deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-18 08:17:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'MicrosoftDocs:main' into main

Browse Source
This commit is contained in:
zwhitt-microsoft 2022-11-30 16:06:56 -08:00 committed by GitHub
commit e21a0b8513
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
106 changed files with 20403 additions and 21230 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
.openpublishing.redirection.json
View File

@ -20174,6 +20174,76 @@
"source_path": "windows/configuration/start-layout-troubleshoot.md",
"redirect_url": "/troubleshoot/windows-client/shell-experience/troubleshoot-start-menu-errors",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/planning/features-lifecycle.md",
"redirect_url": "/windows/whats-new/feature-lifecycle",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/planning/windows-10-deprecated-features.md",
"redirect_url": "/windows/whats-new/deprecated-features",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/planning/windows-10-removed-features.md",
"redirect_url": "/windows/whats-new/removed-features",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/usmt/usmt-common-issues.md",
"redirect_url": "/troubleshoot/windows-client/deployment/usmt-common-issues",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/usmt/usmt-return-codes.md",
"redirect_url": "/troubleshoot/windows-client/deployment/usmt-return-codes",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md",
"redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md",
"redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-issues",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md",
"redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-tpm-issues",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md",
"redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-configuration-known-issues",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md",
"redirect_url": "/troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md",
"redirect_url": "/troubleshoot/windows-client/windows-security/enforcing-bitlocker-policies-by-using-intune-known-issues",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md",
"redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-network-unlock-known-issues",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md",
"redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-recovery-known-issues",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md",
"redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-and-tpm-other-known-issues",
"redirect_document_id": false
}
]
}

41
SECURITY.md Normal file
View File

@ -0,0 +1,41 @@
<!-- BEGIN MICROSOFT SECURITY.MD V0.0.8 BLOCK -->
## Security
Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).
If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below.
## Reporting Security Issues
**Please do not report security vulnerabilities through public GitHub issues.**
Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report).
If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey).
You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc).
Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
* Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
* Full paths of source file(s) related to the manifestation of the issue
* The location of the affected source code (tag/branch/commit or direct URL)
* Any special configuration required to reproduce the issue
* Step-by-step instructions to reproduce the issue
* Proof-of-concept or exploit code (if possible)
* Impact of the issue, including how an attacker might exploit the issue
This information will help us triage your report more quickly.
If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs.
## Preferred Languages
We prefer all communications to be in English.
## Policy
Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd).
<!-- END MICROSOFT SECURITY.MD BLOCK -->

2
windows/client-management/enable-admx-backed-policies-in-mdm.md
View File

@ -105,7 +105,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
2. Find the variable names of the parameters in the ADMX file.
You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](mdm/policy-configuration-service-provider.md#appvirtualization-publishingallowserver2).
You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](mdm/policy-csp-appvirtualization.md#appvirtualization-publishingallowserver2).
![Publishing server 2 policy description.](images/admx-appv-policy-description.png)

4144
windows/client-management/mdm/defender-csp.md
View File

File diff suppressed because it is too large Load Diff

1733
windows/client-management/mdm/defender-ddf.md
View File

File diff suppressed because it is too large Load Diff

2
windows/client-management/mdm/enterprisedataprotection-csp.md
View File

@ -277,7 +277,7 @@ Specifies whether to allow Azure RMS encryption for Windows Information Protecti
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
<a href="" id="settings-smbautoencryptedfileextensions"></a>**Settings/SMBAutoEncryptedFileExtensions**
Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from a Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for [NetworkIsolation/EnterpriseIPRange](policy-configuration-service-provider.md#networkisolation-enterpriseiprange) and [NetworkIsolation/EnterpriseNetworkDomainNames](policy-configuration-service-provider.md#networkisolation-enterprisenetworkdomainnames). Use semicolon (;) delimiter in the list.
Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from a Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for [NetworkIsolation/EnterpriseIPRange](policy-csp-networkisolation.md) and [NetworkIsolation/EnterpriseNetworkDomainNames](policy-csp-networkisolation.md). Use semicolon (;) delimiter in the list.
When this policy isn't specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted.
Supported operations are Add, Get, Replace and Delete. Value type is string.

4915
windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
View File

File diff suppressed because it is too large Load Diff

1816
windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
View File

File diff suppressed because it is too large Load Diff

52
windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
View File

@ -21,32 +21,32 @@ ms.date: 07/22/2020
- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#cellular-showappcellularaccessui)
- [Cryptography/AllowFipsAlgorithmPolicy](policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy)
- [Cryptography/TLSCipherSuites](policy-csp-cryptography.md#cryptography-tlsciphersuites)
- [Defender/AllowArchiveScanning](policy-csp-defender.md#defender-allowarchivescanning)
- [Defender/AllowBehaviorMonitoring](policy-csp-defender.md#defender-allowbehaviormonitoring)
- [Defender/AllowCloudProtection](policy-csp-defender.md#defender-allowcloudprotection)
- [Defender/AllowEmailScanning](policy-csp-defender.md#defender-allowemailscanning)
- [Defender/AllowFullScanOnMappedNetworkDrives](policy-csp-defender.md#defender-allowfullscanonmappednetworkdrives)
- [Defender/AllowFullScanRemovableDriveScanning](policy-csp-defender.md#defender-allowfullscanremovabledrivescanning)
- [Defender/AllowIOAVProtection](policy-csp-defender.md#defender-allowioavprotection)
- [Defender/AllowOnAccessProtection](policy-csp-defender.md#defender-allowonaccessprotection)
- [Defender/AllowRealtimeMonitoring](policy-csp-defender.md#defender-allowrealtimemonitoring)
- [Defender/AllowScanningNetworkFiles](policy-csp-defender.md#defender-allowscanningnetworkfiles)
- [Defender/AllowScriptScanning](policy-csp-defender.md#defender-allowscriptscanning)
- [Defender/AllowUserUIAccess](policy-csp-defender.md#defender-allowuseruiaccess)
- [Defender/AvgCPULoadFactor](policy-csp-defender.md#defender-avgcpuloadfactor)
- [Defender/DaysToRetainCleanedMalware](policy-csp-defender.md#defender-daystoretaincleanedmalware)
- [Defender/ExcludedExtensions](policy-csp-defender.md#defender-excludedextensions)
- [Defender/ExcludedPaths](policy-csp-defender.md#defender-excludedpaths)
- [Defender/ExcludedProcesses](policy-csp-defender.md#defender-excludedprocesses)
- [Defender/PUAProtection](policy-csp-defender.md#defender-puaprotection)
- [Defender/RealTimeScanDirection](policy-csp-defender.md#defender-realtimescandirection)
- [Defender/ScanParameter](policy-csp-defender.md#defender-scanparameter)
- [Defender/ScheduleQuickScanTime](policy-csp-defender.md#defender-schedulequickscantime)
- [Defender/ScheduleScanDay](policy-csp-defender.md#defender-schedulescanday)
- [Defender/ScheduleScanTime](policy-csp-defender.md#defender-schedulescantime)
- [Defender/SignatureUpdateInterval](policy-csp-defender.md#defender-signatureupdateinterval)
- [Defender/SubmitSamplesConsent](policy-csp-defender.md#defender-submitsamplesconsent)
- [Defender/ThreatSeverityDefaultAction](policy-csp-defender.md#defender-threatseveritydefaultaction)
- [Defender/AllowArchiveScanning](policy-csp-defender.md#allowarchivescanning)
- [Defender/AllowBehaviorMonitoring](policy-csp-defender.md#allowbehaviormonitoring)
- [Defender/AllowCloudProtection](policy-csp-defender.md#allowcloudprotection)
- [Defender/AllowEmailScanning](policy-csp-defender.md#allowemailscanning)
- [Defender/AllowFullScanOnMappedNetworkDrives](policy-csp-defender.md#allowfullscanonmappednetworkdrives)
- [Defender/AllowFullScanRemovableDriveScanning](policy-csp-defender.md#allowfullscanremovabledrivescanning)
- [Defender/AllowIOAVProtection](policy-csp-defender.md#allowioavprotection)
- [Defender/AllowOnAccessProtection](policy-csp-defender.md#allowonaccessprotection)
- [Defender/AllowRealtimeMonitoring](policy-csp-defender.md#allowrealtimemonitoring)
- [Defender/AllowScanningNetworkFiles](policy-csp-defender.md#allowscanningnetworkfiles)
- [Defender/AllowScriptScanning](policy-csp-defender.md#allowscriptscanning)
- [Defender/AllowUserUIAccess](policy-csp-defender.md#allowuseruiaccess)
- [Defender/AvgCPULoadFactor](policy-csp-defender.md#avgcpuloadfactor)
- [Defender/DaysToRetainCleanedMalware](policy-csp-defender.md#daystoretaincleanedmalware)
- [Defender/ExcludedExtensions](policy-csp-defender.md#excludedextensions)
- [Defender/ExcludedPaths](policy-csp-defender.md#excludedpaths)
- [Defender/ExcludedProcesses](policy-csp-defender.md#excludedprocesses)
- [Defender/PUAProtection](policy-csp-defender.md#puaprotection)
- [Defender/RealTimeScanDirection](policy-csp-defender.md#realtimescandirection)
- [Defender/ScanParameter](policy-csp-defender.md#scanparameter)
- [Defender/ScheduleQuickScanTime](policy-csp-defender.md#schedulequickscantime)
- [Defender/ScheduleScanDay](policy-csp-defender.md#schedulescanday)
- [Defender/ScheduleScanTime](policy-csp-defender.md#schedulescantime)
- [Defender/SignatureUpdateInterval](policy-csp-defender.md#signatureupdateinterval)
- [Defender/SubmitSamplesConsent](policy-csp-defender.md#submitsamplesconsent)
- [Defender/ThreatSeverityDefaultAction](policy-csp-defender.md#threatseveritydefaultaction)
- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)

10578
windows/client-management/mdm/policy-configuration-service-provider.md
View File

File diff suppressed because it is too large Load Diff

812
windows/client-management/mdm/policy-csp-admx-mss-legacy.md Normal file
View File

@ -0,0 +1,812 @@
---
title: ADMX_MSS-legacy Policy CSP
description: Learn more about the ADMX_MSS-legacy Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 11/29/2022
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- ADMX_MSS-legacy-Begin -->
# Policy CSP - ADMX_MSS-legacy
> [!TIP]
> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!-- ADMX_MSS-legacy-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ADMX_MSS-legacy-Editable-End -->
<!-- Pol_MSS_AutoAdminLogon-Begin -->
## Pol_MSS_AutoAdminLogon
<!-- Pol_MSS_AutoAdminLogon-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_AutoAdminLogon-Applicability-End -->
<!-- Pol_MSS_AutoAdminLogon-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_AutoAdminLogon
```
<!-- Pol_MSS_AutoAdminLogon-OmaUri-End -->
<!-- Pol_MSS_AutoAdminLogon-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_AutoAdminLogon-Description-End -->
<!-- Pol_MSS_AutoAdminLogon-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Enable Automatic Logon (not recommended).
<!-- Pol_MSS_AutoAdminLogon-Editable-End -->
<!-- Pol_MSS_AutoAdminLogon-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_AutoAdminLogon-DFProperties-End -->
<!-- Pol_MSS_AutoAdminLogon-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_AutoAdminLogon-AdmxBacked-End -->
<!-- Pol_MSS_AutoAdminLogon-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Pol_MSS_AutoAdminLogon-Examples-End -->
<!-- Pol_MSS_AutoAdminLogon-End -->
<!-- Pol_MSS_AutoReboot-Begin -->
## Pol_MSS_AutoReboot
<!-- Pol_MSS_AutoReboot-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_AutoReboot-Applicability-End -->
<!-- Pol_MSS_AutoReboot-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_AutoReboot
```
<!-- Pol_MSS_AutoReboot-OmaUri-End -->
<!-- Pol_MSS_AutoReboot-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_AutoReboot-Description-End -->
<!-- Pol_MSS_AutoReboot-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Allow Windows to automatically restart after a system crash (recommended except for highly secure environments).
<!-- Pol_MSS_AutoReboot-Editable-End -->
<!-- Pol_MSS_AutoReboot-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_AutoReboot-DFProperties-End -->
<!-- Pol_MSS_AutoReboot-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_AutoReboot-AdmxBacked-End -->
<!-- Pol_MSS_AutoReboot-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Pol_MSS_AutoReboot-Examples-End -->
<!-- Pol_MSS_AutoReboot-End -->
<!-- Pol_MSS_AutoShareServer-Begin -->
## Pol_MSS_AutoShareServer
<!-- Pol_MSS_AutoShareServer-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_AutoShareServer-Applicability-End -->
<!-- Pol_MSS_AutoShareServer-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_AutoShareServer
```
<!-- Pol_MSS_AutoShareServer-OmaUri-End -->
<!-- Pol_MSS_AutoShareServer-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_AutoShareServer-Description-End -->
<!-- Pol_MSS_AutoShareServer-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Enable administrative shares on servers (recommended except for highly secure environments).
<!-- Pol_MSS_AutoShareServer-Editable-End -->
<!-- Pol_MSS_AutoShareServer-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_AutoShareServer-DFProperties-End -->
<!-- Pol_MSS_AutoShareServer-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_AutoShareServer-AdmxBacked-End -->
<!-- Pol_MSS_AutoShareServer-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Pol_MSS_AutoShareServer-Examples-End -->
<!-- Pol_MSS_AutoShareServer-End -->
<!-- Pol_MSS_AutoShareWks-Begin -->
## Pol_MSS_AutoShareWks
<!-- Pol_MSS_AutoShareWks-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_AutoShareWks-Applicability-End -->
<!-- Pol_MSS_AutoShareWks-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_AutoShareWks
```
<!-- Pol_MSS_AutoShareWks-OmaUri-End -->
<!-- Pol_MSS_AutoShareWks-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_AutoShareWks-Description-End -->
<!-- Pol_MSS_AutoShareWks-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Enable administrative shares on workstations (recommended except for highly secure environments).
<!-- Pol_MSS_AutoShareWks-Editable-End -->
<!-- Pol_MSS_AutoShareWks-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_AutoShareWks-DFProperties-End -->
<!-- Pol_MSS_AutoShareWks-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_AutoShareWks-AdmxBacked-End -->
<!-- Pol_MSS_AutoShareWks-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Pol_MSS_AutoShareWks-Examples-End -->
<!-- Pol_MSS_AutoShareWks-End -->
<!-- Pol_MSS_DisableSavePassword-Begin -->
## Pol_MSS_DisableSavePassword
<!-- Pol_MSS_DisableSavePassword-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_DisableSavePassword-Applicability-End -->
<!-- Pol_MSS_DisableSavePassword-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_DisableSavePassword
```
<!-- Pol_MSS_DisableSavePassword-OmaUri-End -->
<!-- Pol_MSS_DisableSavePassword-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_DisableSavePassword-Description-End -->
<!-- Pol_MSS_DisableSavePassword-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Pol_MSS_DisableSavePassword-Editable-End -->
<!-- Pol_MSS_DisableSavePassword-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_DisableSavePassword-DFProperties-End -->
<!-- Pol_MSS_DisableSavePassword-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_DisableSavePassword-AdmxBacked-End -->
<!-- Pol_MSS_DisableSavePassword-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
Prevent the dial-up password from being saved (recommended).
<!-- Pol_MSS_DisableSavePassword-Examples-End -->
<!-- Pol_MSS_DisableSavePassword-End -->
<!-- Pol_MSS_EnableDeadGWDetect-Begin -->
## Pol_MSS_EnableDeadGWDetect
<!-- Pol_MSS_EnableDeadGWDetect-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_EnableDeadGWDetect-Applicability-End -->
<!-- Pol_MSS_EnableDeadGWDetect-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_EnableDeadGWDetect
```
<!-- Pol_MSS_EnableDeadGWDetect-OmaUri-End -->
<!-- Pol_MSS_EnableDeadGWDetect-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_EnableDeadGWDetect-Description-End -->
<!-- Pol_MSS_EnableDeadGWDetect-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Allow automatic detection of dead network gateways (could lead to DoS).
<!-- Pol_MSS_EnableDeadGWDetect-Editable-End -->
<!-- Pol_MSS_EnableDeadGWDetect-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_EnableDeadGWDetect-DFProperties-End -->
<!-- Pol_MSS_EnableDeadGWDetect-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_EnableDeadGWDetect-AdmxBacked-End -->
<!-- Pol_MSS_EnableDeadGWDetect-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Pol_MSS_EnableDeadGWDetect-Examples-End -->
<!-- Pol_MSS_EnableDeadGWDetect-End -->
<!-- Pol_MSS_HideFromBrowseList-Begin -->
## Pol_MSS_HideFromBrowseList
<!-- Pol_MSS_HideFromBrowseList-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_HideFromBrowseList-Applicability-End -->
<!-- Pol_MSS_HideFromBrowseList-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_HideFromBrowseList
```
<!-- Pol_MSS_HideFromBrowseList-OmaUri-End -->
<!-- Pol_MSS_HideFromBrowseList-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_HideFromBrowseList-Description-End -->
<!-- Pol_MSS_HideFromBrowseList-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Hide Computer From the Browse List (not recommended except for highly secure environments).
<!-- Pol_MSS_HideFromBrowseList-Editable-End -->
<!-- Pol_MSS_HideFromBrowseList-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_HideFromBrowseList-DFProperties-End -->
<!-- Pol_MSS_HideFromBrowseList-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_HideFromBrowseList-AdmxBacked-End -->
<!-- Pol_MSS_HideFromBrowseList-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Pol_MSS_HideFromBrowseList-Examples-End -->
<!-- Pol_MSS_HideFromBrowseList-End -->
<!-- Pol_MSS_KeepAliveTime-Begin -->
## Pol_MSS_KeepAliveTime
<!-- Pol_MSS_KeepAliveTime-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_KeepAliveTime-Applicability-End -->
<!-- Pol_MSS_KeepAliveTime-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_KeepAliveTime
```
<!-- Pol_MSS_KeepAliveTime-OmaUri-End -->
<!-- Pol_MSS_KeepAliveTime-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_KeepAliveTime-Description-End -->
<!-- Pol_MSS_KeepAliveTime-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Define how often keep-alive packets are sent in milliseconds.
<!-- Pol_MSS_KeepAliveTime-Editable-End -->
<!-- Pol_MSS_KeepAliveTime-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_KeepAliveTime-DFProperties-End -->
<!-- Pol_MSS_KeepAliveTime-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_KeepAliveTime-AdmxBacked-End -->
<!-- Pol_MSS_KeepAliveTime-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Pol_MSS_KeepAliveTime-Examples-End -->
<!-- Pol_MSS_KeepAliveTime-End -->
<!-- Pol_MSS_NoDefaultExempt-Begin -->
## Pol_MSS_NoDefaultExempt
<!-- Pol_MSS_NoDefaultExempt-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_NoDefaultExempt-Applicability-End -->
<!-- Pol_MSS_NoDefaultExempt-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_NoDefaultExempt
```
<!-- Pol_MSS_NoDefaultExempt-OmaUri-End -->
<!-- Pol_MSS_NoDefaultExempt-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_NoDefaultExempt-Description-End -->
<!-- Pol_MSS_NoDefaultExempt-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Configure IPSec exemptions for various types of network traffic.
<!-- Pol_MSS_NoDefaultExempt-Editable-End -->
<!-- Pol_MSS_NoDefaultExempt-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_NoDefaultExempt-DFProperties-End -->
<!-- Pol_MSS_NoDefaultExempt-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_NoDefaultExempt-AdmxBacked-End -->
<!-- Pol_MSS_NoDefaultExempt-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Pol_MSS_NoDefaultExempt-Examples-End -->
<!-- Pol_MSS_NoDefaultExempt-End -->
<!-- Pol_MSS_NtfsDisable8dot3NameCreation-Begin -->
## Pol_MSS_NtfsDisable8dot3NameCreation
<!-- Pol_MSS_NtfsDisable8dot3NameCreation-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_NtfsDisable8dot3NameCreation-Applicability-End -->
<!-- Pol_MSS_NtfsDisable8dot3NameCreation-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_NtfsDisable8dot3NameCreation
```
<!-- Pol_MSS_NtfsDisable8dot3NameCreation-OmaUri-End -->
<!-- Pol_MSS_NtfsDisable8dot3NameCreation-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_NtfsDisable8dot3NameCreation-Description-End -->
<!-- Pol_MSS_NtfsDisable8dot3NameCreation-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Enable the computer to stop generating 8.3 style filenames.
<!-- Pol_MSS_NtfsDisable8dot3NameCreation-Editable-End -->
<!-- Pol_MSS_NtfsDisable8dot3NameCreation-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_NtfsDisable8dot3NameCreation-DFProperties-End -->
<!-- Pol_MSS_NtfsDisable8dot3NameCreation-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_NtfsDisable8dot3NameCreation-AdmxBacked-End -->
<!-- Pol_MSS_NtfsDisable8dot3NameCreation-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Pol_MSS_NtfsDisable8dot3NameCreation-Examples-End -->
<!-- Pol_MSS_NtfsDisable8dot3NameCreation-End -->
<!-- Pol_MSS_PerformRouterDiscovery-Begin -->
## Pol_MSS_PerformRouterDiscovery
<!-- Pol_MSS_PerformRouterDiscovery-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_PerformRouterDiscovery-Applicability-End -->
<!-- Pol_MSS_PerformRouterDiscovery-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_PerformRouterDiscovery
```
<!-- Pol_MSS_PerformRouterDiscovery-OmaUri-End -->
<!-- Pol_MSS_PerformRouterDiscovery-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_PerformRouterDiscovery-Description-End -->
<!-- Pol_MSS_PerformRouterDiscovery-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS).
<!-- Pol_MSS_PerformRouterDiscovery-Editable-End -->
<!-- Pol_MSS_PerformRouterDiscovery-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_PerformRouterDiscovery-DFProperties-End -->
<!-- Pol_MSS_PerformRouterDiscovery-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_PerformRouterDiscovery-AdmxBacked-End -->
<!-- Pol_MSS_PerformRouterDiscovery-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Pol_MSS_PerformRouterDiscovery-Examples-End -->
<!-- Pol_MSS_PerformRouterDiscovery-End -->
<!-- Pol_MSS_SafeDllSearchMode-Begin -->
## Pol_MSS_SafeDllSearchMode
<!-- Pol_MSS_SafeDllSearchMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_SafeDllSearchMode-Applicability-End -->
<!-- Pol_MSS_SafeDllSearchMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_SafeDllSearchMode
```
<!-- Pol_MSS_SafeDllSearchMode-OmaUri-End -->
<!-- Pol_MSS_SafeDllSearchMode-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_SafeDllSearchMode-Description-End -->
<!-- Pol_MSS_SafeDllSearchMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Enable Safe DLL search mode (recommended).
<!-- Pol_MSS_SafeDllSearchMode-Editable-End -->
<!-- Pol_MSS_SafeDllSearchMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_SafeDllSearchMode-DFProperties-End -->
<!-- Pol_MSS_SafeDllSearchMode-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_SafeDllSearchMode-AdmxBacked-End -->
<!-- Pol_MSS_SafeDllSearchMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Pol_MSS_SafeDllSearchMode-Examples-End -->
<!-- Pol_MSS_SafeDllSearchMode-End -->
<!-- Pol_MSS_ScreenSaverGracePeriod-Begin -->
## Pol_MSS_ScreenSaverGracePeriod
<!-- Pol_MSS_ScreenSaverGracePeriod-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_ScreenSaverGracePeriod-Applicability-End -->
<!-- Pol_MSS_ScreenSaverGracePeriod-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_ScreenSaverGracePeriod
```
<!-- Pol_MSS_ScreenSaverGracePeriod-OmaUri-End -->
<!-- Pol_MSS_ScreenSaverGracePeriod-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_ScreenSaverGracePeriod-Description-End -->
<!-- Pol_MSS_ScreenSaverGracePeriod-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
he time in seconds before the screen saver grace period expires (0 recommended).
<!-- Pol_MSS_ScreenSaverGracePeriod-Editable-End -->
<!-- Pol_MSS_ScreenSaverGracePeriod-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_ScreenSaverGracePeriod-DFProperties-End -->
<!-- Pol_MSS_ScreenSaverGracePeriod-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_ScreenSaverGracePeriod-AdmxBacked-End -->
<!-- Pol_MSS_ScreenSaverGracePeriod-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Pol_MSS_ScreenSaverGracePeriod-Examples-End -->
<!-- Pol_MSS_ScreenSaverGracePeriod-End -->
<!-- Pol_MSS_SynAttackProtect-Begin -->
## Pol_MSS_SynAttackProtect
<!-- Pol_MSS_SynAttackProtect-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_SynAttackProtect-Applicability-End -->
<!-- Pol_MSS_SynAttackProtect-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_SynAttackProtect
```
<!-- Pol_MSS_SynAttackProtect-OmaUri-End -->
<!-- Pol_MSS_SynAttackProtect-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_SynAttackProtect-Description-End -->
<!-- Pol_MSS_SynAttackProtect-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Syn attack protection level (protects against DoS).
<!-- Pol_MSS_SynAttackProtect-Editable-End -->
<!-- Pol_MSS_SynAttackProtect-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_SynAttackProtect-DFProperties-End -->
<!-- Pol_MSS_SynAttackProtect-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_SynAttackProtect-AdmxBacked-End -->
<!-- Pol_MSS_SynAttackProtect-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Pol_MSS_SynAttackProtect-Examples-End -->
<!-- Pol_MSS_SynAttackProtect-End -->
<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-Begin -->
## Pol_MSS_TcpMaxConnectResponseRetransmissions
<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-Applicability-End -->
<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_TcpMaxConnectResponseRetransmissions
```
<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-OmaUri-End -->
<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-Description-End -->
<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
SYN-ACK retransmissions when a connection request is not acknowledged.
<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-Editable-End -->
<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-DFProperties-End -->
<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-AdmxBacked-End -->
<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-Examples-End -->
<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-End -->
<!-- Pol_MSS_TcpMaxDataRetransmissions-Begin -->
## Pol_MSS_TcpMaxDataRetransmissions
<!-- Pol_MSS_TcpMaxDataRetransmissions-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_TcpMaxDataRetransmissions-Applicability-End -->
<!-- Pol_MSS_TcpMaxDataRetransmissions-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_TcpMaxDataRetransmissions
```
<!-- Pol_MSS_TcpMaxDataRetransmissions-OmaUri-End -->
<!-- Pol_MSS_TcpMaxDataRetransmissions-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_TcpMaxDataRetransmissions-Description-End -->
<!-- Pol_MSS_TcpMaxDataRetransmissions-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Define how many times unacknowledged data is retransmitted (3 recommended, 5 is default).
<!-- Pol_MSS_TcpMaxDataRetransmissions-Editable-End -->
<!-- Pol_MSS_TcpMaxDataRetransmissions-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_TcpMaxDataRetransmissions-DFProperties-End -->
<!-- Pol_MSS_TcpMaxDataRetransmissions-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_TcpMaxDataRetransmissions-AdmxBacked-End -->
<!-- Pol_MSS_TcpMaxDataRetransmissions-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Pol_MSS_TcpMaxDataRetransmissions-Examples-End -->
<!-- Pol_MSS_TcpMaxDataRetransmissions-End -->
<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-Begin -->
## Pol_MSS_TcpMaxDataRetransmissionsIPv6
<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-Applicability-End -->
<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_TcpMaxDataRetransmissionsIPv6
```
<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-OmaUri-End -->
<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-Description-End -->
<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Define how many times unacknowledged data is retransmitted (3 recommended, 5 is default).
<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-Editable-End -->
<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-DFProperties-End -->
<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-AdmxBacked-End -->
<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-Examples-End -->
<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-End -->
<!-- Pol_MSS_WarningLevel-Begin -->
## Pol_MSS_WarningLevel
<!-- Pol_MSS_WarningLevel-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_WarningLevel-Applicability-End -->
<!-- Pol_MSS_WarningLevel-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_WarningLevel
```
<!-- Pol_MSS_WarningLevel-OmaUri-End -->
<!-- Pol_MSS_WarningLevel-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_WarningLevel-Description-End -->
<!-- Pol_MSS_WarningLevel-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Percentage threshold for the security event log at which the system will generate a warning.
<!-- Pol_MSS_WarningLevel-Editable-End -->
<!-- Pol_MSS_WarningLevel-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_WarningLevel-DFProperties-End -->
<!-- Pol_MSS_WarningLevel-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_WarningLevel-AdmxBacked-End -->
<!-- Pol_MSS_WarningLevel-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Pol_MSS_WarningLevel-Examples-End -->
<!-- Pol_MSS_WarningLevel-End -->
<!-- ADMX_MSS-legacy-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- ADMX_MSS-legacy-CspMoreInfo-End -->
<!-- ADMX_MSS-legacy-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)

1145
windows/client-management/mdm/policy-csp-admx-qos.md Normal file
View File

File diff suppressed because it is too large Load Diff

113
windows/client-management/mdm/policy-csp-admx-sam.md Normal file
View File

@ -0,0 +1,113 @@
---
title: ADMX_sam Policy CSP
description: Learn more about the ADMX_sam Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 11/29/2022
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- ADMX_sam-Begin -->
# Policy CSP - ADMX_sam
> [!TIP]
> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!-- ADMX_sam-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ADMX_sam-Editable-End -->
<!-- SamNGCKeyROCAValidation-Begin -->
## SamNGCKeyROCAValidation
<!-- SamNGCKeyROCAValidation-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- SamNGCKeyROCAValidation-Applicability-End -->
<!-- SamNGCKeyROCAValidation-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_sam/SamNGCKeyROCAValidation
```
<!-- SamNGCKeyROCAValidation-OmaUri-End -->
<!-- SamNGCKeyROCAValidation-Description-Begin -->
This policy setting allows you to configure how domain controllers handle Windows Hello for Business (WHfB) keys that are vulnerable to the "Return of Coppersmith's attack" (ROCA) vulnerability.
For more information on the ROCA vulnerability, please see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15361
https://en.wikipedia.org/wiki/ROCA_vulnerability
If you enable this policy setting the following options are supported:
Ignore: during authentication the domain controller will not probe any WHfB keys for the ROCA vulnerability.
Audit: during authentication the domain controller will emit audit events for WHfB keys that are subject to the ROCA vulnerability (authentications will still succeed).
Block: during authentication the domain controller will block the use of WHfB keys that are subject to the ROCA vulnerability (authentications will fail).
This setting only takes effect on domain controllers.
If not configured, domain controllers will default to using their local configuration. The default local configuration is Audit.
A reboot is not required for changes to this setting to take effect.
Note: to avoid unexpected disruptions this setting should not be set to Block until appropriate mitigations have been performed, for example patching of vulnerable TPMs.
More information is available at https://go.microsoft.com/fwlink/?linkid=2116430.
<!-- SamNGCKeyROCAValidation-Description-End -->
<!-- SamNGCKeyROCAValidation-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SamNGCKeyROCAValidation-Editable-End -->
<!-- SamNGCKeyROCAValidation-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- SamNGCKeyROCAValidation-DFProperties-End -->
<!-- SamNGCKeyROCAValidation-AdmxBacked-Begin -->
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | SamNGCKeyROCAValidation |
| Friendly Name | Configure validation of ROCA-vulnerable WHfB keys during authentication |
| Location | Computer Configuration |
| Path | System > Security Account Manager |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\SAM |
| ADMX File Name | sam.admx |
<!-- SamNGCKeyROCAValidation-AdmxBacked-End -->
<!-- SamNGCKeyROCAValidation-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- SamNGCKeyROCAValidation-Examples-End -->
<!-- SamNGCKeyROCAValidation-End -->
<!-- ADMX_sam-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- ADMX_sam-CspMoreInfo-End -->
<!-- ADMX_sam-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)

1038
windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md Normal file
View File

File diff suppressed because it is too large Load Diff

80
windows/client-management/mdm/policy-csp-clouddesktop.md Normal file
View File

@ -0,0 +1,80 @@
---
title: CloudDesktop Policy CSP
description: Learn more about the CloudDesktop Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 11/22/2022
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- CloudDesktop-Begin -->
# Policy CSP - CloudDesktop
<!-- CloudDesktop-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- CloudDesktop-Editable-End -->
<!-- BootToCloudMode-Begin -->
## BootToCloudMode
<!-- BootToCloudMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :x: Windows SE | :heavy_check_mark: Windows Insider Preview |
<!-- BootToCloudMode-Applicability-End -->
<!-- BootToCloudMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/CloudDesktop/BootToCloudMode
```
<!-- BootToCloudMode-OmaUri-End -->
<!-- BootToCloudMode-Description-Begin -->
This policy is used by IT admin to set the configuration mode of cloud PC.
<!-- BootToCloudMode-Description-End -->
<!-- BootToCloudMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- BootToCloudMode-Editable-End -->
<!-- BootToCloudMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
| Dependency [OverrideShellProgramDependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Policy/Config/WindowsLogon/OverrideShellProgram` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- BootToCloudMode-DFProperties-End -->
<!-- BootToCloudMode-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Not Configured |
| 1 | Enable Boot to Cloud Desktop |
<!-- BootToCloudMode-AllowedValues-End -->
<!-- BootToCloudMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- BootToCloudMode-Examples-End -->
<!-- BootToCloudMode-End -->
<!-- CloudDesktop-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- CloudDesktop-CspMoreInfo-End -->
<!-- CloudDesktop-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)

79
windows/client-management/mdm/policy-csp-cloudpc.md Normal file
View File

@ -0,0 +1,79 @@
---
title: CloudPC Policy CSP
description: Learn more about the CloudPC Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 11/02/2022
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- CloudPC-Begin -->
# Policy CSP - CloudPC
<!-- CloudPC-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- CloudPC-Editable-End -->
<!-- CloudPCConfiguration-Begin -->
## CloudPCConfiguration
<!-- CloudPCConfiguration-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :x: Pro <br> :x: Enterprise <br> :x: Education <br> :x: Windows SE | :heavy_check_mark: Windows Insider Preview |
<!-- CloudPCConfiguration-Applicability-End -->
<!-- CloudPCConfiguration-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/CloudPC/CloudPCConfiguration
```
<!-- CloudPCConfiguration-OmaUri-End -->
<!-- CloudPCConfiguration-Description-Begin -->
This policy is used by IT admin to set the configuration mode of cloud PC.
<!-- CloudPCConfiguration-Description-End -->
<!-- CloudPCConfiguration-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- CloudPCConfiguration-Editable-End -->
<!-- CloudPCConfiguration-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- CloudPCConfiguration-DFProperties-End -->
<!-- CloudPCConfiguration-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Fast Switching Configuration. |
| 1 | Boot to cloud PC Configuration. |
<!-- CloudPCConfiguration-AllowedValues-End -->
<!-- CloudPCConfiguration-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- CloudPCConfiguration-Examples-End -->
<!-- CloudPCConfiguration-End -->
<!-- CloudPC-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- CloudPC-CspMoreInfo-End -->
<!-- CloudPC-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)

17
windows/client-management/mdm/policy-csp-controlpolicyconflict.md
View File

@ -20,25 +20,16 @@ manager: aaroncz
<!--Policies-->
## ControlPolicyConflict policies
<dl>
<dd>
<a href="#controlpolicyconflict-mdmwinsovergp">ControlPolicyConflict/MDMWinsOverGP</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="controlpolicyconflict-mdmwinsovergp"></a>**ControlPolicyConflict/MDMWinsOverGP**
> [!NOTE]
> This setting doesn't apply to the following types of group policies:
>
> - If they don't map to an MDM policy. For example, firewall policies and account lockout policies.
> - If they aren't defined by an ADMX. For example, Password policy - minimum password age.
> - If they're in the Windows Update category.
> - If they have list entries. For example, the Microsoft Edge CookiesAllowedForUrls policy.
> - If they don't map to an MDM policy. For example, Windows Settings > Security Settings > Public Key Policies.
> - If they are group policies that aren't defined by an ADMX template. For example, Windows Settings > Scripts.
> - If they have list entries. For example, Administrative Templates > Windows Components > ActiveX Installer Service > Approved Installation Sites for ActiveX Controls.
> - If they are in the Windows Update category.
<!--SupportedSKUs-->

5119
windows/client-management/mdm/policy-csp-defender.md
View File

File diff suppressed because it is too large Load Diff

305
windows/client-management/mdm/policy-csp-msslegacy.md
View File

@ -1,211 +1,210 @@
---
title: Policy CSP - MSSLegacy
description: Learn how Policy CSP - MSSLegacy, an ADMX-backed policy, requires a special SyncML format to enable or disable.
title: MSSLegacy Policy CSP
description: Learn more about the MSSLegacy Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.date: 11/29/2022
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: aaroncz
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- MSSLegacy-Begin -->
# Policy CSP - MSSLegacy
<hr/>
<!--Policies-->
## MSSLegacy policies
<dl>
<dd>
<a href="#msslegacy-allowicmpredirectstooverrideospfgeneratedroutes">MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes</a>
</dd>
<dd>
<a href="#msslegacy-allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers">MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers</a>
</dd>
<dd>
<a href="#msslegacy-ipsourceroutingprotectionlevel">MSSLegacy/IPSourceRoutingProtectionLevel</a>
</dd>
<dd>
<a href="#msslegacy-ipv6sourceroutingprotectionlevel">MSSLegacy/IPv6SourceRoutingProtectionLevel</a>
</dd>
</dl>
> [!TIP]
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
<!-- MSSLegacy-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- MSSLegacy-Editable-End -->
<!--Policy-->
<a href="" id="msslegacy-allowicmpredirectstooverrideospfgeneratedroutes"></a>**MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes**
<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-Begin -->
## AllowICMPRedirectsToOverrideOSPFGeneratedRoutes
<!--SupportedSKUs-->
<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-Applicability-End -->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes
```
<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-OmaUri-End -->
<!--/SupportedSKUs-->
<hr/>
<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-Description-Begin -->
<!-- Description-Not-Found -->
<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-Description-End -->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Allow ICMP redirects to override OSPF generated routes.
<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-Editable-End -->
> [!div class = "checklist"]
> * Device
<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-DFProperties-Begin -->
**Description framework properties**:
<hr/>
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-DFProperties-End -->
<!--/Scope-->
<!--Description-->
<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-AdmxBacked-End -->
<!--/Description-->
<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-Examples-End -->
<!--ADMXBacked-->
ADMX Info:
- GP name: *Pol_MSS_EnableICMPRedirect*
- GP ADMX file name: *mss-legacy.admx*
<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-End -->
<!--/ADMXBacked-->
<!--/Policy-->
<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-Begin -->
## AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers
<hr/>
<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-Applicability-End -->
<!--Policy-->
<a href="" id="msslegacy-allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers"></a>**MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers**
<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers
```
<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-OmaUri-End -->
<!--SupportedSKUs-->
<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-Description-Begin -->
<!-- Description-Not-Found -->
<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-Description-End -->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Allow the computer to ignore NetBIOS name release requests except from WINS servers.
<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-Editable-End -->
<!--/SupportedSKUs-->
<hr/>
<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-DFProperties-Begin -->
**Description framework properties**:
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-DFProperties-End -->
> [!div class = "checklist"]
> * Device
<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-AdmxBacked-End -->
<hr/>
<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-Examples-End -->
<!--/Scope-->
<!--Description-->
<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-End -->
<!--/Description-->
<!-- IPSourceRoutingProtectionLevel-Begin -->
## IPSourceRoutingProtectionLevel
<!-- IPSourceRoutingProtectionLevel-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
<!-- IPSourceRoutingProtectionLevel-Applicability-End -->
<!--ADMXBacked-->
ADMX Info:
- GP name: *Pol_MSS_NoNameReleaseOnDemand*
- GP ADMX file name: *mss-legacy.admx*
<!-- IPSourceRoutingProtectionLevel-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/MSSLegacy/IPSourceRoutingProtectionLevel
```
<!-- IPSourceRoutingProtectionLevel-OmaUri-End -->
<!--/ADMXBacked-->
<!--/Policy-->
<!-- IPSourceRoutingProtectionLevel-Description-Begin -->
<!-- Description-Not-Found -->
<!-- IPSourceRoutingProtectionLevel-Description-End -->
<hr/>
<!-- IPSourceRoutingProtectionLevel-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
IP source routing protection level (protects against packet spoofing).
<!-- IPSourceRoutingProtectionLevel-Editable-End -->
<!--Policy-->
<a href="" id="msslegacy-ipsourceroutingprotectionlevel"></a>**MSSLegacy/IPSourceRoutingProtectionLevel**
<!-- IPSourceRoutingProtectionLevel-DFProperties-Begin -->
**Description framework properties**:
<!--SupportedSKUs-->
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- IPSourceRoutingProtectionLevel-DFProperties-End -->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- IPSourceRoutingProtectionLevel-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- IPSourceRoutingProtectionLevel-AdmxBacked-End -->
<!--/SupportedSKUs-->
<hr/>
<!-- IPSourceRoutingProtectionLevel-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- IPSourceRoutingProtectionLevel-Examples-End -->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
<!-- IPSourceRoutingProtectionLevel-End -->
> [!div class = "checklist"]
> * Device
<!-- IPv6SourceRoutingProtectionLevel-Begin -->
## IPv6SourceRoutingProtectionLevel
<hr/>
<!-- IPv6SourceRoutingProtectionLevel-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
<!-- IPv6SourceRoutingProtectionLevel-Applicability-End -->
<!--/Scope-->
<!--Description-->
<!-- IPv6SourceRoutingProtectionLevel-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/MSSLegacy/IPv6SourceRoutingProtectionLevel
```
<!-- IPv6SourceRoutingProtectionLevel-OmaUri-End -->
<!--/Description-->
<!-- IPv6SourceRoutingProtectionLevel-Description-Begin -->
<!-- Description-Not-Found -->
<!-- IPv6SourceRoutingProtectionLevel-Description-End -->
<!--ADMXBacked-->
ADMX Info:
- GP name: *Pol_MSS_DisableIPSourceRouting*
- GP ADMX file name: *mss-legacy.admx*
<!-- IPv6SourceRoutingProtectionLevel-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
IPv6 source routing protection level (protects against packet spoofing).
<!-- IPv6SourceRoutingProtectionLevel-Editable-End -->
<!--/ADMXBacked-->
<!--/Policy-->
<!-- IPv6SourceRoutingProtectionLevel-DFProperties-Begin -->
**Description framework properties**:
<hr/>
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- IPv6SourceRoutingProtectionLevel-DFProperties-End -->
<!--Policy-->
<a href="" id="msslegacy-ipv6sourceroutingprotectionlevel"></a>**MSSLegacy/IPv6SourceRoutingProtectionLevel**
<!-- IPv6SourceRoutingProtectionLevel-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- IPv6SourceRoutingProtectionLevel-AdmxBacked-End -->
<!--SupportedSKUs-->
<!-- IPv6SourceRoutingProtectionLevel-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- IPv6SourceRoutingProtectionLevel-Examples-End -->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- IPv6SourceRoutingProtectionLevel-End -->
<!--/SupportedSKUs-->
<hr/>
<!-- MSSLegacy-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- MSSLegacy-CspMoreInfo-End -->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
<!-- MSSLegacy-End -->
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP name: *Pol_MSS_DisableIPSourceRoutingIPv6*
- GP ADMX file name: *mss-legacy.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--/Policies-->
## Related topics
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)

96
windows/client-management/mdm/policy-csp-settingssync.md Normal file
View File

@ -0,0 +1,96 @@
---
title: SettingsSync Policy CSP
description: Learn more about the SettingsSync Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 11/29/2022
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- SettingsSync-Begin -->
# Policy CSP - SettingsSync
> [!TIP]
> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!-- SettingsSync-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SettingsSync-Editable-End -->
<!-- DisableAccessibilitySettingSync-Begin -->
## DisableAccessibilitySettingSync
<!-- DisableAccessibilitySettingSync-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
<!-- DisableAccessibilitySettingSync-Applicability-End -->
<!-- DisableAccessibilitySettingSync-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SettingsSync/DisableAccessibilitySettingSync
```
<!-- DisableAccessibilitySettingSync-OmaUri-End -->
<!-- DisableAccessibilitySettingSync-Description-Begin -->
Prevent the "accessibility" group from syncing to and from this PC. This turns off and disables the "accessibility" group on the "Windows backup" settings page in PC settings.
If you enable this policy setting, the "accessibility", group will not be synced.
Use the option "Allow users to turn accessibility syncing on" so that syncing is turned off by default but not disabled.
If you do not set or disable this setting, syncing of the "accessibility" group is on by default and configurable by the user.
<!-- DisableAccessibilitySettingSync-Description-End -->
<!-- DisableAccessibilitySettingSync-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DisableAccessibilitySettingSync-Editable-End -->
<!-- DisableAccessibilitySettingSync-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- DisableAccessibilitySettingSync-DFProperties-End -->
<!-- DisableAccessibilitySettingSync-AdmxBacked-Begin -->
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | DisableAccessibilitySettingSync |
| Friendly Name | Do not sync accessibility settings |
| Location | Computer Configuration |
| Path | Windows Components > Sync your settings |
| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync |
| Registry Value Name | DisableAccessibilitySettingSync |
| ADMX File Name | SettingSync.admx |
<!-- DisableAccessibilitySettingSync-AdmxBacked-End -->
<!-- DisableAccessibilitySettingSync-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- DisableAccessibilitySettingSync-Examples-End -->
<!-- DisableAccessibilitySettingSync-End -->
<!-- SettingsSync-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- SettingsSync-CspMoreInfo-End -->
<!-- SettingsSync-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)

79
windows/client-management/mdm/policy-csp-stickers.md Normal file
View File

@ -0,0 +1,79 @@
---
title: Stickers Policy CSP
description: Learn more about the Stickers Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 11/02/2022
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- Stickers-Begin -->
# Policy CSP - Stickers
<!-- Stickers-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Stickers-Editable-End -->
<!-- EnableStickers-Begin -->
## EnableStickers
<!-- EnableStickers-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :x: Pro <br> :x: Enterprise <br> :x: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
<!-- EnableStickers-Applicability-End -->
<!-- EnableStickers-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Stickers/EnableStickers
```
<!-- EnableStickers-OmaUri-End -->
<!-- EnableStickers-Description-Begin -->
This policy setting allows you to control whether you want to allow stickers to be edited and placed on Desktop
<!-- EnableStickers-Description-End -->
<!-- EnableStickers-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableStickers-Editable-End -->
<!-- EnableStickers-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- EnableStickers-DFProperties-End -->
<!-- EnableStickers-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- EnableStickers-AllowedValues-End -->
<!-- EnableStickers-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableStickers-Examples-End -->
<!-- EnableStickers-End -->
<!-- Stickers-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- Stickers-CspMoreInfo-End -->
<!-- Stickers-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)

80
windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md Normal file
View File

@ -0,0 +1,80 @@
---
title: TenantDefinedTelemetry Policy CSP
description: Learn more about the TenantDefinedTelemetry Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 11/02/2022
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- TenantDefinedTelemetry-Begin -->
# Policy CSP - TenantDefinedTelemetry
<!-- TenantDefinedTelemetry-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- TenantDefinedTelemetry-Editable-End -->
<!-- CustomTelemetryId-Begin -->
## CustomTelemetryId
<!-- CustomTelemetryId-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :x: Pro <br> :x: Enterprise <br> :x: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
<!-- CustomTelemetryId-Applicability-End -->
<!-- CustomTelemetryId-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/TenantDefinedTelemetry/CustomTelemetryId
```
<!-- CustomTelemetryId-OmaUri-End -->
<!-- CustomTelemetryId-Description-Begin -->
This policy is used to let mission control what type of Edition we are currently in.
<!-- CustomTelemetryId-Description-End -->
<!-- CustomTelemetryId-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- CustomTelemetryId-Editable-End -->
<!-- CustomTelemetryId-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- CustomTelemetryId-DFProperties-End -->
<!-- CustomTelemetryId-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Base |
| 1 | Education |
| 2 | Commercial |
<!-- CustomTelemetryId-AllowedValues-End -->
<!-- CustomTelemetryId-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- CustomTelemetryId-Examples-End -->
<!-- CustomTelemetryId-End -->
<!-- TenantDefinedTelemetry-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- TenantDefinedTelemetry-CspMoreInfo-End -->
<!-- TenantDefinedTelemetry-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)

98
windows/client-management/mdm/policy-csp-tenantrestrictions.md Normal file
View File

