternet connectionAny
      - - -\*The Hyper-V server role can also be installed on a computer running Windows Server 2008 R2. However, the Windows PowerShell module for Hyper-V is not available on Windows Server 2008 R2, therefore you cannot use many of the steps provided in this guide to configure Hyper-V. To manage Hyper-V on Windows Server 2008 R2, you can use Hyper-V WMI, or you can use the Hyper-V Manager console. Providing all steps in this guide as Hyper-V WMI or as 2008 R2 Hyper-V Manager procedures is beyond the scope of the guide. -
      -
      The Hyper-V role cannot be installed on Windows 7 or earlier versions of Windows. - -
      - -## Lab setup - -The lab architecture is summarized in the following diagram: - -![PoC](images/poc.png) - -- Computer 1 is configured to host four VMs on a private, PoC network. - - Two VMs are running Windows Server 2012 R2 with required network services and tools installed. - - Two VMs are client systems: One VM is intended to mirror a host on your corporate network (computer 2) and one VM is running Windows 10 Enterprise to demonstrate the hardware replacement scenario. - ->If you have an existing Hyper-V host, you can use this host and skip the Hyper-V installation section in this guide. - -The two Windows Server VMs can be combined into a single VM to conserve RAM and disk space if required. However, instructions in this guide assume two server systems are used. Using two servers enables Active Directory Domain Services and DHCP to be installed on a server that is not directly connected to the corporate network. This mitigates the risk of clients on the corporate network receiving DHCP leases from the PoC network (i.e. "rogue" DHCP), and limits NETBIOS service broadcasts. - -## Configure the PoC environment - ->**Hint**: Before you begin, ensure that Windows PowerShell is pinned to the taskbar for easy access. If the Hyper-V host is running Windows Server then Windows PowerShell is automatically pinned to the taskbar. To pin Windows PowerShell to the taskbar on Windows 8.1 or Windows 10: Click **Start**, type **power**, right click **Windows PowerShell**, and then click **Pin to taskbar**. After Windows PowerShell is pinned to the taskbar, you can open an elevated Windows PowerShell prompt by right-clicking the icon on the taskbar and then clicking **Run as Administrator**. - -### Procedures in this section - -[Verify support and install Hyper-V](#verify-support-and-install-hyper-v)
      -[Download VHD and ISO files](#download-vhd-and-iso-files)
      -[Convert PC to VM](#convert-pc-to-vm)
      -[Resize VHD](#resize-vhd)
      -[Configure Hyper-V](#configure-hyper-v)
      -[Configure VMs](#configure-vms)
      - -### Verify support and install Hyper-V - -Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information. - -1. To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example: - -
      -    C:\>systeminfo
      -
      -    ...
      -    Hyper-V Requirements:      VM Monitor Mode Extensions: Yes
      -                               Virtualization Enabled In Firmware: Yes
      -                               Second Level Address Translation: Yes
      -                               Data Execution Prevention Available: Yes
      -    
      - - In this example, the computer supports SLAT and Hyper-V. - - If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings. - - You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example: - -
      -    C:\>coreinfo -v
      -
      -    Coreinfo v3.31 - Dump information on system CPU and memory topology
      -    Copyright (C) 2008-2014 Mark Russinovich
      -    Sysinternals - www.sysinternals.com
      -
      -    Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
      -    Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
      -    Microcode signature: 0000001B
      -    HYPERVISOR      -       Hypervisor is present
      -    VMX             *       Supports Intel hardware-assisted virtualization
      -    EPT             *       Supports Intel extended page tables (SLAT)
      -    
      - - Note: A 64-bit operating system is required to run Hyper-V. - -2. The Hyper-V feature is not installed by default. To install it, open an elevated Windows PowerShell window and type the following command: - -
      Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V –All
      - - This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command: - -
      Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
      - - When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. After installation is complete, you can open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt. - - >Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below: - - ![hyper-v feature](images/hyper-v-feature.png) - - ![hyper-v](images/svr_mgr2.png) - -

      If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools. - -### Download VHD and ISO files - -When you have completed installation of Hyper-V on the host computer, begin configuration of Hyper-V by downloading VHD and ISO files to the Hyper-V host. These files will be used to create the VMs used in the lab. Before you can download VHD and ISO files, you will need to register and sign in to the [TechNet Evaluation Center](https://www.microsoft.com/evalcenter/) using your Microsoft account. - -1. Create a directory on your Hyper-V host named **C:\VHD** and download a single [Windows Server 2012 R2 VHD](https://www.microsoft.com/evalcenter/evaluate-windows-server-2012-r2) from the TechNet Evaluation Center to the **C:\VHD** directory. - - **Important**: This guide assumes that VHDs are stored in the **C:\VHD** directory on the Hyper-V host. If you use a different directory to store VHDs, you must adjust steps in this guide appropriately. - - After completing registration you will be able to download the 7.47 GB Windows Server 2012 R2 evaluation VHD. An example of the download offering is shown below. - - - -
      VHD
      - -2. Download the file to the **C:\VHD** directory. When the download is complete, rename the VHD file that you downloaded to **2012R2-poc-1.vhd**. This is done to make the filename simple to recognize and type. -3. Copy the VHD to a second file also in the **C:\VHD** directory and name this VHD **2012R2-poc-2.vhd**. -4. Download the [Windows 10 Enterprise ISO](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) from the TechNet Evaluation Center to the **C:\VHD** directory on your Hyper-V host. - - >During registration, you must specify the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version if desired. **Note: The evaluation version of Windows 10 does not support in-place upgrade**. - -5. Rename the ISO file that you downloaded to **w10-enterprise.iso**. Again, this is done so that the filename is simple to type and recognize. After completing registration you will be able to download the 3.63 GB Windows 10 Enterprise evaluation ISO. - -After completing these steps, you will have three files in the **C:\VHD** directory: **2012R2-poc-1.vhd**, **2012R2-poc-2.vhd**, **w10-enterprise.iso**. - -The following displays the procedures described in this section, both before and after downloading files: - -

      -C:>mkdir VHD
      -C:>cd VHD
      -C:\VHD>ren 9600*.vhd 2012R2-poc-1.vhd
      -C:\VHD>copy 2012R2-poc-1.vhd 2012R2-poc-2.vhd
      -   1 file(s) copied.
      -C:\VHD ren *.iso w10-enterprise.iso
      -C:\VHD>dir /B
      -2012R2-poc-1.vhd
      -2012R2-poc-2.vhd
      -w10-enterprise.iso
      -
      - -### Convert PC to VM - ->Important: Do not attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, do not start the VM outside the PoC network. - -
      -If you do not have a PC available to convert to VM, perform the following steps to download an evaluation VM: -
      -
        -
      1. Open the Download virtual machines page. -
      2. Under Virtual machine, choose IE11 on Win7. -
      3. Under Select platform choose HyperV (Windows). -
      4. Click Download .zip. The download is 3.31 GB. -
      5. Extract the zip file. Three directories are created. -
      6. Open the Virtual Hard Disks directory and then copy IE11 - Win7.vhd to the C:\VHD directory. -
      7. Rename IE11 - Win7.vhd to w7.vhd (do not rename the file to w7.vhdx). -
      8. In step 5 of the Configure Hyper-V section, replace the VHD file name w7.vhdx with w7.vhd. -
      -
      - -If you have a PC available to convert to VM (computer 2): - -1. Sign in on computer 2 using an account with Administrator privileges. - ->Important: the account used in this step must have local administrator privileges. You can use a local computer account, or a domain account with administrative rights if domain policy allows the use of cached credentials. After converting the computer to a VM, you must be able to sign in on this VM with administrator rights while the VM is disconnected from the corporate network. - -2. [Determine the VM generation and partition type](#determine-the-vm-generation-and-partition-type) that is required. -3. Based on the VM generation and partition type, perform one of the following procedures: [Prepare a generation 1 VM](#prepare-a-generation-1-vm), [Prepare a generation 2 VM](#prepare-a-generation-2-vm), or [prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk). - -#### Determine the VM generation and partition type - -When creating a VM in Hyper-V, you must specify either generation 1 or generation 2. The following table describes requirements for these two types of VMs. - -
      - - - - - - - - - - - - - - - - - - - - -
      ArchitectureOperating systemPartition style
      Generation 132-bit or 64-bitWindows 7 or laterMBR
      Generation 264-bitWindows 8 or laterMBR or GPT
      - -
      - -If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to a generation 1 VM. Otherwise, it can be converted to a generation 2 VM. - -- To determine the OS and architecture of a PC, type **systeminfo** at a command prompt and review the output next to **OS Name** and **System Type**. -- To determine the partition style, open a Windows PowerShell prompt on the PC and type the following command: - -
      -Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
      -
      - -If the **Type** column does not indicate GPT, then the disk partition format is MBR ("Installable File System" = MBR). In the following example, the disk is GPT: - -
      -PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
      -
      -SystemName                           Caption                                 Type
      -----------                           -------                                 ----
      -USER-PC1                             Disk #0, Partition #0                   GPT: System
      -USER-PC1                             Disk #0, Partition #1                   GPT: Basic Data
      -
      - -On a computer running Windows 8 or later, you can also type **Get-Disk** at a Windows PowerShell prompt to discover the partition style. The default output of this cmdlet displays the partition style for all attached disks. Both commands are displayed below. In this example, the client computer is running Windows 8.1 and uses a GPT style partition format: - -
      -PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
      -
      -SystemName                            Caption                               Type
      -----------                            -------                               ----
      -PC-X1                                 Disk #0, Partition #0                 GPT: Unknown
      -PC-X1                                 Disk #0, Partition #1                 GPT: System
      -PC-X1                                 Disk #0, Partition #2                 GPT: Basic Data
      -PC-X1                                 Disk #0, Partition #3                 GPT: Basic Data
      -PC-X1                                 Disk #0, Partition #4                 GPT: Basic Data
      -
      -PS C:> Get-Disk
      -
      -Number Friendly Name                  OperationalStatus                     Total Size Partition Style
      ------- -------------                  -----------------                     ---------- ---------------
      -0      INTEL SSDSCMMW240A3L           Online                                223.57 GB GPT
      -
      - - - -**Choosing a VM generation** - -The following table displays the Hyper-V VM generation to choose based on the OS, architecture, and partition style. Links to procedures to create the corresponding VMs are included. - -
      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      OSPartition styleArchitectureVM generationProcedure
      Windows 7MBR321Prepare a generation 1 VM
      641Prepare a generation 1 VM
      GPT32N/AN/A
      641Prepare a generation 1 VM from a GPT disk
      Windows 8 or laterMBR321Prepare a generation 1 VM
      641, 2Prepare a generation 1 VM
      GPT321Prepare a generation 1 VM from a GPT disk
      642Prepare a generation 2 VM
      - -
      - -Notes:
      -
        -
      • If the PC is running Windows 7, it can only be converted and hosted in Hyper-V as a generation 1 VM. This Hyper-V requirement means that if the Windows 7 PC is also using a GPT partition style, the OS disk can be shadow copied, but a new system partition must be created. In this case, see Prepare a generation 1 VM from a GPT disk. -
      • If the PC is running Windows 8 or later and uses the GPT partition style, you can capture the disk image and create a generation 2 VM. To do this, you must temporarily mount the EFI system partition which is accomplished using the mountvol command. In this case, see Prepare a generation 2 VM. -
      • If the PC is using an MBR partition style, you can convert the disk to VHD and use it to create a generation 1 VM. If you use the Disk2VHD tool described in this guide, it is not necessary to mount the MBR system partition, but it is still necessary to capture it. In this case, see Prepare a generation 1 VM. -
      - -#### Prepare a generation 1 VM - -1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert. - - >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. - -2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. -3. Select the checkboxes next to the **C:\\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example. **Important**: You must include the system volume in order to create a bootable VHD. If this volume is not displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation). -4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and click **Create**. See the following example: - - ![disk2vhd](images/disk2vhd.png) - - >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. - -5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (w7.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: - -
      -    C:\vhd>dir /B
      -    2012R2-poc-1.vhd
      -    2012R2-poc-2.vhd
      -    w10-enterprise.iso
      -    w7.VHDX
      -    
      - -#### Prepare a generation 2 VM - -1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert. - - >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. - -2. On the computer you wish to convert, open an elevated command prompt and type the following command: - -
      mountvol s: /s
      - - This command temporarily assigns a drive letter of S to the system volume and mounts it. If the letter S is already assigned to a different volume on the computer, then choose one that is available (ex: mountvol z: /s). - -3. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. -4. Select the checkboxes next to the **C:\\** and the **S:\\** volumes, and clear the **Use Volume Shadow Copy checkbox**. Volume shadow copy will not work if the EFI system partition is selected. - - **Important**: You must include the EFI system partition in order to create a bootable VHD. The Windows RE tools partition (shown below) is not required, but it can also be converted if desired. - -5. Specify a location to save the resulting VHD or VHDX file (F:\VHD\PC1.vhdx in the following example) and click **Create**. See the following example: - - ![disk2vhd](images/disk2vhd-gen2.png) - - >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. - -6. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (PC1.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: - -
      -    C:\vhd>dir /B
      -    2012R2-poc-1.vhd
      -    2012R2-poc-2.vhd
      -    w10-enterprise.iso
      -    PC1.VHDX
      -    
      - -#### Prepare a generation 1 VM from a GPT disk - -1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert. - - >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. - -2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. -3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**. Note: the system volume is not copied in this scenario, it will be added later. -4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and click **Create**. See the following example: - - ![disk2vhd](images/disk2vhd4.png) - - >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. - -5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHD file (w7.vhd) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: - -
      -    C:\vhd>dir /B
      -    2012R2-poc-1.vhd
      -    2012R2-poc-2.vhd
      -    w10-enterprise.iso
      -    w7.VHD
      -    
      - - >In its current state, the w7.VHD file is not bootable. The VHD will be used to create a bootable VM later in the [Configure Hyper-V](#configure-hyper-v) section. - -### Resize VHD - -
      -Enhanced session mode - -**Important**: Before proceeding, verify that you can take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer. - -To ensure that enhanced session mode is enabled on the Hyper-V host, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: - -
      Set-VMhost -EnableEnhancedSessionMode $TRUE
      - ->If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex. - -
      - -The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 100GB to support installing imaging tools and storing OS images. - -1. To add available space for the partition, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: - -
      -    Resize-VHD –Path c:\VHD\2012R2-poc-2.vhd –SizeBytes 100GB
      -    $x = (Mount-VHD –Path c:\VHD\2012R2-poc-2.vhd -passthru | Get-Disk | Get-Partition | Get-Volume).DriveLetter
      -    Resize-Partition -DriveLetter $x -Size (Get-PartitionSupportedSize -DriveLetter $x).SizeMax
      -    
      - -2. Verify that the mounted VHD drive is resized to 100 GB, and then dismount the drive: - -
      -    Get-Volume -DriveLetter $x
      -    Dismount-VHD –Path c:\VHD\2012R2-poc-2.vhd
      - -### Configure Hyper-V - -1. Open an elevated Windows PowerShell window and type the following command to create two virtual switches named "poc-internal" and "poc-external": - - >If the Hyper-V host already has an external virtual switch bound to a physical NIC, do not attempt to add a second external virtual switch. Attempting to add a second external switch will result in an error indicating that the NIC is **already bound to the Microsoft Virtual Switch protocol.** In this case, choose one of the following options:
      -    A) Remove the existing external virtual switch, then add the poc-external switch
      -    B) Rename the existing external switch to "poc-external"
      -    C) Replace each instance of "poc-external" used in this guide with the name of your existing external virtual switch
      - If you choose B) or C), then do not run the second command below. - -
      -    New-VMSwitch -Name poc-internal -SwitchType Internal -Notes "PoC Network"
      -    New-VMSwitch -Name poc-external -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name -Notes "PoC External"
      -    
      - - **Note**: The second command above will temporarily interrupt network connectivity on the Hyper-V host. - - >Since an external virtual switch is associated to a physical network adapter on the Hyper-V host, this adapter must be specified when adding the virtual switch. The previous commands automate this by filtering for active non-virtual ethernet adapters using the Get-NetAdapter cmdlet ($_.Status -eq "Up" -and !$_.Virtual). If your Hyper-V host is dual-homed with multiple active ethernet adapters, this automation will not work, and the second command above will fail. In this case, you must edit the command used to add the "poc-external" virtual switch by inserting the appropriate NetAdapterName. The NetAdapterName value corresponds to the name of the network interface you wish to use. For example, if the network interface you use on the Hyper-V host to connect to the Internet is named "Ethernet 2" then type the following command to create an external virtual switch: New-VMSwitch -Name poc-external -NetAdapterName "Ethernet 2" -Notes "PoC External" - -2. At the elevated Windows PowerShell prompt, type the following command to determine the megabytes of RAM that are currently available on the Hyper-V host: - -
      -    (Get-VMHostNumaNode).MemoryAvailable
      -    
      - - This command will display the megabytes of RAM available for VMs. On a Hyper-V host computer with 16 GB of physical RAM installed, 10,000 MB of RAM or greater should be available if the computer is not also running other applications. On a computer with 8 GB of physical RAM installed, at least 4000 MB should be available. If the computer has less RAM available than this, try closing applications to free up more memory. - -3. Determine the available memory for VMs by dividing the available RAM by 4. For example: - -
      -    (Get-VMHostNumaNode).MemoryAvailable/4
      -    2775.5
      -    
      - - In this example, VMs can use a maximum of 2700 MB of RAM each, to run four VMs simultaneously. - -4. At the elevated Windows PowerShell prompt, type the following command to create two new VMs. Other VMs will be added later. - >**Important**: Replace the value of 2700MB for $maxRAM in the first command below with the RAM value that you calculated in the previous step. - -
      -    $maxRAM = 2700MB
      -    New-VM -Name "DC1" -VHDPath c:\vhd\2012R2-poc-1.vhd -SwitchName poc-internal
      -    Set-VMMemory -VMName "DC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
      -    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName DC1
      -    New-VM -Name "SRV1" -VHDPath c:\vhd\2012R2-poc-2.vhd -SwitchName poc-internal
      -    Add-VMNetworkAdapter -VMName "SRV1" -SwitchName "poc-external"
      -    Set-VMMemory -VMName "SRV1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 80
      -    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName SRV1
      -    
      - - **Note**: The RAM values assigned to VMs in this step are not permanent, and can be easily increased or decreased later if needed to address performance issues. - -5. Using the same elevated Windows PowerShell prompt that was used in the previous step, type one of the following sets of commands, depending on the type of VM that was prepared in the [Determine VM generation](#determine-vm-generation) section, either generation 1, generation 2, or generation 1 with GPT. - - To create a generation 1 VM (using c:\vhd\w7.vhdx): - -
      -    New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhdx -SwitchName poc-internal
      -    Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
      -    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
      -    
      - - To create a generation 2 VM (using c:\vhd\PC1.vhdx): - -
      -    New-VM -Name "PC1" -Generation 2 -VHDPath c:\vhd\PC1.vhdx -SwitchName poc-internal
      -    Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
      -    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
      -    
      - - To create a generation 1 VM from a GPT disk (using c:\vhd\w7.vhd): - - >Note: The following procedure is more complex because it includes steps to convert the OS partition from GPT to MBR format. Steps are included to create a temporary VHD and attach it to the VM, the OS image is saved to this drive, the OS drive is then reformatted to MBR, the OS image restored, and the temporary drive is removed. - - First, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to create a temporary VHD that will be used to save the OS image. Do not forget to include a pipe (|) at the end of the first five commands: - -
      -    New-VHD -Path c:\vhd\d.vhd -SizeBytes 1TB |
      -    Mount-VHD -Passthru |
      -    Get-Disk -Number {$_.DiskNumber} |
      -    Initialize-Disk -PartitionStyle MBR -PassThru |
      -    New-Partition -UseMaximumSize |
      -    Format-Volume -Confirm:$false -FileSystem NTFS -force
      -    Dismount-VHD -Path c:\vhd\d.vhd
      -    
      - - Next, create the PC1 VM with two attached VHDs, and boot to DVD ($maxram must be defined previously using the same Windows PowerShell promt): - -
      -    New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhd -SwitchName poc-internal
      -    Add-VMHardDiskDrive -VMName PC1 -Path c:\vhd\d.vhd
      -    Set-VMDvdDrive -VMName PC1 -Path c:\vhd\w10-enterprise.iso
      -    Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
      -    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
      -    Start-VM PC1
      -    vmconnect localhost PC1
      -    
      - - The VM will automatically boot into Windows Setup. In the PC1 window: - - 1. Click **Next**. - 2. Click **Repair your computer**. - 3. Click **Troubleshoot**. - 4. Click **Command Prompt**. - 5. Type the following command to save an image of the OS drive: - -
      -      dism /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C
      -      
      - - 6. Wait for the OS image to complete saving, and then type the following commands to convert the C: drive to MBR: - -
      -      diskpart
      -      select disk 0
      -      clean
      -      convert MBR
      -      create partition primary size=100
      -      format fs=ntfs quick
      -      active
      -      create partition primary
      -      format fs=ntfs quick label=OS
      -      assign letter=c
      -      exit
      -      
      - - 7. Type the following commands to restore the OS image and boot files: - -
      -      dism /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\
      -      bcdboot c:\windows
      -      exit
      -      
      - - 8. Click **Continue** and verify the VM boots successfully (do not boot from DVD). - 9. Click **Ctrl+Alt+Del**, and then in the bottom right corner, click **Shut down**. - 10. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to remove the temporary disks and drives from PC1: - -
      -       Remove-VMHardDiskDrive -VMName PC1 -ControllerType IDE -ControllerNumber 0 -ControllerLocation 1
      -       Set-VMDvdDrive -VMName PC1 -Path $null
      -       
      - -### Configure VMs - -1. At an elevated Windows PowerShell prompt on the Hyper-V host, start the first Windows Server VM and connect to it by typing the following commands: - -
      -    Start-VM DC1
      -    vmconnect localhost DC1
      -    
      - -2. Click **Next** to accept the default settings, read the license terms and click **I accept**, provide an administrator password of pass@word1, and click **Finish**. -3. Click **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account. -4. Right-click **Start**, point to **Shut down or sign out**, and click **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, click **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It is only necessary to do this the first time you sign in to a new VM. -5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway: - -
      -    Rename-Computer DC1
      -    New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.1 –PrefixLength 24 -DefaultGateway 192.168.0.2
      -    Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
      -    
      - - > The default gateway at 192.168.0.2 will be configured later in this guide. - > - > Note: A list of available tasks for an app will be populated the first time you run it on the taskbar. Because these tasks aren't available until the App has been run, you will not see the **Run as Administrator** task until you have left-clicked Windows PowerShell for the first time. In this newly created VM, you will need to left-click Windows PowerShell one time, and then you can right-click and choose Run as Administrator to open an elevated Windows PowerShell prompt. - -6. Install the Active Directory Domain Services role by typing the following command at an elevated Windows PowerShell prompt: - -
      -    Install-WindowsFeature -Name AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools
      -    
      - -7. Before promoting DC1 to a Domain Controller, you must reboot so that the name change in step 3 above takes effect. To restart the computer, type the following command at an elevated Windows PowerShell prompt: - -
      -    Restart-Computer
      -    
      - -8. When DC1 has rebooted, sign in again and open an elevated Windows PowerShell prompt. Now you can promote the server to be a domain controller. The directory services restore mode password must be entered as a secure string. Type the following commands at the elevated Windows PowerShell prompt: - -
      -    $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
      -    Install-ADDSForest -DomainName contoso.com -InstallDns -SafeModeAdministratorPassword $pass -Force
      -    
      - - Ignore any warnings that are displayed. The computer will automatically reboot upon completion. - -9. When the reboot has completed, reconnect to DC1, sign in using the CONTOSO\Administrator account, open an elevated Windows PowerShell prompt, and use the following commands to add a reverse lookup zone for the PoC network, add the DHCP Server role, authorize DHCP in Active Directory, and suppress the post-DHCP-install alert: - -
      -    Add-DnsServerPrimaryZone -NetworkID "192.168.0.0/24" -ReplicationScope Forest
      -    Add-WindowsFeature -Name DHCP -IncludeManagementTools
      -    netsh dhcp add securitygroups
      -    Restart-Service DHCPServer
      -    Add-DhcpServerInDC  dc1.contoso.com  192.168.0.1
      -    Set-ItemProperty –Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 –Name ConfigurationState –Value 2
      -    
      - -10. Next, add a DHCP scope and set option values: - -
      -    Add-DhcpServerv4Scope -Name "PoC Scope" -StartRange 192.168.0.100 -EndRange 192.168.0.199 -SubnetMask 255.255.255.0 -Description "Windows 10 PoC" -State Active
      -    Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -DnsDomain contoso.com -Router 192.168.0.2 -DnsServer 192.168.0.1,192.168.0.2 -Force
      -    
      - - >The -Force option is necessary when adding scope options to skip validation of 192.168.0.2 as a DNS server because we have not configured it yet. The scope should immediately begin issuing leases on the PoC network. The first DHCP lease that will be issued is to vEthernet interface on the Hyper-V host, which is a member of the internal network. You can verify this by using the command: Get-DhcpServerv4Lease -ScopeId 192.168.0.0. - -11. The DNS server role will also be installed on the member server, SRV1, at 192.168.0.2 so that we can forward DNS queries from DC1 to SRV1 to resolve Internet names without having to configure a forwarder outside the PoC network. Since the IP address of SRV1 already exists on DC1's network adapter, it will be automatically added during the DCPROMO process. To verify this server-level DNS forwarder on DC1, type the following command at an elevated Windows PowerShell prompt on DC1: - -
      -    Get-DnsServerForwarder
      -    
      - - The following output should be displayed: - -
      -    UseRootHint        : True
      -    Timeout(s)         : 3
      -    EnableReordering   : True
      -    IPAddress          : 192.168.0.2
      -    ReorderedIPAddress : 192.168.0.2
      -    
      - - If this output is not displayed, you can use the following command to add SRV1 as a forwarder: - -
      -    Add-DnsServerForwarder -IPAddress 192.168.0.2
      -    
      - - **Configure service and user accounts** - - Windows 10 deployment with MDT and System Center Configuration Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire. - - >To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - - On DC1, open an elevated Windows PowerShell prompt and type the following commands: - -
      -    New-ADUser -Name User1 -UserPrincipalName user1 -Description "User account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
      -    New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
      -    New-ADUser -Name CM_JD -UserPrincipalName CM_JD -Description "Configuration Manager Join Domain Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
      -    New-ADUser -Name CM_NAA -UserPrincipalName CM_NAA -Description "Configuration Manager Network Access Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
      -    Add-ADGroupMember "Domain Admins" MDT_BA,CM_JD,CM_NAA
      -    Set-ADUser -Identity user1 -PasswordNeverExpires $true
      -    Set-ADUser -Identity administrator -PasswordNeverExpires $true
      -    Set-ADUser -Identity MDT_BA -PasswordNeverExpires $true
      -    Set-ADUser -Identity CM_JD -PasswordNeverExpires $true
      -    Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true
      -    
      - -12. Minimize the DC1 VM window but **do not stop** the VM. - - Next, the client VM will be started and joined to the contoso.com domain. This is done before adding a gateway to the PoC network so that there is no danger of duplicate DNS registrations for the physical client and its cloned VM in the corporate domain. - -13. If the PC1 VM is not started yet, using an elevated Windows PowerShell prompt on the Hyper-V host, start the client VM (PC1), and connect to it: - -
      -    Start-VM PC1
      -    vmconnect localhost PC1
      -    
      - -14. Sign in to PC1 using an account that has local administrator rights. - - >PC1 will be disconnected from its current domain, so you cannot use a domain account to sign on unless these credentials are cached and the use of cached credentials is permitted by Group Policy. If cached credentials are available and permitted, you can use these credentials to sign in. Otherwise, use an existing local administrator account. - -15. After signing in, the operating system detects that it is running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you will be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. You can monitor device driver installation by clicking **Show hidden icons** in the notification area. - - ![PoC](images/installing-drivers.png) - - >If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease. - -16. When the new network adapter driver has completed installation, you will receive an alert to set a network location for the contoso.com network. Select **Work network** and then click **Close**. When you receive an alert that a restart is required, click **Restart Later**. - -17. Open an elevated Windows PowerShell prompt on PC1 and verify that the client VM has received a DHCP lease and can communicate with the consoto.com domain controller. - - To open Windows PowerShell on Windows 7, click **Start**, and search for "**power**." Right-click **Windows PowerShell** and then click **Pin to Taskbar** so that it is simpler to use Windows Powershell during this lab. Click **Windows PowerShell** on the taskbar, and then type **ipconfig** at the prompt to see the client's current IP address. 
Also type **ping dc1.contoso.com** and **nltest /dsgetdc:contoso.com** to verify that it can reach the domain controller. See the following examples of a successful network connection: - - ``` - ipconfig - - Windows IP Configuration - - Ethernet adapter Local Area Connection 3: - Connection-specific DNS Suffix . : contoso.com - Link-local IPv6 Address . . . . . : fe80::64c2:4d2a:7403:6e02%18 - Ipv4 Address. . . . . . . . . . . : 192.168.0.101 - Subnet Mask . . . . . . . . . . . : 255.255.255.0 - Default Gateway . . . . . . . . . : 192.168.0.2 - - ping dc1.contoso.com - - Pinging dc1.contoso.com [192.168.0.1] with 32 bytes of data: - Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 - Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 - Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 - Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 - - nltest /dsgetdc:contoso.com - DC: \\DC1 - Address: \\192.168.0.1 - Dom Guid: fdbd0643-d664-411b-aea0-fe343d7670a8 - Dom Name: CONTOSO - Forest Name: contoso.com - Dc Site Name: Default-First-Site-Name - Our Site Name: Default-First-Site-Name - Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET WS 0xC000 - ``` - - >If PC1 is running Windows 7, enhanced session mode might not be available, which means that you cannot copy and paste commands from the Hyper-V host to a Windows PowerShell prompt on PC1. However, it is possible to use integration services to copy a file from the Hyper-V host to a VM. The next procedure demonstrates this. If the Copy-VMFile command fails, then type the commands below at an elevated Windows PowerShell prompt on PC1 instead of saving them to a script to run remotely. If PC1 is running Windows 8 or a later operating system, you can use enhanced session mode to copy and paste these commands instead of typing them. - -18. Minimize the PC1 window and switch to the Hyper-V host computer. 
Open an elevated Windows PowerShell ISE window on the Hyper-V host (right-click Windows PowerShell and then click **Run ISE as Administrator**) and type the following commands in the (upper) script editor pane: - -
      -    (Get-WmiObject Win32_ComputerSystem).UnjoinDomainOrWorkgroup($null,$null,0)
      -    $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
      -    $user = "contoso\administrator"
      -    $cred = New-Object System.Management.Automation.PSCredential($user,$pass)
      -    Add-Computer -DomainName contoso.com -Credential $cred
      -    Restart-Computer
      -    
      - - >If you do not see the script pane, click **View** and verify **Show Script Pane Top** is enabled. Click **File** and then click **New**. - - See the following example: - - ![ISE](images/ISE.png) - -19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host. -20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1: - -
      -    Enable-VMIntegrationService -VMName PC1 -Name "Guest Service Interface"
      -    Copy-VMFile "PC1" –SourcePath "C:\VHD\pc1.ps1"  –DestinationPath "C:\pc1.ps1" –CreateFullPath –FileSource Host
      -    
      - - >In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service. - - If the copy-vmfile command does not work and you cannot properly enable or upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration of automation methods that can be used in a Hyper-V environment when enhanced session mode is not available. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file. - -21. On PC1, type the following commands at an elevated Windows PowerShell prompt: - -
      -    Get-Content c:\pc1.ps1 | powershell.exe -noprofile -
      -    
      - - >The commands in this script might take a few moments to complete. If an error is displayed, check that you typed the command correctly, paying close attention to spaces. PC1 is removed from its domain in this step while not connected to the corporate network so as to ensure the computer object in the corporate domain is unaffected. PC1 is also not renamed to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer. - -22. Upon completion of the script, PC1 will automatically restart. When it has restarted, sign in to the contoso.com domain using the **Switch User** option, with the **user1** account you created in step 11 of this section. - >**Important**: The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all user accounts, or only other specified accounts. If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing. -23. Minimize the PC1 window but do not turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services. -24. On the Hyper-V host computer, at an elevated Windows PowerShell prompt, type the following commands: - -
      -    Start-VM SRV1
      -    vmconnect localhost SRV1
      -    
      - -25. Accept the default settings, read license terms and accept them, provide an administrator password of pass@word1, and click **Finish**. When you are prompted about finding PCs, devices, and content on the network, click **Yes**. -26. Sign in to SRV1 using the local administrator account. In the same way that was done on DC1, sign out of SRV1 and then sign in again to enable enhanced session mode. This will enable you to copy and paste Windows PowerShell commands from the Hyper-V host to the VM. -27. Open an elevated Windows PowerShell prompt on SRV1 and type the following commands: - -
      -    Rename-Computer SRV1
      -    New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.2 –PrefixLength 24
      -    Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
      -    Restart-Computer
      -    
      - - >[!IMPORTANT] - >Verify that you are configuring the correct interface in this step. The commands in this step assume that the poc-internal interface on SRV1 is named "Ethernet." If you are unsure how to check the interface, see step #30 below for instructions and tips on how to verify and modify the interface name. - -28. Wait for the computer to restart, sign in again, then type the following commands at an elevated Windows PowerShell prompt: - -
      -    $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
      -    $user = "contoso\administrator"
      -    $cred = New-Object System.Management.Automation.PSCredential($user,$pass)
      -    Add-Computer -DomainName contoso.com -Credential $cred
      -    Restart-Computer
      -    
      - -29. Sign in to the contoso.com domain on SRV1 using the domain administrator account (enter contoso\administrator as the user), open an elevated Windows PowerShell prompt, and type the following commands: - -
      -    Install-WindowsFeature -Name DNS -IncludeManagementTools
      -    Install-WindowsFeature -Name WDS -IncludeManagementTools
      -    Install-WindowsFeature -Name Routing -IncludeManagementTools
      -    
      - -30. Before configuring the routing service that was just installed, verify that network interfaces were added to SRV1 in the right order, resulting in an interface alias of "Ethernet" for the private interface, and an interface alias of "Ethernet 2" for the public interface. Also verify that the external interface has a valid external DHCP IP address lease. - - To view a list of interfaces, associated interface aliases, and IP addresses on SRV1, type the following Windows PowerShell command. Example output of the command is also shown below: - -
      -    Get-NetAdapter | ? status -eq ‘up’ | Get-NetIPAddress -AddressFamily IPv4 | ft IPAddress, InterfaceAlias
      -
      -    IPAddress                                                                  InterfaceAlias
      -    ---------                                                                  --------------
      -    10.137.130.118                                                             Ethernet 2
      -    192.168.0.2                                                                Ethernet
      -    
      - - In this example, the poc-internal network interface at 192.168.0.2 is associated with the "Ethernet" interface and the Internet-facing poc-external interface is associated with the "Ethernet 2" interface. If your interfaces are different, you must adjust the commands provided in the next step appropriately to configure routing services. Also note that if the "Ethernet 2" interface has an IP address in the 192.168.0.100-105 range then it likely is getting a DHCP lease from DC1 instead of your corporate network. If this is the case, you can try removing and re-adding the second network interface from the SRV1 VM through its Hyper-V settings. - - >[!TIP] - >Sometimes a computer will have hidden, disconnected interfaces that prevent you from naming a network adapter. When you attempt to rename an adapter, you will receive an error that the adapter name already exists. These disconnected devices can be viewed in device manager by clicking **View** and then clicking **Show hidden devices**. The disconnected device can then be uninstalled, enabling you to reuse the adapter name. - - -31. To configure SRV1 with routing capability for the PoC network, type or paste the following commands at an elevated Windows PowerShell prompt on SRV1: - -
      -    Install-RemoteAccess -VpnType Vpn
      -    cmd /c netsh routing ip nat install
      -    cmd /c netsh routing ip nat add interface name="Ethernet 2" mode=FULL
      -    cmd /c netsh routing ip nat add interface name="Ethernet" mode=PRIVATE
      -    cmd /c netsh routing ip nat add interface name="Internal" mode=PRIVATE
      -    
      - -32. The DNS service on SRV1 also needs to resolve hosts in the contoso.com domain. This can be accomplished with a conditional forwarder. Open an elevated Windows PowerShell prompt on SRV1 and type the following command: - -
      -    Add-DnsServerConditionalForwarderZone -Name contoso.com -MasterServers 192.168.0.1
      -    
      - -33. In most cases, this completes configuration of the PoC network. However, if your corporate network has a firewall that filters queries from local DNS servers, you will also need to configure a server-level DNS forwarder on SRV1 to resolve Internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the Internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example: - -
      -    ping www.microsoft.com
      -    
      - - If you see "Ping request could not find host www.microsoft.com" on PC1 and DC1, but not on SRV1, then you will need to configure a server-level DNS forwarder on SRV1. To do this, open an elevated Windows PowerShell prompt on SRV1 and type the following command. - - **Note**: This command also assumes that "Ethernet 2" is the external-facing network adapter on SRV1. If the external adapter has a different name, replace "Ethernet 2" in the command below with that name: - -
      -    Add-DnsServerForwarder -IPAddress (Get-DnsClientServerAddress -InterfaceAlias "Ethernet 2").ServerAddresses
      -    
      - -34. If DNS and routing are both working correctly, you will see the following on DC1 and PC1 (the IP address might be different, but that is OK): - -
      -    PS C:\> ping www.microsoft.com
      -
      -    Pinging e2847.dspb.akamaiedge.net [23.222.146.170] with 32 bytes of data:
      -    Reply from 23.222.146.170: bytes=32 time=3ms TTL=51
      -    Reply from 23.222.146.170: bytes=32 time=2ms TTL=51
      -    Reply from 23.222.146.170: bytes=32 time=2ms TTL=51
      -    Reply from 23.222.146.170: bytes=32 time=1ms TTL=51
      -
      -    Ping statistics for 23.222.146.170:
      -        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
      -    Approximate round trip times in milli-seconds:
      -        Minimum = 1ms, Maximum = 3ms, Average = 2ms
      -    
      - -35. Verify that all three VMs can reach each other, and the Internet. See [Appendix A: Verify the configuration](#appendix-a-verify-the-configuration) for more information. -36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in 3 days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1: - -
      -    runas /noprofile /env /user:administrator@contoso.com "cmd /c slmgr -rearm"
      -    Restart-Computer
      -    
      - -This completes configuration of the starting PoC environment. Additional services and tools are installed in subsequent guides. - -## Appendix A: Verify the configuration - -Use the following procedures to verify that the PoC environment is configured properly and working as expected. - -1. On DC1, open an elevated Windows PowerShell prompt and type the following commands: - -
      -    Get-Service NTDS,DNS,DHCP
      -    DCDiag -a
      -    Get-DnsServerResourceRecord -ZoneName contoso.com -RRType A
      -    Get-DnsServerForwarder
      -    Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
      -    Get-DhcpServerInDC
      -    Get-DhcpServerv4Statistics
      -    ipconfig /all
      -    
      - - **Get-Service** displays a status of "Running" for all three services.
      - **DCDiag** displays "passed test" for all tests.
      - **Get-DnsServerResourceRecord** displays the correct DNS address records for DC1, SRV1, and the computername of PC1. Additional address records for the zone apex (@), DomainDnsZones, and ForestDnsZones will also be registered.
      - **Get-DnsServerForwarder** displays a single forwarder of 192.168.0.2.
      - **Resolve-DnsName** displays public IP address results for www.microsoft.com.
      - **Get-DhcpServerInDC** displays 192.168.0.1, dc1.contoso.com.
      - **Get-DhcpServerv4Statistics** displays 1 scope with 2 addresses in use (these belong to PC1 and the Hyper-V host).
      - **ipconfig** displays a primary DNS suffix and suffix search list of contoso.com, IP address of 192.168.0.1, subnet mask of 255.255.255.0, default gateway of 192.168.0.2, and DNS server addresses of 192.168.0.1 and 192.168.0.2. - -2. On SRV1, open an elevated Windows PowerShell prompt and type the following commands: - -
      -    Get-Service DNS,RemoteAccess
      -    Get-DnsServerForwarder
      -    Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
      -    ipconfig /all
      -    netsh int ipv4 show address
      -    
      - - **Get-Service** displays a status of "Running" for both services.
      - **Get-DnsServerForwarder** either displays no forwarders, or displays a list of forwarders you are required to use so that SRV1 can resolve Internet names.
      - **Resolve-DnsName** displays public IP address results for www.microsoft.com.
      - **ipconfig** displays a primary DNS suffix of contoso.com. The suffix search list contains contoso.com and your corporate domain. Two ethernet adapters are shown: Ethernet adapter "Ethernet" has an IP addresses of 192.168.0.2, subnet mask of 255.255.255.0, no default gateway, and DNS server addresses of 192.168.0.1 and 192.168.0.2. Ethernet adapter "Ethernet 2" has an IP address, subnet mask, and default gateway configured by DHCP on your corporate network.
      - **netsh** displays three interfaces on the computer: interface "Ethernet 2" with DHCP enabled = Yes and IP address assigned by your corporate network, interface "Ethernet" with DHCP enabled = No and IP address of 192.168.0.2, and interface "Loopback Pseudo-Interface 1" with IP address of 127.0.0.1. - -3. On PC1, open an elevated Windows PowerShell prompt and type the following commands: - -
      -    whoami
      -    hostname
      -    nslookup www.microsoft.com
      -    ping -n 1 dc1.contoso.com
      -    tracert www.microsoft.com
      -    
      - - **whoami** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed.
      - **hostname** displays the name of the local computer, for example W7PC-001.
      - **nslookup** displays the DNS server used for the query, and the results of the query. For example, server dc1.contoso.com, address 192.168.0.1, Name e2847.dspb.akamaiedge.net.
      - **ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it cannot be resolved, "..could not find host" will be diplayed and if the target is found and also responds to ICMP, you will see "Reply from" and the IP address of the target.
      - **tracert** displays the path to reach the destination, for example srv1.contoso.com [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination. - - -## Appendix B: Terminology used in this guide - -

        - -

      - - -
      TermDefinition -
      GPTGUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. -
      Hyper-VHyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8. -
      Hyper-V hostThe computer where Hyper-V is installed. -
      Hyper-V ManagerThe user-interface console used to view and configure Hyper-V. -
      MBRMaster Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format. -
      Proof of concept (PoC)Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process. -
      Shadow copyA copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes. -
      Virtual machine (VM)A VM is a virtual computer with its own operating system, running on the Hyper-V host. -
      Virtual switchA virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host. -
      VM snapshotA point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken. -
      - -
      - -## Related Topics - - -[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) - - - - - - - - +--- +title: Configure a test lab to deploy Windows 10 +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +description: Concepts and procedures for deploying Windows 10 in a proof of concept lab environment. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +keywords: deployment, automate, tools, configure, mdt, sccm +ms.localizationpriority: medium +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Step by step guide: Configure a test lab to deploy Windows 10 + +**Applies to** + +- Windows 10 + +This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides: + +- [Step by step: Deploy Windows 10 in a test lab using MDT](windows-10-poc-mdt.md)
      +- [Step by step: Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md)
      + +The PoC deployment guides are intended to provide a demonstration of Windows 10 deployment tools and processes for IT professionals that are not familiar with these tools, and those that are interested in setting up a proof of concept environment. The instructions in this guide should not be used in a production setting, and are not meant to replace the instructions found in production deployment guidance. + +Approximately 3 hours are required to configure the PoC environment. You will need a Hyper-V capable computer running Windows 8.1 or later with at least 16GB of RAM. Detailed [requirements](#hardware-and-software-requirements) are provided below. You will also need to have a [Microsoft account](https://www.microsoft.com/account) to use for downloading evaluation software. + +Windows PowerShell commands are provided to set up the PoC environment quickly. You do not need to be an expert in Windows PowerShell to complete the steps in the guide, however you are required to customize some commands to your environment. + +> Instructions to "type" Windows PowerShell commands provided in this guide can be followed literally by typing the commands, but the preferred method is to copy and paste these commands. +> +> A Windows PowerShell window can be used to run all commands in this guide. However, when commands are specified for a command prompt, you must either type CMD at the Windows PowerShell prompt to enter the command prompt, or preface the command with "cmd /c", or if desired you can escape special characters in the command using the back-tick character (`). In most cases, the simplest thing is to type cmd and enter a command prompt, type the necessary commands, then type "exit" to return to Windows PowerShell. + +Hyper-V is installed, configured and used extensively in this guide. If you are not familiar with Hyper-V, review the [terminology](#appendix-b-terminology-used-in-this-guide) used in this guide before starting. 
+ +## In this guide + +This guide contains instructions for three general procedures: Install Hyper-V, configure Hyper-V, and configure VMs. If you already have a computer running Hyper-V, you can use this computer and skip the first procedure. In this case, your virtual switch settings must be modified to match those used in this guide, or the steps in this guide can be modified to use your existing Hyper-V settings. + +After completing the instructions in this guide, you will have a PoC environment that enables you to test Windows 10 deployment procedures by following instructions in companion guides that are written to use the PoC environment. Links are provided to download trial versions of Windows Server 2012, Windows 10 Enterprise, and all deployment tools necessary to complete the lab. + +Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. + +
      + +
      + + + +
      TopicDescriptionTime
      Hardware and software requirementsPrerequisites to complete this guide.Informational +
      Lab setupA description and diagram of the PoC environment.Informational +
      Configure the PoC environmentParent topic for procedures.Informational +
      Verify support and install Hyper-VVerify that installation of Hyper-V is supported, and install the Hyper-V server role.10 minutes +
      Download VHD and ISO filesDownload evaluation versions of Windows Server 2012 R2 and Windows 10 and prepare these files to be used on the Hyper-V host.30 minutes +
      Convert PC to VMConvert a physical computer on your network to a VM hosted in Hyper-V.30 minutes +
      Resize VHDIncrease the storage capacity for one of the Windows Server VMs.5 minutes +
      Configure Hyper-VCreate virtual switches, determine available RAM for virtual machines, and add virtual machines.15 minutes +
      Configure service and user accountsStart virtual machines and configure all services and settings.60 minutes +
      Configure VMsStart virtual machines and configure all services and settings.60 minutes +
      Appendix A: Verify the configurationVerify and troubleshoot network connectivity and services in the PoC environment.30 minutes +
      Appendix B: Terminology in this guideTerms used in this guide.Informational +
      +
      + +## Hardware and software requirements + +One computer that meets the hardware and software specifications below is required to complete the guide; A second computer is recommended to validate the upgrade process. + +- **Computer 1**: the computer you will use to run Hyper-V and host virtual machines. This computer should have 16 GB or more of installed RAM and a multi-core processor. +- **Computer 2**: a client computer from your corporate network. It is shadow-copied to create a VM that can be added to the PoC environment, enabling you to test a mirror image of a computer on your network. If you do not have a computer to use for this simulation, you can download an evaluation VHD and use it to represent this computer. Subsequent guides use this computer to simulate Windows 10 replace and refresh scenarios, so the VM is required even if you cannot create this VM using computer 2. + +Harware requirements are displayed below: + +
      + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Computer 1 (required)Computer 2 (recommended)
      RoleHyper-V hostClient computer
      DescriptionThis computer will run Hyper-V, the Hyper-V management tools, and the Hyper-V Windows PowerShell module.This computer is a Windows 7 or Windows 8/8.1 client on your corporate network that will be converted to a VM to demonstrate the upgrade process.
      OSWindows 8.1/10 or Windows Server 2012/2012 R2/2016*Windows 7 or a later
      EditionEnterprise, Professional, or EducationAny
      Architecture64-bitAny
      Note: Retaining applications and settings requires that architecture (32 or 64-bit) is the same before and after the upgrade.
      RAM8 GB RAM (16 GB recommended) to test Windows 10 deployment with MDT. +
      16 GB RAM to test Windows 10 deployment with Microsoft Endpoint Configuration Manager.
      Any
      Disk200 GB available hard disk space, any format.Any size, MBR formatted.
      CPUSLAT-Capable CPUAny
      NetworkInternet connectionAny
      + + +\*The Hyper-V server role can also be installed on a computer running Windows Server 2008 R2. However, the Windows PowerShell module for Hyper-V is not available on Windows Server 2008 R2, therefore you cannot use many of the steps provided in this guide to configure Hyper-V. To manage Hyper-V on Windows Server 2008 R2, you can use Hyper-V WMI, or you can use the Hyper-V Manager console. Providing all steps in this guide as Hyper-V WMI or as 2008 R2 Hyper-V Manager procedures is beyond the scope of the guide. +
      +
      The Hyper-V role cannot be installed on Windows 7 or earlier versions of Windows. + +
      + +## Lab setup + +The lab architecture is summarized in the following diagram: + +![PoC](images/poc.png) + +- Computer 1 is configured to host four VMs on a private, PoC network. + - Two VMs are running Windows Server 2012 R2 with required network services and tools installed. + - Two VMs are client systems: One VM is intended to mirror a host on your corporate network (computer 2) and one VM is running Windows 10 Enterprise to demonstrate the hardware replacement scenario. + +>If you have an existing Hyper-V host, you can use this host and skip the Hyper-V installation section in this guide. + +The two Windows Server VMs can be combined into a single VM to conserve RAM and disk space if required. However, instructions in this guide assume two server systems are used. Using two servers enables Active Directory Domain Services and DHCP to be installed on a server that is not directly connected to the corporate network. This mitigates the risk of clients on the corporate network receiving DHCP leases from the PoC network (i.e. "rogue" DHCP), and limits NETBIOS service broadcasts. + +## Configure the PoC environment + +>**Hint**: Before you begin, ensure that Windows PowerShell is pinned to the taskbar for easy access. If the Hyper-V host is running Windows Server then Windows PowerShell is automatically pinned to the taskbar. To pin Windows PowerShell to the taskbar on Windows 8.1 or Windows 10: Click **Start**, type **power**, right click **Windows PowerShell**, and then click **Pin to taskbar**. After Windows PowerShell is pinned to the taskbar, you can open an elevated Windows PowerShell prompt by right-clicking the icon on the taskbar and then clicking **Run as Administrator**. + +### Procedures in this section + +[Verify support and install Hyper-V](#verify-support-and-install-hyper-v)
      +[Download VHD and ISO files](#download-vhd-and-iso-files)
      +[Convert PC to VM](#convert-pc-to-vm)
      +[Resize VHD](#resize-vhd)
      +[Configure Hyper-V](#configure-hyper-v)
      +[Configure VMs](#configure-vms)
      + +### Verify support and install Hyper-V + +Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information. + +1. To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example: + +
      +    C:\>systeminfo
      +
      +    ...
      +    Hyper-V Requirements:      VM Monitor Mode Extensions: Yes
      +                               Virtualization Enabled In Firmware: Yes
      +                               Second Level Address Translation: Yes
      +                               Data Execution Prevention Available: Yes
      +    
      + + In this example, the computer supports SLAT and Hyper-V. + + If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings. + + You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example: + +
      +    C:\>coreinfo -v
      +
      +    Coreinfo v3.31 - Dump information on system CPU and memory topology
      +    Copyright (C) 2008-2014 Mark Russinovich
      +    Sysinternals - www.sysinternals.com
      +
      +    Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
      +    Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
      +    Microcode signature: 0000001B
      +    HYPERVISOR      -       Hypervisor is present
      +    VMX             *       Supports Intel hardware-assisted virtualization
      +    EPT             *       Supports Intel extended page tables (SLAT)
      +    
      + + Note: A 64-bit operating system is required to run Hyper-V. + +2. The Hyper-V feature is not installed by default. To install it, open an elevated Windows PowerShell window and type the following command: + +
      Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V –All
      + + This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command: + +
      Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
      + + When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. After installation is complete, you can open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt. + + >Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below: + + ![hyper-v feature](images/hyper-v-feature.png) + + ![hyper-v](images/svr_mgr2.png) + +

      If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools. + +### Download VHD and ISO files + +When you have completed installation of Hyper-V on the host computer, begin configuration of Hyper-V by downloading VHD and ISO files to the Hyper-V host. These files will be used to create the VMs used in the lab. Before you can download VHD and ISO files, you will need to register and sign in to the [TechNet Evaluation Center](https://www.microsoft.com/evalcenter/) using your Microsoft account. + +1. Create a directory on your Hyper-V host named **C:\VHD** and download a single [Windows Server 2012 R2 VHD](https://www.microsoft.com/evalcenter/evaluate-windows-server-2012-r2) from the TechNet Evaluation Center to the **C:\VHD** directory. + + **Important**: This guide assumes that VHDs are stored in the **C:\VHD** directory on the Hyper-V host. If you use a different directory to store VHDs, you must adjust steps in this guide appropriately. + + After completing registration you will be able to download the 7.47 GB Windows Server 2012 R2 evaluation VHD. An example of the download offering is shown below. + + + +
      VHD
      + +2. Download the file to the **C:\VHD** directory. When the download is complete, rename the VHD file that you downloaded to **2012R2-poc-1.vhd**. This is done to make the filename simple to recognize and type. +3. Copy the VHD to a second file also in the **C:\VHD** directory and name this VHD **2012R2-poc-2.vhd**. +4. Download the [Windows 10 Enterprise ISO](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) from the TechNet Evaluation Center to the **C:\VHD** directory on your Hyper-V host. + + >During registration, you must specify the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version if desired. **Note: The evaluation version of Windows 10 does not support in-place upgrade**. + +5. Rename the ISO file that you downloaded to **w10-enterprise.iso**. Again, this is done so that the filename is simple to type and recognize. After completing registration you will be able to download the 3.63 GB Windows 10 Enterprise evaluation ISO. + +After completing these steps, you will have three files in the **C:\VHD** directory: **2012R2-poc-1.vhd**, **2012R2-poc-2.vhd**, **w10-enterprise.iso**. + +The following displays the procedures described in this section, both before and after downloading files: + +

      +C:>mkdir VHD
      +C:>cd VHD
      +C:\VHD>ren 9600*.vhd 2012R2-poc-1.vhd
      +C:\VHD>copy 2012R2-poc-1.vhd 2012R2-poc-2.vhd
      +   1 file(s) copied.
      +C:\VHD ren *.iso w10-enterprise.iso
      +C:\VHD>dir /B
      +2012R2-poc-1.vhd
      +2012R2-poc-2.vhd
      +w10-enterprise.iso
      +
      + +### Convert PC to VM + +>Important: Do not attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, do not start the VM outside the PoC network. + +
      +If you do not have a PC available to convert to VM, perform the following steps to download an evaluation VM: +
      +
        +
      1. Open the Download virtual machines page. +
      2. Under Virtual machine, choose IE11 on Win7. +
      3. Under Select platform choose HyperV (Windows). +
      4. Click Download .zip. The download is 3.31 GB. +
      5. Extract the zip file. Three directories are created. +
      6. Open the Virtual Hard Disks directory and then copy IE11 - Win7.vhd to the C:\VHD directory. +
      7. Rename IE11 - Win7.vhd to w7.vhd (do not rename the file to w7.vhdx). +
      8. In step 5 of the Configure Hyper-V section, replace the VHD file name w7.vhdx with w7.vhd. +
      +
      + +If you have a PC available to convert to VM (computer 2): + +1. Sign in on computer 2 using an account with Administrator privileges. + +>Important: the account used in this step must have local administrator privileges. You can use a local computer account, or a domain account with administrative rights if domain policy allows the use of cached credentials. After converting the computer to a VM, you must be able to sign in on this VM with administrator rights while the VM is disconnected from the corporate network. + +2. [Determine the VM generation and partition type](#determine-the-vm-generation-and-partition-type) that is required. +3. Based on the VM generation and partition type, perform one of the following procedures: [Prepare a generation 1 VM](#prepare-a-generation-1-vm), [Prepare a generation 2 VM](#prepare-a-generation-2-vm), or [prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk). + +#### Determine the VM generation and partition type + +When creating a VM in Hyper-V, you must specify either generation 1 or generation 2. The following table describes requirements for these two types of VMs. + +
      + + + + + + + + + + + + + + + + + + + + +
      ArchitectureOperating systemPartition style
      Generation 132-bit or 64-bitWindows 7 or laterMBR
      Generation 264-bitWindows 8 or laterMBR or GPT
      + +
      + +If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to a generation 1 VM. Otherwise, it can be converted to a generation 2 VM. + +- To determine the OS and architecture of a PC, type **systeminfo** at a command prompt and review the output next to **OS Name** and **System Type**. +- To determine the partition style, open a Windows PowerShell prompt on the PC and type the following command: + +
      +Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
      +
      + +If the **Type** column does not indicate GPT, then the disk partition format is MBR ("Installable File System" = MBR). In the following example, the disk is GPT: + +
      +PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
      +
      +SystemName                           Caption                                 Type
      +----------                           -------                                 ----
      +USER-PC1                             Disk #0, Partition #0                   GPT: System
      +USER-PC1                             Disk #0, Partition #1                   GPT: Basic Data
      +
      + +On a computer running Windows 8 or later, you can also type **Get-Disk** at a Windows PowerShell prompt to discover the partition style. The default output of this cmdlet displays the partition style for all attached disks. Both commands are displayed below. In this example, the client computer is running Windows 8.1 and uses a GPT style partition format: + +
      +PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
      +
      +SystemName                            Caption                               Type
      +----------                            -------                               ----
      +PC-X1                                 Disk #0, Partition #0                 GPT: Unknown
      +PC-X1                                 Disk #0, Partition #1                 GPT: System
      +PC-X1                                 Disk #0, Partition #2                 GPT: Basic Data
      +PC-X1                                 Disk #0, Partition #3                 GPT: Basic Data
      +PC-X1                                 Disk #0, Partition #4                 GPT: Basic Data
      +
      +PS C:> Get-Disk
      +
      +Number Friendly Name                  OperationalStatus                     Total Size Partition Style
      +------ -------------                  -----------------                     ---------- ---------------
      +0      INTEL SSDSCMMW240A3L           Online                                223.57 GB GPT
      +
      + + + +**Choosing a VM generation** + +The following table displays the Hyper-V VM generation to choose based on the OS, architecture, and partition style. Links to procedures to create the corresponding VMs are included. + +
      + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      OSPartition styleArchitectureVM generationProcedure
      Windows 7MBR321Prepare a generation 1 VM
      641Prepare a generation 1 VM
      GPT32N/AN/A
      641Prepare a generation 1 VM from a GPT disk
      Windows 8 or laterMBR321Prepare a generation 1 VM
      641, 2Prepare a generation 1 VM
      GPT321Prepare a generation 1 VM from a GPT disk
      642Prepare a generation 2 VM
      + +
      + +Notes:
      +
        +
      • If the PC is running Windows 7, it can only be converted and hosted in Hyper-V as a generation 1 VM. This Hyper-V requirement means that if the Windows 7 PC is also using a GPT partition style, the OS disk can be shadow copied, but a new system partition must be created. In this case, see Prepare a generation 1 VM from a GPT disk. +
      • If the PC is running Windows 8 or later and uses the GPT partition style, you can capture the disk image and create a generation 2 VM. To do this, you must temporarily mount the EFI system partition which is accomplished using the mountvol command. In this case, see Prepare a generation 2 VM. +
      • If the PC is using an MBR partition style, you can convert the disk to VHD and use it to create a generation 1 VM. If you use the Disk2VHD tool described in this guide, it is not necessary to mount the MBR system partition, but it is still necessary to capture it. In this case, see Prepare a generation 1 VM. +
      + +#### Prepare a generation 1 VM + +1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert. + + >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. + +2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. +3. Select the checkboxes next to the **C:\\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example. **Important**: You must include the system volume in order to create a bootable VHD. If this volume is not displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation). +4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and click **Create**. See the following example: + + ![disk2vhd](images/disk2vhd.png) + + >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. + +5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (w7.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: + +
      +    C:\vhd>dir /B
      +    2012R2-poc-1.vhd
      +    2012R2-poc-2.vhd
      +    w10-enterprise.iso
      +    w7.VHDX
      +    
      + +#### Prepare a generation 2 VM + +1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert. + + >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. + +2. On the computer you wish to convert, open an elevated command prompt and type the following command: + +
      mountvol s: /s
      + + This command temporarily assigns a drive letter of S to the system volume and mounts it. If the letter S is already assigned to a different volume on the computer, then choose one that is available (ex: mountvol z: /s). + +3. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. +4. Select the checkboxes next to the **C:\\** and the **S:\\** volumes, and clear the **Use Volume Shadow Copy checkbox**. Volume shadow copy will not work if the EFI system partition is selected. + + **Important**: You must include the EFI system partition in order to create a bootable VHD. The Windows RE tools partition (shown below) is not required, but it can also be converted if desired. + +5. Specify a location to save the resulting VHD or VHDX file (F:\VHD\PC1.vhdx in the following example) and click **Create**. See the following example: + + ![disk2vhd](images/disk2vhd-gen2.png) + + >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. + +6. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (PC1.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: + +
      +    C:\vhd>dir /B
      +    2012R2-poc-1.vhd
      +    2012R2-poc-2.vhd
      +    w10-enterprise.iso
      +    PC1.VHDX
      +    
      + +#### Prepare a generation 1 VM from a GPT disk + +1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert. + + >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. + +2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. +3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**. Note: the system volume is not copied in this scenario, it will be added later. +4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and click **Create**. See the following example: + + ![disk2vhd](images/disk2vhd4.png) + + >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. + +5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHD file (w7.vhd) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: + +
      +    C:\vhd>dir /B
      +    2012R2-poc-1.vhd
      +    2012R2-poc-2.vhd
      +    w10-enterprise.iso
      +    w7.VHD
      +    
      + + >In its current state, the w7.VHD file is not bootable. The VHD will be used to create a bootable VM later in the [Configure Hyper-V](#configure-hyper-v) section. + +### Resize VHD + +
      +Enhanced session mode + +**Important**: Before proceeding, verify that you can take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer. + +To ensure that enhanced session mode is enabled on the Hyper-V host, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: + +
      Set-VMhost -EnableEnhancedSessionMode $TRUE
      + +>If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex. + +
      + +The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 100GB to support installing imaging tools and storing OS images. + +1. To add available space for the partition, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + +
      +    Resize-VHD –Path c:\VHD\2012R2-poc-2.vhd –SizeBytes 100GB
      +    $x = (Mount-VHD –Path c:\VHD\2012R2-poc-2.vhd -passthru | Get-Disk | Get-Partition | Get-Volume).DriveLetter
      +    Resize-Partition -DriveLetter $x -Size (Get-PartitionSupportedSize -DriveLetter $x).SizeMax
      +    
      + +2. Verify that the mounted VHD drive is resized to 100 GB, and then dismount the drive: + +
      +    Get-Volume -DriveLetter $x
      +    Dismount-VHD –Path c:\VHD\2012R2-poc-2.vhd
      + +### Configure Hyper-V + +1. Open an elevated Windows PowerShell window and type the following command to create two virtual switches named "poc-internal" and "poc-external": + + >If the Hyper-V host already has an external virtual switch bound to a physical NIC, do not attempt to add a second external virtual switch. Attempting to add a second external switch will result in an error indicating that the NIC is **already bound to the Microsoft Virtual Switch protocol.** In this case, choose one of the following options:
      +    A) Remove the existing external virtual switch, then add the poc-external switch
      +    B) Rename the existing external switch to "poc-external"
      +    C) Replace each instance of "poc-external" used in this guide with the name of your existing external virtual switch
      + If you choose B) or C), then do not run the second command below. + +
      +    New-VMSwitch -Name poc-internal -SwitchType Internal -Notes "PoC Network"
      +    New-VMSwitch -Name poc-external -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name -Notes "PoC External"
      +    
      + + **Note**: The second command above will temporarily interrupt network connectivity on the Hyper-V host. + + >Since an external virtual switch is associated to a physical network adapter on the Hyper-V host, this adapter must be specified when adding the virtual switch. The previous commands automate this by filtering for active non-virtual ethernet adapters using the Get-NetAdapter cmdlet ($_.Status -eq "Up" -and !$_.Virtual). If your Hyper-V host is dual-homed with multiple active ethernet adapters, this automation will not work, and the second command above will fail. In this case, you must edit the command used to add the "poc-external" virtual switch by inserting the appropriate NetAdapterName. The NetAdapterName value corresponds to the name of the network interface you wish to use. For example, if the network interface you use on the Hyper-V host to connect to the Internet is named "Ethernet 2" then type the following command to create an external virtual switch: New-VMSwitch -Name poc-external -NetAdapterName "Ethernet 2" -Notes "PoC External" + +2. At the elevated Windows PowerShell prompt, type the following command to determine the megabytes of RAM that are currently available on the Hyper-V host: + +
      +    (Get-VMHostNumaNode).MemoryAvailable
      +    
      + + This command will display the megabytes of RAM available for VMs. On a Hyper-V host computer with 16 GB of physical RAM installed, 10,000 MB of RAM or greater should be available if the computer is not also running other applications. On a computer with 8 GB of physical RAM installed, at least 4000 MB should be available. If the computer has less RAM available than this, try closing applications to free up more memory. + +3. Determine the available memory for VMs by dividing the available RAM by 4. For example: + +
      +    (Get-VMHostNumaNode).MemoryAvailable/4
      +    2775.5
      +    
      + + In this example, VMs can use a maximum of 2700 MB of RAM each, to run four VMs simultaneously. + +4. At the elevated Windows PowerShell prompt, type the following command to create two new VMs. Other VMs will be added later. + >**Important**: Replace the value of 2700MB for $maxRAM in the first command below with the RAM value that you calculated in the previous step. + +
      +    $maxRAM = 2700MB
      +    New-VM -Name "DC1" -VHDPath c:\vhd\2012R2-poc-1.vhd -SwitchName poc-internal
      +    Set-VMMemory -VMName "DC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
      +    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName DC1
      +    New-VM -Name "SRV1" -VHDPath c:\vhd\2012R2-poc-2.vhd -SwitchName poc-internal
      +    Add-VMNetworkAdapter -VMName "SRV1" -SwitchName "poc-external"
      +    Set-VMMemory -VMName "SRV1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 80
      +    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName SRV1
      +    
      + + **Note**: The RAM values assigned to VMs in this step are not permanent, and can be easily increased or decreased later if needed to address performance issues. + +5. Using the same elevated Windows PowerShell prompt that was used in the previous step, type one of the following sets of commands, depending on the type of VM that was prepared in the [Determine VM generation](#determine-vm-generation) section, either generation 1, generation 2, or generation 1 with GPT. + + To create a generation 1 VM (using c:\vhd\w7.vhdx): + +
      +    New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhdx -SwitchName poc-internal
      +    Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
      +    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
      +    
      + + To create a generation 2 VM (using c:\vhd\PC1.vhdx): + +
      +    New-VM -Name "PC1" -Generation 2 -VHDPath c:\vhd\PC1.vhdx -SwitchName poc-internal
      +    Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
      +    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
      +    
      + + To create a generation 1 VM from a GPT disk (using c:\vhd\w7.vhd): + + >Note: The following procedure is more complex because it includes steps to convert the OS partition from GPT to MBR format. Steps are included to create a temporary VHD and attach it to the VM, the OS image is saved to this drive, the OS drive is then reformatted to MBR, the OS image restored, and the temporary drive is removed. + + First, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to create a temporary VHD that will be used to save the OS image. Do not forget to include a pipe (|) at the end of the first five commands: + +
      +    New-VHD -Path c:\vhd\d.vhd -SizeBytes 1TB |
      +    Mount-VHD -Passthru |
      +    Get-Disk -Number {$_.DiskNumber} |
      +    Initialize-Disk -PartitionStyle MBR -PassThru |
      +    New-Partition -UseMaximumSize |
      +    Format-Volume -Confirm:$false -FileSystem NTFS -force
      +    Dismount-VHD -Path c:\vhd\d.vhd
      +    
      + + Next, create the PC1 VM with two attached VHDs, and boot to DVD ($maxram must be defined previously using the same Windows PowerShell promt): + +
      +    New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhd -SwitchName poc-internal
      +    Add-VMHardDiskDrive -VMName PC1 -Path c:\vhd\d.vhd
      +    Set-VMDvdDrive -VMName PC1 -Path c:\vhd\w10-enterprise.iso
      +    Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
      +    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
      +    Start-VM PC1
      +    vmconnect localhost PC1
      +    
      + + The VM will automatically boot into Windows Setup. In the PC1 window: + + 1. Click **Next**. + 2. Click **Repair your computer**. + 3. Click **Troubleshoot**. + 4. Click **Command Prompt**. + 5. Type the following command to save an image of the OS drive: + +
      +      dism /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C
      +      
      + + 6. Wait for the OS image to complete saving, and then type the following commands to convert the C: drive to MBR: + +
      +      diskpart
      +      select disk 0
      +      clean
      +      convert MBR
      +      create partition primary size=100
      +      format fs=ntfs quick
      +      active
      +      create partition primary
      +      format fs=ntfs quick label=OS
      +      assign letter=c
      +      exit
      +      
      + + 7. Type the following commands to restore the OS image and boot files: + +
      +      dism /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\
      +      bcdboot c:\windows
      +      exit
      +      
      + + 8. Click **Continue** and verify the VM boots successfully (do not boot from DVD). + 9. Click **Ctrl+Alt+Del**, and then in the bottom right corner, click **Shut down**. + 10. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to remove the temporary disks and drives from PC1: + +
      +       Remove-VMHardDiskDrive -VMName PC1 -ControllerType IDE -ControllerNumber 0 -ControllerLocation 1
      +       Set-VMDvdDrive -VMName PC1 -Path $null
      +       
      + +### Configure VMs + +1. At an elevated Windows PowerShell prompt on the Hyper-V host, start the first Windows Server VM and connect to it by typing the following commands: + +
      +    Start-VM DC1
      +    vmconnect localhost DC1
      +    
      + +2. Click **Next** to accept the default settings, read the license terms and click **I accept**, provide an administrator password of pass@word1, and click **Finish**. +3. Click **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account. +4. Right-click **Start**, point to **Shut down or sign out**, and click **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, click **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It is only necessary to do this the first time you sign in to a new VM. +5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway: + +
      +    Rename-Computer DC1
      +    New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.1 –PrefixLength 24 -DefaultGateway 192.168.0.2
      +    Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
      +    
      + + > The default gateway at 192.168.0.2 will be configured later in this guide. + > + > Note: A list of available tasks for an app will be populated the first time you run it on the taskbar. Because these tasks aren't available until the App has been run, you will not see the **Run as Administrator** task until you have left-clicked Windows PowerShell for the first time. In this newly created VM, you will need to left-click Windows PowerShell one time, and then you can right-click and choose Run as Administrator to open an elevated Windows PowerShell prompt. + +6. Install the Active Directory Domain Services role by typing the following command at an elevated Windows PowerShell prompt: + +
      +    Install-WindowsFeature -Name AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools
      +    
      + +7. Before promoting DC1 to a Domain Controller, you must reboot so that the name change in step 3 above takes effect. To restart the computer, type the following command at an elevated Windows PowerShell prompt: + +
      +    Restart-Computer
      +    
      + +8. When DC1 has rebooted, sign in again and open an elevated Windows PowerShell prompt. Now you can promote the server to be a domain controller. The directory services restore mode password must be entered as a secure string. Type the following commands at the elevated Windows PowerShell prompt: + +
      +    $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
      +    Install-ADDSForest -DomainName contoso.com -InstallDns -SafeModeAdministratorPassword $pass -Force
      +    
      + + Ignore any warnings that are displayed. The computer will automatically reboot upon completion. + +9. When the reboot has completed, reconnect to DC1, sign in using the CONTOSO\Administrator account, open an elevated Windows PowerShell prompt, and use the following commands to add a reverse lookup zone for the PoC network, add the DHCP Server role, authorize DHCP in Active Directory, and suppress the post-DHCP-install alert: + +
      +    Add-DnsServerPrimaryZone -NetworkID "192.168.0.0/24" -ReplicationScope Forest
      +    Add-WindowsFeature -Name DHCP -IncludeManagementTools
      +    netsh dhcp add securitygroups
      +    Restart-Service DHCPServer
      +    Add-DhcpServerInDC  dc1.contoso.com  192.168.0.1
      +    Set-ItemProperty –Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 –Name ConfigurationState –Value 2
      +    
      + +10. Next, add a DHCP scope and set option values: + +
      +    Add-DhcpServerv4Scope -Name "PoC Scope" -StartRange 192.168.0.100 -EndRange 192.168.0.199 -SubnetMask 255.255.255.0 -Description "Windows 10 PoC" -State Active
      +    Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -DnsDomain contoso.com -Router 192.168.0.2 -DnsServer 192.168.0.1,192.168.0.2 -Force
      +    
      + + >The -Force option is necessary when adding scope options to skip validation of 192.168.0.2 as a DNS server because we have not configured it yet. The scope should immediately begin issuing leases on the PoC network. The first DHCP lease that will be issued is to vEthernet interface on the Hyper-V host, which is a member of the internal network. You can verify this by using the command: Get-DhcpServerv4Lease -ScopeId 192.168.0.0. + +11. The DNS server role will also be installed on the member server, SRV1, at 192.168.0.2 so that we can forward DNS queries from DC1 to SRV1 to resolve Internet names without having to configure a forwarder outside the PoC network. Since the IP address of SRV1 already exists on DC1's network adapter, it will be automatically added during the DCPROMO process. To verify this server-level DNS forwarder on DC1, type the following command at an elevated Windows PowerShell prompt on DC1: + +
      +    Get-DnsServerForwarder
      +    
      + + The following output should be displayed: + +
      +    UseRootHint        : True
      +    Timeout(s)         : 3
      +    EnableReordering   : True
      +    IPAddress          : 192.168.0.2
      +    ReorderedIPAddress : 192.168.0.2
      +    
      + + If this output is not displayed, you can use the following command to add SRV1 as a forwarder: + +
      +    Add-DnsServerForwarder -IPAddress 192.168.0.2
      +    
      + + **Configure service and user accounts** + + Windows 10 deployment with MDT and Microsoft Endpoint Configuration Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire. + + >To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + + On DC1, open an elevated Windows PowerShell prompt and type the following commands: + +
      +    New-ADUser -Name User1 -UserPrincipalName user1 -Description "User account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
      +    New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
      +    New-ADUser -Name CM_JD -UserPrincipalName CM_JD -Description "Configuration Manager Join Domain Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
      +    New-ADUser -Name CM_NAA -UserPrincipalName CM_NAA -Description "Configuration Manager Network Access Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
      +    Add-ADGroupMember "Domain Admins" MDT_BA,CM_JD,CM_NAA
      +    Set-ADUser -Identity user1 -PasswordNeverExpires $true
      +    Set-ADUser -Identity administrator -PasswordNeverExpires $true
      +    Set-ADUser -Identity MDT_BA -PasswordNeverExpires $true
      +    Set-ADUser -Identity CM_JD -PasswordNeverExpires $true
      +    Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true
      +    
      + +12. Minimize the DC1 VM window but **do not stop** the VM. + + Next, the client VM will be started and joined to the contoso.com domain. This is done before adding a gateway to the PoC network so that there is no danger of duplicate DNS registrations for the physical client and its cloned VM in the corporate domain. + +13. If the PC1 VM is not started yet, using an elevated Windows PowerShell prompt on the Hyper-V host, start the client VM (PC1), and connect to it: + +
      +    Start-VM PC1
      +    vmconnect localhost PC1
      +    
      + +14. Sign in to PC1 using an account that has local administrator rights. + + >PC1 will be disconnected from its current domain, so you cannot use a domain account to sign on unless these credentials are cached and the use of cached credentials is permitted by Group Policy. If cached credentials are available and permitted, you can use these credentials to sign in. Otherwise, use an existing local administrator account. + +15. After signing in, the operating system detects that it is running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you will be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. You can monitor device driver installation by clicking **Show hidden icons** in the notification area. + + ![PoC](images/installing-drivers.png) + + >If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease. + +16. When the new network adapter driver has completed installation, you will receive an alert to set a network location for the contoso.com network. Select **Work network** and then click **Close**. When you receive an alert that a restart is required, click **Restart Later**. + +17. Open an elevated Windows PowerShell prompt on PC1 and verify that the client VM has received a DHCP lease and can communicate with the consoto.com domain controller. + + To open Windows PowerShell on Windows 7, click **Start**, and search for "**power**." Right-click **Windows PowerShell** and then click **Pin to Taskbar** so that it is simpler to use Windows Powershell during this lab. Click **Windows PowerShell** on the taskbar, and then type **ipconfig** at the prompt to see the client's current IP address. 
Also type **ping dc1.contoso.com** and **nltest /dsgetdc:contoso.com** to verify that it can reach the domain controller. See the following examples of a successful network connection: + + ``` + ipconfig + + Windows IP Configuration + + Ethernet adapter Local Area Connection 3: + Connection-specific DNS Suffix . : contoso.com + Link-local IPv6 Address . . . . . : fe80::64c2:4d2a:7403:6e02%18 + Ipv4 Address. . . . . . . . . . . : 192.168.0.101 + Subnet Mask . . . . . . . . . . . : 255.255.255.0 + Default Gateway . . . . . . . . . : 192.168.0.2 + + ping dc1.contoso.com + + Pinging dc1.contoso.com [192.168.0.1] with 32 bytes of data: + Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 + Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 + Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 + Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 + + nltest /dsgetdc:contoso.com + DC: \\DC1 + Address: \\192.168.0.1 + Dom Guid: fdbd0643-d664-411b-aea0-fe343d7670a8 + Dom Name: CONTOSO + Forest Name: contoso.com + Dc Site Name: Default-First-Site-Name + Our Site Name: Default-First-Site-Name + Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET WS 0xC000 + ``` + + >If PC1 is running Windows 7, enhanced session mode might not be available, which means that you cannot copy and paste commands from the Hyper-V host to a Windows PowerShell prompt on PC1. However, it is possible to use integration services to copy a file from the Hyper-V host to a VM. The next procedure demonstrates this. If the Copy-VMFile command fails, then type the commands below at an elevated Windows PowerShell prompt on PC1 instead of saving them to a script to run remotely. If PC1 is running Windows 8 or a later operating system, you can use enhanced session mode to copy and paste these commands instead of typing them. + +18. Minimize the PC1 window and switch to the Hyper-V host computer. 
Open an elevated Windows PowerShell ISE window on the Hyper-V host (right-click Windows PowerShell and then click **Run ISE as Administrator**) and type the following commands in the (upper) script editor pane: + +
      +    (Get-WmiObject Win32_ComputerSystem).UnjoinDomainOrWorkgroup($null,$null,0)
      +    $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
      +    $user = "contoso\administrator"
      +    $cred = New-Object System.Management.Automation.PSCredential($user,$pass)
      +    Add-Computer -DomainName contoso.com -Credential $cred
      +    Restart-Computer
      +    
      + + >If you do not see the script pane, click **View** and verify **Show Script Pane Top** is enabled. Click **File** and then click **New**. + + See the following example: + + ![ISE](images/ISE.png) + +19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host. +20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1: + +
      +    Enable-VMIntegrationService -VMName PC1 -Name "Guest Service Interface"
      +    Copy-VMFile "PC1" –SourcePath "C:\VHD\pc1.ps1"  –DestinationPath "C:\pc1.ps1" –CreateFullPath –FileSource Host
      +    
      + + >In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service. + + If the copy-vmfile command does not work and you cannot properly enable or upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration of automation methods that can be used in a Hyper-V environment when enhanced session mode is not available. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file. + +21. On PC1, type the following commands at an elevated Windows PowerShell prompt: + +
      +    Get-Content c:\pc1.ps1 | powershell.exe -noprofile -
      +    
      + + >The commands in this script might take a few moments to complete. If an error is displayed, check that you typed the command correctly, paying close attention to spaces. PC1 is removed from its domain in this step while not connected to the corporate network so as to ensure the computer object in the corporate domain is unaffected. PC1 is also not renamed to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer. + +22. Upon completion of the script, PC1 will automatically restart. When it has restarted, sign in to the contoso.com domain using the **Switch User** option, with the **user1** account you created in step 11 of this section. + >**Important**: The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all user accounts, or only other specified accounts. If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing. +23. Minimize the PC1 window but do not turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services. +24. On the Hyper-V host computer, at an elevated Windows PowerShell prompt, type the following commands: + +
      +    Start-VM SRV1
      +    vmconnect localhost SRV1
      +    
      + +25. Accept the default settings, read license terms and accept them, provide an administrator password of pass@word1, and click **Finish**. When you are prompted about finding PCs, devices, and content on the network, click **Yes**. +26. Sign in to SRV1 using the local administrator account. In the same way that was done on DC1, sign out of SRV1 and then sign in again to enable enhanced session mode. This will enable you to copy and paste Windows PowerShell commands from the Hyper-V host to the VM. +27. Open an elevated Windows PowerShell prompt on SRV1 and type the following commands: + +
      +    Rename-Computer SRV1
      +    New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.2 –PrefixLength 24
      +    Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
      +    Restart-Computer
      +    
      + + >[!IMPORTANT] + >Verify that you are configuring the correct interface in this step. The commands in this step assume that the poc-internal interface on SRV1 is named "Ethernet." If you are unsure how to check the interface, see step #30 below for instructions and tips on how to verify and modify the interface name. + +28. Wait for the computer to restart, sign in again, then type the following commands at an elevated Windows PowerShell prompt: + +
      +    $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
      +    $user = "contoso\administrator"
      +    $cred = New-Object System.Management.Automation.PSCredential($user,$pass)
      +    Add-Computer -DomainName contoso.com -Credential $cred
      +    Restart-Computer
      +    
      + +29. Sign in to the contoso.com domain on SRV1 using the domain administrator account (enter contoso\administrator as the user), open an elevated Windows PowerShell prompt, and type the following commands: + +
      +    Install-WindowsFeature -Name DNS -IncludeManagementTools
      +    Install-WindowsFeature -Name WDS -IncludeManagementTools
      +    Install-WindowsFeature -Name Routing -IncludeManagementTools
      +    
      + +30. Before configuring the routing service that was just installed, verify that network interfaces were added to SRV1 in the right order, resulting in an interface alias of "Ethernet" for the private interface, and an interface alias of "Ethernet 2" for the public interface. Also verify that the external interface has a valid external DHCP IP address lease. + + To view a list of interfaces, associated interface aliases, and IP addresses on SRV1, type the following Windows PowerShell command. Example output of the command is also shown below: + +
      +    Get-NetAdapter | ? status -eq ‘up’ | Get-NetIPAddress -AddressFamily IPv4 | ft IPAddress, InterfaceAlias
      +
      +    IPAddress                                                                  InterfaceAlias
      +    ---------                                                                  --------------
      +    10.137.130.118                                                             Ethernet 2
      +    192.168.0.2                                                                Ethernet
      +    
      + + In this example, the poc-internal network interface at 192.168.0.2 is associated with the "Ethernet" interface and the Internet-facing poc-external interface is associated with the "Ethernet 2" interface. If your interfaces are different, you must adjust the commands provided in the next step appropriately to configure routing services. Also note that if the "Ethernet 2" interface has an IP address in the 192.168.0.100-105 range then it likely is getting a DHCP lease from DC1 instead of your corporate network. If this is the case, you can try removing and re-adding the second network interface from the SRV1 VM through its Hyper-V settings. + + >[!TIP] + >Sometimes a computer will have hidden, disconnected interfaces that prevent you from naming a network adapter. When you attempt to rename an adapter, you will receive an error that the adapter name already exists. These disconnected devices can be viewed in device manager by clicking **View** and then clicking **Show hidden devices**. The disconnected device can then be uninstalled, enabling you to reuse the adapter name. + + +31. To configure SRV1 with routing capability for the PoC network, type or paste the following commands at an elevated Windows PowerShell prompt on SRV1: + +
      +    Install-RemoteAccess -VpnType Vpn
      +    cmd /c netsh routing ip nat install
      +    cmd /c netsh routing ip nat add interface name="Ethernet 2" mode=FULL
      +    cmd /c netsh routing ip nat add interface name="Ethernet" mode=PRIVATE
      +    cmd /c netsh routing ip nat add interface name="Internal" mode=PRIVATE
      +    
      + +32. The DNS service on SRV1 also needs to resolve hosts in the contoso.com domain. This can be accomplished with a conditional forwarder. Open an elevated Windows PowerShell prompt on SRV1 and type the following command: + +
      +    Add-DnsServerConditionalForwarderZone -Name contoso.com -MasterServers 192.168.0.1
      +    
      + +33. In most cases, this completes configuration of the PoC network. However, if your corporate network has a firewall that filters queries from local DNS servers, you will also need to configure a server-level DNS forwarder on SRV1 to resolve Internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the Internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example: + +
      +    ping www.microsoft.com
      +    
      + + If you see "Ping request could not find host www.microsoft.com" on PC1 and DC1, but not on SRV1, then you will need to configure a server-level DNS forwarder on SRV1. To do this, open an elevated Windows PowerShell prompt on SRV1 and type the following command. + + **Note**: This command also assumes that "Ethernet 2" is the external-facing network adapter on SRV1. If the external adapter has a different name, replace "Ethernet 2" in the command below with that name: + +
      +    Add-DnsServerForwarder -IPAddress (Get-DnsClientServerAddress -InterfaceAlias "Ethernet 2").ServerAddresses
      +    
      + +34. If DNS and routing are both working correctly, you will see the following on DC1 and PC1 (the IP address might be different, but that is OK): + +
      +    PS C:\> ping www.microsoft.com
      +
      +    Pinging e2847.dspb.akamaiedge.net [23.222.146.170] with 32 bytes of data:
      +    Reply from 23.222.146.170: bytes=32 time=3ms TTL=51
      +    Reply from 23.222.146.170: bytes=32 time=2ms TTL=51
      +    Reply from 23.222.146.170: bytes=32 time=2ms TTL=51
      +    Reply from 23.222.146.170: bytes=32 time=1ms TTL=51
      +
      +    Ping statistics for 23.222.146.170:
      +        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
      +    Approximate round trip times in milli-seconds:
      +        Minimum = 1ms, Maximum = 3ms, Average = 2ms
      +    
      + +35. Verify that all three VMs can reach each other, and the Internet. See [Appendix A: Verify the configuration](#appendix-a-verify-the-configuration) for more information. +36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in 3 days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1: + +
      +    runas /noprofile /env /user:administrator@contoso.com "cmd /c slmgr -rearm"
      +    Restart-Computer
      +    
      + +This completes configuration of the starting PoC environment. Additional services and tools are installed in subsequent guides. + +## Appendix A: Verify the configuration + +Use the following procedures to verify that the PoC environment is configured properly and working as expected. + +1. On DC1, open an elevated Windows PowerShell prompt and type the following commands: + +
      +    Get-Service NTDS,DNS,DHCP
      +    DCDiag -a
      +    Get-DnsServerResourceRecord -ZoneName contoso.com -RRType A
      +    Get-DnsServerForwarder
      +    Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
      +    Get-DhcpServerInDC
      +    Get-DhcpServerv4Statistics
      +    ipconfig /all
      +    
      + + **Get-Service** displays a status of "Running" for all three services.
      + **DCDiag** displays "passed test" for all tests.
      + **Get-DnsServerResourceRecord** displays the correct DNS address records for DC1, SRV1, and the computername of PC1. Additional address records for the zone apex (@), DomainDnsZones, and ForestDnsZones will also be registered.
      + **Get-DnsServerForwarder** displays a single forwarder of 192.168.0.2.
      + **Resolve-DnsName** displays public IP address results for www.microsoft.com.
      + **Get-DhcpServerInDC** displays 192.168.0.1, dc1.contoso.com.
      + **Get-DhcpServerv4Statistics** displays 1 scope with 2 addresses in use (these belong to PC1 and the Hyper-V host).
      + **ipconfig** displays a primary DNS suffix and suffix search list of contoso.com, IP address of 192.168.0.1, subnet mask of 255.255.255.0, default gateway of 192.168.0.2, and DNS server addresses of 192.168.0.1 and 192.168.0.2. + +2. On SRV1, open an elevated Windows PowerShell prompt and type the following commands: + +
      +    Get-Service DNS,RemoteAccess
      +    Get-DnsServerForwarder
      +    Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
      +    ipconfig /all
      +    netsh int ipv4 show address
      +    
      + + **Get-Service** displays a status of "Running" for both services.
      + **Get-DnsServerForwarder** either displays no forwarders, or displays a list of forwarders you are required to use so that SRV1 can resolve Internet names.
      + **Resolve-DnsName** displays public IP address results for www.microsoft.com.
      + **ipconfig** displays a primary DNS suffix of contoso.com. The suffix search list contains contoso.com and your corporate domain. Two ethernet adapters are shown: Ethernet adapter "Ethernet" has an IP addresses of 192.168.0.2, subnet mask of 255.255.255.0, no default gateway, and DNS server addresses of 192.168.0.1 and 192.168.0.2. Ethernet adapter "Ethernet 2" has an IP address, subnet mask, and default gateway configured by DHCP on your corporate network.
      + **netsh** displays three interfaces on the computer: interface "Ethernet 2" with DHCP enabled = Yes and IP address assigned by your corporate network, interface "Ethernet" with DHCP enabled = No and IP address of 192.168.0.2, and interface "Loopback Pseudo-Interface 1" with IP address of 127.0.0.1. + +3. On PC1, open an elevated Windows PowerShell prompt and type the following commands: + +
      +    whoami
      +    hostname
      +    nslookup www.microsoft.com
      +    ping -n 1 dc1.contoso.com
      +    tracert www.microsoft.com
      +    
      + + **whoami** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed.
      + **hostname** displays the name of the local computer, for example W7PC-001.
      + **nslookup** displays the DNS server used for the query, and the results of the query. For example, server dc1.contoso.com, address 192.168.0.1, Name e2847.dspb.akamaiedge.net.
      + **ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it cannot be resolved, "..could not find host" will be diplayed and if the target is found and also responds to ICMP, you will see "Reply from" and the IP address of the target.
      + **tracert** displays the path to reach the destination, for example srv1.contoso.com [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination. + + +## Appendix B: Terminology used in this guide + +

        + +

      + + +
      TermDefinition +
      GPTGUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. +
      Hyper-VHyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8. +
      Hyper-V hostThe computer where Hyper-V is installed. +
      Hyper-V ManagerThe user-interface console used to view and configure Hyper-V. +
      MBRMaster Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format. +
      Proof of concept (PoC)Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process. +
      Shadow copyA copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes. +
      Virtual machine (VM)A VM is a virtual computer with its own operating system, running on the Hyper-V host. +
      Virtual switchA virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host. +
      VM snapshotA point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken. +
      + +
      + +## Related Topics + + +[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) + + + + + + + + diff --git a/windows/deployment/windows-autopilot/add-devices.md b/windows/deployment/windows-autopilot/add-devices.md index 096ebe1151..79467873cf 100644 --- a/windows/deployment/windows-autopilot/add-devices.md +++ b/windows/deployment/windows-autopilot/add-devices.md 
@@ -59,9 +59,9 @@ The hardware ID, also commonly referred to as a hardware hash, contains several Note that the hardware hash also contains details about when it was generated, so it will change each time it is generated. When the Windows Autopilot deployment service attempts to match a device, it considers changes like that, as well as more substantial changes such as a new hard drive, and is still able to match successfully. But substantial changes to the hardware, such as a motherboard replacement, would not match, so a new hash would need to be generated and uploaded. -### Collecting the hardware ID from existing devices using System Center Configuration Manager +### Collecting the hardware ID from existing devices using Microsoft Endpoint Configuration Manager -Starting with System Center Configuration Manager current branch version 1802, the hardware hashes for existing Windows 10 version 1703 and higher devices are automatically collected by Configuration Manager. See the [What’s new in version 1802](https://docs.microsoft.com/sccm/core/plan-design/changes/whats-new-in-version-1802#report-on-windows-autopilot-device-information) documentation for more details. The hash information can be extracted from Configuration Manager into a CSV file. +Starting with Microsoft Endpoint Configuration Manager current branch version 1802, the hardware hashes for existing Windows 10 version 1703 and higher devices are automatically collected by Configuration Manager. See the [What’s new in version 1802](https://docs.microsoft.com/sccm/core/plan-design/changes/whats-new-in-version-1802#report-on-windows-autopilot-device-information) documentation for more details. The hash information can be extracted from Configuration Manager into a CSV file. ### Collecting the hardware ID from existing devices using PowerShell diff --git a/windows/deployment/windows-autopilot/autopilot-faq.md b/windows/deployment/windows-autopilot/autopilot-faq.md index e2ac992f75..ec6615c435 100644 
--- a/windows/deployment/windows-autopilot/autopilot-faq.md +++ b/windows/deployment/windows-autopilot/autopilot-faq.md 
@@ -111,8 +111,8 @@ A [glossary](#glossary) of abbreviations used in this article is provided at the | --- | --- | | Must we use Intune for our MDM? | No, any MDM will work with Autopilot, but others probably won’t have the same full suite of Windows Autopilot features as Intune. You’ll get the best experience from Intune. | | Can Intune support Win32 app preinstalls? | Yes. Starting with the Windows 10 October Update (version 1809), Intune supports Win32 apps using .msi (and .msix) wrappers. | -| What is co-management? | Co-management is when you use a combination of a cloud MDM tool (Intune) and an on-premises configuration tool like System Center Configuration Manager (SCCM). You only need to use SCCM if Intune can’t support what you want to do with your profile. If you choose to co-manage using Intune + SCCM, you do it by including an SCCM agent in your Intune profile. When that profile is pushed to the device, the device will see the SCCM agent and go out to SCCM to pull down any additional profile settings. | -| Must we use SCCM for Windows Autopilot | No. Co-management (described above) is optional. | +| What is co-management? | Co-management is when you use a combination of a cloud MDM tool (Intune) and an on-premises configuration tool like Microsoft Endpoint Configuration Manager. You only need to use the Configuration Manager if Intune can’t support what you want to do with your profile. If you choose to co-manage using Intune + Configuration Manager, you do it by including a Configuration Manager agent in your Intune profile. When that profile is pushed to the device, the device will see the Configuration Manager agent and go out to the Configuration Manager to pull down any additional profile settings. | +| Must we use Microsoft Endpoint Configuration Manager for Windows Autopilot | No. Co-management (described above) is optional. | ## Features 
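Review bot: The rewritten co-management answer uses "the Configuration Manager" as if it were a common noun ("You only need to use the Configuration Manager if Intune can't support ...", "go out to the Configuration Manager to pull down ..."), while the same cell also writes "Intune + Configuration Manager" with no article. The product name takes no article, so drop "the" in both places to keep the row consistent. The following row's question, "Must we use Microsoft Endpoint Configuration Manager for Windows Autopilot", is still missing its question mark; since the line is being rewritten anyway, it can be fixed in this change.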
diff --git a/windows/deployment/windows-autopilot/deployment-process.md b/windows/deployment/windows-autopilot/deployment-process.md index 3a8781ce86..5959c898e3 100644 --- a/windows/deployment/windows-autopilot/deployment-process.md +++ b/windows/deployment/windows-autopilot/deployment-process.md @@ -1,6 +1,6 @@ --- title: Windows 10 deployment process posters -description: View and download Windows 10 deployment process flows for System Center Configuration Manager and Windows Autopilot. +description: View and download Windows 10 deployment process flows for Microsoft Endpoint Configuration Manager and Windows Autopilot. ms.reviewer: manager: laurawi ms.audience: itpro @@ -24,4 +24,4 @@ Windows Autopilot deployment processes are summarized in the poster below. The p [![Deploy Windows 10 with Autopilot](../media/windows10-autopilot-flowchart.png)](../media/Windows10AutopilotFlowchart.pdf) -**Note**: The Windows Autopilot for existing devices process is included in the [System Center Configuration Manager deployment poster](../windows-10-deployment-posters.md#deploy-windows-10-with-system-center-configuration-manager). \ No newline at end of file +**Note**: The Windows Autopilot for existing devices process is included in the [Microsoft Endpoint Configuration Manager deployment poster](../windows-10-deployment-posters.md#deploy-windows-10-with-system-center-configuration-manager). \ No newline at end of file diff --git a/windows/deployment/windows-autopilot/existing-devices.md b/windows/deployment/windows-autopilot/existing-devices.md index 9f4cdcfc25..0ff41a1fac 100644 --- a/windows/deployment/windows-autopilot/existing-devices.md +++ b/windows/deployment/windows-autopilot/existing-devices.md 
@@ -29,7 +29,7 @@ This topic describes how to convert Windows 7 or Windows 8.1 domain-joined compu ## Prerequisites -- System Center Configuration Manager Current Branch (1806) OR System Center Configuration Manager Technical Preview (1808) +- Microsoft Endpoint Configuration Manager Current Branch (1806) OR Microsoft Endpoint Configuration Manager Technical Preview (1808) - The [Windows ADK](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) 1803 or later - Note: Config Mgr 1806 or later is required to [support](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10#windows-10-adk) the Windows ADK 1809. - Assigned Microsoft Intune Licenses diff --git a/windows/deployment/windows-autopilot/windows-autopilot.md b/windows/deployment/windows-autopilot/windows-autopilot.md index 7079e66d14..9965c972ae 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot.md +++ b/windows/deployment/windows-autopilot/windows-autopilot.md 
@@ -31,7 +31,7 @@ Windows Autopilot is designed to simplify all parts of the lifecycle of Windows When initially deploying new Windows devices, Windows Autopilot leverages the OEM-optimized version of Windows 10 that is preinstalled on the device, saving organizations the effort of having to maintain custom images and drivers for every model of device being used. Instead of re-imaging the device, your existing Windows 10 installation can be transformed into a “business-ready” state, applying settings and policies, installing apps, and even changing the edition of Windows 10 being used (e.g. from Windows 10 Pro to Windows 10 Enterprise) to support advanced features. -Once deployed, Windows 10 devices can be managed by tools such as Microsoft Intune, Windows Update for Business, System Center Configuration Manager, and other similar tools. Windows Autopilot can also be used to re-purpose a device by leveraging Windows Autopilot Reset to quickly prepare a device for a new user, or in break/fix scenarios to enable a device to quickly be brought back to a business-ready state. +Once deployed, Windows 10 devices can be managed by tools such as Microsoft Intune, Windows Update for Business, Microsoft Endpoint Configuration Manager, and other similar tools. Windows Autopilot can also be used to re-purpose a device by leveraging Windows Autopilot Reset to quickly prepare a device for a new user, or in break/fix scenarios to enable a device to quickly be brought back to a business-ready state. Windows Autopilot enables you to: * Automatically join devices to Azure Active Directory (Azure AD) or Active Directory (via Hybrid Azure AD Join). See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. 
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 555eb005b1..be242459bd 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -1322,7 +1322,7 @@ The following fields are available: - **IsEDPEnabled** Represents if Enterprise data protected on the device. - **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. - **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID -- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise System Center Configuration Manager (SCCM) environment. +- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise Microsoft Endpoint Configuration Manager environment. - **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. - **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier. 
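Review bot: The unchanged SystemCenterID line directly under the edited SCCMClientId entry still reads "The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier", so after this hunk the list describes the same product by two names in adjacent entries. Either update that description as well, or say once in this list that "SCCM" in the field names refers to Configuration Manager. The edited line also carries over "This ID correlate systems"; "correlates" would fix the grammar while the line is being touched.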
@@ -3025,7 +3025,7 @@ The following fields are available: - **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin. - **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled. - **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. -- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager). +- **RemediationShellDeviceSccm** TRUE if the device is managed by Microsoft Endpoint Configuration Manager. - **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely. - **RemediationTargetMachine** Indicates whether the device is a target of the specified fix. - **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 1cecae9cf2..6e6d0dcf38 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md 
@@ -3212,7 +3212,7 @@ The following fields are available: - **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin. - **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled. - **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. -- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager). +- **RemediationShellDeviceSccm** TRUE if the device is managed by Microsoft Endpoint Configuration Manager. - **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely. - **RemediationTargetMachine** Indicates whether the device is a target of the specified fix. - **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 94306ce392..0ae8c27e36 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md 
@@ -4302,7 +4302,7 @@ The following fields are available: - **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin. - **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled. - **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. -- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager). +- **RemediationShellDeviceSccm** TRUE if the device is managed by Microsoft Endpoint Configuration Manager. - **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely. - **RemediationTargetMachine** Indicates whether the device is a target of the specified fix. - **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 65bf5e307f..012c377306 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md 
@@ -2914,7 +2914,7 @@ The following fields are available: - **IsDeviceNetworkMetered** Indicates whether the device is connected to a metered network. - **IsDeviceOobeBlocked** Indicates whether user approval is required to install updates on the device. - **IsDeviceRequireUpdateApproval** Indicates whether user approval is required to install updates on the device. -- **IsDeviceSccmManaged** Indicates whether the device is running the Microsoft SCCM (System Center Configuration Manager) to keep the operating system and applications up to date. +- **IsDeviceSccmManaged** Indicates whether the device is running the Microsoft Endpoint Configuration Manager) to keep the operating system and applications up to date. - **IsDeviceUninstallActive** Indicates whether the OS (operating system) on the device was recently updated. - **IsDeviceUpdateNotificationLevel** Indicates whether the device has a set policy to control update notifications. - **IsDeviceUpdateServiceManaged** Indicates whether the device uses WSUS (Windows Server Update Services). @@ -4950,7 +4950,7 @@ The following fields are available: - **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. - **RemediationShellDeviceProSku** Indicates whether a Windows 10 Professional edition is detected. - **RemediationShellDeviceQualityUpdatesPaused** Indicates whether Quality Updates are paused on the device. -- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager). +- **RemediationShellDeviceSccm** TRUE if the device is managed by Microsoft Endpoint Configuration Manager. - **RemediationShellDeviceSedimentMutexInUse** Indicates whether the Sediment Pack mutual exclusion object (mutex) is in use. - **RemediationShellDeviceSetupMutexInUse** Indicates whether device setup is in progress. - **RemediationShellDeviceWuRegistryBlocked** Indicates whether the Windows Update is blocked on the device via the registry. 
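Review bot: In the 1809 file's hunk at -2914, the new IsDeviceSccmManaged line keeps the closing parenthesis from the removed "(System Center Configuration Manager)" and now reads "is running the Microsoft Endpoint Configuration Manager) to keep the operating system and applications up to date". Drop the stray ")" and the article so it reads "is running Microsoft Endpoint Configuration Manager to keep the operating system and applications up to date". The RemediationShellDeviceSccm replacements in the neighbouring hunks do not have this problem.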
From 82368a8c5ce1e05048bba3345281bd326f02bf05 Mon Sep 17 00:00:00 2001 From: LauraKellerGitHub Date: Sat, 18 Jan 2020 07:05:10 -0800 Subject: [PATCH 02/14] changed sccm to configmgr in docs path --- windows/deployment/update/wufb-autoupdate.md | 2 +- windows/deployment/upgrade/upgrade-readiness-get-started.md | 2 +- .../deployment/upgrade/upgrade-readiness-requirements.md | 2 +- windows/deployment/windows-autopilot/add-devices.md | 2 +- windows/deployment/windows-autopilot/existing-devices.md | 6 +++--- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/deployment/update/wufb-autoupdate.md b/windows/deployment/update/wufb-autoupdate.md index f4d794c2b8..ac584017e2 100644 --- a/windows/deployment/update/wufb-autoupdate.md +++ b/windows/deployment/update/wufb-autoupdate.md 
@@ -25,7 +25,7 @@ Automatic Update governs the "behind the scenes" download and installation proce |Policy|Description | |-|-| -|Configure Automatic Updates|Governs the installation activity that happens in the background. This allows you to configure the installation to happen during the [maintenance window](https://docs.microsoft.com/sccm/core/clients/manage/collections/use-maintenance-windows). Also, you can specify an installation time where the device will also try to install the latest packages. You can also pick a certain day and or week.| +|Configure Automatic Updates|Governs the installation activity that happens in the background. This allows you to configure the installation to happen during the [maintenance window](https://docs.microsoft.com/configmgr/core/clients/manage/collections/use-maintenance-windows). Also, you can specify an installation time where the device will also try to install the latest packages. You can also pick a certain day and or week.| |Automatic Update Detection Frequency|Lets you set the scan frequency the device will use to connect to Windows Update to see if there is any available content. Default is 22 hours, but you can increase or decrease the frequency. Keep in mind a desktop computer may need to scan less frequently than laptops, which can have intermittent internet connection.| |Specify Intranet Microsoft Update Service Location|Used for Windows Server Update Services or Microsoft Endpoint Configuration Manager users who want to install custom packages that are not offered through Windows Update.| |Do not connect to any Windows Update Internet locations
      Required for Dual Scan|Prevents access to Windows Update.| diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md index ea1383f381..ac367ac459 100644 --- a/windows/deployment/upgrade/upgrade-readiness-get-started.md +++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md @@ -29,7 +29,7 @@ Before you begin, consider reviewing the following helpful information:
      - [Upgrade Readiness requirements](upgrade-readiness-requirements.md): Provides detailed requirements to use Upgrade Readiness.
      - [Upgrade Readiness blog](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/bg-p/WindowsAnalyticsBlog): Contains announcements of new features and provides helpful tips for using Upgrade Readiness. ->If you are using Microsoft Endpoint Configuration Manager, also check out information about how to integrate Upgrade Readiness with Configuration Manager: [Integrate Upgrade Readiness with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics). +>If you are using Microsoft Endpoint Configuration Manager, also check out information about how to integrate Upgrade Readiness with Configuration Manager: [Integrate Upgrade Readiness with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/clients/manage/upgrade/upgrade-analytics). When you are ready to begin using Upgrade Readiness, perform the following steps: diff --git a/windows/deployment/upgrade/upgrade-readiness-requirements.md b/windows/deployment/upgrade/upgrade-readiness-requirements.md index 63790211b8..182b05e075 100644 --- a/windows/deployment/upgrade/upgrade-readiness-requirements.md +++ b/windows/deployment/upgrade/upgrade-readiness-requirements.md @@ -57,7 +57,7 @@ If you are not using Azure Portal or Azure Log Analytics, go to [Log Analytics]( ## Microsoft Endpoint Configuration Manager integration -Upgrade Readiness can be integrated with your installation of Configuration Manager. For more information, see [Integrate Upgrade Readiness with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics). +Upgrade Readiness can be integrated with your installation of Configuration Manager. For more information, see [Integrate Upgrade Readiness with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/clients/manage/upgrade/upgrade-analytics). 
diff --git a/windows/deployment/windows-autopilot/add-devices.md b/windows/deployment/windows-autopilot/add-devices.md index f2f6c4a975..3eff6520a5 100644 --- a/windows/deployment/windows-autopilot/add-devices.md +++ b/windows/deployment/windows-autopilot/add-devices.md @@ -61,7 +61,7 @@ Note that the hardware hash also contains details about when it was generated, s ### Collecting the hardware ID from existing devices using Microsoft Endpoint Configuration Manager -Starting with Microsoft Endpoint Configuration Manager current branch version 1802, the hardware hashes for existing Windows 10 version 1703 and higher devices are automatically collected by Configuration Manager. See the [What’s new in version 1802](https://docs.microsoft.com/sccm/core/plan-design/changes/whats-new-in-version-1802#report-on-windows-autopilot-device-information) documentation for more details. The hash information can be extracted from Configuration Manager into a CSV file. +Starting with Microsoft Endpoint Configuration Manager current branch version 1802, the hardware hashes for existing Windows 10 version 1703 and higher devices are automatically collected by Configuration Manager. See the [What’s new in version 1802](https://docs.microsoft.com/configmgr/core/plan-design/changes/whats-new-in-version-1802#report-on-windows-autopilot-device-information) documentation for more details. The hash information can be extracted from Configuration Manager into a CSV file. > [!Note] > Before uploading the CSV file on Intune, please make sure that the first row contains the device serial number, Windows product ID, hardware hash, group tag, and assigned user. If there is header information on the top of CSV file, please delete that header information. See details at [Enroll Windows devices in Intune](https://docs.microsoft.com/intune/enrollment/enrollment-autopilot). 
diff --git a/windows/deployment/windows-autopilot/existing-devices.md b/windows/deployment/windows-autopilot/existing-devices.md index 4bb98a3633..ec0def3245 100644 --- a/windows/deployment/windows-autopilot/existing-devices.md +++ b/windows/deployment/windows-autopilot/existing-devices.md @@ -31,7 +31,7 @@ This topic describes how to convert Windows 7 or Windows 8.1 domain-joined compu - Microsoft Endpoint Configuration Manager Current Branch (1806) OR Microsoft Endpoint Configuration Manager Technical Preview (1808) - The [Windows ADK](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) 1803 or later - - Note: Config Mgr 1806 or later is required to [support](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10#windows-10-adk) the Windows ADK 1809. + - Note: Config Mgr 1806 or later is required to [support](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10#windows-10-adk) the Windows ADK 1809. - Assigned Microsoft Intune Licenses - Azure Active Directory Premium - Windows 10 version 1809 or later imported into Config Mgr as an Operating System Image 
@@ -47,7 +47,7 @@ To enable and configure the enrollment and status page: 1. Open [Intune in the Azure portal](https://aka.ms/intuneportal). 2. Access **Intune > Device enrollment > Windows enrollment** and [Set up an enrollment status page](https://docs.microsoft.com/intune/windows-enrollment-status). -3. Access **Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune** and [Configure automatic MDM enrollment](https://docs.microsoft.com/sccm/mdm/deploy-use/enroll-hybrid-windows#enable-windows-10-automatic-enrollment) and configure the MDM user scope for some or all users. +3. Access **Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune** and [Configure automatic MDM enrollment](https://docs.microsoft.com/configmgr/mdm/deploy-use/enroll-hybrid-windows#enable-windows-10-automatic-enrollment) and configure the MDM user scope for some or all users. See the following examples. @@ -138,7 +138,7 @@ See the following examples. ![Notepad JSON](images/notepad.png) - After saving the file, move the file to a location suitable as an SCCM package source. + After saving the file, move the file to a location suitable as a Microsoft Endpoint Configuration Manager package source. >[!IMPORTANT] >Multiple JSON profile files can be used, but each must be named **AutopilotConfigurationFile.json** in order for OOBE to follow the Autopilot experience. The file also must be encoded as ANSI.

      **Saving the file with Unicode or UTF-8 encoding or saving it with a different file name will cause Windows 10 OOBE to not follow the Autopilot experience**.
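Review bot: The subject says only the docs path changes from sccm to configmgr, but the last existing-devices.md hunk (-138) also rewrites prose, turning "a location suitable as an SCCM package source" into "a Microsoft Endpoint Configuration Manager package source". Move that line into the rebrand commit or mention it in the message, so the URL changes can be reviewed on their own. The -31 hunk of the same file still says "Config Mgr 1806" on the line it touches, so the page mixes "Config Mgr" with the full product name.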
      From 2e3d6ee04bc3f54c9212da99540aeb963e2e74c8 Mon Sep 17 00:00:00 2001 From: LauraKellerGitHub Date: Sun, 19 Jan 2020 04:45:45 -0800 Subject: [PATCH 03/14] correcting according to Suggestions --- windows/deployment/windows-10-poc.md | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index ef8a9734cc..42a1176551 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md @@ -79,11 +79,7 @@ One computer that meets the hardware and software specifications below is requir - **Computer 1**: the computer you will use to run Hyper-V and host virtual machines. This computer should have 16 GB or more of installed RAM and a multi-core processor. - **Computer 2**: a client computer from your corporate network. It is shadow-copied to create a VM that can be added to the PoC environment, enabling you to test a mirror image of a computer on your network. If you do not have a computer to use for this simulation, you can download an evaluation VHD and use it to represent this computer. Subsequent guides use this computer to simulate Windows 10 replace and refresh scenarios, so the VM is required even if you cannot create this VM using computer 2. -<<<<<<< HEAD -Harware requirements are displayed below: -======= Hardware requirements are displayed below: ->>>>>>> 15571a3eeab72fb2d45a44e76e0f33dfa45ad0d0
      @@ -665,11 +661,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to Dismount-VHD -Path c:\vhd\d.vhd -<<<<<<< HEAD - Next, create the PC1 VM with two attached VHDs, and boot to DVD ($maxram must be defined previously using the same Windows PowerShell promt): -======= Next, create the PC1 VM with two attached VHDs, and boot to DVD ($maxram must be defined previously using the same Windows PowerShell prompt): ->>>>>>> 15571a3eeab72fb2d45a44e76e0f33dfa45ad0d0
           New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhd -SwitchName poc-internal
      @@ -859,11 +851,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
       
       17. Open an elevated Windows PowerShell prompt on PC1 and verify that the client VM has received a DHCP lease and can communicate with the consoto.com domain controller.
       
      -<<<<<<< HEAD
      -    To open Windows PowerShell on Windows 7, click **Start**, and search for "**power**." Right-click **Windows PowerShell** and then click **Pin to Taskbar** so that it is simpler to use Windows Powershell during this lab. Click **Windows PowerShell** on the taskbar, and then type **ipconfig** at the prompt to see the client's current IP address. Also type **ping dc1.contoso.com** and **nltest /dsgetdc:contoso.com** to verify that it can reach the domain controller. See the following examples of a successful network connection:
      -=======
           To open Windows PowerShell on Windows 7, click **Start**, and search for "**power**." Right-click **Windows PowerShell** and then click **Pin to Taskbar** so that it is simpler to use Windows PowerShell during this lab. Click **Windows PowerShell** on the taskbar, and then type **ipconfig** at the prompt to see the client's current IP address. Also type **ping dc1.contoso.com** and **nltest /dsgetdc:contoso.com** to verify that it can reach the domain controller. See the following examples of a successful network connection:
      ->>>>>>> 15571a3eeab72fb2d45a44e76e0f33dfa45ad0d0
       
           ```
           ipconfig
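Review bot: Step 17 in the context of this hunk (-859) still reads "consoto.com domain controller", while the paragraph directly below it uses dc1.contoso.com and contoso.com. Since this block is already being touched to resolve the conflict, fix the domain spelling in the same change.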
      @@ -1006,11 +994,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
           cmd /c netsh routing ip nat add interface name="Internal" mode=PRIVATE
           
      -<<<<<<< HEAD -32. The DNS service on SRV1 also needs to resolve hosts in the contoso.com domain. This can be accomplished with a conditional forwarder. Open an elevated Windows PowerShell prompt on SRV1 and type the following command: -======= 32. The DNS service on SRV1 also needs to resolve hosts in the `contoso.com` domain. This can be accomplished with a conditional forwarder. Open an elevated Windows PowerShell prompt on SRV1 and type the following command: ->>>>>>> 15571a3eeab72fb2d45a44e76e0f33dfa45ad0d0
           Add-DnsServerConditionalForwarderZone -Name contoso.com -MasterServers 192.168.0.1
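Review bot: Deleting the conflict block at step 32 (-1006) does not finish the cleanup, because hunks later in this series (at -86, -1006 and -1066) still remove `<<<<<<< HEAD` blocks that end with the same `>>>>>>> 15571a3eeab72fb2d45a44e76e0f33dfa45ad0d0` marker. Search the whole file for the three marker strings before committing so the removal lands in one change, and make the subject say that leftover merge-conflict markers are being removed rather than "correcting according to Suggestions".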
      
      From 6f3ddb12b17b2bcd25ae761aacd96e6a1b68174a Mon Sep 17 00:00:00 2001
      From: LauraKellerGitHub 
      Date: Sun, 19 Jan 2020 04:58:04 -0800
      Subject: [PATCH 04/14] removal of SCCM
      
      ---
       .../basic-level-windows-diagnostic-events-and-fields-1703.md  | 4 ++--
       1 file changed, 2 insertions(+), 2 deletions(-)
      
      diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
      index 6a45e90797..b679ecf92c 100644
      --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
      +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
      @@ -1323,7 +1323,7 @@ The following fields are available:
       - **MPNId**  Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
       - **SCCMClientId**  This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise Microsoft Endpoint Configuration Manager environment.
       - **ServerFeatures**  Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
      -- **SystemCenterID**  The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier.
      +- **SystemCenterID**  The Microsoft Endpoint Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier.
       
       
       ### Census.Firmware
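Review bot: In the -1323 hunk the SystemCenterID description now opens with "The Microsoft Endpoint Configuration Manager ID", which no longer connects to the field name or to SCCMClientId just above it. Add "(formerly System Center Configuration Manager)" once in this field list so the SCCM and SystemCenter names stay explained for readers who search by field name. The SCCMClientId context line also needs "correlates" in place of "correlate".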
      @@ -4528,7 +4528,7 @@ The following fields are available:
       - **DeviceIsMdmManaged**  This device is MDM managed.
       - **IsNetworkAvailable**  If the device network is not available.
       - **IsNetworkMetered**  If network is metered.
      -- **IsSccmManaged**  This device is SCCM managed.
      +- **IsSccmManaged**  This device is managed by Microsoft Endpoint Configuration Manager.
       - **NewlyInstalledOs**  OS is newly installed quiet period.
       - **PausedByPolicy**  Updates are paused by policy.
       - **RecoveredFromRS3**  Previously recovered from RS3.
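Review bot: In the -4528 hunk the context line for IsNetworkAvailable reads "If the device network is not available", which contradicts the field name, two lines above the IsSccmManaged line being edited. Confirm the intended meaning and correct that description in this pass, since the surrounding entries ("This device is MDM managed", "If network is metered") all state the positive case.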
      
      From 53b1519f1be827cac92f5363d43075eeb3b2d7f1 Mon Sep 17 00:00:00 2001
      From: LauraKellerGitHub 
      Date: Thu, 23 Jan 2020 10:56:05 -0800
      Subject: [PATCH 05/14] removed obsolete configmgr version number
      
      ---
       windows/deployment/windows-autopilot/add-devices.md | 2 +-
       1 file changed, 1 insertion(+), 1 deletion(-)
      
      diff --git a/windows/deployment/windows-autopilot/add-devices.md b/windows/deployment/windows-autopilot/add-devices.md
      index 3eff6520a5..ac13eea355 100644
      --- a/windows/deployment/windows-autopilot/add-devices.md
      +++ b/windows/deployment/windows-autopilot/add-devices.md
      @@ -61,7 +61,7 @@ Note that the hardware hash also contains details about when it was generated, s
       
       ### Collecting the hardware ID from existing devices using Microsoft Endpoint Configuration Manager
       
      -Starting with Microsoft Endpoint Configuration Manager current branch version 1802, the hardware hashes for existing Windows 10 version 1703 and higher devices are automatically collected by Configuration Manager. See the [What’s new in version 1802](https://docs.microsoft.com/configmgr/core/plan-design/changes/whats-new-in-version-1802#report-on-windows-autopilot-device-information) documentation for more details.  The hash information can be extracted from Configuration Manager into a CSV file.
      +Starting with Microsoft Endpoint Configuration Manager, the hardware hashes for existing Windows 10 version 1703 and higher devices are automatically collected by Configuration Manager. See the [What’s new in version 1802](https://docs.microsoft.com/configmgr/core/plan-design/changes/whats-new-in-version-1802#report-on-windows-autopilot-device-information) documentation for more details. The hash information can be extracted from Configuration Manager into a CSV file.
       
       > [!Note]
       > Before uploading the CSV file on Intune, please make sure that the first row contains the device serial number, Windows product ID, hardware hash, group tag, and assigned user. If there is header information on the top of CSV file, please delete that header information. See details at [Enroll Windows devices in Intune](https://docs.microsoft.com/intune/enrollment/enrollment-autopilot).
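Review bot: Removing "current branch version 1802" in the -61 hunk leaves "Starting with Microsoft Endpoint Configuration Manager, the hardware hashes ... are automatically collected by Configuration Manager", where "Starting with" no longer has a version to start from, and the next sentence still links to "What's new in version 1802". Either keep a minimum version or reword to "Microsoft Endpoint Configuration Manager automatically collects the hardware hashes for existing Windows 10 version 1703 and higher devices", and adjust the link sentence to match.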
      
      From 2b811e0814bcb8ecd9ec7061a1ad479f2eaa63cd Mon Sep 17 00:00:00 2001
      From: LauraKellerGitHub 
      Date: Thu, 23 Jan 2020 12:27:25 -0800
      Subject: [PATCH 06/14] updating bookmarks
      
      ---
       windows/deployment/windows-10-deployment-posters.md        | 2 +-
       windows/deployment/windows-10-poc-sc-config-mgr.md         | 2 +-
       windows/deployment/windows-autopilot/deployment-process.md | 2 +-
       3 files changed, 3 insertions(+), 3 deletions(-)
      
      diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md
      index b37a3cf91f..3ae808a4af 100644
      --- a/windows/deployment/windows-10-deployment-posters.md
      +++ b/windows/deployment/windows-10-deployment-posters.md
      @@ -38,4 +38,4 @@ The Configuration Manager poster is one page in landscape mode (17x11). Click th
       ## See also
       
       [Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot)
      -[Scenarios to deploy enterprise operating systems with Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems) \ No newline at end of file +[Scenarios to deploy enterprise operating systems with Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems) \ No newline at end of file diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index 96ff61fc93..fc6a392e8f 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md @@ -50,7 +50,7 @@ Topics and procedures in this guide are summarized in the following table. An es TopicDescriptionTime Install prerequisitesInstall prerequisite Windows Server roles and features, download, install and configure SQL Server, configure firewall rules, and install the Windows ADK.60 minutes -Install Microsoft Endpoint Configuration ManagerDownload Microsoft Endpoint Configuration Manager, configure prerequisites, and install the package.45 minutes +Install Microsoft Endpoint Configuration ManagerDownload Microsoft Endpoint Configuration Manager, configure prerequisites, and install the package.45 minutes Download MDOP and install DaRTDownload the Microsoft Desktop Optimization Pack 2015 and install DaRT 10.15 minutes Prepare for Zero Touch installationPrerequisite procedures to support Zero Touch installation.60 minutes Create a boot image for Configuration ManagerUse the MDT wizard to create the boot image in Configuration Manager.20 minutes diff --git a/windows/deployment/windows-autopilot/deployment-process.md b/windows/deployment/windows-autopilot/deployment-process.md index 5959c898e3..6ea316f459 100644 --- a/windows/deployment/windows-autopilot/deployment-process.md +++ b/windows/deployment/windows-autopilot/deployment-process.md 
@@ -24,4 +24,4 @@ Windows Autopilot deployment processes are summarized in the poster below. The p [![Deploy Windows 10 with Autopilot](../media/windows10-autopilot-flowchart.png)](../media/Windows10AutopilotFlowchart.pdf) -**Note**: The Windows Autopilot for existing devices process is included in the [Microsoft Endpoint Configuration Manager deployment poster](../windows-10-deployment-posters.md#deploy-windows-10-with-system-center-configuration-manager). \ No newline at end of file +**Note**: The Windows Autopilot for existing devices process is included in the [Microsoft Endpoint Configuration Manager deployment poster](../windows-10-deployment-posters.md#deploy-windows-10-with-configuration-manager). \ No newline at end of file From ce0452e23f9e9cf2a27d7cbd29efb2d3d00e1053 Mon Sep 17 00:00:00 2001 From: LauraKellerGitHub Date: Thu, 23 Jan 2020 13:06:13 -0800 Subject: [PATCH 07/14] one more bookmark update --- windows/deployment/windows-autopilot/deployment-process.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopilot/deployment-process.md b/windows/deployment/windows-autopilot/deployment-process.md index 6ea316f459..6723d50e35 100644 --- a/windows/deployment/windows-autopilot/deployment-process.md +++ b/windows/deployment/windows-autopilot/deployment-process.md 
@@ -24,4 +24,4 @@ Windows Autopilot deployment processes are summarized in the poster below. The p [![Deploy Windows 10 with Autopilot](../media/windows10-autopilot-flowchart.png)](../media/Windows10AutopilotFlowchart.pdf) -**Note**: The Windows Autopilot for existing devices process is included in the [Microsoft Endpoint Configuration Manager deployment poster](../windows-10-deployment-posters.md#deploy-windows-10-with-configuration-manager). \ No newline at end of file +**Note**: The Windows Autopilot for existing devices process is included in the [Microsoft Endpoint Configuration Manager deployment poster](../windows-10-deployment-posters.md#deploy-windows-10-with-microsoft-endpoint-configuration-manager). \ No newline at end of file From 5ad477f1f1370769eb893fcf553105959e51d2b2 Mon Sep 17 00:00:00 2001 From: LauraKellerGitHub Date: Thu, 23 Jan 2020 14:42:37 -0800 Subject: [PATCH 08/14] 2012 name order change in resolution-procedures --- windows/deployment/upgrade/resolution-procedures.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md index 38e04c555d..41c49f7eb9 100644 --- a/windows/deployment/upgrade/resolution-procedures.md +++ b/windows/deployment/upgrade/resolution-procedures.md @@ -601,7 +601,7 @@ Download and run the media creation tool. See -<<<<<<< HEAD -TopicDescriptionTime -======= TopicDescriptionTime ->>>>>>> 15571a3eeab72fb2d45a44e76e0f33dfa45ad0d0 Hardware and software requirementsPrerequisites to complete this guide.Informational Lab setupA description and diagram of the PoC environment.Informational Configure the PoC environmentParent topic for procedures.Informational 
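Review bot: The poster bookmark in deployment-process.md (-24) is set to #deploy-windows-10-with-configuration-manager in PATCH 06 and changed again to #deploy-windows-10-with-microsoft-endpoint-configuration-manager in PATCH 07, and no hunk shown for windows-10-deployment-posters.md includes the heading that the fragment has to match. Check the fragment against that heading's generated anchor and squash the two commits so the intermediate value does not land on its own.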
@@ -86,55 +82,31 @@ Hardware requirements are displayed below: -<<<<<<< HEAD - - - - - -======= ->>>>>>> 15571a3eeab72fb2d45a44e76e0f33dfa45ad0d0 -<<<<<<< HEAD - -======= ->>>>>>> 15571a3eeab72fb2d45a44e76e0f33dfa45ad0d0 -<<<<<<< HEAD - -======= ->>>>>>> 15571a3eeab72fb2d45a44e76e0f33dfa45ad0d0 -<<<<<<< HEAD - -======= ->>>>>>> 15571a3eeab72fb2d45a44e76e0f33dfa45ad0d0 -<<<<<<< HEAD - -======= ->>>>>>> 15571a3eeab72fb2d45a44e76e0f33dfa45ad0d0 @@ -1006,11 +978,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to ping www.microsoft.com -<<<<<<< HEAD - If you see "Ping request could not find host www.microsoft.com" on PC1 and DC1, but not on SRV1, then you will need to configure a server-level DNS forwarder on SRV1. To do this, open an elevated Windows PowerShell prompt on SRV1 and type the following command. -======= If you see "Ping request could not find host `www.microsoft.com`" on PC1 and DC1, but not on SRV1, then you will need to configure a server-level DNS forwarder on SRV1. To do this, open an elevated Windows PowerShell prompt on SRV1 and type the following command. ->>>>>>> 15571a3eeab72fb2d45a44e76e0f33dfa45ad0d0 **Note**: This command also assumes that "Ethernet 2" is the external-facing network adapter on SRV1. If the external adapter has a different name, replace "Ethernet 2" in the command below with that name: @@ -1066,17 +1034,10 @@ Use the following procedures to verify that the PoC environment is configured pr **DCDiag** displays "passed test" for all tests.
      **Get-DnsServerResourceRecord** displays the correct DNS address records for DC1, SRV1, and the computername of PC1. Additional address records for the zone apex (@), DomainDnsZones, and ForestDnsZones will also be registered.
      **Get-DnsServerForwarder** displays a single forwarder of 192.168.0.2.
      -<<<<<<< HEAD - **Resolve-DnsName** displays public IP address results for www.microsoft.com.
      - **Get-DhcpServerInDC** displays 192.168.0.1, dc1.contoso.com.
      - **Get-DhcpServerv4Statistics** displays 1 scope with 2 addresses in use (these belong to PC1 and the Hyper-V host).
      - **ipconfig** displays a primary DNS suffix and suffix search list of contoso.com, IP address of 192.168.0.1, subnet mask of 255.255.255.0, default gateway of 192.168.0.2, and DNS server addresses of 192.168.0.1 and 192.168.0.2. -======= **Resolve-DnsName** displays public IP address results for `www.microsoft.com`.
      **Get-DhcpServerInDC** displays 192.168.0.1, `dc1.contoso.com`.
      **Get-DhcpServerv4Statistics** displays 1 scope with 2 addresses in use (these belong to PC1 and the Hyper-V host).
      **ipconfig** displays a primary DNS suffix and suffix search list of `contoso.com`, IP address of 192.168.0.1, subnet mask of 255.255.255.0, default gateway of 192.168.0.2, and DNS server addresses of 192.168.0.1 and 192.168.0.2. ->>>>>>> 15571a3eeab72fb2d45a44e76e0f33dfa45ad0d0 2. On SRV1, open an elevated Windows PowerShell prompt and type the following commands: @@ -1090,13 +1051,8 @@ Use the following procedures to verify that the PoC environment is configured pr **Get-Service** displays a status of "Running" for both services.
      **Get-DnsServerForwarder** either displays no forwarders, or displays a list of forwarders you are required to use so that SRV1 can resolve Internet names.
      -<<<<<<< HEAD - **Resolve-DnsName** displays public IP address results for www.microsoft.com.
      - **ipconfig** displays a primary DNS suffix of contoso.com. The suffix search list contains contoso.com and your corporate domain. Two ethernet adapters are shown: Ethernet adapter "Ethernet" has an IP addresses of 192.168.0.2, subnet mask of 255.255.255.0, no default gateway, and DNS server addresses of 192.168.0.1 and 192.168.0.2. Ethernet adapter "Ethernet 2" has an IP address, subnet mask, and default gateway configured by DHCP on your corporate network.
      -======= **Resolve-DnsName** displays public IP address results for `www.microsoft.com`.
      **ipconfig** displays a primary DNS suffix of `contoso.com`. The suffix search list contains `contoso.com` and your corporate domain. Two ethernet adapters are shown: Ethernet adapter "Ethernet" has an IP addresses of 192.168.0.2, subnet mask of 255.255.255.0, no default gateway, and DNS server addresses of 192.168.0.1 and 192.168.0.2. Ethernet adapter "Ethernet 2" has an IP address, subnet mask, and default gateway configured by DHCP on your corporate network.
      ->>>>>>> 15571a3eeab72fb2d45a44e76e0f33dfa45ad0d0 **netsh** displays three interfaces on the computer: interface "Ethernet 2" with DHCP enabled = Yes and IP address assigned by your corporate network, interface "Ethernet" with DHCP enabled = No and IP address of 192.168.0.2, and interface "Loopback Pseudo-Interface 1" with IP address of 127.0.0.1. 3. On PC1, open an elevated Windows PowerShell prompt and type the following commands: @@ -1111,15 +1067,9 @@ Use the following procedures to verify that the PoC environment is configured pr **whoami** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed.
      **hostname** displays the name of the local computer, for example W7PC-001.
      -<<<<<<< HEAD - **nslookup** displays the DNS server used for the query, and the results of the query. For example, server dc1.contoso.com, address 192.168.0.1, Name e2847.dspb.akamaiedge.net.
      - **ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it cannot be resolved, "..could not find host" will be diplayed and if the target is found and also responds to ICMP, you will see "Reply from" and the IP address of the target.
      - **tracert** displays the path to reach the destination, for example srv1.contoso.com [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination. -======= **nslookup** displays the DNS server used for the query, and the results of the query. For example, server `dc1.contoso.com`, address 192.168.0.1, Name `e2847.dspb.akamaiedge.net`.
      **ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it cannot be resolved, "..could not find host" will be displayed and if the target is found and also responds to ICMP, you will see "Reply from" and the IP address of the target.
      **tracert** displays the path to reach the destination, for example `srv1.contoso.com` [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination. ->>>>>>> 15571a3eeab72fb2d45a44e76e0f33dfa45ad0d0 ## Appendix B: Terminology used in this guide @@ -1129,12 +1079,8 @@ Use the following procedures to verify that the PoC environment is configured pr
      Computer 1 (required)Computer 2 (recommended)
      RoleComputer 1 (required) Computer 2 (recommended)
      RoleHyper-V host Client computer
      DescriptionDescriptionThis computer will run Hyper-V, the Hyper-V management tools, and the Hyper-V Windows PowerShell module. This computer is a Windows 7 or Windows 8/8.1 client on your corporate network that will be converted to a VM to demonstrate the upgrade process.
      OSOSWindows 8.1/10 or Windows Server 2012/2012 R2/2016* Windows 7 or a later
      EditionEditionEnterprise, Professional, or Education Any
      ArchitectureArchitecture64-bit Any
      Note: Retaining applications and settings requires that architecture (32 or 64-bit) is the same before and after the upgrade.
      -<<<<<<< HEAD -
      TermDefinition -=======
      Term Definition ->>>>>>> 15571a3eeab72fb2d45a44e76e0f33dfa45ad0d0
      GPTGUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions.
      Hyper-VHyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8.
      Hyper-V hostThe computer where Hyper-V is installed. From a9c3e7bbd780e422369f44a0f162e6264abe3e76 Mon Sep 17 00:00:00 2001 From: LauraKellerGitHub Date: Tue, 28 Jan 2020 20:07:47 -0800 Subject: [PATCH 12/14] corrections upgrade-readiness existing-devices fields-1809 --- .../upgrade/manage-windows-upgrades-with-upgrade-readiness.md | 2 +- windows/deployment/windows-autopilot/existing-devices.md | 2 +- .../basic-level-windows-diagnostic-events-and-fields-1809.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md b/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md index bcfd0a6ac4..22a0623cd6 100644 --- a/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md +++ b/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md @@ -29,7 +29,7 @@ Use Upgrade Readiness to get: - Guidance and insights into application and driver compatibility issues, with suggested fixes - Data driven application rationalization tools - Application usage information, allowing targeted validation; workflow to track validation progress and decisions -- Data export to commonly used software deployment tools, including Microsoft Endpoint Configuration Manager +- Data export to commonly used software deployment tools, including System Center Configuration Manager The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. diff --git a/windows/deployment/windows-autopilot/existing-devices.md b/windows/deployment/windows-autopilot/existing-devices.md index ec0def3245..daad48abfa 100644 --- a/windows/deployment/windows-autopilot/existing-devices.md +++ b/windows/deployment/windows-autopilot/existing-devices.md 
@@ -31,7 +31,7 @@ This topic describes how to convert Windows 7 or Windows 8.1 domain-joined compu - Microsoft Endpoint Configuration Manager Current Branch (1806) OR Microsoft Endpoint Configuration Manager Technical Preview (1808) - The [Windows ADK](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) 1803 or later - - Note: Config Mgr 1806 or later is required to [support](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10#windows-10-adk) the Windows ADK 1809. + - For more information on Configuration Manager support, see [Support for Windows 10 ADK](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10#windows-10-adk). - Assigned Microsoft Intune Licenses - Azure Active Directory Premium - Windows 10 version 1809 or later imported into Config Mgr as an Operating System Image diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 52244ce093..8048327d37 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md 
@@ -2994,7 +2994,7 @@ The following fields are available: - **IsDeviceNetworkMetered** Indicates whether the device is connected to a metered network. - **IsDeviceOobeBlocked** Indicates whether user approval is required to install updates on the device. - **IsDeviceRequireUpdateApproval** Indicates whether user approval is required to install updates on the device. -- **IsDeviceSccmManaged** Indicates whether the device is running the Microsoft Endpoint Configuration Manager) to keep the operating system and applications up to date. +- **IsDeviceSccmManaged** Indicates whether the device is running the Microsoft Endpoint Configuration Manager client to keep the operating system and applications up to date. - **IsDeviceUninstallActive** Indicates whether the OS (operating system) on the device was recently updated. - **IsDeviceUpdateNotificationLevel** Indicates whether the device has a set policy to control update notifications. - **IsDeviceUpdateServiceManaged** Indicates whether the device uses WSUS (Windows Server Update Services). From 03b5311757116f46fd671ce7b79d2cdcd3ae2297 Mon Sep 17 00:00:00 2001 From: LauraKellerGitHub Date: Wed, 29 Jan 2020 04:43:06 -0800 Subject: [PATCH 13/14] review corrections completed --- windows/deployment/usmt/usmt-common-migration-scenarios.md | 2 +- windows/deployment/usmt/usmt-test-your-migration.md | 2 +- windows/deployment/windows-10-poc-mdt.md | 2 +- windows/deployment/windows-autopilot/existing-devices.md | 6 +++--- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/deployment/usmt/usmt-common-migration-scenarios.md b/windows/deployment/usmt/usmt-common-migration-scenarios.md index adbd9fbc55..b23758ae60 100644 --- a/windows/deployment/usmt/usmt-common-migration-scenarios.md +++ b/windows/deployment/usmt/usmt-common-migration-scenarios.md 
@@ -130,7 +130,7 @@ A company receives 50 new laptops for their managers and needs to reallocate 50 A company is allocating 20 new computers to users in the accounting department. The users each have a source computer that contains their files and settings. An administrator uses a management technology such as a logon script or a batch file to run ScanState on each source computer to collect the user states and save them to a server in a compressed migration store. -1. On each source computer, the administrator runs the ScanState tool using Microsoft Microsoft Endpoint Configuration Manager, Microsoft Deployment Toolkit (MDT), a logon script, a batch file, or a non-Microsoft management technology. ScanState collects the user state from each source computer and then saves it to a server. +1. On each source computer, the administrator runs the ScanState tool using Microsoft Endpoint Configuration Manager, Microsoft Deployment Toolkit (MDT), a logon script, a batch file, or a non-Microsoft management technology. ScanState collects the user state from each source computer and then saves it to a server. 2. On each new computer, the administrator installs the company's SOE, which includes Windows 10 and other company applications. diff --git a/windows/deployment/usmt/usmt-test-your-migration.md b/windows/deployment/usmt/usmt-test-your-migration.md index 533b7f5286..183f7bc16e 100644 --- a/windows/deployment/usmt/usmt-test-your-migration.md +++ b/windows/deployment/usmt/usmt-test-your-migration.md 
@@ -30,7 +30,7 @@ Running the ScanState and LoadState tools with the **/v**:5 option crea -After you have determined that the pilot migration successfully migrated the specified files and settings, you are ready to add USMT to the server that is running Microsoft Endpoint Configuration Manager, or a non-Microsoft management technology. For more information, see [Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=140246). +After you have determined that the pilot migration successfully migrated the specified files and settings, you are ready to add USMT to the server that is running Microsoft Endpoint Configuration Manager, or a non-Microsoft management technology. For more information, see [Manage user state in Configuration Manager](https://docs.microsoft.com/configmgr/osd/get-started/manage-user-state). **Note**   For testing purposes, you can create an uncompressed store using the **/hardlink /nocompress** option. When compression is disabled, the ScanState tool saves the files and settings to a hidden folder named "File" at *StorePath*\\USMT. You can use the uncompressed store to view what USMT has stored or to troubleshoot a problem, or you can run an antivirus utility against the files. Additionally, you can also use the **/listfiles** command-line option and the diagnostic log to list the files that were gathered and to troubleshoot problems with your migration. diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md index dc74d56ad8..a9ffbb1c73 100644 --- a/windows/deployment/windows-10-poc-mdt.md +++ b/windows/deployment/windows-10-poc-mdt.md 
@@ -490,7 +490,7 @@ This section will demonstrate how to export user data from an existing client co cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs ``` - **Note**: Litetouch.vbs must be able to create the C:\MININT directory on the local computer. + **Note**: For more information on tools for viewing log files and to assist with troubleshooting, see [Configuration Manager Tools](https://docs.microsoft.com/configmgr/core/support/tools). 5. Choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**. diff --git a/windows/deployment/windows-autopilot/existing-devices.md b/windows/deployment/windows-autopilot/existing-devices.md index daad48abfa..bd7fef2b74 100644 --- a/windows/deployment/windows-autopilot/existing-devices.md +++ b/windows/deployment/windows-autopilot/existing-devices.md @@ -29,12 +29,12 @@ This topic describes how to convert Windows 7 or Windows 8.1 domain-joined compu ## Prerequisites -- Microsoft Endpoint Configuration Manager Current Branch (1806) OR Microsoft Endpoint Configuration Manager Technical Preview (1808) +- Microsoft Endpoint Configuration Manager - The [Windows ADK](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) 1803 or later - For more information on Configuration Manager support, see [Support for Windows 10 ADK](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10#windows-10-adk). - Assigned Microsoft Intune Licenses - Azure Active Directory Premium -- Windows 10 version 1809 or later imported into Config Mgr as an Operating System Image +- Windows 10 version 1809 or later imported into Configuration Manager as an Operating System Image - **Important**: See [Known issues](known-issues.md) if you are using Windows 10 1903 with Configuration Manager’s built-in **Windows Autopilot existing device** task sequence template. Currently, one of the steps in this task sequence must be edited to work properly with Windows 10, version 1903. ## Procedures 
@@ -156,7 +156,7 @@ See the following examples. - Program Type: **Do not create a program** 4. Click **Next** twice and then click **Close**. -**NOTE**: If you change user-driven Autopilot profile settings in Intune at a later date, you must also update the JSON file and redistribute the associated Config Mgr package. +**NOTE**: If you change user-driven Autopilot profile settings in Intune at a later date, you must also update the JSON file and redistribute the associated Configuration Manager package. ### Create a target collection From ebe3bb5fc9ef96684c6a33769eb6f61272690bba Mon Sep 17 00:00:00 2001 From: LauraKellerGitHub Date: Wed, 29 Jan 2020 06:26:14 -0800 Subject: [PATCH 14/14] corrected version under prereqs --- windows/deployment/windows-autopilot/existing-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopilot/existing-devices.md b/windows/deployment/windows-autopilot/existing-devices.md index bd7fef2b74..ad9577ade4 100644 --- a/windows/deployment/windows-autopilot/existing-devices.md +++ b/windows/deployment/windows-autopilot/existing-devices.md @@ -29,7 +29,7 @@ This topic describes how to convert Windows 7 or Windows 8.1 domain-joined compu ## Prerequisites -- Microsoft Endpoint Configuration Manager +- A currently supported version of Microsoft Endpoint Configuration Manager current branch or technical preview branch. - The [Windows ADK](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) 1803 or later - For more information on Configuration Manager support, see [Support for Windows 10 ADK](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10#windows-10-adk). - Assigned Microsoft Intune Licenses
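Review bot: The lines removed from windows/deployment/windows-10-poc.md in the hunks at `@@ -1111,15 +1067,9 @@` and `@@ -1129,12 +1079,8 @@`, and in the hunk just before them, are literal merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 15571a3eeab72fb2d45a44e76e0f33dfa45ad0d0`) together with the duplicated HEAD-side text, so the file was committed with an unresolved merge before this change. Please search the other files touched by this series for lines starting with `<<<<<<<`, `=======` or `>>>>>>>` before it merges, and squash this cleanup into the commit that introduced the markers so no intermediate revision publishes them. The side that was kept still reads "has an IP addresses of 192.168.0.2" in the ipconfig paragraph, which could be fixed in the same pass.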
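Review bot: In PATCH 12/14, the "Data export to commonly used software deployment tools" bullet in manage-windows-upgrades-with-upgrade-readiness.md (`@@ -29,7 +29,7 @@`) goes from "Microsoft Endpoint Configuration Manager" back to "System Center Configuration Manager", the reverse of what the series subject says it does. The commit message ("corrections upgrade-readiness existing-devices fields-1809") gives no reason. If the old name is intended for this article, say why in the commit message; otherwise drop this hunk so the product name stays consistent across the 30 files.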
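Review bot: The sub-bullet under the Windows ADK prerequisite in windows-autopilot/existing-devices.md (`@@ -31,7 +31,7 @@`, PATCH 12/14) loses the one concrete requirement it carried, "Config Mgr 1806 or later is required to support the Windows ADK 1809", and now only points at the Support for Windows 10 ADK page. A rebrand should change the product name, not remove a version constraint. Either keep the sentence with the name spelled out as "Configuration Manager 1806 or later", or confirm that the linked page states the same pairing and mention the removal in the commit message.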
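Review bot: The `@@ -130,7 +130,7 @@` hunk of usmt/usmt-common-migration-scenarios.md (PATCH 13/14) fixes "Microsoft Microsoft Endpoint Configuration Manager", which is what a mechanical replace of "System Center Configuration Manager" produces wherever the original text already read "Microsoft System Center Configuration Manager". The same doubling is likely elsewhere in the files listed in PATCH 01/14. Please search the whole tree for "Microsoft Microsoft" rather than fixing the one occurrence that review happened to catch.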
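Review bot: In windows/deployment/windows-10-poc-mdt.md (`@@ -490,7 +490,7 @@`, PATCH 13/14), the note that follows the `cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs` step is replaced outright: "Litetouch.vbs must be able to create the C:\MININT directory on the local computer" becomes a pointer to Configuration Manager Tools. The removed sentence is a precondition for the command directly above it and has nothing to do with the product rename, so a reader who hits a failure at this step no longer learns the cause from the page. Restore the original note, and if the log-viewer link is wanted, add it as a separate note instead of a replacement.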
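Review bot: The first prerequisite in windows-autopilot/existing-devices.md is rewritten twice in a row, in the `@@ -29,12 +29,12 @@` hunk of PATCH 13/14 and again in the `@@ -29,7 +29,7 @@` hunk of PATCH 14/14, and the final wording "A currently supported version of Microsoft Endpoint Configuration Manager current branch or technical preview branch." ends with a period while every other bullet in the list has none. It also gives no minimum version, although the neighbouring bullets still pin "1803 or later" and "1809 or later". Please squash the two commits, drop the trailing period, and either state the minimum version or link to the page that defines "currently supported".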