@ -0,0 +1,98 @@
---
title: TenantRestrictions Policy CSP
description: Learn more about the TenantRestrictions Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 11/29/2022
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- TenantRestrictions-Begin -->
# Policy CSP - TenantRestrictions
> [!TIP]
> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!-- TenantRestrictions-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- TenantRestrictions-Editable-End -->
<!-- ConfigureTenantRestrictions-Begin -->
## ConfigureTenantRestrictions
<!-- ConfigureTenantRestrictions-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.320] and later <br> :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1320] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1320] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1320] and later <br> :heavy_check_mark: Windows 10, version 21H2 [10.0.19044] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- ConfigureTenantRestrictions-Applicability-End -->
<!-- ConfigureTenantRestrictions-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/TenantRestrictions/ConfigureTenantRestrictions
```
<!-- ConfigureTenantRestrictions-OmaUri-End -->
<!-- ConfigureTenantRestrictions-Description-Begin -->
This setting enables and configures the device-based tenant restrictions feature for Azure Active Directory.
When you enable this setting, compliant applications will be prevented from accessing disallowed tenants, according to a policy set in your Azure AD tenant.
Note: Creation of a policy in your home tenant is required, and additional security measures for managed devices are recommended for best protection. Refer to Azure AD Tenant Restrictions for more details.
https://go.microsoft.com/fwlink/?linkid=2148762
Before enabling firewall protection, ensure that a Windows Defender Application Control (WDAC) policy that correctly tags applications has been applied to the target devices. Enabling firewall protection without a corresponding WDAC policy will prevent all applications from reaching Microsoft endpoints. This firewall setting is not supported on all versions of Windows - see the following link for more information.
For details about setting up WDAC with tenant restrictions, see https://go.microsoft.com/fwlink/?linkid=2155230
<!-- ConfigureTenantRestrictions-Description-End -->
<!-- ConfigureTenantRestrictions-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureTenantRestrictions-Editable-End -->
<!-- ConfigureTenantRestrictions-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- ConfigureTenantRestrictions-DFProperties-End -->
<!-- ConfigureTenantRestrictions-AdmxBacked-Begin -->
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | trv2_payload |
| Friendly Name | Cloud Policy Details |
| Location | Computer Configuration |
| Path | Windows Components > Tenant Restrictions |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload |
| ADMX File Name | TenantRestrictions.admx |
<!-- ConfigureTenantRestrictions-AdmxBacked-End -->
<!-- ConfigureTenantRestrictions-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureTenantRestrictions-Examples-End -->
<!-- ConfigureTenantRestrictions-End -->
<!-- TenantRestrictions-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- TenantRestrictions-CspMoreInfo-End -->
<!-- TenantRestrictions-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)

23
windows/client-management/mdm/policy-csp-update.md
View File

@ -2988,6 +2988,9 @@ The table below shows the applicability of Windows:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy will only take effect if <a href="#update-allowautoupdate">Update/AllowAutoUpdate</a> has been configured to option 3 or 4 for scheduled installation.
Enables the IT admin to schedule the day of the update installation.
Supported data type is an integer.
@ -3049,6 +3052,9 @@ The table below shows the applicability of Windows:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy will only take effect if <a href="#update-allowautoupdate">Update/AllowAutoUpdate</a> has been configured to option 3 or 4 for scheduled installation.
Enables the IT admin to schedule the update installation on every week.
Supported Value type is integer.
@ -3100,6 +3106,9 @@ The table below shows the applicability of Windows:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy will only take effect if <a href="#update-allowautoupdate">Update/AllowAutoUpdate</a> has been configured to option 3 or 4 for scheduled installation.
Enables the IT admin to schedule the update installation on the first week of the month.
Supported value type is integer.
@ -3151,6 +3160,9 @@ The table below shows the applicability of Windows:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy will only take effect if <a href="#update-allowautoupdate">Update/AllowAutoUpdate</a> has been configured to option 3 or 4 for scheduled installation.
Enables the IT admin to schedule the update installation on the fourth week of the month.
Supported value type is integer.
@ -3202,9 +3214,12 @@ The table below shows the applicability of Windows:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy will only take effect if <a href="#update-allowautoupdate">Update/AllowAutoUpdate</a> has been configured to option 3 or 4 for scheduled installation.
Enables the IT admin to schedule the update installation on the second week of the month.
Supported vlue type is integer.
Supported value type is integer.
Supported values:
@ -3254,6 +3269,9 @@ The table below shows the applicability of Windows:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy will only take effect if <a href="#update-allowautoupdate">Update/AllowAutoUpdate</a> has been configured to option 3 or 4 for scheduled installation.
Enables the IT admin to schedule the update installation on the third week of the month.
Supported value type is integer.
@ -3305,6 +3323,9 @@ The table below shows the applicability of Windows:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy will only take effect if <a href="#update-allowautoupdate">Update/AllowAutoUpdate</a> has been configured to option 3 or 4 for scheduled installation.
Enables the IT admin to schedule the time of the update installation. Note that there is a window of approximately 30 minutes to allow for higher success rates of installation.
The supported data type is an integer.

813
windows/client-management/mdm/policy-csp-windowslogon.md
View File

@ -1,267 +1,264 @@
---
title: Policy CSP - WindowsLogon
description: Use the Policy CSP - WindowsLogon setting to control whether a device automatically signs in and locks the last interactive user after the system restarts.
title: WindowsLogon Policy CSP
description: Learn more about the WindowsLogon Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.date: 11/29/2022
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: aaroncz
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- WindowsLogon-Begin -->
# Policy CSP - WindowsLogon
<hr/>
<!--Policies-->
## WindowsLogon policies
<dl>
<dd>
<a href="#windowslogon-allowautomaticrestartsignon">WindowsLogon/AllowAutomaticRestartSignOn</a>
</dd>
<dd>
<a href="#windowslogon-configautomaticrestartsignon">WindowsLogon/ConfigAutomaticRestartSignOn</a>
</dd>
<dd>
<a href="#windowslogon-disablelockscreenappnotifications">WindowsLogon/DisableLockScreenAppNotifications</a>
</dd>
<dd>
<a href="#windowslogon-dontdisplaynetworkselectionui">WindowsLogon/DontDisplayNetworkSelectionUI</a>
</dd>
<dd>
<a href="#windowslogon-enablefirstlogonanimation">WindowsLogon/EnableFirstLogonAnimation</a>
</dd>
<dd>
<a href="#windowslogon-enablemprnotifications">WindowsLogon/EnableMPRNotifications</a>
</dd>
<dd>
<a href="#windowslogon-enumeratelocalusersondomainjoinedcomputers">WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers</a>
</dd>
<dd>
<a href="#windowslogon-hidefastuserswitching">WindowsLogon/HideFastUserSwitching</a>
</dd>
</dl>
> [!TIP]
> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
<!-- WindowsLogon-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- WindowsLogon-Editable-End -->
<!--Policy-->
<a href="" id="windowslogon-allowautomaticrestartsignon"></a>**WindowsLogon/AllowAutomaticRestartSignOn**
<!-- AllowAutomaticRestartSignOn-Begin -->
## AllowAutomaticRestartSignOn
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
<!-- AllowAutomaticRestartSignOn-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
<!-- AllowAutomaticRestartSignOn-Applicability-End -->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- AllowAutomaticRestartSignOn-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsLogon/AllowAutomaticRestartSignOn
```
<!-- AllowAutomaticRestartSignOn-OmaUri-End -->
<!--/SupportedSKUs-->
<hr/>
<!-- AllowAutomaticRestartSignOn-Description-Begin -->
This policy setting controls whether a device will automatically sign in and lock the last interactive user after the system restarts or after a shutdown and cold boot.
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
This only occurs if the last interactive user didnt sign out before the restart or shutdown.
> [!div class = "checklist"]
> * Device
If the device is joined to Active Directory or Azure Active Directory, this policy only applies to Windows Update restarts. Otherwise, this will apply to both Windows Update restarts and user-initiated restarts and shutdowns.
<hr/>
If you dont configure this policy setting, it is enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots.
<!--/Scope-->
<!--Description-->
This policy setting controls whether a device automatically signs in and locks the last interactive user after the system restarts or after a shutdown and cold boot.
After enabling this policy, you can configure its settings through the ConfigAutomaticRestartSignOn policy, which configures the mode of automatically signing in and locking the last interactive user after a restart or cold boot.
This scenario occurs only if the last interactive user didn't sign out before the restart or shutdown.
If you disable this policy setting, the device does not configure automatic sign in. The users lock screen apps are not restarted after the system restarts.
<!-- AllowAutomaticRestartSignOn-Description-End -->
If the device is joined to Active Directory or Azure Active Directory, this policy applies only to Windows Update restarts. Otherwise, this policy applies to both Windows Update restarts and user-initiated restarts and shutdowns.
<!-- AllowAutomaticRestartSignOn-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AllowAutomaticRestartSignOn-Editable-End -->
If you don't configure this policy setting, it's enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots.
<!-- AllowAutomaticRestartSignOn-DFProperties-Begin -->
**Description framework properties**:
After enabling this policy, you can configure its settings through the [ConfigAutomaticRestartSignOn](#windowslogon-configautomaticrestartsignon) policy, which configures the mode of automatically signing in and locking the last interactive user after a restart or cold boot.
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- AllowAutomaticRestartSignOn-DFProperties-End -->
If you disable this policy setting, the device doesn't configure automatic sign in. The users lock screen apps aren't restarted after the system restarts.
<!-- AllowAutomaticRestartSignOn-AdmxBacked-Begin -->
**ADMX mapping**:
<!--/Description-->
| Name | Value |
|:--|:--|
| Name | AutomaticRestartSignOnDescription |
| Friendly Name | Sign-in and lock last interactive user automatically after a restart |
| Location | Computer Configuration |
| Path | Windows Components > Windows Logon Options |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
| Registry Value Name | DisableAutomaticRestartSignOn |
| ADMX File Name | WinLogon.admx |
<!-- AllowAutomaticRestartSignOn-AdmxBacked-End -->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Sign-in and lock last interactive user automatically after a restart*
- GP name: *AutomaticRestartSignOn*
- GP path: *Windows Components/Windows Logon Options*
- GP ADMX file name: *WinLogon.admx*
<!-- AllowAutomaticRestartSignOn-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowAutomaticRestartSignOn-Examples-End -->
<!--/ADMXBacked-->
<!--SupportedValues-->
<!-- AllowAutomaticRestartSignOn-End -->
<!--/SupportedValues-->
<!--Example-->
<!-- ConfigAutomaticRestartSignOn-Begin -->
## ConfigAutomaticRestartSignOn
<!--/Example-->
<!--Validation-->
<!-- ConfigAutomaticRestartSignOn-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
<!-- ConfigAutomaticRestartSignOn-Applicability-End -->
<!--/Validation-->
<!--/Policy-->
<!-- ConfigAutomaticRestartSignOn-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsLogon/ConfigAutomaticRestartSignOn
```
<!-- ConfigAutomaticRestartSignOn-OmaUri-End -->
<hr/>
<!--Policy-->
<a href="" id="windowslogon-configautomaticrestartsignon"></a>**WindowsLogon/ConfigAutomaticRestartSignOn**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls the configuration under which an automatic restart, sign in, and lock occurs after a restart or cold boot. If you chose “Disabled” in the [AllowAutomaticRestartSignOn](#windowslogon-allowautomaticrestartsignon) policy, then automatic sign in doesn't occur and this policy need not be configured.
<!-- ConfigAutomaticRestartSignOn-Description-Begin -->
This policy setting controls the configuration under which an automatic restart and sign on and lock occurs after a restart or cold boot. If you chose “Disabled” in the “Sign-in and lock last interactive user automatically after a restart” policy, then automatic sign on will not occur and this policy does not need to be configured.
If you enable this policy setting, you can choose one of the following two options:
- Enabled if BitLocker is on and not suspended: Specifies that automatic sign in and lock occurs only if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the devices hard drive at this time if BitLocker isn't on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components.
1. “Enabled if BitLocker is on and not suspended” specifies that automatic sign on and lock will only occur if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the devices hard drive at this time if BitLocker is not on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components.
BitLocker is suspended during updates if:
- The device doesn't have TPM 2.0 and PCR7
- The device doesn't use a TPM-only protector
- Always Enabled: Specifies that automatic sign in happens even if BitLocker is off or suspended during reboot or shutdown. When BitLocker isn't enabled, personal data is accessible on the hard drive. Automatic restart and sign in should only be run under this condition if you're confident that the configured device is in a secure physical location.
- The device doesnt have TPM 2.0 and PCR7, or
- The device doesnt use a TPM-only protector
2. “Always Enabled” specifies that automatic sign on will happen even if BitLocker is off or suspended during reboot or shutdown. When BitLocker is not enabled, personal data is accessible on the hard drive. Automatic restart and sign on should only be run under this condition if you are confident that the configured device is in a secure physical location.
If you disable or don't configure this setting, automatic sign in defaults to the “Enabled if BitLocker is on and not suspended” behavior.
If you disable or dont configure this setting, automatic sign on will default to the “Enabled if BitLocker is on and not suspended” behavior.
<!-- ConfigAutomaticRestartSignOn-Description-End -->
<!--/Description-->
<!-- ConfigAutomaticRestartSignOn-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigAutomaticRestartSignOn-Editable-End -->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot*
- GP name: *ConfigAutomaticRestartSignOn*
- GP path: *Windows Components/Windows Logon Options*
- GP ADMX file name: *WinLogon.admx*
<!-- ConfigAutomaticRestartSignOn-DFProperties-Begin -->
**Description framework properties**:
<!--/ADMXBacked-->
<!--SupportedValues-->
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- ConfigAutomaticRestartSignOn-DFProperties-End -->
<!--/SupportedValues-->
<!--Example-->
<!-- ConfigAutomaticRestartSignOn-AdmxBacked-Begin -->
**ADMX mapping**:
<!--/Example-->
<!--Validation-->
| Name | Value |
|:--|:--|
| Name | ConfigAutomaticRestartSignOnDescription |
| Friendly Name | Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot |
| Location | Computer Configuration |
| Path | Windows Components > Windows Logon Options |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
| ADMX File Name | WinLogon.admx |
<!-- ConfigAutomaticRestartSignOn-AdmxBacked-End -->
<!--/Validation-->
<!--/Policy-->
<!-- ConfigAutomaticRestartSignOn-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigAutomaticRestartSignOn-Examples-End -->
<hr/>
<!-- ConfigAutomaticRestartSignOn-End -->
<!--Policy-->
<a href="" id="windowslogon-disablelockscreenappnotifications"></a>**WindowsLogon/DisableLockScreenAppNotifications**
<!-- DisableLockScreenAppNotifications-Begin -->
## DisableLockScreenAppNotifications
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
<!-- DisableLockScreenAppNotifications-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
<!-- DisableLockScreenAppNotifications-Applicability-End -->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- DisableLockScreenAppNotifications-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsLogon/DisableLockScreenAppNotifications
```
<!-- DisableLockScreenAppNotifications-OmaUri-End -->
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!-- DisableLockScreenAppNotifications-Description-Begin -->
This policy setting allows you to prevent app notifications from appearing on the lock screen.
If you enable this policy setting, no app notifications are displayed on the lock screen.
If you disable or don't configure this policy setting, users can choose which apps display notifications on the lock screen.
If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen.
<!-- DisableLockScreenAppNotifications-Description-End -->
<!--/Description-->
<!-- DisableLockScreenAppNotifications-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DisableLockScreenAppNotifications-Editable-End -->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Turn off app notifications on the lock screen*
- GP name: *DisableLockScreenAppNotifications*
- GP path: *System/Logon*
- GP ADMX file name: *logon.admx*
<!-- DisableLockScreenAppNotifications-DFProperties-Begin -->
**Description framework properties**:
<!--/ADMXBacked-->
<!--/Policy-->
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- DisableLockScreenAppNotifications-DFProperties-End -->
<hr/>
<!-- DisableLockScreenAppNotifications-AdmxBacked-Begin -->
**ADMX mapping**:
<!--Policy-->
<a href="" id="windowslogon-dontdisplaynetworkselectionui"></a>**WindowsLogon/DontDisplayNetworkSelectionUI**
| Name | Value |
|:--|:--|
| Name | DisableLockScreenAppNotifications |
| Friendly Name | Turn off app notifications on the lock screen |
| Location | Computer Configuration |
| Path | System > Logon |
| Registry Key Name | Software\Policies\Microsoft\Windows\System |
| Registry Value Name | DisableLockScreenAppNotifications |
| ADMX File Name | Logon.admx |
<!-- DisableLockScreenAppNotifications-AdmxBacked-End -->
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
<!-- DisableLockScreenAppNotifications-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- DisableLockScreenAppNotifications-Examples-End -->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- DisableLockScreenAppNotifications-End -->
<!--/SupportedSKUs-->
<hr/>
<!-- DontDisplayNetworkSelectionUI-Begin -->
## DontDisplayNetworkSelectionUI
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
<!-- DontDisplayNetworkSelectionUI-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
<!-- DontDisplayNetworkSelectionUI-Applicability-End -->
> [!div class = "checklist"]
> * Device
<!-- DontDisplayNetworkSelectionUI-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsLogon/DontDisplayNetworkSelectionUI
```
<!-- DontDisplayNetworkSelectionUI-OmaUri-End -->
<hr/>
<!-- DontDisplayNetworkSelectionUI-Description-Begin -->
This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen.
<!--/Scope-->
<!--Description-->
This policy setting allows you to control whether anyone can interact with available networks UI on the sign-in screen.
If you enable this policy setting, the PC's network connectivity state can't be changed without signing into Windows.
If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows.
If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows.
<!-- DontDisplayNetworkSelectionUI-Description-End -->
<!-- DontDisplayNetworkSelectionUI-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DontDisplayNetworkSelectionUI-Editable-End -->
<!-- DontDisplayNetworkSelectionUI-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- DontDisplayNetworkSelectionUI-DFProperties-End -->
<!-- DontDisplayNetworkSelectionUI-AdmxBacked-Begin -->
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | DontDisplayNetworkSelectionUI |
| Friendly Name | Do not display network selection UI |
| Location | Computer Configuration |
| Path | System > Logon |
| Registry Key Name | Software\Policies\Microsoft\Windows\System |
| Registry Value Name | DontDisplayNetworkSelectionUI |
| ADMX File Name | Logon.admx |
<!-- DontDisplayNetworkSelectionUI-AdmxBacked-End -->
<!-- DontDisplayNetworkSelectionUI-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
**Example**:
Here's an example to enable this policy:
@ -287,236 +284,314 @@ Here's an example to enable this policy:
</SyncBody>
</SyncML>
```
<!-- DontDisplayNetworkSelectionUI-Examples-End -->
<!--/Description-->
<!-- DontDisplayNetworkSelectionUI-End -->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Do not display network selection UI*
- GP name: *DontDisplayNetworkSelectionUI*
- GP path: *System/Logon*
- GP ADMX file name: *logon.admx*
<!-- EnableFirstLogonAnimation-Begin -->
## EnableFirstLogonAnimation
<!--/ADMXBacked-->
<!--/Policy-->
<!-- EnableFirstLogonAnimation-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
<!-- EnableFirstLogonAnimation-Applicability-End -->
<hr/>
<!-- EnableFirstLogonAnimation-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsLogon/EnableFirstLogonAnimation
```
<!-- EnableFirstLogonAnimation-OmaUri-End -->
<!--Policy-->
<a href="" id="windowslogon-enablefirstlogonanimation"></a>**WindowsLogon/EnableFirstLogonAnimation**
<!-- EnableFirstLogonAnimation-Description-Begin -->
This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the first time. This applies to both the first user of the computer who completes the initial setup and users who are added to the computer later. It also controls if Microsoft account users will be offered the opt-in prompt for services during their first sign-in.
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
If you enable this policy setting, Microsoft account users will see the opt-in prompt for services, and users with other accounts will see the sign-in animation.
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
If you disable this policy setting, users will not see the animation and Microsoft account users will not see the opt-in prompt for services.
<!--/SupportedSKUs-->
<hr/>
If you do not configure this policy setting, the user who completes the initial Windows setup will see the animation during their first sign-in. If the first user had already completed the initial setup and this policy setting is not configured, users new to this computer will not see the animation.
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
Note: The first sign-in animation will not be shown on Server, so this policy will have no effect.
<!-- EnableFirstLogonAnimation-Description-End -->
> [!div class = "checklist"]
> * Device
<!-- EnableFirstLogonAnimation-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableFirstLogonAnimation-Editable-End -->
<hr/>
<!-- EnableFirstLogonAnimation-DFProperties-Begin -->
**Description framework properties**:
<!--/Scope-->
<!--Description-->
This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the first time. This view applies to both the first user of the computer who completes the initial setup and users who are added to the computer later. It also controls if Microsoft account users are offered the opt-in prompt for services during their first sign-in.
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- EnableFirstLogonAnimation-DFProperties-End -->
If you enable this policy setting, Microsoft account users see the opt-in prompt for services, and users with other accounts see the sign-in animation.
<!-- EnableFirstLogonAnimation-AllowedValues-Begin -->
**Allowed values**:
If you disable this policy setting, users don't see the animation and Microsoft account users don't see the opt-in prompt for services.
| Value | Description |
|:--|:--|
| 0 | Disabled. |
| 1 (Default) | Enabled. |
<!-- EnableFirstLogonAnimation-AllowedValues-End -->
If you don't configure this policy setting, the user who completes the initial Windows setup see the animation during their first sign-in. If the first user had already completed the initial setup and this policy setting isn't configured, users new to this computer don't see the animation.
<!-- EnableFirstLogonAnimation-GpMapping-Begin -->
**Group policy mapping**:
> [!NOTE]
> The first sign-in animation isn't displayed on Server, so this policy has no effect.
| Name | Value |
|:--|:--|
| Name | EnableFirstLogonAnimation |
| Friendly Name | Show first sign-in animation |
| Location | Computer Configuration |
| Path | System > Logon |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
| Registry Value Name | EnableFirstLogonAnimation |
| ADMX File Name | Logon.admx |
<!-- EnableFirstLogonAnimation-GpMapping-End -->
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Show first sign-in animation*
- GP name: *EnableFirstLogonAnimation*
- GP path: *System/Logon*
- GP ADMX file name: *Logon.admx*
<!-- EnableFirstLogonAnimation-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableFirstLogonAnimation-Examples-End -->
<!--/ADMXMapped-->
<!--SupportedValues-->
Supported values:
- 0 - disabled
- 1 - enabled
<!--/SupportedValues-->
<!--Example-->
<!-- EnableFirstLogonAnimation-End -->
<!--/Example-->
<!--Validation-->
<!-- EnableMPRNotifications-Begin -->
## EnableMPRNotifications
<!--/Validation-->
<!--/Policy-->
<!-- EnableMPRNotifications-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
<!-- EnableMPRNotifications-Applicability-End -->
<hr/>
<!-- EnableMPRNotifications-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsLogon/EnableMPRNotifications
```
<!-- EnableMPRNotifications-OmaUri-End -->
<!--Policy-->
<a href="" id="windowslogon-enablemprnotifications"></a>**WindowsLogon/EnableMPRNotifications**
<!-- EnableMPRNotifications-Description-Begin -->
This policy controls the configuration under which winlogon sends MPR notifications in the system.
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
If you enable this setting or do not configure it, winlogon sends MPR notifications if a credential manager is configured.
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
If you disable this setting, winlogon does not send MPR notifications.
<!-- EnableMPRNotifications-Description-End -->
<!--/SupportedSKUs-->
<hr/>
<!-- EnableMPRNotifications-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableMPRNotifications-Editable-End -->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
<!-- EnableMPRNotifications-DFProperties-Begin -->
**Description framework properties**:
> [!div class = "checklist"]
> * Device
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- EnableMPRNotifications-DFProperties-End -->
<hr/>
<!-- EnableMPRNotifications-AdmxBacked-Begin -->
**ADMX mapping**:
<!--/Scope-->
<!--Description-->
This policy allows winlogon to send MPR notifications in the system if a credential manager is configured.
| Name | Value |
|:--|:--|
| Name | EnableMPRNotifications |
| Friendly Name | Enable MPR notifications for the system |
| Location | Computer Configuration |
| Path | Windows Components > Windows Logon Options |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
| Registry Value Name | EnableMPR |
| ADMX File Name | WinLogon.admx |
<!-- EnableMPRNotifications-AdmxBacked-End -->
If you disable (0), MPR notifications will not be sent by winlogon.
<!-- EnableMPRNotifications-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableMPRNotifications-Examples-End -->
If you enable (1) or do not configure this policy setting this policy, MPR notifications will be sent by winlogon.
<!-- EnableMPRNotifications-End -->
<!--/Description-->
<!--SupportedValues-->
Supported values:
<!-- EnumerateLocalUsersOnDomainJoinedComputers-Begin -->
## EnumerateLocalUsersOnDomainJoinedComputers
- 0 - disabled
- 1 (default)- enabled
<!--/SupportedValues-->
<!-- EnumerateLocalUsersOnDomainJoinedComputers-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
<!-- EnumerateLocalUsersOnDomainJoinedComputers-Applicability-End -->
<!--/Policy-->
<!-- EnumerateLocalUsersOnDomainJoinedComputers-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers
```
<!-- EnumerateLocalUsersOnDomainJoinedComputers-OmaUri-End -->
<hr/>
<!--Policy-->
<a href="" id="windowslogon-enumeratelocalusersondomainjoinedcomputers"></a>**WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!-- EnumerateLocalUsersOnDomainJoinedComputers-Description-Begin -->
This policy setting allows local users to be enumerated on domain-joined computers.
If you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers.
If you disable or don't configure this policy setting, the Logon UI won't enumerate local users on domain-joined computers.
If you disable or do not configure this policy setting, the Logon UI will not enumerate local users on domain-joined computers.
<!-- EnumerateLocalUsersOnDomainJoinedComputers-Description-End -->
<!--/Description-->
<!-- EnumerateLocalUsersOnDomainJoinedComputers-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnumerateLocalUsersOnDomainJoinedComputers-Editable-End -->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Enumerate local users on domain-joined computers*
- GP name: *EnumerateLocalUsers*
- GP path: *System/Logon*
- GP ADMX file name: *logon.admx*
<!-- EnumerateLocalUsersOnDomainJoinedComputers-DFProperties-Begin -->
**Description framework properties**:
<!--/ADMXBacked-->
<!--/Policy-->
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- EnumerateLocalUsersOnDomainJoinedComputers-DFProperties-End -->
<hr/>
<!-- EnumerateLocalUsersOnDomainJoinedComputers-AdmxBacked-Begin -->
**ADMX mapping**:
<!--Policy-->
<a href="" id="windowslogon-hidefastuserswitching"></a>**WindowsLogon/HideFastUserSwitching**
| Name | Value |
|:--|:--|
| Name | EnumerateLocalUsers |
| Friendly Name | Enumerate local users on domain-joined computers |
| Location | Computer Configuration |
| Path | System > Logon |
| Registry Key Name | Software\Policies\Microsoft\Windows\System |
| Registry Value Name | EnumerateLocalUsers |
| ADMX File Name | Logon.admx |
<!-- EnumerateLocalUsersOnDomainJoinedComputers-AdmxBacked-End -->
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
<!-- EnumerateLocalUsersOnDomainJoinedComputers-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnumerateLocalUsersOnDomainJoinedComputers-Examples-End -->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- EnumerateLocalUsersOnDomainJoinedComputers-End -->
<!--/SupportedSKUs-->
<hr/>
<!-- HideFastUserSwitching-Begin -->
## HideFastUserSwitching
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
<!-- HideFastUserSwitching-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
<!-- HideFastUserSwitching-Applicability-End -->
> [!div class = "checklist"]
> * Device
<!-- HideFastUserSwitching-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsLogon/HideFastUserSwitching
```
<!-- HideFastUserSwitching-OmaUri-End -->
<hr/>
<!-- HideFastUserSwitching-Description-Begin -->
This policy setting allows you to hide the Switch User interface in the Logon UI, the Start menu and the Task Manager.
<!--/Scope-->
<!--Description-->
This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or don't configure this policy setting, the Switch account button is accessible to the user in the three locations.
If you enable this policy setting, the Switch User interface is hidden from the user who is attempting to log on or is logged on to the computer that has this policy applied.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Hide entry points for Fast User Switching*
- GP name: *HideFastUserSwitching*
- GP path: *System/Logon*
- GP ADMX file name: *Logon.admx*
The locations that Switch User interface appear are in the Logon UI, the Start menu and the Task Manager.
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
If you disable or do not configure this policy setting, the Switch User interface is accessible to the user in the three locations.
<!-- HideFastUserSwitching-Description-End -->
- 0 (default) - Disabled (visible).
- 1 - Enabled (hidden).
<!-- HideFastUserSwitching-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- HideFastUserSwitching-Editable-End -->
<!--/SupportedValues-->
<!--Validation-->
To validate on Desktop, do the following steps:
<!-- HideFastUserSwitching-DFProperties-Begin -->
**Description framework properties**:
1. Enable policy.
2. Verify that the Switch account button in Start is hidden.
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- HideFastUserSwitching-DFProperties-End -->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!-- HideFastUserSwitching-AllowedValues-Begin -->
**Allowed values**:
<!--/Policies-->
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled (visible). |
| 1 | Enabled (hidden). |
<!-- HideFastUserSwitching-AllowedValues-End -->
## Related topics
<!-- HideFastUserSwitching-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | HideFastUserSwitching |
| Friendly Name | Hide entry points for Fast User Switching |
| Location | Computer Configuration |
| Path | System > Logon |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
| Registry Value Name | HideFastUserSwitching |
| ADMX File Name | Logon.admx |
<!-- HideFastUserSwitching-GpMapping-End -->
<!-- HideFastUserSwitching-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- HideFastUserSwitching-Examples-End -->
<!-- HideFastUserSwitching-End -->
<!-- OverrideShellProgram-Begin -->
## OverrideShellProgram
<!-- OverrideShellProgram-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
<!-- OverrideShellProgram-Applicability-End -->
<!-- OverrideShellProgram-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsLogon/OverrideShellProgram
```
<!-- OverrideShellProgram-OmaUri-End -->
<!-- OverrideShellProgram-Description-Begin -->
This policy is used by IT admin to override the registry based shell program.
<!-- OverrideShellProgram-Description-End -->
<!-- OverrideShellProgram-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- OverrideShellProgram-Editable-End -->
<!-- OverrideShellProgram-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- OverrideShellProgram-DFProperties-End -->
<!-- OverrideShellProgram-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Not Configured |
| 1 | Apply Lightweight shell |
<!-- OverrideShellProgram-AllowedValues-End -->
<!-- OverrideShellProgram-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- OverrideShellProgram-Examples-End -->
<!-- OverrideShellProgram-End -->
<!-- WindowsLogon-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- WindowsLogon-CspMoreInfo-End -->
<!-- WindowsLogon-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)

34
windows/client-management/mdm/toc.yml
View File

@ -1,5 +1,5 @@
items:
- name: Configuration service provider reference
- name: Configuration service provider reference
href: index.yml
expanded: true
items:
@ -128,8 +128,6 @@ items:
href: policy-csp-admx-eaime.md
- name: ADMX_EncryptFilesonMove
href: policy-csp-admx-encryptfilesonmove.md
- name: ADMX_EventLogging
href: policy-csp-admx-eventlogging.md
- name: ADMX_EnhancedStorage
href: policy-csp-admx-enhancedstorage.md
- name: ADMX_ErrorReporting
@ -138,6 +136,8 @@ items:
href: policy-csp-admx-eventforwarding.md
- name: ADMX_EventLog
href: policy-csp-admx-eventlog.md
- name: ADMX_EventLogging
href: policy-csp-admx-eventlogging.md
- name: ADMX_EventViewer
href: policy-csp-admx-eventviewer.md
- name: ADMX_Explorer
@ -210,6 +210,8 @@ items:
href: policy-csp-admx-msi.md
- name: ADMX_MsiFileRecovery
href: policy-csp-admx-msifilerecovery.md
- name: ADMX_MSS-legacy
href: policy-csp-admx-mss-legacy.md
- name: ADMX_nca
href: policy-csp-admx-nca.md
- name: ADMX_NCSI
@ -240,6 +242,8 @@ items:
href: policy-csp-admx-printing2.md
- name: ADMX_Programs
href: policy-csp-admx-programs.md
- name: ADMX_QOS
href: policy-csp-admx-qos.md
- name: ADMX_Reliability
href: policy-csp-admx-reliability.md
- name: ADMX_RemoteAssistance
@ -248,6 +252,8 @@ items:
href: policy-csp-admx-removablestorage.md
- name: ADMX_RPC
href: policy-csp-admx-rpc.md
- name: ADMX_sam
href: policy-csp-admx-sam.md
- name: ADMX_Scripts
href: policy-csp-admx-scripts.md
- name: ADMX_sdiageng
@ -278,6 +284,8 @@ items:
href: policy-csp-admx-startmenu.md
- name: ADMX_SystemRestore
href: policy-csp-admx-systemrestore.md
- name: ADMX_TabletPCInputPanel
href: policy-csp-admx-tabletpcinputpanel.md
- name: ADMX_TabletShell
href: policy-csp-admx-tabletshell.md
- name: ADMX_Taskbar
@ -320,8 +328,6 @@ items:
href: policy-csp-admx-wininit.md
- name: ADMX_WinLogon
href: policy-csp-admx-winlogon.md
- name: ADMX-Winsrv
href: policy-csp-admx-winsrv.md
- name: ADMX_wlansvc
href: policy-csp-admx-wlansvc.md
- name: ADMX_WordWheel
@ -330,6 +336,8 @@ items:
href: policy-csp-admx-workfoldersclient.md
- name: ADMX_WPN
href: policy-csp-admx-wpn.md
- name: ADMX-Winsrv
href: policy-csp-admx-winsrv.md
- name: ApplicationDefaults
href: policy-csp-applicationdefaults.md
- name: ApplicationManagement
@ -358,14 +366,18 @@ items:
href: policy-csp-camera.md
- name: Cellular
href: policy-csp-cellular.md
- name: CloudDesktop
href: policy-csp-clouddesktop.md
- name: CloudPC
href: policy-csp-cloudpc.md
- name: Connectivity
href: policy-csp-connectivity.md
- name: ControlPolicyConflict
href: policy-csp-controlpolicyconflict.md
- name: CredentialsDelegation
href: policy-csp-credentialsdelegation.md
- name: CredentialProviders
href: policy-csp-credentialproviders.md
- name: CredentialsDelegation
href: policy-csp-credentialsdelegation.md
- name: CredentialsUI
href: policy-csp-credentialsui.md
- name: Cryptography
@ -488,10 +500,14 @@ items:
href: policy-csp-servicecontrolmanager.md
- name: Settings
href: policy-csp-settings.md
- name: SettingsSync
href: policy-csp-settingssync.md
- name: Speech
href: policy-csp-speech.md
- name: Start
href: policy-csp-start.md
- name: Stickers
href: policy-csp-stickers.md
- name: Storage
href: policy-csp-storage.md
- name: System
@ -502,6 +518,10 @@ items:
href: policy-csp-taskmanager.md
- name: TaskScheduler
href: policy-csp-taskscheduler.md
- name: TenantDefinedTelemetry
href: policy-csp-tenantdefinedtelemetry.md
- name: TenantRestrictions
href: policy-csp-tenantrestrictions.md
- name: TextInput
href: policy-csp-textinput.md
- name: TimeLanguageSettings

6
windows/client-management/new-in-windows-mdm-enrollment-management.md
View File

@ -348,9 +348,9 @@ No. Only one MDM is allowed.
Entry | Description
--------------- | --------------------
What is dmwappushsvc? | It's a Windows service that ships in Windows 10 and Windows 11 operating system as a part of the windows management platform. It's used internally by the operating system as a queue for categorizing and processing all WAP messages, which include Windows management messages, MMS, NabSync, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. |
What data is handled by dmwappushsvc? | It's a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further: MMS, NabSync, SI/SL. This service doesn't send telemetry.|
How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc). However, since this service is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to disable the service. Disabling this service will cause your management to fail.|
What is dmwappushsvc? | It's a Windows service that ships in Windows 10 and Windows 11 operating system as a part of the windows management platform. It's used internally by the operating system as a queue for categorizing and processing all Wireless Application Protocol (WAP) messages, which include Windows management messages, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. |
What data is handled by dmwappushsvc? | It's a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further. This service doesn't send telemetry.|
How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc) and locating *Device Management Wireless Application Protocol (WAP) Push message Routing Service*. However, since this service is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to disable the service. Disabling this service will cause your management to fail.|
## Change history for MDM documentation

11
windows/configuration/customize-start-menu-layout-windows-11.md
View File

@ -62,16 +62,9 @@ Start has the following areas:
- `Computer Configuration\Administrative Templates\Start Menu and Taskbar`
- `User Configuration\Administrative Templates\Start Menu and Taskbar`
- **Recommended**: Shows recently opened files and recently installed apps. This section can't be customized using the JSON file.
- **Recommended**: Shows recently opened files and recently installed apps. This section can only be customized in Windows 11 SE using the following policy.
The [Start/HideRecentJumplists CSP](/windows/client-management/mdm/policy-csp-start#start-hiderecentjumplists) exposes settings that prevent files from showing in this section. This CSP also hides recent files that show from the taskbar.
In **Intune**, you can configure this feature, and more. For more information on the Start menu settings you can configure in an Intune policy, see [Windows 10/11 device settings to allow or restrict features](/mem/intune/configuration/device-restrictions-windows-10#start).
In **Group Policy**, there are policies that include settings that control the Start menu layout. Some policies may not work as expected. Be sure to test your policies before broadly deploying them across your devices:
- `Computer Configuration\Administrative Templates\Start Menu and Taskbar`
- `User Configuration\Administrative Templates\Start Menu and Taskbar`
- `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Remove Recommended section from Start Menu`
## Create the JSON file

79
windows/configuration/stop-employees-from-using-microsoft-store.md
View File

@ -8,59 +8,58 @@ author: lizgt2000
ms.author: lizlong
ms.topic: conceptual
ms.localizationpriority: medium
ms.date: 4/16/2018
ms.date: 11/29/2022
ms.collection: highpri
ms.technology: itpro-configure
---
# Configure access to Microsoft Store
**Applies to**
**Applies to:**
- Windows 10
>For more info about the features and functionality that are supported in each edition of Windows, see [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
> [!TIP]
> For more info about the features and functionality that are supported in each edition of Windows, see [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
IT pros can configure access to Microsoft Store for client computers in their organization. For some organizations, business policies require blocking access to Microsoft Store.
> [!Important]
> [!IMPORTANT]
> All executable code including Microsoft Store applications should have an update and maintenance plan. Organizations that use Microsoft Store applications should ensure that the applications can be updated through the Microsoft Store over the internet, through the [Private Store](/microsoft-store/distribute-apps-from-your-private-store), or [distributed offline](/microsoft-store/distribute-offline-apps) to keep the applications up to date.
## Options to configure access to Microsoft Store
You can use these tools to configure access to Microsoft Store: AppLocker or Group Policy. For Windows 10, this is only supported on Windows 10 Enterprise edition.
You can use either AppLocker or Group Policy to configure access to Microsoft Store. For Windows 10, configuring access to Microsoft Store is only supported on Windows 10 Enterprise edition.
## <a href="" id="block-store-applocker"></a>Block Microsoft Store using AppLocker
Applies to: Windows 10 Enterprise, Windows 10 Education
## Block Microsoft Store using AppLocker
Applies to: Windows 10 Enterprise, Windows 10 Education
AppLocker provides policy-based access control management for applications. You can block access to Microsoft Store app with AppLocker by creating a rule for packaged apps. You'll give the name of the Microsoft Store app as the packaged app that you want to block from client computers.
For more information on AppLocker, see [What is AppLocker?](/windows/device-security/applocker/what-is-applocker) For more information on creating an AppLocker rule for app packages, see [Create a rule for packaged apps](/windows/device-security/applocker/create-a-rule-for-packaged-apps).
**To block Microsoft Store using AppLocker**
**To block Microsoft Store using AppLocker:**
1. Type secpol in the search bar to find and start AppLocker.
1. Enter **`secpol`** in the search bar to find and start AppLocker.
2. In the console tree of the snap-in, click **Application Control Policies**, click **AppLocker**, and then click **Packaged app Rules**.
2. In the console tree of the snap-in, select **Application Control Policies**, select **AppLocker**, and then select **Packaged app Rules**.
3. On the **Action** menu, or by right-clicking on **Packaged app Rules**, click **Create New Rule**.
3. On the **Action** menu, or by right-clicking on **Packaged app Rules**, select **Create New Rule**.
4. On **Before You Begin**, click **Next**.
4. On **Before You Begin**, select **Next**.
5. On **Permissions**, select the action (allow or deny) and the user or group that the rule should apply to, and then click **Next**.
5. On **Permissions**, select the action (allow or deny) and the user or group that the rule should apply to, and then select **Next**.
6. On **Publisher**, you can select **Use an installed app package as a reference**, and then click **Select**.
6. On **Publisher**, you can select **Use an installed app package as a reference**, and then select **Select**.
7. On **Select applications**, find and click **Store** under **Applications** column, and then click **OK**. Click **Next**.
7. On **Select applications**, find and select **Store** under **Applications** column, and then select **OK**. Select **Next**.
[Create a rule for packaged apps](/windows/device-security/applocker/create-a-rule-for-packaged-apps) has more information on reference options and setting the scope on packaged app rules.
8. Optional: On **Exceptions**, specify conditions by which to exclude files from being affected by the rule. This allows you to add exceptions based on the same rule reference and rule scope as you set before. Click **Next**.
8. Optional: On **Exceptions**, specify conditions by which to exclude files from being affected by the rule. Conditions allow you to add exceptions based on the same rule reference and rule scope as you set before. Select **Next**.
## <a href="" id="block-store-csp"></a>Block Microsoft Store using configuration service provider
## Block Microsoft Store using configuration service provider
Applies to: Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education
@ -73,53 +72,51 @@ For more information, see [Configure an MDM provider](/microsoft-store/configure
For more information on the rules available via AppLocker on the different supported operating systems, see [Operating system requirements](/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker#operating-system-requirements).
> [!IMPORTANT]
> If you block access to the Store using CSP, you need to also configure [AllowAppStoreAutoUpdate](/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowappstoreautoupdate) to enable in-box store apps to update while still blocking access to the store.
## <a href="" id="block-store-group-policy"></a>Block Microsoft Store using Group Policy
## Block Microsoft Store using Group Policy
Applies to: Windows 10 Enterprise, Windows 10 Education
Applies to: Windows 10 Enterprise, Windows 10 Education
> [!Note]
> [!NOTE]
> Not supported on Windows 10 Pro, starting with version 1511. For more info, see [Knowledge Base article #3135657](/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store).
You can also use Group Policy to manage access to Microsoft Store.
**To block Microsoft Store using Group Policy**
**To block Microsoft Store using Group Policy:**
1. Type gpedit in the search bar to find and start Group Policy Editor.
1. Enter **`gpedit`** in the search bar to find and start Group Policy Editor.
2. In the console tree of the snap-in, click **Computer Configuration**, click **Administrative Templates**, click **Windows Components**, and then click **Store**.
2. In the console tree of the snap-in, select **Computer Configuration**, select **Administrative Templates**, select **Windows Components**, and then select **Store**.
3. In the Setting pane, click **Turn off the Store application**, and then click **Edit policy setting**.
3. In the Setting pane, select **Turn off the Store application**, and then select **Edit policy setting**.
4. On the **Turn off the Store application** setting page, click **Enabled**, and then click **OK**.
4. On the **Turn off the Store application** setting page, select **Enabled**, and then select **OK**.
> [!Important]
> When you enable the policy to **Turn off the Store application**, it turns off app updates from the Microsoft Store. To allow store apps to update, disable the policy to **Turn off automatic download and install of Updates**. This configuration allows in-box store apps to update while still blocking access to the store.
> [!IMPORTANT]
> When you enable the policy to **Turn off the Store application**, it turns off app updates from the Microsoft Store. To allow store apps to update, disable the policy to **Turn off automatic download and install of Updates**. This policy is found under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store**. This configuration allows in-box store apps to update while still blocking access to the store.
## Show private store only using Group Policy
Applies to Windows 10 Enterprise, Windows 10 Education
Applies to Windows 10 Enterprise, Windows 10 Education
If you're using Microsoft Store for Business and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Microsoft Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store.
**To show private store only in Microsoft Store app**
**To show private store only in Microsoft Store app:**
1. Type **gpedit** in the search bar, and then select **Edit group policy (Control panel)** to find and start Group Policy Editor.
1. Enter **`gpedit`** in the search bar, and then select **Edit group policy (Control panel)** to find and start Group Policy Editor.
2. In the console tree of the snap-in, go to **User Configuration** or **Computer Configuration** > **Administrative Templates** > **Windows Components**, and then click **Store**.
2. In the console tree of the snap-in, go to **User Configuration** or **Computer Configuration** > **Administrative Templates** > **Windows Components**, and then select **Store**.
3. Right-click **Only display the private store within the Microsoft Store app** in the right pane, and click **Edit**.
3. Right-click **Only display the private store within the Microsoft Store app** in the right pane, and select **Edit**.
This opens the **Only display the private store within the Microsoft Store app** policy settings.
The **Only display the private store within the Microsoft Store app** policy settings will open.
4. On the **Only display the private store within the Microsoft Store app** setting page, click **Enabled**, and then click **OK**.
4. On the **Only display the private store within the Microsoft Store app** setting page, select **Enabled**, and then select **OK**.
## Related topics
## Related articles
[Distribute apps using your private store](/microsoft-store/distribute-apps-from-your-private-store)
[Manage access to private store](/microsoft-store/manage-access-to-private-store)
 

42
windows/deployment/TOC.yml
View File

@ -62,16 +62,11 @@
- name: Features removed or planned for replacement
items:
- name: Windows client features lifecycle
href: planning/features-lifecycle.md
- name: Features we're no longer developing
items:
- name: Windows deprecated features
href: planning/windows-10-deprecated-features.md
- name: Features we removed
items:
- name: Windows features removed
href: planning/windows-10-removed-features.md
href: /windows/whats-new/feature-lifecycle?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
- name: Deprecated features
href: /windows/whats-new/deprecated-features?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
- name: Removed features
href: /windows/whats-new/removed-features?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
- name: Prepare
items:
- name: Prepare for Windows 11
@ -466,18 +461,6 @@
href: usmt/usmt-reroute-files-and-settings.md
- name: Verify the Condition of a Compressed Migration Store
href: usmt/verify-the-condition-of-a-compressed-migration-store.md
- name: USMT Troubleshooting
href: usmt/usmt-troubleshooting.md
- name: Common Issues
href: usmt/usmt-common-issues.md
- name: Frequently Asked Questions
href: usmt/usmt-faq.yml
- name: Log Files
href: usmt/usmt-log-files.md
- name: Return Codes
href: usmt/usmt-return-codes.md
- name: USMT Resources
href: usmt/usmt-resources.md
- name: USMT Reference
items:
@ -546,6 +529,21 @@
- name: Offline Migration Reference
href: usmt/offline-migration-reference.md
- name: Troubleshoot USMT
items:
- name: USMT Troubleshooting
href: usmt/usmt-troubleshooting.md
- name: USMT Common Issues
href: /troubleshoot/windows-client/deployment/usmt-common-issues
- name: USMT Frequently Asked Questions
href: usmt/usmt-faq.yml
- name: USMT Log Files
href: usmt/usmt-log-files.md
- name: USMT Return Codes
href: /troubleshoot/windows-client/deployment/usmt-return-codes
- name: USMT Resources
href: usmt/usmt-resources.md
- name: Application Compatibility Toolkit (ACT) Technical Reference
items:
- name: SUA User's Guide

12
windows/deployment/breadcrumb/toc.yml
View File

@ -10,3 +10,15 @@ items:
- name: Deployment
tocHref: /troubleshoot/windows-client/deployment/
topicHref: /windows/deployment/
- name: Learn
tocHref: /
topicHref: /
items:
- name: Windows
tocHref: /windows/
topicHref: /windows/resources/
items:
- name: Deployment
tocHref: /windows/whats-new
topicHref: /windows/deployment/

32
windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md
View File

@ -9,17 +9,19 @@ ms.localizationpriority: medium
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
ms.date: 10/28/2022
ms.date: 11/28/2022
---
# Assign applications using roles in MDT
This article will show you how to add applications to a role in the MDT database and then assign that role to a computer. For the purposes of this article, the application we're adding is Adobe Reader XI. In addition to using computer-specific entries in the database, you can use roles in MDT to group settings together.
## <a href="" id="sec01"></a>Create and assign a role entry in the database
## Create and assign a role entry in the database
1. On MDT01, using Deployment Workbench, in the MDT Production deployment share, expand **Advanced Configuration** and then expand **Database**.
2. In the **Database** node, right-click **Role**, select **New**, and create a role entry with the following settings:
1. Role name: Standard PC
2. Applications / Lite Touch Applications:
3. Install - Adobe Reader XI - x86
@ -28,10 +30,12 @@ This article will show you how to add applications to a role in the MDT database
Figure 12. The Standard PC role with the application added
## <a href="" id="sec02"></a>Associate the role with a computer in the database
## Associate the role with a computer in the database
After creating the role, you can associate it with one or more computer entries.
1. Using Deployment Workbench, expand **MDT Production**, expand **Advanced Configuration**, expand **Database**, and select **Computers**.
2. In the **Computers** node, double-click the **PC00075** entry, and add the following setting:
- Roles: Standard PC
@ -39,13 +43,15 @@ After creating the role, you can associate it with one or more computer entries.
Figure 13. The Standard PC role added to PC00075 (having ID 1 in the database).
## <a href="" id="sec03"></a>Verify database access in the MDT simulation environment
## Verify database access in the MDT simulation environment
When the database is populated, you can use the MDT simulation environment to simulate a deployment. The applications aren't installed, but you can see which applications would be installed if you did a full deployment of the computer.
1. On PC0001, log on as **CONTOSO\\MDT\_BA**.
2. Modify the C:\\MDT\\CustomSettings.ini file to look like below:
```
```ini
[Settings]
Priority=CSettings, CRoles, RApplications, Default
[Default]
@ -110,7 +116,7 @@ When the database is populated, you can use the MDT simulation environment to si
3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press **Enter** after each command:
``` powershell
```powershell
Set-Location C:\MDT
.\Gather.ps1
@ -122,10 +128,10 @@ Figure 14. ZTIGather.log displaying the application GUID belonging to the Adobe
## Related articles
[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
<BR>[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
<BR>[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
<BR>[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
<BR>[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
<BR>[Use web services in MDT](use-web-services-in-mdt.md)
<BR>[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
- [Use web services in MDT](use-web-services-in-mdt.md)
- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)

161
windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
View File

@ -10,12 +10,13 @@ ms.localizationpriority: medium
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
ms.date: 10/28/2022
ms.date: 11/28/2022
---
# Build a distributed environment for Windows 10 deployment
**Applies to**
**Applies to:**
- Windows 10
Perform the steps in this article to build a distributed environment for Windows 10 deployment. A distributed environment for deployment is useful when you have a segmented network, for example one that is segmented geographically into two branch locations. If you work in a distributed environment, replicating the deployment shares is an important part of a deployment solution because images of 5 GB or more in size can present bandwidth issues when deployed over the wire. Replicating this content enables clients to do local deployments.
@ -28,7 +29,8 @@ For the purposes of this article, we assume that MDT02 is prepared with the same
Computers used in this article.
>HV01 is also used in this topic to host the PC0006 virtual machine.
> [!NOTE]
> HV01 is also used in this topic to host the PC0006 virtual machine.
## Replicate deployment shares
@ -55,9 +57,9 @@ On **MDT01**:
1. Install the DFS Replication role on MDT01 by entering the following at an elevated Windows PowerShell prompt:
```powershell
Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools
```
```powershell
Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools
```
2. Wait for installation to complete, and then verify that the installation was successful. See the following output:
@ -75,9 +77,9 @@ On **MDT02**:
1. Perform the same procedure on MDT02 by entering the following at an elevated Windows PowerShell prompt:
```powershell
Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools
```
```powershell
Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools
```
2. Wait for installation to complete, and then verify that the installation was successful. See the following output:
@ -112,11 +114,11 @@ On **MDT02**:
### Configure the deployment share
When you have multiple deployment servers sharing the same content, you need to configure the Bootstrap.ini file with information about which server to connect to based on where the client is located. In MDT that can be done by using the DefaultGateway property.
When you have multiple deployment servers sharing the same content, you need to configure the Bootstrap.ini file with information about which server to connect to based on where the client is located. In MDT that can be done by using the **DefaultGateway** property.
On **MDT01**:
1. Using Notepad, navigate to the **D:\\MDTProduction\\Control** folder and modify the Boostrap.ini file as follows. Under [DefaultGateway] enter the IP addresses for the client's default gateway in New York and Stockholm, respectively (replace 10.10.10.1 and 10.10.20.1 with your default gateways). The default gateway setting is what tells the client which deployment share (that is, server) to use.
1. Using Notepad, navigate to the **D:\\MDTProduction\\Control** folder and modify the `Boostrap.ini` file as follows. Under `[DefaultGateway]` enter the IP addresses for the client's default gateway in New York and Stockholm, respectively (replace 10.10.10.1 and 10.10.20.1 with your default gateways). The default gateway setting is what tells the client which deployment share (that is, server) to use.
```ini
[Settings]
@ -138,119 +140,156 @@ On **MDT01**:
UserPassword=pass@word1
SkipBDDWelcome=YES
```
>[!NOTE]
>The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md).
2. Save the Bootstrap.ini file.
> [!NOTE]
> The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md).
2. Save the `Bootstrap.ini` file.
3. Using the Deployment Workbench, right-click the **MDT Production** deployment share and select **Update Deployment Share**. Use the default settings for the Update Deployment Share Wizard. This process will take a few minutes.
4. After the update is complete, use the Windows Deployment Services console on MDT01. In the **Boot Images** node, right-click the **MDT Production x64** boot image and select **Replace Image**.
5. Browse and select the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** boot image, and then complete Replace Boot Image Wizard using the default settings.
![figure 5.](../images/mdt-10-fig05.png)
Replacing the updated boot image in WDS.
>[!TIP]
>If you modify bootstrap.ini again later, be sure to repeat the process of updating the deployment share in the Deployment Workbench and replacing the boot image in the WDS console.
> [!TIP]
> If you modify bootstrap.ini again later, be sure to repeat the process of updating the deployment share in the Deployment Workbench and replacing the boot image in the WDS console.
## Replicate the content
## Replicate the content
Once the MDT01 and MDT02 servers are prepared, you're ready to configure the actual replication.
Once the MDT01 and MDT02 servers are prepared, you're ready to configure the actual replication.
### Create the replication group
### Create the replication group
6. On MDT01, using DFS Management (dfsmgmt.msc), right-click **Replication**, and select **New Replication Group**.
7. On the **Replication Group Type** page, select **Multipurpose replication group**, and select **Next**.
8. On the **Name and Domain** page, assign the **MDTProduction** name, and select **Next**.
9. On the **Replication Group Members** page, select **Add**, add **MDT01** and **MDT02**, and then select **Next**.
1. On MDT01, using DFS Management (dfsmgmt.msc), right-click **Replication**, and select **New Replication Group**.
2. On the **Replication Group Type** page, select **Multipurpose replication group**, and select **Next**.
3. On the **Name and Domain** page, assign the **MDTProduction** name, and select **Next**.
4. On the **Replication Group Members** page, select **Add**, add **MDT01** and **MDT02**, and then select **Next**.
![figure 6.](../images/mdt-10-fig06.png)
Adding the Replication Group Members.
10. On the **Topology Selection** page, select the **Full mesh** option and select **Next**.
11. On the **Replication Group Schedule and Bandwidth** page, accept the default settings and select **Next**.
12. On the **Primary Member** page, select **MDT01** and select **Next**.
13. On the **Folders to Replicate** page, select **Add**, enter **D:\\MDTProduction** as the folder to replicate, select **OK**, and then select **Next**.
14. On the **Local Path of MDTProduction** on the **Other Members** page, select **MDT02**, and select **Edit**.
15. On the **Edit** page, select the **Enabled** option, type in **D:\\MDTProduction** as the local path of folder, select the **Make the selected replicated folder on this member read-only** check box, select **OK**, and then select **Next**.
16. On the **Review Settings and Create Replication Group** page, select **Create**.
17. On the **Confirmation** page, select **Close**.
5. On the **Topology Selection** page, select the **Full mesh** option and select **Next**.
### Configure replicated folders
6. On the **Replication Group Schedule and Bandwidth** page, accept the default settings and select **Next**.
7. On the **Primary Member** page, select **MDT01** and select **Next**.
8. On the **Folders to Replicate** page, select **Add**, enter **D:\\MDTProduction** as the folder to replicate, select **OK**, and then select **Next**.
9. On the **Local Path of MDTProduction** on the **Other Members** page, select **MDT02**, and select **Edit**.
10. On the **Edit** page, select the **Enabled** option, type in **D:\\MDTProduction** as the local path of folder, select the **Make the selected replicated folder on this member read-only** check box, select **OK**, and then select **Next**.
11. On the **Review Settings and Create Replication Group** page, select **Create**.
12. On the **Confirmation** page, select **Close**.
### Configure replicated folders
1. On **MDT01**, using DFS Management, expand **Replication** and then select **MDTProduction**.
2. In the middle pane, right-click the **MDT01** member and select **Properties**.
3. On the **MDT01 (MDTProduction) Properties** page, configure the following and then select **OK**:
18. On **MDT01**, using DFS Management, expand **Replication** and then select **MDTProduction**.
19. In the middle pane, right-click the **MDT01** member and select **Properties**.
20. On the **MDT01 (MDTProduction) Properties** page, configure the following and then select **OK**:
1. In the **Staging** tab, set the quota to **20480 MB**.
2. In the **Advanced** tab, set the quota to **8192 MB**.
In this scenario the size of the deployment share is known, but you might need to change the values for your environment. A good rule of thumb is to get the size of the 16 largest files and make sure they fit in the staging area. Below is a Windows PowerShell example that calculates the size of the 16 largest files in the D:\\MDTProduction deployment share:
``` powershell
```powershell
(Get-ChildItem D:\MDTProduction -Recurse | Sort-Object Length -Descending | Select-Object -First 16 | Measure-Object -Property Length -Sum).Sum /1GB
```
21. In the middle pane, right-click the **MDT02** member and select **Properties**.
22. On the **MDT02 (MDTProduction) Properties** page, configure the following and then select **OK**:
4. In the middle pane, right-click the **MDT02** member and select **Properties**.
5. On the **MDT02 (MDTProduction) Properties** page, configure the following and then select **OK**:
1. In the **Staging** tab, set the quota to **20480 MB**.
2. In the **Advanced** tab, set the quota to **8192 MB**.
> [!NOTE]
> It will take some time for the replication configuration to be picked up by the replication members (MDT01 and MDT02). The time for the initial sync will depend on the WAN link speed between the sites. After that, delta changes are replicated quickly.
23. Verify that MDT01 and MDT02 are members of the MDTProduction replication group, with MDT01 being primary as follows using an elevated command prompt:
6. Verify that MDT01 and MDT02 are members of the MDTProduction replication group, with MDT01 being primary as follows using an elevated command prompt:
```cmd
C:\> dfsradmin membership list /rgname:MDTProduction /attr:MemName,IsPrimary
MemName IsPrimary
MDT01 Yes
MDT02 No
```
```cmd
C:\> dfsradmin membership list /rgname:MDTProduction /attr:MemName,IsPrimary
MemName IsPrimary
MDT01 Yes
MDT02 No
```
### Verify replication
On **MDT02**:
1. Wait until you start to see content appear in the **D:\\MDTProduction** folder.
2. Using DFS Management, expand **Replication**, right-click **MDTProduction**, and select **Create Diagnostics Report**.
3. In the Diagnostics Report Wizard, on the **Type of Diagnostics Report or Test** page, choose **Health report** and select **Next**.
4. On the **Path and Name** page, accept the default settings and select **Next**.
5. On the **Members to Include** page, accept the default settings and select **Next**.
6. On the **Options** page, accept the default settings and select **Next**.
7. On the **Review Settings and Create Report** page, select **Create**.
8. Open the report in Internet Explorer, and if necessary, select the **Allow blocked content** option.
![figure 9.](../images/mdt-10-fig09.png)
![figure 9.](../images/mdt-10-fig09.png)
The DFS Replication Health Report.
The DFS Replication Health Report.
>If there are replication errors you can review the DFS event log in Event Viewer under **Applications and Services Logs**.
> [!NOTE]
> If there are replication errors you can review the DFS event log in Event Viewer under **Applications and Services Logs**.
## Configure Windows Deployment Services (WDS) in a remote site
Like you did in the previous article for MDT01, you need to add the MDT Production Lite Touch x64 Boot image to Windows Deployment Services on MDT02. For the following steps, we assume that WDS has already been installed on MDT02.
1. On MDT02, using the WDS console, right-click **Boot Images** and select **Add Boot Image**.
2. Browse to the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** file and add the image with the default settings.
## Deploy a Windows 10 client to the remote site
Now you should have a solution ready for deploying the Windows 10 client to the remote site: Stockholm, using the MDTProduction deployment share replica on MDT02. You can test this deployment with the following optional procedure.
>For demonstration purposes, the following procedure uses a virtual machine (PC0006) hosted by the Hyper-V server HV01. To use the remote site server (MDT02) the VM must be assigned a default gateway that matches the one you entered in the Boostrap.ini file.
> [!NOTE]
> For demonstration purposes, the following procedure uses a virtual machine (PC0006) hosted by the Hyper-V server HV01. To use the remote site server (MDT02) the VM must be assigned a default gateway that matches the one you entered in the `Boostrap.ini` file.
1. Create a virtual machine with the following settings:
1. Name: PC0006
2. Location: C:\\VMs
3. Generation: 2
4. Memory: 2048 MB
5. Hard disk: 60 GB (dynamic disk)
1. **Name**: PC0006
2. **Location**: C:\\VMs
3. **Generation**: 2
4. **Memory**: 2048 MB
5. **Hard disk**: 60 GB (dynamic disk)
6. Install an operating system from a network-based installation server
2. Start the PC0006 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The VM will now load the Windows PE boot image from the WDS server.
3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings:
1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image
2. Computer Name: PC0006
3. Applications: Select the Install - Adobe Reader
4. Setup will now start and perform the following steps:
1. Install the Windows 10 Enterprise operating system.
2. Install applications.
3. Update the operating system using your local Windows Server Update Services (WSUS) server.
@ -259,9 +298,9 @@ Now you should have a solution ready for deploying the Windows 10 client to the
## Related articles
[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)<br>
[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)<br>
[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)<br>
[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)<br>
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)<br>
[Configure MDT settings](configure-mdt-settings.md)
- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
- [Configure MDT settings](configure-mdt-settings.md)

41
windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md
View File

@ -9,23 +9,24 @@ ms.localizationpriority: medium
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
ms.date: 10/28/2022
ms.date: 11/28/2022
---
# Configure MDT deployment share rules
In this article, you'll learn how to configure the MDT rules engine to reach out to other resources, including external scripts, databases, and web services, for additional information instead of storing settings directly in the rules engine. The rules engine in MDT is powerful: most of the settings used for operating system deployments are retrieved and assigned via the rules engine. In its simplest form, the rules engine is the CustomSettings.ini text file.
## <a href="" id="sec01"></a>Assign settings
## Assign settings
When using MDT, you can assign setting in three distinct ways:
- You can pre-stage the information before deployment.
- You can prompt the user or technician for information.
- You can have MDT generate the settings automatically.
In order to illustrate these three options, let's look at some sample configurations.
## <a href="" id="sec02"></a>Sample configurations
## Sample configurations
Before adding the more advanced components like scripts, databases, and web services, consider the commonly used configurations below; they demonstrate the power of the rules engine.
@ -33,7 +34,7 @@ Before adding the more advanced components like scripts, databases, and web serv
If you have a small test environment, or simply want to assign settings to a limited number of machines, you can edit the rules to assign settings directly for a given MAC Address. When you have many machines, it makes sense to use the database instead.
```
```ini
[Settings]
Priority=MacAddress, Default
[Default]
@ -48,7 +49,7 @@ In the preceding sample, you set the PC00075 computer name for a machine with a
Another way to assign a computer name is to identify the machine via its serial number.
```
```ini
[Settings]
Priority=SerialNumber, Default
[Default]
@ -63,7 +64,7 @@ In this sample, you set the PC00075 computer name for a machine with a serial nu
You also can configure the rules engine to use a known property, like a serial number, to generate a computer name on the fly.
```
```ini
[Settings]
Priority=Default
[Default]
@ -72,15 +73,15 @@ OSDComputerName=PC-%SerialNumber%
```
In this sample, you configure the rules to set the computer name to a prefix (PC-) and then the serial number. If the serial number of the machine is CND0370RJ7, the preceding configuration sets the computer name to PC-CND0370RJ7.
**Note**
Be careful when using the serial number to assign computer names. A serial number can contain more than 15 characters, but the Windows setup limits a computer name to 15 characters.
> [!NOTE]
> Be careful when using the serial number to assign computer names. A serial number can contain more than 15 characters, but the Windows setup limits a computer name to 15 characters.
### Generate a limited computer name based on a serial number
To avoid assigning a computer name longer than 15 characters, you can configure the rules in more detail by adding VBScript functions, as follows:
```
```ini
[Settings]
Priority=Default
[Default]
@ -94,7 +95,7 @@ In the preceding sample, you still configure the rules to set the computer name
In the rules, you find built-in properties that use a Windows Management Instrumentation (WMI) query to determine whether the machine you're deploying is a laptop, desktop, or server. In this sample, we assume you want to add laptops to different OUs in Active Directory. Note that ByLaptopType isn't a reserved word; rather, it's the name of the section to read.
```
```ini
[Settings]
Priority=ByLaptopType, Default
[Default]
@ -107,16 +108,10 @@ MachineObjectOU=OU=Laptops,OU=Contoso,DC=contoso,DC=com
## Related articles
[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
[Use web services in MDT](use-web-services-in-mdt.md)
[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
- [Use web services in MDT](use-web-services-in-mdt.md)
- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)

31
windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md
View File

@ -9,7 +9,7 @@ ms.localizationpriority: medium
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
ms.date: 10/28/2022
ms.date: 11/28/2022
---
# Configure MDT for UserExit scripts
@ -20,7 +20,7 @@ In this article, you'll learn how to configure the MDT rules engine to use a Use
You can call a UserExit by referencing the script in your rules. Then you can configure a property to be set to the result of a function of the VBScript. In this example, we have a VBScript named Setname.vbs (provided in the book sample files, in the UserExit folder).
```
```ini
[Settings]
Priority=Default
[Default]
@ -35,7 +35,7 @@ The UserExit=Setname.vbs calls the script and then assigns the computer name to
The Setname.vbs script takes the MAC Address passed from the rules. The script then does some string manipulation to add a prefix (PC) and remove the semicolons from the MAC Address.
```
```vb
Function UserExit(sType, sWhen, sDetail, bSkip)
UserExit = Success
End Function
@ -48,23 +48,18 @@ Function SetName(sMac)
SetName = "PC" & re.Replace(sMac, "")
End Function
```
The first three lines of the script make up a header that all UserExit scripts have. The interesting part is the lines between Function and End Function. Those lines add a prefix (PC), remove the colons from the MAC Address, and return the value to the rules by setting the SetName value.
>[!NOTE]
>The purpose of this sample isn't to recommend that you use the MAC Address as a base for computer naming, but to show you how to take a variable from MDT, pass it to an external script, make some changes to it, and then return the new value to the deployment process.
> [!NOTE]
> The purpose of this sample isn't to recommend that you use the MAC Address as a base for computer naming, but to show you how to take a variable from MDT, pass it to an external script, make some changes to it, and then return the new value to the deployment process.
## Related articles
[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
[Use web services in MDT](use-web-services-in-mdt.md)
[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
- [Use web services in MDT](use-web-services-in-mdt.md)
- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)

14
windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
View File

@ -10,7 +10,7 @@ ms.localizationpriority: medium
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
ms.date: 10/28/2022
ms.date: 11/28/2022
---
# Configure MDT settings
@ -35,9 +35,9 @@ The computers used in this article.
## Related articles
[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)<br>
[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)<br>
[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)<br>
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)<br>
[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)<br>
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)

406
windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
View File

@ -9,31 +9,33 @@ ms.localizationpriority: medium
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
ms.date: 10/28/2022
ms.date: 11/28/2022
---
# Create a Windows 10 reference image
**Applies to**
**Applies to:**
- Windows 10
Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this article, you 'll learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT). You 'll create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this article, you 'll have a Windows 10 reference image that can be used in your deployment solution.
>[!NOTE]
>For more information about the server, client, and network infrastructure used in this guide, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
> [!NOTE]
> For more information about the server, client, and network infrastructure used in this guide, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
For the purposes of this article, we'll use three computers: DC01, MDT01, and HV01.
- DC01 is a domain controller for the contoso.com domain.
- MDT01 is a contoso.com domain member server.
- HV01 is a Hyper-V server that will be used to build the reference image.
- DC01 is a domain controller for the contoso.com domain.
- MDT01 is a contoso.com domain member server.
- HV01 is a Hyper-V server that will be used to build the reference image.
![devices.](../images/mdt-08-fig01.png)
Computers used in this article.
## The reference image
The reference image described in this guide is designed primarily for deployment to physical devices. However, the reference image is typically created on a virtual platform, before being automatically run through the System Preparation (Sysprep) tool process and captured to a Windows Imaging (WIM) file. The reasons for creating the reference image on a virtual platform are:
- To reduce development time and can use snapshots to test different configurations quickly.
- To rule out hardware issues. You get the best possible image, and if you've a problem, it's not likely to be hardware related.
- To ensure that you won't have unwanted applications that could be installed as part of a driver install but not removed by the Sysprep process.
@ -47,19 +49,25 @@ With Windows 10, there's no hard requirement to create reference images. However
On **MDT01**:
- Sign in as contoso\\administrator using a password of <b>pass@word1</b> (credentials from the [prepare for deployment](prepare-for-windows-deployment-with-mdt.md) article).
- Start the MDT deployment workbench, and pin this workbench to the taskbar for easy access.
- Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**.
- Use the following settings for the New Deployment Share Wizard:
1. Sign in as **contoso\\administrator** using a password of **pass@word1** (credentials from the [prepare for deployment](prepare-for-windows-deployment-with-mdt.md) article).
2. Start the MDT deployment workbench, and pin this workbench to the taskbar for easy access.
3. Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**.
4. Use the following settings for the New Deployment Share Wizard:
- Deployment share path: **D:\\MDTBuildLab**
- Share name: **MDTBuildLab$**
- Deployment share description: **MDT Build Lab**
- Accept the default selections on the Options page and select **Next**.
- Review the Summary page, select **Next**, wait for the deployment share to be created, then select **Finish**.
- Verify that you can access the <b>\\\\MDT01\\MDTBuildLab$</b> share.
5. Accept the default selections on the Options page and select **Next**.
6. Review the Summary page, select **Next**, wait for the deployment share to be created, then select **Finish**.
7. Verify that you can access the **\\\\MDT01\\MDTBuildLab$** share.
![figure 2.](../images/mdt-08-fig02.png)
The Deployment Workbench with the MDT Build Lab deployment share.
### Enable monitoring
@ -73,9 +81,10 @@ In order to read files in the deployment share and write the reference image bac
On **MDT01**:
1. Ensure you're signed in as **contoso\\administrator**.
2. Modify the NTFS permissions for the **D:\\MDTBuildLab** folder by running the following command in an elevated Windows PowerShell prompt:
``` powershell
```powershell
icacls "D:\MDTBuildLab" /grant '"CONTOSO\MDT_BA":(OI)(CI)(M)'
grant-smbshareaccess -Name MDTBuildLab$ -AccountName "Contoso\MDT_BA" -AccessRight Full -force
```
@ -88,8 +97,8 @@ This section will show you how to populate the MDT deployment share with the Win
MDT supports adding both full source Windows 10 DVDs (ISOs) and custom images that you've created. In this case, you create a reference image, so you add the full source setup files from Microsoft.
>[!NOTE]
>Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W10EX64RTM rather than a more descriptive name like Windows 10 Enterprise x64 RTM.
> [!NOTE]
> Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W10EX64RTM rather than a more descriptive name like Windows 10 Enterprise x64 RTM.
### Add Windows 10 Enterprise x64 (full source)
@ -100,16 +109,21 @@ On **MDT01**:
![ISO.](../images/iso-data.png)
2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Build Lab**.
3. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**.
4. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard:
- Full set of source files
- Source directory: (location of your source files)
- Destination directory name: <b>W10EX64RTM</b>
5. After adding the operating system, in the **Operating Systems / Windows 10** folder, double-click it and change the name to: **Windows 10 Enterprise x64 RTM Default Image**. See the following example.
- Destination directory name: **W10EX64RTM**
5. After adding the operating system, in the **Operating Systems** > **Windows 10** folder, double-click it and change the name to: **Windows 10 Enterprise x64 RTM Default Image**. See the following example.
![Default image.](../images/deployment-workbench01.png)
>Depending on the DVD you used, there might be multiple editions available. For the purposes of this guide, we are using the Windows 10 Enterprise image, but other images will also work.
> [!NOTE]
> Depending on the DVD you used, there might be multiple editions available. For the purposes of this guide, we are using the Windows 10 Enterprise image, but other images will also work.
## Add applications
@ -120,14 +134,18 @@ On **MDT01**:
First, create an MDT folder to store the Microsoft applications that will be installed:
1. In the MDT Deployment Workbench, expand **Deployment Shares \\ MDT Build Lab \\ Applications**
2. Right-click **Applications** and then select **New Folder**.
3. Under **Folder name**, type **Microsoft**.
4. Select **Next** twice, and then select **Finish**.
The steps in this section use a strict naming standard for your MDT applications.
- Use the "<b>Install - </b>" prefix for typical application installations that run a setup installer of some kind,
- Use the "<b>Configure - </b>" prefix when an application configures a setting in the operating system.
- You also add an "<b> - x86</b>", "<b> - x64</b>", or "<b>- x86-x64</b>" suffix to indicate the application's architecture (some applications have installers for both architectures).
- Use the **Install -** prefix for typical application installations that run a setup installer of some kind.
- Use the **Configure -** prefix when an application configures a setting in the operating system.
- You also add an **- x86**, **- x64**, or **- x86-x64** suffix to indicate the application's architecture (some applications have installers for both architectures).
Using a script naming standard is always recommended when using MDT as it helps maintain order and consistency.
@ -142,21 +160,23 @@ In example sections, you 'll add the following applications:
>The 64-bit version of Microsoft Office 365 Pro Plus is recommended unless you need legacy app support. For more information, see [Choose between the 64-bit or 32-bit version of Office](https://support.office.com/article/choose-between-the-64-bit-or-32-bit-version-of-office-2dee7807-8f95-4d0c-b5fe-6c6f49b8d261)
Download links:
- [Office Deployment Tool](https://www.microsoft.com/download/details.aspx?id=49117)
- [Microsoft Visual C++ Redistributable 2019 - x86](https://aka.ms/vs/16/release/VC_redist.x86.exe)
- [Microsoft Visual C++ Redistributable 2019 - x64](https://aka.ms/vs/16/release/VC_redist.x64.exe)
Download all three items in this list to the D:\\Downloads folder on MDT01.
>[!NOTE]
>For the purposes of this lab, we'll leave the MSVC files in the D:\\Downloads folder and the Office365 files will be extracted to a child folder. If you prefer, you can place each application in its own separate child folder, and then modify the $ApplicationSourcePath below as needed (instead of just D:\\Downloads).
> [!NOTE]
> For the purposes of this lab, we'll leave the MSVC files in the D:\\Downloads folder and the Office365 files will be extracted to a child folder. If you prefer, you can place each application in its own separate child folder, and then modify the $ApplicationSourcePath below as needed (instead of just D:\\Downloads).
>[!NOTE]
>All the Microsoft Visual C++ downloads can be found on [The latest supported Visual C++ downloads](https://go.microsoft.com/fwlink/p/?LinkId=619523). Visual C++ 2015, 2017 and 2019 all share the same redistributable files.
> [!NOTE]
> All the Microsoft Visual C++ downloads can be found on [The latest supported Visual C++ downloads](https://go.microsoft.com/fwlink/p/?LinkId=619523). Visual C++ 2015, 2017 and 2019 all share the same redistributable files.
### Create configuration file: Microsoft Office 365 Professional Plus x64
1. After downloading the most current version of the Office Deployment tool from the Microsoft Download Center using the link provided above, run the self-extracting executable file and extract the files to **D:\\Downloads\\Office365**. The Office Deployment Tool (setup.exe) and several sample configuration.xml files will be extracted.
2. Using a text editor (such as Notepad), create an XML file in the D:\\Downloads\\Office365 directory with the installation settings for Microsoft 365 Apps for enterprise that are appropriate for your organization. The file uses an XML format, so the file you create must have an extension of .xml but the file can have any filename.
For example, you can use the following configuration.xml file, which provides these configuration settings:
@ -180,8 +200,8 @@ Download all three items in this list to the D:\\Downloads folder on MDT01.
When you use these settings, anytime you build the reference image you'll be installing the most up-to-date General Availability Channel version of Microsoft 365 Apps for enterprise.
>[!TIP]
>You can also use the web-based interface of the [Office Customization Tool](https://config.office.com/) to help you create your configuration.xml file.
> [!TIP]
> You can also use the web-based interface of the [Office Customization Tool](https://config.office.com/) to help you create your configuration.xml file.
For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/configuration-options-for-the-office-2016-deployment-tool) and [Overview of the Office Deployment Tool](/DeployOffice/overview-of-the-office-2016-deployment-tool).
@ -189,16 +209,19 @@ Download all three items in this list to the D:\\Downloads folder on MDT01.
![folder.](../images/office-folder.png)
Assuming you've named the file "configuration.xml" as shown above, we'll use the command "**setup.exe /configure configuration.xml**" when we create the application in MDT. This command execution will perform the installation of Microsoft 365 Apps for enterprise using the configuration settings in the configuration.xml file. Don't perform this step yet.
Assuming you've named the file `configuration.xml` as shown above, we'll use the command **`setup.exe /configure configuration.xml`** when we create the application in MDT. This command execution will perform the installation of Microsoft 365 Apps for enterprise using the configuration settings in the configuration.xml file. Don't perform this step yet.
>[!IMPORTANT]
>After Microsoft 365 Apps for enterprise is installed on the reference image, do NOT open any Office programs. if you open an Office program, you're prompted to sign-in, which activates the installation of Microsoft 365 Apps for enterprise. Even if you don't sign in and you close the Sign in to set up Office dialog box, a temporary product key is installed. You don't want any kind of product key for Microsoft 365 Apps for enterprise installed as part of your reference image.
> [!IMPORTANT]
> After Microsoft 365 Apps for enterprise is installed on the reference image, do NOT open any Office programs. if you open an Office program, you're prompted to sign-in, which activates the installation of Microsoft 365 Apps for enterprise. Even if you don't sign in and you close the Sign in to set up Office dialog box, a temporary product key is installed. You don't want any kind of product key for Microsoft 365 Apps for enterprise installed as part of your reference image.
Additional information
- Microsoft 365 Apps for enterprise is updated on a monthly basis with security updates and other quality updates (bug fixes), and possibly new features (depending on which update channel you're using). That means that once you've deployed your reference image, Microsoft 365 Apps for enterprise will most likely need to download and install the latest updates that have been released since you created your reference image.
- **Note**: With the installing Office Deployment Tool being used as part of the reference image, Microsoft 365 Apps for enterprise is installed immediately after the reference image is deployed to the user's device, rather than including Office apps part of the reference image. This way the user will have the most up-to-date version of Microsoft 365 Apps for enterprise right away and won't have to download any new updates (which is most likely what would happen if Microsoft 365 Apps for enterprise was installed as part of the reference image.)
- When you're creating your reference image, instead of installing Microsoft 365 Apps for enterprise directly from the Office CDN on the internet, you can install Microsoft 365 Apps for enterprise from a location on your local network, such as a file share. To do that, you would use the Office Deployment Tool in /download mode to download the installation files to that file share. Then you could use the Office Deployment Tool in /configure mode to install Microsoft 365 Apps for enterprise from that location on to your reference image. As part of that process, you'll need to point to that location in your configuration.xml file so that the Office Deployment Tool knows where to get the Microsoft 365 Apps for enterprise files. If you decide to do this step, the next time you create a new reference image, you'll want to be sure to use the Office Deployment Tool to download the most up-to-date installation files for Microsoft 365 Apps for enterprise to that location on your internal network. That way your new reference image will have a more up-to-date installation of Microsoft 365 Apps for enterprise.
> [!NOTE]
> With the installing Office Deployment Tool being used as part of the reference image, Microsoft 365 Apps for enterprise is installed immediately after the reference image is deployed to the user's device, rather than including Office apps part of the reference image. This way the user will have the most up-to-date version of Microsoft 365 Apps for enterprise right away and won't have to download any new updates (which is most likely what would happen if Microsoft 365 Apps for enterprise was installed as part of the reference image.)
- When you're creating your reference image, instead of installing Microsoft 365 Apps for enterprise directly from the Office CDN on the internet, you can install Microsoft 365 Apps for enterprise from a location on your local network, such as a file share. To do that, you would use the Office Deployment Tool in /download mode to download the installation files to that file share. Then you could use the Office Deployment Tool in /configure mode to install Microsoft 365 Apps for enterprise from that location on to your reference image. As part of that process, you'll need to point to that location in your configuration.xml file so that the Office Deployment Tool knows where to get the Microsoft 365 Apps for enterprise files. If you decide to do this step, the next time you create a new reference image, you'll want to be sure to use the Office Deployment Tool to download the most up-to-date installation files for Microsoft 365 Apps for enterprise to that location on your internal network. That way your new reference image will have a more up-to-date installation of Microsoft 365 Apps for enterprise.
### Connect to the deployment share using Windows PowerShell
@ -209,12 +232,13 @@ On **MDT01**:
1. Ensure you're signed in as **contoso\\Administrator**.
2. Import the snap-in and create the PSDrive by running the following commands in an elevated PowerShell prompt:
``` powershell
```powershell
Import-Module "C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1"
New-PSDrive -Name "DS001" -PSProvider MDTProvider -Root "D:\MDTBuildLab"
```
>[!TIP]
>Use "Get-Command -module MicrosoftDeploymentToolkit" to see a list of available cmdlets
> [!TIP]
> Use `Get-Command -module MicrosoftDeploymentToolkit` to see a list of available cmdlets
### Create the install: Microsoft Office 365 Pro Plus - x64
@ -223,9 +247,10 @@ In these steps, we assume that you've downloaded the Office Deployment Tool. You
On **MDT01**:
1. Ensure you're signed on as **contoso\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt:
``` powershell
```powershell
$ApplicationName = "Install - Office365 ProPlus - x64"
$CommandLine = "setup.exe /configure configuration.xml"
$ApplicationSourcePath = "D:\Downloads\Office365"
@ -233,7 +258,8 @@ On **MDT01**:
```
Upon successful installation, the following text is displayed:
```
```output
VERBOSE: Performing the operation "import" on target "Application".
VERBOSE: Beginning application import
VERBOSE: Copying application source files from D:\Downloads\Office365 to D:\MDTBuildLab\Applications\Install -
@ -248,17 +274,18 @@ On **MDT01**:
### Create the install: Microsoft Visual C++ Redistributable 2019 - x86
>[!NOTE]
>We have abbreviated "Microsoft Visual C++ Redistributable" in the $ApplicationName below as "MSVC" to avoid the path name exceeding the maxiumum allowed length of 248 characters.
> [!NOTE]
> We have abbreviated "Microsoft Visual C++ Redistributable" in the $ApplicationName below as "MSVC" to avoid the path name exceeding the maxiumum allowed length of 248 characters.
In these steps, we assume that you've downloaded Microsoft Visual C++ Redistributable 2019 - x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads.
On **MDT01**:
1. Ensure you're signed on as **contoso\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt:
``` powershell
```powershell
$ApplicationName = "Install - MSVC 2019 - x86"
$CommandLine = "vc_redist.x86.exe /Q"
$ApplicationSourcePath = "D:\Downloads"
@ -266,7 +293,8 @@ On **MDT01**:
```
Upon successful installation, the following text is displayed:
```
```output
VERBOSE: Performing the operation "import" on target "Application".
VERBOSE: Beginning application import
VERBOSE: Copying application source files from D:\Downloads to D:\MDTBuildLab\Applications\Install - MSVC 2019 - x86
@ -285,9 +313,10 @@ In these steps, we assume that you've downloaded Microsoft Visual C++ Redistribu
On **MDT01**:
1. Ensure you're signed on as **contoso\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt:
``` powershell
```powershell
$ApplicationName = "Install - MSVC 2019 - x64"
$CommandLine = "vc_redist.x64.exe /Q"
$ApplicationSourcePath = "D:\Downloads"
@ -310,17 +339,19 @@ To create a Windows 10 reference image task sequence, the process is as follows:
On **MDT01**:
1. When you're using the Deployment Workbench, under **Deployment Shares > MDT Build Lab** right-click **Task Sequences**, and create a **New Folder** named **Windows 10**.
2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
1. Task sequence ID: REFW10X64-001
2. Task sequence name: Windows 10 Enterprise x64 RTM Default Image
3. Task sequence comments: Reference Build
4. Template: Standard Client Task Sequence
5. Select OS: Windows 10 Enterprise x64 RTM Default Image
6. Specify Product Key: Don't specify a product key at this time
7. Full Name: Contoso
8. Organization: Contoso
9. Internet Explorer home page: http://www.contoso.com
10. Admin Password: Don't specify an Administrator Password at this time
1. **Task sequence ID**: REFW10X64-001
2. **Task sequence name**: Windows 10 Enterprise x64 RTM Default Image
3. **Task sequence comments**: Reference Build
4. **Template**: Standard Client Task Sequence
5. **Select OS**: Windows 10 Enterprise x64 RTM Default Image
6. **Specify Product Key**: Don't specify a product key at this time
7. **Full Name**: Contoso
8. **Organization**: Contoso
9. **Internet Explorer home page**: `http://www.contoso.com`
10. **Admin Password**: Don't specify an Administrator Password at this time
### Edit the Windows 10 task sequence
@ -329,81 +360,99 @@ The steps below walk you through the process of editing the Windows 10 reference
On **MDT01**:
1. In the **Task Sequences / Windows 10** folder, right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence, and select **Properties**.
2. On the **Task Sequence** tab, configure the Windows 10 Enterprise x64 RTM Default Image task sequence with the following settings:
1. **State Restore > Windows Update (Pre-Application Installation)** action: Enable this action by clicking the **Options** tab and clearing the **Disable this step** check box.
- **State Restore > Windows Update (Pre-Application Installation)** action: Enable this action by clicking the **Options** tab and clearing the **Disable this step** check box.
2. **State Restore > Windows Update (Post-Application Installation)** action: Also enable this action.
3. **State Restore**: After the **Tattoo** action, add a new **Group** action (select **Add** then select **New Group**) with the following setting:
- **State Restore > Windows Update (Post-Application Installation)** action: Also enable this action.
- **State Restore**: After the **Tattoo** action, add a new **Group** action (select **Add** then select **New Group**) with the following setting:
- Name: **Custom Tasks (Pre-Windows Update)**
4. **State Restore**: After **Windows Update (Post-Application Installation)** action, rename **Custom Tasks** to **Custom Tasks (Post-Windows Update)**.
- **Note**: The reason for adding the applications after the Tattoo action but before running Windows Update is simply to save time during the deployment. This way we can add all applications that will upgrade some of the built-in components and avoid unnecessary updating.
5. **State Restore > Custom Tasks (Pre-Windows Update)**: Add a new **Install Roles and Features** action with the following settings:
1. Name: Install - Microsoft NET Framework 3.5.1
2. Select the operating system for which roles are to be installed: Windows 10
3. Select the roles and features that should be installed: .NET Framework 3.5 (includes .NET 2.0 and 3.0)
>[!IMPORTANT]
>This is probably the most important step when creating a reference image. Many applications need the .NET Framework, and we strongly recommend having it available in the image. The one thing that makes this different from other components is that .NET Framework 3.5.1 is not included in the WIM file. It's installed from the **Sources\\SxS** folder on the media, and that makes it more difficult to add after the image has been deployed.
- **State Restore**: After **Windows Update (Post-Application Installation)** action, rename **Custom Tasks** to **Custom Tasks (Post-Windows Update)**.
> [!NOTE]
> The reason for adding the applications after the Tattoo action but before running Windows Update is simply to save time during the deployment. This way we can add all applications that will upgrade some of the built-in components and avoid unnecessary updating.
- **State Restore > Custom Tasks (Pre-Windows Update)**: Add a new **Install Roles and Features** action with the following settings:
- **Name**: Install - Microsoft NET Framework 3.5.1
- **Select the operating system for which roles are to be installed**: Windows 10
- **Select the roles and features that should be installed**: .NET Framework 3.5 (includes .NET 2.0 and 3.0)
> [!IMPORTANT]
> This is probably the most important step when creating a reference image. Many applications need the .NET Framework, and we strongly recommend having it available in the image. The one thing that makes this different from other components is that .NET Framework 3.5.1 is not included in the WIM file. It's installed from the **Sources\\SxS** folder on the media, and that makes it more difficult to add after the image has been deployed.
![task sequence.](../images/fig8-cust-tasks.png)
The task sequence after creating the Custom Tasks (Pre-Windows Update) group and adding the Install - Microsoft NET Framework 3.5.1 action.
6. **State Restore > Custom Tasks (Pre-Windows Update)**: After the **Install - Microsoft NET Framework 3.5.1** action, add a new **Install Application** action (selected from the **General** group) with the following settings:
1. Name: Microsoft Visual C++ Redistributable 2019 - x86
2. Install a Single Application: browse to **Install - MSVC 2019 - x86**
7. Repeat these steps (add a new **Install Application**) to add Microsoft Visual C++ Redistributable 2019 - x64 and Microsoft 365 Apps for enterprise as well.
- **State Restore > Custom Tasks (Pre-Windows Update)**: After the **Install - Microsoft NET Framework 3.5.1** action, add a new **Install Application** action (selected from the **General** group) with the following settings:
- **Name**: Microsoft Visual C++ Redistributable 2019 - x86
- **Install a Single Application**: browse to **Install - MSVC 2019 - x86**
- Repeat these steps (add a new **Install Application**) to add Microsoft Visual C++ Redistributable 2019 - x64 and Microsoft 365 Apps for enterprise as well.
3. Select **OK**.
![apps.](../images/mdt-apps.png)
### Optional configuration: Add a suspend action
The goal when creating a reference image is to automate everything. But sometimes you've a special configuration or application setup that is too time-consuming to automate. If you need to do some manual configuration, you can add a little-known feature called Lite Touch Installation (LTI) Suspend. If you add the LTISuspend.wsf script as a custom action in the task sequence, it will suspend the task sequence until you select the Resume Task Sequence shortcut icon on the desktop. In addition to using the LTI Suspend feature for manual configuration or installation, you can also use it simply for verifying a reference image before you allow the task sequence to continue and use Sysprep and capture the virtual machine.
![figure 8.](../images/fig8-suspend.png)
A task sequence with optional Suspend action (LTISuspend.wsf) added.
![figure 9.](../images/fig9-resumetaskseq.png)
The Windows 10 desktop with the Resume Task Sequence shortcut.
### Edit the Unattend.xml file for Windows 10 Enterprise
When using MDT, you don't need to edit the Unattend.xml file often because most configurations are taken care of by MDT. However if, for example, you want to configure Internet Explorer behavior, then you can edit the Unattend.xml. Editing the Unattend.xml for basic Internet Explorer settings is easy, but for more advanced settings, you 'll want to use the Internet Explorer Administration Kit (IEAK).
>[!WARNING]
>Don't use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml file. These settings are deprecated and can have unintended effects if used.
> [!WARNING]
> Don't use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml file. These settings are deprecated and can have unintended effects if used.
>[!NOTE]
>You also can use the Unattend.xml to enable components in Windows 10, like the Telnet Client or Hyper-V client. Normally we prefer to do this via the **Install Roles and Features** action, or using Deployment Image Servicing and Management (DISM) command-line tools, because then we can add that as an application, being dynamic, having conditions, and so forth. Also, if you're adding packages via Unattend.xml, it's version specific, so Unattend.xml must match the exact version of the operating system you're servicing.
> [!NOTE]
> You also can use the Unattend.xml to enable components in Windows 10, like the Telnet Client or Hyper-V client. Normally we prefer to do this via the **Install Roles and Features** action, or using Deployment Image Servicing and Management (DISM) command-line tools, because then we can add that as an application, being dynamic, having conditions, and so forth. Also, if you're adding packages via Unattend.xml, it's version specific, so Unattend.xml must match the exact version of the operating system you're servicing.
Follow these steps to configure Internet Explorer settings in Unattend.xml for the Windows 10 Enterprise x64 RTM Default Image task sequence:
On **MDT01**:
1. When you're using the Deployment Workbench, under **Deployment Shares > MDT Build Lab > Task Sequences** right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence and select **Properties**.
2. In the **OS Info** tab, select **Edit Unattend.xml**. MDT now generates a catalog file. This file generation process will take a few minutes, and then Windows System Image Manager (Windows SIM) will start.
> [!IMPORTANT]
> The ADK version 1903 has a [known issue](/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-1903) generating a catalog file for Windows 10, version 1903 or 1909 X64 install.wim. You might see the error "Could not load file or assembly" in in the console output. To avoid this issue, [install the ADK, version 2004 or a later version](/windows-hardware/get-started/adk-install). A workaround is also available for the ADK version 1903:
> The ADK version 1903 has a [known issue](/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-1903) generating a catalog file for Windows 10, version 1903 or 1909 X64 install.wim. You might see the error **Could not load file or assembly** in in the console output. To avoid this issue, [install the ADK, version 2004 or a later version](/windows-hardware/get-started/adk-install). A workaround is also available for the ADK version 1903:
>
> - Close the Deployment Workbench and install the [WSIM 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334). This will update imagecat.exe and imgmgr.exe to version 10.0.18362.144.
>
> - Manually run imgmgr.exe (C:\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM\\imgmgr.exe).
>
> - Generate a catalog (Tools/Create Catalog) for the selected install.wim (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install.wim).
>
> - After manually creating the catalog file (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install_Windows 10 Enterprise.clg), open the Deployment Workbench and proceed to edit unattend.xml.
3. In Windows SIM, expand the **4 specialize** node in the **Answer File** pane and select the amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral entry.
4. In the **amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral properties** window (right-hand window), set the following values:
- DisableDevTools: true
- **DisableDevTools**: true
5. Save the Unattend.xml file, and close Windows SIM.
> [!NOTE]
> If errors are reported that certain display values are incorrect, you can ignore this message or browse to **7oobeSystem\\amd64_Microsoft-Windows-Shell-Setup__neutral\\Display** and enter the following: ColorDepth 32, HorizontalResolution 1, RefreshRate 60, VerticalResolution 1.
6. On the Windows 10 Enterprise x64 RTM Default Image Properties, select **OK**.
![figure 10.](../images/fig10-unattend.png)
Windows System Image Manager with the Windows 10 Unattend.xml.
## Configure the MDT deployment share rules
@ -419,9 +468,10 @@ To configure the rules for the MDT Build Lab deployment share:
On **MDT01**:
1. Using the Deployment Workbench, right-click the **MDT Build Lab** deployment share and select **Properties**.
2. Select the **Rules** tab and replace the existing content with the following information (edit the settings as needed to match your deployment). For example, If you don't have a WSUS server in your environment, delete the **WSUSServer** line from the configuration:
```
```ini
[Settings]
Priority=Default
@ -456,12 +506,11 @@ On **MDT01**:
```
![figure 11.](../images/mdt-rules.png)
The server-side rules for the MDT Build Lab deployment share.
3. Select **Edit Bootstrap.ini** and modify using the following information:
```
```ini
[Settings]
Priority=Default
@ -474,21 +523,27 @@ On **MDT01**:
SkipBDDWelcome=YES
```
>[!NOTE]
>For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it's acceptable to do so in this situation. Obviously if you're not using the same password (pass@word3) that is provided in this lab, you must enter your own custom password on the Rules tab and in Bootstrap.ini.
> [!NOTE]
> For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it's acceptable to do so in this situation. Obviously if you're not using the same password (pass@word3) that is provided in this lab, you must enter your own custom password on the Rules tab and in Bootstrap.ini.
4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x86**.
5. In the **Lite Touch Boot Image Settings** area, configure the following settings:
1. Image description: MDT Build Lab x86
2. ISO file name: MDT Build Lab x86.iso
- **Image description**: MDT Build Lab x86
- **ISO file name**: MDT Build Lab x86.iso
6. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
7. In the **Lite Touch Boot Image Settings** area, configure the following settings:
1. Image description: MDT Build Lab x64
2. ISO file name: MDT Build Lab x64.iso
- **Image description**: MDT Build Lab x64
- **ISO file name**: MDT Build Lab x64.iso
8. Select **OK**.
>[!NOTE]
>In MDT, the x86 boot image can deploy both x86 and x64 operating systems (except on computers based on Unified Extensible Firmware Interface).
> [!NOTE]
> In MDT, the x86 boot image can deploy both x86 and x64 operating systems (except on computers based on Unified Extensible Firmware Interface).
### Update the deployment share
@ -497,8 +552,8 @@ After the deployment share has been configured, it needs to be updated. This upd
1. In the Deployment Workbench, right-click the **MDT Build Lab** deployment share and select **Update Deployment Share**.
2. Use the default options for the Update Deployment Share Wizard.
>[!NOTE]
>The update process will take 5 to 10 minutes.
> [!NOTE]
> The update process will take 5 to 10 minutes.
### The rules explained
@ -508,14 +563,14 @@ The Bootstrap.ini and CustomSettings.ini files work together. The Bootstrap.ini
The CustomSettings.ini file is normally stored on the server, in the Deployment share\\Control folder, but also can be stored on the media (when using offline media).
>[!NOTE]
>The settings, or properties, that are used in the rules (CustomSettings.ini and Bootstrap.ini) are listed in the MDT documentation, in the Microsoft Deployment Toolkit Reference / Properties / Property Definition section.
> [!NOTE]
> The settings, or properties, that are used in the rules (CustomSettings.ini and Bootstrap.ini) are listed in the MDT documentation, in the Microsoft Deployment Toolkit Reference / Properties / Property Definition section.
### The Bootstrap.ini file
The Bootstrap.ini file is available via the deployment share's Properties dialog box, or via the D:\\MDTBuildLab\\Control folder on MDT01.
```
```ini
[Settings]
Priority=Default
[Default]
@ -527,23 +582,26 @@ SkipBDDWelcome=YES
```
So, what are these settings?
- **Priority.** This setting determines the order in which different sections are read. This Bootstrap.ini has only one section, named \[Default\].
- **DeployRoot.** This location is of the deployment share. Normally, this value is set by MDT, but you need to update the DeployRoot value if you move to another server or other share. If you don't specify a value, the Windows Deployment Wizard prompts you for a location.
- **UserDomain, UserID, and UserPassword.** These values are used for automatic sign in to the deployment share. Again, if they aren't specified, the wizard prompts you.
>[!WARNING]
>Caution is advised. These values are stored in clear text on the boot image. Use them only for the MDT Build Lab deployment share and not for the MDT Production deployment share that you learn to create in the next topic.
- **Priority**: This setting determines the order in which different sections are read. This Bootstrap.ini has only one section, named \[Default\].
- **SkipBDDWelcome.** Even if it's nice to be welcomed every time we start a deployment, we prefer to skip the initial welcome page of the Windows Deployment Wizard.
- **DeployRoot**: This location is of the deployment share. Normally, this value is set by MDT, but you need to update the DeployRoot value if you move to another server or other share. If you don't specify a value, the Windows Deployment Wizard prompts you for a location.
>[!NOTE]
>All properties beginning with "Skip" control only whether to display that pane in the Windows Deployment Wizard. Most of the panes also require you to actually set one or more values.
- **UserDomain, UserID, and UserPassword**: These values are used for automatic sign in to the deployment share. Again, if they aren't specified, the wizard prompts you.
> [!WARNING]
> Caution is advised. These values are stored in clear text on the boot image. Use them only for the MDT Build Lab deployment share and not for the MDT Production deployment share that you learn to create in the next topic.
- **SkipBDDWelcome**: Even if it's nice to be welcomed every time we start a deployment, we prefer to skip the initial welcome page of the Windows Deployment Wizard.
> [!NOTE]
> All properties beginning with "Skip" control only whether to display that pane in the Windows Deployment Wizard. Most of the panes also require you to actually set one or more values.
### The CustomSettings.ini file
The CustomSettings.ini file, whose content you see on the Rules tab of the deployment share Properties dialog box, contains most of the properties used in the configuration.
```
```ini
[Settings]
Priority=Default
[Default]
@ -575,37 +633,63 @@ SkipRoles=YES
SkipCapture=NO
SkipFinalSummary=YES
```
- **Priority.** Has the same function as in Bootstrap.ini. Priority determines the order in which different sections are read. This CustomSettings.ini has only one section, named \[Default\]. In general, if you've multiple sections that set the same value, the value from the first section (higher priority) wins. The rare exceptions are listed in the ZTIGather.xml file.
- **\_SMSTSORGNAME.** The organization name displayed in the task sequence progress bar window during deployment.
- **UserDataLocation.** Controls the settings for user state backup. You don't need to use when building and capturing a reference image.
- **DoCapture.** Configures the task sequence to run the System Preparation (Sysprep) tool and capture the image to a file when the operating system is installed.
- **OSInstall.** Must be set to Y or YES (the code just looks for the Y character) for the setup to proceed.
- **AdminPassword.** Sets the local Administrator account password.
- **TimeZoneName.** Establishes the time zone to use. Don't confuse this value with TimeZone, which is only for legacy operating systems (Windows 7 and Windows Server 2003).
>[!NOTE]
>The easiest way to find the current time zone name on a Windows 10 machine is to run tzutil /g in a command prompt. You can also run tzutil /l to get a listing of all available time zone names.
- **Priority**: Has the same function as in Bootstrap.ini. Priority determines the order in which different sections are read. This CustomSettings.ini has only one section, named \[Default\]. In general, if you've multiple sections that set the same value, the value from the first section (higher priority) wins. The rare exceptions are listed in the ZTIGather.xml file.
- **JoinWorkgroup.** Configures Windows to join a workgroup.
- **HideShell.** Hides the Windows Shell during deployment. This hide-operation is especially useful for Windows 10 deployments in which the deployment wizard will otherwise appear behind the tiles.
- **FinishAction.** Instructs MDT what to do when the task sequence is complete.
- **DoNotCreateExtraPartition.** Configures the task sequence not to create the extra partition for BitLocker. There's no need to do this configuration for your reference image.
- **WSUSServer.** Specifies which Windows Server Update Services (WSUS) server (and port, if needed) to use during the deployment. Without this option MDT will use Microsoft Update directly, which will increase deployment time and limit your options of controlling which updates are applied.
- **SLSHARE.** Instructs MDT to copy the log files to a server share if something goes wrong during deployment, or when a deployment is successfully completed.
- **ApplyGPOPack.** Allows you to deploy local group policies created by Microsoft Security Compliance Manager (SCM).
- **SkipAdminPassword.** Skips the pane that asks for the Administrator password.
- **SkipProductKey.** Skips the pane that asks for the product key.
- **SkipComputerName.** Skips the Computer Name pane.
- **SkipDomainMemberShip.** Skips the Domain Membership pane. If set to Yes, you need to configure either the JoinWorkgroup value or the JoinDomain, DomainAdmin, DomainAdminDomain, and DomainAdminPassword properties.
- **SkipUserData.** Skips the pane for user state migration.
- **SkipLocaleSelection.** Skips the pane for selecting language and keyboard settings.
- **SkipTimeZone.** Skips the pane for setting the time zone.
- **SkipApplications.** Skips the Applications pane.
- **SkipBitLocker.** Skips the BitLocker pane.
- **SkipSummary.** Skips the initial Windows Deployment Wizard summary pane.
- **SkipRoles.** Skips the Install Roles and Features pane.
- **SkipCapture.** Skips the Capture pane.
- **SkipFinalSummary.** Skips the final Windows Deployment Wizard summary. Because you use FinishAction=Shutdown, you don't want the wizard to stop in the end so that you need to select OK before the machine shuts down.
- **\_SMSTSORGNAME**: The organization name displayed in the task sequence progress bar window during deployment.
- **UserDataLocation**: Controls the settings for user state backup. You don't need to use when building and capturing a reference image.
- **DoCapture**: Configures the task sequence to run the System Preparation (Sysprep) tool and capture the image to a file when the operating system is installed.
- **OSInstall**: Must be set to Y or YES (the code just looks for the Y character) for the setup to proceed.
- **AdminPassword**: Sets the local Administrator account password.
- **TimeZoneName**: Establishes the time zone to use. Don't confuse this value with TimeZone, which is only for legacy operating systems (Windows 7 and Windows Server 2003).
> [!NOTE]
> The easiest way to find the current time zone name on a Windows 10 machine is to run tzutil /g in a command prompt. You can also run tzutil /l to get a listing of all available time zone names.
- **JoinWorkgroup**: Configures Windows to join a workgroup.
- **HideShell**: Hides the Windows Shell during deployment. This hide-operation is especially useful for Windows 10 deployments in which the deployment wizard will otherwise appear behind the tiles.
- **FinishAction**: Instructs MDT what to do when the task sequence is complete.
- **DoNotCreateExtraPartition**: Configures the task sequence not to create the extra partition for BitLocker. There's no need to do this configuration for your reference image.
- **WSUSServer**: Specifies which Windows Server Update Services (WSUS) server (and port, if needed) to use during the deployment. Without this option MDT will use Microsoft Update directly, which will increase deployment time and limit your options of controlling which updates are applied.
- **SLSHARE**: Instructs MDT to copy the log files to a server share if something goes wrong during deployment, or when a deployment is successfully completed.
- **ApplyGPOPack**: Allows you to deploy local group policies created by Microsoft Security Compliance Manager (SCM).
- **SkipAdminPassword**: Skips the pane that asks for the Administrator password.
- **SkipProductKey**: Skips the pane that asks for the product key.
- **SkipComputerName**: Skips the Computer Name pane.
- **SkipDomainMemberShip**: Skips the Domain Membership pane. If set to Yes, you need to configure either the JoinWorkgroup value or the JoinDomain, DomainAdmin, DomainAdminDomain, and DomainAdminPassword properties.
- **SkipUserData**: Skips the pane for user state migration.
- **SkipLocaleSelection**: Skips the pane for selecting language and keyboard settings.
- **SkipTimeZone**: Skips the pane for setting the time zone.
- **SkipApplications**: Skips the Applications pane.
- **SkipBitLocker**: Skips the BitLocker pane.
- **SkipSummary**: Skips the initial Windows Deployment Wizard summary pane.
- **SkipRoles**: Skips the Install Roles and Features pane.
- **SkipCapture**: Skips the Capture pane.
- **SkipFinalSummary**: Skips the final Windows Deployment Wizard summary. Because you use FinishAction=Shutdown, you don't want the wizard to stop in the end so that you need to select OK before the machine shuts down.
## Build the Windows 10 reference image
@ -617,40 +701,46 @@ The steps below outline the process used to boot a virtual machine using an ISO
1. Copy D:\\MDTBuildLab\\Boot\\MDT Build Lab x86.iso on MDT01 to C:\\ISO on your Hyper-V host (HV01).
>[!NOTE]
>Remember, in MDT you can use the x86 boot image to deploy both x86 and x64 operating system images. That's why you can use the x86 boot image instead of the x64 boot image.
> [!NOTE]
> Remember, in MDT you can use the x86 boot image to deploy both x86 and x64 operating system images. That's why you can use the x86 boot image instead of the x64 boot image.
On **HV01**:
2. Create a new virtual machine with the following settings:
1. Create a new virtual machine with the following settings:
1. Name: REFW10X64-001
2. Store the virtual machine in a different location: C:\VM
3. Generation 1
4. Memory: 1024 MB
5. Network: Must be able to connect to \\MDT01\MDTBuildLab$
7. Hard disk: 60 GB (dynamic disk)
8. Install OS with image file: C:\\ISO\\MDT Build Lab x86.iso
1. Before you start the VM, add a checkpoint for REFW10X64-001, and name it **Clean with MDT Build Lab x86 ISO**.
6. Hard disk: 60 GB (dynamic disk)
7. Install OS with image file: C:\\ISO\\MDT Build Lab x86.iso
>[!NOTE]
>Checkpoints are useful if you need to restart the process and want to make sure you can start clean.
2. Before you start the VM, add a checkpoint for REFW10X64-001, and name it **Clean with MDT Build Lab x86 ISO**.
4. Start the REFW10X64-001 virtual machine and connect to it.
> [!NOTE]
> Checkpoints are useful if you need to restart the process and want to make sure you can start clean.
>[!NOTE]
>Up to this point we haven't discussed IP addressing or DHCP. In the initial setup for this guide, DC01 was provisioned as a DHCP server to provide IP address leases to client computers. You might have a different DHCP server on your network that you wish to use. The REFW10X64-001 virtual machine requires an IP address lease that provides it with connectivity to MDT01 so that it can connect to the \\MDT01\MDTBuildLab$ share. In the current scenario, this connectivity is accomplished with a DHCP scope that provides IP addresses in the 10.10.10.100 - 10.10.10.200 range, as part of a /24 subnet so that the client can connect to MDT01 at 10.10.10.11.
3. Start the REFW10X64-001 virtual machine and connect to it.
> [!NOTE]
> Up to this point we haven't discussed IP addressing or DHCP. In the initial setup for this guide, DC01 was provisioned as a DHCP server to provide IP address leases to client computers. You might have a different DHCP server on your network that you wish to use. The REFW10X64-001 virtual machine requires an IP address lease that provides it with connectivity to MDT01 so that it can connect to the \\MDT01\MDTBuildLab$ share. In the current scenario, this connectivity is accomplished with a DHCP scope that provides IP addresses in the 10.10.10.100 - 10.10.10.200 range, as part of a /24 subnet so that the client can connect to MDT01 at 10.10.10.11.
After booting into Windows PE, complete the Windows Deployment Wizard with the following settings:
1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Default Image
2. Specify whether to capture an image: Capture an image of this reference computer
- **Select a task sequence to execute on this computer**: Windows 10 Enterprise x64 RTM Default Image
- **Specify whether to capture an image**: Capture an image of this reference computer
- Location: \\\\MDT01\\MDTBuildLab$\\Captures
3. File name: REFW10X64-001.wim
- **File name**: REFW10X64-001.wim
![capture image.](../images/captureimage.png)
The Windows Deployment Wizard for the Windows 10 reference image.
5. The setup now starts and does the following steps:
4. The setup now starts and does the following steps:
1. Installs the Windows 10 Enterprise operating system.
2. Installs the added applications, roles, and features.
3. Updates the operating system via your local Windows Server Update Services (WSUS) server.
@ -666,7 +756,7 @@ After some time, you 'll have a Windows 10 Enterprise x64 image that is fully pa
## Troubleshooting
> [!IMPORTANT]
> If you encounter errors applying the image when using a BIOS firmware type, see [Windows 10 deployments fail with Microsoft Deployment Toolkit on computers with BIOS type firmware](https://support.microsoft.com/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7). This
> If you encounter errors applying the image when using a BIOS firmware type, see [Windows 10 deployments fail with Microsoft Deployment Toolkit on computers with BIOS type firmware](https://support.microsoft.com/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7).
If you [enabled monitoring](#enable-monitoring), you can check the progress of the task sequence.
@ -678,9 +768,9 @@ After some time, you 'll have a Windows 10 Enterprise x64 image that is fully pa
## Related articles
[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)<br>
[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)<br>
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)<br>
[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)<br>
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)<br>
[Configure MDT settings](configure-mdt-settings.md)
- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
- [Configure MDT settings](configure-mdt-settings.md)

173
windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
View File

@ -11,12 +11,13 @@ ms.topic: article
ms.technology: itpro-deploy
ms.collection:
- highpri
ms.date: 10/28/2022
ms.date: 11/28/2022
---
# Deploy a Windows 10 image using MDT
**Applies to**
**Applies to:**
- Windows 10
This article will show you how to take your reference image for Windows 10 (that was [created](create-a-windows-10-reference-image.md)), and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT).
@ -34,8 +35,8 @@ MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contos
![devices.](../images/mdt-07-fig01.png)
>[!NOTE]
>For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
> [!NOTE]
> For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
## Step 1: Configure Active Directory permissions
@ -85,7 +86,9 @@ On **MDT01**:
The steps for creating the deployment share for production are the same as when you created the deployment share for creating the custom reference image:
1. Ensure you're signed on as: contoso\administrator.
2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and select **Next**.
4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and select **Next**.
@ -93,6 +96,7 @@ The steps for creating the deployment share for production are the same as when
5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and select **Next**.
6. On the **Options** page, accept the default settings and select **Next** twice, and then select **Finish**.
7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share.
### Configure permissions for the production deployment share
@ -102,10 +106,11 @@ To read files in the deployment share, you need to assign NTFS and SMB permissio
On **MDT01**:
1. Ensure you're signed in as **contoso\\administrator**.
2. Modify the NTFS permissions for the **D:\\MDTProduction** folder by running the following command in an elevated Windows PowerShell prompt:
``` powershell
icacls "D:\MDTProduction" /grant '"CONTOSO\MDT_BA":(OI)(CI)(M)'
```powershell
icacls.exe "D:\MDTProduction" /grant '"CONTOSO\MDT_BA":(OI)(CI)(M)'
grant-smbshareaccess -Name MDTProduction$ -AccountName "Contoso\MDT_BA" -AccessRight Full -force
```
@ -118,6 +123,7 @@ The next step is to add a reference image into the deployment share with the set
In these steps, we assume that you've completed the steps in the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) article, so you've a Windows 10 reference image at **D:\\MDTBuildLab\\Captures\REFW10X64-001.wim** on MDT01.
1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a folder named **Windows 10**.
2. Right-click the **Windows 10** folder and select **Import Operating System**.
3. On the **OS Type** page, select **Custom image file** and select **Next**.
@ -127,11 +133,11 @@ In these steps, we assume that you've completed the steps in the [Create a Windo
5. On the **Setup** page, select the **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path** option; in the **Setup source directory** text box, browse to **D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM** and select **Next**.
6. On the **Destination** page, in the **Destination directory name** text box, type **W10EX64RTM**, select **Next** twice, and then select **Finish**.
7. After adding the operating system, double-click the added operating system name in the **Operating Systems / Windows 10** node and change the name to **Windows 10 Enterprise x64 RTM Custom Image**.
>[!NOTE]
>The reason for adding the setup files has changed since earlier versions of MDT. MDT 2010 used the setup files to install Windows. MDT uses DISM to apply the image; however, you still need the setup files because some components in roles and features are stored outside the main image.
> [!NOTE]
> The reason for adding the setup files has changed since earlier versions of MDT. MDT 2010 used the setup files to install Windows. MDT uses DISM to apply the image; however, you still need the setup files because some components in roles and features are stored outside the main image.
![imported OS.](../images/fig2-importedos.png)
@ -144,8 +150,11 @@ When you configure your MDT Build Lab deployment share, you can also add applica
On **MDT01**:
1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2200320282_en_US.exe) to **D:\\setup\\adobe** on MDT01.
2. Extract the .exe file that you downloaded to a .msi (ex: .\AcroRdrDC2200320282_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne).
3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node.
4. Right-click the **Applications** node, and create a new folder named **Adobe**.
5. In the **Applications** node, right-click the **Adobe** folder and select **New Application**.
@ -161,12 +170,12 @@ On **MDT01**:
10. On the **Command Details** page, in the **Command Line** text box, type **msiexec /i AcroRead.msi /q**, select **Next** twice, and then select **Finish**.
![acroread image.](../images/acroread.png)
The Adobe Reader application added to the Deployment Workbench.
## Step 5: Prepare the drivers repository
In order to deploy Windows 10 with MDT successfully, you need drivers for the boot images and for the actual operating system. This section will show you how to add drivers for the boot image and operating system, using the following hardware models as examples:
- Lenovo ThinkPad T420
- Dell Latitude 7390
- HP EliteBook 8560w
@ -174,8 +183,8 @@ In order to deploy Windows 10 with MDT successfully, you need drivers for the bo
For boot images, you need to have storage and network drivers; for the operating system, you need to have the full suite of drivers.
>[!NOTE]
>You should only add drivers to the Windows PE images if the default drivers don't work. Adding drivers that are not necessary will only make the boot image larger and potentially delay the download time.
> [!NOTE]
> You should only add drivers to the Windows PE images if the default drivers don't work. Adding drivers that are not necessary will only make the boot image larger and potentially delay the download time.
### Create the driver source structure in the file system
@ -187,11 +196,15 @@ On **MDT01**:
> In the steps below, it's critical that the folder names used for various computer makes and models exactly match the results of **wmic computersystem get model,manufacturer** on the target system.
1. Using File Explorer, create the **D:\\drivers** folder.
2. In the **D:\\drivers** folder, create the following folder structure:
1. WinPE x86
2. WinPE x64
3. Windows 10 x64
3. In the new Windows 10 x64 folder, create the following folder structure:
- Dell Inc.
- Latitude E7450
- Hewlett-Packard
@ -207,12 +220,17 @@ On **MDT01**:
### Create the logical driver structure in MDT
When you import drivers to the MDT driver repository, MDT creates a single instance folder structure based on driver class names. However, you can, and should, mimic the driver structure of your driver source repository in the Deployment Workbench. This mimic is done by creating logical folders in the Deployment Workbench.
1. On MDT01, using Deployment Workbench, select the **Out-of-Box Drivers** node.
2. In the **Out-Of-Box Drivers** node, create the following folder structure:
1. WinPE x86
2. WinPE x64
3. Windows 10 x64
3. In the **Windows 10 x64** folder, create the following folder structure:
- Dell Inc.
- Latitude E7450
- Hewlett-Packard
@ -230,36 +248,40 @@ Get-WmiObject -Class:Win32_ComputerSystem
Or, you can use this command in a normal command prompt:
```console
wmic csproduct get name
```cmd
wmic.exe csproduct get name
```
If you want a more standardized naming convention, try the **ModelAliasExit.vbs script** from the Deployment Guys blog post, entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](/archive/blogs/deploymentguys/using-and-extending-model-aliases-for-hardware-specific-application-installation).
![drivers.](../images/fig4-oob-drivers.png)
The Out-of-Box Drivers structure in the Deployment Workbench.
### Create the selection profiles for boot image drivers
By default, MDT adds any storage and network drivers that you import to the boot images. However, you should add only the drivers that are necessary to the boot image. You can control which drivers are added by using selection profiles.
The drivers that are used for the boot images (Windows PE) are Windows 10 drivers. If you cant locate Windows 10 drivers for your device, a Windows 7 or Windows 8.1 driver will most likely work, but Windows 10 drivers should be your first choice.
The drivers that are used for the boot images (Windows PE) are Windows 10 drivers. If you can't locate Windows 10 drivers for your device, a Windows 7 or Windows 8.1 driver will most likely work, but Windows 10 drivers should be your first choice.
On **MDT01**:
1. In the Deployment Workbench, under the **MDT Production** node, expand the **Advanced Configuration** node, right-click the **Selection Profiles** node, and select **New Selection Profile**.
2. In the New Selection Profile Wizard, create a selection profile with the following settings:
1. Selection Profile name: WinPE x86
2. Folders: Select the WinPE x86 folder in Out-of-Box Drivers.
3. Select **Next**, **Next** and **Finish**.
2. In the **New Selection Profile Wizard**, create a selection profile with the following settings:
- **Selection Profile name**: WinPE x86
- **Folders**: Select the WinPE x86 folder in Out-of-Box Drivers.
- Select **Next**, **Next** and **Finish**.
3. Right-click the **Selection Profiles** node again, and select **New Selection Profile**.
4. In the New Selection Profile Wizard, create a selection profile with the following settings:
1. Selection Profile name: WinPE x64
2. Folders: Select the WinPE x64 folder in Out-of-Box Drivers.
3. Select **Next**, **Next** and **Finish**.
- **Selection Profile name**: WinPE x64
- **Folders**: Select the WinPE x64 folder in Out-of-Box Drivers.
- Select **Next**, **Next** and **Finish**.
![figure 5.](../images/fig5-selectprofile.png)
Creating the WinPE x64 selection profile.
### Extract and import drivers for the x64 boot image
@ -269,10 +291,16 @@ Windows PE supports all the hardware models that we have, but here you learn to
On **MDT01**:
1. Download **PROWinx64.exe** from Intel.com (ex: [PROWinx64.exe](https://downloadcenter.intel.com/downloads/eula/25016/Intel-Network-Adapter-Driver-for-Windows-10?httpDown=https%3A%2F%2Fdownloadmirror.intel.com%2F25016%2Feng%2FPROWinx64.exe)).
2. Extract PROWinx64.exe to a temporary folder - in this example to the **C:\\Tmp\\ProWinx64** folder.
a. **Note**: Extracting the .exe file manually requires an extraction utility. You can also run the .exe and it will self-extract files to the **%userprofile%\AppData\Local\Temp\RarSFX0** directory. This directory is temporary and will be deleted when the .exe terminates.
> [!NOTE]
> Extracting the .exe file manually requires an extraction utility. You can also run the .exe and it will self-extract files to the **%userprofile%\AppData\Local\Temp\RarSFX0** directory. This directory is temporary and will be deleted when the .exe terminates.
3. Using File Explorer, create the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder.
4. Copy the content of the **C:\\Tmp\\PROWinx64\\PRO1000\\Winx64\\NDIS64** folder to the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder.
5. In the Deployment Workbench, expand the **MDT Production** > **Out-of-Box Drivers** node, right-click the **WinPE x64** node, and select **Import Drivers**, and use the following Driver source directory to import drivers: **D:\\Drivers\\WinPE x64\\Intel PRO1000**.
### Download, extract, and import drivers
@ -281,8 +309,7 @@ On **MDT01**:
For the ThinkStation P500 model, you use the Lenovo ThinkVantage Update Retriever software to download the drivers. With Update Retriever, you need to specify the correct Lenovo Machine Type for the actual hardware (the first four characters of the model name). As an example, the Lenovo ThinkStation P500 model has the 30A6003TUS model name, meaning the Machine Type is 30A6.
> [!div class="mx-imgBorder"]
> ![ThinkStation image.](../images/thinkstation.png)
![ThinkStation image.](../images/thinkstation.png)
To get the updates, download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can also download the drivers by searching PC Support on the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543).
@ -310,7 +337,7 @@ On **MDT01**:
2. Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers:
**D:\\Drivers\\Windows 10 x64\\Dell Inc.\\Latitude E7450**
**`D:\Drivers\Windows 10 x64\Dell Inc.\Latitude E7450`**
### For the HP EliteBook 8560w
@ -324,7 +351,7 @@ On **MDT01**:
2. Right-click the **HP EliteBook 8560w** folder and select **Import Drivers** and use the following Driver source directory to import drivers:
**D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w**
**`D:\Drivers\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w`**
### For the Microsoft Surface Laptop
@ -336,7 +363,7 @@ On **MDT01**:
2. Right-click the **Surface Laptop** folder and select **Import Drivers**; and use the following Driver source directory to import drivers:
**D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop**
**`D:\Drivers\Windows 10 x64\Microsoft\Surface Laptop`**
## Step 6: Create the deployment task sequence
@ -349,6 +376,7 @@ On **MDT01**:
1. In the Deployment Workbench, under the **MDT Production** node, right-click **Task Sequences**, and create a folder named **Windows 10**.
2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- Task sequence ID: W10-X64-001
- Task sequence name: Windows 10 Enterprise x64 RTM Custom Image
- Task sequence comments: Production Image
@ -367,12 +395,14 @@ On **MDT01**:
2. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings:
1. Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings:
1. Name: Set DriverGroup001
2. Task Sequence Variable: DriverGroup001
3. Value: Windows 10 x64\\%Make%\\%Model%
- **Name**: Set DriverGroup001
- **Task Sequence Variable**: DriverGroup001
- **Value**: Windows 10 x64\\%Make%\\%Model%
2. Configure the **Inject Drivers** action with the following settings:
- Choose a selection profile: Nothing
- **Choose a selection profile**: Nothing
- Install all drivers from the selection profile
> [!NOTE]
@ -385,7 +415,6 @@ On **MDT01**:
3. Select **OK**.
![drivergroup.](../images/fig6-taskseq.png)
The task sequence for production deployment.
## Step 7: Configure the MDT production deployment share
@ -400,9 +429,10 @@ In this section, you'll learn how to configure the MDT Build Lab deployment shar
On **MDT01**:
1. Right-click the **MDT Production** deployment share and select **Properties**.
2. Select the **Rules** tab and replace the existing rules with the following information (modify the domain name, WSUS server, and administrative credentials to match your environment):
```
```ini
[Settings]
Priority=Default
@ -441,7 +471,7 @@ On **MDT01**:
3. Select **Edit Bootstrap.ini** and modify using the following information:
```
```ini
[Settings]
Priority=Default
@ -483,8 +513,8 @@ On **MDT01**:
11. Select **OK**.
>[!NOTE]
>It will take a while for the Deployment Workbench to create the monitoring database and web service.
> [!NOTE]
> It will take a while for the Deployment Workbench to create the monitoring database and web service.
![figure 8.](../images/mdt-07-fig08.png)
@ -500,7 +530,7 @@ You can optionally remove the **UserID** and **UserPassword** entries from Boots
This file is the MDT Production Bootstrap.ini:
```
```ini
[Settings]
Priority=Default
@ -516,7 +546,7 @@ SkipBDDWelcome=YES
This file is the CustomSettings.ini file with the new join domain information:
```
```ini
[Settings]
Priority=Default
@ -555,6 +585,7 @@ EventService=http://MDT01:9800
```
Some properties to use in the MDT Production rules file are as follows:
- **JoinDomain.** The domain to join.
- **DomainAdmin.** The account to use when joining the machine to the domain.
- **DomainAdminDomain.** The domain for the join domain account.
@ -578,7 +609,6 @@ If your organization has a Microsoft Software Assurance agreement, you also can
If you've licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you don't have DaRT licensing, or don't want to use it, skip to the next section, [Update the Deployment Share](#update-the-deployment-share). To enable the remote connection feature in MDT, you need to do the following steps:
> [!NOTE]
> DaRT 10 is part of [MDOP 2015](/microsoft-desktop-optimization-pack/#how-to-get-mdop).
>
@ -592,23 +622,22 @@ On **MDT01**:
![DaRT image.](../images/dart.png)
2. Copy the two tools CAB files from **C:\\Program Files\\Microsoft DaRT\\v10** (**Toolsx86.cab** and **Toolsx64.cab**) to the production deployment share at **D:\\MDTProduction\\Tools\\x86** and **D:\\MDTProduction\\Tools\\x64**, respectively.
3. Copy the two tools CAB files from **C:\\Program Files\\Microsoft DaRT\\v10** (**Toolsx86.cab** and **Toolsx64.cab**) to the production deployment share at **D:\\MDTProduction\\Tools\\x86** and **D:\\MDTProduction\\Tools\\x64**, respectively.
3. In the Deployment Workbench, right-click the **MDT Production** deployment share and select **Properties**.
4. In the Deployment Workbench, right-click the **MDT Production** deployment share and select **Properties**.
4. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected.
5. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected.
5. On the **Features** sub tab, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox.
6. On the **Features** sub tab, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox.
![DaRT selection.](../images/mdt-07-fig09.png)
Selecting the DaRT 10 feature in the deployment share.
8. In the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
7. In the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
9. In the **Features** sub tab, in addition to the default selected feature pack, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box.
8. In the **Features** sub tab, in addition to the default selected feature pack, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box.
10. Select **OK**.
9. Select **OK**.
### Update the deployment share
@ -618,8 +647,8 @@ Like the MDT Build Lab deployment share, the MDT Production deployment share nee
2. Use the default options for the Update Deployment Share Wizard.
>[!NOTE]
>The update process will take 5 to 10 minutes.
> [!NOTE]
> The update process will take 5 to 10 minutes.
## Step 8: Deploy the Windows 10 client image
@ -638,7 +667,6 @@ On **MDT01**:
3. Browse to the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** file and add the image with the default settings.
![figure 9.](../images/mdt-07-fig10.png)
The boot image added to the WDS console.
### Deploy the Windows 10 client
@ -660,7 +688,6 @@ On **HV01**:
2. Start the PC0005 virtual machine, and press **Enter** to start the PXE boot. The VM will now load the Windows PE boot image from the WDS server.
![figure 10.](../images/mdt-07-fig11.png)
The initial PXE boot process of PC0005.
3. After Windows PE has booted, complete the Windows Deployment Wizard using the following setting:
@ -696,7 +723,6 @@ On **MDT01**:
3. Double-click PC0005, and review the information.
![figure 11.](../images/mdt-07-fig13.png)
The Monitoring node, showing the deployment progress of PC0005.
### Use information in the Event Viewer
@ -704,7 +730,6 @@ On **MDT01**:
When monitoring is enabled, MDT also writes information to the event viewer on MDT01. This information can be used to trigger notifications via scheduled tasks when deployment is completed. For example, you can configure scheduled tasks to send an email when a certain event is created in the event log.
![figure 12.](../images/mdt-07-fig14.png)
The Event Viewer showing a successful deployment of PC0005.
## Multicast deployments
@ -722,12 +747,14 @@ Setting up MDT for multicast is straightforward. You enable multicast on the dep
On **MDT01**:
1. In the Deployment Workbench, right-click the **MDT Production** deployment share folder and select **Properties**.
2. On the **General** tab, select the **Enable multicast for this deployment share (requires Windows Server 2008 R2 Windows Deployment Services)** check box, and select **OK**.
3. Right-click the **MDT Production** deployment share folder and select **Update Deployment Share**.
4. After updating the deployment share, use the Windows Deployment Services console to, verify that the multicast namespace was created.
![figure 13.](../images/mdt-07-fig15.png)
The newly created multicast namespace.
## Use offline media to deploy Windows 10
@ -747,7 +774,7 @@ On **MDT01**:
2. Use the following settings for the New Selection Profile Wizard:
- General Settings
- Selection profile name: Windows 10 Offline Media
- **Selection profile name**: Windows 10 Offline Media
- Folders
- Applications / Adobe
@ -764,12 +791,13 @@ In these steps, you generate offline media from the MDT Production deployment sh
1. On MDT01, using File Explorer, create the **D:\\MDTOfflineMedia** folder.
>[!NOTE]
>When creating offline media, you need to create the target folder first. It's crucial that you don't create a subfolder inside the deployment share folder because it will break the offline media.
> [!NOTE]
> When creating offline media, you need to create the target folder first. It's crucial that you don't create a subfolder inside the deployment share folder because it will break the offline media.
2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click the **Media** node, and select **New Media**.
3. Use the following settings for the New Media Wizard:
- General Settings
- Media path: **D:\\MDTOfflineMedia**
- Selection profile: **Windows 10 Offline Media**
@ -791,8 +819,9 @@ On **MDT01**:
4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
5. On the **General** sub tab, configure the following settings:
- In the **Lite Touch Boot Image Settings** area:
- Image description: MDT Production x64
- **Image description**: MDT Production x64
- In the **Windows PE Customizations** area, set the Scratch space size to 128.
6. On the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option.
@ -813,8 +842,14 @@ On **MDT01**:
The ISO that you got when updating the offline media item can be burned to a DVD and used directly (it will be bootable), but it's often more efficient to use USB sticks instead since they're faster and can hold more data. (A dual-layer DVD is limited to 8.5 GB.)
>[!TIP]
>In this example, the .wim file is 5.5 GB in size. However, bootable USB sticks are formatted with the FAT32 file system which limits file size to 4.0 GB. You can place the image on a different drive (ex: E:\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.swm) and then modify E:\Deploy\Control\OperatingSystems.xml to point to it. Alternatively to keep using the USB you must split the .wim file, which can be done using DISM: <br>&nbsp;<br>Dism /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800. <br>&nbsp;<br>Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm. <br>&nbsp;<br>To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (`<SkipWimSplit>True</SkipWimSplit>`), so this must be changed and the offline media content updated.
> [!TIP]
> In this example, the .wim file is 5.5 GB in size. However, bootable USB sticks are formatted with the FAT32 file system which limits file size to 4.0 GB. You can place the image on a different drive (ex: E:\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.swm) and then modify E:\Deploy\Control\OperatingSystems.xml to point to it. Alternatively to keep using the USB you must split the .wim file, which can be done using DISM:
>
> **`Dism.exe /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800.`**
>
> Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm.
>
> To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (`<SkipWimSplit>True</SkipWimSplit>`), so this must be changed and the offline media content updated.
Follow these steps to create a bootable USB stick from the offline media content:
@ -840,9 +875,9 @@ The partitions when deploying an UEFI-based machine.
## Related articles
[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)<br>
[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)<br>
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)<br>
[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)<br>
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)<br>
[Configure MDT settings](configure-mdt-settings.md)<br>
- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
- [Configure MDT settings](configure-mdt-settings.md)

126
windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
View File

@ -11,12 +11,13 @@ ms.topic: article
ms.technology: itpro-deploy
ms.collection:
- highpri
ms.date: 10/28/2022
ms.date: 11/28/2022
---
# Get started with MDT
**Applies to**
**Applies to:**
- Windows 10
This article provides an overview of the features, components, and capabilities of the [Microsoft Deployment Toolkit (MDT)](/mem/configmgr/mdt/). When you have finished reviewing this information, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
@ -37,39 +38,58 @@ MDT supports the deployment of Windows 10, and Windows 7, Windows 8.1, and Windo
MDT has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. The toolkit has evolved, both in functionality and popularity, and today it's considered fundamental to Windows operating system and enterprise application deployment.
MDT has many useful features, such as:
- **Windows Client support.** Supports Windows 7, Windows 8.1, and Windows 10.
- **Windows Server support.** Supports Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019.
- **Additional operating systems support.** Supports Windows Thin PC and [Windows Embedded POSReady 7](https://www.microsoft.com/en-us/download/details.aspx?id=26558), and Windows 8.1 Embedded Industry.
- **UEFI support.** Supports deployment to machines using Unified Extensible Firmware Interface (UEFI) version 2.3.1.
- **GPT support.** Supports deployment to machines that require the new GPT partition table format. This feature is related to UEFI.
- **Enhanced Windows PowerShell support.** Provides support for running PowerShell scripts.
- **Windows Client support**: Supports Windows 7, Windows 8.1, and Windows 10.
- **Windows Server support**: Supports Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019.
- **Additional operating systems support**: Supports Windows Thin PC and [Windows Embedded POSReady 7](https://www.microsoft.com/download/details.aspx?id=26558), and Windows 8.1 Embedded Industry.
- **UEFI support**: Supports deployment to machines using Unified Extensible Firmware Interface (UEFI) version 2.3.1.
- **GPT support**: Supports deployment to machines that require the new GPT partition table format. This feature is related to UEFI.
- **Enhanced Windows PowerShell support**: Provides support for running PowerShell scripts.
![figure 2.](../images/mdt-05-fig02.png)
The deployment share mounted as a standard PSDrive allows for administration using PowerShell.
- **Add local administrator accounts.** Allows you to add multiple user accounts to the local Administrators group on the target computers, either via settings or the deployment wizard.
- **Automated participation in CEIP and WER.** Provides configuration for participation in Windows Customer Experience Improvement Program (CEIP) and Windows Error Reporting (WER).
- **Deploy Windows RE.** Enables deployment of a customized Windows Recovery Environment (Windows RE) as part of the task sequence.
- **Deploy to VHD.** Provides ready-made task sequence templates for deploying Windows into a virtual hard disk (VHD) file.
- **Improved deployment wizard.** Provides more progress information and a cleaner UI for the Lite Touch Deployment Wizard.
- **Monitoring.** Allows you to see the status of currently running deployments.
- **Apply GPO Pack.** Allows you to deploy local group policy objects created by Microsoft Security Compliance Manager (SCM).
- **Partitioning routines.** Provides improved partitioning routines to ensure that deployments work regardless of the current hard drive structure.
- **Offline BitLocker.** Provides the capability to have BitLocker enabled during the Windows Preinstallation Environment (Windows PE) phase, thus saving hours of encryption time.
- **USMT offline user-state migration.** Provides support for running the User State Migration Tool (USMT) capture offline, during the Windows PE phase of the deployment.
- **Add local administrator accounts**: Allows you to add multiple user accounts to the local Administrators group on the target computers, either via settings or the deployment wizard.
- **Automated participation in CEIP and WER**: Provides configuration for participation in Windows Customer Experience Improvement Program (CEIP) and Windows Error Reporting (WER).
- **Deploy Windows RE**: Enables deployment of a customized Windows Recovery Environment (Windows RE) as part of the task sequence.
- **Deploy to VHD**: Provides ready-made task sequence templates for deploying Windows into a virtual hard disk (VHD) file.
- **Improved deployment wizard**: Provides more progress information and a cleaner UI for the Lite Touch Deployment Wizard.
- **Monitoring**: Allows you to see the status of currently running deployments.
- **Apply GPO Pack**: Allows you to deploy local group policy objects created by Microsoft Security Compliance Manager (SCM).
- **Partitioning routines**: Provides improved partitioning routines to ensure that deployments work regardless of the current hard drive structure.
- **Offline BitLocker**: Provides the capability to have BitLocker enabled during the Windows Preinstallation Environment (Windows PE) phase, thus saving hours of encryption time.
- **USMT offline user-state migration**: Provides support for running the User State Migration Tool (USMT) capture offline, during the Windows PE phase of the deployment.
![figure 3.](../images/mdt-05-fig03.png)
The offline USMT backup in action.
- **Install or uninstall Windows roles or features.** Enables you to select roles and features as part of the deployment wizard. MDT also supports uninstall of roles and features.
- **Microsoft System Center Orchestrator integration.** Provides the capability to use Orchestrator runbooks as part of the task sequence.
- **Support for DaRT.** Supports optional integration of the DaRT components into the boot image.
- **Support for Microsoft Office.** Provides added support for deploying Microsoft Office.
- **Support for Modern UI app package provisioning.** Provisions applications based on the new Windows app package standard, which is used in Windows 8 and later.
- **Extensibility.** Provides the capability to extend MDT far beyond the built-in features by adding custom scripts, web services, System Center Orchestrator runbooks, PowerShell scripts, and VBScripts.
- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, see the [Microsoft Deployment Toolkit resource page](/mem/configmgr/mdt/).
- **Install or uninstall Windows roles or features**: Enables you to select roles and features as part of the deployment wizard. MDT also supports uninstall of roles and features.
- **Microsoft System Center Orchestrator integration**: Provides the capability to use Orchestrator runbooks as part of the task sequence.
- **Support for DaRT**: Supports optional integration of the DaRT components into the boot image.
- **Support for Microsoft Office**: Provides added support for deploying Microsoft Office.
- **Support for Modern UI app package provisioning**: Provisions applications based on the new Windows app package standard, which is used in Windows 8 and later.
- **Extensibility**: Provides the capability to extend MDT far beyond the built-in features by adding custom scripts, web services, System Center Orchestrator runbooks, PowerShell scripts, and VBScripts.
- **Upgrade task sequence**: Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, see the [Microsoft Deployment Toolkit resource page](/mem/configmgr/mdt/).
## MDT Lite Touch components
@ -88,6 +108,7 @@ A deployment share is essentially a folder on the server that is shared and cont
## Rules
The rules (CustomSettings.ini and Bootstrap.ini) make up the brain of MDT. The rules control the Windows Deployment Wizard on the client and, for example, can provide the following settings to the machine being deployed:
- Computer name
- Domain to join, and organizational unit (OU) in Active Directory to hold the computer object
- Whether to enable BitLocker
@ -95,13 +116,11 @@ The rules (CustomSettings.ini and Bootstrap.ini) make up the brain of MDT. The r
You can manage hundreds of settings in the rules. For more information, see the [Microsoft Deployment Toolkit resource center](/mem/configmgr/mdt/).
![figure 5.](../images/mdt-05-fig05.png)
Example of an MDT rule. In this example, the new computer name is being calculated based on PC- plus the first seven (Left) characters from the serial number
## Boot images
Boot images are the Windows Preinstallation Environment (Windows PE) images that are used to start the deployment. They can be started from a CD or DVD, an ISO file, a USB device, or over the network using a Pre-Boot Execution Environment (PXE) server. The boot images connect to the deployment
share on the server and start the deployment.
Boot images are the Windows Preinstallation Environment (Windows PE) images that are used to start the deployment. They can be started from a CD or DVD, an ISO file, a USB device, or over the network using a Pre-Boot Execution Environment (PXE) server. The boot images connect to the deployment share on the server and start the deployment.
## Operating systems
@ -124,33 +143,44 @@ With the Deployment Workbench, you can add any Microsoft packages that you want
Task sequences are the heart and soul of the deployment solution. When creating a task sequence, you need to select a template. The templates are located in the Templates folder in the MDT installation directory, and they determine which default actions are present in the sequence.
You can think of a task sequence as a list of actions that need to be executed in a certain order. Each action can also have conditions. Some examples of actions are as follows:
- **Gather.** Reads configuration settings from the deployment server.
- **Format and Partition.** Creates the partition(s) and formats them.
- **Inject Drivers.** Finds out which drivers the machine needs and downloads them from the central driver repository.
- **Apply Operating System.** Uses ImageX to apply the image.
- **Windows Update.** Connects to a WSUS server and updates the machine.
- **Gather**: Reads configuration settings from the deployment server.
- **Format and Partition**: Creates the partition(s) and formats them.
- **Inject Drivers**: Finds out which drivers the machine needs and downloads them from the central driver repository.
- **Apply Operating System**: Applies the Windows image.
- **Windows Update**: Connects to a WSUS server and updates the machine.
## Task sequence templates
MDT comes with nine default task sequence templates. You can also create your own templates. As long as you store them in the Templates folder, they'll be available when you create a new task sequence.
- **Sysprep and Capture task sequence.** Used to run the System Preparation (Sysprep) tool and capture an image of a reference computer.
- **Sysprep and Capture task sequence**: Used to run the System Preparation (Sysprep) tool and capture an image of a reference computer.
> [!NOTE]
> It's preferable to use a complete build and capture instead of the Sysprep and Capture task sequence. A complete build and capture can be automated, whereas Sysprep and Capture can't.
- **Standard Client task sequence.** The most frequently used task sequence. Used for creating reference images and for deploying clients in production.
- **Standard Client Replace task sequence.** Used to run User State Migration Tool (USMT) backup and the optional full Windows Imaging (WIM) backup action. Can also be used to do a secure wipe of a machine that is going to be decommissioned.
- **Custom task sequence.** As the name implies, a custom task sequence with only one default action (one Install Application action).
- **Standard Server task sequence.** The default task sequence for deploying operating system images to servers. The main difference between this template and the Standard Client task sequence template is that it doesn't contain any USMT actions because USMT isn't supported on servers.
- **Lite Touch OEM task sequence.** Used to preload operating systems images on the computer hard drive. Typically used by computer original equipment manufacturers (OEMs) but some enterprise organizations also use this feature.
- **Post OS Installation task sequence.** A task sequence prepared to run actions after the operating system has been deployed. Useful for server deployments but not often used for client deployments.
- **Deploy to VHD Client task sequence.** Similar to the Standard Client task sequence template but also creates a virtual hard disk (VHD) file on the target computer and deploys the image to the VHD file.
- **Deploy to VHD Server task sequence.** Same as the Deploy to VHD Client task sequence but for servers.
- **Standard Client Upgrade task sequence.** A simple task sequence template used to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 directly to Windows 10, automatically preserving existing data, settings, applications, and drivers.
- **Standard Client task sequence**: The most frequently used task sequence. Used for creating reference images and for deploying clients in production.
- **Standard Client Replace task sequence**: Used to run User State Migration Tool (USMT) backup and the optional full Windows Imaging (WIM) backup action. Can also be used to do a secure wipe of a machine that is going to be decommissioned.
- **Custom task sequence**: As the name implies, a custom task sequence with only one default action (one Install Application action).
- **Standard Server task sequence**: The default task sequence for deploying operating system images to servers. The main difference between this template and the Standard Client task sequence template is that it doesn't contain any USMT actions because USMT isn't supported on servers.
- **Lite Touch OEM task sequence**: Used to preload operating systems images on the computer hard drive. Typically used by computer original equipment manufacturers (OEMs) but some enterprise organizations also use this feature.
- **Post OS Installation task sequence**: A task sequence prepared to run actions after the operating system has been deployed. Useful for server deployments but not often used for client deployments.
- **Deploy to VHD Client task sequence**: Similar to the Standard Client task sequence template but also creates a virtual hard disk (VHD) file on the target computer and deploys the image to the VHD file.
- **Deploy to VHD Server task sequence**: Same as the Deploy to VHD Client task sequence but for servers.
- **Standard Client Upgrade task sequence**: A simple task sequence template used to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 directly to Windows 10, automatically preserving existing data, settings, applications, and drivers.
## Selection profiles
Selection profiles, which are available in the Advanced Configuration node, provide a way to filter content in the Deployment Workbench. Selection profiles are used for several purposes in the Deployment Workbench and in Lite Touch deployments. For example, they can be used to:
- Control which drivers and packages are injected into the Lite Touch (and generic) boot images.
- Control which drivers are injected during the task sequence.
- Control what is included in any media that you create.
@ -161,8 +191,8 @@ Selection profiles, which are available in the Advanced Configuration node, prov
MDT uses many log files during operating system deployments. By default the logs are client side, but by configuring the deployment settings, you can have MDT store them on the server, as well.
**Note**
The easiest way to view log files is to use Configuration Manager Trace (CMTrace), which is included in the [Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717).
> [!NOTE]
> The easiest way to view log files is to use Configuration Manager Trace (CMTrace), which is included in the [Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717).
## Monitoring
@ -170,4 +200,4 @@ On the deployment share, you also can enable monitoring. After you enable monito
## See next
[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
- [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)

100
windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
View File

@ -11,12 +11,13 @@ ms.topic: article
ms.technology: itpro-deploy
ms.collection:
- highpri
ms.date: 10/28/2022
ms.date: 11/28/2022
---
# Prepare for deployment with MDT
**Applies to**
**Applies to:**
- Windows 10
This article will walk you through the steps necessary to prepare your network and server infrastructure to deploy Windows 10 with the Microsoft Deployment Toolkit (MDT). It covers the installation of the necessary system prerequisites, the creation of shared folders and service accounts, and the configuration of security permissions in the file system and in Active Directory.
@ -28,12 +29,17 @@ The procedures in this guide use the following names and infrastructure.
### Network and servers
For the purposes of this article, we'll use three server computers: **DC01**, **MDT01**, and **HV01**.
- All servers are running Windows Server 2019.
- You can use an earlier version of Windows Server with minor modifications to some procedures.
- Note: Although MDT supports Windows Server 2008 R2, at least Windows Server 2012 R2 or later is required to perform the procedures in this guide.
- **DC01** is a domain controller, DHCP server, and DNS server for <b>contoso.com</b>, representing the fictitious Contoso Corporation.
- **DC01** is a domain controller, DHCP server, and DNS server for **contoso.com**, representing the fictitious Contoso Corporation.
- **MDT01** is a domain member server in contoso.com with a data (D:) drive that can store at least 200 GB. MDT01 will host deployment shares and run the Windows Deployment Service. Optionally, MDT01 is also a WSUS server.
- A second MDT server (**MDT02**) configured identically to MDT01 is optionally used to [build a distributed environment](build-a-distributed-environment-for-windows-10-deployment.md) for Windows 10 deployment. This server is located on a different subnet than MDT01 and has a different default gateway.
- **HV01** is a Hyper-V host computer that is used to build a Windows 10 reference image.
- See [Hyper-V requirements](#hyper-v-requirements) below for more information about HV01.
@ -42,11 +48,15 @@ For the purposes of this article, we'll use three server computers: **DC01**, **
Several client computers are referenced in this guide with hostnames of PC0001 to PC0007.
- **PC0001**: A computer running Windows 10 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain.
- Client name: PC0001
- IP Address: DHCP
- **PC0002**: A computer running Windows 7 SP1 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain. This computer is referenced during the migration scenarios.
- Client name: PC0002
- IP Address: DHCP
- **PC0003 - PC0007**: These are other client computers similar to PC0001 and PC0002 that are used in this guide and another guide for various scenarios. The device names are incremented for clarity within each scenario. For example, PC0003 and PC0004 are running Windows 7 just like PC0002, but are used for Configuration Manager refresh and replace scenarios, respectively.
### Storage requirements
@ -65,9 +75,9 @@ All server and client computers referenced in this guide are on the same subnet.
The following generic credentials are used in this guide. You should replace these credentials as they appear in each procedure with your credentials.
**Active Directory domain name**: contoso.com<br>
**Domain administrator username**: administrator<br>
**Domain administrator password**: pass@word1
- **Active Directory domain name**: contoso.com
- **Domain administrator username**: administrator
- **Domain administrator password**: pass@word1
### Organizational unit structure
@ -82,22 +92,28 @@ These steps assume that you have the MDT01 member server running and configured
On **MDT01**:
Visit the [Download and install the Windows ADK](/windows-hardware/get-started/adk-install) page and download the following items to the **D:\\Downloads\\ADK** folder on MDT01 (you'll need to create this folder):
- [The Windows ADK for Windows 10](https://go.microsoft.com/fwlink/?linkid=2086042)
- [The Windows PE add-on for the ADK](https://go.microsoft.com/fwlink/?linkid=2087112)
- [The Windows System Image Manager (WSIM) 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334)
- (Optional) [The MDT_KB4564442 patch for BIOS firmware](https://download.microsoft.com/download/3/0/6/306AC1B2-59BE-43B8-8C65-E141EF287A5E/KB4564442/MDT_KB4564442.exe)
- This patch is needed to resolve a bug that causes detection of BIOS-based machines as UEFI-based machines. If you have a UEFI deployment, you don't need this patch.
>[!TIP]
>You might need to temporarily disable IE Enhanced Security Configuration for administrators in order to download files from the Internet to the server. This setting can be disabled by using Server Manager (Local Server/Properties).
> [!TIP]
> You might need to temporarily disable IE Enhanced Security Configuration for administrators in order to download files from the Internet to the server. This setting can be disabled by using Server Manager (Local Server/Properties).
1. On **MDT01**, ensure that you're signed in as an administrator in the CONTOSO domain.
- For the purposes of this guide, we're using a Domain Admin account of **administrator** with a password of <b>pass@word1</b>. You can use your own administrator username and password as long as you properly adjust all steps in this guide that use these login credentials.
- For the purposes of this guide, we're using a Domain Admin account of **administrator** with a password of **pass@word1**. You can use your own administrator username and password as long as you properly adjust all steps in this guide that use these login credentials.
2. Start the **ADK Setup** (D:\\Downloads\\ADK\\adksetup.exe), select **Next** twice to accept the default installation parameters, select **Accept** to accept the license agreement, and then on the **Select the features you want to install** page accept the default list of features by clicking **Install**. This will install deployment tools and the USMT. Verify that the installation completes successfully before moving to the next step.
3. Start the **WinPE Setup** (D:\\Downloads\\ADK\\adkwinpesetup.exe), select **Next** twice to accept the default installation parameters, select **Accept** to accept the license agreement, and then on the **Select the features you want to install** page select **Install**. This will install Windows PE for x86, AMD64, ARM, and ARM64. Verify that the installation completes successfully before moving to the next step.
4. Extract the **WSIM 1903 update** (D:\\Downloads\ADK\\WSIM1903.zip) and then run the **UpdateWSIM.bat** file.
- You can confirm that the update is applied by viewing properties of the ImageCat.exe and ImgMgr.exe files at **C:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM** and verifying that the **Details** tab displays a **File version** of **10.0.18362.144** or later.
5. If you downloaded the optional MDT_KB4564442 patch for BIOS based deployment, see [this support article](https://support.microsoft.com/en-us/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7) for instructions on how to install the patch.
5. If you downloaded the optional MDT_KB4564442 patch for BIOS based deployment, see [this support article](https://support.microsoft.com/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7) for instructions on how to install the patch.
## Install and initialize Windows Deployment Services (WDS)
@ -107,8 +123,8 @@ On **MDT01**:
```powershell
Install-WindowsFeature -Name WDS -IncludeManagementTools
WDSUTIL /Verbose /Progress /Initialize-Server /Server:MDT01 /RemInst:"D:\RemoteInstall"
WDSUTIL /Set-Server /AnswerClients:All
WDSUTIL.exe /Verbose /Progress /Initialize-Server /Server:MDT01 /RemInst:"D:\RemoteInstall"
WDSUTIL.exe /Set-Server /AnswerClients:All
```
## Optional: Install Windows Server Update Services (WSUS)
@ -117,26 +133,32 @@ If you wish to use MDT as a WSUS server using the Windows Internal Database (WID
To install WSUS on MDT01, enter the following at an elevated Windows PowerShell prompt:
```powershell
Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services, UpdateServices-RSAT, UpdateServices-API, UpdateServices-UI
cmd /c "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=C:\WSUS
```
```powershell
Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services, UpdateServices-RSAT, UpdateServices-API, UpdateServices-UI
"C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=C:\WSUS
```
>To use the WSUS that you have installed on MDT01, you must also [configure Group Policy](../update/waas-manage-updates-wsus.md#configure-automatic-updates-and-update-service-location) on DC01 and perform the neccessary post-installation configuration of WSUS on MDT01.
> [!NOTE]
> To use the WSUS that you have installed on MDT01, you must also [configure Group Policy](../update/waas-manage-updates-wsus.md#configure-automatic-updates-and-update-service-location) on DC01 and perform the necessary post-installation configuration of WSUS on MDT01.
## Install MDT
>[!NOTE]
>MDT installation requires the following:
>- The Windows ADK for Windows 10 (installed in the previous procedure)
>- Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; type **$host** to check)
>- Microsoft .NET Framework
> [!NOTE]
> MDT installation requires the following:
>
> - The Windows ADK for Windows 10 (installed in the previous procedure)
> - Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; enter `$host` to check)
> - Microsoft .NET Framework
On **MDT01**:
1. Visit the [MDT resource page](/mem/configmgr/mdt/) and select **Download MDT**.
2. Save the **MicrosoftDeploymentToolkit_x64.msi** file to the D:\\Downloads\\MDT folder on MDT01.
- **Note**: As of the publishing date for this guide, the current version of MDT is 8456 (6.3.8456.1000), but a later version will also work.
> [!NOTE]
> As of the publishing date for this guide, the current version of MDT is 8456 (6.3.8456.1000), but a later version will also work.
3. Install **MDT** (D:\\Downloads\\MDT\\MicrosoftDeploymentToolkit_x64.exe) with the default settings.
## Create the OU structure
@ -187,19 +209,26 @@ To use the Active Directory Users and Computers console (instead of PowerShell):
On **DC01**:
1. Using the Active Directory Users and Computers console (dsa.msc), in the contoso.com domain level, create a top-level OU named **Contoso**.
2. In the **Contoso** OU, create the following OUs:
1. Accounts
2. Computers
3. Groups
- Accounts
- Computers
- Groups
3. In the **Contoso / Accounts** OU, create the following underlying OUs:
1. Admins
2. Service Accounts
3. Users
- Admins
- Service Accounts
- Users
4. In the **Contoso / Computers** OU, create the following underlying OUs:
1. Servers
2. Workstations
- Servers
- Workstations
5. In the **Contoso / Groups** OU, create the following OU:
1. Security Groups
- Security Groups
The final result of either method is shown below. The **MDT_BA** account will be created next.
@ -212,6 +241,7 @@ To create an MDT build account, open an elevated Windows PowerShell prompt on DC
```powershell
New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true
```
If you have the Active Directory Users and Computers console open you can refresh the view and see this new account in the **Contoso\Accounts\Service Accounts** OU as shown in the screenshot above.
## Create and share the logs folder
@ -221,6 +251,7 @@ By default MDT stores the log files locally on the client. In order to capture a
On **MDT01**:
1. Sign in as **CONTOSO\\administrator**.
2. Create and share the **D:\\Logs** folder by running the following commands in an elevated Windows PowerShell prompt:
```powershell
@ -252,8 +283,9 @@ When you've completed all the steps in this section to prepare for deployment, s
## Appendix
**Sample files**
### Sample files
The following sample files are also available to help automate some MDT deployment tasks. This guide doesn't use these files, but they're made available here so you can see how some tasks can be automated with Windows PowerShell.
- [Set-OUPermissions.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619362). This sample Windows PowerShell script creates a domain account and then configures OU permissions to allow the account to join machines to the domain in the specified OU.
- [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT.

68
windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
View File

@ -9,17 +9,19 @@ ms.localizationpriority: medium
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
ms.date: 10/28/2022
ms.date: 11/28/2022
---
# Refresh a Windows 7 computer with Windows 10
**Applies to**
**Applies to:**
- Windows 10
This article will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the online computer refresh process. The computer refresh scenario is a reinstallation of an updated operating system on the same computer. You can also use this procedure to reinstall the same OS version. In this article, the computer refresh will be done while the computer is online. MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property on the [MDT resource page](/mem/configmgr/mdt/).
For the purposes of this article, we'll use three computers: DC01, MDT01, and PC0001.
- DC01 is a domain controller for the contoso.com domain.
- MDT01 is domain member server that hosts your deployment share.
- PC0001 is a domain member computer running a previous version of Windows that is going to be refreshed to a new version of Windows 10, with data and settings restored. The example used here is a computer running Windows 7 SP1.
@ -27,7 +29,6 @@ For the purposes of this article, we'll use three computers: DC01, MDT01, and PC
Both DC01 and MDT01 are running Windows Server 2019; however any supported version of Windows Server can be used. For more information on the setup for this article, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
![computers.](../images/mdt-04-fig01.png "Computers used in this topic")
The computers used in this article.
## The computer refresh process
@ -44,17 +45,17 @@ For a computer refresh with MDT, you use the User State Migration Tool (USMT), w
During the computer refresh, USMT uses a feature called Hard-Link Migration Store. When you use this feature, the files are linked in the file system, which allows for fast migration, even when there's many files.
>[!NOTE]
>In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file contains the entire volume from the computer and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire computer is not a supported scenario.
> [!NOTE]
> In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file contains the entire volume from the computer and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire computer is not a supported scenario.
### Multi-user migration
By default, ScanState in USMT backs up all profiles on the machine, including local computer profiles. If you have a computer that has been in your environment for a while, it likely has several domain-based profiles on it, including those of former users. You can limit which profiles are backed up by configuring command-line switches to ScanState (added as rules in MDT).
For example, the following line configures USMT to migrate only domain user profiles and not profiles from the local SAM account database: ScanStateArgs=/ue:\*\\\* /ui:CONTOSO\\\*
For example, the following line configures USMT to migrate only domain user profiles and not profiles from the local SAM account database: `ScanStateArgs=/ue:*\* /ui:CONTOSO\*`
>[!NOTE]
>You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days.
> [!NOTE]
> You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days.
### Support for additional settings
@ -76,41 +77,46 @@ It's also assumed that you have a domain member client computer named PC0001 in
### Upgrade (refresh) a Windows 7 SP1 client
>[!IMPORTANT]
>Domain join details [specified in the deployment share rules](deploy-a-windows-10-image-using-mdt.md#configure-the-rules) will be used to rejoin the computer to the domain during the refresh process. If the Windows 7 client is domain-jonied in a different OU than the one specified by MachineObjectOU, the domain join process will initially fail and then retry without specifying an OU. If the domain account that is specified (ex: **MDT_JD**) has [permissions limited to a specific OU](deploy-a-windows-10-image-using-mdt.md#step-1-configure-active-directory-permissions) then the domain join will ultimately fail, the refresh process will proceed, and the client computer object will be orphaned in Active Directory. In the current guide, computer objects should be located in Contoso > Computers > Workstations. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. To diagnose MDT domain join errors, see **ZTIDomainJoin.log** in the C:\Windows\Temp\DeploymentLogs directory on the client computer.
> [!IMPORTANT]
> Domain join details [specified in the deployment share rules](deploy-a-windows-10-image-using-mdt.md#configure-the-rules) will be used to rejoin the computer to the domain during the refresh process. If the Windows 7 client is domain-jonied in a different OU than the one specified by MachineObjectOU, the domain join process will initially fail and then retry without specifying an OU. If the domain account that is specified (ex: **MDT_JD**) has [permissions limited to a specific OU](deploy-a-windows-10-image-using-mdt.md#step-1-configure-active-directory-permissions) then the domain join will ultimately fail, the refresh process will proceed, and the client computer object will be orphaned in Active Directory. In the current guide, computer objects should be located in **Contoso** > **Computers** > **Workstations**. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. To diagnose MDT domain join errors, see **ZTIDomainJoin.log** in the C:\Windows\Temp\DeploymentLogs directory on the client computer.
1. On PC0001, sign in as **contoso\\Administrator** and start the Lite Touch Deploy Wizard by opening **\\\\MDT01\\MDTProduction$\\Scripts\\Litetouch.vbs**.
2. Complete the deployment guide using the following settings:
* Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image
* Computer name: &lt;default&gt;
* Specify where to save a complete computer backup: Don't back up the existing computer
>[!NOTE]
>Skip this optional full WIM backup that we are choosing not to perform. The USMT backup will still run.
* Select one or more applications to install: Install - Adobe Reader
- Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image
- **Computer name**: *\<default\>*
- **Specify where to save a complete computer backup**: Don't back up the existing computer
> [!NOTE]
> Skip this optional full WIM backup that we are choosing not to perform. The USMT backup will still run.
- **Select one or more applications to install**: Install - Adobe Reader
![Computer refresh.](../images/fig2-taskseq.png "Start the computer refresh")
4. Setup starts and performs the following actions:
3. Setup starts and performs the following actions:
* Backs up user settings and data using USMT.
* Installs the Windows 10 Enterprise x64 operating system.
* Installs any added applications.
* Updates the operating system using your local Windows Server Update Services (WSUS) server.
* Restores user settings and data using USMT.
- Backs up user settings and data using USMT.
- Installs the Windows 10 Enterprise x64 operating system.
- Installs any added applications.
- Updates the operating system using your local Windows Server Update Services (WSUS) server.
- Restores user settings and data using USMT.
5. You can monitor progress of the deployment using the deployment workbench on MDT01. See the following example:
4. You can monitor progress of the deployment using the deployment workbench on MDT01. See the following example:
![monitor deployment.](../images/monitor-pc0001.png)
6. After the refresh process completes, sign in to the Windows 10 computer and verify that user accounts, data and settings were migrated.
5. After the refresh process completes, sign in to the Windows 10 computer and verify that user accounts, data and settings were migrated.
## Related articles
[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)<br>
[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)<br>
[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)<br>
[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)<br>
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)<br>
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)<br>
[Configure MDT settings](configure-mdt-settings.md)
- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
- [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
- [Configure MDT settings](configure-mdt-settings.md)

96
windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
View File

@ -10,17 +10,19 @@ ms.localizationpriority: medium
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
ms.date: 10/28/2022
ms.date: 11/28/2022
---
# Replace a Windows 7 computer with a Windows 10 computer
**Applies to**
**Applies to:**
- Windows 10
A computer replace scenario for Windows 10 is similar to a computer refresh for Windows 10. However, because you're replacing a device, you can't store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it. The User State Migration Tool (USMT) will be used to back up and restore data and settings.
For the purposes of this article, we'll use four computers: DC01, MDT01, PC0002, and PC0007.
- DC01 is a domain controller for the contoso.com domain.
- MDT01 is domain member server that hosts your deployment share.
- PC0002 is an old computer running Windows 7 SP1 that will be replaced by PC0007.
@ -29,7 +31,6 @@ For the purposes of this article, we'll use four computers: DC01, MDT01, PC0002,
For more details on the setup for this article, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
![The computers used in this topic.](../images/mdt-03-fig01.png)
The computers used in this article.
>HV01 is also used in this topic to host the PC0007 virtual machine for demonstration purposes, however typically PC0007 is a physical computer.
@ -43,7 +44,9 @@ The computers used in this article.
On **MDT01**:
1. Open the Deployment Workbench, under **Deployment Shares** right-click **MDT Production**, select **Properties**, and then select the **Rules** tab.
2. Change the **SkipUserData=YES** option to **NO**, and select **OK**.
3. Right-click on **MDT Production** and select **Update Deployment Share**. Then select **Next**, **Next**, and **Finish** to complete the Update Deployment Share Wizard with the default settings.
### Create and share the MigData folder
@ -51,23 +54,25 @@ On **MDT01**:
On **MDT01**:
1. Create and share the **D:\\MigData** folder by running the following three commands in an elevated Windows PowerShell prompt:
``` powershell
```powershell
New-Item -Path D:\MigData -ItemType directory
New-SmbShare -Name MigData$ -Path D:\MigData -ChangeAccess EVERYONE
icacls D:\MigData /grant '"MDT_BA":(OI)(CI)(M)'
```
### Create a backup only (replace) task sequence
2. In Deployment Workbench, under the **MDT Production** deployment share, select the **Task Sequences** node and create a new folder named **Other**.
### Create a backup only (replace) task sequence
3. Right-click the **Other** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
1. In Deployment Workbench, under the **MDT Production** deployment share, select the **Task Sequences** node and create a new folder named **Other**.
* Task sequence ID: REPLACE-001
* Task sequence name: Backup Only Task Sequence
* Task sequence comments: Run USMT to back up user data and settings
* Template: Standard Client Replace Task Sequence
2. Right-click the **Other** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
4. In the **Other** folder, double-click **Backup Only Task Sequence**, and then in the **Task Sequence** tab, review the sequence. Notice that it only contains a subset of the normal client task sequence actions.
- Task sequence ID: REPLACE-001
- Task sequence name: Backup Only Task Sequence
- Task sequence comments: Run USMT to back up user data and settings
- Template: Standard Client Replace Task Sequence
3. In the **Other** folder, double-click **Backup Only Task Sequence**, and then in the **Task Sequence** tab, review the sequence. Notice that it only contains a subset of the normal client task sequence actions.
![The Backup Only Task Sequence action list.](../images/mdt-03-fig02.png "The Backup Only Task Sequence action list")
@ -78,6 +83,7 @@ On **MDT01**:
During a computer replace, the following are the high-level steps that occur:
1. On the computer you're replacing, a special replace task sequence runs the USMT backup and, if you configured it, runs the optional full Windows Imaging (WIM) backup.
2. On the new computer, you perform a standard bare-metal deployment. At the end of the bare-metal deployment, the USMT backup from the old computer is restored.
### Run the replace task sequence
@ -85,28 +91,30 @@ During a computer replace, the following are the high-level steps that occur:
On **PC0002**:
1. Sign in as **CONTOSO\\Administrator** and verify that you have write access to the **\\\\MDT01\\MigData$** share.
2. Run **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**.
3. Complete the Windows Deployment Wizard using the following settings:
1. Select a task sequence to execute on this computer: Backup Only Task Sequence
* Specify where to save your data and settings: Specify a location
* Location: \\\\MDT01\\MigData$\\PC0002
3. Complete the **Windows Deployment Wizard** using the following settings:
>[!NOTE]
>If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead.
- **Select a task sequence to execute on this computer**: Backup Only Task Sequence
2. Specify where to save a complete computer backup: Don't back up the existing computer
- **Specify where to save your data and settings**: Specify a location
- **Location**: \\\\MDT01\\MigData$\\PC0002
> [!NOTE]
> If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead.
- **Specify where to save a complete computer backup**: Don't back up the existing computer
The task sequence will now run USMT (Scanstate.exe) to capture user data and settings of the computer.
![The new task sequence.](../images/mdt-03-fig03.png "The new task sequence")
The new task sequence running the Capture User State action on PC0002.
4. On **MDT01**, verify that you have a USMT.MIG compressed backup file in the **D:\\MigData\\PC0002\\USMT** folder.
![The USMT backup.](../images/mdt-03-fig04.png "The USMT backup")
The USMT backup of PC0002.
### Deploy the replacement computer
@ -117,12 +125,12 @@ On **HV01**:
1. Create a virtual machine with the following settings:
* Name: PC0007
* Location: C:\\VMs
* Generation: 2
* Memory: 2048 MB
* Hard disk: 60 GB (dynamic disk)
* Install an operating system from a network-based installation server
- **Name**: PC0007
- **Location**: C:\\VMs
- **Generation**: 2
- **Memory**: 2048 MB
- **Hard disk**: 60 GB (dynamic disk)
- Install an operating system from a network-based installation server
2. Start the PC0007 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The VM will now load the Windows PE boot image from MDT01 (or MDT02 if at a remote site).
@ -132,20 +140,20 @@ On **HV01**:
3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings:
* Select a task sequence to execute on this computer:
* Windows 10 Enterprise x64 RTM Custom Image
* Computer Name: PC0007
* Move Data and Settings: Don't move user data and settings.
* User Data (Restore) > Specify a location: \\\\MDT01\\MigData$\\PC0002
* Applications: Adobe > Install - Adobe Reader
- Select a task sequence to execute on this computer:
- Windows 10 Enterprise x64 RTM Custom Image
- **Computer Name**: PC0007
- **Move Data and Settings**: Don't move user data and settings.
- **User Data (Restore)** > **Specify a location**: \\\\MDT01\\MigData$\\PC0002
- **Applications**: Adobe > Install - Adobe Reader
4. Setup now starts and does the following actions:
* Partitions and formats the disk.
* Installs the Windows 10 Enterprise operating system.
* Installs the application.
* Updates the operating system via your local Windows Server Update Services (WSUS) server.
* Restores the USMT backup from PC0002.
- Partitions and formats the disk.
- Installs the Windows 10 Enterprise operating system.
- Installs the application.
- Updates the operating system via your local Windows Server Update Services (WSUS) server.
- Restores the USMT backup from PC0002.
You can view progress of the process by clicking the Monitoring node in the Deployment Workbench on MDT01.
@ -153,9 +161,9 @@ You can view progress of the process by clicking the Monitoring node in the Depl
## Related articles
[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)<br>
[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)<br>
[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)<br>
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)<br>
[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)<br>
[Configure MDT settings](configure-mdt-settings.md)
- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
- [Configure MDT settings](configure-mdt-settings.md)

65
windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
View File

@ -10,7 +10,7 @@ author: frankroj
ms.topic: article
ms.custom: seo-marvel-mar2020
ms.technology: itpro-deploy
ms.date: 10/28/2022
ms.date: 11/28/2022
---
# Set up MDT for BitLocker
@ -18,6 +18,7 @@ ms.date: 10/28/2022
This article will show you how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. BitLocker in Windows 10 has two requirements in regard to an operating system deployment:
- A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password. Technically, you can also use a USB stick to store the protector, but it's not a practical approach as the USB stick can be lost or stolen. We, therefore, recommend that you instead use a TPM chip and/or a password.
- Multiple partitions on the hard drive.
To configure your environment for BitLocker, you'll need to do the following actions:
@ -29,10 +30,8 @@ To configure your environment for BitLocker, you'll need to do the following act
> [!NOTE]
> Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery password in Active Directory. For more information about this feature, see [Backing Up BitLocker and TPM Recovery Information to AD DS](/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds).
If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
> [!NOTE]
> Backing up TPM to Active Directory was supported only on Windows 10 version 1507 and 1511.
>
> If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
For the purposes of this article, we'll use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more information on the setup for this article, see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md).
@ -54,18 +53,24 @@ The BitLocker Recovery information on a computer object in the contoso.com domai
The BitLocker Drive Encryption Administration Utilities are added as features via Server Manager (or Windows PowerShell):
1. On DC01, log on as **CONTOSO\\Administrator**, and, using Server Manager, select **Add roles and features**.
2. On the **Before you begin** page, select **Next**.
3. On the **Select installation type** page, select **Role-based or feature-based installation**, and select **Next**.
4. On the **Select destination server** page, select **DC01.contoso.com** and select **Next**.
5. On the **Select server roles** page, select **Next**.
6. On the **Select features** page, expand **Remote Server Administration Tools**, expand **Feature Administration Tools**, select the following features, and then select **Next**:
1. BitLocker Drive Encryption Administration Utilities
2. BitLocker Drive Encryption Tools
3. BitLocker Recovery Password Viewer
7. On the **Confirm installation selections** page, select **Install**, and then select **Close**.
![figure 3.](../images/mdt-09-fig03.png)
Selecting the BitLocker Drive Encryption Administration Utilities.
### Create the BitLocker Group Policy
@ -73,32 +78,41 @@ Selecting the BitLocker Drive Encryption Administration Utilities.
Following these steps, you enable the backup of BitLocker and TPM recovery information to Active Directory. You also enable the policy for the TPM validation profile.
1. On DC01, using Group Policy Management, right-click the **Contoso** organizational unit (OU), and select **Create a GPO in this domain, and Link it here**.
2. Assign the name **BitLocker Policy** to the new Group Policy.
3. Expand the **Contoso** OU, right-click the **BitLocker Policy**, and select **Edit**. Configure the following policy settings:
Computer Configuration / Policies / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives
3. Expand the **Contoso** OU, right-click the **BitLocker Policy**, and select **Edit**. Configure the following policy settings found under **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives**
1. Enable the **Choose how BitLocker-protected operating system drives can be recovered** policy, and configure the following settings:
1. Allow data recovery agent (default)
2. Save BitLocker recovery information to Active Directory Domain Services (default)
3. Don't enable BitLocker until recovery information is stored in AD DS for operating system drives
- Allow data recovery agent (default)
- Save BitLocker recovery information to Active Directory Domain Services (default)
- Don't enable BitLocker until recovery information is stored in AD DS for operating system drives
2. Enable the **Configure TPM platform validation profile for BIOS-based firmware configurations** policy.
3. Enable the **Configure TPM platform validation profile for native UEFI firmware configurations** policy.
> [!NOTE]
> If you consistently get the error "Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system." after encrypting a computer with BitLocker, you might have to change the various "Configure TPM platform validation profile" Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using.
> If you consistently get the error:
>
> **Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system.**
>
> after encrypting a computer with BitLocker, you might have to change the various **Configure TPM platform validation profile** Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using.
### Set permissions in Active Directory for BitLocker
In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you've downloaded the [Add-TPMSelfWriteACE.vbs script](https://raw.githubusercontent.com/DeploymentArtist/DF4/master/BitLocker%20and%20TPM/Add-TPMSelfWriteACE.vbs) to C:\\Setup\\Scripts on DC01.
1. On DC01, start an elevated PowerShell prompt (run as Administrator).
2. Configure the permissions by running the following command:
```dos
cscript C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs
```cmd
cscript.exe C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs
```
![figure 4.](../images/mdt-09-fig04.png)
Running the Add-TPMSelfWriteACE.vbs script on DC01.
## Add BIOS configuration tools from Dell, HP, and Lenovo
@ -113,7 +127,7 @@ If you want to automate enabling the TPM chip as part of the deployment process,
The HP tools are part of HP System Software Manager. The executable file from HP is named BiosConfigUtility.exe. This utility uses a configuration file for the BIOS settings. Here's a sample command to enable TPM and set a BIOS password using the BiosConfigUtility.exe tool:
```dos
```cmd
BIOSConfigUtility.EXE /SetConfig:TPMEnable.REPSET /NewAdminPassword:Password1234
```
@ -135,7 +149,7 @@ Embedded Security Device Availability
The Lenovo tools are a set of VBScripts available as part of the Lenovo BIOS Setup using Windows Management Instrumentation Deployment Guide. Lenovo also provides a separate download of the scripts. Here's a sample command to enable TPM using the Lenovo tools:
```dos
```cmd
cscript.exe SetConfig.vbs SecurityChip Active
```
@ -146,21 +160,24 @@ When configuring a task sequence to run any BitLocker tool, either directly or u
In the following task sequence, we added five actions:
- **Check TPM Status.** Runs the ZTICheckforTPM.wsf script to determine if TPM is enabled. Depending on the status, the script will set the TPMEnabled and TPMActivated properties to either true or false.
- **Configure BIOS for TPM.** Runs the vendor tools (in this case, HP, Dell, and Lenovo). To ensure this action is run only when necessary, add a condition so the action is run only when the TPM chip isn't already activated. Use the properties from the ZTICheckforTPM.wsf.
> [!NOTE]
> It is common for organizations to wrap these tools in scripts to get additional logging and error handling.
- **Restart computer.** Self-explanatory, reboots the computer.
- **Check TPM Status.** Runs the ZTICheckforTPM.wsf script one more time.
- **Enable BitLocker.** Runs the built-in action to activate BitLocker.
## Related articles
[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)<br>
[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)<br>
[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)<br>
[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)<br>
[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)<br>
[Use web services in MDT](use-web-services-in-mdt.md)<br>
[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
- [Use web services in MDT](use-web-services-in-mdt.md)
- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)

43
windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
View File

@ -9,7 +9,7 @@ ms.localizationpriority: medium
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
ms.date: 10/28/2022
ms.date: 11/28/2022
---
# Simulate a Windows 10 deployment in a test environment
@ -19,7 +19,9 @@ This article will walk you through the process of creating a simulated environme
## Test environment
- A Windows 10 client named **PC0001** will be used to simulate deployment. The client is joined to the contoso.com domain and has access to the Internet to required download tools and scripts.
- It's assumed that you've performed (at least) the following procedures so that you have an MDT service account and an MDT production deployment share:
- [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
@ -29,6 +31,7 @@ This article will walk you through the process of creating a simulated environme
On **PC0001**:
1. Sign as **contoso\\Administrator**.
2. Copy the following to a PowerShell script named gather.ps1 and copy it to a directory named **C:\MDT** on PC0001.
```powershell
@ -48,15 +51,22 @@ On **PC0001**:
```
3. Download and install the free [Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717) on PC0001 so that you have access to the Configuration Manager Trace (cmtrace.exe) tool.
4. Using Local Users and Groups (lusrmgr.msc), add the **contoso\\MDT\_BA** user account to the local **Administrators** group.
5. Sign off, and then sign on to PC0001 as **contoso\\MDT\_BA**.
6. Open the **\\\\MDT01\\MDTProduction$\\Scripts** folder and copy the following files to **C:\\MDT**:
1. ZTIDataAccess.vbs
2. ZTIGather.wsf
3. ZTIGather.xml
4. ZTIUtility.vbs
- ZTIDataAccess.vbs
- ZTIGather.wsf
- ZTIGather.xml
- ZTIUtility.vbs
7. From the **\\\\MDT01\\MDTProduction$\\Control** folder, copy the CustomSettings.ini file to **C:\\MDT**.
8. In the **C:\\MDT** folder, create a subfolder named **X64**.
9. From the **\\\\MDT01\\MDTProduction$\\Tools\\X64** folder, copy the Microsoft.BDD.Utility.dll file to **C:\\MDT\\X64**.
![files.](../images/mdt-09-fig06.png)
@ -64,16 +74,19 @@ On **PC0001**:
The C:\\MDT folder with the files added for the simulation environment.
10. Type the following at an elevated Windows PowerShell prompt:
``` powershell
```powershell
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force
Set-Location C:\MDT
.\Gather.ps1
```
When prompted, press **R** to run the gather script.
11. Review the ZTIGather.log in the **C:\\MININT\\SMSOSD\\OSDLOGS** folder using CMTrace.
**Note**
Warnings or errors regarding the Wizard.hta are expected. If the log file looks okay, you're ready to try a real deployment.
> [!NOTE]
> Warnings or errors regarding the Wizard.hta are expected. If the log file looks okay, you're ready to try a real deployment.
![ztigather.](../images/mdt-09-fig07.png)
@ -81,10 +94,10 @@ On **PC0001**:
## Related articles
[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)<br>
[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)<br>
[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)<br>
[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)<br>
[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)<br>
[Use web services in MDT](use-web-services-in-mdt.md)<br>
[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
- [Use web services in MDT](use-web-services-in-mdt.md)
- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)

68
windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
View File

@ -9,18 +9,19 @@ ms.localizationpriority: medium
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
ms.date: 10/28/2022
ms.date: 11/28/2022
---
# Perform an in-place upgrade to Windows 10 with MDT
**Applies to**
**Applies to:**
- Windows 10
The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade.
>[!TIP]
>In-place upgrade is the preferred method to use when migrating from Windows 10 to a later release of Windows 10, and is also a preferred method for upgrading from Windows 7 or 8.1 if you do not plan to significantly change the device's configuration or applications. MDT includes an in-place upgrade task sequence template that makes the process really simple.
> [!TIP]
> In-place upgrade is the preferred method to use when migrating from Windows 10 to a later release of Windows 10, and is also a preferred method for upgrading from Windows 7 or 8.1 if you do not plan to significantly change the device's configuration or applications. MDT includes an in-place upgrade task sequence template that makes the process really simple.
In-place upgrade differs from [computer refresh](refresh-a-windows-7-computer-with-windows-10.md) in that you can't use a custom image to perform the in-place upgrade. In this article, we'll add a default Windows 10 image to the production deployment share specifically to perform an in-place upgrade.
@ -31,39 +32,50 @@ Three computers are used in this article: DC01, MDT01, and PC0002.
- PC0002 is a domain member computer running Windows 7 SP1, targeted for the Windows 10 upgrade
![computers.](../images/mdt-upgrade.png)
The computers used in this article.
>[!NOTE]
>For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
> [!NOTE]
> For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
>
>If you have already completed all the steps in [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md), then you already have a production deployment share and you can skip to [Add Windows 10 Enterprise x64 (full source)](#add-windows-10-enterprise-x64-full-source).
## Create the MDT production deployment share
On **MDT01**:
1. Ensure you're signed on as: contoso\administrator.
1. Ensure you're signed on as **contoso\administrator**.
2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and select **Next**.
4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and select **Next**.
5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and select **Next**.
6. On the **Options** page, accept the default settings and select **Next** twice, and then select **Finish**.
7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share.
## Add Windows 10 Enterprise x64 (full source)
>If you have already have a Windows 10 [reference image](create-a-windows-10-reference-image.md) in the **MDT Build Lab** deployment share, you can use the deployment workbench to copy and paste this image from the MDT Build Lab share to the MDT Production share and skip the steps in this section.
> [!NOTE]
> If you have already have a Windows 10 [reference image](create-a-windows-10-reference-image.md) in the **MDT Build Lab** deployment share, you can use the deployment workbench to copy and paste this image from the MDT Build Lab share to the MDT Production share and skip the steps in this section.
On **MDT01**:
1. Sign in as contoso\\administrator and copy the content of a Windows 10 Enterprise x64 DVD/ISO to the **D:\\Downloads\\Windows 10 Enterprise x64** folder on MDT01, or just insert the DVD or mount an ISO on MDT01.
2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**.
3. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**.
4. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard:
- Full set of source files
- Source directory: (location of your source files)
- Destination directory name: <b>W10EX64RTM</b>
- **Source directory**: (location of your source files)
- **Destination directory name**: `W10EX64RTM`
5. After adding the operating system, in the **Operating Systems / Windows 10** folder, double-click it and change the name to: **Windows 10 Enterprise x64 RTM Default Image**.
## Create a task sequence to upgrade to Windows 10 Enterprise
@ -71,14 +83,16 @@ On **MDT01**:
On **MDT01**:
1. Using the Deployment Workbench, select **Task Sequences** in the **MDT Production** node, then create a folder named **Windows 10**.
2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- Task sequence ID: W10-X64-UPG
- Task sequence name: Windows 10 Enterprise x64 RTM Upgrade
- Template: Standard Client Upgrade Task Sequence
- Select OS: Windows 10 Enterprise x64 RTM Default Image
- Specify Product Key: Don't specify a product key at this time
- Organization: Contoso
- Admin Password: Don't specify an Administrator password at this time
2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the **New Task Sequence Wizard**:
- **Task sequence ID**: W10-X64-UPG
- **Task sequence name**: Windows 10 Enterprise x64 RTM Upgrade
- **Template**: Standard Client Upgrade Task Sequence
- **Select OS**: Windows 10 Enterprise x64 RTM Default Image
- **Specify Product Key**: Don't specify a product key at this time
- **Organization**: Contoso
- **Admin Password**: Don't specify an Administrator password at this time
## Perform the Windows 10 upgrade
@ -87,24 +101,24 @@ To initiate the in-place upgrade, perform the following steps on PC0002 (the dev
On **PC0002**:
1. Start the MDT deployment wizard by running the following command: **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**
2. Select the **Windows 10 Enterprise x64 RTM Upgrade** task sequence, and then select **Next**.
3. Select one or more applications to install (will appear if you use custom image): Install - Adobe Reader
4. On the **Ready** tab, select **Begin** to start the task sequence.
When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers.
When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers.
![upgrade1.](../images/upgrademdt-fig5-winupgrade.png)
<br>
![upgrade2.](../images/mdt-upgrade-proc.png)
<br>
![upgrade3.](../images/mdt-post-upg.png)
After the task sequence completes, the computer will be fully upgraded to Windows 10.
## Related articles
[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)<br>
[Microsoft Deployment Toolkit downloads and resources](/mem/configmgr/mdt/)
- [Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
- [Microsoft Deployment Toolkit downloads and resources](/mem/configmgr/mdt/)

156
windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
View File

@ -9,38 +9,49 @@ ms.localizationpriority: medium
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
ms.date: 11/28/2022
---
# Use Orchestrator runbooks with MDT
This article will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions.
MDT can integrate with System Center 2012 R2 Orchestrator, which is a component that ties the Microsoft System Center products together, as well as other products from both Microsoft and third-party vendors. The difference between using Orchestrator and "normal" web services, is that with Orchestrator you have a rich drag-and-drop style interface when building the solution, and little or no coding is required.
>[!Note]
>If you are licensed to use Orchestrator, we highly recommend that you start using it. To find out more about licensing options for System Center 2012 R2 and Orchestrator, visit the [System Center 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=619553) website.
> [!NOTE]
> If you are licensed to use Orchestrator, we highly recommend that you start using it. To find out more about licensing options for System Center 2012 R2 and Orchestrator, visit the [System Center 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=619553) website.
## <a href="" id="sec01"></a>Orchestrator terminology
## Orchestrator terminology
Before diving into the core details, here's a quick course in Orchestrator terminology:
- **Orchestrator Server.** This is a server that executes runbooks.
- **Runbooks.** A runbook is similar to a task sequence; it's a series of instructions based on conditions. Runbooks consist of workflow activities; an activity could be Copy File, Get User from Active Directory, or even Write to Database.
- **Orchestrator Designer.** This is where you build the runbooks. In brief, you do that by creating an empty runbook, dragging in the activities you need, and then connecting them in a workflow with conditions and subscriptions.
- **Subscriptions.** These are variables that come from an earlier activity in the runbook. So if you first execute an activity in which you type in a computer name, you can then subscribe to that value in the next activity. All these variables are accumulated during the execution of the runbook.
- **Orchestrator Console.** This is the Microsoft Silverlight-based web page you can use interactively to execute runbooks. The console listens to TCP port 81 by default.
- **Orchestrator web services.** These are the web services you use in the Microsoft Deployment Toolkit to execute runbooks during deployment. The web services listen to TCP port 82 by default.
- **Integration packs.** These provide additional workflow activities you can import to integrate with other products or solutions, like the rest of Active Directory, other System Center 2012 R2 products, or Microsoft Exchange Server, to name a few.
**Note**
To find and download additional integration packs, see [Integration Packs for System Center 2012 - Orchestrator](/previous-versions/system-center/packs/hh295851(v=technet.10)).
- **Orchestrator Server**: This is a server that executes runbooks.
## <a href="" id="sec02"></a>Create a sample runbook
- **Runbooks**: A runbook is similar to a task sequence; it's a series of instructions based on conditions. Runbooks consist of workflow activities; an activity could be Copy File, Get User from Active Directory, or even Write to Database.
- **Orchestrator Designer**: This is where you build the runbooks. In brief, you do that by creating an empty runbook, dragging in the activities you need, and then connecting them in a workflow with conditions and subscriptions.
- **Subscriptions**: These are variables that come from an earlier activity in the runbook. So if you first execute an activity in which you type in a computer name, you can then subscribe to that value in the next activity. All these variables are accumulated during the execution of the runbook.
- **Orchestrator Console**: This is the Microsoft Silverlight-based web page you can use interactively to execute runbooks. The console listens to TCP port 81 by default.
- **Orchestrator web services**: These are the web services you use in the Microsoft Deployment Toolkit to execute runbooks during deployment. The web services listen to TCP port 82 by default.
- **Integration packs**: These provide additional workflow activities you can import to integrate with other products or solutions, like the rest of Active Directory, other System Center 2012 R2 products, or Microsoft Exchange Server, to name a few.
> [!NOTE]
> To find and download additional integration packs, see [Integration Packs for System Center 2012 - Orchestrator](/previous-versions/system-center/packs/hh295851(v=technet.10)).
## Create a sample runbook
This section assumes you have Orchestrator 2012 R2 installed on a server named OR01. In this section, you create a sample runbook, which is used to log some of the MDT deployment information into a text file on OR01.
1. On OR01, using File Explorer, create the **E:\\Logfile** folder, and grant Users modify permissions (NTFS).
2. In the **E:\\Logfile** folder, create the DeployLog.txt file.
**Note**
Make sure File Explorer is configured to show known file extensions so the file isn't named DeployLog.txt.txt.
> [!NOTE]
> Make sure File Explorer is configured to show known file extensions so the file isn't named DeployLog.txt.txt.
![figure 23.](../images/mdt-09-fig23.png)
@ -53,11 +64,16 @@ This section assumes you have Orchestrator 2012 R2 installed on a server named O
Figure 24. Folder created in the Runbooks node.
4. In the **Runbooks** node, right-click the **1.0 MDT** folder, and select **New / Runbook**.
5. On the ribbon bar, select **Check Out**.
6. Right-click the **New Runbook** label, select **Rename**, and assign the name **MDT Sample**.
7. Add (using a drag-and-drop operation) the following items from the **Activities** list to the middle pane:
1. Runbook Control / Initialize Data
2. Text File Management / Append Line
- Runbook Control / Initialize Data
- Text File Management / Append Line
8. Connect **Initialize Data** to **Append Line**.
![figure 25.](../images/mdt-09-fig25.png)
@ -65,6 +81,7 @@ This section assumes you have Orchestrator 2012 R2 installed on a server named O
Figure 25. Activities added and connected.
9. Right-click the **Initialize Data** activity, and select **Properties**
10. On **the Initialize Data Properties** page, select **Add**, change **Parameter 1** to **OSDComputerName**, and then select **Finish**.
![figure 26.](../images/mdt-09-fig26.png)
@ -72,8 +89,11 @@ This section assumes you have Orchestrator 2012 R2 installed on a server named O
Figure 26. The Initialize Data Properties window.
11. Right-click the **Append Line** activity, and select **Properties**.
12. On the **Append Line Properties** page, in the **File** text box, type **E:\\Logfile\\DeployLog.txt**.
13. In the **File** encoding drop-down list, select **ASCII**.
14. In the **Append** area, right-click inside the **Text** text box and select **Expand**.
![figure 27.](../images/mdt-09-fig27.png)
@ -87,7 +107,9 @@ This section assumes you have Orchestrator 2012 R2 installed on a server named O
Figure 28. Subscribing to data.
16. In the **Published Data** window, select the **OSDComputerName** item, and select **OK**.
17. After the **{OSDComputerName from "Initialize Data"}** text, type in **has been deployed at** and, once again, right-click and select **Subscribe / Published Data**.
18. In the **Published Data** window, select the **Show common Published Data** check box, select the **Activity end time** item, and select **OK**.
![figure 29.](../images/mdt-09-fig29.png)
@ -95,14 +117,21 @@ This section assumes you have Orchestrator 2012 R2 installed on a server named O
Figure 29. The expanded text box after all subscriptions have been added.
19. On the **Append Line Properties** page, select **Finish**.
## <a href="" id="sec03"></a>Test the demo MDT runbook
After the runbook is created, you're ready to test it.
20. On the ribbon bar, select **Runbook Tester**.
21. Select **Run**, and in the **Initialize Data Parameters** dialog box, use the following setting and then select **OK**:
- OSDComputerName: PC0010
22. Verify that all activities are green (for more information, see each target).
23. Close the **Runbook Tester**.
24. On the ribbon bar, select **Check In**.
## Test the demo MDT runbook
After the runbook is created, you're ready to test it.
1. On the ribbon bar, select **Runbook Tester**.
2. Select **Run**, and in the **Initialize Data Parameters** dialog box, use the following setting and then select **OK**:
- **OSDComputerName**: PC0010
3. Verify that all activities are green (for more information, see each target).
4. Close the **Runbook Tester**.
5. On the ribbon bar, select **Check In**.
![figure 30.](../images/mdt-09-fig30.png)
@ -111,21 +140,31 @@ Figure 30. All tests completed.
## Use the MDT demo runbook from MDT
1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, select the **Task Sequences** node, and create a folder named **Orchestrator**.
2. Right-click the **Orchestrator** node, and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
1. Task sequence ID: OR001
2. Task sequence name: Orchestrator Sample
3. Task sequence comments: &lt;blank&gt;
4. Template: Custom Task Sequence
2. Right-click the **Orchestrator** node, and select **New Task Sequence**. Use the following settings for the **New Task Sequence Wizard**:
- **Task sequence ID**: OR001
- **Task sequence name**: Orchestrator Sample
- **Task sequence comments**: *\<blank\>*
- **Template**: Custom Task Sequence
3. In the **Orchestrator** node, double-click the **Orchestrator Sample** task sequence, and then select the **Task Sequence** tab.
4. Remove the default **Application Install** action.
5. Add a **Gather** action and select the **Gather only local data (do not process rules)** option.
6. After the **Gather** action, add a **Set Task Sequence Variable** action with the following settings:
1. Name: Set Task Sequence Variable
2. Task Sequence Variable: OSDComputerName
3. Value: %hostname%
- **Name**: Set Task Sequence Variable
- **Task Sequence Variable**: OSDComputerName
- **Value**: %hostname%
7. After the **Set Task Sequence Variable** action, add a new **Execute Orchestrator Runbook** action with the following settings:
1. Orchestrator Server: OR01.contoso.com
2. Use Browse to select **1.0 MDT / MDT Sample**.
- **Orchestrator Server**: OR01.contoso.com
- Use **Browse** to select **1.0 MDT / MDT Sample**.
8. Select **OK**.
![figure 31.](../images/mdt-09-fig31.png)
@ -135,21 +174,28 @@ Figure 31. The ready-made task sequence.
## Run the orchestrator sample task sequence
Since this task sequence just starts a runbook, you can test the task sequence on the PC0001 client that you used for the MDT simulation environment.
**Note**
Make sure the account you're using has permissions to run runbooks on the Orchestrator server. For more information about runbook permissions, see [Runbook Permissions](/previous-versions/system-center/system-center-2012-R2/hh403774(v=sc.12)).
> [!NOTE]
> Make sure the account you're using has permissions to run runbooks on the Orchestrator server. For more information about runbook permissions, see [Runbook Permissions](/previous-versions/system-center/system-center-2012-R2/hh403774(v=sc.12)).
1. On PC0001, log on as **CONTOSO\\MDT\_BA**.
2. Using an elevated command prompt (run as Administrator), type the following command:
``` syntax
cscript \\MDT01\MDTProduction$\Scripts\Litetouch.vbs
```cmd
cscript.exe \\MDT01\MDTProduction$\Scripts\Litetouch.vbs
```
3. Complete the Windows Deployment Wizard using the following information:
1. Task Sequence: Orchestrator Sample
2. Credentials:
1. User Name: MDT\_BA
2. Password: P@ssw0rd
3. Domain: CONTOSO
3. Complete the **Windows Deployment Wizard** using the following information:
1. **Task Sequence**: Orchestrator Sample
2. **Credentials**:
- **User Name**: MDT\_BA
- **Password**: P@ssw0rd
- **Domain**: CONTOSO
4. Wait until the task sequence is completed and then verify that the DeployLog.txt file in the E:\\Logfile folder on OR01 was updated.
![figure 32.](../images/mdt-09-fig32.png)
@ -158,16 +204,10 @@ Figure 32. The ready-made task sequence.
## Related articles
[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
[Simulate a Windows10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
[Use web services in MDT](use-web-services-in-mdt.md)
- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
- [Simulate a Windows10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
- [Use web services in MDT](use-web-services-in-mdt.md)

50
windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
View File

@ -9,45 +9,52 @@ ms.localizationpriority: medium
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
ms.date: 10/28/2022
ms.date: 11/28/2022
---
# Use the MDT database to stage Windows 10 deployment information
This article is designed to teach you how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database, rather than include the information in a text file (CustomSettings.ini). You can use this process, for example, to add the client machines you want to deploy, specify their computer names and IP addresses, indicate applications to be deployed, and determine many more settings for the machines.
## <a href="" id="sec01"></a>Database prerequisites
## Database prerequisites
MDT can use either SQL Server Express or full SQL Server. However, since the deployment database isn't large, even in large enterprise environments, we recommend using the free SQL Server 2012 SP1 Express database in your environment.
>[!NOTE]
>Be sure to enable Named Pipes when configuring the SQL Server 2012 SP1 Express database. Although it is a legacy protocol, Named Pipes has proven to work well when connecting from Windows Preinstallation Environment (Windows PE) to the SQL Server database.
> [!NOTE]
> Be sure to enable Named Pipes when configuring the SQL Server 2012 SP1 Express database. Although it is a legacy protocol, Named Pipes has proven to work well when connecting from Windows Preinstallation Environment (Windows PE) to the SQL Server database.
## <a href="" id="sec02"></a>Create the deployment database
## Create the deployment database
The MDT database is by default created and managed from the Deployment Workbench. In these steps, we assume you have installed SQL Server 2012 SP1 Express on MDT01.
>[!NOTE]
>Since SQL Server 2012 SP1 Express runs by default on a separate instance (SQLEXPRESS), the SQL Server Browser service must be running, and the firewall configured to allow traffic to it. Port 1433 TCP and port 1434 UDP need to be opened for inbound traffic on MDT01.
> [!NOTE]
> Since SQL Server 2012 SP1 Express runs by default on a separate instance (SQLEXPRESS), the SQL Server Browser service must be running, and the firewall configured to allow traffic to it. Port 1433 TCP and port 1434 UDP need to be opened for inbound traffic on MDT01.
1. On MDT01, using Deployment Workbench, expand the MDT Production deployment share, expand **Advanced Configuration**, right-click **Database**, and select **New Database**.
2. In the New DB Wizard, on the **SQL Server Details** page, enter the following settings and select **Next**:
1. SQL Server Name: MDT01
2. Instance: SQLEXPRESS
3. Port: &lt;blank&gt;
4. Network Library: Named Pipes
3. On the **Database** page, select **Create a new database**; in the **Database** field, type **MDT** and select **Next**.
4. On the **SQL Share** page, in the **SQL Share** field, type **Logs$** and select **Next**. Select **Next** again and then select **Finish**.
![figure 8.](../images/mdt-09-fig08.png)
Figure 8. The MDT database added to MDT01.
## <a href="" id="sec03"></a>Configure database permissions
## Configure database permissions
After creating the database, you need to assign permissions to it. In MDT, the account you used to run the deployment is used to access the database. In this environment, the network access account is MDT\_BA.
1. On MDT01, start SQL Server Management Studio.
2. In the **Connect to Server** dialog box, in the **Server name** list, select **MDT01\\SQLEXPRESS** and select **Connect**.
3. In the **Object Explorer** pane, expand the top-level **Security** node, right-click **Logins**, and select **New Login**.
![figure 9.](../images/mdt-09-fig09.png)
@ -55,20 +62,25 @@ After creating the database, you need to assign permissions to it. In MDT, the a
Figure 9. The top-level Security node.
4. On the **Login - New** page, next to the **Login** name field, select **Search**, and search for **CONTOSO\\MDT\_BA**. Then in the left pane, select **User Mapping**. Select the **MDT** database, and assign the following roles:
1. db\_datareader
2. db\_datawriter
3. public (default)
5. Select **OK**, and close SQL Server Management Studio.
![figure 10.](../images/mdt-09-fig10.png)
Figure 10. Creating the login and settings permissions to the MDT database.
## <a href="" id="sec04"></a>Create an entry in the database
## Create an entry in the database
To start using the database, you add a computer entry and assign a description and computer name. Use the computer's MAC Address as the identifier.
1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, expand **Advanced Configuration**, and expand **Database**.
2. Right-click **Computers**, select **New**, and add a computer entry with the following settings:
1. Description: New York Site - PC00075
2. MacAddress: &lt;PC00075 MAC Address in the 00:00:00:00:00:00 format&gt;
3. Details Tab / OSDComputerName: PC00075
@ -79,16 +91,10 @@ Figure 11. Adding the PC00075 computer to the database.
## Related articles
[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
[Use web services in MDT](use-web-services-in-mdt.md)
[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
- [Use web services in MDT](use-web-services-in-mdt.md)
- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)

108
windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
View File

@ -9,7 +9,7 @@ ms.localizationpriority: medium
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
ms.date: 10/28/2022
ms.date: 11/28/2022
---
# Use web services in MDT
@ -17,79 +17,96 @@ ms.date: 10/28/2022
In this article, you'll learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment. Web services provide a powerful way to assign settings during a deployment. Web services are web applications that run code on the server side, and MDT has built-in functions to call these web services.
Using a web service in MDT is straightforward, but it does require that you've enabled the Web Server (IIS) role on the server. Developing web services involves some coding, but for most web services used with MDT, you can use the free Microsoft Visual Studio Express 2013 for Web.
## <a href="" id="sec01"></a>Create a sample web service
## Create a sample web service
In these steps, we assume you have installed Microsoft Visual Studio Express 2013 for Web on PC0001 (the Windows 10 client) and downloaded the [MDT Sample Web Service](https://www.microsoft.com/download/details.aspx?id=42516) from the Microsoft Download Center and extracted it to C:\\Projects.
1. On PC0001, using Visual Studio Express 2013 for Web, open the C:\\Projects\\MDTSample\\ MDTSample.sln solution file.
2. On the ribbon bar, verify that Release is selected.
3. In the **Debug** menu, select the **Build MDTSample** action.
4. On MDT01, create a folder structure for **E:\\MDTSample\\bin**.
5. From PC0001, copy the C:\\Projects\\MDTSample\\obj\\Release\\MDTSample.dll file to the **E:\\MDTSample\\bin** folder on MDT01.
6. From PC0001, copy the following files from C:\\Projects\\MDTSample file to the **E:\\MDTSample** folder on MDT01:
1. Web.config
2. mdtsample.asmx
![figure 15.](../images/mdt-09-fig15.png)
- Web.config
- mdtsample.asmx
Figure 15. The sample project in Microsoft Visual Studio Express 2013 for Web.
![figure 15.](../images/mdt-09-fig15.png)
## <a href="" id="sec02"></a>Create an application pool for the web service
Figure 15. The sample project in Microsoft Visual Studio Express 2013 for Web.
## Create an application pool for the web service
This section assumes that you've enabled the Web Server (IIS) role on MDT01.
1. On MDT01, using Server Manager, install the **IIS Management Console** role (available under Web Server (IIS) / Management Tools).
2. Using Internet Information Services (IIS) Manager, expand the **MDT01 (CONTOSO\\Administrator)** node. If prompted with the **Do you want to get started with Microsoft Web Platform?** question, select the **Do not show this message** check box and then select **No**.
3. Right-click **Application Pools**, select **Add Application Pool**, and configure the new application pool with the following settings:
1. Name: MDTSample
2. .NET Framework version: .NET Framework 4.0.30319
3. Manage pipeline mode: Integrated
4. Select the **Start application pool immediately** check box.
5. Select **OK**.
![figure 16.](../images/mdt-09-fig16.png)
- **Name**: MDTSample
- **.NET Framework version**: .NET Framework 4.0.30319
- **Manage pipeline mode**: Integrated
- Select the **Start application pool immediately** check box.
- Select **OK**.
Figure 16. The new MDTSample application.
![figure 16.](../images/mdt-09-fig16.png)
## <a href="" id="sec03"></a>Install the web service
Figure 16. The new MDTSample application.
## Install the web service
1. On MDT01, using Internet Information Services (IIS) Manager, expand **Sites**, right-click **Default Web Site**, and select **Add Application**. Use the following settings for the application:
1. Alias: MDTSample
2. Application pool: MDTSample
3. Physical Path: E:\\MDTSample
- **Alias**: MDTSample
- **Application pool**: MDTSample
- **Physical Path**: E:\\MDTSample
![figure 17.](../images/mdt-09-fig17.png)
Figure 17. Adding the MDTSample web application.
2. In the **Default Web Site** node, select the MDTSample web application, and in the right pane, double-click **Authentication**. Use the following settings for the **Authentication** dialog box:
1. Anonymous Authentication: Enabled
2. ASP.NET Impersonation: Disabled
![figure 18.](../images/mdt-09-fig18.png)
- **Anonymous Authentication**: Enabled
- **ASP.NET Impersonation**: Disabled
Figure 18. Configuring Authentication for the MDTSample web service.
![figure 18.](../images/mdt-09-fig18.png)
## <a href="" id="sec04"></a>Test the web service in Internet Explorer
Figure 18. Configuring Authentication for the MDTSample web service.
## Test the web service in Internet Explorer
1. On PC0001, using Internet Explorer, navigate to: **`http://MDT01/MDTSample/mdtsample.asmx'**.
1. On PC0001, using Internet Explorer, navigate to: **http://MDT01/MDTSample/mdtsample.asmx**.
2. Select the **GetComputerName** link.
![figure 19.](../images/mdt-09-fig19.png)
Figure 19. The MDT Sample web service.
3. On the **GetComputerName** page, type in the following settings, and select **Invoke**:
1. Model: Hewlett-Packard
2. SerialNumber: 123456789
![figure 20.](../images/mdt-09-fig20.png)
- **Model**: Hewlett-Packard
- **SerialNumber**: 123456789
Figure 20. The result from the MDT Sample web service.
![figure 20.](../images/mdt-09-fig20.png)
## <a href="" id="sec05"></a>Test the web service in the MDT simulation environment
Figure 20. The result from the MDT Sample web service.
## Test the web service in the MDT simulation environment
After verifying the web service using Internet Explorer, you're ready to do the same test in the MDT simulation environment.
1. On PC0001, edit the CustomSettings.ini file in the **C:\\MDT** folder to look like the following:
```
```ini
[Settings]
Priority=Default, GetComputerName
[Default]
@ -99,35 +116,32 @@ After verifying the web service using Internet Explorer, you're ready to do the
Parameters=Model,SerialNumber
OSDComputerName=string
```
![figure 21.](../images/mdt-09-fig21.png)
Figure 21. The updated CustomSettings.ini file.
2. Save the CustomSettings.ini file.
3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press **Enter** after each command:
```
```powershell
Set-Location C:\MDT
.\Gather.ps1
```
4. Review the ZTIGather.log in the **C:\\MININT\\SMSOSD\\OSDLOGS** folder.
![figure 22.](../images/mdt-09-fig22.png)
![figure 22.](../images/mdt-09-fig22.png)
Figure 22. The OSDCOMPUTERNAME value obtained from the web service.
Figure 22. The OSDCOMPUTERNAME value obtained from the web service.
## Related articles
[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)

2
windows/deployment/planning/index.md
View File

@ -21,7 +21,7 @@ Windows 10 provides new deployment capabilities, scenarios, and tools by buildin
|[Windows 10 deployment considerations](windows-10-deployment-considerations.md) |There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications. |
|[Windows 10 compatibility](windows-10-compatibility.md) |Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. |
|[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) |There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. |
|[Features removed or planned for replacement](features-lifecycle.md) |Information is provided about Windows 10 features and functionality that are removed or planned for replacement. |
|[Features removed or planned for replacement](/windows/whats-new/feature-lifecycle) |Information is provided about Windows features and functionality that are removed or planned for replacement. |
|[Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) |The Microsoft® Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. |
## Related topics

5
windows/deployment/update/wufb-reports-overview.md
View File

@ -40,10 +40,11 @@ Currently, Windows Update for Business reports contains the following features:
- UCClientReadinessStatus
- UCClientUpdateStatus
- UCDeviceAlert
- UCDOAggregatedStatus
- UCDOStatus
- UCServiceUpdateStatus
- UCUpdateAlert
- UCDOStatus
- UCDOAggregatedStatus
- Client data collection to populate the Windows Update for Business reports tables
:::image type="content" source="media/wufb-reports-query-table.png" alt-text="Screenshot of using a custom Kusto (KQL) query on Windows Update for Business reports data in Log Analytics." lightbox="media/wufb-reports-query-table.png":::

2
windows/deployment/update/wufb-reports-schema-ucdostatus.md
View File

@ -16,7 +16,7 @@ ms.technology: itpro-updates
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10)***
UCDOStatus provides information, for a single device, on its bandwidth utilization across content types in the event they use Delivery Optimization.
UCDOStatus provides information, for a single device, on its bandwidth utilization across content types in the event they use [Delivery Optimization and Microsoft Connected Cache](/windows/deployment/do).
|Field |Type |Example |Description |
|---|---|---|---|

2
windows/deployment/update/wufb-reports-schema.md
View File

@ -31,5 +31,7 @@ The following table summarizes the different tables that are part of the Windows
|[**UCClientReadinessStatus**](wufb-reports-schema-ucclientreadinessstatus.md) | Device record | UCClientReadinessStatus is an individual device's record about its readiness for updating to Windows 11. If the device isn't capable of running Windows 11, the record includes which Windows 11 hardware requirements the device doesn't meet.|
| [**UCClientUpdateStatus**](wufb-reports-schema-ucclientupdatestatus.md) | Device record | Update Event that combines the latest client-based data with the latest service-based data to create a complete picture for one device (client) and one update. |
| [**UCDeviceAlert**](wufb-reports-schema-ucdevicealert.md)| Service and device record | These alerts are activated as a result of an issue that is device-specific. It isn't specific to the combination of a specific update and a specific device. Like UpdateAlerts, the AlertType indicates where the Alert comes from such as a ServiceDeviceAlert or ClientDeviceAlert. |
| [**UCDOAggregatedStatus**](wufb-reports-schema-ucdoaggregatedstatus.md)| Device record | UCDOAggregatedStatus is an aggregation of all individual UDDOStatus records across the tenant and summarizes bandwidth savings across all devices enrolled using Delivery Optimization and Microsoft Connected Cache. |
| [**UCDOStatus**](wufb-reports-schema-ucdostatus.md)| Device record | UCDOStatus provides information, for a single device, on its bandwidth utilization across content types in the event they use Delivery Optimization and Microsoft Connected Cache. |
| [**UCServiceUpdateStatus**](wufb-reports-schema-ucserviceupdatestatus.md) | Service record | Update Event that comes directly from the service-side. The event has only service-side information for one device (client), and one update, in one deployment. |
| [**UCUpdateAlert**](wufb-reports-schema-ucupdatealert.md) | Service and device records | Alert for both client and service update. Contains information that needs attention, relative to one device (client), one update, and one deployment, if relevant. Certain fields may be blank depending on the UpdateAlert's AlertType field. For example, ServiceUpdateAlert won't necessarily contain client-side statuses and may be blank. |

299
windows/deployment/usmt/usmt-common-issues.md
View File

@ -1,299 +0,0 @@
---
title: Common Issues (Windows 10)
description: Learn about common issues that you might see when you run the User State Migration Tool (USMT) 10.0 tools.
ms.reviewer:
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
ms.date: 11/01/2022
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
---
# Common issues
The following sections discuss common issues that you might see when you run the User State Migration Tool (USMT) 10.0 tools. USMT produces log files that describe in further detail any errors that occurred during the migration process. These logs can be used to troubleshoot migration failures.
## General guidelines for identifying migration problems
When you encounter a problem or error message during migration, you can use the following general guidelines to help determine the source of the problem:
- Examine the **ScanState**, **LoadState**, and UsmtUtils logs to obtain the exact USMT error messages and Windows® application programming interface (API) error messages. For more information about USMT return codes and error messages, see [Return codes](usmt-return-codes.md). You can obtain more information about any listed **Windows** system error codes by typing in a command prompt window `net.exe helpmsg <error_number>` where *<error_number>* is the error code number generated by the error message. For more information about System Error Codes, see [System Error Codes (0-499)](/windows/win32/debug/system-error-codes--0-499-).
In most cases, the **ScanState** and **LoadState** logs indicate why a USMT migration is failing. We recommend that you use the `/v:5` option when testing your migration. This verbosity level can be adjusted in a production migration; however, reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a verbosity level higher than 5 if you want the log files output to go to a debugger.
> [!NOTE]
> Running the **ScanState** and **LoadState** tools with the `/v:5` option creates a detailed log file. Although this option makes the log file large, the extra detail can help you determine where migration errors occurred.
- Use the `/Verify` option with the UsmtUtils tool to determine whether any files in a compressed migration store are corrupted. For more information, see [Verify the condition of a compressed migration store](verify-the-condition-of-a-compressed-migration-store.md).
- Use the `/Extract` option with the UsmtUtils tool to extract files from a compressed migration store. For more information, see [Extract files from a compressed USMT migration store](usmt-extract-files-from-a-compressed-migration-store.md).
- Create a progress log using the `/Progress` option to monitor your migration.
- For the source and destination computers, obtain operating system information, and versions of applications such as Internet Explorer and any other relevant programs. Then verify the exact steps that are needed to reproduce the problem. This information might help you to understand what is wrong and to reproduce the issue in your testing environment.
- Sign out after you run the **LoadState** tool. Some settings such as fonts, desktop backgrounds, and screen-saver settings won't take effect until the next time the end user logs on.
- Close all applications before running **ScanState** or **LoadState** tools. If some applications are running during the **ScanState** or **LoadState** process, USMT might not migrate some data. For example, if Microsoft Outlook® is open, USMT might not migrate PST files.
> [!NOTE]
> USMT will fail if it can't migrate a file or setting unless you specify the `/c` option. When you specify the `/c` option, USMT ignores errors. However, it logs an error when it encounters a file that is in use that didn't migrate.
## User account problems
The following sections describe common user account problems. Expand the section to see recommended solutions.
### I'm having problems creating local accounts on the destination computer
**Resolution:** For more information about creating accounts and migrating local accounts, see [Migrate user accounts](usmt-migrate-user-accounts.md).
### Not all of the user accounts were migrated to the destination computer
**Causes/Resolutions** There are two possible causes for this problem:
When running the **ScanState** and LoadState tools on Windows 7, Windows 8, or Windows 10, you must run them in Administrator mode from an account with administrative credentials to ensure that all specified users are migrated. To run in Administrator mode:
1. Select **Start** > **All Programs** > **Accessories**.
2. Right-click **Command Prompt**.
3. Select **Run as administrator**.
4. Specify the `LoadState.exe` or `ScanState.exe` command.
If you don't run USMT in Administrator mode, only the user profile that is logged on will be included in the migration.
Any user accounts on the computer that haven't been used won't be migrated. For example, if you add User1 to the computer, but User1 never logs on, then USMT won't migrate the User1 account.
### User accounts that I excluded were migrated to the destination computer
**Cause:** The command that you specified might have had conflicting `ui` and `/ue` options. If a user is specified with the `/ui` option and with either the `/ue` or `/uel` options at the same time, the user will be included in the migration. For example, if you specify `/ui:domain1\* /ue:domain1\user1`, then User1 will be migrated because the `/ui` option takes precedence.
**Resolution:** For more information about how to use the `/ui` and `/ue` options together, see the examples in the [ScanState Syntax](usmt-scanstate-syntax.md) article.
### I'm using the /uel option, but many accounts are still being included in the migration
**Cause:** The `/uel` option depends on the last modified date of the users' NTUser.dat file. There are scenarios in which this last modified date might not match the users' last sign-in date.
**Resolution:** This is a limitation of the `/uel` option. You might need to exclude these users manually with the `/ue` option.
### The LoadState tool reports an error as return code 71 and fails to restore a user profile during a migration test
**Cause:** During a migration test, if you run the **ScanState** tool on your test computer and then delete user profiles in order to test the **LoadState** tool on the same computer, you may have a conflicting key present in the registry. Using the **net use** command to remove a user profile will delete folders and files associated with that profile, but won't remove the registry key.
**Resolution:** To delete a user profile, use the **User Accounts** item in Control Panel. To correct an incomplete deletion of a user profile:
1. Open the registry editor by typing `regedit` at an elevated command prompt.
2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList`.
Each user profile is stored in a System Identifier key under `ProfileList`.
3. Delete the key for the user profile you're trying to remove.
### Files that weren't encrypted before the migration are now encrypted with the account used to run the LoadState tool
**Cause:** The **ScanState** tool was run using the `/EFS:copyraw` option to migrate encrypted files and Encrypting File System (EFS) certificates. The encryption attribute was set on a folder that was migrated, but the attribute was removed from file contents of that folder prior to migration.
**Resolution:** Before using the **ScanState** tool for a migration that includes encrypted files and EFS certificates, you can run the Cipher tool at the command prompt to review and change encryption settings on files and folders. You must remove the encryption attribute from folders that contain unencrypted files or encrypt the contents of all files within an encrypted folder.
To remove encryption from files that have already been migrated incorrectly, you must sign into the computer with the account that you used to run the **LoadState** tool and then remove the encryption from the affected files.
### The LoadState tool reports an error as return code 71 and a Windows Error 2202 in the log file
**Cause:** The computer name was changed during an offline migration of a local user profile.
**Resolution:** You can use the `/mu` option when you run the **LoadState** tool to specify a new name for the user. For example,
```cmd
LoadState.exe /i:MigApp.xml /i:MigDocs.xml \\server\share\migration\mystore
/progress:Progress.log /l:LoadState.log /mu:fareast\user1:farwest\user1
```
## Command-line problems
The following sections describe common command-line problems. Expand the section to see recommended solutions.
### I received the following error message: "Usage Error: You can't specify a file path with any of the command-line options that exceeds 256 characters."
**Cause:** You might receive this error message in some cases even if you don't specify a long store or file path, because the path length is calculated based on the absolute path. For example, if you run the ` **ScanState**.exe /o store` command from `C:\Program Files\USMT40`, then each character in "`C:\Program Files\USMT40`" will be added to the length of "store" to get the length of the path.
**Resolution:** Ensure that the total path length doesn't exceed 256 characters. The total path length includes the store path plus the current directory.
### I received the following error message: "USMT was unable to create the log file(s). Ensure that you have write access to the log directory."
**Cause:** If you're running the **ScanState** or **LoadState** tools from a shared network resource, you'll receive this error message if you don't specify `/l`.
**Resolution:** To fix this issue in this scenario, specify the `/l:ScanState.log` or `/l:LoadState.log` option.
## XML file problems
The following sections describe common XML file problems. Expand the section to see recommended solutions.
### I used the `/genconfig` option to create a `Config.xml` file, but I see only a few applications and components that are in `MigApp.xml`. Why does `Config.xml` not contain all of the same applications?
**Cause:** `Config.xml` will contain only operating system components, applications, and the user document sections that are in both of the .xml files and are installed on the computer when you run the `/genconfig` option. Otherwise, these applications and components won't appear in the `Config.xml` file.
**Resolution:** Install all of the desired applications on the computer before running the `/genconfig` option. Then run `ScanState.exe` with all of the .xml files. For example, run the following command:
```cmd
ScanState.exe /genconfig:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:5 /l:ScanState.log
```
### I'm having problems with a custom .xml file that I authored, and I can't verify that the syntax is correct
**Resolution:** You can load the XML schema file `MigXML.xsd` into your XML authoring tool. `MigXML.xsd` is included with USMT. For examples, see the [Visual Studio Development Center](https://go.microsoft.com/fwlink/p/?LinkId=74513). Then, load your .xml file in the authoring tool to see if there's a syntax error. For more information about using the XML elements, see [USMT XML Reference](usmt-xml-reference.md).
### I'm using a MigXML helper function, but the migration isn't working the way I expected it to. How do I troubleshoot this issue?
**Cause:** Typically, this issue is caused by incorrect syntax used in a helper function. You receive a Success return code, but the files you wanted to migrate didn't get collected or applied, or weren't collected or applied in the way you expected.
**Resolution:** You should search the **ScanState** or **LoadState** log for either the component name that contains the MigXML helper function, or the MigXML helper function title, so that you can locate the related warning in the log file.
## Migration problems
The following sections describe common migration problems. Expand the section to see recommended solutions.
### Files that I specified to exclude are still being migrated
**Cause:** There might be another rule that is including the files. If there's a more specific rule or a conflicting rule, the files will be included in the migration.
**Resolution:** For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md) and the Diagnostic Log section in [Log Files](usmt-log-files.md).
### I specified rules to move a folder to a specific location on the destination computer, but it hasn't migrated correctly
**Cause:** There might be an error in the XML syntax.
**Resolution:** You can use the USMT XML schema (`MigXML.xsd`) to write and validate migration .xml files. Also see the XML examples in the following articles:
[Conflicts and precedence](usmt-conflicts-and-precedence.md)
[Exclude files and settings](usmt-exclude-files-and-settings.md)
[Reroute files and settings](usmt-reroute-files-and-settings.md)
[Include files and settings](usmt-include-files-and-settings.md)
[Custom XML examples](usmt-custom-xml-examples.md)
### After LoadState completes, the new desktop background doesn't appear on the destination computer
There are three typical causes for this issue.
**Cause**: Some settings such as fonts, desktop backgrounds, and screen-saver settings aren't applied by **LoadState** until after the destination computer has been restarted.
**Resolution:** To fix this issue, sign out, and then log back on to see the migrated desktop background.
<!---
**Cause \#2:** If the source computer was running Windows® XP and the desktop background was stored in the *Drive*:\\WINDOWS\\Web\\Wallpaper folder—the default folder where desktop backgrounds are stored in Windows XP—the desktop background won't be migrated. Instead, the destination computer will have the default Windows® desktop background. This issue will occur even if the desktop background was a custom picture that was added to the \\WINDOWS\\Web\\Wallpaper folder. However, if the end user sets a picture as the desktop background that was saved in another location, for example, My Pictures, then the desktop background will migrate.
**Resolution:** Ensure that the desktop background images that you want to migrate aren't in the \\WINDOWS\\Web\\Wallpaper folder on the source computer.
**Cause \#3:** If **ScanState** wasn't run on Windows XP from an account with administrative credentials, some operating system settings won't migrate. For example, desktop background settings, screen-saver selections, modem options, media-player settings, and Remote Access Service (RAS) connection phone book (.pbk) files and settings won't migrate.
**Resolution:** Run the **ScanState** and **LoadState** tools from within an account with administrative credentials.
--->
### I included `MigApp.xml` in the migration, but some `PST` files aren't migrating
**Cause:** The `MigApp.xml` file migrates only the PST files that are linked to Outlook profiles.
**Resolution:** To migrate PST files that aren't linked to Outlook profiles, you must create a separate migration rule to capture these files.
### USMT doesn't migrate the Start layout
**Description:** You're using USMT to migrate profiles from one installation of Windows 10 to another installation of Windows 10 on different hardware. After migration, the user signs in on the new device and doesn't have the Start menu layout they had previously configured.
**Cause:** A code change in the Start Menu with Windows 10 version 1607 and later is incompatible with this USMT function.
**Resolution:** The following workaround is available:
1. With the user signed in, back up the Start layout using the following Windows PowerShell command. You can specify a different path if desired:
```powershell
Export-StartLayout -Path "C:\Layout\user1.xml"
```
2. Migrate the user's profile with USMT.
3. Before the user signs in on the new device, import the Start layout using the following Windows PowerShell command:
```powershell
Import-StartLayout -LayoutPath "C:\Layout\user1.xml" -MountPath %systemdrive%
```
This workaround changes the Default user's Start layout. The workaround doesn't scale to a mass migrations or multiuser devices, but it can potentially unblock some scenarios. If other users will sign on to the device, you should delete layoutmodification.xml from the Default user profile. Otherwise, all users who sign on to that device will use the imported Start layout.
## Offline migration problems
The following sections describe common offline migration problems. Expand the section to see recommended solutions.
### Some of my system settings don't migrate in an offline migration
**Cause:** Some system settings, such as desktop backgrounds and network printers, aren't supported in an offline migration. For more information, see [What does USMT migrate?](usmt-what-does-usmt-migrate.md)
**Resolution:** In an offline migration, these system settings must be restored manually.
### The ScanState tool fails with return code 26
**Cause:** A common cause of return code 26 is that a temp profile is active on the source computer. This profile maps to c:\\users\\temp. The **ScanState** log shows a **MigStartupOfflineCaught** exception that includes the message **User profile duplicate SID error**.
**Resolution:** You can reboot the computer to get rid of the temp profile or you can set **MIG_FAIL_ON_PROFILE_ERROR=0** to skip the error and exclude the temp profile.
### Include and Exclude rules for migrating user profiles don't work the same offline as they do online
**Cause:** When offline, the DNS server can't be queried to resolve the user name and SID mapping.
**Resolution:** Use a Security Identifier (SID) to include a user when running the **ScanState** tool. For example:
```cmd
ScanState.exe /ui:S1-5-21-124525095-708259637-1543119021*
```
The wild card (\*) at the end of the SID will migrate the *SID*\_Classes key as well.
You can also use patterns for SIDs that identify generic users or groups. For example, you can use the `/ue:*-500` option to exclude the local administrator accounts. For more information about Windows SIDs, see [Security identifiers](/windows-server/identity/ad-ds/manage/understand-security-identifiers).
### My script to wipe the disk fails after running the ScanState tool on a 64-bit system
**Cause:** The HKLM registry hive isn't unloaded after the **ScanState** tool has finished running.
**Resolution:** Reboot the computer or unload the registry hive at the command prompt after the **ScanState** tool has finished running. For example, at a command prompt, enter:
```cmd
reg.exe unload hklm\$dest$software
```
## Hard-Link Migration Problems
The following sections describe common hard-link migration problems. Expand the section to see recommended solutions.
### EFS files aren't restored to the new partition
**Cause:** EFS files can't be moved to a new partition with a hard link. The `/efs:hardlink` command-line option is only applicable to files migrated on the same partition.
**Resolution:** Use the `/efs:copyraw` command-line option to copy EFS files during the migration instead of creating hard links, or manually copy the EFS files from the hard-link store.
### The ScanState tool can't delete a previous hard-link migration store
**Cause:** The migration store contains hard links to locked files.
**Resolution:** Use the UsmtUtils tool to delete the store or change the store name. For example, at a command prompt, enter:
```cmd
UsmtUtils.exe /rd <storedir>
```
You should also reboot the machine.
## Related articles
[User State Migration Tool (USMT) troubleshooting](usmt-troubleshooting.md)
[Frequently asked questions](usmt-faq.yml)
[Return codes](usmt-return-codes.md)
[UsmtUtils syntax](usmt-utilities.md)

4
windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
View File

@ -25,7 +25,7 @@ Options used with the `/extract` option can specify:
In addition, you can specify the file patterns that you want to extract by using the `/i` option to include file patterns or the `/e` option to exclude file patterns. When both the `/i` option and the `/e` option are used in the same command, include patterns take precedence over exclude patterns. Note that this is different from the include and exclude rules used in the **ScanState** and **LoadState** tools.
### To run the UsmtUtils tool with the /extract option
## To run the UsmtUtils tool with the /extract option
To extract files from the compressed migration store onto the destination computer, use the following UsmtUtils syntax:
@ -93,6 +93,6 @@ In this example, if there is a myProject.exe file, it will also be extracted bec
[UsmtUtils syntax](usmt-utilities.md)
[Return codes](usmt-return-codes.md)
[Return codes](/troubleshoot/windows-client/deployment/usmt-return-codes)
[Verify the condition of a compressed migration store](verify-the-condition-of-a-compressed-migration-store.md)

339
windows/deployment/usmt/usmt-return-codes.md
View File

@ -1,339 +0,0 @@
---
title: Return Codes (Windows 10)
description: Learn about User State Migration Tool (USMT) 10.0 return codes and error messages. Also view a list of USMT return codes and their associated migration steps.
ms.reviewer:
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: frankroj
ms.date: 11/01/2022
ms.topic: article
ms.technology: itpro-deploy
---
# Return codes
This article describes User State Migration Tool (USMT) 10.0 return codes and error messages. Also included is a table listing the USMT return codes with their associated mitigation steps. In addition, this article provides tips to help you use the logfiles to determine why you received an error.
Understanding the requirements for running USMT can help minimize errors in your USMT migrations. For more information, see [USMT Requirements](usmt-requirements.md).
## USMT return codes
If you encounter an error in your USMT migration, you can use return codes and the more specific information provided in the associated USMT error messages to troubleshoot the issue and to identify mitigation steps.
Return codes are grouped into the following broad categories that describe their area of error reporting:
- Success or User Cancel
- Invalid Command Lines
- Setup and Initialization
- Non-fatal Errors
- Fatal Errors
As a best practice, we recommend that you set verbosity level to 5, `v:5`, on the `ScanState.exe`, `LoadState.exe`, and `UsmtUtils.exe` command lines so that the most detailed reporting is available in the respective USMT logs. You can use a higher verbosity level if you want the log files output to go to a debugger.
## USMT error messages
Error messages provide more detailed information about the migration problem than the associated return code. For example, the **ScanState**, **LoadState**, or **UsmtUtils** tool might return a code of **11** (for **USMT_INVALID_PARAMETERS**) and a related error message that reads **/key and /keyfile both specified**. The error message is displayed at the command prompt and is identified in the **ScanState**, **LoadState**, or **UsmtUtils** log files to help you determine why the return code was received.
You can obtain more information about any listed **Windows** system error codes by typing in a command prompt window `net.exe helpmsg <error_number>` where *<error_number>* is the error code number generated by the error message. For more information about System Error Codes, see [System Error Codes (0-499)](/windows/win32/debug/system-error-codes--0-499-).
## Troubleshooting return codes and error messages
The following information lists each return code by numeric value, along with the associated error messages and suggested troubleshooting actions.
### 0: USMT_SUCCESS
- **Category**: Success or User Cancel
| Error message | Troubleshooting, mitigation, workarounds |
| --- | --- |
| **Successful run** | NA |
### 1: USMT_DISPLAY_HELP
- **Category**: Success or User Cancel
| Error message | Troubleshooting, mitigation, workarounds |
| --- | --- |
| **Command line help requested** | NA |
### 2: USMT_STATUS_CANCELED
- **Category**: Success or User Cancel
| Error message | Troubleshooting, mitigation, workarounds |
| --- | --- |
| **Gather was aborted because of an EFS file** | NA |
| **User chose to cancel (such as pressing CTRL+C)** | NA |
### 3: USMT_WOULD_HAVE_FAILED
- **Category**:
| Error message | Troubleshooting, mitigation, workarounds |
| --- | --- |
| **At least one error was skipped as a result of /c.** | Review ScanState, LoadState, or UsmtUtils log for details about command-line errors. |
### 11: USMT_INVALID_PARAMETERS
- **Category**: Invalid Command Lines
| Error message | Troubleshooting, mitigation, workarounds |
| --- | --- |
| **/all conflicts with /ui, /ue or /uel** | Review ScanState log or LoadState log for details about command-line errors. |
| **/auto expects an optional parameter for the script folder** | Review ScanState log or LoadState log for details about command-line errors. |
| **/encrypt can't be used with /nocompress** | Review ScanState log or LoadState log for details about command-line errors. |
| **/encrypt requires /key or /keyfile** | Review ScanState log or LoadState log for details about command-line errors. |
| **/genconfig can't be used with most other options** | Review ScanState log or LoadState log for details about command-line errors. |
| **/genmigxml can't be used with most other options** | Review ScanState log or LoadState log for details about command-line errors. |
| **/hardlink requires /nocompress** | Review ScanState log or LoadState log for details about command-line errors. |
| **/key and /keyfile both specified** | Review ScanState log or LoadState log for details about command-line errors. |
| **/key or /keyfile used without enabling encryption** | Review ScanState log or LoadState log for details about command-line errors. |
| **/lae is only used with /lac** | Review ScanState log or LoadState log for details about command-line errors. |
| **/listfiles cannot be used with /p** | Review ScanState log or LoadState log for details about command-line errors. |
| **/offline requires a valid path to an XML file describing offline paths** | Review ScanState log or LoadState log for details about command-line errors. |
| **/offlinewindir requires a valid path to offline windows folder** | Review ScanState log or LoadState log for details about command-line errors. |
| **/offlinewinold requires a valid path to offline windows folder** | Review ScanState log or LoadState log for details about command-line errors. |
| **A command was already specified** | Verify that the command-line syntax is correct and that there are no duplicate commands. |
| **An option argument is missing** | Review ScanState log or LoadState log for details about command-line errors. |
| **An option is specified more than once and is ambiguous** | Review ScanState log or LoadState log for details about command-line errors. |
| **By default /auto selects all users and uses the highest log verbosity level. Switches like /all, /ui, /ue, /v are not allowed.** | Review ScanState log or LoadState log for details about command-line errors. |
| **Command line arguments are required. Specify /? for options.** | Review ScanState log or LoadState log for details about command-line errors. |
| **Command line option is not valid** | Review ScanState log or LoadState log for details about command-line errors. |
| **EFS parameter specified is not valid for /efs** | Review ScanState log or LoadState log for details about command-line errors. |
| **File argument is invalid for /genconfig** | Review ScanState log or LoadState log for details about command-line errors. |
| **File argument is invalid for /genmigxml** | Review ScanState log or LoadState log for details about command-line errors. |
| **Invalid space estimate path. Check the parameters and/or file system permissions** | Review ScanState log or LoadState log for details about command-line errors. |
| **List file path argument is invalid for /listfiles** | Review ScanState log or LoadState log for details about command-line errors. |
| **Retry argument must be an integer** | Review ScanState log or LoadState log for details about command-line errors. |
| **Settings store argument specified is invalid** | Review ScanState log or LoadState log for details about command-line errors. Make sure that the store path is accessible and that the proper permission levels are set. |
| **Specified encryption algorithm is not supported** | Review ScanState log or LoadState log for details about command-line errors. |
| **The /efs:hardlink requires /hardlink** | Review ScanState log or LoadState log for details about command-line errors. |
| **The /targetWindows7 option is only available for Windows XP, Windows Vista, and Windows 7** | Review ScanState log or LoadState log for details about command-line errors. |
| **The store parameter is required but not specified** | Review ScanState log or LoadState log for details about command-line errors. |
| **The source-to-target domain mapping is invalid for /md** | Review ScanState log or LoadState log for details about command-line errors. |
| **The source-to-target user account mapping is invalid for /mu** | Review ScanState log or LoadState log for details about command-line errors. |
| **Undefined or incomplete command line option** | Review ScanState log or LoadState log for details about command-line errors. |
| **Use /nocompress, or provide an XML file path with /p"pathtoafile" to get a compressed store size estimate** | Review ScanState log or LoadState log for details about command-line errors. |
| **User exclusion argument is invalid** | Review ScanState log or LoadState log for details about command-line errors. |
| **Verbosity level must be specified as a sum of the desired log options: Verbose (0x01), Record Objects (0x04), Echo to debug port (0x08)** | Review ScanState log or LoadState log for details about command-line errors. |
| **Volume shadow copy feature is not supported with a hardlink store** | Review ScanState log or LoadState log for details about command-line errors. |
| **Wait delay argument must be an integer** | Review ScanState log or LoadState log for details about command-line errors. |
### 12: USMT_ERROR_OPTION_PARAM_TOO_LARGE
- **Category**: Invalid Command Lines
| Error message | Troubleshooting, mitigation, workarounds |
| --- | --- |
| **Command line arguments cannot exceed 256 characters** | Review ScanState log or LoadState log for details about command-line errors. |
| **Specified settings store path exceeds the maximum allowed length of 256 characters** | Review ScanState log or LoadState log for details about command-line errors. |
### 13: USMT_INIT_LOGFILE_FAILED
- **Category**: Invalid Command Lines
| Error message | Troubleshooting, mitigation, workarounds |
| --- | --- |
| **Log path argument is invalid for /l** | When `/l` is specified in the ScanState command line, USMT validates the path. Verify that the drive and other information, for example file system characters, are correct. |
### 14: USMT_ERROR_USE_LAC
- **Category**: Invalid Command Lines
| Error message | Troubleshooting, mitigation, workarounds |
| --- | --- |
| **Unable to create a local account because /lac was not specified** | When creating local accounts, the command-line options `/lac` and `/lae` should be used. |
### 26: USMT_INIT_ERROR
- **Category**: Setup and Initialization
| Error message | Troubleshooting, mitigation, workarounds |
| --- | --- |
| **Multiple Windows installations found** | Listfiles.txt couldn't be created. Verify that the location you specified for the creation of this file is valid. |
| **Software malfunction or unknown exception** | Check all loaded .xml files for errors, common error when using `/i` to load the `Config.xml` file. |
| **Unable to find a valid Windows directory to proceed with requested offline operation; Check if offline input file is present and has valid entries** | Verify that the offline input file is present and that it has valid entries. USMT couldn't find valid offline operating system. Verify your offline directory mapping. |
### 27: USMT_INVALID_STORE_LOCATION
- **Category**: Setup and Initialization
| Error message | Troubleshooting, mitigation, workarounds |
| --- | --- |
| **A store path can't be used because an existing store exists; specify /o to overwrite** | Specify `/o` to overwrite an existing intermediate or migration store. |
| **A store path is missing or has incomplete data** | Make sure that the store path is accessible and that the proper permission levels are set. |
| **An error occurred during store creation** | Make sure that the store path is accessible and that the proper permission levels are set. Specify `/o` to overwrite an existing intermediate or migration store. |
| **An inappropriate device such as a floppy disk was specified for the store** | Make sure that the store path is accessible and that the proper permission levels are set. |
| **Invalid store path; check the store parameter and/or file system permissions** | Invalid store path; check the store parameter and/or file system permissions. |
| **The file layout and/or file content is not recognized as a valid store** | Make sure that the store path is accessible and that the proper permission levels are set. Specify `/o` to overwrite an existing intermediate or migration store. |
| **The store path holds a store incompatible with the current USMT version** | Make sure that the store path is accessible and that the proper permission levels are set. |
| **The store save location is read-only or does not support a requested storage option** | Make sure that the store path is accessible and that the proper permission levels are set. |
### 28: USMT_UNABLE_GET_SCRIPTFILES
- **Category**: Setup and Initialization
| Error message | Troubleshooting, mitigation, workarounds |
| --- | --- |
| **Script file is invalid for /i** | Check all specified migration .xml files for errors. This error is common when using `/i` to load the `Config.xml` file. |
| **Unable to find a script file specified by /i** | Verify the location of your script files, and ensure that the command-line options are correct. |
### 29: USMT_FAILED_MIGSTARTUP
- **Category**: Setup and Initialization
| Error message | Troubleshooting, mitigation, workarounds |
| --- | --- |
| **A minimum of 250 MB of free space is required for temporary files** | Verify that the system meets the minimum temporary disk space requirement of 250 MB. As a workaround, you can set the environment variable `USMT_WORKING_DIR=<path>` to redirect the temporary files working directory. |
| **Another process is preventing migration; only one migration tool can run at a time** | Check the ScanState log file for migration .xml file errors. |
| **Failed to start main processing, look in log for system errors or check the installation** | Check the ScanState log file for migration .xml file errors. |
| **Migration failed because of an XML error; look in the log for specific details** | Check the ScanState log file for migration .xml file errors. |
| **Unable to automatically map the drive letters to match the online drive letter layout; Use /offline to provide a mapping table** | Check the ScanState log file for migration .xml file errors. |
### 31: USMT_UNABLE_FINDMIGUNITS
- **Category**: Setup and Initialization
| Error message | Troubleshooting, mitigation, workarounds |
| --- | --- |
| **An error occurred during the discover phase; the log should have more specific information** | Check the ScanState log file for migration .xml file errors. |
### 32: USMT_FAILED_SETMIGRATIONTYPE
- **Category**: Setup and Initialization
| Error message | Troubleshooting, mitigation, workarounds |
| --- | --- |
| **An error occurred processing the migration system** | Check the ScanState log file for migration .xml file errors, or use online Help by typing `/?` on the command line. |
### 33: USMT_UNABLE_READKEY
- **Category**: Setup and Initialization
| Error message | Troubleshooting, mitigation, workarounds |
| --- | --- |
| **Error accessing the file specified by the /keyfile parameter** | Check the ScanState log file for migration .xml file errors, or use online Help by typing `/?` on the command line. |
| **The encryption key must have at least one character** | Check the ScanState log file for migration .xml file errors, or use online Help by typing `/?` on the command line. |
### 34: USMT_ERROR_INSUFFICIENT_RIGHTS
- **Category**: Setup and Initialization
| Error message | Troubleshooting, mitigation, workarounds |
| --- | --- |
| **Directory removal requires elevated privileges** | Sign in as Administrator, and run with elevated privileges. |
| **No rights to create user profiles; log in as Administrator; run with elevated privileges** | Sign in as Administrator, and run with elevated privileges. |
| **No rights to read or delete user profiles; log in as Administrator, run with elevated privileges** | Sign in as Administrator, and run with elevated privileges. |
### 35: USMT_UNABLE_DELETE_STORE
- **Category**: Setup and Initialization
| Error message | Troubleshooting, mitigation, workarounds |
| --- | --- |
| **A reboot is required to remove the store** | Reboot to delete any files that couldn't be deleted when the command was executed. |
| **A store path can't be used because it contains data that could not be overwritten** | A migration store couldn't be deleted. If you're using a hardlink migration store, you might have a locked file in it. You should manually delete the store, or use `UsmtUtils.exe /rd` command to delete the store. |
| **There was an error removing the store** | Review ScanState log or LoadState log for details about command-line errors. |
### 36: USMT_ERROR_UNSUPPORTED_PLATFORM
- **Category**: Setup and Initialization
| Error message | Troubleshooting, mitigation, workarounds |
| --- | --- |
| **Compliance check failure; please check the logs for details** | Investigate whether there's an active temporary profile on the system. |
| **Use of /offline is not supported during apply** | The `/offline` command wasn't used while running in the Windows Preinstallation Environment (WinPE). |
| **Use /offline to run gather on this platform** | The `/offline` command wasn't used while running in WinPE. |
### 37: USMT_ERROR_NO_INVALID_KEY
- **Category**: Setup and Initialization
| Error message | Troubleshooting, mitigation, workarounds |
| --- | --- |
| **The store holds encrypted data but the correct encryption key was not provided** | Verify that the correct encryption key or keyfile was included with the `/key` or `/keyfile` option. |
### 38: USMT_ERROR_CORRUPTED_NOTENCRYPTED_STORE
- **Category**: Setup and Initialization
| Error message | Troubleshooting, mitigation, workarounds |
| --- | --- |
| **An error occurred during store access** | Review ScanState log or LoadState log for details about command-line errors. Make sure that the store path is accessible and that the proper permission levels are set. |
### 39: USMT_UNABLE_TO_READ_CONFIG_FILE
- **Category**: Setup and Initialization
| Error message | Troubleshooting, mitigation, workarounds |
| --- | --- |
| **Error reading Config.xml** | Review ScanState log or LoadState log for details about command-line errors in the `Config.xml` file. |
| **File argument is invalid for /config** | Check the command line you used to load the `Config.xml` file. You can use online Help by typing `/?` on the command line. |
### 40: USMT_ERROR_UNABLE_CREATE_PROGRESS_LOG
- **Category**: Setup and Initialization
| Error message | Troubleshooting, mitigation, workarounds |
| --- | --- |
| **Error writing to the progress log** | The Progress log couldn't be created. Verify that the location is valid and that you have write access. |
| **Progress log argument is invalid for /progress** | The Progress log couldn't be created. Verify that the location is valid and that you have write access. |
### 41: USMT_PREFLIGHT_FILE_CREATION_FAILED
- **Category**: Setup and Initialization
| Error message | Troubleshooting, mitigation, workarounds |
| --- | --- |
| **Can't overwrite existing file** | The Progress log couldn't be created. Verify that the location is valid and that you have write access. |
| **Invalid space estimate path. Check the parameters and/or file system permissions** | Review ScanState log or LoadState log for details about command-line errors. |
### 42: USMT_ERROR_CORRUPTED_STORE
- **Category**:
| Error message | The store contains one or more corrupted files |
| --- | --- |
| **The store holds encrypted data but the correct encryption key was not provided** | Review UsmtUtils log for details about the corrupted files. For information on how to extract the files that aren't corrupted, see [Extract files from a compressed USMT migration store](usmt-extract-files-from-a-compressed-migration-store.md). |
### 61: USMT_MIGRATION_STOPPED_NONFATAL
- **Category**: Non-fatal Errors
| Error message | The store contains one or more corrupted files |
| --- | --- |
| **Processing stopped due to an I/O error** | USMT exited but can continue with the `/c` command-line option, with the optional configurable **&lt;ErrorControl&gt;** section or by using the `/vsc` command-line option. |
### 71: USMT_INIT_OPERATING_ENVIRONMENT_FAILED
- **Category**: Fatal Errors
| Error message | Troubleshooting, mitigation, workarounds |
| --- | --- |
| **A Windows Win32 API error occurred** | Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details. |
| **An error occurred when attempting to initialize the diagnostic mechanisms such as the log** | Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details. |
| **Failed to record diagnostic information** | Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details. |
| **Unable to start. Make sure you are running USMT with elevated privileges** | Exit USMT and sign in again with elevated privileges. |
### 72: USMT_UNABLE_DOMIGRATION
- **Category**: Fatal Errors
| Error message | Troubleshooting, mitigation, workarounds |
| --- | --- |
| **An error occurred closing the store** | Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details. |
| **An error occurred in the apply process** | Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details. |
| **An error occurred in the gather process** | Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details. |
| **Out of disk space while writing the store** | Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details. |
| **Out of temporary disk space on the local system** | Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details. |
## Related articles
[User State Migration Tool (USMT) troubleshooting](usmt-troubleshooting.md)
[USMT log files](usmt-log-files.md)

2
windows/deployment/usmt/usmt-test-your-migration.md
View File

@ -17,7 +17,7 @@ Always test your migration plan in a controlled laboratory setting before you de
After you've thoroughly tested the entire migration process on a single computer running each of your source operating systems, conduct a pilot migration with a small group of users. After migrating a few typical user states to the intermediate store, note the space required and adjust your initial calculations accordingly. For details about estimating the space needed for your migration, see [Estimate migration store size](usmt-estimate-migration-store-size.md). You might also need to adjust the registry-setting and file-location information in your migration-rule files. If you make changes, test the migration again. Then verify that all data and settings have migrated as expected. A pilot migration also gives you an opportunity to test your space estimates for the intermediate store.
If your test migration encounters any errors, examine the **ScanState** and **LoadState** logs to obtain the exact User State Migration Tool (USMT) 10.0 return code and associated error messages or Windows application programming interface (API) error message. For more information about USMT return codes and error messages, see [Return codes](usmt-return-codes.md). You can obtain more information about any listed **Windows** system error codes by typing in a command prompt window `net.exe helpmsg <error_number>` where *<error_number>* is the error code number generated by the error message. For more information about System Error Codes, see [System Error Codes (0-499)](/windows/win32/debug/system-error-codes--0-499-).
If your test migration encounters any errors, examine the **ScanState** and **LoadState** logs to obtain the exact User State Migration Tool (USMT) 10.0 return code and associated error messages or Windows application programming interface (API) error message. For more information about USMT return codes and error messages, see [Return codes](/troubleshoot/windows-client/deployment/usmt-return-codes). You can obtain more information about any listed **Windows** system error codes by typing in a command prompt window `net.exe helpmsg <error_number>` where *<error_number>* is the error code number generated by the error message. For more information about System Error Codes, see [System Error Codes (0-499)](/windows/win32/debug/system-error-codes--0-499-).
In most cases, the **ScanState** and **LoadState** logs indicate why a USMT migration is failing. We recommend that you use the `/v:5` option when testing your migration. This verbosity level can be adjusted in a production migration. Reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a higher verbosity level if you want the log files output to go to a debugger.

4
windows/deployment/usmt/usmt-troubleshooting.md
View File

@ -19,10 +19,10 @@ The following table describes articles that address common User State Migration
| Link | Description |
|--- |--- |
|[Common Issues](usmt-common-issues.md)|Find troubleshooting solutions for common problems in USMT.|
|[Common Issues](/troubleshoot/windows-client/deployment/usmt-common-issues)|Find troubleshooting solutions for common problems in USMT.|
|[Frequently Asked Questions](usmt-faq.yml)|Find answers to questions about how to use USMT.|
|[Log Files](usmt-log-files.md)|Learn how to enable logging to help you troubleshoot issues in USMT.|
|[Return Codes](usmt-return-codes.md)|Learn how to use return codes to identify problems in USMT.|
|[Return Codes](/troubleshoot/windows-client/deployment/usmt-return-codes)|Learn how to use return codes to identify problems in USMT.|
|[USMT Resources](usmt-resources.md)|Find more information and support for using USMT.|
## Related articles

2
windows/deployment/usmt/usmt-utilities.md
View File

@ -97,4 +97,4 @@ Some examples of `/extract` commands:
[User State Migration Tool (USMT) command-line syntax](usmt-command-line-syntax.md)
[Return codes](usmt-return-codes.md)
[Return codes](/troubleshoot/windows-client/deployment/usmt-return-codes)

6
windows/deployment/usmt/usmt-what-does-usmt-migrate.md
View File

@ -53,7 +53,7 @@ This section describes the user data that USMT migrates by default, using the `M
- Favorites
> [!IMPORTANT]
> Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](./usmt-common-issues.md#usmt-doesnt-migrate-the-start-layout).
> Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](/troubleshoot/windows-client/deployment/usmt-common-issues#usmt-doesnt-migrate-the-start-layout).
- **Folders from the All Users and Public profiles.** When you specify the `MigUser.xml` file, USMT also migrates the following from the **Public** profile in Windows Vista, Windows 7, Windows 8, or Windows 10:
@ -209,7 +209,7 @@ When you specify the `MigApp.xml` file, USMT migrates the settings for the follo
## What USMT doesn't migrate
The following items are settings that USMT doesn't migrate. If you're having a problem that isn't listed here, see [Common issues](usmt-common-issues.md).
The following items are settings that USMT doesn't migrate. If you're having a problem that isn't listed here, see [Common issues](/troubleshoot/windows-client/deployment/usmt-common-issues).
### Application settings
@ -247,7 +247,7 @@ You should also note the following items:
### Start menu layout
Starting in Windows 10, version 1607 the USMT doesn't migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](./usmt-common-issues.md#usmt-doesnt-migrate-the-start-layout).
Starting in Windows 10, version 1607 the USMT doesn't migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](/troubleshoot/windows-client/deployment/usmt-common-issues#usmt-doesnt-migrate-the-start-layout).
### User profiles from Active Directory to Azure Active Directory

2
windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
View File

@ -101,4 +101,4 @@ If the `/verify` option indicates that there are corrupted files in the migratio
[UsmtUtils syntax](usmt-utilities.md)
[Return codes](usmt-return-codes.md)
[Return codes](/troubleshoot/windows-client/deployment/usmt-return-codes)

3
windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
View File

@ -29,9 +29,6 @@ Windows Autopatch creates an enterprise application in your tenant. This enterpr
| ----- | ------ | ----- |
| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This application is used to manage the service, publish baseline configuration updates, and maintain overall service health. | <ul><li>DeviceManagementApps.ReadWrite.All</li><li>DeviceManagementConfiguration.ReadWrite.All</li><li>DeviceManagementManagedDevices.PriviligedOperation.All</li><li>DeviceManagementManagedDevices.ReadWrite.All</li><li>DeviceManagementRBAC.ReadWrite.All</li><li>DeviceManagementServiceConfig.ReadWrite.All</li><li>Directory.Read.All</li><li>Group.Create</li><li>Policy.Read.All</li><li>WindowsUpdates.Read.Write.All</li></ul> |
> [!NOTE]
> Enterprise application authentication is only available on tenants enrolled after July 9th, 2022. For tenants enrolled before this date, Enterprise Application authentication will be made available for enrollment soon.
### Service principal
Windows Autopatch will create a service principal in your tenant allowing the service to establish an identity and restrict access to what resources the service has access to within the tenant. For more information, see [Application and service principal objects in Azure Active Directory](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). The service principal created by Windows Autopatch is:

18
windows/security/TOC.yml
View File

@ -136,25 +136,25 @@
- name: Troubleshoot BitLocker
items:
- name: Troubleshoot BitLocker
href: information-protection/bitlocker/troubleshoot-bitlocker.md
href: /troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting
- name: "BitLocker cannot encrypt a drive: known issues"
href: information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-issues
- name: "Enforcing BitLocker policies by using Intune: known issues"
href: information-protection/bitlocker/ts-bitlocker-intune-issues.md
href: /troubleshoot/windows-client/windows-security/enforcing-bitlocker-policies-by-using-intune-known-issues
- name: "BitLocker Network Unlock: known issues"
href: information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md
href: /troubleshoot/windows-client/windows-security/bitlocker-network-unlock-known-issues
- name: "BitLocker recovery: known issues"
href: information-protection/bitlocker/ts-bitlocker-recovery-issues.md
href: /troubleshoot/windows-client/windows-security/bitlocker-recovery-known-issues
- name: "BitLocker configuration: known issues"
href: information-protection/bitlocker/ts-bitlocker-config-issues.md
href: /troubleshoot/windows-client/windows-security/bitlocker-configuration-known-issues
- name: Troubleshoot BitLocker and TPM issues
items:
- name: "BitLocker cannot encrypt a drive: known TPM issues"
href: information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-tpm-issues
- name: "BitLocker and TPM: other known issues"
href: information-protection/bitlocker/ts-bitlocker-tpm-issues.md
href: /troubleshoot/windows-client/windows-security/bitlocker-and-tpm-other-known-issues
- name: Decode Measured Boot logs to track PCR changes
href: information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
href: /troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes
- name: Personal Data Encryption (PDE)
items:
- name: Personal Data Encryption (PDE) overview

2
windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
View File

@ -21,7 +21,7 @@ metadata:
ms.custom: bitlocker
title: BitLocker and Active Directory Domain Services (AD DS) FAQ
summary: |
*Applies to:*
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above

2
windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
View File

@ -17,7 +17,7 @@ ms.technology: itpro-security
# BitLocker basic deployment
*Applies to:*
**Applies to:**
- Windows 10
- Windows 11

2
windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
View File

@ -17,7 +17,7 @@ ms.technology: itpro-security
# BitLocker Countermeasures
*Applies to:*
**Applies to:**
- Windows 10
- Windows 11

2
windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml
View File

@ -20,7 +20,7 @@ metadata:
ms.custom: bitlocker
title: BitLocker frequently asked questions (FAQ)
summary: |
*Applies to:*
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above

2
windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
View File

@ -15,7 +15,7 @@ ms.technology: itpro-security
# BitLocker deployment comparison
*Applies to:*
**Applies to:**
- Windows 10
- Windows 11

2
windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
View File

@ -17,7 +17,7 @@ ms.technology: itpro-security
# Overview of BitLocker Device Encryption in Windows
*Applies to:*
**Applies to:**
- Windows 10
- Windows 11

2
windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
View File

@ -22,7 +22,7 @@ metadata:
ms.custom: bitlocker
title: BitLocker frequently asked questions (FAQ) resources
summary: |
*Applies to:*
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above

2
windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
View File

@ -18,7 +18,7 @@ ms.technology: itpro-security
# BitLocker group policy settings
*Applies to:*
**Applies to:**
- Windows 10
- Windows 11

2
windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
View File

@ -16,7 +16,7 @@ ms.technology: itpro-security
# BitLocker: How to deploy on Windows Server 2012 and later
*Applies to:*
**Applies to:**
- Windows Server 2012
- Windows Server 2012 R2

2
windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
View File

@ -17,7 +17,7 @@ ms.technology: itpro-security
# BitLocker: How to enable Network Unlock
*Applies to:*
**Applies to:**
- Windows 10
- Windows 11

2
windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml
View File

@ -19,7 +19,7 @@ metadata:
ms.custom: bitlocker
title: BitLocker Key Management FAQ
summary: |
*Applies to:*
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above

2
windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml
View File

@ -19,7 +19,7 @@ metadata:
ms.custom: bitlocker
title: BitLocker Network Unlock FAQ
summary: |
*Applies to:*
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above

2
windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
View File

@ -21,7 +21,7 @@ metadata:
ms.custom: bitlocker
title: BitLocker Overview and Requirements FAQ
summary: |
*Applies to:*
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above

4
windows/security/information-protection/bitlocker/bitlocker-overview.md
View File

@ -17,7 +17,7 @@ ms.technology: itpro-security
# BitLocker
*Applies to:*
**Applies to:**
- Windows 10
- Windows 11
@ -97,6 +97,6 @@ When installing the BitLocker optional component on a server, the Enhanced Stora
| [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) | This article describes the BCD settings that are used by BitLocker.|
| [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This article describes how to recover BitLocker keys from AD DS. |
| [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md)| This detailed guide helps you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device's configuration. |
| [Troubleshoot BitLocker](troubleshoot-bitlocker.md) | This guide describes the resources that can help you troubleshoot BitLocker issues, and provides solutions for several common BitLocker issues. |
| [Troubleshoot BitLocker](/troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting) | This guide describes the resources that can help you troubleshoot BitLocker issues, and provides solutions for several common BitLocker issues. |
| [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This article describes how to protect CSVs and SANs with BitLocker.|
| [Enabling Secure Boot and BitLocker Device Encryption on Windows IoT Core](/windows/iot-core/secure-your-device/SecureBootAndBitLocker) | This article describes how to use BitLocker with Windows IoT Core |

2
windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
View File

@ -18,7 +18,7 @@ ms.custom: bitlocker
# BitLocker recovery guide
*Applies to:*
**Applies to:**
- Windows 10
- Windows 11

2
windows/security/information-protection/bitlocker/bitlocker-security-faq.yml
View File

@ -19,7 +19,7 @@ metadata:
ms.custom: bitlocker
title: BitLocker Security FAQ
summary: |
*Applies to:*
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above

2
windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml
View File

@ -19,7 +19,7 @@ metadata:
ms.custom: bitlocker
title: BitLocker To Go FAQ
summary: |
*Applies to:*
**Applies to:**
- Windows 10

2
windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml
View File

@ -19,7 +19,7 @@ metadata:
ms.custom: bitlocker
title: BitLocker Upgrading FAQ
summary: |
*Applies to:*
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above

2
windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
View File

@ -18,7 +18,7 @@ ms.technology: itpro-security
# BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker
*Applies to:*
**Applies to:**
- Windows 10
- Windows 11

2
windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
View File

@ -18,7 +18,7 @@ ms.technology: itpro-security
# BitLocker: Use BitLocker Recovery Password Viewer
*Applies to:*
**Applies to:**
- Windows 10
- Windows 11

2
windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml
View File

@ -19,7 +19,7 @@ metadata:
ms.custom: bitlocker
title: Using BitLocker with other programs FAQ
summary: |
*Applies to:*
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above

2
windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
View File

@ -17,7 +17,7 @@ ms.technology: itpro-security
# Prepare an organization for BitLocker: Planning and policies
*Applies to:*
**Applies to:**
- Windows 10
- Windows 11

2
windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
View File

@ -16,7 +16,7 @@ ms.technology: itpro-security
# Protecting cluster shared volumes and storage area networks with BitLocker
*Applies to:*
**Applies to:**
- Windows Server 2016 and above

152
windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
View File

@ -1,152 +0,0 @@
---
title: Guidelines for troubleshooting BitLocker
description: Describes approaches for investigating BitLocker issues, including how to gather diagnostic information
ms.reviewer: kaushika
ms.technology: itpro-security
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 11/08/2022
ms.custom: bitlocker
---
# Guidelines for troubleshooting BitLocker
This article addresses common issues in BitLocker and provides guidelines to troubleshoot these issues. This article also provides information such as what data to collect and what settings to check. This information makes the troubleshooting process much easier.
## Review the event logs
Open **Event Viewer** and review the following logs under **Applications and Services Logs** > **Microsoft** > **Windows**:
- **BitLocker-API**. Review the **Management** log, the **Operational** log, and any other logs that are generated in this folder. The default logs have the following unique names:
- **Microsoft-Windows-BitLocker-API/Management**
- **Microsoft-Windows-BitLocker-API/Operational**
- **Microsoft-Windows-BitLocker-API/Tracing** - only displayed when **Show Analytic and Debug Logs** is enabled
- **BitLocker-DrivePreparationTool**. Review the **Admin** log, the **Operational** log, and any other logs that are generated in this folder. The default logs have the following unique names:
- **Microsoft-Windows-BitLocker-DrivePreparationTool/Admin**
- **Microsoft-Windows-BitLocker-DrivePreparationTool/Operational**
Additionally, review the **Windows Logs** > **System** log for events that were produced by the TPM and TPM-WMI event sources.
To filter and display or export logs, the [wevtutil.exe](/windows-server/administration/windows-commands/wevtutil) command-line tool or the [Get-WinEvent](/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-6&preserve-view=true) PowerShell cmdlet can be used.
For example, to use `wevtutil.exe` to export the contents of the operational log from the BitLocker-API folder to a text file that is named `BitLockerAPIOpsLog.txt`, open a Command Prompt window, and run the following command:
```cmd
wevtutil.exe qe "Microsoft-Windows-BitLocker/BitLocker Operational" /f:text > BitLockerAPIOpsLog.txt
```
To use the **Get-WinEvent** cmdlet to export the same log to a comma-separated text file, open a Windows PowerShell window and run the following command:
```powershell
Get-WinEvent -logname "Microsoft-Windows-BitLocker/BitLocker Operational" | Export-Csv -Path Bitlocker-Operational.csv
```
The Get-WinEvent can be used in an elevated PowerShell window to display filtered information from the system or application log by using the following syntax:
- To display BitLocker-related information:
```powershell
Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'BitLocker' | fl
```
The output of such a command resembles the following.
![Display of events that is produced by using Get-WinEvent and a BitLocker filter.](./images/psget-winevent-1.png)
- To export BitLocker-related information:
```powershell
Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'BitLocker' | Export-Csv -Path System-BitLocker.csv
```
- To display TPM-related information:
```powershell
Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'TPM' | fl
```
- To export TPM-related information:
```powershell
Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'TPM' | Export-Csv -Path System-TPM.csv
```
The output of such a command resembles the following.
![Display of events that is produced by using Get-WinEvent and a TPM filter.](./images/psget-winevent-2.png)
> [!NOTE]
> When contacting Microsoft Support, it is recommended to export the logs listed in this section.
## Gather status information from the BitLocker technologies
Open an elevated Windows PowerShell window, and run each of the following commands:
|Command |Notes | More Info |
| --- | --- | --- |
|**`Get-Tpm > C:\TPM.txt`** |PowerShell cmdlet that exports information about the local computer's Trusted Platform Module (TPM). This cmdlet shows different values depending on whether the TPM chip is version 1.2 or 2.0. This cmdlet isn't supported in Windows 7. | [Get-Tpm](/powershell/module/trustedplatformmodule/get-tpm)|
|**`manage-bde.exe -status > C:\BDEStatus.txt`** |Exports information about the general encryption status of all drives on the computer. | [manage-bde.exe status](/windows-server/administration/windows-commands/manage-bde-status) |
|**`manage-bde.exe c: -protectors -get > C:\Protectors`** |Exports information about the protection methods that are used for the BitLocker encryption key. | [manage-bde.exe protectors](/windows-server/administration/windows-commands/manage-bde-protectors)|
|**`reagentc.exe /info > C:\reagent.txt`** |Exports information about an online or offline image about the current status of the Windows Recovery Environment (WindowsRE) and any available recovery image. | [reagentc.exe](/windows-hardware/manufacture/desktop/reagentc-command-line-options) |
|**`Get-BitLockerVolume \| fl`** |PowerShell cmdlet that gets information about volumes that BitLocker Drive Encryption can protect. | [Get-BitLockerVolume](/powershell/module/bitlocker/get-bitlockervolume) |
## Review the configuration information
1. Open an elevated Command Prompt window, and run the following commands:
|Command |Notes | More Info |
| --- | --- | --- |
|**`gpresult.exe /h <Filename>`** |Exports the Resultant Set of Policy information, and saves the information as an HTML file. | [gpresult.exe](/windows-server/administration/windows-commands/gpresult) |
|**`msinfo.exe /report <Path> /computer <ComputerName>`** |Exports comprehensive information about the hardware, system components, and software environment on the local computer. The **/report** option saves the information as a .txt file. |[msinfo.exe](/windows-server/administration/windows-commands/msinfo32) |
2. Open Registry Editor, and export the entries in the following subkeys:
- **`HKLM\SOFTWARE\Policies\Microsoft\FVE`**
- **`HKLM\SYSTEM\CurrentControlSet\Services\TPM\`**
## Check the BitLocker prerequisites
Common settings that can cause issues for BitLocker include the following scenarios:
- The TPM must be unlocked. Check the output of the **`get-tpm`** PowerShell cmdlet command for the status of the TPM.
- Windows RE must be enabled. Check the output of the **`reagentc.exe`** command for the status of WindowsRE.
- The system-reserved partition must use the correct format.
- On Unified Extensible Firmware Interface (UEFI) computers, the system-reserved partition must be formatted as FAT32.
- On legacy computers, the system-reserved partition must be formatted as NTFS.
- If the device being troubleshot is a slate or tablet PC, use <https://gpsearch.azurewebsites.net/#8153> to verify the status of the **Enable use of BitLocker authentication requiring preboot keyboard input on slates** option.
For more information about the BitLocker prerequisites, see [BitLocker basic deployment: Using BitLocker to encrypt volumes](./bitlocker-basic-deployment.md#using-bitlocker-to-encrypt-volumes)
## Next steps
If the information examined so far indicates a specific issue (for example, WindowsRE isn't enabled), the issue may have a straightforward fix.
Resolving issues that don't have obvious causes depends on exactly which components are involved and what behavior is being see. The gathered information helps narrow down the areas to investigate.
- If the device being troubleshot is managed by Microsoft Intune, see [Enforcing BitLocker policies by using Intune: known issues](ts-bitlocker-intune-issues.md).
- If BitLocker doesn't start or can't encrypt a drive and errors or events that are related to the TPM are occurring, see [BitLocker cannot encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md).
- If BitLocker doesn't start or can't encrypt a drive, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md).
- If BitLocker Network Unlock doesn't behave as expected, see [BitLocker Network Unlock: known issues](ts-bitlocker-network-unlock-issues.md).
- If BitLocker doesn't behave as expected when an encrypted drive is recovered, or if BitLocker unexpectedly recovered a drive, see [BitLocker recovery: known issues](ts-bitlocker-recovery-issues.md).
- If BitLocker or the encrypted drive doesn't behave as expected, and errors or events that are related to the TPM are occurring, see [BitLocker and TPM: other known issues](ts-bitlocker-tpm-issues.md).
- If BitLocker or the encrypted drive doesn't behave as expected, see [BitLocker configuration: known issues](ts-bitlocker-config-issues.md).
It's recommended to keep the gathered information handy in case Microsoft Support is contacted for help with resolving the issue.

114
windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
View File

@ -1,114 +0,0 @@
---
title: BitLocker cannot encrypt a drive known issues
description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive
ms.reviewer: kaushika
ms.technology: itpro-security
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 11/08/2022
ms.custom: bitlocker
---
# BitLocker cannot encrypt a drive: known issues
This article describes common issues that prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
> [!NOTE]
> If it is determined that the BitLocker issue involves the trusted platform module (TPM), see [BitLocker cannot encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md).
## **Error 0x80310059: BitLocker drive encryption is already performing an operation on this drive**
When BitLocker Drive Encryption is turned on a computer that is running Windows 10 Professional or Windows 11, the following message may appear:
> **ERROR: An error occurred (code 0x80310059): BitLocker Drive Encryption is already performing an operation on this drive. Please complete all operations before continuing. NOTE: If the -on switch has failed to add key protectors or start encryption, you may need to call manage-bde -off before attempting -on again.**
### Cause of **Error 0x80310059**
This issue may be caused by settings that are controlled by group policy objects (GPOs).
### Resolution for **Error 0x80310059**
> [!IMPORTANT]
> Follow the steps in this section carefully. Serious problems might occur if the registry is modified incorrectly. Before modifying the registry, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur.
To resolve this issue, follow these steps:
1. Start Registry Editor, and navigate to the following subkey:
**`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE`**
2. Delete the following entries:
- **`OSPlatformValidation_BIOS`**
- **`OSPlatformValidation_UEFI`**
- **`PlatformValidation`**
3. Exit registry editor, and turn on BitLocker drive encryption again.
<!--
REMOVING THIS SECTION SINCE IT ONLY APPLIES TO WINDOWS 10 VERSIONS THAT BEEN OUT OF SUPPORT FOR SEVERAL YEARS
## **Access is denied** message when attempting to encrypt removable drives
A computer is running Windows 10, version 1709 or version 1607. Encryption is attempted on a USB drive by following these steps:
1. In Windows Explorer, right-click the USB drive and select **Turn on BitLocker**.
2. On the **Choose how you want to unlock this drive** page, select **Use a password to unlock the drive**.
3. Follow the instructions on the page to enter a password.
4. On the **Are you ready to encrypt this drive?** page, select **Start encrypting**.
5. The **Starting encryption** page displays the message **Access is denied.**
The message is received on any computer that runs Windows 10 version 1709 or version 1607, when any USB drive is used.
### Cause of **Access is denied** message
The security descriptor of the BitLocker drive encryption service (BDESvc) has an incorrect entry. Instead of NT AUTHORITY\Authenticated Users, the security descriptor uses NT AUTHORITY\INTERACTIVE.
To verify that this issue has occurred, follow these steps:
1. On an affected computer, open an elevated Command Prompt window and an elevated PowerShell window.
2. At the command prompt, enter the following command:
```console
C:\>sc sdshow bdesvc
```
The output of this command resembles the following output:
> `D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)`
3. Copy this output, and use it as part of the [**ConvertFrom-SddlString**](/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring) command in the PowerShell window, as follows.
![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\INTERACTIVE.](./images/ts-bitlocker-usb-sddl.png)
If `NT AUTHORITY\INTERACTIVE` is seen as highlighted in the output of this command, this line is the cause of the issue. Under typical conditions, the output should resemble the following output instead:
![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\Authenticated Users.](./images/ts-bitlocker-usb-default-sddl.png)
> [!NOTE]
> GPOs that change the security descriptors of services have been known to cause this issue.
### Resolution for **Access is denied** message
1. To repair the security descriptor of BDESvc, open an elevated PowerShell window and enter the following command:
```powershell
sc sdset bdesvc D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)
```
2. Restart the computer.
The issue should now be resolved.
-->

157
windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
View File

@ -1,157 +0,0 @@
---
title: BitLocker cannot encrypt a drive known TPM issues
description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive that can be attributed to the TPM
ms.reviewer: kaushika
ms.technology: itpro-security
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 11/08/2022
ms.custom: bitlocker
---
# BitLocker cannot encrypt a drive: known TPM issues
This article describes common issues that affect the Trusted Platform Module (TPM) that might prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
> [!NOTE]
> If it's been determined that the BitLocker issue does not involve the TPM, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md).
## The TPM is locked and the error **`The TPM is defending against dictionary attacks and is in a time-out period`** is displayed
It's attempted to turn on BitLocker drive encryption on a device but it fails with an error message similar to the following error message:
> **The TPM is defending against dictionary attacks and is in a time-out period.**
### Cause of the TPM being locked
The TPM is locked out.
### Resolution for the TPM being locked
To resolve this issue, the TPM needs to be reset and cleared. The TPM can be reset and cleared with the following steps:
1. Open an elevated PowerShell window and run the following script:
```powershell
$Tpm = Get-WmiObject -class Win32_Tpm -namespace "root\CIMv2\Security\MicrosoftTpm"
$ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus
if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)}
```
2. Restart the computer. If a prompt is displayed confirming the clearing of the TPM, agree to clear the TPM.
3. Sign on to Windows and retry starting BitLocker drive encryption.
> [!WARNING]
> Resetting and clearing the TPM can cause data loss.
## The TPM fails to prepare with the error **`The TPM is defending against dictionary attacks and is in a time-out period`**
It's attempted to turn on BitLocker drive encryption on a device but it fails. While troubleshooting, the TPM management console (`tpm.msc`) is used to attempt to prepare the TPM on the device. The operation fails with an error message similar to the following error message:
> **The TPM is defending against dictionary attacks and is in a time-out period.**
### Cause of TPM failing to prepare
The TPM is locked out.
### Resolution for TPM failing to prepare
To resolve this issue, disable and re-enable the TPM with the following steps:
1. Enter the UEFI/BIOS configuration screens of the device by restarting the device and hitting the appropriate key combination as the device boots. Consult with the device manufacturer for the appropriate key combination for entering into the UEFI/BIOS configuration screens.
2. Once in the UEFI/BIOS configuration screens, disable the TPM. Consult with the device manufacturer for instructions on how to disable the TPM in the UEFI/BIOS configuration screens.
3. Save the UEFI/BIOS configuration with the TPM disabled and restart the device to boot into Windows.
4. Once signed into Windows, return to the TPM management console. An error message similar to the following error message is displayed:
> **Compatible TPM cannot be found**
>
> **Compatible Trusted Platform Module (TPM) cannot be found on this computer. Verify that this computer has 1.2 TPM and it is turned on in the BIOS.**
This message is expected since the TPM is currently disabled in the UEFI firmware/BIOS of the device.
5. Restart the device and enter the UEFI/BIOS configuration screens again.
6. Reenable the TPM in the UEFI/BIOS configuration screens.
7. Save the UEFI/BIOS configuration with the TPM enabled and restart the device to boot into Windows.
8. Once signed into Windows, return to the TPM management console.
If the TPM still can't be prepared, clear the existing TPM keys by following the instructions in the article [Troubleshoot the TPM: Clear all the keys from the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm).
> [!WARNING]
> Clearing the TPM can cause data loss.
## BitLocker fails to enable with the error **`Access Denied: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: 0x80070005`** or **`Insufficient Rights`**
The **Do not enable BitLocker until recovery information is stored in AD DS** policy is enforced in the environment. It's attempted to turn on BitLocker drive encryption on a device but it fails with the error message of **`Access Denied: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: 0x80070005`** or **`Insufficient Rights`**.
### Cause of **`Access Denied`** or **`Insufficient Rights`**
The TPM didn't have sufficient permissions on the TPM devices container in Active Directory Domain Services (AD DS). Therefore, the BitLocker recovery information couldn't be backed up to AD DS, and BitLocker drive encryption couldn't turn on.
This issue appears to be limited to computers that run versions of Windows that are earlier than Windows 10.
### Resolution for **`Access Denied`** or **`Insufficient Rights`**
To verify this issue is occurring, use one of the following two methods:
- Disable the policy or remove the computer from the domain followed by trying to turn on BitLocker drive encryption again. If the operation succeeds, then the issue was caused by the policy.
- Use LDAP and network trace tools to examine the LDAP exchanges between the client and the AD DS domain controller to identify the cause of the **Access Denied** or **Insufficient Rights** error. In this case, an error should be displayed when the client tries to access its object in the **`CN=TPM Devices,DC=<domain>,DC=com`** container.
1. To review the TPM information for the affected computer, open an elevated Windows PowerShell window and run the following command:
```powershell
Get-ADComputer -Filter {Name -like "ComputerName"} -Property * | Format-Table name,msTPM-TPMInformationForComputer
```
In this command, *ComputerName* is the name of the affected computer.
2. To resolve the issue, use a tool such as `dsacls.exe` to ensure that the access control list of msTPM-TPMInformationForComputer grants both **Read** and **Write** permissions to **NTAUTHORITY/SELF**.
## The TPM fails to be prepared with the error **`0x80072030: There is no such object on the server`**
Domain controllers were upgraded from Windows Server 2008 R2 to Windows Server 2012 R2. A group policy object (GPO) exists that enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy.
It's attempted to turn on BitLocker drive encryption on a device but it fails. While troubleshooting, the TPM management console (`tpm.msc`) is used to attempt to prepare the TPM on the device. The operation fails with an error message similar to the following error message:
> **0x80072030 There is no such object on the server when a policy to back up TPM information to active directory is enabled**
It's been confirmed that the **ms-TPM-OwnerInformation** and **msTPM-TpmInformationForComputer** attributes are present.
### Cause of **0x80072030: There is no such object on the server**
The domain and forest functional level of the environment may still be set to Windows 2008 R2. Additionally, the permissions in AD DS might not be correctly set.
### Resolution for **0x80072030: There is no such object on the server**
The issue can be resolved with the following steps:
1. Upgrade the functional level of the domain and forest to Windows Server 2012 R2.
2. Download [Add-TPMSelfWriteACE.vbs](/samples/browse/?redirectedfrom=TechNet-Gallery).
3. In the script, modify the value of **strPathToDomain** to the organization's domain name.
4. Open an elevated PowerShell window, and run the following command:
```cmd
cscript.exe <Path>\Add-TPMSelfWriteACE.vbs
```
In this command, \<*Path*> is the path to the script file.
For more information, see the following articles:
- [Back up the TPM recovery information to AD DS](../tpm/backup-tpm-recovery-information-to-ad-ds.md)
- [Prepare your organization for BitLocker: Planning and policies](./prepare-your-organization-for-bitlocker-planning-and-policies.md)

191
windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md
View File

@ -1,191 +0,0 @@
---
title: BitLocker configuration known issues
description: Describes common issues that involve BitLocker configuration and BitLocker's general functionality, and provides guidance for addressing those issues.
ms.reviewer: kaushika
ms.technology: itpro-security
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 11/08/2022
ms.custom: bitlocker
---
# BitLocker configuration: known issues
This article describes common issues that affect BitLocker's configuration and general functionality. This article also provides guidance to address these issues.
## BitLocker encryption is slower in Windows 10 and Windows 11
BitLocker runs in the background to encrypt drives. However, in Windows 11 and Windows 10, BitLocker is less aggressive about requesting resources than in previous versions of Windows. This behavior reduces the chance that BitLocker will affect the computer's performance.
To compensate for these changes, BitLocker uses a conversion model called Encrypt-On-Write. This model makes sure that any new disk writes are encrypted as soon as BitLocker is enabled. This behavior happens on all client editions and for any internal drives.
> [!IMPORTANT]
> To preserve backward compatibility, BitLocker uses the previous conversion model to encrypt removable drives.
### Benefits of using the new conversion model
By using the previous conversion model, an internal drive can't be considered protected and compliant with data protection standards until the BitLocker conversion is 100 percent complete. Before the process finishes, the data that existed on the drive before encryption began - that is, potentially compromised data - can still be read and written without encryption. Therefore, for data to be considered protected and compliant with data protection standards, the encryption process has to finish before sensitive data is stored on the drive. Depending on the size of the drive, this delay can be substantial.
By using the new conversion model, sensitive data can be stored on the drive as soon as BitLocker is turned on. The encryption process doesn't need to finish first, and encryption doesn't adversely affect performance. The tradeoff is that the encryption process for pre-existing data takes more time.
### Other BitLocker enhancements
Several other areas of BitLocker were improved in versions of Windows released after Windows 7:
- **New encryption algorithm, XTS-AES** - Added in Windows 10 version 1511, this algorithm provides additional protection from a class of attacks on encrypted data that rely on manipulating cipher text to cause predictable changes in plain text.
By default, this algorithm complies with the Federal Information Processing Standards (FIPS). FIPS is a United States Government standard that provides a benchmark for implementing cryptographic software.
- **Improved administration features**. BitLocker can be managed on PCs or other devices by using the following interfaces:
- BitLocker Wizard
- manage-bde.exe
- Group Policy Objects (GPOs)
- Mobile Device Management (MDM) policy
- Windows PowerShell
- Windows Management Interface (WMI)
- **Integration with Azure Active Directory** (Azure AD) - BitLocker can store recovery information in Azure AD to make it easier to recover.
- **[Direct memory access (DMA) Port Protection](../kernel-dma-protection-for-thunderbolt.md)** - By using MDM policies to manage BitLocker, a device's DMA ports can be blocked which secures the device during its startup.
- **[BitLocker Network Unlock](./bitlocker-how-to-enable-network-unlock.md)** - If the BitLocker-enabled desktop or server computer is connected to a wired corporate network in a domain environment, its operating system volume can be automatically unlocked during a system restart.
- **Support for [Encrypted Hard Drives](../encrypted-hard-drive.md)** - Encrypted Hard Drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. By taking on that workload, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption.
- **Support for classes of HDD/SSD hybrid disks** - BitLocker can encrypt a disk that uses a small SSD as a non-volatile cache in front of the HDD, such as Intel Rapid Storage Technology.
## Hyper-V Gen 2 VM: Can't access the volume after BitLocker encryption
Consider the following scenario:
1. BitLocker is turned on a generation 2 virtual machine (VM) that runs on Hyper-V.
2. Data is added to the data disk as it encrypts.
3. The VM is restarted and the following behavior is observed:
- The system volume isn't encrypted.
- The encrypted volume isn't accessible, and the computer lists the volume's file system as **Unknown**.
- A message similar to the following message is displayed:
> **You need to format the disk in \<*drive_letter:*> drive before you can use it**
### Cause of not being able to access the volume after BitLocker encryption on a Hyper-V Gen 2 VM
This issue occurs because the third-party filter driver `Stcvsm.sys` (from StorageCraft) is installed on the VM.
### Resolution for not being able to access the volume after BitLocker encryption on a Hyper-V Gen 2 VM
To resolve this issue, remove the third-party software.
## Production snapshots fail for virtualized domain controllers that use BitLocker-encrypted disks
Consider the following scenario:
A Windows Server 2019 or 2016 Hyper-V Server is hosting VMs (guests) that are configured as Windows domain controllers. On a domain controller guest VM, BitLocker has encrypted the disks that store the Active Directory database and log files. When a "production snapshot" of the domain controller guest VM is attempted, the Volume Snap-Shot (VSS) service doesn't correctly process the backup.
This issue occurs regardless of any of the following variations in the environment:
- How the domain controller volumes are unlocked.
- Whether the VMs are generation 1 or generation 2.
- Whether the guest operating system is Windows Server 2019, 2016 or 2012 R2.
In the guest VM domain controller **Windows Logs** > **Application** Event Viewer log, the VSS event source records event **ID 8229**:
> ID: 8229<br>
> Level: Warning<br>
> Source: VSS<br>
> Message: A VSS writer has rejected an event with error 0x800423f4. The writer experienced a non-transient error. If the backup process is retried, the error is likely to reoccur.<br>
>
> Changes that the writer made to the writer components while handling the event will not be available to the requester.<br>
>
> Check the event log for related events from the application hosting the VSS writer.
>
> Operation:<br>
> PostSnapshot Event
>
> Context:<br>
> Execution Context: Writer<br>
> Writer Class Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757}<br>
> Writer Name: NTDS<br>
> Writer Instance ID: {d170b355-a523-47ba-a5c8-732244f70e75}<br>
> Command Line: C:\\Windows\\system32\\lsass.exe<br>
>
> Process ID: 680
In the guest VM domain controller **Applications and Services Logs** > **Directory Service** Event Viewer log, there's an event logged similar to the following event:
> Error Microsoft-Windows-ActiveDirectory\_DomainService 1168<br>
> Internal Processing Internal error: An Active Directory Domain Services error has occurred.
>
> Additional Data<br>
> Error value (decimal): -1022<br>
>
> Error value (hex): fffffc02
>
> Internal ID: 160207d9
> [!NOTE]
> The internal ID of this event may differ based on the operating system release version and patch level.
When this issue occurs, the **Active Directory Domain Services (NTDS) VSS Writer** will display the following error when the **`vssadmin.exe list writers`** command is run:
```Error
Writer name: 'NTDS'
Writer Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757}
Writer Instance Id: {08321e53-4032-44dc-9b03-7a1a15ad3eb8}
State: [11] Failed
Last error: Non-retryable error
```
Additionally, the VMs can't be backed up until they're restarted.
### Cause of production snapshots fail for virtualized domain controllers that use BitLocker-encrypted disks
After VSS creates a snapshot of a volume, the VSS writer takes "post snapshot" actions. When a "production snapshot" is initiated from the host server, Hyper-V tries to mount the snapshotted volume. However, it can't unlock the volume for unencrypted access. BitLocker on the Hyper-V server doesn't recognize the volume. Therefore, the access attempt fails and then the snapshot operation fails.
This behavior is by design.
### Workaround for production snapshots fail for virtualized domain controllers that use BitLocker-encrypted disks
A supported way to perform backup and restore of a virtualized domain controller is to run **Windows Server Backup** in the guest operating system.
If a production snapshot of a virtualized domain controller needs to be taken, BitLocker can be suspended in the guest operating system before the production snapshot is started. However, this approach isn't recommended.
For more information and recommendations about backing up virtualized domain controllers, see [Virtualizing Domain Controllers using Hyper-V: Backup and Restore Considerations for Virtualized Domain Controllers](/windows-server/identity/ad-ds/get-started/virtual-dc/virtualized-domain-controllers-hyper-v#backup-and-restore-considerations-for-virtualized-domain-controllers)
### More information
When the VSS NTDS writer requests access to the encrypted drive, the Local Security Authority Subsystem Service (LSASS) generates an error entry similar to the following error:
```console
\# for hex 0xc0210000 / decimal -1071579136
STATUS\_FVE\_LOCKED\_VOLUME ntstatus.h
\# This volume is locked by BitLocker Drive Encryption.
```
The operation produces the following call stack:
```console
\# Child-SP RetAddr Call Site
00 00000086\`b357a800 00007ffc\`ea6e7a4c KERNELBASE\!FindFirstFileExW+0x1ba \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 872\]
01 00000086\`b357abd0 00007ffc\`e824accb KERNELBASE\!FindFirstFileW+0x1c \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 208\]
02 00000086\`b357ac10 00007ffc\`e824afa1 ESENT\!COSFileFind::ErrInit+0x10b \[d:\\rs1\\onecore\\ds\\esent\\src\\os\\osfs.cxx @ 2476\]
03 00000086\`b357b700 00007ffc\`e827bf02 ESENT\!COSFileSystem::ErrFileFind+0xa1 \[d:\\rs1\\onecore\\ds\\esent\\src\\os\\osfs.cxx @ 1443\]
04 00000086\`b357b960 00007ffc\`e82882a9 ESENT\!JetGetDatabaseFileInfoEx+0xa2 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 11503\]
05 00000086\`b357c260 00007ffc\`e8288166 ESENT\!JetGetDatabaseFileInfoExA+0x59 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 11759\]
06 00000086\`b357c390 00007ffc\`e84c64fb ESENT\!JetGetDatabaseFileInfoA+0x46 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 12076\]
07 00000086\`b357c3f0 00007ffc\`e84c5f23 ntdsbsrv\!CVssJetWriterLocal::RecoverJetDB+0x12f \[d:\\rs1\\ds\\ds\\src\\jetback\\snapshot.cxx @ 2009\]
08 00000086\`b357c710 00007ffc\`e80339e0 ntdsbsrv\!CVssJetWriterLocal::OnPostSnapshot+0x293 \[d:\\rs1\\ds\\ds\\src\\jetback\\snapshot.cxx @ 2190\]
09 00000086\`b357cad0 00007ffc\`e801fe6d VSSAPI\!CVssIJetWriter::OnPostSnapshot+0x300 \[d:\\rs1\\base\\stor\\vss\\modules\\jetwriter\\ijetwriter.cpp @ 1704\]
0a 00000086\`b357ccc0 00007ffc\`e8022193 VSSAPI\!CVssWriterImpl::OnPostSnapshotGuard+0x1d \[d:\\rs1\\base\\stor\\vss\\modules\\vswriter\\vswrtimp.cpp @ 5228\]
0b 00000086\`b357ccf0 00007ffc\`e80214f0 VSSAPI\!CVssWriterImpl::PostSnapshotInternal+0xc3b \[d:\\rs1\\base\\stor\\vss\\modules\\vswriter\\vswrtimp.cpp @ 3552\]
```

120
windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
View File

@ -1,120 +0,0 @@
---
title: Decode Measured Boot logs to track PCR changes
description: Provides instructions for installing and using a tool for analyzing log information to identify changes to PCRs
ms.reviewer: kaushika
ms.technology: itpro-security
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 11/08/2022
ms.custom: bitlocker
---
# Decode Measured Boot logs to track PCR changes
Platform Configuration Registers (PCRs) are memory locations in the Trusted Platform Module (TPM). BitLocker and its related technologies depend on specific PCR configurations. Additionally, specific change in PCRs can cause a device or computer to enter BitLocker recovery mode.
By tracking changes in the PCRs, and identifying when they changed, insight can be gained into issues that occur or learn why a device or computer entered BitLocker recovery mode. The Measured Boot logs record PCR changes and other information. These logs are located in the `C:\Windows\Logs\MeasuredBoot\` folder.
This article describes tools that can be used to decode these logs: `TBSLogGenerator.exe` and `PCPTool.exe`.
For more information about Measured Boot and PCRs, see the following articles:
- [TPM fundamentals: Measured Boot with support for attestation](../tpm/tpm-fundamentals.md#measured-boot-with-support-for-attestation)
- [Understanding PCR banks on TPM 2.0 devices](../tpm/switch-pcr-banks-on-tpm-2-0-devices.md)
## Use `TBSLogGenerator.exe` to decode Measured Boot logs
Use `TBSLogGenerator.exe` to decode Measured Boot logs that were collected from Windows. `TBSLogGenerator.exe` can be installed on the following systems:
- A computer that is running Windows Server 2016 or newer and that has a TPM enabled
- A Gen 2 virtual machine running on Hyper-V that is running Windows Server 2016 or newer and is using a virtual TPM.
To install the tool, follow these steps:
1. Download the Windows Hardware Lab Kit from [Windows Hardware Lab Kit](/windows-hardware/test/hlk/).
2. After downloading, run the installation file from the path where the install was downloaded to.
3. Accept the default installation path.
![Specify Location page of the Windows Hardware Lab Kit installation wizard.](./images/ts-tpm-1.png)
4. Under **Select the features you want to install**, select **Windows Hardware Lab Kit&mdash;Controller + Studio**.
![Select features page of the Windows Hardware Lab Kit installation wizard.](./images/ts-tpm-2.png)
5. Finish the installation.
To use `TBSLogGenerator.exe`, follow these steps:
1. After the installation finishes, open an elevated Command Prompt window and navigate to the following folder:
**`C:\Program Files (x86)\Windows Kits\10\Hardware Lab Kit\Tests\amd64\NTTEST\BASETEST\ngscb`**
This folder contains the `TBSLogGenerator.exe` file.
![Properties and location of the `TBSLogGenerator.exe` file.](./images/ts-tpm-3.png)
1. Run the following command:
```cmd
TBSLogGenerator.exe -LF <LogFolderName>\<LogFileName>.log > <DestinationFolderName>\<DecodedFileName>.txt
```
where the variables represent the following values:
- \<*LogFolderName*> = the name of the folder that contains the file to be decoded
- \<*LogFileName*> = the name of the file to be decoded
- \<*DestinationFolderName*> = the name of the folder for the decoded text file
- \<*DecodedFileName*> = the name of the decoded text file
For example, the following figure shows Measured Boot logs that were collected from a Windows 10 computer and put into the **`C:\MeasuredBoot\`** folder. The figure also shows a Command Prompt window and the command to decode the **`0000000005-0000000000.log`** file:
```cmd
TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt
```
![Command Prompt window that shows an example of how to use `TBSLogGenerator.exe`.](./images/ts-tpm-4.png)
The command produces a text file that uses the specified name. In this example, the file is **`0000000005-0000000000.txt`**. The file is located in the same folder as the original `.log` file.
![Windows Explorer window that shows the text file that `TBSLogGenerator.exe`produces.](./images/ts-tpm-5.png)
The content of this text file is similar to the following text:
![Contents of the text file, as shown in NotePad.](./images/ts-tpm-6.png)
To find the PCR information, go to the end of the file.
![View of NotePad that shows the PCR information at the end of the text file.](./images/ts-tpm-7.png)
## Use `PCPTool.exe` to decode Measured Boot logs
> [!NOTE]
> `PCPTool.exe` is a Visual Studio solution, but executable needs to be built before tool can be used.
`PCPTool.exe` is part of the [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487). The tool decodes a Measured Boot log file and converts it into an XML file.
To download and install `PCPTool.exe`, go to the Toolkit page, select **Download**, and follow the instructions.
To decode a log, run the following command:
```cmd
PCPTool.exe decodelog <LogFolderPath>\<LogFileName>.log > <DestinationFolderName>\<DecodedFileName>.xml
```
where the variables represent the following values:
- \<*LogFolderPath*> = the path to the folder that contains the file to be decoded
- \<*LogFileName*> = the name of the file to be decoded
- \<*DestinationFolderName*> = the name of the folder for the decoded text file
- \<*DecodedFileName*> = the name of the decoded text file
The content of the XML file will be similar to the following XML:
:::image type="content" alt-text="Command Prompt window that shows an example of how to use `PCPTool.exe`." source="./images/pcptool-output.jpg" lightbox="./images/pcptool-output.jpg":::

366
windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
View File

@ -1,366 +0,0 @@
---
title: Enforcing BitLocker policies by using Intune known issues
description: Provides assistance for issues that may be seen if Microsoft Intune policy is being used to manage silent BitLocker encryption on devices.
ms.reviewer: kaushika
ms.technology: itpro-security
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.collection:
- Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 11/08/2022
ms.custom: bitlocker
---
# Enforcing BitLocker policies by using Intune: known issues
This article helps troubleshooting issues that may be experienced if using Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates whether BitLocker has failed to encrypt one or more managed devices.
:::image type="content" alt-text="The BitLocker status indictors on the Intune portal." source="./images/4509189-en-1.png" lightbox="./images/4509189-en-1.png":::
To start narrowing down the cause of the problem, review the event logs as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md). Concentrate on the **Management** and **Operations** logs in the **Applications and Services logs** > **Microsoft** > **Windows** > **BitLocker-API** folder. The following sections provide more information about how to resolve the indicated events and error messages:
- [Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer](#event-id-853-error-a-compatible-trusted-platform-module-tpm-security-device-cannot-be-found-on-this-computer)
- [Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer](#event-id-853-error-bitlocker-drive-encryption-detected-bootable-media-cd-or-dvd-in-the-computer)
- [Event ID 854: WinRE is not configured](#event-id-854-winre-is-not-configured)
- [Event ID 851: Contact manufacturer for BIOS upgrade](#event-id-851-contact-the-manufacturer-for-bios-upgrade-instructions)
- [Error message: The UEFI variable 'SecureBoot' could not be read](#error-message-the-uefi-variable-secureboot-could-not-be-read)
- [Event ID 846, 778, and 851: Error 0x80072f9a](#event-id-846-778-and-851-error-0x80072f9a)
- [Error message: There are conflicting group policy settings for recovery options on operating system drives](#error-message-there-are-conflicting-group-policy-settings-for-recovery-options-on-operating-system-drives)
If there's no clear trail of events or error messages to follow, other areas to investigate include the following areas:
- [Review the hardware requirements for using Intune to manage BitLocker on devices](/windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption-hardware-requirements)
- [Review BitLocker policy configuration](#review-bitlocker-policy-configuration)
For information about the procedure to verify whether Intune policies are enforcing BitLocker correctly, see [Verifying that BitLocker is operating correctly](#verifying-that-bitlocker-is-operating-correctly).
## Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer
Event ID 853 can carry different error messages, depending on the context. In this case, the Event ID 853 error message indicates that the device doesn't appear to have a TPM. The event information will be similar to the following event:
![Details of event ID 853 (A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer).](./images/4509190-en-1.png)
### Cause of Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer
The device that is being secured may not have a TPM chip, or the device BIOS might have been configured to disable the TPM.
### Resolution for Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer
To resolve this issue, verify the following configurations:
- The TPM is enabled in the device BIOS.
- The TPM status in the TPM management console is similar to the following statuses:
- Ready (TPM 2.0)
- Initialized (TPM 1.2)
For more information, see [Troubleshoot the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md).
## Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer
In this case, event ID 853 is displayed, and the error message in the event indicates that bootable media is available to the device. The event information resembles the following.
![Details of event ID 853 (TPM is not available, bootable media found).](./images/4509191-en-1.png)
### Cause of Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer
During the provisioning process, BitLocker drive encryption records the configuration of the device to establish a baseline. If the device configuration changes later (for example, if the media is removed), BitLocker recovery mode automatically starts.
To avoid this situation, the provisioning process stops if it detects a removable bootable media.
### Resolution for Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer
Remove the bootable media, and restart the device. After the device restarts, verify the encryption status.
## Event ID 854: WinRE is not configured
The event information resembles the following error message:
> Failed to enable Silent Encryption. WinRe is not configured.
>
> Error: This PC cannot support device encryption because WinRE is not properly configured.
### Cause of Event ID 854: WinRE is not configured
Windows Recovery Environment (WinRE) is a minimal Windows operating system that is based on Windows Preinstallation Environment (Windows PE). WinRE includes several tools that an administrator can use to recover or reset Windows and diagnose Windows issues. If a device can't start the regular Windows operating system, the device tries to start WinRE.
The provisioning process enables BitLocker drive encryption on the operating system drive during the Windows PE phase of provisioning. This action makes sure that the drive is protected before the full operating system is installed. The provisioning process also creates a system partition for WinRE to use if the system crashes.
If WinRE isn't available on the device, provisioning stops.
### Resolution for Event ID 854: WinRE is not configured
This issue can be resolved by verifying the configuration of the disk partitions, the status of WinRE, and the Windows Boot Loader configuration by following these steps:
#### Step 1: Verify the configuration of the disk partitions
The procedures described in this section depend on the default disk partitions that Windows configures during installation. Windows 11 and Windows 10 automatically create a recovery partition that contains the **`Winre.wim`** file. The partition configuration resembles the following.
![Default disk partitions, including the recovery partition.](./images/4509194-en-1.png)
To verify the configuration of the disk partitions, open an elevated Command Prompt window and run the following commands:
```cmd
diskpart.exe
list volume
```
![Output of the list volume command in the Diskpart app.](./images/4509195-en-1.png)
If the status of any of the volumes isn't healthy or if the recovery partition is missing, Windows may need to be reinstalled. Before reinstalling Windows, check the configuration of the Windows image that is being provisioned. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Configuration Manager):
![Windows image configuration in Microsoft Configuration Manager.](./images/configmgr-imageconfig.jpg)
#### Step 2: Verify the status of WinRE
To verify the status of WinRE on the device, open an elevated Command Prompt window and run the following command:
```cmd
reagentc.exe /info
```
The output of this command resembles the following.
![Output of the reagentc.exe /info command.](./images/4509193-en-1.png)
If the **Windows RE status** isn't **Enabled**, run the following command to enable it:
```cmd
reagentc.exe /enable
```
#### Step 3: Verify the Windows Boot Loader configuration
If the partition status is healthy, but the **`reagentc.exe /enable`** command results in an error, verify whether the Windows Boot Loader contains the recovery sequence GUID by running the following command in an elevated Command Prompt window:
```cmd
bcdedit.exe /enum all
```
The output of this command will be similar to the following output:
:::image type="content" alt-text="Output of the bcdedit /enum all command." source="./images/4509196-en-1.png" lightbox="./images/4509196-en-1.png":::
In the output, locate the **Windows Boot Loader** section that includes the line **identifier={current}**. In that section, locate the **recoverysequence** attribute. The value of this attribute should be a GUID value, not a string of zeros.
## Event ID 851: Contact the manufacturer for BIOS upgrade instructions
The event information will be similar to the following error message:
> Failed to enable Silent Encryption.
>
> Error: BitLocker Drive Encryption cannot be enabled on the operating system drive. Contact the computer manufacturer for BIOS upgrade instructions.
### Cause of Event ID 851: Contact the manufacturer for BIOS upgrade instructions
The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent BitLocker drive encryption doesn't support legacy BIOS.
### Resolution for Event ID 851: Contact the manufacturer for BIOS upgrade instructions
To verify the BIOS mode, use the System Information application by following these steps:
1. Select **Start**, and enter **msinfo32** in the **Search** box.
2. Verify that the **BIOS Mode** setting is **UEFI** and not **Legacy**.
![System Information app, showing the BIOS Mode setting.](./images/4509198-en-1.png)
3. If the **BIOS Mode** setting is **Legacy**, the UEFI firmware needs to be switched to **UEFI** or **EFI** mode. The steps for switching to **UEFI** or **EFI** mode are specific to the device.
> [!NOTE]
> If the device supports only Legacy mode, Intune can't be used to manage BitLocker Device Encryption on the device.
## Error message: The UEFI variable 'SecureBoot' could not be read
An error message similar to the following error message is displayed:
> **Error:** BitLocker cannot use Secure Boot for integrity because the UEFI variable 'SecureBoot' could not be read. A required privilege is not held by the client.
### Cause of Error message: The UEFI variable 'SecureBoot' could not be read
A platform configuration register (PCR) is a memory location in the TPM. In particular, PCR 7 measures the state of secure boot. Silent BitLocker drive encryption requires the secure boot to be turned on.
### Resolution for Error message: The UEFI variable 'SecureBoot' could not be read
This issue can be resolved by verifying the PCR validation profile of the TPM and the secure boot state by following these steps:
#### Step 1: Verify the PCR validation profile of the TPM
To verify that PCR 7 is in use, open an elevated Command Prompt window and run the following command:
```cmd
Manage-bde.exe -protectors -get %systemdrive%
```
In the TPM section of the output of this command, verify whether the **PCR Validation Profile** setting includes **7**, as follows:
![Output of the manage-bde command.](./images/4509199-en-1.png)
If **PCR Validation Profile** doesn't include **7** (for example, the values include **0**, **2**, **4**, and **11**, but not **7**), then secure boot isn't turned on.
![Output of the manage-bde command when PCR 7 is not present.](./images/4509200-en-1.png)
#### 2: Verify the secure boot state
To verify the secure boot state, use the System Information application by following these steps:
1. Select **Start**, and enter **msinfo32** in the **Search** box.
2. Verify that the **Secure Boot State** setting is **On**, as follows:
![System Information app, showing a supported Secure Boot State.](./images/4509201-en-1.png)
3. If the **Secure Boot State** setting is **Unsupported**, Silent BitLocker Encryption can't be used on the device.
![System Information app, showing a unsupported Secure Boot State.](./images/4509202-en-1.png)
> [!NOTE]
> The [Confirm-SecureBootUEFI](/powershell/module/secureboot/confirm-securebootuefi) PowerShell cmdlet can also be used to verify the Secure Boot state by opening an elevated PowerShell window and running the following command:
>
> ```powershell
> Confirm-SecureBootUEFI
> ```
>
> If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True."
>
> If the computer supports secure boot and secure boot is disabled, this cmdlet returns "False."
>
> If the computer does not support Secure Boot or is a BIOS (non-UEFI) computer, this cmdlet returns "Cmdlet not supported on this platform."
## Event ID 846, 778, and 851: Error 0x80072f9a
Consider the following scenario:
Intune policy is being deployed to encrypt a Windows 10, version 1809 device, and the recovery password is being stored in Azure Active Directory (Azure AD). As part of the policy configuration, the **Allow standard users to enable encryption during Azure AD Join** option has been selected.
The policy deployment fails and the failure generates the following events in Event Viewer in the **Applications and Services Logs** > **Microsoft** > **Windows** > **BitLocker API** folder:
> Event ID:846
>
> Event:
> Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD.
>
> TraceId: {cbac2b6f-1434-4faa-a9c3-597b17c1dfa3}
> Error: Unknown HResult Error code: 0x80072f9a
> Event ID:778
>
> Event: The BitLocker volume C: was reverted to an unprotected state.
> Event ID: 851
>
> Event:
> Failed to enable Silent Encryption.
>
> Error: Unknown HResult Error code: 0x80072f9a.
These events refer to Error code 0x80072f9a.
### Cause of Event ID 846, 778, and 851: Error 0x80072f9a
These events indicate that the signed-in user doesn't have permission to read the private key on the certificate that is generated as part of the provisioning and enrollment process. Therefore, the BitLocker MDM policy refresh fails.
The issue affects Windows 10 version 1809.
### Resolution for Event ID 846, 778, and 851: Error 0x80072f9a
To resolve this issue, install the [May 21, 2019](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934) update.
## Error message: There are conflicting group policy settings for recovery options on operating system drives
An error message similar to the following error message is displayed:
> **Error:** BitLocker Drive Encryption cannot be applied to this drive because there are conflicting Group Policy settings for recovery options on operating system drives. Storing recovery information to Active Directory Domain Services cannot be required when the generation of recovery passwords is not permitted. Please have your system administrator resolve these policy conflicts before attempting to enable BitLocker…
### Resolution for Error message: There are conflicting group policy settings for recovery options on operating system drives
To resolve this issue, review the group policy object (GPO) settings for conflicts. For more information, see the next section, [Review BitLocker policy configuration](#review-bitlocker-policy-configuration).
For more information about GPOs and BitLocker, see [BitLocker Group Policy Reference](/previous-versions/windows/it-pro/windows-7/ee706521(v=ws.10)).
## Review BitLocker policy configuration
For information about the procedure to use policy together with BitLocker and Intune, see the following resources:
- [BitLocker management for enterprises: Managing devices joined to Azure Active Directory](./bitlocker-management-for-enterprises.md#managing-devices-joined-to-azure-active-directory)
- [BitLocker Group Policy Reference](/previous-versions/windows/it-pro/windows-7/ee706521(v=ws.10))
- [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference)
- [Policy CSP &ndash; BitLocker](/windows/client-management/mdm/policy-csp-bitlocker)
- [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp)
- [Enable ADMX-backed policies in MDM](/windows/client-management/mdm/enable-admx-backed-policies-in-mdm)
- [gpresult](/windows-server/administration/windows-commands/gpresult)
Intune offers the following enforcement types for BitLocker:
- **Automatic** (Enforced when the device joins Azure AD during the provisioning process. This option is available in Windows 10 version 1703 and later.)
- **Silent** (Endpoint protection policy. This option is available in Windows 10 version 1803 and later.)
- **Interactive** (Endpoint policy for Windows versions that are older than Windows 10 version 1803.)
If the device runs Windows 10 version 1703 or later, supports Modern Standby (also known as Instant Go) and is HSTI-compliant, joining the device to Azure AD triggers automatic device encryption. A separate endpoint protection policy isn't required to enforce device encryption.
If the device is HSTI-compliant but doesn't support Modern Standby, an endpoint protection policy has to be configured to enforce silent BitLocker drive encryption. The settings for this policy should be similar to the following settings:
![Intune policy settings.](./images/4509186-en-1.png)
The OMA-URI references for these settings are as follows:
- OMA-URI: **./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption**
Value Type: **Integer**
Value: **1** (1 = Require, 0 = Not Configured)
- OMA-URI: **./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption**
Value Type: **Integer**
Value: **0** (0 = Blocked, 1 = Allowed)
> [!NOTE]
> Because of an update to the BitLocker Policy CSP, if the device uses Windows 10 version 1809 or later, an endpoint protection policy can be used to enforce silent BitLocker Device Encryption even if the device is not HSTI-compliant.
> [!NOTE]
> If the **Warning for other disk encryption** setting is set to **Not configured**, the BitLocker drive encryption wizard has to be manually started.
If the device doesn't support Modern Standby but is HSTI-compliant, and it uses a version of Windows that is earlier than Windows 10, version 1803, an endpoint protection policy that has the settings that are described in this article delivers the policy configuration to the device. However, Windows then notifies the user to manually enable BitLocker Drive Encryption. When the user selects the notification, it will start the BitLocker Drive Encryption wizard.
Intune provides settings that can be used to configure automatic device encryption for Autopilot devices for standard users. Each device must meet the following requirements:
- Be HSTI-compliant
- Support Modern Standby
- Use Windows 10 version 1803 or later
![Intune policy setting.](./images/4509188-en-1.png)
The OMA-URI references for these settings are as follows:
- OMA-URI: **./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption**
Value Type: **Integer**
Value: **1**
> [!NOTE]
> This node works together with the **RequireDeviceEncryption** and **AllowWarningForOtherDiskEncryption** nodes. For this reason, when the following settings are set:
>
> - **RequireDeviceEncryption** to **1**
> - **AllowStandardUserEncryption** to **1**
> - **AllowWarningForOtherDiskEncryption** to **0**
>
> Intune enforces silent BitLocker encryption for Autopilot devices that have standard user profiles.
## Verifying that BitLocker is operating correctly
During regular operations, BitLocker drive encryption generates events such as Event ID 796 and Event ID 845.
![Event ID 796, as shown in Event Viewer.](./images/4509203-en-1.png)
![Event ID 845, as shown in Event Viewer.](./images/4509204-en-1.png)
It can also be determined whether the BitLocker recovery password has been uploaded to Azure AD by checking the device details in the Azure AD Devices section.
![BitLocker recovery information as viewed in Azure AD.](./images/4509205-en-1.png)
On the device, check the Registry Editor to verify the policy settings on the device. Verify the entries under the following subkeys:
- **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker`**
- **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device`**
![Registry subkeys that relate to Intune policy.](./images/4509206-en-1.png)

105
windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md
View File

@ -1,105 +0,0 @@
---
title: BitLocker Network Unlock known issues
description: Describes several known issues that may be encountered while using Network Unlock, and provided guidance for addressing those issues.
ms.technology: itpro-security
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.reviewer: kaushika
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.custom: bitlocker
ms.date: 11/08/2022
---
# BitLocker Network Unlock: known issues
By using the BitLocker Network Unlock feature, computers can be managed remotely without having to enter a BitLocker PIN when each computer starts up. To configure this behavior, the environment needs to meet the following requirements:
- Each computer belongs to a domain.
- Each computer has a wired connection to the internal network.
- The internal network uses DHCP to manage IP addresses.
- Each computer has a DHCP driver implemented in its Unified Extensible Firmware Interface (UEFI) firmware.
For general guidelines about how to troubleshoot BitLocker Network Unlock, see [How to enable Network Unlock: Troubleshoot Network Unlock](./bitlocker-how-to-enable-network-unlock.md#troubleshoot-network-unlock).
This article describes several known issues that may be encountered when BitLocker Network Unlock is used and provides guidance to address these issues.
> [!TIP]
> BitLocker Network Unlock can be detected if it is enabled on a specific computer use the following steps on UEFI computers:
>
> 1. Open an elevated command prompt window and run the following command:
>
> ```cmd
> manage-bde.exe -protectors -get <Drive>
> ```
>
> For example:
>
> ```cmd
> manage-bde.exe -protectors -get C:
> ```
>
> If the output of this command includes a key protector of type **TpmCertificate (9)**, the configuration is correct for BitLocker Network Unlock.
>
> 2. Start Registry Editor, and verify the following settings:
>
> 1. The following registry key exists and has the following value:
>
> - **Subkey**: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE`
> - **Type**: `REG_DWORD`
> - **Value**: `OSManageNKP` equal to `1` (True)
>
> 2. The registry key:
>
> `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\FVE_NKP\Certificates`
>
> has an entry whose name matches the name of the certificate thumbprint of the BitLocker Network Unlock key protector that was found in step 1.
## On a Surface Pro 4 device, BitLocker Network Unlock doesn't work because the UEFI network stack is incorrectly configured
Consider the following scenario:
BitLocker Network Unlock has been configured as described in [BitLocker: How to enable Network Unlock](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). UEFI of a Surface Pro 4 has been configured to use DHCP. However, when the Surface Pro 4 is restarted, it still prompts for a BitLocker PIN.
When testing another device, such as a different type of tablet or laptop PC that's configured to use the same infrastructure, the device restarts as expected, without prompting for the BitLocker PIN. This test confirms that the infrastructure is correctly configured, and the issue is specific to the device.
### Cause of BitLocker Network Unlock not working on Surface Pro 4
The UEFI network stack on the device is incorrectly configured.
### Resolution for BitLocker Network Unlock not working on Surface Pro 4
To correctly configure the UEFI network stack of the Surface Pro 4, the Microsoft Surface Enterprise Management Mode (SEMM) needs to be used. For information about SEMM, see [Enroll and configure Surface devices with SEMM](/surface/enroll-and-configure-surface-devices-with-semm).
> [!NOTE]
> If SEMM can't be used, the Surface Pro 4 may be able to use BitLocker Network Unlock by configuring the Surface Pro 4 to use the network as its first boot option.
## Unable to use BitLocker Network Unlock feature on a Windows client computer
Consider the following scenario:
BitLocker Network Unlock has been configured as described in [BitLocker: How to enable Network Unlock](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). A Windows 8 client computer is connected to the internal network with an ethernet cable. However, when the device is restarted, the device still prompts for the BitLocker PIN.
### Cause of unable to use BitLocker Network Unlock feature on a Windows client computer
A Windows 8-based or Windows Server 2012-based client computer sometimes doesn't receive or use the BitLocker Network Unlock protector, depending on whether the client receives unrelated BOOTP replies from a DHCP server or WDS server.
DHCP servers may send any DHCP options to a BOOTP client as allowed by the DHCP options and BOOTP vendor extensions. This behavior means that because a DHCP server supports BOOTP clients, the DHCP server replies to BOOTP requests.
The manner in which a DHCP server handles an incoming message depends in part on whether the message uses the Message Type option:
- The first two messages that the BitLocker Network Unlock client sends are DHCP DISCOVER\REQUEST messages. They use the Message Type option, so the DHCP server treats them as DHCP messages.
- The third message that the BitLocker Network Unlock client sends doesn't have the Message Type option. The DHCP server treats the message as a BOOTP request.
A DHCP server that supports BOOTP clients must interact with those clients according to the BOOTP protocol. The server must create a BOOTP BOOTREPLY message instead of a DHCP DHCPOFFER message. In other words, the server must not include the DHCP message option type and must not exceed the size limit for BOOTREPLY messages. After the server sends the BOOTP BOOTREPLY message, the server marks a binding for a BOOTP client as BOUND. A non-DHCP client doesn't send a DHCPREQUEST message, nor does that client expect a DHCPACK message.
If a DHCP server that isn't configured to support BOOTP clients receives a BOOTREQUEST message from a BOOTP client, that server silently discards the BOOTREQUEST message.
For more information about DHCP and BitLocker Network Unlock, see [BitLocker: How to enable Network Unlock: Network Unlock sequence](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock#network-unlock-sequence).
### Resolution for unable to use BitLocker Network Unlock feature on a Windows client computer
To resolve this issue, change the configuration of the DHCP server by changing the **DHCP** option from **DHCP and BOOTP** to **DHCP**.

369
windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md
View File

@ -1,369 +0,0 @@
---
title: BitLocker recovery known issues
description: Describes common issues that can occur that prevent BitLocker from behaving as expected when recovering a drive, or may cause BitLocker to start recovery unexpectedly. The article provides guidance for addressing those issues.
ms.reviewer: kaushika
ms.technology: itpro-security
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.collection:
- Windows Security Technologies\BitLocker
- highpri
ms.topic: troubleshooting
ms.date: 11/08/2022
ms.custom: bitlocker
---
# BitLocker recovery: known issues
This article describes common issues that may prevent BitLocker from behaving as expected when a drive is recovered, or that may cause BitLocker to start recovery unexpectedly. The article also provides guidance to address these issues.
> [!NOTE]
> In this article, "recovery password" refers to the 48-digit recovery password and "recovery key" refers to 32-digit recovery key. For more information, see [BitLocker key protectors](./prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors).
## Windows prompts for a non-existing BitLocker recovery password
Windows prompts for a BitLocker recovery password. However, a BitLocker recovery password wasn't configured.
### Resolution for Windows prompts for a non-existing BitLocker recovery password
The BitLocker and Active Directory Domain Services (AD DS) FAQ address situations that may produce this symptom, and provides information about the procedure to resolve the issue:
- [What if BitLocker is enabled on a computer before the computer has joined the domain?](./bitlocker-and-adds-faq.yml#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain-)
- [What happens if the backup initially fails? Will BitLocker retry the backup?](./bitlocker-and-adds-faq.yml)
## The recovery password for a laptop wasn't backed up, and the laptop is locked
Consider the following scenario:
The hard disk of a Windows 11 or Windows 10 laptop has to be recovered. The disk was encrypted by using BitLocker Driver Encryption. However, the BitLocker recovery password wasn't backed up, and the usual user of the laptop isn't available to provide the password.
### Resolution for the recovery password for a laptop wasn't backed up
You can use either of the following methods to manually back up or synchronize an online client's existing recovery information:
- Create a Windows Management Instrumentation (WMI) script that backs up the information. For more information, see [BitLocker Drive Encryption Provider](/windows/win32/secprov/bitlocker-drive-encryption-provider).
- In an elevated Command Prompt window, use the [manage-bde.exe](/windows-server/administration/windows-commands/manage-bde) command to back up the information.
For example, to back up all of the recovery information for the C: drive to AD DS, open an elevated Command Prompt window and run the following command:
```cmd
manage-bde.exe -protectors -adbackup C:
```
> [!NOTE]
> BitLocker does not automatically manage this backup process.
## Tablet devices don't support using `manage-bde.exe -forcerecovery` to test recovery mode
Consider the following scenario:
BitLocker recovery needs to be tested on a tablet or slate device by running the following command:
```cmd
manage-bde.exe -forcerecovery
```
However, after entering the recovery password, the device can't start.
### Cause of tablet devices don't support using `manage-bde.exe -forcerecovery` to test recovery mode
> [!IMPORTANT]
> Tablet devices do not support the **`manage-bde.exe -forcerecovery`** command.
This issue occurs because the Windows Boot Manager can't process touch-input during the pre-boot phase of startup. If Boot Manager detects that the device is a tablet, it redirects the startup process to the Windows Recovery Environment (WinRE), which can process touch-input.
If WindowsRE detects the TPM protector on the hard disk, it does a PCR reseal. However, the **`manage-bde.exe -forcerecovery`** command deletes the TPM protectors on the hard disk. Therefore, WinRE can't reseal the PCRs. This failure triggers an infinite BitLocker recovery cycle and prevents Windows from starting.
This behavior is by design for all versions of Windows.
### Workaround for tablet devices don't support using `manage-bde.exe -forcerecovery` to test recovery mode
To resolve the restart loop, follow these steps:
1. On the BitLocker Recovery screen, select **Skip this drive**.
2. Select **Troubleshoot** > **Advanced Options** > **Command Prompt**.
3. In the Command Prompt window, run the following commands:
```cmd
manage-bde.exe -unlock C: -rp <48-digit BitLocker recovery password>
manage-bde.exe -protectors -disable C:
```
4. Close the Command Prompt window.
5. Shut down the device.
6. Start the device. Windows should start as usual.
## After installing UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password
Consider the following scenario:
A Surface device has BitLocker drive encryption turned on. The firmware of the Surface's TPM is updated or an update that changes the signature of the system firmware is installed. For example, the Surface TPM (IFX) update is installed.
You experience one or more of the following symptoms on the Surface device:
- At startup, the Surface device prompts for a BitLocker recovery password. The correct recovery password is entered, but Windows doesn't start up.
- Startup progresses directly into the Surface device's Unified Extensible Firmware Interface (UEFI) settings.
- The Surface device appears to be in an infinite restart loop.
### Cause of after installing UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password
This issue occurs if the Surface device TPM is configured to use Platform Configuration Register (PCR) values other than the default values of PCR 7 and PCR 11. For example, the following settings can configure the TPM this way:
- Secure boot is turned off.
- PCR values have been explicitly defined, such as by group policy.
Devices that support Connected Standby (also known as *InstantGO* or *Always On, Always Connected PCs*), including Surface devices, must use PCR 7 of the TPM. In its default configuration on such systems, BitLocker binds to PCR 7 and PCR 11 if PCR 7 and Secure Boot are correctly configured. For more information, see the [About the Platform Configuration Register (PCR)](bitlocker-group-policy-settings.md#about-the-platform-configuration-register-pcr) section of the [BitLocker Group Policy Settings](bitlocker-group-policy-settings.md) article.
### Resolution for after installing UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password
To verify the PCR values that are in use on a device, open an elevated Command Prompt window and run the following command:
```cmd
manage-bde.exe -protectors -get <OSDriveLetter>:
```
In this command, *\<OSDriveLetter\>* represents the drive letter of the operating system drive.
To resolve this issue and repair the device, follow these steps:
#### Step 1: Disable the TPM protectors on the boot drive
If a TPM or UEFI update has been installed and the Surface device can't start, even if the correct BitLocker recovery password has been entered, the ability to start can be restored by using the BitLocker recovery password and a Surface recovery image to remove the TPM protectors from the boot drive.
To use the BitLocker recovery password and a Surface recovery image to remove the TPM protectors from the boot drive, follow these steps:
1. Obtain the BitLocker recovery password from the Surface user's [Microsoft.com account](https://account.microsoft.com/devices/recoverykey). If BitLocker is managed by a different method, such as Microsoft BitLocker Administration and Monitoring (MBAM), Configuration Manager BitLocker Management, or Intune, contact the administrator for help.
2. Use another computer to download the Surface recovery image from [Surface Recovery Image Download](https://support.microsoft.com/surface-recovery-image). Use the downloaded image to create a USB recovery drive.
3. Insert the USB Surface recovery image drive into the Surface device, and start the device.
4. When prompted, select the following items:
1. The operating system language.
2. The keyboard layout.
5. Select **Troubleshoot** > **Advanced Options** > **Command Prompt**.
6. In the Command Prompt window, run the following commands:
```cmd
manage-bde.exe -unlock -recoverypassword <Password> <DriveLetter>:
manage-bde.exe -protectors -disable <DriveLetter>:
```
where:
- *\<Password\>* is the BitLocker recovery password that was obtained in Step 1
- *\<DriveLetter\>* is the drive letter that is assigned to the operating system drive
> [!NOTE]
> For more information about how to use this command, see [manage-bde unlock](/windows-server/administration/windows-commands/manage-bde-unlock).
7. Restart the computer.
8. When prompted, enter the BitLocker recovery password that was obtained in Step 1.
> [!NOTE]
> After the TPM protectors are disabled, BitLocker drive encryption no longer protects the device. To re-enable BitLocker drive encryption, select **Start**, type **Manage BitLocker**, and then press **Enter**. Follow the steps to encrypt the drive.
#### Step 2: Use Surface BMR to recover data and reset the Surface device
To recover data from the Surface device if Windows doesn't start, follow steps 1 through 5 of the section [Step 1: Disable the TPM protectors on the boot drive](#step-1-disable-the-tpm-protectors-on-the-boot-drive) to get to a Command Prompt window. Once a Command Prompt window is open, follow these steps:
1. At the command prompt, run the following command:
```cmd
manage-bde.exe -unlock -recoverypassword <Password> <DriveLetter>:
```
In this command, *\<Password\>* is the BitLocker recovery password that was obtained in Step 1 of the section [Step 1: Disable the TPM protectors on the boot drive](#step-1-disable-the-tpm-protectors-on-the-boot-drive), and \<*DriveLetter*> is the drive letter that is assigned to the operating system drive.
2. After the drive is unlocked, use the **`copy`** or **`xcopy.exe`** command to copy the user data to another drive.
> [!NOTE]
> For more information about the these commands, see the [Windows commands](/windows-server/administration/windows-commands/windows-commands) article.
3. To reset the device by using a Surface recovery image, follow the instructions in the article [Creating and using a USB recovery drive for Surface](https://support.microsoft.com/surface/creating-and-using-a-usb-recovery-drive-for-surface-677852e2-ed34-45cb-40ef-398fc7d62c07).
#### Step 3: Restore the default PCR values
To prevent this issue from recurring, it's recommended to restore the default configuration of Secure Boot and the PCR values.
To enable Secure Boot on a Surface device, follow these steps:
1. Suspend BitLocker by opening an elevated Windows PowerShell window and running the following PowerShell cmdlet:
```powershell
Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0
```
In this command, *\<DriveLetter\>* is the letter that is assigned to the drive.
2. Restart the device, and then edit the UEFI settings to set the **Secure Boot** option to **Microsoft Only**.
3. Restart the device and sign into Windows.
4. Open an elevated PowerShell window and run the following PowerShell cmdlet:
```powershell
Resume-BitLocker -MountPoint "<DriveLetter>:"
```
To reset the PCR settings on the TPM, follow these steps:
1. Disable any Group Policy Objects that configure the PCR settings, or remove the device from any groups that enforce such policies.
For more information, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
2. Suspend BitLocker by opening an elevated Windows PowerShell window and running the following PowerShell cmdlet:
```powershell
Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0
```
In this command, *\<DriveLetter\>* is the letter that is assigned to the drive.
3. Run the following PowerShell cmdlet:
```powershell
Resume-BitLocker -MountPoint "<DriveLetter>:"
```
#### Step 4: Suspend BitLocker during TPM or UEFI firmware updates
You can avoid this scenario when installing updates to system firmware or TPM firmware by temporarily suspending BitLocker before applying such updates.
> [!IMPORTANT]
> TPM and UEFI firmware updates may require multiple restarts while they install. To keep BitLocker suspended during this process, the PowerShell cmdlet [Suspend-BitLocker](/powershell/module/bitlocker/suspend-bitlocker) must be used and the **Reboot Count** parameter must be set to either of the following values:
>
> - **2** or greater: This value sets the number of times the device will restart before BitLocker Device Encryption resumes. For example, setting the value to **2** will cause BitLocker to resume after the device restarts twice.
>
> - **0**: This value suspends BitLocker Drive Encryption indefinitely. To resume BitLocker, the PowerShell cmdlet [Resume-BitLocker](/powershell/module/bitlocker/resume-bitlocker) or another mechanism needs to be used to resume BitLocker protection.
To suspend BitLocker while installing TPM or UEFI firmware updates:
1. Open an elevated Windows PowerShell window and run the following PowerShell cmdlet:
```powershell
Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0
```
In this PowerShell cmdlet, *\<DriveLetter\>* is the letter that is assigned to the drive.
2. Install the Surface device driver and firmware updates.
3. After installing the firmware updates, restart the computer, open an elevated PowerShell window, and then run the following PowerShell cmdlet:
```powershell
Resume-BitLocker -MountPoint "<DriveLetter>:"
```
<!--
REMOVING THIS STATEMENT SINCE THIS IS NOT NEEDED. BITLOCKER WAS ONLY SUSPENDED. IT WAS NOT DISABLED AND THE DRIVE WAS NEVER DECRYPTED. STEP 3 ABOVE ALREADY RESUMES BITLOCKER SO RE-ENABLING AND/OR REENCRYPTING IS NOT NEEDED.
To re-enable BitLocker drive encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive.
-->
<!--
REMOVING THIS SECTION SINCE IT ONLY APPLIES TO VERSIONS OF WINDOWS 10 THAT HAVE BEEN OUT OF SUPPORT FOR SEVERAL YEARS
## After installing an update to a Hyper V-enabled computer, BitLocker prompts for the recovery password and returns error 0xC0210000
Consider the following scenario:
A device is running Windows 10, version 1703, Windows 10, version 1607, or Windows Server 2016 and Hyper-V is enabled. After installing an affected update and restart the device, the device enters BitLocker Recovery mode and error code 0xC0210000 is displayed.
### Workaround
If the device is already in this state, Windows can be successfully started after suspending BitLocker from the Windows Recovery Environment (WinRE). To do this, follow these steps:
1. Retrieve the 48-digit BitLocker recovery password for the operating system drive from the organization's portal or from wherever the password was stored when BitLocker Drive Encryption was first turned on. Solutions that store the BitLocker password could include Microsoft BitLocker Administration and Monitoring (MBAM), Configuration Manager BitLocker Management, or Intune.
2. On the Recovery screen, press **Enter**. When prompted, enter the recovery password.
3. If the device starts in the (WinRE) and prompts for the recovery password again, select **Skip the drive**.
4. Select **Advanced options** > **Troubleshoot** > **Advanced options** > **Command Prompt**.
5. In the Command Prompt window, run the following commands:
```cmd
manage-bde.exe -unlock c: -rp <48 digit numerical recovery password separated by "-" in 6 digit group>
manage-bde.exe -protectors -disable c:
exit
```
These commands unlock the drive and then suspend BitLocker by disabling the TPM protectors on the drive. The final command closes the Command Prompt window.
> [!NOTE]
> These commands suspend BitLocker for one restart of the device. The **-rc 1** option works only inside the operating system and does not work in the recovery environment.
6. Select **Continue**. Windows should start.
7. After Windows has started, open an elevated Command Prompt window and run the following command:
```cmd
manage-bde.exe -protectors -enable c:
```
> [!IMPORTANT]
> Unless BitLocker is suspended before restarting the device, this issue recurs.
To temporarily suspend BitLocker just before restarting the device, open an elevated Command Prompt window and run the following command:
```cmd
manage-bde.exe -protectors -disable c: -rc 1
```
### Resolution
To resolve this issue, install the appropriate update on the affected device:
- For Windows 10, version 1703: [July 9, 2019—KB4507450 (OS Build 15063.1928)](https://support.microsoft.com/help/4507450/windows-10-update-kb4507450)
- For Windows 10, version 1607 and Windows Server 2016: [July 9, 2019—KB4507460 (OS Build 14393.3085)](https://support.microsoft.com/help/4507460/windows-10-update-kb4507460)
-->
## Credential Guard/Device Guard on TPM 1.2: At every restart, BitLocker prompts for the recovery password and returns error 0xC0210000
Consider the following scenario:
A device uses TPM 1.2 and runs Windows 10, version 1809. The device also uses [Virtualization-based Security](/windows-hardware/design/device-experiences/oem-vbs) features such as [Device Guard and Credential Guard](/windows-hardware/drivers/bringup/device-guard-and-credential-guard). Every time the device is started, the device enters BitLocker Recovery mode and an error message similar to the following error message is displayed:
> Recovery
>
> Your PC/Device needs to be repaired.
> A required file couldn't be accessed because your BitLocker key wasn't loaded correctly.
>
> Error code 0xc0210000
>
> You'll need to use recovery tools. If you don't have any installation media (like a disc or USB device), contact your PC administrator or PC/Device manufacturer.
### Cause of Credential Guard/Device Guard on TPM 1.2: At every restart, BitLocker prompts for the recovery password and returns error 0xC0210000
TPM 1.2 doesn't support Secure Launch. For more information, see [System Guard Secure Launch and SMM protection: Requirements Met by System Guard Enabled Machines](../../threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
For more information about this technology, see [Windows Defender System Guard: How a hardware-based root of trust helps protect Windows](../../threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md)
### Resolution for Credential Guard/Device Guard on TPM 1.2: At every restart, BitLocker prompts for the recovery password and returns error 0xC0210000
To resolve this issue, use one of the following two solutions:
- Remove any device that uses TPM 1.2 from any group that is subject to GPOs that enforce secure launch.
- Edit the **Turn On Virtualization Based Security** GPO to set **Secure Launch Configuration** to **Disabled**.

126
windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md
View File

@ -1,126 +0,0 @@
---
title: BitLocker and TPM other known issues
description: Describes common issues that relate directly to the TPM, and provides guidance for resolving those issues.
ms.reviewer: kaushika
ms.technology: itpro-security
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 11/08/2022
ms.custom: bitlocker
---
# BitLocker and TPM: other known issues
This article describes common issues that relate directly to the trusted platform module (TPM), and provides guidance to address these issues.
## Azure AD: Windows Hello for Business and single sign-on don't work
Consider the following scenario:
An Azure Active Directory (Azure AD)-joined client computer can't authenticate correctly. The computer is experiencing one or more of the following symptoms:
- Windows Hello for Business doesn't work
- Conditional access fails
- Single sign-on (SSO) doesn't work
Additionally, in Event Viewer, the computer logs the following Event ID 1026 event under **Windows Logs** > **System**:
> Log Name: System
> Source: Microsoft-Windows-TPM-WMI
> Date: \<Date and Time>
> Event ID: 1026
> Task Category: None
> Level: Information
> Keywords:
> User: SYSTEM
> Computer: \<Computer name\>
> Description:
> The Trusted Platform Module (TPM) hardware on this computer cannot be provisioned for use automatically. To set up the TPM interactively use the TPM management console (Start-\>tpm.msc) and use the action to make the TPM ready.
> Error: The TPM is defending against dictionary attacks and is in a time-out period.
> Additional Information: 0x840000
### Cause of Azure AD: Windows Hello for Business and single sign-on don't work
This event indicates that the TPM isn't ready or has some setting that prevents access to the TPM keys.
Additionally, the behavior indicates that the client computer can't obtain a [Primary Refresh Token (PRT)](/azure/active-directory/devices/concept-primary-refresh-token).
### Resolution for Azure AD: Windows Hello for Business and single sign-on don't work
To verify the status of the PRT, use the [dsregcmd.exe /status](/azure/active-directory/devices/troubleshoot-device-dsregcmd) command to collect information. In the tool output, verify that either **User state** or **SSO state** contains the **AzureAdPrt** attribute. If the value of this attribute is **No**, the PRT wasn't issued. If the value of the attribute is **No**, it may indicate that the computer couldn't present its certificate for authentication.
To resolve this issue, follow these steps to troubleshoot the TPM:
1. Open the TPM management console (`tpm.msc`) by selecting **Start** and entering **tpm.msc** in the **Search** box.
2. If a notice is displayed to either unlock the TPM or reset the lockout, contact the hardware vendor to determine whether there's a known fix for the issue.
3. If the issue is still not resolved after contacting the hardware vendor, clear and reinitialize the TPM by following the instructions in the article [Troubleshoot the TPM: Clear all the keys from the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm).
> [!WARNING]
> Clearing the TPM can cause data loss.
If in Step 2 there's no notice to either unlock the TPM or reset the lockout, review the UEFI firmware/BIOS settings of the computer for any setting that can be used to reset or disable the lockout.
## TPM 1.2 Error: Loading the management console failed. The device that is required by the cryptographic provider isn't ready for use
Consider the following scenario:
When trying to open the TPM management console on a Windows computer that uses TPM version 1.2, the following message is displayed:
> Loading the management console failed. The device that is required by the cryptographic provider is not ready for use.
> HRESULT 0x800900300x80090030 - NTE\_DEVICE\_NOT\_READY
> The device that is required by this cryptographic provider is not ready for use.
> TPM Spec version: TPM v1.2
On a different device that is running the same version of Windows, the TPM management console can be opened.
### Cause (suspected) of TPM 1.2 Error: Loading the management console failed. The device that is required by the cryptographic provider isn't ready for use
These symptoms indicate that the TPM has hardware or firmware issues.
### Resolution for TPM 1.2 Error: Loading the management console failed. The device that is required by the cryptographic provider isn't ready for use
To resolve the issue:
- Switch the TPM operating mode from version 1.2 to version 2.0 if the device has this option available.
- If switching the TPM from version 1.2 to version 2.0 doesn't resolve the issue, or if the device doesn't have TPM version 2.0 available, contact the hardware vendor to determine whether there's a UEFI firmware update/BIOS update/TPM update for the device. If there's an update available, install the update to see if it resolves the issue.
- If updating the UEFI firmware/BIOS doesn't resolve the issue, or if there's no update available, consider replacing the device motherboard by contacting the hardware vendor. After the motherboard has been replaced, switch the TPM operating mode from version 1.2 to version 2.0 if this option is available.
> [!WARNING]
> Replacing the motherboard will cause data in the TPM to be lost.
## Devices don't join hybrid Azure AD because of a TPM issue
When trying to join a device to a hybrid Azure AD, the join operation appears to fail.
To verify that the join succeeded, use the [dsregcmd /status command](/azure/active-directory/devices/troubleshoot-device-dsregcmd). In the tool output, the following attributes indicate that the join succeeded:
- **AzureAdJoined: YES**
- **DomainName: \<*on-prem Domain name*\>**
If the value of **AzureADJoined** is **No**, the join operation failed.
### Causes and resolutions for devices don't join hybrid Azure AD because of a TPM issue
This issue may occur when the Windows operating system isn't the owner of the TPM. The specific fix for this issue depends on which errors or events are displayed, as shown in the following table:
|Message |Reason | Resolution|
| - | - | - |
|*NTE\_BAD\_KEYSET (0x80090016/-2146893802)* |TPM operation failed or was invalid |This issue was probably caused by a corrupted sysprep image. When creating a sysprep image, make sure to use a computer that isn't joined to or registered in Azure AD or hybrid Azure AD. |
|*TPM\_E\_PCP\_INTERNAL\_ERROR (0x80290407/-2144795641)* |Generic TPM error. |If the device returns this error, disable its TPM. Windows 10, version 1809 and later versions, automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. |
|*TPM\_E\_NOTFIPS (0x80280036/-2144862154*) |The FIPS mode of the TPM is currently not supported. |If the device gives this error, disable its TPM. Windows 10, version 1809 and later versions, automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. |
|*NTE\_AUTHENTICATION\_IGNORED (0x80090031/-2146893775)* |The TPM is locked out. |This error is transient. Wait for the cooldown period, and then retry the join operation. |
For more information about TPM issues, see the following articles:
- [TPM fundamentals: Anti-hammering](../tpm/tpm-fundamentals.md#anti-hammering)
- [Troubleshooting hybrid Azure Active Directory-joined devices](/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current)
- [Troubleshoot the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md)

2
windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
View File

@ -61,7 +61,7 @@ The steps to use Intune's custom OMA-URI functionality are:
2. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings:
- **OMA-URI**: `./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy`
- **Data type**: Base64 (file)
- **Certificate file**: upload your binary format policy file. You don't need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf.
- **Certificate file**: Upload your binary format policy file. To do this, change your {GUID}.cip file to {GUID}.bin. You don't need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf.
> [!div class="mx-imgBorder"]
> ![Configure custom WDAC.](../images/wdac-intune-custom-oma-uri.png)

2
windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
View File

@ -43,7 +43,7 @@ To complete this procedure, you must be a member of the Domain Administrators gr
4. In the navigation pane, right-click **Group Policy Objects** again, and then click **Paste**.
![Screenshot that shows Copy Paste GPO.](/images/grouppolicy-paste.png)
:::image type="content" alt-text="Screenshot that shows Copy Paste GPO." source="images/grouppolicy-paste.png":::
5. In the **Copy GPO** dialog box, click **Preserve the existing permissions**, and then click **OK**. Selecting this option preserves any exception groups to which you denied Read and Apply GPO permissions, making the change simpler.

9
windows/whats-new/TOC.yml
View File

@ -24,3 +24,12 @@
href: whats-new-windows-10-version-21H1.md
- name: What's new in Windows 10, version 20H2
href: whats-new-windows-10-version-20H2.md
- name: Deprecated and removed Windows features
expanded: false
items:
- name: Windows client features lifecycle
href: feature-lifecycle.md
- name: Deprecated Windows features
href: deprecated-features.md
- name: Removed Windows features
href: removed-features.md

10
windows/deployment/planning/windows-10-deprecated-features.md → windows/whats-new/deprecated-features.md
View File

@ -1,12 +1,12 @@
---
title: Deprecated features in Windows client
title: Deprecated features in the Windows client
description: Review the list of features that Microsoft is no longer developing in Windows 10 and Windows 11.
ms.date: 10/28/2022
ms.prod: windows-client
ms.technology: itpro-fundamentals
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
author: mestew
ms.author: mstewart
manager: aaroncz
ms.reviewer:
ms.topic: article
@ -19,11 +19,11 @@ ms.topic: article
- Windows 10
- Windows 11
Each version of Windows client adds new features and functionality. Occasionally, new versions also remove features and functionality, often because they've added a newer option. This article provides details about the features and functionalities that are no longer being developed in Windows client. For more information about features that have been removed, see [Windows features removed](windows-10-removed-features.md).
Each version of Windows client adds new features and functionality. Occasionally, new versions also remove features and functionality, often because they've added a newer option. This article provides details about the features and functionalities that are no longer being developed in Windows client. For more information about features that have been removed, see [Windows features removed](removed-features.md).
For more information about features in Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3).
To understand the distinction between _deprecation_ and _removal_, see [Windows client features lifecycle](features-lifecycle.md).
To understand the distinction between _deprecation_ and _removal_, see [Windows client features lifecycle](feature-lifecycle.md).
The features in this article are no longer being actively developed, and might be removed in a future update. Some features have been replaced with other features or functionality and some are now available from other sources.

14
windows/deployment/planning/features-lifecycle.md → windows/whats-new/feature-lifecycle.md
View File

@ -1,11 +1,11 @@
---
title: Windows client features lifecycle
description: Learn about the lifecycle of Windows 10 features, as well as features that are no longer developed, removed features, and terminology assigned to a feature.
description: Learn about the lifecycle of Windows features, as well as features that are no longer developed, removed features, and terminology assigned to a feature.
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
author: mestew
manager: aaroncz
ms.author: frankroj
ms.author: mstewart
ms.topic: article
ms.custom: seo-marvel-apr2020
ms.technology: itpro-fundamentals
@ -27,17 +27,17 @@ For information about features that are impacted when you upgrade from Windows 1
The following topic lists features that are no longer being developed. These features might be removed in a future release.
[Windows 10 features we're no longer developing](windows-10-deprecated-features.md)
[Deprecated Windows features](deprecated-features.md)
## Features removed
The following topics have details about features that have been removed from Windows 10 or Windows 11. This includes features that are present in Windows 10, but are removed in Windows 11.
[Windows 10 features we removed](windows-10-removed-features.md)
[Removed Windows features](removed-features.md)
## Terminology
The following terms can be used to describe the status that might be assigned to a feature during its lifecycle.
The following terms can be used to describe the status that might be assigned to a feature during its lifecycle:
- **Deprecation**: The stage of the product lifecycle when a feature or functionality is no longer in active development and may be removed in future releases of a product or online service.
- **End of support**: The stage of the product lifecycle when support and servicing are no longer available for a product.
@ -47,4 +47,4 @@ The following terms can be used to describe the status that might be assigned to
## Also see
[Windows 10 release information](/windows/release-health/release-information)
[Windows release information](/windows/release-health/release-information)

4
windows/whats-new/index.yml
View File

@ -56,9 +56,9 @@ landingContent:
- text: Windows 10 update history
url: https://support.microsoft.com/topic/windows-10-update-history-857b8ccb-71e4-49e5-b3f6-7073197d98fb
- text: Windows features we're no longer developing
url: /windows/deployment/planning/windows-10-deprecated-features
url: deprecated-features.md
- text: Features and functionality removed in Windows
url: /windows/deployment/planning/windows-10-removed-features
url: removed-features.md
- text: Compare Windows 11 Editions
url: https://www.microsoft.com/windows/business/compare-windows-11
- text: Windows 10 Enterprise LTSC

Some files were not shown because too many files have changed in this diff Show More